70a4737690
pluto: Fixed expiration date test.
2011-12-23 15:32:06 +01:00
fc726f1359
Fix deadlock in trap_manager_t during acquire.
...
Also fixes a TOCTOU issue regarding the use of entry_t.pending.
The deadlock was caused because the rwlock was being locked while
waiting for an IKE_SA. Triggering the deadlock was a bit tricky, here
is the description by Thomas Egerer (the reporter of this issue):
"
The deadlock occurs when the following happens (in the given order):
a) an IKE_SA is built and a thread is processing the IKE_AUTH request,
which can take a bit longer when a smartcard is involved. This
causes the ike_sa_manager to lock a particular IKE_SA exclusively.
b) an acquire is triggered which causes the rwlock in the trap_manager
to be read-locked, the subsequent call to
ike_sa_manager->checkout_by_config has to wait until a) unlocks
it's ike_sa.
c) a child_cfg contained in the peer_cfg belonging to the ike_sa
a) has locked is routed causes the child_configs contained
in the peer config to be locked by c) while the actual routing
code within trap_manager tries to writelock it's rwlock.
That's about it. As soon as a) finishes authentication of the peer
and tries to find a matching child sa it will try to lock the child
configs of the peer config which is not possible since it has been
locked by c).
Thread | Resource locked | Resource desired
-------+--------------------------------+--------------------------------
(a) | ike_sa in ike_sa_manager | child_cfgs of peer_cfg
| |
(b) | rwlock in trap-manager (read) | ike_sa in ike_sa_manager
| |
(c) | child_cfgs of peer_cfg | rwlock in trap-manager (write)
"
With this patch thread (b) now does not hold the lock while waiting for
the IKE_SA. Thus (c) can get the write lock, and (a) can subsequently
lock the mutex in the peer_cfg which then finally allows (b) to checkout
the IKE_SA.
2011-12-23 11:07:14 +01:00
5317dd6887
Added atomic compare and swap operations.
...
Using a GCC atomic builtin if available or a global mutex otherwise.
2011-12-23 11:04:55 +01:00
d6656f11e4
Fixed flush() method of trap_manager_t.
...
A segmentation fault could have happened during destruction of the trap
manager after calling flush().
2011-12-23 10:38:10 +01:00
a24f2241bc
made ikev2/reauth-late scenario more robust
2011-12-21 06:00:13 +01:00
12b6ba8771
additional state waiting for the EvidenceFinal attribute response
2011-12-20 07:04:21 +01:00
d670adb34a
moved send_message() in front of recommendation evaluation
2011-12-18 21:05:52 +01:00
f994caf665
added case IMV_ATTESTATION_STATE_END
2011-12-18 19:39:25 +01:00
6d3b46668f
TrouSerS expects a bitmask field length of at least 3 bytes
2011-12-18 18:36:36 +01:00
005d981cc2
check for TrouSerS
2011-12-18 18:26:38 +01:00
034b792b90
added Attestation IMC/IMV to UML build
2011-12-18 18:07:47 +01:00
458c52d29d
build PA-TNC message only if there are PA-TNC attributes to send
2011-12-18 17:55:20 +01:00
a98262ff6e
destroy attributes, too
2011-12-18 17:34:53 +01:00
8982b70298
added reference counts to all PA-TNC attribute classes
2011-12-18 17:20:13 +01:00
4f91342702
reworded comments and debug output
2011-12-18 10:51:35 +01:00
5da8b67625
Prepend Debian string to Debian version
2011-12-18 10:27:42 +01:00
3f58e4c562
removed unused variable
2011-12-16 18:10:20 +01:00
cbf2ba54e1
moved management of additional IMC/IMV IDs to agent
2011-12-16 17:32:15 +01:00
cc4b48e886
Also log PGP parsing in ASN log group.
2011-12-16 16:44:38 +01:00
b6e0784385
Log messages for PKCS1 and PEM parsing in ASN log group.
2011-12-16 16:44:38 +01:00
eb497205e3
Log most X.509 related messages in new ASN log group.
2011-12-16 16:44:38 +01:00
c7f3a056dd
Log ASN.1 parsing in new ASN debug group.
2011-12-16 16:44:38 +01:00
54d096a712
Added ASN debug group to log low-level encoding/decoding (ASN.1, X.509).
...
This will allow us to remove quite some clutter from the LIB debug group
for higher debug levels.
2011-12-16 16:44:38 +01:00
c17f6f96e2
Log native thread ID when a thread is created.
...
If possible gettid() is used, otherwise pthread_self() is logged (which is
not completely portable, but seems to work on most supported platforms).
2011-12-16 16:44:38 +01:00
b24287c269
Log worker thread ID with two digits.
2011-12-16 16:44:38 +01:00
c27e54a716
fixed caption alignment
2011-12-16 14:26:09 +01:00
0e94ae1286
Revert "fixed caption alignment"
...
This reverts commit d463def798
2011-12-16 14:19:14 +01:00
d463def798
fixed caption alignment
2011-12-16 14:15:46 +01:00
a5951a2861
Make sure the certificate cache is flushed when plugins are unloaded.
...
This avoids segmentation faults when plugins implementing cert_t are
already unloaded when the cache is flushed during destruction.
2011-12-15 12:20:09 +01:00
49b44c98c1
Charon also supports type=passthrough|drop.
2011-12-14 19:01:39 +01:00
64c4fd0a60
Always unlock mutex for installed policies in kernel-netlink plugin.
2011-12-14 18:17:49 +01:00
b768d6a4a5
Documented xauth_identity in ipsec.conf(5) man page.
2011-12-14 18:04:39 +01:00
6d4c6b8f41
Documented binary secrets in ipsec.secrets(5) man page.
2011-12-14 17:46:27 +01:00
3eff54a5ca
Added missing libsimaka files to Android.mk.
2011-12-14 16:38:30 +01:00
406c5a593b
Destroy mediation managers before unloading plugins.
2011-12-14 14:24:37 +01:00
19e9bdda1f
added UML support for IF-MAP interface
2011-12-12 17:00:50 +01:00
60e99b3761
some NEWS entries for 4.6.2
2011-12-12 10:44:53 +01:00
bc74e1aaf0
version bump to 4.6.2dr2
2011-12-12 10:38:23 +01:00
15b3dc5b26
added libimcv.plugins.imc-attestation.aik_blob parameter
2011-12-11 22:03:43 +01:00
63179fd459
upgraded Test IMC/IMV pair to fully support multple IMC IDs
2011-12-11 22:01:49 +01:00
6f04ccff5e
added IETF standard error handling method
2011-12-11 09:41:40 +01:00
54f53f9081
implemented IMC/IMV ReceiveMessageLong functions
2011-12-09 23:32:30 +01:00
ac3331e1cd
added IMC/IMV support for send_message_long() and reserve_additional_id() functions
2011-12-09 17:11:31 +01:00
e4e291d499
store the long and excl flags in the connection state
2011-12-09 11:25:53 +01:00
1ab8dff7fa
IMC/IMV gets v1.3 attributes from TNCC/TNCS
2011-12-09 10:45:00 +01:00
c87acaf541
implemented ReportMessageTypesLong
2011-12-08 22:10:50 +01:00
170f918596
implemented IF-IMC/IMV 1.3 attributes
2011-12-08 17:57:39 +01:00
d6c892169c
added TNC_TNCC_GetAttribute() and TNC_TNCC_SetAttribute() functions
2011-12-08 14:52:08 +01:00
584282d7c9
added TNC_IMC_ReceiveMessageLong() and TNC_IMV_ReceiveMessageLong() support
2011-12-08 12:38:45 +01:00
115d49a748
fixed typo in function name
2011-12-08 12:30:57 +01:00
Tobias Brunner