authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
commited7d79f96177044949744da10f4431c1d6242241 (patch)
tree3aabaa55ed3b5291daef891cfee9befb5235e2b8 /src/libstrongswan/credentials/certificates
parent7410d3c6d6a9a1cd7aa55083c938946af6ff9498 (diff)
[svn-upgrade] Integrating new upstream version, strongswan (4.3.6)
Diffstat (limited to 'src/libstrongswan/credentials/certificates')
-rw-r--r--src/libstrongswan/credentials/certificates/ac.h24
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.c7
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.h42
-rw-r--r--src/libstrongswan/credentials/certificates/crl.c2
-rw-r--r--src/libstrongswan/credentials/certificates/crl.h28
-rw-r--r--src/libstrongswan/credentials/certificates/ocsp_response.h10
-rw-r--r--src/libstrongswan/credentials/certificates/pgp_certificate.h46
-rw-r--r--src/libstrongswan/credentials/certificates/pkcs10.h57
-rw-r--r--src/libstrongswan/credentials/certificates/x509.c6
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h56
10 files changed, 216 insertions, 62 deletions
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
index fb99b4756..fef7f8c65 100644
--- a/src/libstrongswan/credentials/certificates/ac.h
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2002-2009 Andreas Steffen
*
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -26,6 +24,7 @@
#include <library.h>
#include <credentials/certificates/certificate.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
typedef struct ac_t ac_t;
@@ -41,14 +40,14 @@ struct ac_t {
* Implements the certificate_t interface
*/
certificate_t certificate;
-
+
/**
* Get the attribute certificate's serial number.
*
* @return chunk pointing to serialNumber
*/
chunk_t (*get_serial)(ac_t *this);
-
+
/**
* Get the serial number of the holder certificate.
*
@@ -64,11 +63,18 @@ struct ac_t {
identification_t* (*get_holderIssuer)(ac_t *this);
/**
- * Get the thauthorityKeyIdentifier.
+ * Get the authorityKeyIdentifier.
+ *
+ * @return authKeyIdentifier as chunk_t, to internal data
+ */
+ chunk_t (*get_authKeyIdentifier)(ac_t *this);
+
+ /**
+ * Get the group memberships as a list of IETF attributes
*
- * @return authKeyIdentifier as identification_t*
+ * @return object containing a list of IETF attributes
*/
- identification_t* (*get_authKeyIdentifier)(ac_t *this);
+ ietf_attributes_t* (*get_groups)(ac_t *this);
/**
* @brief Checks if two attribute certificates belong to the same holder
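Review bot: The comment on the new get_groups() does not say who owns the returned ietf_attributes_t, whereas get_authKeyIdentifier() just above it states that its chunk points to internal data. A caller cannot tell from the header whether to destroy the object or leave it alone, which invites either a leak or a double free; the @return line should say so, e.g. `@return IETF attribute list, <new reference to be destroyed by caller | internal data>` with the correct half kept. It would also help to state what both getters return when the certificate carries no such field, because get_authKeyIdentifier() changes from a pointer (which could presumably be NULL) to a chunk_t returned by value, here and in the crl.h and x509.h hunks. The struct ac_t body starts and ends outside this hunk.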
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 041e2f1db..156d12358 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -17,16 +17,19 @@
#include <credentials/certificates/x509.h>
-ENUM(certificate_type_names, CERT_ANY, CERT_PGP,
+ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
"ANY",
"X509",
"X509_CRL",
"X509_OCSP_REQUEST",
"X509_OCSP_RESPONSE",
"X509_AC",
- "X509_CHAIN",
"TRUSTED_PUBKEY",
+ "PKCS10_REQUEST",
"PGP",
+ "PLUTO_CERT",
+ "PLUTO_AC",
+ "PLUTO_CRL",
);
ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
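Review bot: The name table now holds twelve strings ending in `"PLUTO_CERT", "PLUTO_AC", "PLUTO_CRL"`, but the certificate.h hunk in this commit adds only `CERT_PLUTO_CERT` and `CERT_PLUTO_CRL`, with no `CERT_PLUTO_AC` between them. If the enum is as that hunk shows (its head is outside the hunk) and ENUM() maps names by position, CERT_PLUTO_CRL would be printed as "PLUTO_AC" and the last string is never reached, so log output would misreport the credential type. Either add `CERT_PLUTO_AC,` between the two constants in certificate.h or drop the `"PLUTO_AC"` string here. The constant is also renamed to `CERT_GPG` while its comment and its string still say PGP; one spelling should be used throughout.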
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 81fce5508..a4f9aa3e0 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -47,8 +47,14 @@ enum certificate_type_t {
CERT_X509_AC,
/** trusted, preinstalled public key */
CERT_TRUSTED_PUBKEY,
+ /** PKCS#10 certificate request */
+ CERT_PKCS10_REQUEST,
/** PGP certificate */
- CERT_PGP,
+ CERT_GPG,
+ /** Pluto cert_t (not a certificate_t), either x509 or PGP */
+ CERT_PLUTO_CERT,
+ /** Pluto x509crl_t (not a certificate_t), certificate revocation list */
+ CERT_PLUTO_CRL,
};
/**
@@ -82,7 +88,7 @@ extern enum_name_t *cert_validation_names;
/**
* An abstract certificate.
*
- * A certificate designs a subject-issuer relationship. It may have an
+ * A certificate designs a subject-issuer relationship. It may have an
* associated public key.
*/
struct certificate_t {
@@ -90,7 +96,7 @@ struct certificate_t {
/**
* Get the type of the certificate.
*
- * @return certifcate type
+ * @return certificate type
*/
certificate_type_t (*get_type)(certificate_t *this);
@@ -100,7 +106,7 @@ struct certificate_t {
* @return subject identity
*/
identification_t* (*get_subject)(certificate_t *this);
-
+
/**
* Check if certificate contains a subject ID.
*
@@ -111,14 +117,14 @@ struct certificate_t {
* @return matching value of best match
*/
id_match_t (*has_subject)(certificate_t *this, identification_t *subject);
-
+
/**
* Get the issuer which signed this certificate.
*
* @return issuer identity
*/
identification_t* (*get_issuer)(certificate_t *this);
-
+
/**
* Check if certificate contains an issuer ID.
*
@@ -129,7 +135,7 @@ struct certificate_t {
* @return matching value of best match
*/
id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer);
-
+
/**
* Check if this certificate is issued and signed by a specific issuer.
*
@@ -137,14 +143,14 @@ struct certificate_t {
* @return TRUE if certificate issued by issuer and trusted
*/
bool (*issued_by)(certificate_t *this, certificate_t *issuer);
-
+
/**
* Get the public key associated to this certificate.
*
* @return newly referenced public_key, NULL if none available
*/
public_key_t* (*get_public_key)(certificate_t *this);
-
+
/**
* Check the lifetime of the certificate.
*
@@ -155,21 +161,21 @@ struct certificate_t {
*/
bool (*get_validity)(certificate_t *this, time_t *when,
time_t *not_before, time_t *not_after);
-
+
/**
* Is this newer than that?
*
* @return TRUE if newer, FALSE otherwise
*/
bool (*is_newer)(certificate_t *this, certificate_t *that);
-
+
/**
* Get the certificate in an encoded form.
*
* @return allocated chunk of encoded cert
*/
chunk_t (*get_encoding)(certificate_t *this);
-
+
/**
* Check if two certificates are equal.
*
@@ -177,18 +183,18 @@ struct certificate_t {
* @return TRUE if certificates are equal
*/
bool (*equals)(certificate_t *this, certificate_t *other);
-
+
/**
* Get a new reference to the certificate.
*
- * @return this, with an increased refcount
+ * @return this, with an increased refcount
*/
certificate_t* (*get_ref)(certificate_t *this);
-
+
/**
- * Destroy a certificate.
- */
- void (*destroy)(certificate_t *this);
+ * Destroy a certificate.
+ */
+ void (*destroy)(certificate_t *this);
};
#endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 0d6654075..085ad16cc 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,7 +16,7 @@
#include "crl.h"
-ENUM(crl_reason_names, CRL_UNSPECIFIED, CRL_REMOVE_FROM_CRL,
+ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
"unspecified",
"key compromise",
"ca compromise",
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 3fef0d710..4b612390c 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -32,14 +32,14 @@ typedef enum crl_reason_t crl_reason_t;
* RFC 2459 CRL reason codes
*/
enum crl_reason_t {
- CRL_UNSPECIFIED = 0,
- CRL_KEY_COMPROMISE = 1,
- CRL_CA_COMPROMISE = 2,
- CRL_AFFILIATION_CHANGED = 3,
- CRL_SUPERSEDED = 4,
- CRL_CESSATION_OF_OPERATON = 5,
- CRL_CERTIFICATE_HOLD = 6,
- CRL_REMOVE_FROM_CRL = 8,
+ CRL_REASON_UNSPECIFIED = 0,
+ CRL_REASON_KEY_COMPROMISE = 1,
+ CRL_REASON_CA_COMPROMISE = 2,
+ CRL_REASON_AFFILIATION_CHANGED = 3,
+ CRL_REASON_SUPERSEDED = 4,
+ CRL_REASON_CESSATION_OF_OPERATON = 5,
+ CRL_REASON_CERTIFICATE_HOLD = 6,
+ CRL_REASON_REMOVE_FROM_CRL = 8,
};
/**
@@ -56,21 +56,21 @@ struct crl_t {
* Implements (parts of) the certificate_t interface
*/
certificate_t certificate;
-
+
/**
* Get the CRL serial number.
*
* @return chunk pointing to internal crlNumber
*/
chunk_t (*get_serial)(crl_t *this);
-
+
/**
* Get the the authorityKeyIdentifier.
*
- * @return authKeyIdentifier as identification_t*
+ * @return authKeyIdentifier chunk, point to internal data
*/
- identification_t* (*get_authKeyIdentifier)(crl_t *this);
-
+ chunk_t (*get_authKeyIdentifier)(crl_t *this);
+
/**
* Create an enumerator over all revoked certificates.
*
@@ -80,7 +80,7 @@ struct crl_t {
* @return enumerator over revoked certificates.
*/
enumerator_t* (*create_enumerator)(crl_t *this);
-
+
};
#endif /** CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
index a70f3eee4..157577458 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -28,7 +28,7 @@ typedef struct ocsp_response_t ocsp_response_t;
typedef enum ocsp_status_t ocsp_status_t;
/**
- * OCSP response status
+ * OCSP response status
*/
enum ocsp_status_t {
OCSP_SUCCESSFUL = 0,
@@ -53,7 +53,7 @@ struct ocsp_response_t {
* Implements certificiate_t interface
*/
certificate_t certificate;
-
+
/**
* Check the status of a certificate by this OCSP response.
*
@@ -65,18 +65,18 @@ struct ocsp_response_t {
* @param next_update exptected time of next revocation list
* @return certificate revocation status
*/
- cert_validation_t (*get_status)(ocsp_response_t *this,
+ cert_validation_t (*get_status)(ocsp_response_t *this,
x509_t *subject, x509_t *issuer,
time_t *revocation_time,
crl_reason_t *revocation_reason,
time_t *this_update, time_t *next_update);
-
+
/**
* Create an enumerator over the contained certificates.
*
* @return enumerator over certificate_t*
*/
- enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
+ enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
};
#endif /** OCSP_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/pgp_certificate.h b/src/libstrongswan/credentials/certificates/pgp_certificate.h
new file mode 100644
index 000000000..94a31e14d
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/pgp_certificate.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pgp_certificate pgp_certificate
+ * @{ @ingroup certificates
+ */
+
+#ifndef PGP_CERTIFICATE_H_
+#define PGP_CERTIFICATE_H_
+
+#include <credentials/certificates/certificate.h>
+
+typedef struct pgp_certificate_t pgp_certificate_t;
+
+/**
+ * PGP certificate interface.
+ */
+struct pgp_certificate_t {
+
+ /**
+ * Implements certificate_t.
+ */
+ certificate_t interface;
+
+ /**
+ * Get the v3 or v4 fingerprint of the PGP public key
+ *
+ * @return fingerprint as chunk_t, internal data
+ */
+ chunk_t (*get_fingerprint)(pgp_certificate_t *this);
+};
+
+#endif /** PGP_CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h
new file mode 100644
index 000000000..9a4979757
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/pkcs10.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup req req
+ * @{ @ingroup certificates
+ */
+
+#ifndef PKCS10_H_
+#define PKCS10_H_
+
+#include <utils/enumerator.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct pkcs10_t pkcs10_t;
+
+/**
+ * PKCS#10 certificate request interface.
+ *
+ * This interface adds additional methods to the certificate_t type to
+ * allow further operations on a certificate request.
+ */
+struct pkcs10_t {
+
+ /**
+ * Implements certificate_t.
+ */
+ certificate_t interface;
+
+ /**
+ * Get the challenge password
+ *
+ * @return challenge password as a chunk_t
+ */
+ chunk_t (*get_challengePassword)(pkcs10_t *this);
+
+ /**
+ * Get.
+ *
+ * @return enumerator over subjectAltNames as identification_t*
+ */
+ enumerator_t* (*create_subjectAltName_enumerator)(pkcs10_t *this);
+};
+
+#endif /** PKCS10_H_ @}*/
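Review bot: get_challengePassword() returns secret material, but its comment does not say whether the chunk points to internal data or is an allocated copy, so a caller cannot know whether it must wipe and free the buffer or must leave it alone. State the ownership in the @return line, e.g. `@return challenge password as chunk_t, <internal data | allocated, to be cleared by caller>` with the correct half kept, and say what is returned when the request carries no password. The comment on create_subjectAltName_enumerator() is the placeholder `Get.`; it should read something like `Create an enumerator over all subjectAltNames.`, as in x509.h. The Doxygen group is declared as `@defgroup req req`, which matches neither the file name nor the PKCS10_H_ guard.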
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
index 5d53f0c68..66dc192c1 100644
--- a/src/libstrongswan/credentials/certificates/x509.c
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -15,10 +15,14 @@
#include "x509.h"
-ENUM(x509_flag_names, X509_CA, X509_SELF_SIGNED,
+ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS,
+ "X509_NONE",
"X509_CA",
"X509_AA",
"X509_OCSP_SIGNER",
+ "X509_SERVER_AUTH",
+ "X509_CLIENT_AUTH",
"X509_SELF_SIGNED",
+ "X509_IP_ADDR_BLOCKS",
);
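Review bot: x509_flag_names is declared over the range X509_NONE..X509_IP_ADDR_BLOCKS with eight strings, but the x509.h hunk in this commit defines these constants as bit flags with the values 0, 1, 2, 4, 8, 16, 32 and 64. If ENUM() indexes the table by value minus the first constant, as the contiguous tables elsewhere in this commit suggest (the macro itself is not shown), then X509_OCSP_SIGNER (4) would print as "X509_SERVER_AUTH" and every flag from 8 upwards would index past the eight entries, an out-of-bounds read whenever such a flag is logged. A combined flag set such as CA plus self-signed cannot be named by a single lookup either. Consider printing flags by testing each bit against a small value/name table instead of registering them as a contiguous enum.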
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index eedab78f7..172bd9696 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,6 +24,9 @@
#include <utils/enumerator.h>
#include <credentials/certificates/certificate.h>
+#define X509_NO_PATH_LEN_CONSTRAINT -1
+#define X509_MAX_PATH_LEN 7
+
typedef struct x509_t x509_t;
typedef enum x509_flag_t x509_flag_t;
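Review bot: `X509_NO_PATH_LEN_CONSTRAINT` expands to a bare `-1`; a negative constant in a macro should be parenthesized so it cannot combine with neighbouring operators, i.e. `#define X509_NO_PATH_LEN_CONSTRAINT (-1)`. Neither macro has a comment, and `X509_MAX_PATH_LEN 7` in particular needs a line saying what the limit applies to and how a chain that exceeds it is treated. The get_pathLenConstraint() comment added later in this file should name the constant rather than the literal, e.g. `@return pathLenConstraint, X509_NO_PATH_LEN_CONSTRAINT if none`.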
@@ -31,14 +34,22 @@ typedef enum x509_flag_t x509_flag_t;
* X.509 certificate flags.
*/
enum x509_flag_t {
+ /** cert has no constraints */
+ X509_NONE = 0,
/** cert has CA constraint */
- X509_CA = (1<<0),
+ X509_CA = (1<<0),
/** cert has AA constraint */
- X509_AA = (1<<1),
+ X509_AA = (1<<1),
/** cert has OCSP signer constraint */
- X509_OCSP_SIGNER = (1<<2),
+ X509_OCSP_SIGNER = (1<<2),
+ /** cert has serverAuth key usage */
+ X509_SERVER_AUTH = (1<<3),
+ /** cert has clientAuth key usage */
+ X509_CLIENT_AUTH = (1<<4),
/** cert is self-signed */
- X509_SELF_SIGNED = (1<<3),
+ X509_SELF_SIGNED = (1<<5),
+ /** cert has an ipAddrBlocks extension */
+ X509_IP_ADDR_BLOCKS = (1<<6),
};
/**
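Review bot: Inserting X509_SERVER_AUTH and X509_CLIENT_AUTH in the middle of the enum moves `X509_SELF_SIGNED` from `(1<<3)` to `(1<<5)`, and bit 3 now means serverAuth. If anything built against the old header is still loaded, or a flag value was stored anywhere, a self-signed certificate would be read as one with serverAuth usage, which matters wherever these flags feed trust decisions. Unless all consumers are rebuilt together, keep the existing bit and append the new ones, e.g. `X509_SELF_SIGNED = (1<<3),` followed by `X509_SERVER_AUTH = (1<<4),` and `X509_CLIENT_AUTH = (1<<5),`. The same concern applies to the x509_t method table in the next hunk, where new function pointers are inserted between existing members.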
@@ -58,48 +69,69 @@ struct x509_t {
* Implements certificate_t.
*/
certificate_t interface;
-
+
/**
* Get the flags set for this certificate.
*
* @return set of flags
*/
x509_flag_t (*get_flags)(x509_t *this);
-
+
/**
* Get the certificate serial number.
*
* @return chunk pointing to internal serial number
*/
chunk_t (*get_serial)(x509_t *this);
-
+
+ /**
+ * Get the the subjectKeyIdentifier.
+ *
+ * @return subjectKeyIdentifier as chunk_t, internal data
+ */
+ chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
+
/**
* Get the the authorityKeyIdentifier.
*
- * @return authKeyIdentifier as identification_t*
+ * @return authKeyIdentifier as chunk_t, internal data
*/
- identification_t* (*get_authKeyIdentifier)(x509_t *this);
-
+ chunk_t (*get_authKeyIdentifier)(x509_t *this);
+
+ /**
+ * Get an optional path length constraint.
+ *
+ * @return pathLenConstraint, -1 if no constraint exists
+ */
+ int (*get_pathLenConstraint)(x509_t *this);
+
/**
* Create an enumerator over all subjectAltNames.
*
* @return enumerator over subjectAltNames as identification_t*
*/
enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
-
+
/**
* Create an enumerator over all CRL URIs.
*
* @return enumerator over URIs as char*
*/
enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
-
+
/**
* Create an enumerator over all OCSP URIs.
*
* @return enumerator over URIs as char*
*/
enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over all ipAddrBlocks.
+ *
+ * @return enumerator over ipAddrBlocks as traffic_selector_t*
+ */
+ enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
};
#endif /** X509_H_ @}*/