Tobias Brunner
cb38e2f30a
Add test vectors for RC2
2013-05-08 15:02:38 +02:00
Tobias Brunner
9d4fc8677f
Add implementation of the RC2 block cipher (RFC 2268)
2013-05-08 15:02:34 +02:00
Tobias Brunner
4076e3ee91
Extract PKCS#5 handling from pkcs8 plugin to separate helper class
2013-05-08 14:53:08 +02:00
Tobias Brunner
e07e489d5f
agent: Use sshkey plugin to parse keys, adds support for ECDSA
2013-05-07 17:08:31 +02:00
Tobias Brunner
dd9e366814
sshkey: Add support for ECDSA keys
2013-05-07 17:08:31 +02:00
Tobias Brunner
cc4408abcb
sshkey: Added builder for SSHKEY RSA keys
2013-05-07 15:38:28 +02:00
Tobias Brunner
584d656b77
Add sshkey plugin stub that will parse RFC 4253 public keys
2013-05-07 14:08:51 +02:00
Tobias Brunner
2d7b55bf9b
openssl: Define a default for FIPS_MODE
2013-05-03 15:11:19 +02:00
Andreas Steffen
f4de6496a2
support of OpenSSL FIPS-140-2 library
2013-04-16 12:37:04 +02:00
Martin Willi
cf1696cab9
Allow SHA1_Init()/SHA1_Update() to fail if OpenSSL version >= 1.0
2013-04-10 18:10:30 +02:00
Martin Willi
b52771fbb2
Check RSA_public_decrypt() length before constructing and comparing a chunk
...
If decryption fails, it returns -1. chunk_equals() should catch that error,
but be more explicit in error checking.
2013-04-10 18:10:30 +02:00
Martin Willi
97d975b7bb
RSA_check_key() may return -1 if it fails
2013-04-10 18:10:30 +02:00
Martin Willi
96a09ce226
RAND_bytes/RAND_pseudo_bytes returns -1 if it is not supported by RAND method
2013-04-10 18:10:30 +02:00
Martin Willi
0faaab20cd
Check return value of ECDSA_Verify() correctly
2013-04-10 18:10:30 +02:00
Tobias Brunner
419a9a4fcd
Make some private functions in plugins static
...
Fixes monolithic build.
2013-03-27 07:32:55 +01:00
Tobias Brunner
5e551da16b
Properly cleanup libmysql
...
Seems to work correctly with recent MySQL versions.
2013-03-19 16:33:07 +01:00
Tobias Brunner
11adf114c1
Fixed Doxygen comments after scanning complete src directory
2013-03-02 18:31:53 +01:00
Tobias Brunner
4c969f7906
openssl: The EVP GCM interface requires at least OpenSSL 1.0.1
2013-03-01 16:57:45 +01:00
Tobias Brunner
81f9cd39fd
openssl: Provide AES-GCM implementation
2013-02-28 18:17:42 +01:00
Tobias Brunner
5f7f4fa398
Order of arguments in Doxygen comment fixed
2013-02-28 18:17:42 +01:00
Tobias Brunner
0d237763dc
openssl: Disable PKCS#7/CMS when building against OpenSSL < 0.9.8g
...
Fixes #292 .
2013-02-20 18:34:54 +01:00
Andreas Steffen
a4ddc0bb26
Encode RSA public keys in RFC 3110 DNSKEY format
2013-02-19 12:25:00 +01:00
Andreas Steffen
f2145c8d3a
Moved configuration from resolver manager to unbound plugin
...
Also streamlined log messages in unbound plugin.
2013-02-19 12:25:00 +01:00
Reto Guadagnini
cfd07978d0
unbound: Implementation of query method of unbound_resolver_t
2013-02-19 11:57:21 +01:00
Reto Guadagnini
5a4126b490
unbound: Implemented resolver_response_t as unbound_response_t
2013-02-19 11:57:21 +01:00
Reto Guadagnini
4a335a2164
unbound: Implemented rr_t as unbound_rr_t
2013-02-19 11:57:21 +01:00
Reto Guadagnini
9f963a7cfc
Added unbound plugin implementing the resolver interface using libunbound
2013-02-19 11:57:21 +01:00
Martin Willi
763e86c093
Use CURL_TIMEOUT and not CURL_CONNECTTIMEOUT for FETCHER_TIMEOUT in curl
...
This allows us to use this timeout beyond DNS resolution. For the initial
connect, we use a hardcoded timeout of 10s for now.
2013-02-08 11:08:06 +01:00
Tobias Brunner
a3a190b7bd
openssl: Properly honor OPENSSL_NO_* defines
2013-01-31 17:33:23 +01:00
Tobias Brunner
25637aa5d8
Fix Doxygen comment for rdrand plugin
2013-01-31 12:11:37 +01:00
Tobias Brunner
572a707765
Properly check MSB in openssl plugin's PKCS#7 implementation
2013-01-24 23:36:02 +01:00
Tobias Brunner
69c6a60176
g_thread_init() is deprecated since Glib 2.23
2013-01-24 19:13:40 +01:00
Martin Willi
1449e6dd55
Reseed rdrand after every 128bit sample only
2013-01-15 17:41:54 +01:00
Martin Willi
2cd6c5115b
Use raw opcodes for rdrand to build with older binutils
2013-01-11 10:45:14 +01:00
Martin Willi
19ae23452a
Provide RNG_TRUE quality in rdrand by mixing reseeded outputs using AES
2013-01-11 10:45:14 +01:00
Martin Willi
b9148ea232
Provide RNG_STRONG quality in rdrand by forcing PRNG reseed after every sample
2013-01-11 10:45:14 +01:00
Martin Willi
9fe24b004d
Provide RNG_WEAK quality random generator in rdrand
2013-01-11 10:45:14 +01:00
Martin Willi
ed8dc6f132
Add a rdrand plugin stub detecting availability of RDRAND instructions
2013-01-11 10:45:14 +01:00
Martin Willi
ff318ad3e1
Include opensslconf.h before checking its defines
2013-01-03 11:12:05 +01:00
Martin Willi
2b9e597b54
Don't build OpenSSL PKCS#7 code if OPENSSL_NO_CMS defined
2013-01-03 11:05:49 +01:00
Tobias Brunner
ef33a4ab82
Fixed some typos, courtesy of codespell
2012-12-20 09:35:26 +01:00
Martin Willi
0a344da291
Fix up serialNumber in openssl PKCS#7 if it has a leading MSB set
2012-12-19 10:32:08 +01:00
Martin Willi
71dd4e7895
Don't handle PKCS#7 containers with infinite length encodings in pkcs7 plugin
2012-12-19 10:32:08 +01:00
Martin Willi
3c820cdc23
Implement PKCS#7 decryption using openssl
2012-12-19 10:32:08 +01:00
Martin Willi
2a87944a33
Make available wrapped certificates while verifying PKCS#7 signatures in openssl
2012-12-19 10:32:08 +01:00
Martin Willi
04884be3b5
Implement openssl PKCS#7 certficiate enumeration
2012-12-19 10:32:08 +01:00
Martin Willi
e96d945dcd
Fix doxygen grouping regarding containers and PKCS#7
2012-12-19 10:32:08 +01:00
Martin Willi
03ba8f9e8c
Move PKCS#9 attribute lists to pkcs7 plugin, as we currently use it there only
2012-12-19 10:32:08 +01:00
Martin Willi
804ba5bb50
Implement get_attribute() in openssl PKCS#7 backend
2012-12-19 10:32:08 +01:00
Martin Willi
063ae4e52a
Allocate data returned by pkcs7_t.get_attribute()
2012-12-19 10:32:08 +01:00
Martin Willi
c61723c69f
Implement OpenSSL PKCS#7 signed-data parsing and verification
2012-12-19 10:32:08 +01:00
Martin Willi
568ad938d1
Add a stub for OpenSSL PKCS#7 parsing
2012-12-19 10:32:08 +01:00
Martin Willi
6d21c61a09
Fix encryption algorithm/key size argument processing in PKCS#7 enveloped-data
2012-12-19 10:32:08 +01:00
Martin Willi
ee97055835
Properly clone PKCS#7 attributes passed to builder
2012-12-19 10:32:08 +01:00
Martin Willi
9e967d7dda
Add an enumerator for PKCS#7 contained certificates
2012-12-19 10:32:08 +01:00
Martin Willi
d3d706f4fc
Add a getter for signed PKCS#7 attributes
2012-12-19 10:32:08 +01:00
Martin Willi
b95b4730f5
Support multiple signerInfos while parsing PKCS#7 signed-data
2012-12-19 10:32:07 +01:00
Martin Willi
5d932e4f01
Support encoding of PKCS#7 enveloped-data containers
2012-12-19 10:32:07 +01:00
Martin Willi
32745a28cf
Support encoding of PKCS#7 signed-data containers
2012-12-19 10:32:07 +01:00
Martin Willi
3c2986bf0a
Support encoding of PKCS#7 "data" containers
2012-12-19 10:32:07 +01:00
Martin Willi
d7aa09104f
Implement PKCS#7 enveloped-data parsing and decryption
2012-12-19 10:32:07 +01:00
Martin Willi
98bbe0760f
Implement PKCS#7 signed-data parsing and verification
2012-12-19 10:32:07 +01:00
Martin Willi
83ed1464e3
Implement PKCS#7 "data" content type parsing
2012-12-19 10:32:07 +01:00
Martin Willi
ed1c430334
certificate_t.has_subject() matches for certificate serialNumber
2012-12-19 10:32:07 +01:00
Martin Willi
9de6a7a85c
Implement generic PKCS#7 contentInfo parsing
2012-12-19 10:32:07 +01:00
Martin Willi
bd20f040fd
Add a plugin stub for PKCS#7 containers
2012-12-19 10:32:07 +01:00
Martin Willi
692f560546
Add container plugin features
2012-12-19 10:32:07 +01:00
Andreas Steffen
48b23d06a8
allow the optional sharing if RSA private keys
2012-11-22 00:34:42 +01:00
Andreas Steffen
76bd0d7c1f
overwrite sensitive prime with zeroes
2012-11-18 22:55:22 +01:00
Andreas Steffen
168ee460c6
implemented generation of safe primes
2012-11-18 19:22:31 +01:00
Andreas Steffen
12d68762f7
issue warning if sqlite finalize is missing
2012-10-26 13:22:02 +02:00
Martin Willi
828cefc313
Fix RSA encryption padding terminator in gmp plugin, broken with 5025135f
2012-10-24 20:26:10 +02:00
Tobias Brunner
f05b427265
Moved debug.[ch] to utils folder
2012-10-24 16:00:51 +02:00
Tobias Brunner
d5c143e5be
Moved enum_name_t to utils folder
2012-10-24 16:00:50 +02:00
Tobias Brunner
125b37af6d
Moved chunk_t to utils folder
2012-10-24 16:00:50 +02:00
Tobias Brunner
08944b68ac
Moved integrity_checker_t to utils folder
2012-10-24 16:00:50 +02:00
Tobias Brunner
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
Martin Willi
712e81306f
PKCS#11 library search using keyid uses a fallback to look for certificates
2012-10-24 13:07:54 +02:00
Martin Willi
434902b302
Add a strongswan.conf option to disable loading of all certificates from a pkcs11 module
2012-10-24 13:07:53 +02:00
Martin Willi
36e47a409b
Explicit pkcs11 certificate loading can enforce a module and a slot
2012-10-24 13:07:53 +02:00
Martin Willi
5d4c27d077
Be less verbose if loading PKCS#11 certificate fails
2012-10-24 13:07:53 +02:00
Martin Willi
fbd3863571
Add a builder to load specific pkcs11 certificates by keyid
2012-10-24 13:07:52 +02:00
Martin Willi
ffe42fa405
If no pkcs11 public key for a private key found, search for a certificate
2012-10-24 13:07:52 +02:00
Martin Willi
44fdc62f82
Move pkcs11 public key lookup function declaration to header file
2012-10-24 13:07:52 +02:00
Tobias Brunner
3c4d383443
Added an option to reload certificates from PKCS#11 tokens on SIGHUP
2012-10-18 14:42:09 +02:00
Tobias Brunner
ca1c2ee281
Copy the name of pkcs11_library_t objects
...
Strings returned by settings_t.create_section_enumerator will be freed
when the config is reloaded.
2012-10-18 14:42:09 +02:00
Andreas Steffen
7f5675c8e5
check length of hex-encoded IV
2012-10-07 17:07:35 +02:00
Tobias Brunner
a05f3b2021
Make sure first argument is an int when using %.*s to print e.g. chunks
2012-09-28 18:01:49 +02:00
Tobias Brunner
10b116aa13
Properly initialize chunk for extension OID when parsing CRLs
2012-09-28 15:41:32 +02:00
Tobias Brunner
9fa335cb1b
Properly cleanup varargs in LDAP fetcher's set_option()
2012-09-28 15:13:17 +02:00
Tobias Brunner
b5835ee530
Properly cleanup varargs in enumerators of both SQL backends
2012-09-28 15:10:29 +02:00
Martin Willi
7b68cd9212
Add strongswan.conf runtime options for /dev/[u]random files
...
Fixes #221 .
2012-09-10 17:07:51 +02:00
Tobias Brunner
3570c43968
openssl: Fix registration of the PUBKEY builder
...
libtls drops support for RSA suites if it does not find an RSA backend
(final builder for RSA public keys).
2012-08-18 17:49:57 +02:00
Tobias Brunner
a9f169f699
Don't require PLUGINDIR to be defined.
...
If it is not available, we just load monolithically built plugins.
2012-08-08 15:07:42 +02:00
Martin Willi
7c6d6b0d89
PEM loading soft-depends on MD5 only, as unencrypted files don't need MD5
...
Fixes #211 .
2012-08-03 15:25:17 +02:00
Martin Willi
5d2698dd62
Add a SHA1 test vector forcing padding over block boundary
2012-07-18 15:10:29 +02:00
Martin Willi
610f90a8b9
Use centralized hasher names in openssl plugin
2012-07-17 17:32:00 +02:00
Martin Willi
082b0d7249
Support void return values in OpenSSL 0.9.8 HMAC functions
2012-07-17 10:58:53 +02:00
Martin Willi
3aca89c8e6
Resetting OpenSSL HMAC with NULL key reuses existing key
2012-07-16 14:55:07 +02:00
Martin Willi
9138f49e6a
Make sure HMAC_Init is called before HMAC_Update, fixes crash
2012-07-16 14:55:07 +02:00
Martin Willi
ae4411547a
Check and forward syscall errors in AF_ALG
2012-07-16 14:55:07 +02:00
Martin Willi
e3b2e900e6
Add a return value to hasher_t.reset()
2012-07-16 14:55:06 +02:00
Martin Willi
87dd205b61
Add a return value to hasher_t.allocate_hash()
2012-07-16 14:55:06 +02:00
Martin Willi
8bd6a30af1
Add a return value to hasher_t.get_hash()
2012-07-16 14:55:06 +02:00
Martin Willi
ce73fc19db
Add a return value to crypter_t.set_key()
2012-07-16 14:53:38 +02:00
Martin Willi
3b96189a2a
Add a return value to crypter_t.decrypt()
2012-07-16 14:53:38 +02:00
Martin Willi
e35abbe588
Add a return value to crypter_t.encrypt
2012-07-16 14:53:37 +02:00
Martin Willi
6ac8d861d9
Add a return value to mac_t.set_key()
2012-07-16 14:53:37 +02:00
Martin Willi
27e1eabbb5
Add a return value to mac_t.get_bytes()
2012-07-16 14:53:37 +02:00
Tobias Brunner
99dc3d2c15
Check rng return value when seeding OpenSSL RNG
2012-07-16 14:53:36 +02:00
Tobias Brunner
1f5291b1ce
Check rng return value when generating DH secret in gcrypt plugin
2012-07-16 14:53:36 +02:00
Tobias Brunner
5025135f70
Check rng return value when generating DH secrets and primes in gmp plugin
2012-07-16 14:53:35 +02:00
Tobias Brunner
ae56e1eb97
Check rng return value when generating OCSP nonces
2012-07-16 14:53:35 +02:00
Tobias Brunner
ce024c1662
Relay rng return value in nonce plugin
2012-07-16 14:53:34 +02:00
Tobias Brunner
39e807728e
RNGs' get_bytes and allocate_bytes return boolean
2012-07-16 14:53:34 +02:00
Reto Buerki
605985d122
Nonce: Let get_nonce, allocate_nonce return boolean
2012-07-16 14:53:34 +02:00
Martin Willi
f3ca96b2bf
Add a return value to prf_t.set_key()
2012-07-16 14:53:34 +02:00
Martin Willi
ecc080b393
Add a return value to prf_t.allocate_bytes()
2012-07-16 14:53:34 +02:00
Martin Willi
bc47488323
Add a return value to prf_t.get_bytes()
2012-07-16 14:53:33 +02:00
Martin Willi
2d56575d52
Add a return value to signer_t.set_key()
2012-07-16 14:53:33 +02:00
Martin Willi
2e96de60a8
Add a return value to signer_t.get_signature()
2012-07-16 14:53:33 +02:00
Martin Willi
cbfbba7d86
Add a return value to signer_t.allocate_signature()
2012-07-16 14:53:32 +02:00
Martin Willi
ad08730a4b
Add a return value to aead_t.set_key()
2012-07-16 14:53:32 +02:00
Martin Willi
e2ed7bfd22
Add a return value to aead_t.encrypt()
2012-07-16 14:53:32 +02:00
Tobias Brunner
d15975c7f2
Added PLUGIN_NOOP to separate PLUGIN_PROVIDE from previous CALLBACK/REGISTER entries
2012-07-12 16:54:03 +02:00
Tobias Brunner
901dbc1077
openssl: Ensure the thread ID is never zero
...
This might otherwise cause problems because OpenSSL tries to lock
mutexes recursively if it assumes the lock is held by a different
thread e.g. during FIPS initialization.
2012-07-03 12:02:57 +02:00
Tobias Brunner
e516068965
Removed superfluous remove_hasher() call in md5 plugin
2012-06-29 16:23:20 +02:00
Tobias Brunner
8122ae8cd8
gcrypt: Register SHA1 first as HASH_PREFERRED depends on it
2012-06-27 11:31:16 +02:00
Tobias Brunner
26d77eb3e6
Centralized thread cancellation in processor_t
...
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.
callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t. The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
Tobias Brunner
18d21a57df
Added a method to plugin_loader_t to add 'static' plugin features
...
This allows daemons and other components to register plugin features
like those provided by plugins (following the same lifecycle).
The added features are internally handled like they were added by a
plugin.
2012-06-25 17:03:07 +02:00
Tobias Brunner
e07122436c
Make sure that all features of critical plugins are loaded
2012-06-25 17:03:07 +02:00
Tobias Brunner
738b9121cb
Use mac_t and PRF and signer wrappers in cmac plugin
2012-06-25 16:35:06 +02:00
Tobias Brunner
83cb52b044
Use mac_t and PRF and signer wrappers in xcbc plugin
2012-06-25 16:35:06 +02:00
Tobias Brunner
c4a3c9672a
Make the hmac_t interface a generic interface for message authentication codes
2012-06-25 16:35:06 +02:00
Tobias Brunner
228d096e42
Simplified creation of PRFs and signers in openssl and hmac plugins
2012-06-25 16:35:06 +02:00
Tobias Brunner
73d032e412
Use simple wrappers for HMAC based PRF and signer in openssl plugin
2012-06-25 16:35:06 +02:00
Tobias Brunner
63420c6e13
Use simple wrappers for HMAC based PRF and signer in hmac plugin
2012-06-25 16:35:06 +02:00
Tobias Brunner
8391c1d0b1
Refactored OpenSSL based HMAC implementation
2012-06-25 16:35:06 +02:00
Aleksandr Grinberg
54081897cf
Adding OpenSSL HMAC signer functions to openssl plugin
2012-06-25 16:35:05 +02:00
Aleksandr Grinberg
0504b0a09f
Adding OpenSSL HMAC pseudo random functions to openssl plugin
2012-06-25 16:35:05 +02:00
Aleksandr Grinberg
4faece7b1e
Adding OpenSSL random number functions to openssl plugin
2012-06-25 16:35:05 +02:00
Martin Willi
fd4ff11858
Add signature schemes to auth_cfg during trustchain validation
2012-06-12 14:24:49 +02:00
Martin Willi
a37f2d2006
certificate_t->issued_by takes an argument to receive signature scheme
2012-06-12 14:24:49 +02:00
Tobias Brunner
79d5c4f06b
Fixed return values of several functions (e.g. return FALSE for pointer types).
2012-05-31 17:39:04 +02:00
Martin Willi
060b508e0e
Fix boolean return value if an empty RSA signature is detected in gmp plugin
...
Fixes CVE-2012-2388.
2012-05-31 17:38:59 +02:00
Tobias Brunner
fda9f104b4
Fixed check for loaded plugins with feature types that are not compared exactly.
...
Previously e.g. RNGs with weaker strength would have overwritten stronger
ones.
2012-05-24 15:15:34 +02:00
Tobias Brunner
9eac6106d0
Use a hashtable to check for already loaded plugin features.
2012-05-23 17:50:05 +02:00
Tobias Brunner
a9cfd29c10
Hash function for plugin features added.
2012-05-23 17:50:05 +02:00
Tobias Brunner
816f7f238f
pkcs8: Initialize salt and IV properly.
2012-05-18 08:36:37 +02:00
Adrian-Ken Rueegsegger
04024b5de8
Add nonce plugin implementation
...
This nonce generator uses an RNG to generate nonces. The RNG quality is
currently set to RNG_WEAK which is the same value used in IKE init.
The plugin is enabled and thus built by default.
2012-05-18 08:15:40 +02:00