aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* support gre key in ikev1tterasTimo Teräs2017-11-209-39/+171
| | | | | | | | | | | | | | this implements gre key negotiation in ikev1 similarly to the ipsec-tools patch in alpine. the from/to port pair is internally used as gre key for gre protocol traffic selectors. since from/to pairs 0/0xffff and 0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000 will not work. this is not standard compliant, and should probably not be upstreamed or used widely, but it is applied for interoperability with alpine racoon for the time being.
* vici: add (deprecated) async parameterTimo Teräs2017-11-201-2/+3
| | | | | | | This is obsoleted by the new "timeout=-1" option that achieves the same. Only for compatibility with old versions of quagga-nhrp. Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* vici: add support for individual sa state changesTimo Teräs2017-11-201-0/+105
| | | | | | Useful for monitoring and tracking full SA. Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* vici: send certificates for ike-sa eventsTimo Teräs2017-11-201-7/+41
| | | | Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* charon: add optional source and remote overrides for initiateTimo Teräs2017-11-2012-48/+218
| | | | | | | | | | | This introduces support for specifying optional IKE SA specific source and remote address for child sa initiation. This allows to initiate wildcard connection for known address via vici. In addition this allows impler implementation of trap-any patches and is a prerequisite for dmvpn support. Signed-off-by: Timo Teräs <timo.teras@iki.fi>
* ike: Adhere to IKE_SA limit when checking out by configTobias Brunner2017-11-201-34/+37
| | | | | This prevents new SAs from getting created if we hit the global IKE_SA limit (we still allow checkout_new(), which is used for rekeying).
* hashers: Change names of SHA2 hash algorithmsTobias Brunner2017-11-171-8/+8
| | | | | Keep the lower case names as they are as we use them internally (parsing and e.g. in OpenSSL as identifier).
* ikev2: Add hash algorithm used for RSASSA-PSS signature to log messageTobias Brunner2017-11-171-11/+41
|
* hasher: Add uppercase short names for hash algorithmsTobias Brunner2017-11-172-0/+23
|
* x509: Initialize signature params when parsing attribute certificatesTobias Brunner2017-11-151-1/+1
|
* sw-collector: Unmap history file on failure to instantiate extractorTobias Brunner2017-11-151-0/+1
|
* charon: Explicitly check return value of fileno()Tobias Brunner2017-11-152-2/+12
| | | | | This is mainly for Coverity because fchown() can't take a negative value, which the -1 check implies is possible.
* pkcs8: Add explicit comment for RSASSA-PSS fall-throughTobias Brunner2017-11-151-0/+1
|
* The pacman tool got replaced by the sec-updater toolTobias Brunner2017-11-152-2/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2017-11-1515-19/+19
|
* swanctl: Add check for conflicting short optionsTobias Brunner2017-11-131-0/+9
|
* swanctl: Properly register --counters commmandTobias Brunner2017-11-131-1/+1
| | | | Use C instead of c, which is already used for --load-conns.
* libimcv: Updated imv databaseAndreas Steffen2017-11-111-4/+88
|
* libtpmtss: Added missing argument in hasher_from_signature_scheme()Andreas Steffen2017-11-101-1/+1
|
* charon-tkm: Unlink PID file after deinitTobias Brunner2017-11-101-11/+31
| | | | | | Same change as for charon in the previous commit. References #2460.
* charon: Unlink PID file after daemon deinit (i.e. after unloading plugins etc.)Tobias Brunner2017-11-101-9/+14
| | | | | | | | Make sure, though, that we only remove the file if we actually created it (e.g. not for --help or --version). And do so before deinitializing libstrongswan due to leak detective. Fixes #2460.
* unit-tests: Rename targets for libstrongswan and kernel-netlinkThomas Egerer2017-11-092-10/+10
| | | | | | | | | libstrongswan and kernel-netlink are the only two components which do not adhere to the naming scheme used for all other tests. If the tests are run by an external application this imposes problems due to clashing names. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.confTobias Brunner2017-11-083-16/+88
| | | | Also document the rsa/pss prefix.
* pki: Enable PSS padding if enabled in strongswan.confTobias Brunner2017-11-085-5/+11
|
* pki: Optionally generate RSA/PSS signaturesTobias Brunner2017-11-0813-45/+179
|
* pki: Indent usage lines properly automaticallyTobias Brunner2017-11-085-13/+13
|
* Treat RSASSA-PSS keys like rsaEncryption RSA keysTobias Brunner2017-11-083-1/+20
| | | | | | | | | | In theory we should treat any parameters and the identifier itself as restriction to only use the key to create signatures accordingly (e.g. only use RSA with PSS padding or even use specific hash algorithms). But that's currently tricky as we'd have to store and pass this information along with our private keys (i.e. use PKCS#8 to store them and change the builder calls to pass along the identifier and parameters). That would require quite some work.
* openssl: Add support for signature schemes with parametersTobias Brunner2017-11-082-47/+34
|
* pki: Properly forward digest to attribute certificate builderTobias Brunner2017-11-081-0/+1
|
* x509: Add support for signature schemes with parametersTobias Brunner2017-11-085-143/+220
| | | | | Also adds support for specifying the hash algorithm for attribute certificate signatures.
* builder: Add builder option to pass signature scheme and paramsTobias Brunner2017-11-082-1/+4
|
* ikev2: Use helpers to build signature auth dataTobias Brunner2017-11-081-40/+4
|
* signature-params: Add helpers to parse/build ASN.1 algorithmIdentifier for ↵Tobias Brunner2017-11-083-0/+196
| | | | signature schemes
* ikev2: Enumerate RSA/PSS schemes and use them if enabledTobias Brunner2017-11-085-38/+64
|
* ikev2: Support signing with RSASSA-PSS via RFC 7427 signature authTobias Brunner2017-11-081-6/+21
|
* signature-params: Use helper to build MGF1 algorithmIdentifierTobias Brunner2017-11-081-2/+2
|
* asn1: Add helper function to create algorithmIdentifier with parametersTobias Brunner2017-11-082-6/+23
|
* ikev2: Verify RSASSA-PSS signatures via RFC 7427 signature authTobias Brunner2017-11-081-19/+34
|
* keymat_v2: Pass/receive signature schemes as signature_param_t objectsTobias Brunner2017-11-082-28/+58
|
* auth-cfg: Parse rsa/pss auth tokensTobias Brunner2017-11-082-25/+136
|
* auth-cfg: Store signature schemes as signature_params_t objectsTobias Brunner2017-11-0810-67/+116
| | | | | Due to circular references the hasher_from_signature_scheme() helper does not take a signature_params_t object.
* certificate: Return signature scheme and parameters from issued_by() methodTobias Brunner2017-11-0829-72/+124
| | | | | This also required some include restructuring (avoid including library.h in headers) to avoid unresolvable circular dependencies.
* signature-params: Add helper struct for signature scheme and parametersTobias Brunner2017-11-083-18/+319
|
* android: Add support for creating RSASSA-PSS signatures via JNITobias Brunner2017-11-081-2/+142
|
* unit-tests: Add RSA-PSS signature tests with specific saltsTobias Brunner2017-11-081-92/+818
|
* gcrypt: Add support for static salts when signing with RSA-PSSTobias Brunner2017-11-081-6/+17
|
* gmp: Add support for static salts when signing with RSA-PSSTobias Brunner2017-11-081-2/+6
|
* signature-params: Optionally pass a specific salt value when signingTobias Brunner2017-11-081-0/+2
|
* unit-tests: Warn if we skip RSA tests due to dependenciesTobias Brunner2017-11-081-0/+11
|
* unit-tests: Add ability to issue a warning message for a test caseTobias Brunner2017-11-083-6/+116
| | | | | This way we can warn if we e.g. skipped actually doing something due to dependencies (otherwise the test case would just appear to have succeeded).