aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* | Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE stateMartin Willi2012-02-021-0/+26
| |
* | Destroy active task list before queued tasksThomas Egerer2012-01-181-3/+3
| | | | | | | | | | | | | | Since active task's destruction might result in adopting tasks from a rekeyed ike sa it seems better to first destroy the active task list and then destroy all queued tasks. This way adoption is possible at all, while otherwise the queued task list would be empty.
* | Fixed additional typos in comments and log messages.Tobias Brunner2012-01-121-1/+1
| |
* | Fix deadlock in trap_manager_t during acquire.Tobias Brunner2011-12-231-28/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Also fixes a TOCTOU issue regarding the use of entry_t.pending. The deadlock was caused because the rwlock was being locked while waiting for an IKE_SA. Triggering the deadlock was a bit tricky, here is the description by Thomas Egerer (the reporter of this issue): " The deadlock occurs when the following happens (in the given order): a) an IKE_SA is built and a thread is processing the IKE_AUTH request, which can take a bit longer when a smartcard is involved. This causes the ike_sa_manager to lock a particular IKE_SA exclusively. b) an acquire is triggered which causes the rwlock in the trap_manager to be read-locked, the subsequent call to ike_sa_manager->checkout_by_config has to wait until a) unlocks it's ike_sa. c) a child_cfg contained in the peer_cfg belonging to the ike_sa a) has locked is routed causes the child_configs contained in the peer config to be locked by c) while the actual routing code within trap_manager tries to writelock it's rwlock. That's about it. As soon as a) finishes authentication of the peer and tries to find a matching child sa it will try to lock the child configs of the peer config which is not possible since it has been locked by c). Thread | Resource locked | Resource desired -------+--------------------------------+-------------------------------- (a) | ike_sa in ike_sa_manager | child_cfgs of peer_cfg | | (b) | rwlock in trap-manager (read) | ike_sa in ike_sa_manager | | (c) | child_cfgs of peer_cfg | rwlock in trap-manager (write) " With this patch thread (b) now does not hold the lock while waiting for the IKE_SA. Thus (c) can get the write lock, and (a) can subsequently lock the mutex in the peer_cfg which then finally allows (b) to checkout the IKE_SA.
* | Fixed flush() method of trap_manager_t.Tobias Brunner2011-12-231-3/+9
|/ | | | | A segmentation fault could have happened during destruction of the trap manager after calling flush().
* Change order of destroy/get_ref function callsThomas Egerer2011-11-041-1/+1
| | | | | Since DESTROY_IF might destroy the peer_cfg, a get_ref on a freed object is subject to fail.
* Log if charon failed to establish a CHILD_SA but keeps the IKE_SA up.Tobias Brunner2011-10-211-0/+4
|
* Don't use union members directly in plugin_feature_t.Tobias Brunner2011-10-141-1/+1
|
* Added a generic callback to register EAP methods using plugin featuresMartin Willi2011-10-142-0/+35
|
* Fixed unintentional fall-through in task_manager.Tobias Brunner2011-10-061-0/+1
| | | | Reported by Howard Windsor.
* Fixed compilation of ike_me_t.Tobias Brunner2011-10-041-2/+2
|
* Migrated child_delete to INIT/METHOD macrosAndreas Steffen2011-10-041-49/+36
|
* Migrated child_rekey to INIT/METHOD macrosAndreas Steffen2011-10-041-50/+36
|
* Migrated ike_auth_lifetime to INIT/METHOD macrosAndreas Steffen2011-10-041-39/+30
|
* Migrated ike_cert_post to INIT/METHOD macrosAndreas Steffen2011-10-041-40/+31
|
* Migrated ike_cert_pre to INIT/METHOD macrosAndreas Steffen2011-10-041-42/+31
|
* Migrated ike_config to INIT/METHOD macrosAndreas Steffen2011-10-031-42/+32
|
* Migrated ike_delete to INIT/METHOD macrosAndreas Steffen2011-10-031-42/+31
|
* Migrated ike_dpd to INIT/METHOD macrosAndreas Steffen2011-10-031-31/+26
|
* Migrated ike_init to INIT/METHOD macrosAndreas Steffen2011-10-031-66/+49
|
* Migrated ike_me to INIT/METHOD macrosAndreas Steffen2011-10-031-88/+61
|
* Migrated ike_natd to INIT/METHOD macrosAndreas Steffen2011-10-031-55/+38
|
* Migrated ike_reauth to INIT/METHOD macrosAndreas Steffen2011-10-031-30/+25
|
* Migrated mediation_manager_t to INIT/METHOD macros.Tobias Brunner2011-10-031-41/+32
|
* Migrated connect_manager_t to INIT/METHOD macros.Tobias Brunner2011-10-031-109/+93
|
* Migrated ike_sa_id_t to INIT/METHOD macros.Tobias Brunner2011-10-031-60/+43
|
* Clear traps during shutdown before unloading kernel pluginsMartin Willi2011-09-122-0/+12
|
* log entry for outbound hash-and-urlAndreas Steffen2011-08-241-0/+1
|
* Try to detect Windows Clients by looking for INTERNAL_IP4/6_SERVER attributeMartin Willi2011-08-192-0/+10
|
* fix double delete of old IKE_SA during reauthenticationAndreas Steffen2011-08-161-2/+2
|
* some more typosAndreas Steffen2011-08-157-7/+7
|
* typos: initator->initiator, authenticaion->authentication.Tobias Brunner2011-08-158-8/+8
|
* If we close a duplicate SA, it is also no authentication failure.Tobias Brunner2011-08-121-2/+4
|
* If local authentication fails, it is not really a peer auth failure.Tobias Brunner2011-08-121-1/+1
|
* Throw an alert if authentication of the peer fails (not only for initiator).Tobias Brunner2011-08-121-34/+27
|
* Throw an alert when the peer address cannot be resolved during initiation.Tobias Brunner2011-08-121-0/+1
|
* Throw an alert via bus_t when remote authentication fails.Tobias Brunner2011-08-121-9/+14
|
* Migrated all SIM/AKA code to libsimaka, use SIM and AKA backend managers ↵Martin Willi2011-08-085-1127/+0
| | | | registered by name
* Properly initialize ike_sa_t.Tobias Brunner2011-08-011-1/+1
|
* Update fallback drop policies if required.Tobias Brunner2011-07-291-2/+20
|
* Install fallback drop policies for all three directions.Tobias Brunner2011-07-281-65/+66
|
* Install fallback drop policies to avoid transmitting unencrypted packets.Tobias Brunner2011-07-271-0/+17
| | | | | | | During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy is first uninstalled and then the new one is installed. In the short time in between, where no policy is available in the kernel, unencrypted packets could have been transmitted.
* Remove policies in kernel interfaces based on their priority.Tobias Brunner2011-07-272-21/+30
| | | | | | This allows to unroute a connection while the same connection is currently established. In this case both CHILD_SAs share the same reqid but the installed policies have different priorities.
* Inherit authentication information during IKE_SA rekeyingMartin Willi2011-07-251-0/+16
|
* fixed some more misspellingsAndreas Steffen2011-07-201-3/+3
|
* Fixed common misspellings.Tobias Brunner2011-07-206-18/+18
| | | | Mostly found by 'codespell'.
* shunt manager installs policies with %any hostsAndreas Steffen2011-07-141-3/+6
|
* Adapted shunt manager to changed kernel interface (reqid in del_policy).Tobias Brunner2011-07-061-3/+6
|
* Replaced more complex iterator usages.Tobias Brunner2011-07-061-25/+14
|
* Replaced ike_sa_t.create_additional_address_iterator with enumerator.Tobias Brunner2011-07-063-31/+33
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-14 18:33:54 +0000