author | Martin Willi <martin@revosec.ch> | 2012-12-19 17:55:47 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2013-02-14 17:19:56 +0100 |
commit | dadd9744b60ce6a0dee2d23d7b981b28af6d5d7e (patch) | |
tree | 8a8c588e51c6679768826b4f1faa6929c372ba0f /src | |
parent | 37884ab10f0f40a619ba519042be94b4b473aaae (diff) | |
Keep the PDP connections lock while accessing its objects
When we introduce connection timeouts, the state may disappear at any time.
This change prevents that, but is not very clear. We probably have to refactor
connection handling.
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/plugins/tnc_pdp/tnc_pdp.c | 12 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c | 19 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h | 10 |
3 files changed, 34 insertions, 7 deletions
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c index 39939d34e..422c28bc9 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c @@ -378,7 +378,10 @@ static void process_eap(private_tnc_pdp_t *this, radius_message_t *request, } this->connections->add(this->connections, nas_id, user_name, peer, method); - method->initiate(method, &out); + if (method->initiate(method, &out) == NEED_MORE) + { + send_response(this, request, code, out, group, msk, source); + } } else { @@ -428,16 +431,16 @@ static void process_eap(private_tnc_pdp_t *this, radius_message_t *request, in->get_identifier(in)); } charon->bus->set_sa(charon->bus, NULL); + send_response(this, request, code, out, group, msk, source); + this->connections->unlock(this->connections); } - send_response(this, request, code, out, group, msk, source); - out->destroy(out); - if (code == RMC_ACCESS_ACCEPT || code == RMC_ACCESS_REJECT) { this->connections->remove(this->connections, nas_id, user_name); } + out->destroy(out); end: free(message.ptr); in->destroy(in); @@ -648,4 +651,3 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port) return &this->public; } - diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c index 7948ad2f8..3682f8f0d 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c @@ -67,6 +67,11 @@ struct entry_t { * IKE SA used for bus communication */ ike_sa_t *ike_sa; + + /** + * Timestamp this entry has been created + */ + time_t created; }; /** @@ -138,6 +143,7 @@ METHOD(tnc_pdp_connections_t, add, void, DBG1(DBG_CFG, "removed stale RADIUS connection"); entry->method = method; entry->ike_sa = ike_sa; + entry->created = time_monotonic(NULL); break; } } 
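Review bot: In the new-connection branch of process_eap() (tnc_pdp.c, hunk at -378), `method` is handed to `this->connections->add()` and then used by `method->initiate()` with no connections lock held, so the lifetime problem the commit message describes would still apply to this path once entries can time out. The branch now sends a response only for `NEED_MORE`, while `out->destroy(out)` further down stays unconditional. If `initiate()` can return another status without setting `out` (its initialisation is outside the hunk), the cleanup dereferences an unset pointer and the NAS gets no reply at all. Consider handling the non-`NEED_MORE` result explicitly and guarding the cleanup, e.g. `if (out) { out->destroy(out); }`, assuming `out` starts as NULL. process_eap's body starts and ends outside the hunk.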
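Review bot: The `unlock()` added at the end of the else branch (tnc_pdp.c, hunk at -428) is the only visible release of the lock that `get_state()` now returns held, so any exit between the two calls that jumps to `end:` would leave the connections lock held and stall later `add()`/`remove()` calls. The code between `get_state()` and this line is outside the hunk, so this has to be checked against the full function. `send_response()` also runs under the lock now, which keeps writers waiting for the duration of the socket send. A comment at the `get_state()` call such as `/* returns with connections locked on success; every path below must reach unlock() */` would make the requirement hard to miss.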
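Review bot: The comment on the new `created` field (tnc_pdp_connections.c, hunk at -67) says only "Timestamp", although both assignments in add() (hunks at -143 and -151) fill it from `time_monotonic(NULL)`. A monotonic value must not be compared with `time(NULL)`, and the timeout code this field is meant for will have to get that right. Suggested wording: `Monotonic timestamp this entry has been created, compare with time_monotonic() only`. None of the visible hunks reads the field yet.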
@@ -151,6 +157,7 @@ METHOD(tnc_pdp_connections_t, add, void, .user_name = chunk_clone(user_name), .method = method, .ike_sa = ike_sa, + .created = time_monotonic(NULL), ); this->lock->write_lock(this->lock); this->list->insert_last(this->list, entry); @@ -201,12 +208,21 @@ METHOD(tnc_pdp_connections_t, get_state, eap_method_t*, } } enumerator->destroy(enumerator); - this->lock->unlock(this->lock); + if (!found) + { + this->lock->unlock(this->lock); + } dbg_nas_user(nas_id, user_name, !found, "found"); return found; } +METHOD(tnc_pdp_connections_t, unlock, void, + private_tnc_pdp_connections_t *this) +{ + this->lock->unlock(this->lock); +} + METHOD(tnc_pdp_connections_t, destroy, void, private_tnc_pdp_connections_t *this) { @@ -227,6 +243,7 @@ tnc_pdp_connections_t *tnc_pdp_connections_create(void) .add = _add, .remove = _remove_, .get_state = _get_state, + .unlock = _unlock, .destroy = _destroy, }, .list = linked_list_create(), diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h index 16492020e..442f29ce9 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.h @@ -53,7 +53,10 @@ struct tnc_pdp_connections_t { chunk_t user_name); /** - * Get the EAP method and IKE_SA of a registered TNC PEP RADIUS Connection + * Get the EAP method and IKE_SA of a registered TNC PEP RADIUS Connection. + * + * If this call succeeds, the connection manager is locked. Call unlock + * after using the return objects. * * @param nas_id NAS identifier of Policy Enforcement Point * @param user_name User name of TNC Client @@ -64,6 +67,11 @@ struct tnc_pdp_connections_t { chunk_t user_name, ike_sa_t **ike_sa); /** + * Unlock connections after successfully calling get_state(). + */ + void (*unlock)(tnc_pdp_connections_t *this); + + /** * Destroys a tnc_pdp_connections_t object. */ void (*destroy)(tnc_pdp_connections_t *this); |
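Review bot: get_state() (tnc_pdp_connections.c, hunk at -201) now returns with the lock still held when an entry is found, but nothing in the implementation says so, and the `if (!found)` unlock reads like a mistake to anyone who has not seen the header. Add a comment at that line, for example `/* on success the lock stays held until the caller invokes unlock() */`. The new unlock() method releases unconditionally, so a caller that invokes it after a failed get_state() releases a lock it does not hold. The contract therefore rests entirely on caller discipline, which is worth stating in the method's own comment as well.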
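Review bot: The new get_state() comment (tnc_pdp_connections.h, hunk at -53) does not say what counts as success or what the caller must avoid while the manager is locked. add() takes the write lock on the same lock object (visible in tnc_pdp_connections.c) and remove() presumably does too, so calling either before unlock() from the same thread may block, depending on the rwlock implementation. Suggested wording: `If a non-NULL method is returned, the connection manager stays locked; call unlock() once done with the returned objects and do not call add() or remove() before that.`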