Tobias Brunner
25637aa5d8
Fix Doxygen comment for rdrand plugin
2013-01-31 12:11:37 +01:00
Tobias Brunner
58fd1f3eef
Don't use pointer to a union member in host_create_from_string_and_family()
2013-01-25 13:18:50 +01:00
Tobias Brunner
572a707765
Properly check MSB in openssl plugin's PKCS#7 implementation
2013-01-24 23:36:02 +01:00
Tobias Brunner
69c6a60176
g_thread_init() is deprecated since Glib 2.23
2013-01-24 19:13:40 +01:00
Martin Willi
51dbcf6497
After merging the used trustchain with config, move used certificate to front
2013-01-18 11:59:27 +01:00
Martin Willi
9a06a93ce7
Try to build a trustchain for all configured certificates before enforcing one
This enables the daemon to select from multiple configured certificates
by building trustchains against the received certificate requests.
2013-01-18 09:33:15 +01:00
Martin Willi
f29783af8c
Make AUTH_RULE_SUBJECT cert multi-valued
Constraints having multiple subject certs defined are fulfilled if
authentication used one of the listed certificates.
2013-01-18 09:33:15 +01:00
Martin Willi
7fb81886b9
Add a bio_reader_t constructor variant freeing passed data during destruction
2013-01-15 17:43:05 +01:00
Martin Willi
47af9848a2
Add a chunk_from_str() initializer that does not include 0-terminator
2013-01-15 17:43:05 +01:00
Martin Willi
1449e6dd55
Reseed rdrand after every 128bit sample only
2013-01-15 17:41:54 +01:00
Martin Willi
426f34baf9
Respect given address family when resolving "%any"
2013-01-14 10:26:12 +01:00
Tobias Brunner
37fb404833
Android.mk of libstrongswan updated
2013-01-14 09:16:33 +01:00
Martin Willi
54a1a75b2f
Don't use bio_writer_t.skip() to write length field when appending more data
If the writer reallocates its buffer, the length pointer might not be valid
anymore, or even worse, point to an arbitrary allocation.
2013-01-11 14:57:08 +01:00
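The hazard described in commit 54a1a75b2f, shown as an added example that is not strongSwan's code: a minimal growable writer (assumed here, not bio_writer_t itself) whose append may move the buffer. The buggy variant keeps the pointer returned by skip() across a later write and reports, without dereferencing it, whether that pointer went stale; the fixed variant records an offset and patches the length through the writer's current buffer. The writer allocates the new buffer before freeing the old one, so growth always changes the address and the demonstration is deterministic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable byte writer, assumed for illustration only. */
typedef struct {
    uint8_t *buf;
    size_t len;
    size_t cap;
} writer_t;

static void writer_init(writer_t *w, size_t cap)
{
    w->buf = malloc(cap);
    w->len = 0;
    w->cap = cap;
}

static void writer_free(writer_t *w)
{
    free(w->buf);
    w->buf = NULL;
    w->len = w->cap = 0;
}

/* Make room for n more bytes. The new buffer is allocated while the old one is
 * still live, so on growth the address is guaranteed to change and every
 * pointer previously obtained into w->buf is dangling afterwards. */
static void writer_reserve(writer_t *w, size_t n)
{
    size_t cap;
    uint8_t *grown;

    if (w->len + n <= w->cap) {
        return;
    }
    cap = w->cap ? w->cap : 1;
    while (cap < w->len + n) {
        cap *= 2;
    }
    grown = malloc(cap);
    memcpy(grown, w->buf, w->len);
    free(w->buf);
    w->buf = grown;
    w->cap = cap;
}

static void writer_write(writer_t *w, const void *data, size_t n)
{
    writer_reserve(w, n);
    memcpy(w->buf + w->len, data, n);
    w->len += n;
}

/* Reserve n bytes and return a pointer to them; valid only until the next write. */
static uint8_t *writer_skip(writer_t *w, size_t n)
{
    uint8_t *p;
    writer_reserve(w, n);
    p = w->buf + w->len;
    w->len += n;
    return p;
}

/* Buggy pattern: hold the skip() pointer across the body write. Returns 1 if the
 * buffer moved in between, i.e. the length would have been written through a
 * dangling pointer (the old address is kept as an integer, never dereferenced). */
int write_length_prefixed_buggy(writer_t *w, const uint8_t *body, size_t n)
{
    uint8_t *len_field = writer_skip(w, 2);
    uintptr_t before = (uintptr_t)len_field;
    size_t off = w->len - 2;

    writer_write(w, body, n);                 /* may reallocate w->buf */
    if ((uintptr_t)(w->buf + off) != before) {
        return 1;                             /* len_field is dangling */
    }
    len_field[0] = (uint8_t)(n >> 8);
    len_field[1] = (uint8_t)(n & 0xff);
    return 0;
}

/* Fixed pattern: remember an offset, append the body, then patch the length
 * through the writer's current buffer. Offsets survive reallocation. */
void write_length_prefixed(writer_t *w, const uint8_t *body, size_t n)
{
    size_t off = w->len;

    (void)writer_skip(w, 2);                  /* reserve the 16-bit length field */
    writer_write(w, body, n);                 /* may reallocate w->buf */
    w->buf[off] = (uint8_t)(n >> 8);
    w->buf[off + 1] = (uint8_t)(n & 0xff);
}

/* Constructed input: a 100-byte body appended to a writer with 4 bytes of
 * capacity, so the append is certain to grow the buffer. Returns 1 if the
 * buggy pattern ended up with a stale pointer. */
int demo_buggy_detects_dangling(void)
{
    uint8_t body[100];
    writer_t w;
    int stale;

    memset(body, 0xAB, sizeof(body));
    writer_init(&w, 4);
    stale = write_length_prefixed_buggy(&w, body, sizeof(body));
    writer_free(&w);
    return stale;
}

/* Same input through the fixed pattern; returns 1 if the record is well-formed. */
int demo_fixed_encodes_correctly(void)
{
    uint8_t body[100];
    writer_t w;
    int ok;

    memset(body, 0xAB, sizeof(body));
    writer_init(&w, 4);
    write_length_prefixed(&w, body, sizeof(body));
    ok = w.len == 102 && w.buf[0] == 0x00 && w.buf[1] == 100
      && w.buf[2] == 0xAB && w.buf[101] == 0xAB;
    writer_free(&w);
    return ok;
}
```

With a real allocator, realloc() may or may not move the block, which is why this class of bug often survives testing: the stale pointer only points "to an arbitrary allocation" once the buffer has crossed a size class boundary.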
Martin Willi
2cd6c5115b
Use raw opcodes for rdrand to build with older binutils
2013-01-11 10:45:14 +01:00
Martin Willi
19ae23452a
Provide RNG_TRUE quality in rdrand by mixing reseeded outputs using AES
2013-01-11 10:45:14 +01:00
Martin Willi
b9148ea232
Provide RNG_STRONG quality in rdrand by forcing PRNG reseed after every sample
2013-01-11 10:45:14 +01:00
Martin Willi
9fe24b004d
Provide RNG_WEAK quality random generator in rdrand
2013-01-11 10:45:14 +01:00
Martin Willi
ed8dc6f132
Add a rdrand plugin stub detecting availability of RDRAND instructions
2013-01-11 10:45:14 +01:00
Martin Willi
ff318ad3e1
Include opensslconf.h before checking its defines
2013-01-03 11:12:05 +01:00
Martin Willi
2b9e597b54
Don't build OpenSSL PKCS#7 code if OPENSSL_NO_CMS defined
2013-01-03 11:05:49 +01:00
Tobias Brunner
ef33a4ab82
Fixed some typos, courtesy of codespell
2012-12-20 09:35:26 +01:00
Martin Willi
0a344da291
Fix up serialNumber in openssl PKCS#7 if it has a leading MSB set
2012-12-19 10:32:08 +01:00
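Commits 0a344da291 and 572a707765 both deal with a serialNumber whose first byte has its most significant bit set. As an added example, not strongSwan's code, the helper below canonicalises a big-endian serial into the content octets of a DER INTEGER: it strips redundant leading zeros and inserts a single 0x00 when the MSB is set, so the same serial compares equal whether it arrived as raw bytes or as DER. The 20-octet limit mentioned in the comment is from RFC 5280; the buffer size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Canonicalise a non-negative, big-endian serial number into DER INTEGER
 * content octets. Returns the number of bytes written to out, or 0 if the
 * input is empty or out_cap is too small. Assumed helper for illustration. */
size_t der_serial_normalize(const uint8_t *in, size_t in_len,
                            uint8_t *out, size_t out_cap)
{
    size_t i = 0, sig_len, need;
    int pad;

    if (in_len == 0) {
        return 0;                              /* an INTEGER has at least one octet */
    }
    while (i + 1 < in_len && in[i] == 0x00) {
        i++;                                   /* drop leading zeros, keep one byte */
    }
    sig_len = in_len - i;
    pad = (in[i] & 0x80) != 0;                 /* MSB set: needs a leading 0x00 */
    need = sig_len + pad;
    if (need > out_cap) {
        return 0;
    }
    if (pad) {
        out[0] = 0x00;
    }
    memcpy(out + pad, in + i, sig_len);
    return need;
}

/* Compare two serials in canonical form, so that the raw bytes 80 01 and the
 * DER content octets 00 80 01 denote the same certificate. Conforming CAs use
 * at most 20 octets (RFC 5280), so a 64-byte scratch buffer leaves margin. */
int der_serial_equal(const uint8_t *a, size_t a_len,
                     const uint8_t *b, size_t b_len)
{
    uint8_t na[64], nb[64];
    size_t la = der_serial_normalize(a, a_len, na, sizeof(na));
    size_t lb = der_serial_normalize(b, b_len, nb, sizeof(nb));

    return la != 0 && la == lb && memcmp(na, nb, la) == 0;
}
```

Without the leading 0x00, a serial starting with 0x80 or above decodes as a negative INTEGER, and a lookup that compares the padded and unpadded forms byte for byte fails to match the signer's certificate.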
Martin Willi
71dd4e7895
Don't handle PKCS#7 containers with infinite length encodings in pkcs7 plugin
2012-12-19 10:32:08 +01:00
Martin Willi
3c820cdc23
Implement PKCS#7 decryption using openssl
2012-12-19 10:32:08 +01:00
Martin Willi
2a87944a33
Make available wrapped certificates while verifying PKCS#7 signatures in openssl
2012-12-19 10:32:08 +01:00
Martin Willi
04884be3b5
Implement openssl PKCS#7 certificate enumeration
2012-12-19 10:32:08 +01:00
Martin Willi
e96d945dcd
Fix doxygen grouping regarding containers and PKCS#7
2012-12-19 10:32:08 +01:00
Martin Willi
36f2e11c70
Enable pkcs7 plugin when building scepclient on Android
2012-12-19 10:32:08 +01:00
Martin Willi
03ba8f9e8c
Move PKCS#9 attribute lists to pkcs7 plugin, as we currently use it there only
2012-12-19 10:32:08 +01:00
Martin Willi
804ba5bb50
Implement get_attribute() in openssl PKCS#7 backend
2012-12-19 10:32:08 +01:00
Martin Willi
063ae4e52a
Allocate data returned by pkcs7_t.get_attribute()
2012-12-19 10:32:08 +01:00
Martin Willi
c61723c69f
Implement OpenSSL PKCS#7 signed-data parsing and verification
2012-12-19 10:32:08 +01:00
Martin Willi
568ad938d1
Add a stub for OpenSSL PKCS#7 parsing
2012-12-19 10:32:08 +01:00
Martin Willi
1865fb929a
Remove unused monolithic PKCS#7 code
2012-12-19 10:32:08 +01:00
Martin Willi
6d21c61a09
Fix encryption algorithm/key size argument processing in PKCS#7 enveloped-data
2012-12-19 10:32:08 +01:00
Martin Willi
ee97055835
Properly clone PKCS#7 attributes passed to builder
2012-12-19 10:32:08 +01:00
Martin Willi
8ccf5a4731
Fix enum names for container_type_t
2012-12-19 10:32:08 +01:00
Martin Willi
9e967d7dda
Add an enumerator for PKCS#7 contained certificates
2012-12-19 10:32:08 +01:00
Martin Willi
d3d706f4fc
Add a getter for signed PKCS#7 attributes
2012-12-19 10:32:08 +01:00
Martin Willi
b95b4730f5
Support multiple signerInfos while parsing PKCS#7 signed-data
2012-12-19 10:32:07 +01:00
Martin Willi
5d932e4f01
Support encoding of PKCS#7 enveloped-data containers
2012-12-19 10:32:07 +01:00
Martin Willi
32745a28cf
Support encoding of PKCS#7 signed-data containers
2012-12-19 10:32:07 +01:00
Martin Willi
3c2986bf0a
Support encoding of PKCS#7 "data" containers
2012-12-19 10:32:07 +01:00
Martin Willi
637a8abb72
Add builder parts to generate PKCS#7 containers
2012-12-19 10:32:07 +01:00
Martin Willi
d7aa09104f
Implement PKCS#7 enveloped-data parsing and decryption
2012-12-19 10:32:07 +01:00
Martin Willi
98bbe0760f
Implement PKCS#7 signed-data parsing and verification
2012-12-19 10:32:07 +01:00
Martin Willi
83ed1464e3
Implement PKCS#7 "data" content type parsing
2012-12-19 10:32:07 +01:00
Martin Willi
ed1c430334
certificate_t.has_subject() matches for certificate serialNumber
2012-12-19 10:32:07 +01:00
Martin Willi
9de6a7a85c
Implement generic PKCS#7 contentInfo parsing
2012-12-19 10:32:07 +01:00
Martin Willi
bd20f040fd
Add a plugin stub for PKCS#7 containers
2012-12-19 10:32:07 +01:00
Martin Willi
692f560546
Add container plugin features
2012-12-19 10:32:07 +01:00
Martin Willi
fc67a932ba
Add a generic interface for crypto containers and a more specific PKCS#7 interface
2012-12-19 10:32:07 +01:00
Martin Willi
67ca44ccbd
Rebuild PKCS#9 encoding after adding new attributes
2012-12-19 10:32:07 +01:00
Martin Willi
60c9b5da8d
Don't store additional encoding for each PKCS#9 attribute
2012-12-19 10:32:07 +01:00
Martin Willi
7f9fedc9bd
Unify PKCS#9 set_attribute* methods to a single add_attribute
This way the PKCS#9 implementation does not have to know
the encoding types for values
2012-12-19 10:32:07 +01:00
Martin Willi
c1005c120c
PKCS#9 coding style cleanups
2012-12-19 10:32:07 +01:00
Martin Willi
f0c02e27c4
Remove external build_encoding method in PKCS#9
2012-12-19 10:32:07 +01:00
Martin Willi
4185c64464
Use a ./configure check to detect pthread spinlock availability
_POSIX_SPIN_LOCKS does not seem to be defined correctly on all
systems (Debian libc 2.3.6). Fixes #262.
2012-12-18 09:51:33 +01:00
Martin Willi
b091d80aff
Replace optionsfrom LGPLv2 header by a GPLv2
2012-11-30 18:00:39 +01:00
Martin Willi
7277e4719e
Consolidated %any(6) host_t parsing
2012-11-29 10:22:52 +01:00
Martin Willi
98d0fd25a8
Remove numeric conversion from resolver, it is done directly in host_t
2012-11-29 10:22:52 +01:00
Martin Willi
47f35b46a1
host_create_from_dns() tries a numeric conversion before asking resolver
2012-11-29 10:22:51 +01:00
Martin Willi
f5fe52bf9a
Add a host_t constructor from string, but with a specific family
2012-11-29 10:22:51 +01:00
Andreas Steffen
48b23d06a8
allow the optional sharing of RSA private keys
2012-11-22 00:34:42 +01:00
Andreas Steffen
76bd0d7c1f
overwrite sensitive prime with zeroes
2012-11-18 22:55:22 +01:00
Andreas Steffen
168ee460c6
implemented generation of safe primes
2012-11-18 19:22:31 +01:00
Martin Willi
1e5e1fb685
libstrongswan can be initialized more than once
2012-11-14 10:14:31 +01:00
Andreas Steffen
9901207a09
transmit Product Vendor ID if known
2012-10-31 20:29:36 +01:00
Andreas Steffen
3e765dad95
added some Linux OS PENs
2012-10-31 14:53:01 +01:00
Andreas Steffen
12d68762f7
issue warning if sqlite finalize is missing
2012-10-26 13:22:02 +02:00
Martin Willi
828cefc313
Fix RSA encryption padding terminator in gmp plugin, broken with 5025135f
2012-10-24 20:26:10 +02:00
Tobias Brunner
bca34c3717
Moved utils.[ch] to utils folder
2012-10-24 16:07:53 +02:00
Tobias Brunner
f9625952ad
Moved settings_t to utils folder
2012-10-24 16:00:51 +02:00
Tobias Brunner
f05b427265
Moved debug.[ch] to utils folder
2012-10-24 16:00:51 +02:00
Tobias Brunner
d5c143e5be
Moved enum_name_t to utils folder
2012-10-24 16:00:50 +02:00
Tobias Brunner
125b37af6d
Moved chunk_t to utils folder
2012-10-24 16:00:50 +02:00
Tobias Brunner
05e448c5cc
Moved printf hooks to utils folder
2012-10-24 16:00:50 +02:00
Tobias Brunner
08944b68ac
Moved integrity_checker_t to utils folder
2012-10-24 16:00:50 +02:00
Tobias Brunner
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
Tobias Brunner
fdee6b5f5a
Moved packet_t and tun_device_t to networking folder
2012-10-24 15:06:18 +02:00
Tobias Brunner
2e7cc07ecd
Moved host_t and host_resolver_t to a new networking subfolder
2012-10-24 15:06:18 +02:00
Martin Willi
fd6c0c8fb4
Add a traffic selector constructor creating a TS directly from a CIDR string
2012-10-24 13:25:02 +02:00
Martin Willi
712e81306f
PKCS#11 library search using keyid uses a fallback to look for certificates
2012-10-24 13:07:54 +02:00
Martin Willi
434902b302
Add a strongswan.conf option to disable loading of all certificates from a pkcs11 module
2012-10-24 13:07:53 +02:00
Martin Willi
36e47a409b
Explicit pkcs11 certificate loading can enforce a module and a slot
2012-10-24 13:07:53 +02:00
Martin Willi
5d4c27d077
Be less verbose if loading PKCS#11 certificate fails
2012-10-24 13:07:53 +02:00
Martin Willi
fbd3863571
Add a builder to load specific pkcs11 certificates by keyid
2012-10-24 13:07:52 +02:00
Martin Willi
ffe42fa405
If no pkcs11 public key for a private key found, search for a certificate
2012-10-24 13:07:52 +02:00
Martin Willi
44fdc62f82
Move pkcs11 public key lookup function declaration to header file
2012-10-24 13:07:52 +02:00
Martin Willi
60e59b7e7f
Add proposal keywords to explicitly specify PRF algorithms
2012-10-24 11:49:36 +02:00
Martin Willi
2232d88569
Support field width specifiers in %N printf hook
2012-10-24 11:34:30 +02:00
Tobias Brunner
3c4d383443
Added an option to reload certificates from PKCS#11 tokens on SIGHUP
2012-10-18 14:42:09 +02:00
Tobias Brunner
ca1c2ee281
Copy the name of pkcs11_library_t objects
Strings returned by settings_t.create_section_enumerator will be freed
when the config is reloaded.
2012-10-18 14:42:09 +02:00
Tobias Brunner
25a413cb96
Use a shortcut to resolve numeric IP addresses (no need for separate threads)
2012-10-18 12:27:32 +02:00
Tobias Brunner
d377556863
Use native threads in host resolver so that it works even if processor has no threads
2012-10-18 12:26:49 +02:00
Tobias Brunner
b4f6c39e55
Terminate unused resolver threads after a timeout
2012-10-18 12:26:00 +02:00
Tobias Brunner
49e2d109a3
Only create more threads if needed in host_resolver_t
2012-10-18 12:26:00 +02:00
Tobias Brunner
eecd41e349
Use a helper function to add milliseconds to timeval structs
2012-10-18 12:25:59 +02:00
Tobias Brunner
292d8f41c3
Resolve hosts by DNS name in separate threads so we can cancel them
getaddrinfo(3) may block a long time so proper termination of the daemon may
block if DNS servers are not reachable.
getaddrinfo(3) is an optional cancellation point in posix threads so it
might still block a shutdown but at least on Android (with the signal based
pthread_cancel implementation) it works, on Linux starter will kill charon
anyway after a while.
2012-10-18 10:57:55 +02:00
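The shutdown problem described in commit 292d8f41c3, as an added example that is not strongSwan's host_resolver_t: a resolver runs in its own thread, and on daemon shutdown the thread is cancelled and joined instead of waiting out the blocking call. Because getaddrinfo(3) is only an optional cancellation point, the blocking call is replaced here by sleep(3), which is a required cancellation point, so the demonstration is deterministic; the 100 ms settle time and the "finished in under half the block time" criterion are assumptions of the example. On glibc older than 2.34, link with -lpthread.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <time.h>
#include <unistd.h>

/* Stand-in for the blocking resolver call. A real thread would call
 * getaddrinfo(3) and return the resolved host; sleep(3) blocks just as
 * unreachable DNS servers would, and is guaranteed to honour cancellation. */
static void *resolver_thread(void *arg)
{
    unsigned int *block_seconds = arg;
    sleep(*block_seconds);                     /* deferred cancellation lands here */
    return NULL;
}

static double seconds_since(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (double)(now.tv_sec - start->tv_sec)
         + (double)(now.tv_nsec - start->tv_nsec) / 1e9;
}

/* Start a resolver thread, then do what the daemon does on shutdown: cancel
 * and join it. Returns 1 if the thread reported cancellation and shutdown
 * completed in well under the time the blocking call would have taken. */
int shutdown_cancels_resolver(unsigned int block_seconds)
{
    pthread_t tid;
    void *result = NULL;
    struct timespec start;
    struct timespec settle = { 0, 100 * 1000 * 1000 };   /* 100 ms, assumed */

    clock_gettime(CLOCK_MONOTONIC, &start);
    if (pthread_create(&tid, NULL, resolver_thread, &block_seconds) != 0) {
        return 0;
    }
    nanosleep(&settle, NULL);                  /* let the thread reach sleep() */
    if (pthread_cancel(tid) != 0 || pthread_join(tid, &result) != 0) {
        return 0;
    }
    return result == PTHREAD_CANCELED
        && seconds_since(&start) < (double)block_seconds / 2;
}
```

Cancellation is a cooperative mechanism: if the blocking function in the thread is not a cancellation point on the platform in use, the join still waits for it to return, which is why the commit message notes that starter kills charon after a while on Linux as a backstop.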
Andreas Steffen
7f5675c8e5
check length of hex-encoded IV
2012-10-07 17:07:35 +02:00