16219 Commits

Author SHA1 Message Date
Andreas Steffen
087b027f88 testing: Converted ipv6/host2host-ikev1 to swanctl 2017-11-10 11:49:39 +01:00
Andreas Steffen
0a6f8644ef testing: Removed libipsec/rw-suite-b 2017-11-10 11:49:39 +01:00
Andreas Steffen
9375c9c9db testing: Converted libipsec/net2net-null to swanctl 2017-11-10 11:49:39 +01:00
Andreas Steffen
86d1b7a14d testing: Converted libipsec/net2net-cert-ipv6 to swanctl 2017-11-10 11:49:39 +01:00
Andreas Steffen
c3b8778fc9 testing: Converted libipsec/net2net-cert to swanctl 2017-11-10 11:49:39 +01:00
Andreas Steffen
de42a67b79 testing: Converted libipsec/net2net-3des to swanctl 2017-11-10 11:49:39 +01:00
Andreas Steffen
6922d5e56a testing: Converted libipsec/host2host-cert to swanctl 2017-11-10 11:49:39 +01:00
Andreas Steffen
3659fda1a5 testing: Converted gcrypt-ikev2 to swanctl 2017-11-10 11:49:39 +01:00
Andreas Steffen
b46deb8107 testing: Converted gcrypt-ikev1 to systemd 2017-11-10 11:49:38 +01:00
Andreas Steffen
88a950d915 testing: Converted af-alg to systemd 2017-11-10 11:49:38 +01:00
Andreas Steffen
67a97c18ae testing: Enable systemd 2017-11-10 11:49:38 +01:00
Andreas Steffen
804784cc1c testing: Updated some descriptions 2017-11-10 11:49:38 +01:00
Andreas Steffen
0d63255513 libtpmtss: Added missing argument in hasher_from_signature_scheme() 2017-11-10 11:47:27 +01:00
Tobias Brunner
291b02262d charon-tkm: Unlink PID file after deinit
Same change as for charon in the previous commit.

References #2460.
2017-11-10 10:56:13 +01:00
Tobias Brunner
1b4d97dbb7 charon: Unlink PID file after daemon deinit (i.e. after unloading plugins etc.)
Make sure, though, that we only remove the file if we actually
created it (e.g. not for --help or --version).  And do so before
deinitializing libstrongswan due to leak detective.

Fixes #2460.
2017-11-10 10:55:43 +01:00
Thomas Egerer
9cc61baaf5 unit-tests: Rename targets for libstrongswan and kernel-netlink
libstrongswan and kernel-netlink are the only two components which do
not adhere to the naming scheme used for all other tests. If the tests
are run by an external application this imposes problems due to clashing
names.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-11-09 09:11:42 +01:00
Tobias Brunner
1c4b392a5b Merge branch 'rsassa-pss'
This adds support for RSASSA-PSS signatures in IKEv2 digital signature
authentication (RFC 7427), certificates and CRLs etc., and when signing
credentials via pki tool.  For interoperability with older versions, the
default is to use classic PKCS#1 signatures.  To use PSS padding either enable
rsa_pss via strongswan.conf or explicitly use it either via ike:rsa/pss...
auth token or the --rsa-padding option of the pki tool.

References #2427.
2017-11-08 16:53:35 +01:00
Tobias Brunner
fde0c763b6 auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
Also document the rsa/pss prefix.
2017-11-08 16:48:10 +01:00
Tobias Brunner
27a79326c7 pki: Enable PSS padding if enabled in strongswan.conf 2017-11-08 16:48:10 +01:00
Tobias Brunner
d57af8dde0 pki: Optionally generate RSA/PSS signatures 2017-11-08 16:48:10 +01:00
Tobias Brunner
9b828ee85f pki: Indent usage lines properly automatically 2017-11-08 16:48:10 +01:00
Tobias Brunner
364395d2de Treat RSASSA-PSS keys like rsaEncryption RSA keys
In theory we should treat any parameters and the identifier itself as a
restriction to only use the key to create signatures accordingly (e.g.
only use RSA with PSS padding or even use specific hash algorithms).
But that's currently tricky as we'd have to store and pass this information
along with our private keys (i.e. use PKCS#8 to store them and change the
builder calls to pass along the identifier and parameters). That would
require quite some work.
2017-11-08 16:48:10 +01:00
Tobias Brunner
fb63012e0c openssl: Add support for signature schemes with parameters 2017-11-08 16:48:10 +01:00
Tobias Brunner
dc83bc147e pki: Properly forward digest to attribute certificate builder 2017-11-08 16:48:10 +01:00
Tobias Brunner
bbfe39f597 x509: Add support for signature schemes with parameters
Also adds support for specifying the hash algorithm for attribute
certificate signatures.
2017-11-08 16:48:10 +01:00
Tobias Brunner
0c23a5693c builder: Add builder option to pass signature scheme and params 2017-11-08 16:48:10 +01:00
Tobias Brunner
3fc66e5743 ikev2: Use helpers to build signature auth data 2017-11-08 16:48:10 +01:00
Tobias Brunner
eae80fdedc signature-params: Add helpers to parse/build ASN.1 algorithmIdentifier for signature schemes 2017-11-08 16:48:10 +01:00
Tobias Brunner
6f97c0d50b ikev2: Enumerate RSA/PSS schemes and use them if enabled 2017-11-08 16:48:10 +01:00
Tobias Brunner
24b2ede283 ikev2: Support signing with RSASSA-PSS via RFC 7427 signature auth 2017-11-08 16:48:10 +01:00
Tobias Brunner
a4aaef7477 signature-params: Use helper to build MGF1 algorithmIdentifier 2017-11-08 16:48:10 +01:00
Tobias Brunner
f89348d035 asn1: Add helper function to create algorithmIdentifier with parameters 2017-11-08 16:48:10 +01:00
Tobias Brunner
5f7be58177 ikev2: Verify RSASSA-PSS signatures via RFC 7427 signature auth 2017-11-08 16:48:10 +01:00
Tobias Brunner
84b1c06d0e keymat_v2: Pass/receive signature schemes as signature_param_t objects 2017-11-08 16:48:10 +01:00
Tobias Brunner
634c6ba8ce auth-cfg: Parse rsa/pss auth tokens 2017-11-08 16:48:10 +01:00
Tobias Brunner
54f8d09261 auth-cfg: Store signature schemes as signature_params_t objects
Due to circular references the hasher_from_signature_scheme() helper
does not take a signature_params_t object.
2017-11-08 16:48:10 +01:00
Tobias Brunner
024b979522 certificate: Return signature scheme and parameters from issued_by() method
This also required some include restructuring (avoid including library.h
in headers) to avoid unresolvable circular dependencies.
2017-11-08 16:48:10 +01:00
Tobias Brunner
c2935b03c4 signature-params: Add helper struct for signature scheme and parameters 2017-11-08 16:48:10 +01:00
Tobias Brunner
72b7c0ffd8 android: Add support for creating RSASSA-PSS signatures via JNI 2017-11-08 16:48:10 +01:00
Tobias Brunner
414f255561 unit-tests: Add RSA-PSS signature tests with specific salts 2017-11-08 16:48:10 +01:00
Tobias Brunner
37efb9787b gcrypt: Add support for static salts when signing with RSA-PSS 2017-11-08 16:48:10 +01:00
Tobias Brunner
f241a981aa gmp: Add support for static salts when signing with RSA-PSS 2017-11-08 16:48:10 +01:00
Tobias Brunner
c380608a89 signature-params: Optionally pass a specific salt value when signing 2017-11-08 16:48:10 +01:00
Tobias Brunner
fa7f5e2d0c unit-tests: Warn if we skip RSA tests due to dependencies 2017-11-08 16:48:10 +01:00
Tobias Brunner
4c5dd39aa3 unit-tests: Add ability to issue a warning message for a test case
This way we can warn if we e.g. skipped actually doing something due to
dependencies (otherwise the test case would just appear to have succeeded).
2017-11-08 16:48:10 +01:00
Tobias Brunner
90a3bc5075 mgf1: Add support for SHA-224/384 based MGF1 2017-11-08 16:48:10 +01:00
Tobias Brunner
720a76c229 xof: Add identifiers for MGF1 XOFs based on SHA-224/384 2017-11-08 16:48:10 +01:00
Tobias Brunner
126fd8af09 gmp: Use helper to determine XOF type 2017-11-08 16:48:10 +01:00
Tobias Brunner
883e7fcd65 xof: Add helper to determine MGF1 XOF type from hash algorithm 2017-11-08 16:48:10 +01:00
Tobias Brunner
3ce8b0556a gcrypt: Add support for RSA-PSS signatures
For salt lengths other than 20 this requires 0bd8137e68c2 ("cipher:
Add option to specify salt length for PSS verification."), which was
included in libgcrypt 1.7.0 (for Ubuntu requires 17.04).  As that makes
it pretty much useless for us (SHA-1 is a MUST NOT), we require that version
to even provide the feature.
2017-11-08 16:48:10 +01:00