- New upstream release.

6 files changed, 128 insertions, 44 deletions

diff --git a/src/charon/credentials/auth_info.c b/src/charon/credentials/auth_info.c
index cd748bc97..028ca35c9 100644
--- a/src/charon/credentials/auth_info.c
+++ b/src/charon/credentials/auth_info.c
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: auth_info.c 3838 2008-04-18 11:24:45Z tobias $
+ * $Id: auth_info.c 4276 2008-08-22 10:44:51Z martin $
  */
 
 
@@ -25,6 +25,10 @@
 #include <credentials/certificates/certificate.h>
 
 ENUM(auth_item_names, AUTHN_CA_CERT, AUTHZ_AC_GROUP,
+	"AUTHN_AUTH_CLASS",
+	"AUTHN_EAP_TYPE",
+	"AUTHN_EAP_VENDOR",
+	"AUTHN_EAP_IDENTITY",
 	"AUTHN_CA_CERT",
 	"AUTHN_CA_CERT_KEYID",
 	"AUTHN_CA_CERT_NAME",
@@ -208,14 +212,18 @@ static void add_item(private_auth_info_t *this, auth_item_t type, void *value)
 			item->value = validation;
 			break;
 		}
+		case AUTHN_AUTH_CLASS:
+		case AUTHN_EAP_TYPE:
+		case AUTHN_EAP_VENDOR:
 		case AUTHZ_EAP:
 		{
-			eap_method_t *method = malloc_thing(eap_method_t);
+			u_int *intval = malloc_thing(u_int);
 
-			*method = *(eap_method_t*)value;
-			item->value = method;
+			*intval = *(u_int*)value;
+			item->value = intval;
 			break;
 		}
+		case AUTHN_EAP_IDENTITY:
 		case AUTHN_CA_CERT_KEYID:
 		case AUTHN_CA_CERT_NAME:
 		case AUTHZ_CA_CERT_NAME:
@@ -246,6 +254,10 @@ static bool complies(private_auth_info_t *this, auth_info_t *constraints)
 	{
 		switch (t1)
 		{
+			case AUTHN_AUTH_CLASS:
+			case AUTHN_EAP_TYPE:
+			case AUTHN_EAP_VENDOR:
+			case AUTHN_EAP_IDENTITY:
 			case AUTHN_CA_CERT_KEYID:
 			case AUTHN_CA_CERT:
 			case AUTHN_CA_CERT_NAME:
@@ -444,6 +456,7 @@ static bool equals(private_auth_info_t *this, private_auth_info_t *other)
 						}
 						continue;
 					}
+					case AUTHN_EAP_IDENTITY:
 					case AUTHN_CA_CERT_KEYID:
 					case AUTHN_CA_CERT_NAME:
 					case AUTHZ_CA_CERT_NAME:
@@ -460,6 +473,16 @@ static bool equals(private_auth_info_t *this, private_auth_info_t *other)
 						}
 						continue;
 					}
+					case AUTHN_AUTH_CLASS:
+					case AUTHN_EAP_TYPE:
+					case AUTHN_EAP_VENDOR:
+					{
+						if (*(u_int*)i1->value == *(u_int*)i2->value)
+						{
+							found = TRUE;
+							break;
+						}
+					}
 					case AUTHZ_PUBKEY:
 					case AUTHZ_PSK:
 					case AUTHZ_EAP:
@@ -511,6 +534,9 @@ static void destroy_item_value(item_t *item)
 			cert->destroy(cert);
 			break;
 		}
+		case AUTHN_AUTH_CLASS:
+		case AUTHN_EAP_TYPE:
+		case AUTHN_EAP_VENDOR:
 		case AUTHN_IM_HASH_URL:
 		case AUTHN_SUBJECT_HASH_URL:
 		case AUTHZ_CRL_VALIDATION:
@@ -520,6 +546,7 @@ static void destroy_item_value(item_t *item)
 			free(item->value);
 			break;
 		}
+		case AUTHN_EAP_IDENTITY:
 		case AUTHN_CA_CERT_KEYID:
 		case AUTHN_CA_CERT_NAME:
 		case AUTHZ_CA_CERT_NAME:
diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h
index 5fe2919f8..52433433a 100644
--- a/src/charon/credentials/auth_info.h
+++ b/src/charon/credentials/auth_info.h
@@ -60,6 +60,14 @@ enum auth_item_t {
 	 * items provided to authentication process
 	 */
 	
+	/** authentication class to use, value is auth_class_t* */
+	AUTHN_AUTH_CLASS,
+	/** EAP method to request from peer, value is eap_type_t* */
+	AUTHN_EAP_TYPE,
+	/** EAP vendor to used in conjunction with EAP method, value is u_int32_t* */
+	AUTHN_EAP_VENDOR,
+	/** EAP identity to use within EAP-Identity exchange */
+	AUTHN_EAP_IDENTITY,
 	/** CA certificate to use for authentication, value is certificate_t* */
 	AUTHN_CA_CERT,
 	/** Keyid of a CA certificate to use, value is identification_t* */
@@ -83,7 +91,7 @@ enum auth_item_t {
 	AUTHZ_PUBKEY,
 	/** subject has ben authenticated using preshared secrets, value is shared_key_t* */ 
 	AUTHZ_PSK,
-	/** subject has been authenticated using EAP, value is eap_method_t */
+	/** subject has been authenticated using EAP, value is eap_type_t* */
 	AUTHZ_EAP,
 	/** certificate authority, value is certificate_t* */
 	AUTHZ_CA_CERT,
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 251559141..b11cdc0df 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_manager.c 3953 2008-05-14 06:49:31Z martin $
+ * $Id: credential_manager.c 4317 2008-09-02 11:00:13Z martin $
  */
 
 /* some clibs need it for rwlocks */
@@ -61,6 +61,11 @@ struct private_credential_manager_t {
 	cert_cache_t *cache;
 	
 	/**
+	 * certificates queued for persistent caching
+	 */
+	linked_list_t *cache_queue;
+	
+	/**
 	 * read-write lock to sets list
 	 */
 	pthread_rwlock_t lock;
@@ -270,7 +275,7 @@ static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
 }
 
 /**
- * Implementation of credential_manager_t.get_private_by_keyid.
+ * Implementation of credential_manager_t.create_private_enumerator.
  */
 static enumerator_t* create_private_enumerator(
 									private_credential_manager_t *this,
@@ -407,17 +412,51 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
 	credential_set_t *set;
 	enumerator_t *enumerator;
 	
-	pthread_rwlock_rdlock(&this->lock);
-	enumerator = this->sets->create_enumerator(this->sets);
-	while (enumerator->enumerate(enumerator, &set))
+	if (pthread_rwlock_trywrlock(&this->lock) == 0)
 	{
-		set->cache_cert(set, cert);
+		enumerator = this->sets->create_enumerator(this->sets);
+		while (enumerator->enumerate(enumerator, &set))
+		{
+			set->cache_cert(set, cert);
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{	/* we can't cache now as other threads are active, queue for later */
+		pthread_rwlock_rdlock(&this->lock);
+		this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
 	}
-	enumerator->destroy(enumerator);
 	pthread_rwlock_unlock(&this->lock);
 }
 
 /**
+ * Try to cache certificates queued for caching
+ */
+static void cache_queue(private_credential_manager_t *this)
+{
+	credential_set_t *set;
+	certificate_t *cert;
+	enumerator_t *enumerator;
+	
+	if (this->cache_queue->get_count(this->cache_queue) > 0 &&
+		pthread_rwlock_trywrlock(&this->lock) == 0)
+	{
+		while (this->cache_queue->remove_last(this->cache_queue,
+											  (void**)&cert) == SUCCESS)
+		{
+			enumerator = this->sets->create_enumerator(this->sets);
+			while (enumerator->enumerate(enumerator, &set))
+			{
+				set->cache_cert(set, cert);
+			}
+			enumerator->destroy(enumerator);
+			cert->destroy(cert);
+		}
+		pthread_rwlock_unlock(&this->lock);
+	}
+}
+
+/**
  * forward declaration 
  */
 static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
@@ -435,8 +474,8 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 	/* TODO: requestor name, signature */
 	request = lib->creds->create(lib->creds,
 						CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
-						BUILD_CA_CERT, issuer->get_ref(issuer),
-						BUILD_CERT, subject->get_ref(subject), BUILD_END);
+						BUILD_CA_CERT, issuer,
+						BUILD_CERT, subject, BUILD_END);
 	if (!request)
 	{
 		DBG1(DBG_CFG, "generating ocsp request failed");
@@ -461,6 +500,7 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
 	response = lib->creds->create(lib->creds,
 								  CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
 								  BUILD_BLOB_ASN1_DER, receive, BUILD_END);
+	chunk_free(&receive);
 	if (!response)
 	{
 		DBG1(DBG_CFG, "parsing ocsp response failed");
@@ -1142,6 +1182,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
 				verify_trust_chain(this->this, this->pretrusted, this->auth,
 								   TRUE, this->crl, this->ocsp))
 			{
+				this->auth->add_item(this->auth, AUTHZ_CA_CERT, this->pretrusted);
 				DBG1(DBG_CFG, "  using trusted certificate \"%D\"",
 					 this->pretrusted->get_subject(this->pretrusted));
 				*cert = this->pretrusted;
@@ -1262,6 +1303,9 @@ static void public_destroy(public_enumerator_t *this)
 		this->wrapper->destroy(this->wrapper);
 	}
 	pthread_rwlock_unlock(&this->this->lock);
+	
+	/* check for delayed certificate cache queue */
+	cache_queue(this->this);
 	free(this);
 }
 
@@ -1501,6 +1545,8 @@ static void remove_set(private_credential_manager_t *this, credential_set_t *set
  */
 static void destroy(private_credential_manager_t *this)
 {
+	cache_queue(this);
+	this->cache_queue->destroy(this->cache_queue);
 	this->sets->remove(this->sets, this->cache, NULL);
 	this->sets->destroy(this->sets);
 	pthread_key_delete(this->local_sets);
@@ -1532,6 +1578,7 @@ credential_manager_t *credential_manager_create()
 	this->sets = linked_list_create();
 	pthread_key_create(&this->local_sets, (void*)this->sets->destroy);
 	this->cache = cert_cache_create();
+	this->cache_queue = linked_list_create();
 	this->sets->insert_first(this->sets, this->cache);
 	pthread_rwlock_init(&this->lock, NULL);
 	
diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h
index b5f3b95cd..4166d05a3 100644
--- a/src/charon/credentials/credential_set.h
+++ b/src/charon/credentials/credential_set.h
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: credential_set.h 3820 2008-04-17 11:22:37Z martin $
+ * $Id: credential_set.h 4229 2008-07-30 11:38:44Z martin $
  */
 
 /**
@@ -36,6 +36,13 @@ typedef struct credential_set_t credential_set_t;
  * Enumerators are used because queries might return multiple matches.
  * Filter parameters restrict enumeration over specific items only.
  * See credential_manager_t for an overview of the credential framework.
+ *
+ * A credential set enumerator may not block the credential set, i.e. multiple
+ * threads must be able to hold multiple enumerators, as the credential manager
+ * is higly parallelized. The best way to achieve this is by using shared
+ * read locks for the enumerators only. Otherwiese deadlocks will occur.
+ * The writing cache_cert() routine is called by the manager only if no
+ * enumerator is alive, so it is save to use a write lock there.
  */
 struct credential_set_t {
 	
diff --git a/src/charon/credentials/sets/auth_info_wrapper.c b/src/charon/credentials/sets/auth_info_wrapper.c
index 32783ff93..7ec75be15 100644
--- a/src/charon/credentials/sets/auth_info_wrapper.c
+++ b/src/charon/credentials/sets/auth_info_wrapper.c
@@ -73,7 +73,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void
 	certificate_t *cert;
 	
 	DBG1(DBG_CFG, "  fetching certificate from '%s' ...", url);
-	if (lib->fetcher->fetch(lib->fetcher, url, &data) != SUCCESS)
+	if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
 	{
 		DBG1(DBG_CFG, "  fetching certificate failed");
 		/* we set the item to NULL, so we can skip it */
@@ -83,6 +83,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void
 	
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 					  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+	free(data.ptr);
 	
 	if (!cert)
 	{
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 8af8bb619..4a9a97149 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -15,11 +15,13 @@
  * $Id$
  */
 
+#define _GNU_SOURCE
+#include <pthread.h>
+
 #include "cert_cache.h"
 
 #include <daemon.h>
 #include <utils/linked_list.h>
-#include <utils/mutex.h>
 
 #define CACHE_SIZE 30
 
@@ -44,7 +46,7 @@ struct private_cert_cache_t {
 	/**
 	 * do we have an active enumerator
 	 */
-	bool enumerating;
+	refcount_t enumerating;
 	
 	/**
 	 * have we increased the cache without a check_cache?
@@ -52,9 +54,9 @@ struct private_cert_cache_t {
 	bool check_required;
 	
 	/**
-	 * mutex to lock relations list
+	 * read-write lock to sets list
 	 */
-	mutex_t *mutex;
+	pthread_rwlock_t lock;
 };
 
 /**
@@ -88,8 +90,8 @@ static void check_cache(private_cert_cache_t *this)
 	{
 		this->check_required = TRUE;
 	}
-	else
-	{
+	else if (pthread_rwlock_trywrlock(&this->lock) == 0)
+	{	/* never blocks, only done if lock is available */
 		while (this->relations->get_count(this->relations) > CACHE_SIZE)
 		{
 			relation_t *oldest = NULL, *current;
@@ -108,6 +110,7 @@ static void check_cache(private_cert_cache_t *this)
 			relation_destroy(oldest);
 		}
 		this->check_required = FALSE;
+		pthread_rwlock_unlock(&this->lock);
 	}
 }
 
@@ -121,7 +124,7 @@ static bool issued_by(private_cert_cache_t *this,
 	enumerator_t *enumerator;
 	
 	/* lookup cache */
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_rdlock(&this->lock);
 	enumerator = this->relations->create_enumerator(this->relations);
 	while (enumerator->enumerate(enumerator, &current))
 	{
@@ -146,7 +149,7 @@ static bool issued_by(private_cert_cache_t *this,
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 	if (found)
 	{
 		return TRUE;
@@ -161,10 +164,9 @@ static bool issued_by(private_cert_cache_t *this,
 	found->subject = subject->get_ref(subject);
 	found->issuer = issuer->get_ref(issuer);
 	found->last_use = time(NULL);
-	this->mutex->lock(this->mutex);
+	/* insert should be ok without lock */
 	this->relations->insert_last(this->relations, found);
 	check_cache(this);
-	this->mutex->unlock(this->mutex);
 	return TRUE;
 }
 
@@ -230,12 +232,12 @@ static bool certs_filter(cert_data_t *data, relation_t **in, certificate_t **out
  */
 static void certs_destroy(cert_data_t *data)
 {
-	data->this->enumerating--;
+	ref_put(&data->this->enumerating);
+	pthread_rwlock_unlock(&data->this->lock);
 	if (data->this->check_required)
 	{
 		check_cache(data->this);
 	}
-	data->this->mutex->unlock(data->this->mutex);
 	free(data);
 }
 
@@ -258,22 +260,14 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
 	data->id = id;
 	data->this = this;
 	
-	this->mutex->lock(this->mutex);
-	this->enumerating++;
+	pthread_rwlock_rdlock(&this->lock);
+	ref_get(&this->enumerating);
 	return enumerator_create_filter(
 							this->relations->create_enumerator(this->relations),
 							(void*)certs_filter, data, (void*)certs_destroy);
 }
 
 /**
- * Implementation of credential_set_t.cache_cert.
- */
-static void cache_cert(private_cert_cache_t *this, certificate_t *cert)
-{
-	/* TODO: implement caching */
-}
-
-/**
  * Implementation of cert_cache_t.flush.
  */
 static void flush(private_cert_cache_t *this, certificate_type_t type)
@@ -281,7 +275,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 	enumerator_t *enumerator;
 	relation_t *relation;
 	
-	this->mutex->lock(this->mutex);
+	pthread_rwlock_wrlock(&this->lock);
 	enumerator = this->relations->create_enumerator(this->relations);
 	while (enumerator->enumerate(enumerator, &relation))
 	{
@@ -293,7 +287,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 		}
 	}
 	enumerator->destroy(enumerator);
-	this->mutex->unlock(this->mutex);
+	pthread_rwlock_unlock(&this->lock);
 }
 
 /**
@@ -302,7 +296,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
 static void destroy(private_cert_cache_t *this)
 {
 	this->relations->destroy_function(this->relations, (void*)relation_destroy);
-	this->mutex->destroy(this->mutex);
+	pthread_rwlock_destroy(&this->lock);
 	free(this);
 }
 
@@ -317,15 +311,15 @@ cert_cache_t *cert_cache_create()
 	this->public.set.create_cert_enumerator = (void*)create_enumerator;
 	this->public.set.create_shared_enumerator = (void*)return_null;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
-	this->public.set.cache_cert = (void*)cache_cert;
+	this->public.set.cache_cert = (void*)nop;
 	this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
 	this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
 	this->public.destroy = (void(*)(cert_cache_t*))destroy;
 	
 	this->relations = linked_list_create();
-	this->enumerating = FALSE;
+	this->enumerating = 0;
 	this->check_required = FALSE;
-	this->mutex = mutex_create(MUTEX_RECURSIVE);
+	pthread_rwlock_init(&this->lock, NULL);
 	
 	return &this->public;
 }