Tobias Brunner
17e3a92661
Fix gettid() on Android, which is defined in unistd.h there.
2012-01-12 11:08:22 +01:00
Tobias Brunner
66f16d9629
Use native gettid() if available (which is the case on Android).
2012-01-10 18:31:33 +01:00
Tobias Brunner
190cd8a475
pluto: Use srand() to initialize the C library PRNG.
...
Otherwise rekey and DPD times would always be the same after a restart.
2012-01-04 13:19:29 +01:00
Martin Willi
f8b2906929
Use the TLS socket splicing in tls_test script
2011-12-31 13:14:49 +01:00
Martin Willi
3a87c89b1b
Added a tls_socket_t.splice method to wrap a file descriptor into TLS
2011-12-31 13:14:49 +01:00
Martin Willi
6a5c86b7ad
Implemented TLS session resumption both as client and as server
2011-12-31 13:14:49 +01:00
Martin Willi
ca5767621b
Implemented a TLS session cache
2011-12-31 13:14:49 +01:00
Martin Willi
703c0db894
Check for cipherspec changes after each handshake message
2011-12-31 13:14:49 +01:00
Martin Willi
4caa380625
Separated cipherspec checking and switching, allowing us to defer the second
2011-12-31 13:14:49 +01:00
Tobias Brunner
7c0c2349a9
Make number of concurrently handled stroke messages configurable.
2011-12-29 18:41:39 +01:00
Tobias Brunner
8ff513a863
Limit the number of concurrently handled stroke messages.
...
This avoids clogging the thread pool with potentially blocking jobs.
2011-12-29 18:39:34 +01:00
Andreas Steffen
cb4da3f610
register aik certificate via ipsec attest
2011-12-25 14:31:26 +01:00
Martin Willi
84da59f609
Be less verbose about TLS extensions
2011-12-24 14:14:25 +01:00
Martin Willi
ed57dfca3f
In TLS 1.2, PRF and HASH function use at least SHA-256, not the MAC hash function
2011-12-24 12:42:28 +01:00
Martin Willi
6b01216422
Added a getter for the tls_socket file descriptor
2011-12-24 12:42:25 +01:00
Tobias Brunner
e86b685da5
Allow callers to force ASN.1 date encoding as GENERALIZEDTIME.
2011-12-23 18:07:39 +01:00
Tobias Brunner
f4095fdc8a
Avoid integer overflow when parsing ASN.1 dates.
...
This only works properly if sizeof(time_t) > 4.
2011-12-23 16:38:28 +01:00
Tobias Brunner
20d752b4ff
pki: Avoid integer overflow when calculating certificate lifetimes.
...
This only works properly if sizeof(time_t) > 4.
2011-12-23 16:33:24 +01:00
Tobias Brunner
1267127c11
Properly ASN.1 encode dates in certificates depending on the year.
2011-12-23 16:29:41 +01:00
Tobias Brunner
70a4737690
pluto: Fixed expiration date test.
2011-12-23 15:32:06 +01:00
Tobias Brunner
fc726f1359
Fix deadlock in trap_manager_t during acquire.
...
Also fixes a TOCTOU issue regarding the use of entry_t.pending.
The deadlock was caused because the rwlock was being locked while
waiting for an IKE_SA. Triggering the deadlock was a bit tricky, here
is the description by Thomas Egerer (the reporter of this issue):
"
The deadlock occurs when the following happens (in the given order):
a) an IKE_SA is built and a thread is processing the IKE_AUTH request,
which can take a bit longer when a smartcard is involved. This
causes the ike_sa_manager to lock a particular IKE_SA exclusively.
b) an acquire is triggered which causes the rwlock in the trap_manager
to be read-locked, the subsequent call to
ike_sa_manager->checkout_by_config has to wait until a) unlocks
it's ike_sa.
c) a child_cfg contained in the peer_cfg belonging to the ike_sa
a) has locked is routed causes the child_configs contained
in the peer config to be locked by c) while the actual routing
code within trap_manager tries to writelock it's rwlock.
That's about it. As soon as a) finishes authentication of the peer
and tries to find a matching child sa it will try to lock the child
configs of the peer config which is not possible since it has been
locked by c).
Thread | Resource locked | Resource desired
-------+--------------------------------+--------------------------------
(a) | ike_sa in ike_sa_manager | child_cfgs of peer_cfg
| |
(b) | rwlock in trap-manager (read) | ike_sa in ike_sa_manager
| |
(c) | child_cfgs of peer_cfg | rwlock in trap-manager (write)
"
With this patch thread (b) now does not hold the lock while waiting for
the IKE_SA. Thus (c) can get the write lock, and (a) can subsequently
lock the mutex in the peer_cfg which then finally allows (b) to checkout
the IKE_SA.
2011-12-23 11:07:14 +01:00
Tobias Brunner
5317dd6887
Added atomic compare and swap operations.
...
Using a GCC atomic builtin if available or a global mutex otherwise.
2011-12-23 11:04:55 +01:00
Tobias Brunner
d6656f11e4
Fixed flush() method of trap_manager_t.
...
A segmentation fault could have happened during destruction of the trap
manager after calling flush().
2011-12-23 10:38:10 +01:00
Andreas Steffen
a24f2241bc
made ikev2/reauth-late scenario more robust
2011-12-21 06:00:13 +01:00
Andreas Steffen
12b6ba8771
additional state waiting for the EvidenceFinal attribute response
2011-12-20 07:04:21 +01:00
Andreas Steffen
d670adb34a
moved send_message() in front of recommendation evaluation
2011-12-18 21:05:52 +01:00
Andreas Steffen
f994caf665
added case IMV_ATTESTATION_STATE_END
2011-12-18 19:39:25 +01:00
Sansar Choinyambuu
6d3b46668f
TrouSerS expects a bitmask field length of at least 3 bytes
2011-12-18 18:36:36 +01:00
Andreas Steffen
005d981cc2
check for TrouSerS
2011-12-18 18:26:38 +01:00
Andreas Steffen
034b792b90
added Attestation IMC/IMV to UML build
2011-12-18 18:07:47 +01:00
Andreas Steffen
458c52d29d
build PA-TNC message only if there are PA-TNC attributes to send
2011-12-18 17:55:20 +01:00
Andreas Steffen
a98262ff6e
destroy attributes, too
2011-12-18 17:34:53 +01:00
Andreas Steffen
8982b70298
added reference counts to all PA-TNC attribute classes
2011-12-18 17:20:13 +01:00
Andreas Steffen
4f91342702
reworded comments and debug output
2011-12-18 10:51:35 +01:00
Andreas Steffen
5da8b67625
Prepend Debian string to Debian version
2011-12-18 10:27:42 +01:00
Andreas Steffen
3f58e4c562
removed unused variable
2011-12-16 18:10:20 +01:00
Andreas Steffen
cbf2ba54e1
moved management of additional IMC/IMV IDs to agent
2011-12-16 17:32:15 +01:00
Tobias Brunner
cc4b48e886
Also log PGP parsing in ASN log group.
2011-12-16 16:44:38 +01:00
Tobias Brunner
b6e0784385
Log messages for PKCS1 and PEM parsing in ASN log group.
2011-12-16 16:44:38 +01:00
Tobias Brunner
eb497205e3
Log most X.509 related messages in new ASN log group.
2011-12-16 16:44:38 +01:00
Tobias Brunner
c7f3a056dd
Log ASN.1 parsing in new ASN debug group.
2011-12-16 16:44:38 +01:00
Tobias Brunner
54d096a712
Added ASN debug group to log low-level encoding/decoding (ASN.1, X.509).
...
This will allow us to remove quite some clutter from the LIB debug group
for higher debug levels.
2011-12-16 16:44:38 +01:00
Tobias Brunner
c17f6f96e2
Log native thread ID when a thread is created.
...
If possible gettid() is used, otherwise pthread_self() is logged (which is
not completely portable, but seems to work on most supported platforms).
2011-12-16 16:44:38 +01:00
Tobias Brunner
b24287c269
Log worker thread ID with two digits.
2011-12-16 16:44:38 +01:00
Andreas Steffen
c27e54a716
fixed caption alignment
2011-12-16 14:26:09 +01:00
Andreas Steffen
0e94ae1286
Revert "fixed caption alignment"
...
This reverts commit d463def798
.
2011-12-16 14:19:14 +01:00
Andreas Steffen
d463def798
fixed caption alignment
2011-12-16 14:15:46 +01:00
Tobias Brunner
a5951a2861
Make sure the certificate cache is flushed when plugins are unloaded.
...
This avoids segmentation faults when plugins implementing cert_t are
already unloaded when the cache is flushed during destruction.
2011-12-15 12:20:09 +01:00
Tobias Brunner
49b44c98c1
Charon also supports type=passthrough|drop.
2011-12-14 19:01:39 +01:00
Thomas Egerer
64c4fd0a60
Always unlock mutex for installed policies in kernel-netlink plugin.
2011-12-14 18:17:49 +01:00