]>
git.ipfire.org Git - thirdparty/strongswan.git/log
Thomas Egerer [Mon, 16 Jan 2012 16:41:47 +0000 (17:41 +0100)]
Destroy active task list before queued tasks
Since active task's destruction might result in adopting tasks from a
rekeyed ike sa it seems better to first destroy the active task list and
then destroy all queued tasks. This way adoption is possible at all,
while otherwise the queued task list would be empty.
Adrian-Ken Rueegsegger [Fri, 6 Jan 2012 16:37:59 +0000 (17:37 +0100)]
Various style, typo and whitespace corrections
Tobias Brunner [Thu, 12 Jan 2012 18:16:18 +0000 (19:16 +0100)]
Starter depends on whack/stroke on Android.
With this change whack and stroke get installed automatically if starter is
enabled.
Tobias Brunner [Thu, 12 Jan 2012 18:14:11 +0000 (19:14 +0100)]
Android 4 requires LOCAL_MODULE_TAGS to be set for all modules.
Because all packages are now marked as optional executables that are to
be installed on the final system have to be added to PRODUCT_PACKAGES in
build/target/product/core.mk. Dependencies (such as libraries) are
installed automatically.
Tobias Brunner [Thu, 12 Jan 2012 10:41:34 +0000 (11:41 +0100)]
Fixed additional typos in comments and log messages.
Adrian-Ken Rueegsegger [Thu, 5 Jan 2012 17:52:36 +0000 (18:52 +0100)]
Fix whitespaces
Adrian-Ken Rueegsegger [Wed, 4 Jan 2012 10:11:47 +0000 (11:11 +0100)]
Some documentation corrections
Tobias Brunner [Thu, 12 Jan 2012 10:08:22 +0000 (11:08 +0100)]
Fix gettid() on Android, which is defined in unistd.h there.
Tobias Brunner [Tue, 10 Jan 2012 17:31:33 +0000 (18:31 +0100)]
Use native gettid() if available (which is the case on Android).
Tobias Brunner [Wed, 4 Jan 2012 12:19:29 +0000 (13:19 +0100)]
pluto: Use srand() to initialize the C library PRNG.
Otherwise rekey and DPD times would always be the same after a restart.
Martin Willi [Sat, 31 Dec 2011 11:49:18 +0000 (12:49 +0100)]
Use the TLS socket splicing in tls_test script
Martin Willi [Sat, 31 Dec 2011 11:37:08 +0000 (12:37 +0100)]
Added a tls_socket_t.splice method to wrap a file descriptor into TLS
Martin Willi [Sat, 31 Dec 2011 00:41:56 +0000 (01:41 +0100)]
Implemented TLS session resumption both as client and as server
Martin Willi [Sat, 31 Dec 2011 00:39:17 +0000 (01:39 +0100)]
Implemented a TLS session cache
Martin Willi [Fri, 30 Dec 2011 17:29:55 +0000 (18:29 +0100)]
Check for cipherspec changes after each handshake message
Martin Willi [Fri, 30 Dec 2011 17:29:11 +0000 (18:29 +0100)]
Separated cipherspec checking and switching, allowing us to defer the second
Tobias Brunner [Thu, 29 Dec 2011 17:41:39 +0000 (18:41 +0100)]
Make number of concurrently handled stroke messages configurable.
Tobias Brunner [Thu, 29 Dec 2011 17:39:34 +0000 (18:39 +0100)]
Limit the number of concurrently handled stroke messages.
This avoids clogging the thread pool with potentially blocking jobs.
Andreas Steffen [Sun, 25 Dec 2011 13:30:52 +0000 (14:30 +0100)]
register aik certificate via ipsec attest
Martin Willi [Sat, 24 Dec 2011 12:26:24 +0000 (13:26 +0100)]
Be less verbose about TLS extensions
Martin Willi [Sat, 24 Dec 2011 11:35:28 +0000 (12:35 +0100)]
In TLS 1.2, PRF and HASH function use at least SHA-256, not the MAC hash function
Martin Willi [Sat, 24 Dec 2011 10:02:57 +0000 (11:02 +0100)]
Added a getter for the tls_socket file descriptor
Tobias Brunner [Fri, 23 Dec 2011 17:01:31 +0000 (18:01 +0100)]
Allow callers to force ASN.1 date encoding as GENERALIZEDTIME.
Tobias Brunner [Fri, 23 Dec 2011 15:36:59 +0000 (16:36 +0100)]
Avoid integer overflow when parsing ASN.1 dates.
This only works properly if sizeof(time_t) > 4.
Tobias Brunner [Fri, 23 Dec 2011 15:33:24 +0000 (16:33 +0100)]
pki: Avoid integer overflow when calculating certificate lifetimes.
This only works properly if sizeof(time_t) > 4.
Tobias Brunner [Fri, 23 Dec 2011 15:29:41 +0000 (16:29 +0100)]
Properly ASN.1 encode dates in certificates depending on the year.
Tobias Brunner [Fri, 23 Dec 2011 14:32:06 +0000 (15:32 +0100)]
pluto: Fixed expiration date test.
Tobias Brunner [Fri, 23 Dec 2011 10:07:14 +0000 (11:07 +0100)]
Fix deadlock in trap_manager_t during acquire.
Also fixes a TOCTOU issue regarding the use of entry_t.pending.
The deadlock was caused because the rwlock was being locked while
waiting for an IKE_SA. Triggering the deadlock was a bit tricky, here
is the description by Thomas Egerer (the reporter of this issue):
"
The deadlock occurs when the following happens (in the given order):
a) an IKE_SA is built and a thread is processing the IKE_AUTH request,
which can take a bit longer when a smartcard is involved. This
causes the ike_sa_manager to lock a particular IKE_SA exclusively.
b) an acquire is triggered which causes the rwlock in the trap_manager
to be read-locked, the subsequent call to
ike_sa_manager->checkout_by_config has to wait until a) unlocks
it's ike_sa.
c) a child_cfg contained in the peer_cfg belonging to the ike_sa
a) has locked is routed causes the child_configs contained
in the peer config to be locked by c) while the actual routing
code within trap_manager tries to writelock it's rwlock.
That's about it. As soon as a) finishes authentication of the peer
and tries to find a matching child sa it will try to lock the child
configs of the peer config which is not possible since it has been
locked by c).
Thread | Resource locked | Resource desired
-------+--------------------------------+--------------------------------
(a) | ike_sa in ike_sa_manager | child_cfgs of peer_cfg
| |
(b) | rwlock in trap-manager (read) | ike_sa in ike_sa_manager
| |
(c) | child_cfgs of peer_cfg | rwlock in trap-manager (write)
"
With this patch thread (b) now does not hold the lock while waiting for
the IKE_SA. Thus (c) can get the write lock, and (a) can subsequently
lock the mutex in the peer_cfg which then finally allows (b) to checkout
the IKE_SA.
Tobias Brunner [Fri, 23 Dec 2011 10:04:55 +0000 (11:04 +0100)]
Added atomic compare and swap operations.
Using a GCC atomic builtin if available or a global mutex otherwise.
Tobias Brunner [Fri, 23 Dec 2011 09:38:10 +0000 (10:38 +0100)]
Fixed flush() method of trap_manager_t.
A segmentation fault could have happened during destruction of the trap
manager after calling flush().
Andreas Steffen [Wed, 21 Dec 2011 05:00:13 +0000 (06:00 +0100)]
made ikev2/reauth-late scenario more robust
Andreas Steffen [Tue, 20 Dec 2011 06:04:21 +0000 (07:04 +0100)]
additional state waiting for the EvidenceFinal attribute response
Andreas Steffen [Sun, 18 Dec 2011 20:05:52 +0000 (21:05 +0100)]
moved send_message() in front of recommendation evaluation
Andreas Steffen [Sun, 18 Dec 2011 18:39:25 +0000 (19:39 +0100)]
added case IMV_ATTESTATION_STATE_END
Sansar Choinyambuu [Sun, 18 Dec 2011 17:36:36 +0000 (18:36 +0100)]
TrouSerS expects a bitmask field length of at least 3 bytes
Andreas Steffen [Sun, 18 Dec 2011 17:26:38 +0000 (18:26 +0100)]
check for TrouSerS
Andreas Steffen [Sun, 18 Dec 2011 17:07:47 +0000 (18:07 +0100)]
added Attestation IMC/IMV to UML build
Andreas Steffen [Sun, 18 Dec 2011 16:55:20 +0000 (17:55 +0100)]
build PA-TNC message only if there are PA-TNC attributes to send
Andreas Steffen [Sun, 18 Dec 2011 16:34:53 +0000 (17:34 +0100)]
destroy attributes, too
Andreas Steffen [Sun, 18 Dec 2011 16:20:13 +0000 (17:20 +0100)]
added reference counts to all PA-TNC attribute classes
Andreas Steffen [Sun, 18 Dec 2011 09:51:35 +0000 (10:51 +0100)]
reworded comments and debug output
Andreas Steffen [Sun, 18 Dec 2011 09:27:42 +0000 (10:27 +0100)]
Prepend Debian string to Debian version
Andreas Steffen [Thu, 15 Dec 2011 08:30:13 +0000 (09:30 +0100)]
removed unused variable
Andreas Steffen [Fri, 16 Dec 2011 16:32:00 +0000 (17:32 +0100)]
moved management of additional IMC/IMV IDs to agent
Tobias Brunner [Fri, 16 Dec 2011 15:34:56 +0000 (16:34 +0100)]
Also log PGP parsing in ASN log group.
Tobias Brunner [Fri, 16 Dec 2011 15:32:47 +0000 (16:32 +0100)]
Log messages for PKCS1 and PEM parsing in ASN log group.
Tobias Brunner [Fri, 16 Dec 2011 15:31:50 +0000 (16:31 +0100)]
Log most X.509 related messages in new ASN log group.
Tobias Brunner [Fri, 16 Dec 2011 15:29:48 +0000 (16:29 +0100)]
Log ASN.1 parsing in new ASN debug group.
Tobias Brunner [Fri, 16 Dec 2011 15:27:28 +0000 (16:27 +0100)]
Added ASN debug group to log low-level encoding/decoding (ASN.1, X.509).
This will allow us to remove quite some clutter from the LIB debug group
for higher debug levels.
Tobias Brunner [Fri, 16 Dec 2011 15:21:01 +0000 (16:21 +0100)]
Log native thread ID when a thread is created.
If possible gettid() is used, otherwise pthread_self() is logged (which is
not completely portable, but seems to work on most supported platforms).
Tobias Brunner [Fri, 16 Dec 2011 13:40:57 +0000 (14:40 +0100)]
Log worker thread ID with two digits.
Andreas Steffen [Fri, 16 Dec 2011 13:26:09 +0000 (14:26 +0100)]
fixed caption alignment
Andreas Steffen [Fri, 16 Dec 2011 13:19:14 +0000 (14:19 +0100)]
Revert "fixed caption alignment"
This reverts commit
d463def798ed339b143ee9500c2781532394171e .
Andreas Steffen [Fri, 16 Dec 2011 13:15:25 +0000 (14:15 +0100)]
fixed caption alignment
Tobias Brunner [Thu, 15 Dec 2011 11:20:09 +0000 (12:20 +0100)]
Make sure the certificate cache is flushed when plugins are unloaded.
This avoids segmentation faults when plugins implementing cert_t are
already unloaded when the cache is flushed during destruction.
Tobias Brunner [Wed, 14 Dec 2011 18:01:39 +0000 (19:01 +0100)]
Charon also supports type=passthrough|drop.
Thomas Egerer [Wed, 14 Dec 2011 17:17:49 +0000 (18:17 +0100)]
Always unlock mutex for installed policies in kernel-netlink plugin.
Tobias Brunner [Wed, 14 Dec 2011 17:04:39 +0000 (18:04 +0100)]
Documented xauth_identity in ipsec.conf(5) man page.
Tobias Brunner [Wed, 14 Dec 2011 16:41:07 +0000 (17:41 +0100)]
Documented binary secrets in ipsec.secrets(5) man page.
Tobias Brunner [Wed, 14 Dec 2011 15:38:30 +0000 (16:38 +0100)]
Added missing libsimaka files to Android.mk.
Tobias Brunner [Wed, 14 Dec 2011 13:24:15 +0000 (14:24 +0100)]
Destroy mediation managers before unloading plugins.
Andreas Steffen [Mon, 12 Dec 2011 16:00:50 +0000 (17:00 +0100)]
added UML support for IF-MAP interface
Andreas Steffen [Mon, 12 Dec 2011 09:44:53 +0000 (10:44 +0100)]
some NEWS entries for 4.6.2
Andreas Steffen [Mon, 12 Dec 2011 09:38:23 +0000 (10:38 +0100)]
version bump to 4.6.2dr2
Andreas Steffen [Sun, 11 Dec 2011 21:03:43 +0000 (22:03 +0100)]
added libimcv.plugins.imc-attestation.aik_blob parameter
Andreas Steffen [Sun, 11 Dec 2011 21:01:49 +0000 (22:01 +0100)]
upgraded Test IMC/IMV pair to fully support multple IMC IDs
Andreas Steffen [Sun, 11 Dec 2011 08:41:40 +0000 (09:41 +0100)]
added IETF standard error handling method
Andreas Steffen [Fri, 9 Dec 2011 22:32:30 +0000 (23:32 +0100)]
implemented IMC/IMV ReceiveMessageLong functions
Andreas Steffen [Fri, 9 Dec 2011 16:11:31 +0000 (17:11 +0100)]
added IMC/IMV support for send_message_long() and reserve_additional_id() functions
Andreas Steffen [Fri, 9 Dec 2011 10:25:53 +0000 (11:25 +0100)]
store the long and excl flags in the connection state
Andreas Steffen [Fri, 9 Dec 2011 09:45:00 +0000 (10:45 +0100)]
IMC/IMV gets v1.3 attributes from TNCC/TNCS
Andreas Steffen [Thu, 8 Dec 2011 21:10:50 +0000 (22:10 +0100)]
implemented ReportMessageTypesLong
Andreas Steffen [Thu, 8 Dec 2011 16:57:39 +0000 (17:57 +0100)]
implemented IF-IMC/IMV 1.3 attributes
Andreas Steffen [Thu, 8 Dec 2011 13:52:08 +0000 (14:52 +0100)]
added TNC_TNCC_GetAttribute() and TNC_TNCC_SetAttribute() functions
Andreas Steffen [Thu, 8 Dec 2011 11:38:45 +0000 (12:38 +0100)]
added TNC_IMC_ReceiveMessageLong() and TNC_IMV_ReceiveMessageLong() support
Andreas Steffen [Thu, 8 Dec 2011 11:30:57 +0000 (12:30 +0100)]
fixed typo in function name
Andreas Steffen [Wed, 7 Dec 2011 16:55:26 +0000 (17:55 +0100)]
added TNC_TNCS_ReserveAdditionalIMVID() function
Andreas Steffen [Wed, 7 Dec 2011 16:36:04 +0000 (17:36 +0100)]
return with TNC_RESULT_SUCCESS
Andreas Steffen [Wed, 7 Dec 2011 16:31:49 +0000 (17:31 +0100)]
added TNC_TNCC_ReserveAdditionalIMCID() function
Martin Willi [Wed, 7 Dec 2011 12:40:38 +0000 (13:40 +0100)]
Be less verbose if plugin dependecy not satisfied
Martin Willi [Wed, 7 Dec 2011 10:29:13 +0000 (11:29 +0100)]
Create a dummy pthread key for value "0", as some buggy PKCS#11 libraries mangle it
Andreas Steffen [Wed, 7 Dec 2011 10:44:29 +0000 (11:44 +0100)]
added TNC_TNCC_SendMessageLong() and TNC_TNCS_SendMessageLong() functions
Andreas Steffen [Wed, 7 Dec 2011 10:42:34 +0000 (11:42 +0100)]
fixed typo in tncif.h
Andreas Steffen [Tue, 6 Dec 2011 23:12:15 +0000 (00:12 +0100)]
corrected function name in error message
Andreas Steffen [Tue, 6 Dec 2011 23:00:44 +0000 (00:00 +0100)]
defined SUBTYPE_ANY for all known Vendor IDs
Andreas Steffen [Tue, 6 Dec 2011 22:39:01 +0000 (23:39 +0100)]
added TNC_TNCC_ReportMessageTypesLong() and TNC_TNCS_ReportMessageTypesLong() messages
Andreas Steffen [Sun, 4 Dec 2011 11:53:47 +0000 (12:53 +0100)]
fixed copy-and-paste error
Andreas Steffen [Sun, 4 Dec 2011 11:48:30 +0000 (12:48 +0100)]
upgraded IF-IMC/IMV inteface definitions to version 1.3
Andreas Steffen [Mon, 28 Nov 2011 21:03:46 +0000 (22:03 +0100)]
differences incurred by rebasing - thanks Linus
Andreas Steffen [Mon, 28 Nov 2011 13:27:03 +0000 (14:27 +0100)]
improved performance of database access by caching primary keys
Andreas Steffen [Mon, 28 Nov 2011 12:01:55 +0000 (13:01 +0100)]
increased number of PCR registers used by IMA
Andreas Steffen [Mon, 28 Nov 2011 00:13:23 +0000 (01:13 +0100)]
fixed measurement rollback
Andreas Steffen [Sun, 27 Nov 2011 23:53:24 +0000 (00:53 +0100)]
automatically registering component measurements
Andreas Steffen [Sun, 27 Nov 2011 18:10:29 +0000 (19:10 +0100)]
bound functional component measurements to AIK
Andreas Steffen [Fri, 25 Nov 2011 23:24:23 +0000 (00:24 +0100)]
implemented Linux IMA functional component
Andreas Steffen [Fri, 25 Nov 2011 12:18:13 +0000 (13:18 +0100)]
defined various measurement hash and pcr functions
Andreas Steffen [Fri, 25 Nov 2011 12:14:45 +0000 (13:14 +0100)]
updated attest_usage text
Andreas Steffen [Thu, 24 Nov 2011 23:18:58 +0000 (00:18 +0100)]
moved attestation plugins to libpts in order to resolve circular reference with libimcv
Andreas Steffen [Thu, 24 Nov 2011 20:52:44 +0000 (21:52 +0100)]
add and delete components
Andreas Steffen [Thu, 24 Nov 2011 16:02:20 +0000 (17:02 +0100)]
mark PCR registers as file type 2 in database