Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | utils: chunk_from_hex() skips optional 0x prefix | Andreas Steffen | 2017-03-06 | 2 | -11/+18 |
| | |||||
* | settings: Add support for hex integers (0x prefix) via get_int() | Tobias Brunner | 2017-03-02 | 1 | -1/+6 |
| | |||||
* | host: Don't log port if it is zero | Tobias Brunner | 2017-03-02 | 2 | -6/+6 |
| | |||||
* | traffic-selector: Allow calling set_address() for any traffic selector | Tobias Brunner | 2017-02-27 | 3 | -48/+63 |
| | | | | | Users may check is_host(), is_dynamic() or includes() before calling this if restrictions are required (most actually already do). | ||||
* | x509: Do not mark generated addrblock extension as critical | Martin Willi | 2017-02-27 | 1 | -2/+1 |
| | | | | | | | | | | | | | | While RFC 3779 says we SHOULD mark it is critical, this has severe side effects in practice. The addrblock extension is not widely used nor implemented, and only a few applications can handle this extension. By marking it critical, none of these applications can make use of such certificates where included addrblocks do not matter, such as TLS/HTTPS. If an application wants to make use of addrblocks, that is usually an explicit decision. Then the very same application obviously can handle addrblocks, and there is no need for the extension to be critical. In other words, for local policy checks it is a local matter to handle the extension, hence making it critical is usually not of much help. | ||||
* | x509: Support encoding the RFC 3779 addrblock extension | Martin Willi | 2017-02-27 | 1 | -3/+134 |
| | |||||
* | builder: Define a builder part for X.509 RFC 3779 address blocks | Martin Willi | 2017-02-27 | 2 | -0/+3 |
| | |||||
* | plugin-loader: Fix hashing of registered plugin features | Tobias Brunner | 2017-02-24 | 1 | -1/+1 |
| | | | | | | | This strangely never caused any noticeable issues, but was the reason for build failures in certain test cases (mostly BLISS) due to missing plugin features when built with specific options on Travis (was not reproducible locally). | ||||
* | mem-cred: Add methods to add/remove shared keys with unique identifiers | Tobias Brunner | 2017-02-16 | 2 | -6/+107 |
| | | | | Also added is a method to enumerate the unique identifiers. | ||||
* | mem-cred: Add method to remove a private key with a specific fingerprint | Tobias Brunner | 2017-02-16 | 2 | -2/+38 |
| | |||||
* | revocation: More accurately describe the flags to disable OCSP/CRL validation | Tobias Brunner | 2017-02-15 | 1 | -8/+7 |
| | | | | | | These options disable validation as such, e.g. even from cached CRLs, not only the fetching. Also made the plugin's validate() implementation a no-op if both options are disabled. | ||||
* | unit-tests: Allow default test timeout to be configured via compile option | Thomas Egerer | 2017-02-14 | 1 | -0/+2 |
| | | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> | ||||
* | settings: Fix purge if order differs from alphabetical order | Tobias Brunner | 2017-02-07 | 1 | -1/+1 |
| | |||||
* | libipsec: Fix Windows build via MinGW | Tobias Brunner | 2017-01-25 | 1 | -0/+7 |
| | | | | Fixes #2118. | ||||
* | bliss: Increase timeout for sampler unit test | Tobias Brunner | 2017-01-16 | 1 | -2/+2 |
| | | | | Fixes #2204. | ||||
* | android: Include ref10 subdirectory for curve25519 plugin | Tobias Brunner | 2017-01-16 | 1 | -0/+1 |
| | | | | Fixes #2201. | ||||
* | revocation: OCSP and/or CRL fetching can be disabled | Andreas Steffen | 2016-12-30 | 1 | -38/+71 |
| | |||||
* | Moved Ed25519 tests to libstrongswan | Andreas Steffen | 2016-12-14 | 9 | -141/+27 |
| | |||||
* | unit-tests: Completed coverage of hasher, crypter and libnttfft | Andreas Steffen | 2016-12-14 | 3 | -34/+57 |
| | |||||
* | Implemented EdDSA for IKEv2 using a pro forma Identity hash function | Andreas Steffen | 2016-12-14 | 5 | -17/+108 |
| | |||||
* | Added Ed25519 ref10 implementation from libsodium | Andreas Steffen | 2016-12-14 | 13 | -16/+5789 |
| | |||||
* | Added support of EdDSA signatures | Andreas Steffen | 2016-12-14 | 23 | -35/+857 |
| | |||||
* | openssl: BoringSSL doesn't provide curve data for ECC Brainpool curves | Tobias Brunner | 2016-12-10 | 1 | -1/+4 |
| | |||||
* | android: Optionally build the curve25519 plugin | Tobias Brunner | 2016-12-08 | 1 | -0/+2 |
| | |||||
* | android: Optionally build the chapoly plugin | Tobias Brunner | 2016-12-08 | 1 | -0/+2 |
| | |||||
* | plugin-loader: Strip '!' from critical plugin names when setting paths | Tobias Brunner | 2016-11-18 | 1 | -1/+1 |
| | |||||
* | curve22519: Add a portable backend implemented in plain C | Martin Willi | 2016-11-14 | 4 | -0/+647 |
| | |||||
* | curve25519: Add a plugin providing Curve25519 DH using backend drivers | Martin Willi | 2016-11-14 | 8 | -0/+469 |
| | |||||
* | test-vectors: Add a Curve25519 DH test vector | Martin Willi | 2016-11-14 | 3 | -0/+36 |
| | |||||
* | proposal: Add a curve25519 proposal keyword | Martin Willi | 2016-11-14 | 1 | -0/+1 |
| | |||||
* | diffie-hellman: Add DH group identifiers for Curve25519 and Curve448 | Martin Willi | 2016-11-14 | 2 | -3/+14 |
| | |||||
* | Fixed in-place update of cached base and delta CRLs | Andreas Steffen | 2016-10-30 | 1 | -4/+4 |
| | |||||
* | Newer CRLs replace older versions of the CRL in the cache | Andreas Steffen | 2016-10-26 | 1 | -0/+39 |
| | |||||
* | added XOF dependencies of bliss and ntru plugins | Andreas Steffen | 2016-10-18 | 2 | -4/+26 |
| | |||||
* | newhope: Fix Doxygen group name | Tobias Brunner | 2016-10-14 | 1 | -1/+1 |
| | |||||
* | libnttfft: Fix Doxygen group | Tobias Brunner | 2016-10-14 | 1 | -1/+3 |
| | |||||
* | Fixed some typos, courtesy of codespell | Tobias Brunner | 2016-10-14 | 1 | -2/+2 |
| | |||||
* | newhope: Properly release allocated arrays if RNG can't be created | Tobias Brunner | 2016-10-14 | 1 | -8/+8 |
| | |||||
* | mem-cred: Support storing a delta CRL together with its base | Tobias Brunner | 2016-10-11 | 1 | -8/+30 |
| | | | | | | | | | | | | So far every "newer" CRL (higher serial or by date) replaced an existing "older" CRL. This meant that delta CRLs replaced an existing base CRL and that base CRLs weren't added if a delta CRL was already stored. So the base had to be re-fetched every time after a delta CRL was added. With this change one delta CRL to the latest base may be stored. A newer delta CRL will replace an existing delta CRL (but not its base, older base CRLs are removed, though). And a newer base will replace the existing base and optional delta CRL. | ||||
* | revocation: Cache valid CRL also if certificate is revoked | Tobias Brunner | 2016-10-11 | 1 | -10/+25 |
| | |||||
* | openssl: Fix AES-GCM with BoringSSL | Tobias Brunner | 2016-10-11 | 1 | -3/+3 |
| | | | | | | | | BoringSSL only supports a limited list of (hard-coded) algorithms via EVP_get_cipherbyname(), which does not include AES-GCM. While BoringSSL deprecated these functions they are also supported by OpenSSL (in BoringSSL a completely new interface for AEADs was added, which OpenSSL currently does not support). | ||||
* | android: MGF1 implementation was moved to a plugin | Tobias Brunner | 2016-10-11 | 1 | -2/+1 |
| | | | | Fixes: 188b190a70c9 ("mgf1: Refactored MGF1 as an XOF") | ||||
* | ldap: Fix crash in case of empty LDAP response for CRL fetch | Yannick CANN | 2016-10-06 | 1 | -2/+1 |
| | | | | | | | | | In case of an empty LDAP result during a CRL fetch (for example, due to a wrong filter attribute in the LDAP URI, or invalid LDAP configuration), the call to ldap_result2error() with NULL value for "entry" lead to a crash. Closes strongswan/strongswan#52. | ||||
* | openssl: Add a generic private key loader | Tobias Brunner | 2016-10-05 | 7 | -18/+129 |
| | |||||
* | pkcs1: Support building of KEY_ANY private keys | Tobias Brunner | 2016-10-05 | 2 | -5/+73 |
| | | | | | We try to detect the type of key by parsing the basic structure of the passed ASN.1 blob. | ||||
* | pkcs11: Look for the CKA_ID of the cert if it doesn't match the subjectKeyId | Raphael Geissert | 2016-10-04 | 1 | -4/+152 |
| | | | | | | | | | | | | | | charon-nm fails to find the private key when its CKA_ID doesn't match the subjectKeyIdentifier of the X.509 certificate. In such cases, the private key builder now falls back to enumerating all the certificates, looking for one that matches the supplied subjectKeyIdentifier. It then uses the CKA_ID of that certificate to find the corresponding private key. It effectively means that PKCS#11 tokens where the only identifier to relate the certificate, the public key, and the private key is the CKA_ID are now supported by charon-nm. Fixes #490. | ||||
* | watcher: Avoid allocations due to enumerators | Tobias Brunner | 2016-10-04 | 1 | -37/+83 |
| | | | | | Since the FD set could get rebuilt quite often this change avoids having to allocate memory just to enumerate the registered FDs. | ||||
* | gmp: Support of SHA-3 RSA signatures | Andreas Steffen | 2016-09-22 | 17 | -147/+240 |
| | |||||
* | bliss sampler unit-test: Fixed enumeration type | Andreas Steffen | 2016-09-22 | 1 | -2/+2 |
| | |||||
* | bliss: bliss_sampler expects XOF type | Andreas Steffen | 2016-09-22 | 1 | -4/+3 |
| |