cb38e2f30a
Add test vectors for RC2
2013-05-08 15:02:38 +02:00
9d4fc8677f
Add implementation of the RC2 block cipher (RFC 2268)
2013-05-08 15:02:34 +02:00
4076e3ee91
Extract PKCS#5 handling from pkcs8 plugin to separate helper class
2013-05-08 14:53:08 +02:00
e07e489d5f
agent: Use sshkey plugin to parse keys, adds support for ECDSA
2013-05-07 17:08:31 +02:00
dd9e366814
sshkey: Add support for ECDSA keys
2013-05-07 17:08:31 +02:00
cc4408abcb
sshkey: Added builder for SSHKEY RSA keys
2013-05-07 15:38:28 +02:00
584d656b77
Add sshkey plugin stub that will parse RFC 4253 public keys
2013-05-07 14:08:51 +02:00
2d7b55bf9b
openssl: Define a default for FIPS_MODE
2013-05-03 15:11:19 +02:00
f4de6496a2
support of OpenSSL FIPS-140-2 library
2013-04-16 12:37:04 +02:00
cf1696cab9
Allow SHA1_Init()/SHA1_Update() to fail if OpenSSL version >= 1.0
2013-04-10 18:10:30 +02:00
b52771fbb2
Check RSA_public_decrypt() length before constructing and comparing a chunk
...
If decryption fails, it returns -1. chunk_equals() should catch that error,
but be more explicit in error checking.
2013-04-10 18:10:30 +02:00
97d975b7bb
RSA_check_key() may return -1 if it fails
2013-04-10 18:10:30 +02:00
96a09ce226
RAND_bytes/RAND_pseudo_bytes returns -1 if it is not supported by RAND method
2013-04-10 18:10:30 +02:00
0faaab20cd
Check return value of ECDSA_Verify() correctly
2013-04-10 18:10:30 +02:00
419a9a4fcd
Make some private functions in plugins static
...
Fixes monolithic build.
2013-03-27 07:32:55 +01:00
5e551da16b
Properly cleanup libmysql
...
Seems to work correctly with recent MySQL versions.
2013-03-19 16:33:07 +01:00
11adf114c1
Fixed Doxygen comments after scanning complete src directory
2013-03-02 18:31:53 +01:00
4c969f7906
openssl: The EVP GCM interface requires at least OpenSSL 1.0.1
2013-03-01 16:57:45 +01:00
81f9cd39fd
openssl: Provide AES-GCM implementation
2013-02-28 18:17:42 +01:00
5f7f4fa398
Order of arguments in Doxygen comment fixed
2013-02-28 18:17:42 +01:00
0d237763dc
openssl: Disable PKCS#7/CMS when building against OpenSSL < 0.9.8g
...
Fixes #292 .
2013-02-20 18:34:54 +01:00
a4ddc0bb26
Encode RSA public keys in RFC 3110 DNSKEY format
2013-02-19 12:25:00 +01:00
f2145c8d3a
Moved configuration from resolver manager to unbound plugin
...
Also streamlined log messages in unbound plugin.
2013-02-19 12:25:00 +01:00
cfd07978d0
unbound: Implementation of query method of unbound_resolver_t
2013-02-19 11:57:21 +01:00
5a4126b490
unbound: Implemented resolver_response_t as unbound_response_t
2013-02-19 11:57:21 +01:00
4a335a2164
unbound: Implemented rr_t as unbound_rr_t
2013-02-19 11:57:21 +01:00
9f963a7cfc
Added unbound plugin implementing the resolver interface using libunbound
2013-02-19 11:57:21 +01:00
763e86c093
Use CURL_TIMEOUT and not CURL_CONNECTTIMEOUT for FETCHER_TIMEOUT in curl
...
This allows us to use this timeout beyond DNS resolution. For the initial
connect, we use a hardcoded timeout of 10s for now.
2013-02-08 11:08:06 +01:00
a3a190b7bd
openssl: Properly honor OPENSSL_NO_* defines
2013-01-31 17:33:23 +01:00
25637aa5d8
Fix Doxygen comment for rdrand plugin
2013-01-31 12:11:37 +01:00
572a707765
Properly check MSB in openssl plugin's PKCS#7 implementation
2013-01-24 23:36:02 +01:00
69c6a60176
g_thread_init() is deprecated since Glib 2.23
2013-01-24 19:13:40 +01:00
1449e6dd55
Reseed rdrand after every 128bit sample only
2013-01-15 17:41:54 +01:00
2cd6c5115b
Use raw opcodes for rdrand to build with older binutils
2013-01-11 10:45:14 +01:00
19ae23452a
Provide RNG_TRUE quality in rdrand by mixing reseeded outputs using AES
2013-01-11 10:45:14 +01:00
b9148ea232
Provide RNG_STRONG quality in rdrand by forcing PRNG reseed after every sample
2013-01-11 10:45:14 +01:00
9fe24b004d
Provide RNG_WEAK quality random generator in rdrand
2013-01-11 10:45:14 +01:00
ed8dc6f132
Add a rdrand plugin stub detecting availability of RDRAND instructions
2013-01-11 10:45:14 +01:00
ff318ad3e1
Include opensslconf.h before checking its defines
2013-01-03 11:12:05 +01:00
2b9e597b54
Don't build OpenSSL PKCS#7 code if OPENSSL_NO_CMS defined
2013-01-03 11:05:49 +01:00
ef33a4ab82
Fixed some typos, courtesy of codespell
2012-12-20 09:35:26 +01:00
0a344da291
Fix up serialNumber in openssl PKCS#7 if it has a leading MSB set
2012-12-19 10:32:08 +01:00
71dd4e7895
Don't handle PKCS#7 containers with infinite length encodings in pkcs7 plugin
2012-12-19 10:32:08 +01:00
3c820cdc23
Implement PKCS#7 decryption using openssl
2012-12-19 10:32:08 +01:00
2a87944a33
Make available wrapped certificates while verifying PKCS#7 signatures in openssl
2012-12-19 10:32:08 +01:00
04884be3b5
Implement openssl PKCS#7 certficiate enumeration
2012-12-19 10:32:08 +01:00
e96d945dcd
Fix doxygen grouping regarding containers and PKCS#7
2012-12-19 10:32:08 +01:00
03ba8f9e8c
Move PKCS#9 attribute lists to pkcs7 plugin, as we currently use it there only
2012-12-19 10:32:08 +01:00
804ba5bb50
Implement get_attribute() in openssl PKCS#7 backend
2012-12-19 10:32:08 +01:00
063ae4e52a
Allocate data returned by pkcs7_t.get_attribute()
2012-12-19 10:32:08 +01:00
c61723c69f
Implement OpenSSL PKCS#7 signed-data parsing and verification
2012-12-19 10:32:08 +01:00
568ad938d1
Add a stub for OpenSSL PKCS#7 parsing
2012-12-19 10:32:08 +01:00
6d21c61a09
Fix encryption algorithm/key size argument processing in PKCS#7 enveloped-data
2012-12-19 10:32:08 +01:00
ee97055835
Properly clone PKCS#7 attributes passed to builder
2012-12-19 10:32:08 +01:00
9e967d7dda
Add an enumerator for PKCS#7 contained certificates
2012-12-19 10:32:08 +01:00
d3d706f4fc
Add a getter for signed PKCS#7 attributes
2012-12-19 10:32:08 +01:00
b95b4730f5
Support multiple signerInfos while parsing PKCS#7 signed-data
2012-12-19 10:32:07 +01:00
5d932e4f01
Support encoding of PKCS#7 enveloped-data containers
2012-12-19 10:32:07 +01:00
32745a28cf
Support encoding of PKCS#7 signed-data containers
2012-12-19 10:32:07 +01:00
3c2986bf0a
Support encoding of PKCS#7 "data" containers
2012-12-19 10:32:07 +01:00
d7aa09104f
Implement PKCS#7 enveloped-data parsing and decryption
2012-12-19 10:32:07 +01:00
98bbe0760f
Implement PKCS#7 signed-data parsing and verification
2012-12-19 10:32:07 +01:00
83ed1464e3
Implement PKCS#7 "data" content type parsing
2012-12-19 10:32:07 +01:00
ed1c430334
certificate_t.has_subject() matches for certificate serialNumber
2012-12-19 10:32:07 +01:00
9de6a7a85c
Implement generic PKCS#7 contentInfo parsing
2012-12-19 10:32:07 +01:00
bd20f040fd
Add a plugin stub for PKCS#7 containers
2012-12-19 10:32:07 +01:00
692f560546
Add container plugin features
2012-12-19 10:32:07 +01:00
48b23d06a8
allow the optional sharing if RSA private keys
2012-11-22 00:34:42 +01:00
76bd0d7c1f
overwrite sensitive prime with zeroes
2012-11-18 22:55:22 +01:00
168ee460c6
implemented generation of safe primes
2012-11-18 19:22:31 +01:00
12d68762f7
issue warning if sqlite finalize is missing
2012-10-26 13:22:02 +02:00
828cefc313
Fix RSA encryption padding terminator in gmp plugin, broken with 5025135f
2012-10-24 20:26:10 +02:00
f05b427265
Moved debug.[ch] to utils folder
2012-10-24 16:00:51 +02:00
d5c143e5be
Moved enum_name_t to utils folder
2012-10-24 16:00:50 +02:00
125b37af6d
Moved chunk_t to utils folder
2012-10-24 16:00:50 +02:00
08944b68ac
Moved integrity_checker_t to utils folder
2012-10-24 16:00:50 +02:00
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
712e81306f
PKCS#11 library search using keyid uses a fallback to look for certificates
2012-10-24 13:07:54 +02:00
434902b302
Add a strongswan.conf option to disable loading of all certificates from a pkcs11 module
2012-10-24 13:07:53 +02:00
36e47a409b
Explicit pkcs11 certificate loading can enforce a module and a slot
2012-10-24 13:07:53 +02:00
5d4c27d077
Be less verbose if loading PKCS#11 certificate fails
2012-10-24 13:07:53 +02:00
fbd3863571
Add a builder to load specific pkcs11 certificates by keyid
2012-10-24 13:07:52 +02:00
ffe42fa405
If no pkcs11 public key for a private key found, search for a certificate
2012-10-24 13:07:52 +02:00
44fdc62f82
Move pkcs11 public key lookup function declaration to header file
2012-10-24 13:07:52 +02:00
3c4d383443
Added an option to reload certificates from PKCS#11 tokens on SIGHUP
2012-10-18 14:42:09 +02:00
ca1c2ee281
Copy the name of pkcs11_library_t objects
...
Strings returned by settings_t.create_section_enumerator will be freed
when the config is reloaded.
2012-10-18 14:42:09 +02:00
7f5675c8e5
check length of hex-encoded IV
2012-10-07 17:07:35 +02:00
a05f3b2021
Make sure first argument is an int when using %.*s to print e.g. chunks
2012-09-28 18:01:49 +02:00
10b116aa13
Properly initialize chunk for extension OID when parsing CRLs
2012-09-28 15:41:32 +02:00
9fa335cb1b
Properly cleanup varargs in LDAP fetcher's set_option()
2012-09-28 15:13:17 +02:00
b5835ee530
Properly cleanup varargs in enumerators of both SQL backends
2012-09-28 15:10:29 +02:00
7b68cd9212
Add strongswan.conf runtime options for /dev/[u]random files
...
Fixes #221 .
2012-09-10 17:07:51 +02:00
3570c43968
openssl: Fix registration of the PUBKEY builder
...
libtls drops support for RSA suites if it does not find an RSA backend
(final builder for RSA public keys).
2012-08-18 17:49:57 +02:00
a9f169f699
Don't require PLUGINDIR to be defined.
...
If it is not available, we just load monolithically built plugins.
2012-08-08 15:07:42 +02:00
7c6d6b0d89
PEM loading soft-depends on MD5 only, as unencrypted files don't need MD5
...
Fixes #211 .
2012-08-03 15:25:17 +02:00
5d2698dd62
Add a SHA1 test vector forcing padding over block boundary
2012-07-18 15:10:29 +02:00
610f90a8b9
Use centralized hasher names in openssl plugin
2012-07-17 17:32:00 +02:00
082b0d7249
Support void return values in OpenSSL 0.9.8 HMAC functions
2012-07-17 10:58:53 +02:00
3aca89c8e6
Resetting OpenSSL HMAC with NULL key reuses existing key
2012-07-16 14:55:07 +02:00
9138f49e6a
Make sure HMAC_Init is called before HMAC_Update, fixes crash
2012-07-16 14:55:07 +02:00
ae4411547a
Check and forward syscall errors in AF_ALG
2012-07-16 14:55:07 +02:00
e3b2e900e6
Add a return value to hasher_t.reset()
2012-07-16 14:55:06 +02:00
87dd205b61
Add a return value to hasher_t.allocate_hash()
2012-07-16 14:55:06 +02:00
8bd6a30af1
Add a return value to hasher_t.get_hash()
2012-07-16 14:55:06 +02:00
ce73fc19db
Add a return value to crypter_t.set_key()
2012-07-16 14:53:38 +02:00
3b96189a2a
Add a return value to crypter_t.decrypt()
2012-07-16 14:53:38 +02:00
e35abbe588
Add a return value to crypter_t.encrypt
2012-07-16 14:53:37 +02:00
6ac8d861d9
Add a return value to mac_t.set_key()
2012-07-16 14:53:37 +02:00
27e1eabbb5
Add a return value to mac_t.get_bytes()
2012-07-16 14:53:37 +02:00
99dc3d2c15
Check rng return value when seeding OpenSSL RNG
2012-07-16 14:53:36 +02:00
1f5291b1ce
Check rng return value when generating DH secret in gcrypt plugin
2012-07-16 14:53:36 +02:00
5025135f70
Check rng return value when generating DH secrets and primes in gmp plugin
2012-07-16 14:53:35 +02:00
ae56e1eb97
Check rng return value when generating OCSP nonces
2012-07-16 14:53:35 +02:00
ce024c1662
Relay rng return value in nonce plugin
2012-07-16 14:53:34 +02:00
39e807728e
RNGs' get_bytes and allocate_bytes return boolean
2012-07-16 14:53:34 +02:00
605985d122
Nonce: Let get_nonce, allocate_nonce return boolean
2012-07-16 14:53:34 +02:00
f3ca96b2bf
Add a return value to prf_t.set_key()
2012-07-16 14:53:34 +02:00
ecc080b393
Add a return value to prf_t.allocate_bytes()
2012-07-16 14:53:34 +02:00
bc47488323
Add a return value to prf_t.get_bytes()
2012-07-16 14:53:33 +02:00
2d56575d52
Add a return value to signer_t.set_key()
2012-07-16 14:53:33 +02:00
2e96de60a8
Add a return value to signer_t.get_signature()
2012-07-16 14:53:33 +02:00
cbfbba7d86
Add a return value to signer_t.allocate_signature()
2012-07-16 14:53:32 +02:00
ad08730a4b
Add a return value to aead_t.set_key()
2012-07-16 14:53:32 +02:00
e2ed7bfd22
Add a return value to aead_t.encrypt()
2012-07-16 14:53:32 +02:00
d15975c7f2
Added PLUGIN_NOOP to separate PLUGIN_PROVIDE from previous CALLBACK/REGISTER entries
2012-07-12 16:54:03 +02:00
901dbc1077
openssl: Ensure the thread ID is never zero
...
This might otherwise cause problems because OpenSSL tries to lock
mutexes recursively if it assumes the lock is held by a different
thread e.g. during FIPS initialization.
2012-07-03 12:02:57 +02:00
e516068965
Removed superfluous remove_hasher() call in md5 plugin
2012-06-29 16:23:20 +02:00
8122ae8cd8
gcrypt: Register SHA1 first as HASH_PREFERRED depends on it
2012-06-27 11:31:16 +02:00
26d77eb3e6
Centralized thread cancellation in processor_t
...
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.
callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t. The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
18d21a57df
Added a method to plugin_loader_t to add 'static' plugin features
...
This allows daemons and other components to register plugin features
like those provided by plugins (following the same lifecycle).
The added features are internally handled like they were added by a
plugin.
2012-06-25 17:03:07 +02:00
e07122436c
Make sure that all features of critical plugins are loaded
2012-06-25 17:03:07 +02:00
738b9121cb
Use mac_t and PRF and signer wrappers in cmac plugin
2012-06-25 16:35:06 +02:00
83cb52b044
Use mac_t and PRF and signer wrappers in xcbc plugin
2012-06-25 16:35:06 +02:00
c4a3c9672a
Make the hmac_t interface a generic interface for message authentication codes
2012-06-25 16:35:06 +02:00
228d096e42
Simplified creation of PRFs and signers in openssl and hmac plugins
2012-06-25 16:35:06 +02:00
73d032e412
Use simple wrappers for HMAC based PRF and signer in openssl plugin
2012-06-25 16:35:06 +02:00
63420c6e13
Use simple wrappers for HMAC based PRF and signer in hmac plugin
2012-06-25 16:35:06 +02:00
8391c1d0b1
Refactored OpenSSL based HMAC implementation
2012-06-25 16:35:06 +02:00
54081897cf
Adding OpenSSL HMAC signer functions to openssl plugin
2012-06-25 16:35:05 +02:00
0504b0a09f
Adding OpenSSL HMAC pseudo random functions to openssl plugin
2012-06-25 16:35:05 +02:00
4faece7b1e
Adding OpenSSL random number functions to openssl plugin
2012-06-25 16:35:05 +02:00
fd4ff11858
Add signature schemes to auth_cfg during trustchain validation
2012-06-12 14:24:49 +02:00
a37f2d2006
certificate_t->issued_by takes an argument to receive signature scheme
2012-06-12 14:24:49 +02:00
79d5c4f06b
Fixed return values of several functions (e.g. return FALSE for pointer types).
2012-05-31 17:39:04 +02:00
060b508e0e
Fix boolean return value if an empty RSA signature is detected in gmp plugin
...
Fixes CVE-2012-2388.
2012-05-31 17:38:59 +02:00
fda9f104b4
Fixed check for loaded plugins with feature types that are not compared exactly.
...
Previously e.g. RNGs with weaker strength would have overwritten stronger
ones.
2012-05-24 15:15:34 +02:00
9eac6106d0
Use a hashtable to check for already loaded plugin features.
2012-05-23 17:50:05 +02:00
a9cfd29c10
Hash function for plugin features added.
2012-05-23 17:50:05 +02:00
816f7f238f
pkcs8: Initialize salt and IV properly.
2012-05-18 08:36:37 +02:00
04024b5de8
Add nonce plugin implementation
...
This nonce generator uses an RNG to generate nonces. The RNG quality is
currently set to RNG_WEAK which is the same value used in IKE init.
The plugin is enabled and thus built by default.
2012-05-18 08:15:40 +02:00
Tobias Brunner