25637aa5d8
Fix Doxygen comment for rdrand plugin
2013-01-31 12:11:37 +01:00
58fd1f3eef
Don't use pointer to a union member in host_create_from_string_and_family()
2013-01-25 13:18:50 +01:00
572a707765
Properly check MSB in openssl plugin's PKCS#7 implementation
2013-01-24 23:36:02 +01:00
69c6a60176
g_thread_init() is deprecated since Glib 2.23
2013-01-24 19:13:40 +01:00
51dbcf6497
After merging the used trustchain with config, move used certificate to front
2013-01-18 11:59:27 +01:00
9a06a93ce7
Try to build a trustchain for all configured certificates before enforcing one
...
This enables the daemon to select from multiple configured certificates
by building trustchains against the received certificate requests.
2013-01-18 09:33:15 +01:00
f29783af8c
Make AUTH_RULE_SUBJECT cert multi-valued
...
Constraints having multiple subject certs defined are fulfilled if
authentication used one of the listed certificates.
2013-01-18 09:33:15 +01:00
7fb81886b9
Add a bio_reader_t constructor variant freeing passed data during destruction
2013-01-15 17:43:05 +01:00
47af9848a2
Add a chunk_from_str() initializer that does not include 0-terminator
2013-01-15 17:43:05 +01:00
1449e6dd55
Reseed rdrand after every 128bit sample only
2013-01-15 17:41:54 +01:00
426f34baf9
Respect given address family when resolving "%any"
2013-01-14 10:26:12 +01:00
37fb404833
Android.mk of libstrongswan updated
2013-01-14 09:16:33 +01:00
54a1a75b2f
Don't use bio_writer_t.skip() to write length field when appending more data
...
If the writer reallocates its buffer, the length pointer might not be valid
anymore, or even worse, point to an arbitrary allocation.
2013-01-11 14:57:08 +01:00
2cd6c5115b
Use raw opcodes for rdrand to build with older binutils
2013-01-11 10:45:14 +01:00
19ae23452a
Provide RNG_TRUE quality in rdrand by mixing reseeded outputs using AES
2013-01-11 10:45:14 +01:00
b9148ea232
Provide RNG_STRONG quality in rdrand by forcing PRNG reseed after every sample
2013-01-11 10:45:14 +01:00
9fe24b004d
Provide RNG_WEAK quality random generator in rdrand
2013-01-11 10:45:14 +01:00
ed8dc6f132
Add a rdrand plugin stub detecting availability of RDRAND instructions
2013-01-11 10:45:14 +01:00
ff318ad3e1
Include opensslconf.h before checking its defines
2013-01-03 11:12:05 +01:00
2b9e597b54
Don't build OpenSSL PKCS#7 code if OPENSSL_NO_CMS defined
2013-01-03 11:05:49 +01:00
ef33a4ab82
Fixed some typos, courtesy of codespell
2012-12-20 09:35:26 +01:00
0a344da291
Fix up serialNumber in openssl PKCS#7 if it has a leading MSB set
2012-12-19 10:32:08 +01:00
71dd4e7895
Don't handle PKCS#7 containers with infinite length encodings in pkcs7 plugin
2012-12-19 10:32:08 +01:00
3c820cdc23
Implement PKCS#7 decryption using openssl
2012-12-19 10:32:08 +01:00
2a87944a33
Make available wrapped certificates while verifying PKCS#7 signatures in openssl
2012-12-19 10:32:08 +01:00
04884be3b5
Implement openssl PKCS#7 certficiate enumeration
2012-12-19 10:32:08 +01:00
e96d945dcd
Fix doxygen grouping regarding containers and PKCS#7
2012-12-19 10:32:08 +01:00
36f2e11c70
Enable pkcs7 plugin when building scepclient on Android
2012-12-19 10:32:08 +01:00
03ba8f9e8c
Move PKCS#9 attribute lists to pkcs7 plugin, as we currently use it there only
2012-12-19 10:32:08 +01:00
804ba5bb50
Implement get_attribute() in openssl PKCS#7 backend
2012-12-19 10:32:08 +01:00
063ae4e52a
Allocate data returned by pkcs7_t.get_attribute()
2012-12-19 10:32:08 +01:00
c61723c69f
Implement OpenSSL PKCS#7 signed-data parsing and verification
2012-12-19 10:32:08 +01:00
568ad938d1
Add a stub for OpenSSL PKCS#7 parsing
2012-12-19 10:32:08 +01:00
1865fb929a
Remove unused monolithic PKCS#7 code
2012-12-19 10:32:08 +01:00
6d21c61a09
Fix encryption algorithm/key size argument processing in PKCS#7 enveloped-data
2012-12-19 10:32:08 +01:00
ee97055835
Properly clone PKCS#7 attributes passed to builder
2012-12-19 10:32:08 +01:00
8ccf5a4731
Fix enum names for container_type_t
2012-12-19 10:32:08 +01:00
9e967d7dda
Add an enumerator for PKCS#7 contained certificates
2012-12-19 10:32:08 +01:00
d3d706f4fc
Add a getter for signed PKCS#7 attributes
2012-12-19 10:32:08 +01:00
b95b4730f5
Support multiple signerInfos while parsing PKCS#7 signed-data
2012-12-19 10:32:07 +01:00
5d932e4f01
Support encoding of PKCS#7 enveloped-data containers
2012-12-19 10:32:07 +01:00
32745a28cf
Support encoding of PKCS#7 signed-data containers
2012-12-19 10:32:07 +01:00
3c2986bf0a
Support encoding of PKCS#7 "data" containers
2012-12-19 10:32:07 +01:00
637a8abb72
Add builder parts to generate PKCS#7 containers
2012-12-19 10:32:07 +01:00
d7aa09104f
Implement PKCS#7 enveloped-data parsing and decryption
2012-12-19 10:32:07 +01:00
98bbe0760f
Implement PKCS#7 signed-data parsing and verification
2012-12-19 10:32:07 +01:00
83ed1464e3
Implement PKCS#7 "data" content type parsing
2012-12-19 10:32:07 +01:00
ed1c430334
certificate_t.has_subject() matches for certificate serialNumber
2012-12-19 10:32:07 +01:00
9de6a7a85c
Implement generic PKCS#7 contentInfo parsing
2012-12-19 10:32:07 +01:00
bd20f040fd
Add a plugin stub for PKCS#7 containers
2012-12-19 10:32:07 +01:00
692f560546
Add container plugin features
2012-12-19 10:32:07 +01:00
fc67a932ba
Add a generic interface for crypto containers and a more specific PKCS#7 interface
2012-12-19 10:32:07 +01:00
67ca44ccbd
Rebuild PKCS#9 encoding after adding new attributes
2012-12-19 10:32:07 +01:00
60c9b5da8d
Don't store additional encoding for each PKCS#9 attribute
2012-12-19 10:32:07 +01:00
7f9fedc9bd
Unify PKCS#9 set_attribute* methods to a single add_attribute
...
This way the PKCS#9 implementation does not have to know
the encoding types for values
2012-12-19 10:32:07 +01:00
c1005c120c
PKCS#9 coding style cleanups
2012-12-19 10:32:07 +01:00
f0c02e27c4
Remove external build_encoding method in PKCS#9
2012-12-19 10:32:07 +01:00
4185c64464
Use a ./configure check to detect pthread spinlock availability
...
_POSIX_SPIN_LOCKS does not seem to be defined correctly on all
systems (Debian libc 2.3.6). Fixes #262 .
2012-12-18 09:51:33 +01:00
b091d80aff
Replace optionsfrom LGPLv2 header by a GPLv2
2012-11-30 18:00:39 +01:00
7277e4719e
Consolidated %any(6) host_t parsing
2012-11-29 10:22:52 +01:00
98d0fd25a8
Remove numeric conversion from resolver, it is done directly in host_t
2012-11-29 10:22:52 +01:00
47f35b46a1
host_create_from_dns() tries a numeric conversion before asking resolver
2012-11-29 10:22:51 +01:00
f5fe52bf9a
Add a host_t constructor from string, but with a specific family
2012-11-29 10:22:51 +01:00
48b23d06a8
allow the optional sharing if RSA private keys
2012-11-22 00:34:42 +01:00
76bd0d7c1f
overwrite sensitive prime with zeroes
2012-11-18 22:55:22 +01:00
168ee460c6
implemented generation of safe primes
2012-11-18 19:22:31 +01:00
1e5e1fb685
libstrongswan can be initialized more than once
2012-11-14 10:14:31 +01:00
9901207a09
transmit Product Vendor ID if known
2012-10-31 20:29:36 +01:00
3e765dad95
added some Linux OS PENs
2012-10-31 14:53:01 +01:00
12d68762f7
issue warning if sqlite finalize is missing
2012-10-26 13:22:02 +02:00
828cefc313
Fix RSA encryption padding terminator in gmp plugin, broken with 5025135f
2012-10-24 20:26:10 +02:00
bca34c3717
Moved utils.[ch] to utils folder
2012-10-24 16:07:53 +02:00
f9625952ad
Moved settings_t to utils folder
2012-10-24 16:00:51 +02:00
f05b427265
Moved debug.[ch] to utils folder
2012-10-24 16:00:51 +02:00
d5c143e5be
Moved enum_name_t to utils folder
2012-10-24 16:00:50 +02:00
125b37af6d
Moved chunk_t to utils folder
2012-10-24 16:00:50 +02:00
05e448c5cc
Moved printf hooks to utils folder
2012-10-24 16:00:50 +02:00
08944b68ac
Moved integrity_checker_t to utils folder
2012-10-24 16:00:50 +02:00
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
fdee6b5f5a
Moved packet_t and tun_device_t to networking folder
2012-10-24 15:06:18 +02:00
2e7cc07ecd
Moved host_t and host_resolver_t to a new networking subfolder
2012-10-24 15:06:18 +02:00
fd6c0c8fb4
Add a traffic selector constructor creating a TS directly from a CIDR string
2012-10-24 13:25:02 +02:00
712e81306f
PKCS#11 library search using keyid uses a fallback to look for certificates
2012-10-24 13:07:54 +02:00
434902b302
Add a strongswan.conf option to disable loading of all certificates from a pkcs11 module
2012-10-24 13:07:53 +02:00
36e47a409b
Explicit pkcs11 certificate loading can enforce a module and a slot
2012-10-24 13:07:53 +02:00
5d4c27d077
Be less verbose if loading PKCS#11 certificate fails
2012-10-24 13:07:53 +02:00
fbd3863571
Add a builder to load specific pkcs11 certificates by keyid
2012-10-24 13:07:52 +02:00
ffe42fa405
If no pkcs11 public key for a private key found, search for a certificate
2012-10-24 13:07:52 +02:00
44fdc62f82
Move pkcs11 public key lookup function declaration to header file
2012-10-24 13:07:52 +02:00
60e59b7e7f
Add proposal keywords to explicitly specify PRF algorithms
2012-10-24 11:49:36 +02:00
2232d88569
Support field with specifiers in %N printf hook
2012-10-24 11:34:30 +02:00
3c4d383443
Added an option to reload certificates from PKCS#11 tokens on SIGHUP
2012-10-18 14:42:09 +02:00
ca1c2ee281
Copy the name of pkcs11_library_t objects
...
Strings returned by settings_t.create_section_enumerator will be freed
when the config is reloaded.
2012-10-18 14:42:09 +02:00
25a413cb96
Use a shortcut to resolve numeric IP addresses (no need for separate threads)
2012-10-18 12:27:32 +02:00
d377556863
Use native threads in host resolver so that it works even if processor has no threads
2012-10-18 12:26:49 +02:00
b4f6c39e55
Terminate unused resolver threads after a timeout
2012-10-18 12:26:00 +02:00
49e2d109a3
Only create more threads if needed in host_resolver_t
2012-10-18 12:26:00 +02:00
eecd41e349
Use a helper function to add milliseconds to timeval structs
2012-10-18 12:25:59 +02:00
292d8f41c3
Resolve hosts by DNS name in separate threads so we can cancel them
...
getaddrinfo(3) may block a long time so proper termination of the daemon may
block if DNS servers are not reachable.
getaddrinfo(3) is an optional cancellation point in posix threads so it
might still block a shutdown but at least on Android (with the signal based
pthread_cancel implementation) it works, on Linux starter will kill charon
anyway after a while.
2012-10-18 10:57:55 +02:00
7f5675c8e5
check length of hex-encoded IV
2012-10-07 17:07:35 +02:00
Tobias Brunner