strongswan.git
8 years agopki: Avoid integer overflow when calculating certificate lifetimes.
Tobias Brunner [Fri, 23 Dec 2011 15:33:24 +0000 (16:33 +0100)]
pki: Avoid integer overflow when calculating certificate lifetimes.

This only works properly if sizeof(time_t) > 4.

8 years agoProperly ASN.1 encode dates in certificates depending on the year.
Tobias Brunner [Fri, 23 Dec 2011 15:29:41 +0000 (16:29 +0100)]
Properly ASN.1 encode dates in certificates depending on the year.

8 years agopluto: Fixed expiration date test.
Tobias Brunner [Fri, 23 Dec 2011 14:32:06 +0000 (15:32 +0100)]
pluto: Fixed expiration date test.

8 years agoFix deadlock in trap_manager_t during acquire.
Tobias Brunner [Fri, 23 Dec 2011 10:07:14 +0000 (11:07 +0100)]
Fix deadlock in trap_manager_t during acquire.

Also fixes a TOCTOU issue regarding the use of entry_t.pending.

The deadlock was caused because the rwlock was being locked while
waiting for an IKE_SA. Triggering the deadlock was a bit tricky, here
is the description by Thomas Egerer (the reporter of this issue):

"
The deadlock occurs when the following happens (in the given order):

a) an IKE_SA is built and a thread is processing the IKE_AUTH request,
   which can take a bit longer when a smartcard is involved. This
   causes the ike_sa_manager to lock a particular IKE_SA exclusively.
b) an acquire is triggered which causes the rwlock in the trap_manager
   to be read-locked, the subsequent call to
   ike_sa_manager->checkout_by_config has to wait until a) unlocks
   it's ike_sa.
c) a child_cfg contained in the peer_cfg belonging to the ike_sa
   a) has locked is routed causes the child_configs contained
   in the peer config to be locked by c) while the actual routing
   code within trap_manager tries to writelock it's rwlock.

That's about it. As soon as a) finishes authentication of the peer
and tries to find a matching child sa it will try to lock the child
configs of the peer config which is not possible since it has been
locked by c).

Thread | Resource locked                | Resource desired
-------+--------------------------------+--------------------------------
  (a)  | ike_sa in ike_sa_manager       | child_cfgs of peer_cfg
       |                                |
  (b)  | rwlock in trap-manager (read)  | ike_sa in ike_sa_manager
       |                                |
  (c)  | child_cfgs of peer_cfg         | rwlock in trap-manager (write)
"

With this patch thread (b) now does not hold the lock while waiting for
the IKE_SA. Thus (c) can get the write lock, and (a) can subsequently
lock the mutex in the peer_cfg which then finally allows (b) to checkout
the IKE_SA.

8 years agoAdded atomic compare and swap operations.
Tobias Brunner [Fri, 23 Dec 2011 10:04:55 +0000 (11:04 +0100)]
Added atomic compare and swap operations.

Using a GCC atomic builtin if available or a global mutex otherwise.

8 years agoFixed flush() method of trap_manager_t.
Tobias Brunner [Fri, 23 Dec 2011 09:38:10 +0000 (10:38 +0100)]
Fixed flush() method of trap_manager_t.

A segmentation fault could have happened during destruction of the trap
manager after calling flush().

8 years agomade ikev2/reauth-late scenario more robust
Andreas Steffen [Wed, 21 Dec 2011 05:00:13 +0000 (06:00 +0100)]
made ikev2/reauth-late scenario more robust

8 years agoadditional state waiting for the EvidenceFinal attribute response
Andreas Steffen [Tue, 20 Dec 2011 06:04:21 +0000 (07:04 +0100)]
additional state waiting for the EvidenceFinal attribute response

8 years agomoved send_message() in front of recommendation evaluation
Andreas Steffen [Sun, 18 Dec 2011 20:05:52 +0000 (21:05 +0100)]
moved send_message() in front of recommendation evaluation

8 years agoadded case IMV_ATTESTATION_STATE_END
Andreas Steffen [Sun, 18 Dec 2011 18:39:25 +0000 (19:39 +0100)]
added case IMV_ATTESTATION_STATE_END

8 years agoTrouSerS expects a bitmask field length of at least 3 bytes
Sansar Choinyambuu [Sun, 18 Dec 2011 17:36:36 +0000 (18:36 +0100)]
TrouSerS expects a bitmask field length of at least 3 bytes

8 years agocheck for TrouSerS
Andreas Steffen [Sun, 18 Dec 2011 17:26:38 +0000 (18:26 +0100)]
check for TrouSerS

8 years agoadded Attestation IMC/IMV to UML build
Andreas Steffen [Sun, 18 Dec 2011 17:07:47 +0000 (18:07 +0100)]
added Attestation IMC/IMV to UML build

8 years agobuild PA-TNC message only if there are PA-TNC attributes to send
Andreas Steffen [Sun, 18 Dec 2011 16:55:20 +0000 (17:55 +0100)]
build PA-TNC message only if there are PA-TNC attributes to send

8 years agodestroy attributes, too
Andreas Steffen [Sun, 18 Dec 2011 16:34:53 +0000 (17:34 +0100)]
destroy attributes, too

8 years agoadded reference counts to all PA-TNC attribute classes
Andreas Steffen [Sun, 18 Dec 2011 16:20:13 +0000 (17:20 +0100)]
added reference counts to all PA-TNC attribute classes

8 years agoreworded comments and debug output
Andreas Steffen [Sun, 18 Dec 2011 09:51:35 +0000 (10:51 +0100)]
reworded comments and debug output

8 years agoPrepend Debian string to Debian version
Andreas Steffen [Sun, 18 Dec 2011 09:27:42 +0000 (10:27 +0100)]
Prepend Debian string to Debian version

8 years agoremoved unused variable
Andreas Steffen [Thu, 15 Dec 2011 08:30:13 +0000 (09:30 +0100)]
removed unused variable

8 years agomoved management of additional IMC/IMV IDs to agent
Andreas Steffen [Fri, 16 Dec 2011 16:32:00 +0000 (17:32 +0100)]
moved management of additional IMC/IMV IDs to agent

8 years agoAlso log PGP parsing in ASN log group.
Tobias Brunner [Fri, 16 Dec 2011 15:34:56 +0000 (16:34 +0100)]
Also log PGP parsing in ASN log group.

8 years agoLog messages for PKCS1 and PEM parsing in ASN log group.
Tobias Brunner [Fri, 16 Dec 2011 15:32:47 +0000 (16:32 +0100)]
Log messages for PKCS1 and PEM parsing in ASN log group.

8 years agoLog most X.509 related messages in new ASN log group.
Tobias Brunner [Fri, 16 Dec 2011 15:31:50 +0000 (16:31 +0100)]
Log most X.509 related messages in new ASN log group.

8 years agoLog ASN.1 parsing in new ASN debug group.
Tobias Brunner [Fri, 16 Dec 2011 15:29:48 +0000 (16:29 +0100)]
Log ASN.1 parsing in new ASN debug group.

8 years agoAdded ASN debug group to log low-level encoding/decoding (ASN.1, X.509).
Tobias Brunner [Fri, 16 Dec 2011 15:27:28 +0000 (16:27 +0100)]
Added ASN debug group to log low-level encoding/decoding (ASN.1, X.509).

This will allow us to remove quite some clutter from the LIB debug group
for higher debug levels.

8 years agoLog native thread ID when a thread is created.
Tobias Brunner [Fri, 16 Dec 2011 15:21:01 +0000 (16:21 +0100)]
Log native thread ID when a thread is created.

If possible gettid() is used, otherwise pthread_self() is logged (which is
not completely portable, but seems to work on most supported platforms).

8 years agoLog worker thread ID with two digits.
Tobias Brunner [Fri, 16 Dec 2011 13:40:57 +0000 (14:40 +0100)]
Log worker thread ID with two digits.

8 years agofixed caption alignment
Andreas Steffen [Fri, 16 Dec 2011 13:26:09 +0000 (14:26 +0100)]
fixed caption alignment

8 years agoRevert "fixed caption alignment"
Andreas Steffen [Fri, 16 Dec 2011 13:19:14 +0000 (14:19 +0100)]
Revert "fixed caption alignment"

This reverts commit d463def798ed339b143ee9500c2781532394171e.

8 years agofixed caption alignment
Andreas Steffen [Fri, 16 Dec 2011 13:15:25 +0000 (14:15 +0100)]
fixed caption alignment

8 years agoMake sure the certificate cache is flushed when plugins are unloaded.
Tobias Brunner [Thu, 15 Dec 2011 11:20:09 +0000 (12:20 +0100)]
Make sure the certificate cache is flushed when plugins are unloaded.

This avoids segmentation faults when plugins implementing cert_t are
already unloaded when the cache is flushed during destruction.

8 years agoCharon also supports type=passthrough|drop.
Tobias Brunner [Wed, 14 Dec 2011 18:01:39 +0000 (19:01 +0100)]
Charon also supports type=passthrough|drop.

8 years agoAlways unlock mutex for installed policies in kernel-netlink plugin.
Thomas Egerer [Wed, 14 Dec 2011 17:17:49 +0000 (18:17 +0100)]
Always unlock mutex for installed policies in kernel-netlink plugin.

8 years agoDocumented xauth_identity in ipsec.conf(5) man page.
Tobias Brunner [Wed, 14 Dec 2011 17:04:39 +0000 (18:04 +0100)]
Documented xauth_identity in ipsec.conf(5) man page.

8 years agoDocumented binary secrets in ipsec.secrets(5) man page.
Tobias Brunner [Wed, 14 Dec 2011 16:41:07 +0000 (17:41 +0100)]
Documented binary secrets in ipsec.secrets(5) man page.

8 years agoAdded missing libsimaka files to Android.mk.
Tobias Brunner [Wed, 14 Dec 2011 15:38:30 +0000 (16:38 +0100)]
Added missing libsimaka files to Android.mk.

8 years agoDestroy mediation managers before unloading plugins.
Tobias Brunner [Wed, 14 Dec 2011 13:24:15 +0000 (14:24 +0100)]
Destroy mediation managers before unloading plugins.

8 years agoadded UML support for IF-MAP interface
Andreas Steffen [Mon, 12 Dec 2011 16:00:50 +0000 (17:00 +0100)]
added UML support for IF-MAP interface

8 years agosome NEWS entries for 4.6.2
Andreas Steffen [Mon, 12 Dec 2011 09:44:53 +0000 (10:44 +0100)]
some NEWS entries for 4.6.2

8 years agoversion bump to 4.6.2dr2
Andreas Steffen [Mon, 12 Dec 2011 09:38:23 +0000 (10:38 +0100)]
version bump to 4.6.2dr2

8 years agoadded libimcv.plugins.imc-attestation.aik_blob parameter
Andreas Steffen [Sun, 11 Dec 2011 21:03:43 +0000 (22:03 +0100)]
added libimcv.plugins.imc-attestation.aik_blob parameter

8 years agoupgraded Test IMC/IMV pair to fully support multple IMC IDs
Andreas Steffen [Sun, 11 Dec 2011 21:01:49 +0000 (22:01 +0100)]
upgraded Test IMC/IMV pair to fully support multple IMC IDs

8 years agoadded IETF standard error handling method
Andreas Steffen [Sun, 11 Dec 2011 08:41:40 +0000 (09:41 +0100)]
added IETF standard error handling method

8 years agoimplemented IMC/IMV ReceiveMessageLong functions
Andreas Steffen [Fri, 9 Dec 2011 22:32:30 +0000 (23:32 +0100)]
implemented IMC/IMV ReceiveMessageLong functions

8 years agoadded IMC/IMV support for send_message_long() and reserve_additional_id() functions
Andreas Steffen [Fri, 9 Dec 2011 16:11:31 +0000 (17:11 +0100)]
added IMC/IMV support for send_message_long() and reserve_additional_id() functions

8 years agostore the long and excl flags in the connection state
Andreas Steffen [Fri, 9 Dec 2011 10:25:53 +0000 (11:25 +0100)]
store the long and excl flags in the connection state

8 years agoIMC/IMV gets v1.3 attributes from TNCC/TNCS
Andreas Steffen [Fri, 9 Dec 2011 09:45:00 +0000 (10:45 +0100)]
IMC/IMV gets v1.3 attributes from TNCC/TNCS

8 years agoimplemented ReportMessageTypesLong
Andreas Steffen [Thu, 8 Dec 2011 21:10:50 +0000 (22:10 +0100)]
implemented ReportMessageTypesLong

8 years agoimplemented IF-IMC/IMV 1.3 attributes
Andreas Steffen [Thu, 8 Dec 2011 16:57:39 +0000 (17:57 +0100)]
implemented IF-IMC/IMV 1.3 attributes

8 years agoadded TNC_TNCC_GetAttribute() and TNC_TNCC_SetAttribute() functions
Andreas Steffen [Thu, 8 Dec 2011 13:52:08 +0000 (14:52 +0100)]
added TNC_TNCC_GetAttribute() and TNC_TNCC_SetAttribute() functions

8 years agoadded TNC_IMC_ReceiveMessageLong() and TNC_IMV_ReceiveMessageLong() support
Andreas Steffen [Thu, 8 Dec 2011 11:38:45 +0000 (12:38 +0100)]
added TNC_IMC_ReceiveMessageLong() and TNC_IMV_ReceiveMessageLong() support

8 years agofixed typo in function name
Andreas Steffen [Thu, 8 Dec 2011 11:30:57 +0000 (12:30 +0100)]
fixed typo in function name

8 years agoadded TNC_TNCS_ReserveAdditionalIMVID() function
Andreas Steffen [Wed, 7 Dec 2011 16:55:26 +0000 (17:55 +0100)]
added TNC_TNCS_ReserveAdditionalIMVID() function

8 years agoreturn with TNC_RESULT_SUCCESS
Andreas Steffen [Wed, 7 Dec 2011 16:36:04 +0000 (17:36 +0100)]
return with TNC_RESULT_SUCCESS

8 years agoadded TNC_TNCC_ReserveAdditionalIMCID() function
Andreas Steffen [Wed, 7 Dec 2011 16:31:49 +0000 (17:31 +0100)]
added TNC_TNCC_ReserveAdditionalIMCID() function

8 years agoBe less verbose if plugin dependecy not satisfied
Martin Willi [Wed, 7 Dec 2011 12:40:38 +0000 (13:40 +0100)]
Be less verbose if plugin dependecy not satisfied

8 years agoCreate a dummy pthread key for value "0", as some buggy PKCS#11 libraries mangle it
Martin Willi [Wed, 7 Dec 2011 10:29:13 +0000 (11:29 +0100)]
Create a dummy pthread key for value "0", as some buggy PKCS#11 libraries mangle it

8 years agoadded TNC_TNCC_SendMessageLong() and TNC_TNCS_SendMessageLong() functions
Andreas Steffen [Wed, 7 Dec 2011 10:44:29 +0000 (11:44 +0100)]
added TNC_TNCC_SendMessageLong() and TNC_TNCS_SendMessageLong() functions

8 years agofixed typo in tncif.h
Andreas Steffen [Wed, 7 Dec 2011 10:42:34 +0000 (11:42 +0100)]
fixed typo in tncif.h

8 years agocorrected function name in error message
Andreas Steffen [Tue, 6 Dec 2011 23:12:15 +0000 (00:12 +0100)]
corrected function name in error message

8 years agodefined SUBTYPE_ANY for all known Vendor IDs
Andreas Steffen [Tue, 6 Dec 2011 23:00:44 +0000 (00:00 +0100)]
defined SUBTYPE_ANY for all known Vendor IDs

8 years agoadded TNC_TNCC_ReportMessageTypesLong() and TNC_TNCS_ReportMessageTypesLong() messages
Andreas Steffen [Tue, 6 Dec 2011 22:39:01 +0000 (23:39 +0100)]
added TNC_TNCC_ReportMessageTypesLong() and TNC_TNCS_ReportMessageTypesLong() messages

8 years agofixed copy-and-paste error
Andreas Steffen [Sun, 4 Dec 2011 11:53:47 +0000 (12:53 +0100)]
fixed copy-and-paste error

8 years agoupgraded IF-IMC/IMV inteface definitions to version 1.3
Andreas Steffen [Sun, 4 Dec 2011 11:48:30 +0000 (12:48 +0100)]
upgraded IF-IMC/IMV inteface definitions to version 1.3

8 years agodifferences incurred by rebasing - thanks Linus
Andreas Steffen [Mon, 28 Nov 2011 21:03:46 +0000 (22:03 +0100)]
differences incurred by rebasing - thanks Linus

8 years agoimproved performance of database access by caching primary keys
Andreas Steffen [Mon, 28 Nov 2011 13:27:03 +0000 (14:27 +0100)]
improved performance of database access by caching primary keys

8 years agoincreased number of PCR registers used by IMA
Andreas Steffen [Mon, 28 Nov 2011 12:01:55 +0000 (13:01 +0100)]
increased number of PCR registers used by IMA

8 years agofixed measurement rollback
Andreas Steffen [Mon, 28 Nov 2011 00:13:23 +0000 (01:13 +0100)]
fixed measurement rollback

8 years agoautomatically registering component measurements
Andreas Steffen [Sun, 27 Nov 2011 23:53:24 +0000 (00:53 +0100)]
automatically registering component measurements

8 years agobound functional component measurements to AIK
Andreas Steffen [Sun, 27 Nov 2011 18:10:29 +0000 (19:10 +0100)]
bound functional component measurements to AIK

8 years agoimplemented Linux IMA functional component
Andreas Steffen [Fri, 25 Nov 2011 23:24:23 +0000 (00:24 +0100)]
implemented Linux IMA functional component

8 years agodefined various measurement hash and pcr functions
Andreas Steffen [Fri, 25 Nov 2011 12:18:13 +0000 (13:18 +0100)]
defined various measurement hash and pcr functions

8 years agoupdated attest_usage text
Andreas Steffen [Fri, 25 Nov 2011 12:14:45 +0000 (13:14 +0100)]
updated attest_usage text

8 years agomoved attestation plugins to libpts in order to resolve circular reference with libimcv
Andreas Steffen [Thu, 24 Nov 2011 23:18:58 +0000 (00:18 +0100)]
moved attestation plugins to libpts in order to resolve circular reference with libimcv

8 years agoadd and delete components
Andreas Steffen [Thu, 24 Nov 2011 20:52:44 +0000 (21:52 +0100)]
add and delete components

8 years agomark PCR registers as file type 2 in database
Andreas Steffen [Thu, 24 Nov 2011 16:02:20 +0000 (17:02 +0100)]
mark PCR registers as file type 2 in database

8 years agomoved measurement and metadata flags to product_file table
Andreas Steffen [Thu, 24 Nov 2011 15:38:44 +0000 (16:38 +0100)]
moved measurement and metadata flags to product_file table

8 years agoupdate attest_usage to include add and del operations
Andreas Steffen [Thu, 24 Nov 2011 14:32:16 +0000 (15:32 +0100)]
update attest_usage to include add and del operations

8 years agogenerate integrity checksums for libimcv libpts and attest
Andreas Steffen [Thu, 24 Nov 2011 13:59:19 +0000 (14:59 +0100)]
generate integrity checksums for libimcv libpts and attest

8 years agoattest can query components
Andreas Steffen [Thu, 24 Nov 2011 13:36:10 +0000 (14:36 +0100)]
attest can query components

8 years agoautomatically construct attest plugin list
Andreas Steffen [Thu, 24 Nov 2011 11:46:14 +0000 (12:46 +0100)]
automatically construct attest plugin list

8 years agoslightly refactored ita_comp_tboot
Andreas Steffen [Thu, 24 Nov 2011 10:40:38 +0000 (11:40 +0100)]
slightly refactored ita_comp_tboot

8 years agoadded pcr00 to prc23 registers to database
Andreas Steffen [Thu, 24 Nov 2011 10:40:07 +0000 (11:40 +0100)]
added pcr00 to prc23 registers to database

8 years agocomponent measurement entries into the database for Ubuntu 11.10 platform
Andreas Steffen [Wed, 23 Nov 2011 19:19:57 +0000 (20:19 +0100)]
component measurement entries into the database for Ubuntu 11.10 platform

8 years agocosmetics in debug output
Andreas Steffen [Wed, 23 Nov 2011 19:18:33 +0000 (20:18 +0100)]
cosmetics in debug output

8 years agoCheck enough data available to read
Sansar Choinyambuu [Wed, 23 Nov 2011 14:23:57 +0000 (15:23 +0100)]
Check enough data available to read

8 years agohandling of missing component measurement
Sansar Choinyambuu [Wed, 23 Nov 2011 14:12:18 +0000 (15:12 +0100)]
handling of missing component measurement

8 years agoAdded enum names for measurement algorithms
Sansar Choinyambuu [Wed, 23 Nov 2011 14:11:53 +0000 (15:11 +0100)]
Added enum names for measurement algorithms

8 years agoSet pcr transform field depending on measuring algorithm
Sansar Choinyambuu [Wed, 23 Nov 2011 11:02:00 +0000 (12:02 +0100)]
Set pcr transform field depending on measuring algorithm

8 years agosub-component depth from pts database on component evidence request
Sansar Choinyambuu [Wed, 23 Nov 2011 10:25:06 +0000 (11:25 +0100)]
sub-component depth from pts database on component evidence request
component hashes are entries in file_hashes table
implemented verify function of tboot component

8 years agoFixed memory corruption on tpm version info
Sansar Choinyambuu [Wed, 23 Nov 2011 10:23:52 +0000 (11:23 +0100)]
Fixed memory corruption on tpm version info

8 years agoFixed warning, freeing tpm context memory in extend_pcr function
Sansar Choinyambuu [Wed, 23 Nov 2011 08:53:36 +0000 (09:53 +0100)]
Fixed warning, freeing tpm context memory in extend_pcr function

8 years agofixed some more memory leaks
Andreas Steffen [Tue, 22 Nov 2011 23:26:02 +0000 (00:26 +0100)]
fixed some more memory leaks

8 years agofixed memory leaks
Andreas Steffen [Tue, 22 Nov 2011 21:29:40 +0000 (22:29 +0100)]
fixed memory leaks

8 years agorefactored simple_evid_final attribute
Andreas Steffen [Tue, 22 Nov 2011 20:18:13 +0000 (21:18 +0100)]
refactored simple_evid_final attribute

8 years agorenamed pts_req_func_comp_evid flags
Andreas Steffen [Tue, 22 Nov 2011 17:21:07 +0000 (18:21 +0100)]
renamed pts_req_func_comp_evid flags

8 years agofixed memory leak in tcg_pts_attr_simple_comp_evid.c
Andreas Steffen [Tue, 22 Nov 2011 16:14:13 +0000 (17:14 +0100)]
fixed memory leak in  tcg_pts_attr_simple_comp_evid.c

8 years agorefactored PCR functionality
Andreas Steffen [Tue, 22 Nov 2011 16:00:38 +0000 (17:00 +0100)]
refactored PCR functionality

8 years agofixed double free
Andreas Steffen [Mon, 21 Nov 2011 22:35:44 +0000 (23:35 +0100)]
fixed double free

8 years agofixed two memory leaks
Andreas Steffen [Mon, 21 Nov 2011 22:32:39 +0000 (23:32 +0100)]
fixed two memory leaks