Adrian-Ken Rueegsegger
5ed3e3a7e6
Various style, typo and whitespace corrections
2012-01-13 16:27:35 +01:00
Tobias Brunner
9d17c1a679
Starter depends on whack/stroke on Android.
...
With this change whack and stroke get installed automatically if starter is
enabled.
2012-01-12 19:19:47 +01:00
Tobias Brunner
2e0b478a01
Android 4 requires LOCAL_MODULE_TAGS to be set for all modules.
...
Because all packages are now marked as optional executables that are to
be installed on the final system have to be added to PRODUCT_PACKAGES in
build/target/product/core.mk. Dependencies (such as libraries) are
installed automatically.
2012-01-12 19:18:35 +01:00
Tobias Brunner
35a1986142
Fixed additional typos in comments and log messages.
2012-01-12 11:42:42 +01:00
Adrian-Ken Rueegsegger
d887b8e134
Fix whitespaces
2012-01-12 11:25:18 +01:00
Adrian-Ken Rueegsegger
2a375e62f3
Some documentation corrections
2012-01-12 11:25:12 +01:00
Tobias Brunner
17e3a92661
Fix gettid() on Android, which is defined in unistd.h there.
2012-01-12 11:08:22 +01:00
Tobias Brunner
66f16d9629
Use native gettid() if available (which is the case on Android).
2012-01-10 18:31:33 +01:00
Tobias Brunner
190cd8a475
pluto: Use srand() to initialize the C library PRNG.
...
Otherwise rekey and DPD times would always be the same after a restart.
2012-01-04 13:19:29 +01:00
Martin Willi
f8b2906929
Use the TLS socket splicing in tls_test script
2011-12-31 13:14:49 +01:00
Martin Willi
3a87c89b1b
Added a tls_socket_t.splice method to wrap a file descriptor into TLS
2011-12-31 13:14:49 +01:00
Martin Willi
6a5c86b7ad
Implemented TLS session resumption both as client and as server
2011-12-31 13:14:49 +01:00
Martin Willi
ca5767621b
Implemented a TLS session cache
2011-12-31 13:14:49 +01:00
Martin Willi
703c0db894
Check for cipherspec changes after each handshake message
2011-12-31 13:14:49 +01:00
Martin Willi
4caa380625
Separated cipherspec checking and switching, allowing us to defer the second
2011-12-31 13:14:49 +01:00
Tobias Brunner
7c0c2349a9
Make number of concurrently handled stroke messages configurable.
2011-12-29 18:41:39 +01:00
Tobias Brunner
8ff513a863
Limit the number of concurrently handled stroke messages.
...
This avoids clogging the thread pool with potentially blocking jobs.
2011-12-29 18:39:34 +01:00
Andreas Steffen
cb4da3f610
register aik certificate via ipsec attest
2011-12-25 14:31:26 +01:00
Martin Willi
84da59f609
Be less verbose about TLS extensions
2011-12-24 14:14:25 +01:00
Martin Willi
ed57dfca3f
In TLS 1.2, PRF and HASH function use at least SHA-256, not the MAC hash function
2011-12-24 12:42:28 +01:00
Martin Willi
6b01216422
Added a getter for the tls_socket file descriptor
2011-12-24 12:42:25 +01:00
Tobias Brunner
e86b685da5
Allow callers to force ASN.1 date encoding as GENERALIZEDTIME.
2011-12-23 18:07:39 +01:00
Tobias Brunner
f4095fdc8a
Avoid integer overflow when parsing ASN.1 dates.
...
This only works properly if sizeof(time_t) > 4.
2011-12-23 16:38:28 +01:00
Tobias Brunner
20d752b4ff
pki: Avoid integer overflow when calculating certificate lifetimes.
...
This only works properly if sizeof(time_t) > 4.
2011-12-23 16:33:24 +01:00
Tobias Brunner
1267127c11
Properly ASN.1 encode dates in certificates depending on the year.
2011-12-23 16:29:41 +01:00
Tobias Brunner
70a4737690
pluto: Fixed expiration date test.
2011-12-23 15:32:06 +01:00
Tobias Brunner
fc726f1359
Fix deadlock in trap_manager_t during acquire.
...
Also fixes a TOCTOU issue regarding the use of entry_t.pending.
The deadlock was caused because the rwlock was being locked while
waiting for an IKE_SA. Triggering the deadlock was a bit tricky, here
is the description by Thomas Egerer (the reporter of this issue):
"
The deadlock occurs when the following happens (in the given order):
a) an IKE_SA is built and a thread is processing the IKE_AUTH request,
which can take a bit longer when a smartcard is involved. This
causes the ike_sa_manager to lock a particular IKE_SA exclusively.
b) an acquire is triggered which causes the rwlock in the trap_manager
to be read-locked, the subsequent call to
ike_sa_manager->checkout_by_config has to wait until a) unlocks
it's ike_sa.
c) a child_cfg contained in the peer_cfg belonging to the ike_sa
a) has locked is routed causes the child_configs contained
in the peer config to be locked by c) while the actual routing
code within trap_manager tries to writelock it's rwlock.
That's about it. As soon as a) finishes authentication of the peer
and tries to find a matching child sa it will try to lock the child
configs of the peer config which is not possible since it has been
locked by c).
Thread | Resource locked | Resource desired
-------+--------------------------------+--------------------------------
(a) | ike_sa in ike_sa_manager | child_cfgs of peer_cfg
| |
(b) | rwlock in trap-manager (read) | ike_sa in ike_sa_manager
| |
(c) | child_cfgs of peer_cfg | rwlock in trap-manager (write)
"
With this patch thread (b) now does not hold the lock while waiting for
the IKE_SA. Thus (c) can get the write lock, and (a) can subsequently
lock the mutex in the peer_cfg which then finally allows (b) to checkout
the IKE_SA.
2011-12-23 11:07:14 +01:00
Tobias Brunner
5317dd6887
Added atomic compare and swap operations.
...
Using a GCC atomic builtin if available or a global mutex otherwise.
2011-12-23 11:04:55 +01:00
Tobias Brunner
d6656f11e4
Fixed flush() method of trap_manager_t.
...
A segmentation fault could have happened during destruction of the trap
manager after calling flush().
2011-12-23 10:38:10 +01:00
Andreas Steffen
a24f2241bc
made ikev2/reauth-late scenario more robust
2011-12-21 06:00:13 +01:00
Andreas Steffen
12b6ba8771
additional state waiting for the EvidenceFinal attribute response
2011-12-20 07:04:21 +01:00
Andreas Steffen
d670adb34a
moved send_message() in front of recommendation evaluation
2011-12-18 21:05:52 +01:00
Andreas Steffen
f994caf665
added case IMV_ATTESTATION_STATE_END
2011-12-18 19:39:25 +01:00
Sansar Choinyambuu
6d3b46668f
TrouSerS expects a bitmask field length of at least 3 bytes
2011-12-18 18:36:36 +01:00
Andreas Steffen
005d981cc2
check for TrouSerS
2011-12-18 18:26:38 +01:00
Andreas Steffen
034b792b90
added Attestation IMC/IMV to UML build
2011-12-18 18:07:47 +01:00
Andreas Steffen
458c52d29d
build PA-TNC message only if there are PA-TNC attributes to send
2011-12-18 17:55:20 +01:00
Andreas Steffen
a98262ff6e
destroy attributes, too
2011-12-18 17:34:53 +01:00
Andreas Steffen
8982b70298
added reference counts to all PA-TNC attribute classes
2011-12-18 17:20:13 +01:00
Andreas Steffen
4f91342702
reworded comments and debug output
2011-12-18 10:51:35 +01:00
Andreas Steffen
5da8b67625
Prepend Debian string to Debian version
2011-12-18 10:27:42 +01:00
Andreas Steffen
3f58e4c562
removed unused variable
2011-12-16 18:10:20 +01:00
Andreas Steffen
cbf2ba54e1
moved management of additional IMC/IMV IDs to agent
2011-12-16 17:32:15 +01:00
Tobias Brunner
cc4b48e886
Also log PGP parsing in ASN log group.
2011-12-16 16:44:38 +01:00
Tobias Brunner
b6e0784385
Log messages for PKCS1 and PEM parsing in ASN log group.
2011-12-16 16:44:38 +01:00
Tobias Brunner
eb497205e3
Log most X.509 related messages in new ASN log group.
2011-12-16 16:44:38 +01:00
Tobias Brunner
c7f3a056dd
Log ASN.1 parsing in new ASN debug group.
2011-12-16 16:44:38 +01:00
Tobias Brunner
54d096a712
Added ASN debug group to log low-level encoding/decoding (ASN.1, X.509).
...
This will allow us to remove quite some clutter from the LIB debug group
for higher debug levels.
2011-12-16 16:44:38 +01:00
Tobias Brunner
c17f6f96e2
Log native thread ID when a thread is created.
...
If possible gettid() is used, otherwise pthread_self() is logged (which is
not completely portable, but seems to work on most supported platforms).
2011-12-16 16:44:38 +01:00
Tobias Brunner
b24287c269
Log worker thread ID with two digits.
2011-12-16 16:44:38 +01:00