Tobias Brunner
190a278854
plugin-loader: Optionally use load option in each plugin section to load plugins
...
This now works because all plugins use the same config namespace.
If <ns>.load_modular is true, the list of plugins to load is determined
via the value of the <ns>.plugins.<name>.load options.
Using includes the following is possible:
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
charon-cmd {
load_modular = yes
plugins {
include strongswan.d/charon-cmd/*.conf
}
}
Where each .conf file would contain something like:
<name> {
load = yes
<option> = <value>
}
To increase the priority of individual plugins load = <priority> can be
used (the default is 1). For instance, to use openssl instead of the
built-in crypto plugins set in strongswan.d/charon/openssl.conf:
openssl {
load = 10
}
If two plugins have the same priority their order in the default plugin
list is preserved. Plugins not found in that list are ordered
alphabetically before other plugins with the same priority.
2014-02-12 14:34:33 +01:00
Tobias Brunner
8dc6e71632
lib: All settings use configured namespace
2014-02-12 14:34:32 +01:00
Martin Willi
7707357227
rdrand: Provide get_features() regardless of RDRAND availability
...
As having no get_features() raises a deprecated warning, we return no features
instead.
2014-02-10 11:22:16 +01:00
Martin Willi
144f1d7041
rdrand: Move RDRAND detection log to level 2
...
When having RDRAND support, these log messages might be confusing when using
pki or other tools.
2014-02-10 11:07:50 +01:00
Martin Willi
88fa7f62be
pem: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
Tobias Brunner
72a92d4f7d
curl: Replace spaces in URIs with %20
...
cURL requires the URIs to be URL-encoded. Apparently, some CAs encode CRL
URIs with spaces in them.
Fixes #454 .
2014-01-23 10:19:30 +01:00
Tobias Brunner
54ca25800c
agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket
...
This is also required if charon-cmd is used with capability dropping.
2014-01-23 10:08:23 +01:00
Andreas Steffen
84814a6b7c
min_MGF_hash_calls parameter is not needed anymore
2013-12-07 23:54:53 +01:00
Andreas Steffen
5da659523e
Optimized MGF1 implementation
2013-12-07 23:29:04 +01:00
Andreas Steffen
abd4797dc1
Implemented ntru_trits class
2013-12-07 23:27:59 +01:00
Andreas Steffen
a978a8194d
Streamlined DRBG and MGF1 debug output
2013-12-07 00:21:28 +01:00
Andreas Steffen
fdc6c682b2
Added own MGF1 mask generating function
2013-12-05 22:55:47 +01:00
Tobias Brunner
d5a0abfa92
unit-tests: Export ntru_drbg_create as testable function so no linking is required
...
This way the plugin does not have to be linked explicitly to the test
runner, which otherwise would require that the plugin is either always
enabled to build the tests or that ifdefs are added to the Makefile.
2013-12-04 20:32:59 +01:00
Tobias Brunner
a24eec4649
unit-tests: Move ntru_test_rng_t to a utility class in libtest
2013-12-04 20:32:59 +01:00
Tobias Brunner
3e8a44c2aa
ntru: Fix compiler warning caused by ++/-- on righthand side of an assignment
...
The behavior of stuff like x = --x; (or x++) is not defined.
2013-12-04 20:32:59 +01:00
Andreas Steffen
7d5b9e81a4
Added DRBG automatic reseeding tests
2013-11-27 20:21:41 +01:00
Andreas Steffen
5443762491
Use strongSwan hash plugins for SHA-1 and SHA-256
2013-11-27 20:21:41 +01:00
Andreas Steffen
a7047cda59
Cleaned up ntru-crypto library
2013-11-27 20:21:41 +01:00
Andreas Steffen
98c6421674
Implemented NIST SP 800-90A DRBG_HMAC with SHA-256
2013-11-27 20:21:41 +01:00
Andreas Steffen
9013973cc8
unit-tests: Added ntru wrong ciphertext test
2013-11-27 20:21:41 +01:00
Andreas Steffen
885e699b58
unit-tests: Added ntru entropy, retransmission and ciphertext tests
2013-11-27 20:21:41 +01:00
Andreas Steffen
802eaf3789
Any of the four NTRU parameter sets can be selected
2013-11-27 20:21:41 +01:00
Andreas Steffen
1f73969eb5
Make the NTRU parameter set configurable
2013-11-27 20:21:41 +01:00
Andreas Steffen
2c620cb089
unit-tests: first NTRU test case
2013-11-27 20:21:40 +01:00
Andreas Steffen
146ad86be5
Prototype implementation of IKE key exchange via NTRU encryption
2013-11-27 20:21:40 +01:00
Tobias Brunner
3bff80aee3
openssl: Verify that a peer's ECDH public value is a point on the elliptic curve
...
This check is mandated by RFC 6989. Since we don't reuse DH secrets,
it is mostly a sanity check.
2013-11-19 15:00:28 +01:00
Andreas Steffen
b63246c5db
Implemented libstrongswan.plugins.random.strong_equals_true option
2013-11-16 00:11:40 +01:00
Tobias Brunner
8d2450d8b8
plugin-loader: Convenience function added to add plugin dirs in build tree
2013-11-06 10:31:07 +01:00
Tobias Brunner
71c9565a3a
pki: Replace BUILD_FROM_FD with passing a chunk via BUILD_BLOB
...
This allows more than one builder to try parsing the data read from STDIN.
2013-10-23 17:20:39 +02:00
Tobias Brunner
606aae3aa1
openssl: Add workaround if ECC Brainpool curves are not defined
2013-10-17 13:36:08 +02:00
Tobias Brunner
3c29d2822f
openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL
...
OpenSSL does not include them in releases before 1.0.2.
2013-10-17 13:36:08 +02:00
Tobias Brunner
0f6f7ba22c
ccm: Add missing comma in get_iv_gen method signature
2013-10-11 17:42:25 +02:00
Tobias Brunner
50bd28d549
iv_gen: aead_t implementations provide an IV generator
2013-10-11 15:55:40 +02:00
Tobias Brunner
6ecf1aab35
unbound: Add support for DLV (DNSSEC Lookaside Validation)
...
Fixes #392 .
2013-10-11 15:45:25 +02:00
Tobias Brunner
b283a6e9ef
database: Add support for serializable transactions
2013-10-11 15:29:10 +02:00
Tobias Brunner
fad11d602d
sqlite: Implement transaction handling
2013-10-11 15:16:05 +02:00
Tobias Brunner
f3cb889c9b
mysql: Implement transaction handling
2013-10-11 15:16:04 +02:00
Tobias Brunner
947b76cda8
database: Add interface to handle transactions
2013-10-11 15:16:04 +02:00
Tobias Brunner
5f6a40827e
mysql: Ensure connections are properly released in multi-threaded environments
2013-10-11 15:16:04 +02:00
Tobias Brunner
e2c9a03d15
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
2013-10-11 15:13:25 +02:00
Tobias Brunner
c8f34ba7b6
openssl: Properly log FIPS mode when enabled via openssl.conf
...
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).
Either way, we should log whether FIPS mode is enabled or not.
References #412 .
2013-09-27 09:24:03 +02:00
Tobias Brunner
075e80368b
sshkey: Add support for parsing keys from files
2013-09-13 15:23:49 +02:00
Tobias Brunner
b2a5317596
sshkey: Add encoding for ECDSA keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
d6b3cc87ca
openssl: Add support for generic encoding of EC public keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
f40e9f4d16
sshkey: Add encoder for RSA keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
3b939e20a9
openssl: Add generic RSA public key encoding
2013-09-13 15:23:49 +02:00
Tobias Brunner
b5cc7053c8
openssl: Add helper function to convert BIGNUMs to chunks
2013-09-13 15:23:49 +02:00
Martin Willi
83a0b74da8
keychain: be less verbose when loading certificates
2013-07-31 11:41:16 +02:00
Tobias Brunner
8f1b44b40c
keychain: Use AM_CPPFLAGS instead of INCLUDES
2013-07-19 09:01:39 +02:00
Martin Willi
4d7a762871
credmgr: introduce a hook function to catch trust chain validation errors
2013-07-18 16:00:30 +02:00