8 years agotls: Check for minimal TLS record length before each record iteration
Martin Willi [Fri, 21 Mar 2014 08:29:44 +0000 (09:29 +0100)]
tls: Check for minimal TLS record length before each record iteration

Fixes fragment reassembling if a buffer contains more than one record, but
the last record contains a partial TLS record header. Thanks to Nick Saunders
and Jamil Nimeh for identifying this issue and providing a fix for it.

8 years agotls: Fix AEAD algorithm filtering, avoid filtering all suites if no AEAD found
Martin Willi [Tue, 11 Mar 2014 09:57:18 +0000 (10:57 +0100)]
tls: Fix AEAD algorithm filtering, avoid filtering all suites if no AEAD found

8 years agotls: Offer TLS signature schemes in ClientHello in order of preference
Martin Willi [Wed, 15 Jan 2014 14:51:03 +0000 (15:51 +0100)]
tls: Offer TLS signature schemes in ClientHello in order of preference

Additionally, we now query plugin features to find out what schemes we exactly

8 years agotls: Define AES-GCM cipher suites from RFC 5288/5289
Martin Willi [Mon, 3 Feb 2014 17:08:11 +0000 (18:08 +0100)]
tls: Define AES-GCM cipher suites from RFC 5288/5289

8 years agotls: Implement the TLS AEAD abstraction for real AEAD modes
Martin Willi [Mon, 3 Feb 2014 17:03:41 +0000 (18:03 +0100)]
tls: Implement the TLS AEAD abstraction for real AEAD modes

8 years agotls: Separate TLS protection to abstracted AEAD modes
Martin Willi [Mon, 3 Feb 2014 12:20:46 +0000 (13:20 +0100)]
tls: Separate TLS protection to abstracted AEAD modes

To better separate the code path for different TLS versions and modes of
operation, we introduce a TLS AEAD abstraction. We provide three implementations
using traditional transforms, and get prepared for TLS AEAD modes.

8 years agoaead: Support custom AEAD salt sizes
Martin Willi [Fri, 31 Jan 2014 14:53:38 +0000 (15:53 +0100)]
aead: Support custom AEAD salt sizes

The salt, or often called implicit nonce, varies between AEAD algorithms and
their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses
3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM.

Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine
until we go for CCM mode support in TLS, which requires 4 byte nonces.

8 years agoikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeying
Martin Willi [Thu, 27 Feb 2014 08:36:46 +0000 (09:36 +0100)]
ikev2: Recreate a CHILD_SA that got a hard lifetime expire without rekeying

Works around issues related to system time changes and kernel backends using
that system time, such as Linux XFRM.

8 years agorevocation: Log error if no OCSP signer candidate found
Martin Willi [Mon, 31 Mar 2014 12:53:15 +0000 (14:53 +0200)]
revocation: Log error if no OCSP signer candidate found

Fixes evaluation of ikev2/ocsp-untrusted-cert.

8 years agoMerge branch 'ocsp-constraints'
Martin Willi [Mon, 31 Mar 2014 12:44:50 +0000 (14:44 +0200)]
Merge branch 'ocsp-constraints'

Limits cached OCSP verification to responses signed by the CA, a directly
delegated signer or a pre-installed OCSP responder certificate. Disables
auth config merge for revocation trust-chain strength checkin, as it breaks
CA constraints in some scenarios.

8 years agorevocation: Restrict OCSP signing to specific certificates
Martin Willi [Tue, 25 Mar 2014 13:34:58 +0000 (14:34 +0100)]
revocation: Restrict OCSP signing to specific certificates

To avoid considering each cached OCSP response and evaluating its trustchain,
we limit the certificates considered for OCSP signing to:

- The issuing CA of the checked certificate
- A directly delegated signer by the same CA, having the OCSP signer constraint
- Any locally installed (trusted) certificate having the OCSP signer constraint

The first two options cover the requirements from RFC 6960 2.6. For
compatibility with non-conforming CAs, we allow the third option as exception,
but require the installation of such certificates locally.

8 years agorevocation: Don't merge auth config of CLR/OCSP trustchain validation
Martin Willi [Thu, 27 Mar 2014 09:59:29 +0000 (10:59 +0100)]
revocation: Don't merge auth config of CLR/OCSP trustchain validation

This behavior was introduced with 6840a6fb to avoid key/signature strength
checking for the revocation trustchain as we do it for end entity certificates.
Unfortunately this breaks CA constraint checking under certain conditions, as
we merge additional intermediate/CA certificates to the auth config.

As key/signature strength checking of the revocation trustchain is a rather
exotic requirement we drop support for that to properly enforce CA constraints.

8 years agohashtable: Make key arguments const
Tobias Brunner [Thu, 27 Mar 2014 10:57:54 +0000 (11:57 +0100)]
hashtable: Make key arguments const

This allows using const strings etc. for lookups without cast. And keys
are not modifiable anyway.

8 years agoProperly hash pointers for hash tables where appropriate
Tobias Brunner [Thu, 27 Mar 2014 10:37:16 +0000 (11:37 +0100)]
Properly hash pointers for hash tables where appropriate

Simply using the pointer is not optimal for our hash table
implementation, which simply masks the key to determine the bucket.

8 years agokernel-pfroute: Let get_nexthop() default to destination address
Tobias Brunner [Tue, 11 Mar 2014 14:19:33 +0000 (15:19 +0100)]
kernel-pfroute: Let get_nexthop() default to destination address

8 years agox509: CERT_DECODE actually requires KEY_ANY
Tobias Brunner [Thu, 6 Mar 2014 11:20:55 +0000 (12:20 +0100)]
x509: CERT_DECODE actually requires KEY_ANY

More specific decoders might still be needed, but the x509
plugin should not care which ones.

8 years agopkcs1: KEY_ANY public key decoder soft depends on specific decoders
Tobias Brunner [Thu, 6 Mar 2014 11:20:05 +0000 (12:20 +0100)]
pkcs1: KEY_ANY public key decoder soft depends on specific decoders

8 years agoeap-radius: Add option to not close IKE_SAs on timeouts during interim accouting...
Tobias Brunner [Wed, 5 Mar 2014 14:17:25 +0000 (15:17 +0100)]
eap-radius: Add option to not close IKE_SAs on timeouts during interim accouting updates

Fixes #528.

8 years agoikev1: Accept SPI size of any length <= 16 in ISAKMP proposal
Tobias Brunner [Mon, 3 Mar 2014 13:03:46 +0000 (14:03 +0100)]
ikev1: Accept SPI size of any length <= 16 in ISAKMP proposal

Fixes #533.

8 years agoproposal: Don't fail DH proposal matching if peer includes NONE
Tobias Brunner [Fri, 28 Feb 2014 14:27:52 +0000 (15:27 +0100)]
proposal: Don't fail DH proposal matching if peer includes NONE

The DH transform is optional for ESP/AH proposals. The initiator can
include NONE (0) in its proposal to indicate that while it prefers to
do a DH exchange, the responder may still decide to not do so.

Fixes #532.

8 years agoconf: Order settings in man page alphabetically
Tobias Brunner [Sat, 1 Mar 2014 16:01:53 +0000 (17:01 +0100)]
conf: Order settings in man page alphabetically

For the config snippets the options are now explicitly ordered before

8 years agoMerge branch 'acerts'
Martin Willi [Mon, 31 Mar 2014 10:11:04 +0000 (12:11 +0200)]
Merge branch 'acerts'

(Re-)Introduces X.509 Attribute Certificate support in IKE, and cleans up the
x509 AC parser/generator. ACs may be stored locally or exchanged in IKEv2
CERT payloads, Attribute Authorities must be installed locally. pki --acert
issues Attribute Certificates and replaces the removed openac utility.

8 years agoNEWS: Add acert and pki changes for 5.1.3
Martin Willi [Mon, 31 Mar 2014 09:23:22 +0000 (11:23 +0200)]
NEWS: Add acert and pki changes for 5.1.3

8 years agoopenac: Remove obsolete openac utility
Martin Willi [Mon, 31 Mar 2014 09:30:51 +0000 (11:30 +0200)]
openac: Remove obsolete openac utility

The same functionality is now provided by the pki --acert subcommand.

8 years agopki: Document --not-before/after and --dateform options in manpages
Martin Willi [Thu, 27 Mar 2014 15:12:29 +0000 (16:12 +0100)]
pki: Document --not-before/after and --dateform options in manpages

8 years agopki: Support absolute --this/next-update CRL lifetimes
Martin Willi [Thu, 27 Mar 2014 14:56:20 +0000 (15:56 +0100)]
pki: Support absolute --this/next-update CRL lifetimes

8 years agopki: Support absolute --not-before/after issued certificate lifetimes
Martin Willi [Thu, 27 Mar 2014 14:45:52 +0000 (15:45 +0100)]
pki: Support absolute --not-before/after issued certificate lifetimes

8 years agopki: Support absolute --not-before/after self-signed certificate lifetimes
Martin Willi [Thu, 27 Mar 2014 14:45:32 +0000 (15:45 +0100)]
pki: Support absolute --not-before/after self-signed certificate lifetimes

8 years agopki: Support absolute --not-before/after acert lifetimes
Martin Willi [Thu, 27 Mar 2014 13:47:18 +0000 (14:47 +0100)]
pki: Support absolute --not-before/after acert lifetimes

8 years agopki: Add a certificate lifetime calculation helper function
Martin Willi [Thu, 27 Mar 2014 13:46:41 +0000 (14:46 +0100)]
pki: Add a certificate lifetime calculation helper function

8 years agotesting: Add an acert test that forces a fallback connection based on groups
Martin Willi [Fri, 7 Feb 2014 10:51:08 +0000 (11:51 +0100)]
testing: Add an acert test that forces a fallback connection based on groups

8 years agotesting: Add an acert test case sending attribute certificates inline
Martin Willi [Fri, 7 Feb 2014 10:22:39 +0000 (11:22 +0100)]
testing: Add an acert test case sending attribute certificates inline

8 years agotesting: Add an acert test using locally cached attribute certificates
Martin Willi [Fri, 7 Feb 2014 09:28:50 +0000 (10:28 +0100)]
testing: Add an acert test using locally cached attribute certificates

8 years agotesting: build strongSwan with acert plugin
Martin Willi [Fri, 7 Feb 2014 09:26:08 +0000 (10:26 +0100)]
testing: build strongSwan with acert plugin

8 years agoikev2: Cache all received attribute certificates to auth config
Martin Willi [Wed, 5 Feb 2014 16:56:05 +0000 (17:56 +0100)]
ikev2: Cache all received attribute certificates to auth config

8 years agoikev2: Send all known and valid attribute certificates for subject cert
Martin Willi [Wed, 5 Feb 2014 16:48:35 +0000 (17:48 +0100)]
ikev2: Send all known and valid attribute certificates for subject cert

8 years agoikev2: Slightly refactor certificate payload construction to separate functions
Martin Willi [Wed, 5 Feb 2014 16:25:48 +0000 (17:25 +0100)]
ikev2: Slightly refactor certificate payload construction to separate functions

8 years agoike: Support encoding of attribute certificates in CERT payloads
Martin Willi [Wed, 5 Feb 2014 16:46:01 +0000 (17:46 +0100)]
ike: Support encoding of attribute certificates in CERT payloads

8 years agoauth-cfg: Declare an attribute certificate helper type to exchange acerts
Martin Willi [Wed, 5 Feb 2014 16:15:45 +0000 (17:15 +0100)]
auth-cfg: Declare an attribute certificate helper type to exchange acerts

8 years agoacert: Implement a plugin finding, validating and evaluating attribute certs
Martin Willi [Wed, 5 Feb 2014 15:59:55 +0000 (16:59 +0100)]
acert: Implement a plugin finding, validating and evaluating attribute certs

This validator checks for any attribute certificate it can find for validated
end entity certificates and tries to extract group membership information
used for connection authorization rules.

8 years agox509: Match acert has_subject() against entityName or holder serial
Martin Willi [Wed, 5 Feb 2014 13:45:47 +0000 (14:45 +0100)]
x509: Match acert has_subject() against entityName or holder serial

This allows us to find attribute certificates for a subject certificate in
credential sets.

8 years agopki: Add acert and extend pki/print manpages
Martin Willi [Wed, 5 Feb 2014 11:49:10 +0000 (12:49 +0100)]
pki: Add acert and extend pki/print manpages

8 years agopki: Implement an acert command to issue attribute certificates
Martin Willi [Wed, 5 Feb 2014 11:28:00 +0000 (12:28 +0100)]
pki: Implement an acert command to issue attribute certificates

8 years agopki: Support printing attribute certificates
Martin Willi [Wed, 5 Feb 2014 11:24:03 +0000 (12:24 +0100)]
pki: Support printing attribute certificates

8 years agopki: Don't generate negative random serial numbers in X.509 certificates
Martin Willi [Wed, 5 Feb 2014 10:05:28 +0000 (11:05 +0100)]
pki: Don't generate negative random serial numbers in X.509 certificates

According to RFC 5280 we MUST force non-negative serial numbers.

8 years agopem: Support encoding of attribute certificates
Martin Willi [Wed, 5 Feb 2014 11:19:34 +0000 (12:19 +0100)]
pem: Support encoding of attribute certificates

While there is no widely used PEM header for attribute certificates, at least

8 years agox509: Replace the comma separated string AC group builder with a list based one
Martin Willi [Tue, 4 Feb 2014 15:24:03 +0000 (16:24 +0100)]
x509: Replace the comma separated string AC group builder with a list based one

8 years agox509: Integrate IETF attribute handling, and obsolete ietf_attributes_t
Martin Willi [Tue, 4 Feb 2014 15:11:37 +0000 (16:11 +0100)]
x509: Integrate IETF attribute handling, and obsolete ietf_attributes_t

The ietf_attributes_t class is used for attribute certificates only these days,
and integrating them to x509_ac_t simplifies things significantly.

8 years agox509: Replace fixed acert group string getter by a more dynamic group enumerator
Martin Willi [Tue, 4 Feb 2014 14:41:09 +0000 (15:41 +0100)]
x509: Replace fixed acert group string getter by a more dynamic group enumerator

8 years agox509: Skip parsing of acert chargingIdentity, as we don't use it anyway
Martin Willi [Tue, 4 Feb 2014 14:16:26 +0000 (15:16 +0100)]
x509: Skip parsing of acert chargingIdentity, as we don't use it anyway

8 years agox509: Fix some whitespaces and do some minor style cleanups in acert
Martin Willi [Tue, 4 Feb 2014 14:05:26 +0000 (15:05 +0100)]
x509: Fix some whitespaces and do some minor style cleanups in acert

8 years agoac: Remove unimplemented equals_holder() method from ac_t
Martin Willi [Tue, 4 Feb 2014 13:41:30 +0000 (14:41 +0100)]
ac: Remove unimplemented equals_holder() method from ac_t

8 years agoAdded libipsec/net2net-3des scenario
Andreas Steffen [Fri, 28 Mar 2014 08:21:51 +0000 (09:21 +0100)]
Added libipsec/net2net-3des scenario

8 years agoRenewed self-signed OCSP signer certificate
Andreas Steffen [Thu, 27 Mar 2014 21:49:53 +0000 (22:49 +0100)]
Renewed self-signed OCSP signer certificate

8 years agounit-tests: Fix filtered enumerator tests on 64-bit big-endian platforms
Tobias Brunner [Thu, 27 Mar 2014 14:35:32 +0000 (15:35 +0100)]
unit-tests: Fix filtered enumerator tests on 64-bit big-endian platforms

In case of sizeof(void*) == 8 and sizeof(int) == 4 on big-endian hosts
the tests failed as the actual integer value got cut off.

8 years agotravis: Run the "all" test case with leak detective enabled
Tobias Brunner [Tue, 25 Mar 2014 10:46:17 +0000 (11:46 +0100)]
travis: Run the "all" test case with leak detective enabled

But disable the gcrypt plugin, as it causes leaks.

Also disable the backtraces by libunwind as they seem to cause
threads to get cleaned up after the leak detective already has been
disabled, which leads to invalid free()s.

8 years agounit-tests: Fix memory leak in ntru tests
Tobias Brunner [Tue, 25 Mar 2014 10:45:25 +0000 (11:45 +0100)]
unit-tests: Fix memory leak in ntru tests

8 years agoVersion bump to 5.1.3rc1
Andreas Steffen [Wed, 26 Mar 2014 21:00:00 +0000 (22:00 +0100)]
Version bump to 5.1.3rc1

8 years agoCheck that valid OCSP responses are received in the ikev2/ocsp-multi-level scenario
Andreas Steffen [Mon, 24 Mar 2014 22:57:55 +0000 (23:57 +0100)]
Check that valid OCSP responses are received in the ikev2/ocsp-multi-level scenario

8 years agoUpdated expired certificates issued by the Research and Sales Intermediate CAs
Andreas Steffen [Mon, 24 Mar 2014 22:38:45 +0000 (23:38 +0100)]
Updated expired certificates issued by the Research and Sales Intermediate CAs

8 years agoRenewed revoked Research CA certificate 5.1.3dr1
Andreas Steffen [Sat, 22 Mar 2014 14:16:15 +0000 (15:16 +0100)]
Renewed revoked Research CA certificate

8 years agounit-test: added missing TEST_FUNCTION macros
Andreas Steffen [Sat, 22 Mar 2014 09:26:02 +0000 (10:26 +0100)]
unit-test: added missing TEST_FUNCTION macros

8 years agoAdded openssl-ikev2/net2net-pgp-v3 scenario
Andreas Steffen [Thu, 20 Mar 2014 17:21:36 +0000 (18:21 +0100)]
Added openssl-ikev2/net2net-pgp-v3 scenario

8 years agoopenssl: Add default fallback when calculating fingerprints of RSA keys
Tobias Brunner [Fri, 14 Mar 2014 16:33:22 +0000 (17:33 +0100)]
openssl: Add default fallback when calculating fingerprints of RSA keys

We still try to calculate these directly as it can avoid a dependency on
the pkcs1 or other plugins.  But for e.g. PGPv3 keys we need to delegate the
actual fingerprint calculation to the pgp plugin.

8 years agoCompleted integration of ntru_crypto library into ntru plugin
Andreas Steffen [Sat, 22 Mar 2014 08:50:39 +0000 (09:50 +0100)]
Completed integration of ntru_crypto library into ntru plugin

8 years agoMerge branch 'travis-ci'
Tobias Brunner [Thu, 20 Mar 2014 17:49:03 +0000 (18:49 +0100)]
Merge branch 'travis-ci'

Adds a config file and build script for Travis CI. Makes the unit tests
buildable with Clang, and test vectors are now actually verified when
the unit tests are executed.

Also adds options to run only selected test suites and to increase the debug
level during unit tests.

The --enable/disable configure options have been reordered and grouped, and
an option to enable all the features has been added (plus an option to
select a specific printf-hook implementation).

8 years agotravis: Use parallel build
Tobias Brunner [Tue, 18 Mar 2014 14:25:56 +0000 (15:25 +0100)]
travis: Use parallel build

Not sure if 4 jobs is optimal, but according to the docs each build host
has 1.5 virtual cores available (although "getconf _NPROCESSORS_ONLN"
returns 32, which is probably the number of real cores underneath), so
more jobs might not actually reduce the build time much more.

8 years agocrypto-tester: Don't fail if key size is not supported
Tobias Brunner [Fri, 14 Mar 2014 08:56:23 +0000 (09:56 +0100)]
crypto-tester: Don't fail if key size is not supported

The Blowfish and Twofish implementations provided by the gcrypt plugin
only support specific key lengths, which we don't know when testing
against vectors (either during unit tests or during algorithm
registration).  The on_create test with a specific key length will be
skipped anyway, so there is no point in treating this failure differently.

8 years agounit-tests: Add an option to increase the verbosity when running tests
Tobias Brunner [Fri, 14 Mar 2014 08:41:50 +0000 (09:41 +0100)]
unit-tests: Add an option to increase the verbosity when running tests

The TESTS_VERBOSITY option takes an integer from -1 to 4 that sets the
default debug level.

8 years agounit-tests: Add an option to run only a subset of all test suites
Tobias Brunner [Fri, 14 Mar 2014 08:35:50 +0000 (09:35 +0100)]
unit-tests: Add an option to run only a subset of all test suites

The TESTS_SUITES environment variable can contain a comma separated list
of names of test suites to run.

8 years agounit-tests: Actually verify registered algorithms against test vectors
Tobias Brunner [Thu, 13 Mar 2014 15:03:05 +0000 (16:03 +0100)]
unit-tests: Actually verify registered algorithms against test vectors

Previously, the {ns}.crypto_test.on_add option had to be enabled to
actually test the algorithms, which we can't enforce for the tests in
the test_runner as the option is already read when the crypto factory
is initialized.  Even so, we wouldn't want to do this for every unit
test, which would be the result of enabling that option.

8 years agotravis: Add tests for builtin printf hook implementation
Tobias Brunner [Mon, 3 Mar 2014 17:44:29 +0000 (18:44 +0100)]
travis: Add tests for builtin printf hook implementation

We can't test Vstr as it does not properly handle negative int arguments
for custom format callbacks, so some of the enum tests would fail.

8 years agoconfigure: Add an option to select a specific printf hook implementation
Tobias Brunner [Mon, 3 Mar 2014 17:18:47 +0000 (18:18 +0100)]
configure: Add an option to select a specific printf hook implementation

8 years agotravis: Install dependencies for each test dynamically
Tobias Brunner [Sat, 1 Mar 2014 07:49:52 +0000 (08:49 +0100)]
travis: Install dependencies for each test dynamically

Since the installation of all packages alone takes several minutes this
should speed up some test cases.

8 years agotravis: Enable clang build
Tobias Brunner [Sat, 1 Mar 2014 07:40:22 +0000 (08:40 +0100)]
travis: Enable clang build

But build the distribution only once.

8 years agounit-tests: Use TEST_FUNCTION macro in ntru tests
Tobias Brunner [Sat, 1 Mar 2014 07:39:50 +0000 (08:39 +0100)]
unit-tests: Use TEST_FUNCTION macro in ntru tests

8 years agounit-tests: Implement registered functions without __builtin_apply()
Tobias Brunner [Sat, 1 Mar 2014 07:35:59 +0000 (08:35 +0100)]
unit-tests: Implement registered functions without __builtin_apply()

This makes the tests work with clang, which does not implement said

8 years agounit-tests: Call functions with TEST_ prefix in ntru test
Tobias Brunner [Fri, 28 Feb 2014 16:15:47 +0000 (17:15 +0100)]
unit-tests: Call functions with TEST_ prefix in ntru test

8 years agounit-tests: Prefix imported testable functions with TEST_
Tobias Brunner [Fri, 28 Feb 2014 16:13:33 +0000 (17:13 +0100)]
unit-tests: Prefix imported testable functions with TEST_

This avoids any clashes with existing functions in the monolithic build.

8 years agounit-tests: Change how hashtable for testable functions is created
Tobias Brunner [Fri, 28 Feb 2014 16:08:39 +0000 (17:08 +0100)]
unit-tests: Change how hashtable for testable functions is created

Because GCC does not adhere to the priorities defined for constructors
when building with --enable-monolithic (not sure if it was just luck
that it worked in non-monolithic mode - anyway, it's not very portable)
function registration would fail because the hashtable would not be
created yet.

8 years agoAdd Travis CI config and build script
Tobias Brunner [Wed, 26 Feb 2014 16:49:07 +0000 (17:49 +0100)]
Add Travis CI config and build script

8 years agoconfigure: Add an option to enable all optional features/plugins
Tobias Brunner [Thu, 27 Feb 2014 15:28:00 +0000 (16:28 +0100)]
configure: Add an option to enable all optional features/plugins

This has probably no real practical use, but it simplifies testing.

8 years agoconfigure: Reorder and group feature options
Tobias Brunner [Thu, 27 Feb 2014 14:37:01 +0000 (15:37 +0100)]
configure: Reorder and group feature options

8 years agounit-tests: Generate weak keys with gcrypt plugin (but quickly)
Tobias Brunner [Thu, 27 Feb 2014 13:07:06 +0000 (14:07 +0100)]
unit-tests: Generate weak keys with gcrypt plugin (but quickly)

8 years agotnc-pdp: Fix monolithic build
Tobias Brunner [Thu, 27 Feb 2014 16:00:09 +0000 (17:00 +0100)]
tnc-pdp: Fix monolithic build

8 years agoplugin-feature: Hash only the actually used feature argument
Tobias Brunner [Thu, 20 Mar 2014 12:42:57 +0000 (13:42 +0100)]
plugin-feature: Hash only the actually used feature argument

Clang does not initialize padding in union members so hashing the
complete "arg" union could lead to different hashes if the hashed
plugin_feature_t does not have static storage duration.

Fixes #549.

8 years agoAdded TPMRA workitem support for [dummy] Trusted Boot measurements
Andreas Steffen [Wed, 19 Mar 2014 19:26:31 +0000 (20:26 +0100)]
Added TPMRA workitem support for [dummy] Trusted Boot measurements

8 years agopki: When dispatching commands, don't look beyond non-null-terminated array
Martin Willi [Wed, 19 Mar 2014 08:34:41 +0000 (09:34 +0100)]
pki: When dispatching commands, don't look beyond non-null-terminated array

8 years agopki: Check length of commands array before accessing command in --help
Martin Willi [Tue, 11 Mar 2014 18:02:16 +0000 (19:02 +0100)]
pki: Check length of commands array before accessing command in --help

As --help is counted as command as well, the array is not null-terminated
and we have to check for MAX_COMMANDS.

Fixes #550.

8 years agocharon-nm: No additional secrets are required once a password has been entered
Tobias Brunner [Tue, 18 Mar 2014 13:49:14 +0000 (14:49 +0100)]
charon-nm: No additional secrets are required once a password has been entered

Recent versions of NM will call need_secrets() as long as it returns TRUE,
but then fail as the number of calls is limited by an assert.

Fixes #547.

8 years agoarray: Fix removal of elements in the second half of an array
Tobias Brunner [Tue, 18 Mar 2014 13:42:44 +0000 (14:42 +0100)]
array: Fix removal of elements in the second half of an array

Memory beyond the end of the array was moved when array elements in the
second half of an array were removed.

Fixes #548.

8 years agoplugin-loader: Properly initialize modular plugin list if no plugins are enabled
Tobias Brunner [Tue, 18 Mar 2014 09:53:11 +0000 (10:53 +0100)]
plugin-loader: Properly initialize modular plugin list if no plugins are enabled

8 years agoImplemented ntru_private_key class
Andreas Steffen [Tue, 18 Mar 2014 09:03:16 +0000 (10:03 +0100)]
Implemented ntru_private_key class

8 years ago11 bits are needed to encode a maximum index of 1086
Andreas Steffen [Sat, 15 Mar 2014 18:22:16 +0000 (19:22 +0100)]
11 bits are needed to encode a maximum index of 1086

8 years agoMerged libstrongswan options into charon section
Andreas Steffen [Sat, 15 Mar 2014 13:07:02 +0000 (14:07 +0100)]
Merged libstrongswan options into charon section

8 years agostrongswan.conf is not needed on RADIUS server alice
Andreas Steffen [Sat, 15 Mar 2014 13:06:34 +0000 (14:06 +0100)]
strongswan.conf is not needed on RADIUS server alice

8 years agotnc-ifmap: Get a reference to the client cert as it is also used in an auth config
Tobias Brunner [Mon, 10 Mar 2014 13:31:42 +0000 (14:31 +0100)]
tnc-ifmap: Get a reference to the client cert as it is also used in an auth config

8 years agoVersion bump to 5.1.3dr1
Andreas Steffen [Fri, 7 Mar 2014 20:55:46 +0000 (21:55 +0100)]
Version bump to 5.1.3dr1

8 years agoDisable mandatory ECP support for attestion
Andreas Steffen [Fri, 7 Mar 2014 20:54:51 +0000 (21:54 +0100)]
Disable mandatory ECP support for attestion

8 years agoRefactored NTRU parameter set selection
Andreas Steffen [Fri, 7 Mar 2014 16:25:42 +0000 (17:25 +0100)]
Refactored NTRU parameter set selection