aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* openssl: Update PKCS#12 API to OpenSSL 1.1.0Tobias Brunner2016-06-291-1/+5
|
* openssl: Update PKCS#7 API to OpenSSL 1.1.0Tobias Brunner2016-06-291-3/+7
|
* openssl: Update CRL API to OpenSSL 1.1.0Tobias Brunner2016-06-291-7/+42
| | | | | | There is currently no way to compare the outer and inner algorithms encoded in a parsed CRL. X509_CRL_verify() does not seem to check that either, though (unlike X509_verify()).
* openssl: Update x509 API to OpenSSL 1.1.0Tobias Brunner2016-06-291-12/+48
|
* openssl: Update ECDSA API to OpenSSL 1.1.0Tobias Brunner2016-06-292-5/+24
|
* openssl: Update RSA API to OpenSSL 1.1.0Tobias Brunner2016-06-292-16/+52
|
* openssl: Make some utilities take const BIGNUM pointersTobias Brunner2016-06-292-4/+6
|
* openssl: Add macro to define fallback functions for non-opaque OpenSSL versionsTobias Brunner2016-06-291-0/+38
|
* openssl: Update DH API to OpenSSL 1.1.0Tobias Brunner2016-06-291-11/+41
|
* openssl: Update crypter API to OpenSSL 1.1.0Tobias Brunner2016-06-291-12/+17
| | | | | EVP_CIPHER and EVP_CIPHER_CTX are now opaque types, the getters already existed before.
* openssl: Fix mapping from ASN1 to chunk_t with OpenSSL 1.1.0Tobias Brunner2016-06-291-1/+7
| | | | ASN1_OBJECT is now opaque.
* openssl: Update initialization and cleanup for OpenSSL 1.1.0Tobias Brunner2016-06-291-7/+17
| | | | | | We can't call OPENSSL_cleanup() as that would prevent us from re-initializing the library again (which we use in the Android app, that loads/unloads plugins).
* openssl: OpenSSL 1.1.0 is thread-safe so we don't have to setup callbacksTobias Brunner2016-06-291-0/+13
|
* android: Actually add Android.mk for libtpmtssTobias Brunner2016-06-281-0/+32
|
* android: Fix build after adding libtpmtssTobias Brunner2016-06-283-3/+5
|
* libtpmtss: Added to integrity checksAndreas Steffen2016-06-264-0/+19
|
* aikpub2: Output AIK signature algorithmAndreas Steffen2016-06-261-1/+14
|
* Refactoring to tpm_tss_quote_info objectAndreas Steffen2016-06-2624-397/+923
|
* libimcv: Changed debug level for functional components from 2 to 3Andreas Steffen2016-06-261-2/+2
|
* libtpmtss: Implemented TSS2 quote() methodAndreas Steffen2016-06-261-23/+139
|
* libtpmtss: Implemented TSS2 read_pcr() methodAndreas Steffen2016-06-221-6/+114
|
* libimcv: migrate pts to tpm_tssAndreas Steffen2016-06-2210-495/+568
|
* libtpmtss: Get TPM 2.0 capabilitiesAndreas Steffen2016-06-224-2/+227
|
* libtpmtss: Retrieve TPM 1.2 version infoAndreas Steffen2016-06-223-3/+75
|
* Created libtpmtss library handling access to v1.2 and v2.0 TPMsAndreas Steffen2016-06-2212-393/+914
|
* aikpub2: --handle option retrieves public key from TPM 2.0 NVRAMAndreas Steffen2016-06-222-30/+147
|
* aikpub2: Convert TSS 2.0 AIK public key blob into PKCS#1 formatAndreas Steffen2016-06-225-1/+384
|
* unit-tests: Add tests for expires after CHILD_SA rekeyingTobias Brunner2016-06-171-0/+129
|
* child-rekey: Only rekey installed CHILD_SAsTobias Brunner2016-06-171-7/+14
| | | | | | | | | | | | Depending on the lifetimes a CHILD_SA we rekeyed as responder might expire shortly afterwards. We don't want to rekey it again. When retrying due to an INVALID_KE_PAYLOAD notify the expected state is CHILD_REKEYING if it is anything else (e.g. due to a collision) we ignore it. We also abort the exchange properly if we don't find the CHILD_SA, no need for an empty INFORMATIONAL exchange anymore.
* Report test coverage of libcharon and starterTobias Brunner2016-06-172-0/+6
|
* unit-tests: Add test for CHILD_SA rekey if a retry due to an ↵Tobias Brunner2016-06-171-0/+143
| | | | INVALID_KE_PAYLOAD is delayed
* child-rekey: Ignore failed colliding CHILD_SA rekeyingsTobias Brunner2016-06-171-1/+10
| | | | | | | If a passive rekeying fails due to an INVALID_KE_PAYLOAD we don't want to consider this task later when resolving collisions. This previously might have caused the wrong SA to get deleted/installed based on the nonces in the unsuccessful exchange.
* unit-tests: Add test for collision between IKE_SA rekey and CHILD_SA creationTobias Brunner2016-06-173-0/+108
|
* child-create: Retry creating the CHILD_SA if TEMPORARY_FAILURE is receivedTobias Brunner2016-06-171-4/+33
| | | | We queue a delayed task that is initiated after a while.
* ikev2: Add possibility to delay initiation of a queued taskTobias Brunner2016-06-175-66/+189
| | | | | | | | | | | Such a task is not initiated unless a certain time has passed. This allows delaying certain tasks but avoids problems if we'd do this via a scheduled job (e.g. if the IKE_SA is rekeyed in the meantime). If the IKE_SA is rekeyed the delay of such tasks is reset when the tasks are adopted i.e. they get executed immediately on the new IKE_SA. This hasn't been implemented for IKEv1 yet.
* ike: Reduce RETRY_INTERVAL a bitTobias Brunner2016-06-171-2/+2
| | | | Retry exchanges between 5 and 15 seconds after a temporary failure.
* ike-rekey: Return TEMPORARY_FAILURE when concurrently creating a CHILD_SATobias Brunner2016-06-171-14/+35
|
* unit-tests: Add tests for IKE rekeying if INVALID_KE_PAYLOAD notifies are ↵Tobias Brunner2016-06-171-0/+470
| | | | received
* ike: Add configuration option to switch to preferring supplied proposals ↵Tobias Brunner2016-06-175-10/+21
| | | | over local ones
* child-cfg: Add option to prefer supplied proposals over locally configured onesTobias Brunner2016-06-174-23/+38
|
* ike-cfg: Add option to prefer supplied proposals over locally configured onesTobias Brunner2016-06-175-32/+48
|
* proposal: Remove MODP_NONE from IKE proposals parsed from stringsTobias Brunner2016-06-171-0/+10
|
* proposal: Handle MODP_NONE in both directions when selecting proposalsTobias Brunner2016-06-174-6/+97
|
* proposal: Parse modpnone as MODP_NONE(0)Tobias Brunner2016-06-171-0/+1
|
* ike-rekey: Make sure to ignore task when detecting collisions if ike-init ↵Tobias Brunner2016-06-171-1/+2
| | | | | | | subtask failed For instance, if INVALID_KE_PAYLOAD is returned we don't want this task to affect any active rekeying (no new SA has been established so far).
* unit-tests: Add test for rekey collision if one CREATE_CHILD_SA response is ↵Tobias Brunner2016-06-171-0/+221
| | | | delayed
* unit-tests: Add tests for IKE_SA rekeying if collision is not detected by ↵Tobias Brunner2016-06-171-0/+340
| | | | one peer
* ike-rekey: Handle undetected collisions also if delete is delayedTobias Brunner2016-06-171-16/+26
| | | | | | | | | | | If the peer does not detect the rekey collision and deletes the old IKE_SA and then receives the colliding rekey request it will respond with TEMPORARY_FAILURE. That notify may arrive before the DELETE does, in which case we may just conclude the rekeying initiated by the peer. Also, since the IKE_SA is destroyed in any case when we receive a delete there is no point in storing the delete task in collide() as process_i() in the ike-rekey task will never be called.
* ike-rekey: There is no passive reauth task, so it will never collide with oneTobias Brunner2016-06-172-7/+4
|
* ike-rekey: Ignore colliding rekey tasks that did not create an IKE_SATobias Brunner2016-06-171-56/+64
| | | | | This simplifies collision handling and we don't need to know about these tasks when concluding the rekeying we initiated.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 01:20:32 +0000