Imported Upstream version 5.1.0

1 files changed, 45 insertions, 8 deletions

diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index f4cd9b9e6..de19c8d96 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -81,6 +81,16 @@ struct private_credential_manager_t {
 	 * mutex for cache queue
 	 */
 	mutex_t *queue_mutex;
+
+	/**
+	 * Registered hook to call on validation errors
+	 */
+	credential_hook_t hook;
+
+	/**
+	 * Registered data to pass to hook
+	 */
+	void *hook_data;
 };
 
 /** data to pass to create_private_enumerator */
@@ -126,6 +136,22 @@ typedef struct {
 	enumerator_t *exclusive;
 } sets_enumerator_t;
 
+METHOD(credential_manager_t, set_hook, void,
+	private_credential_manager_t *this, credential_hook_t hook, void *data)
+{
+	this->hook = hook;
+	this->hook_data = data;
+}
+
+METHOD(credential_manager_t, call_hook, void,
+	private_credential_manager_t *this, credential_hook_type_t type,
+	certificate_t *cert)
+{
+	if (this->hook)
+	{
+		this->hook(this->hook_data, type, cert);
+	}
+}
 
 METHOD(enumerator_t, sets_enumerate, bool,
 	sets_enumerator_t *this, credential_set_t **set)
@@ -378,8 +404,8 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
 	identification_t *me, identification_t *other)
 {
 	shared_key_t *current, *found = NULL;
-	id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
-	id_match_t *match_me, *match_other;
+	id_match_t best_me = ID_MATCH_NONE, best_other = ID_MATCH_NONE;
+	id_match_t match_me, match_other;
 	enumerator_t *enumerator;
 
 	enumerator = create_shared_enumerator(this, type, me, other);
@@ -393,6 +419,10 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
 			best_me = match_me;
 			best_other = match_other;
 		}
+		if (best_me == ID_MATCH_PERFECT && best_other == ID_MATCH_PERFECT)
+		{
+			break;
+		}
 	}
 	enumerator->destroy(enumerator);
 	return found;
@@ -549,15 +579,17 @@ static bool check_lifetime(private_credential_manager_t *this,
 			{
 				DBG1(DBG_CFG, "%s certificate invalid (valid from %T to %T)",
 					 label, &not_before, FALSE, &not_after, FALSE);
-				return FALSE;
+				break;
 			}
 			return TRUE;
 		case SUCCESS:
 			return TRUE;
 		case FAILED:
 		default:
-			return FALSE;
+			break;
 	}
+	call_hook(this, CRED_HOOK_EXPIRED, cert);
+	return FALSE;
 }
 
 /**
@@ -718,9 +750,10 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			{
 				if (current->equals(current, issuer))
 				{
-					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not trusted",
-						 current->get_subject(current));
+					DBG1(DBG_CFG, "  self-signed certificate \"%Y\" is not "
+						 "trusted", current->get_subject(current));
 					issuer->destroy(issuer);
+					call_hook(this, CRED_HOOK_UNTRUSTED_ROOT, current);
 					break;
 				}
 				auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
@@ -732,6 +765,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 			{
 				DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
 					 current->get_subject(current));
+				call_hook(this, CRED_HOOK_NO_ISSUER, current);
 				break;
 			}
 		}
@@ -750,8 +784,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 		current = issuer;
 		if (trusted)
 		{
-			DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
-						  pathlen);
+			DBG1(DBG_CFG, "  reached self-signed root ca with a "
+				 "path length of %d", pathlen);
 			break;
 		}
 	}
@@ -759,6 +793,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 	if (pathlen > MAX_TRUST_PATH_LEN)
 	{
 		DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+		call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
 	}
 	if (trusted)
 	{
@@ -1301,6 +1336,8 @@ credential_manager_t *credential_manager_create()
 			.remove_local_set = _remove_local_set,
 			.add_validator = _add_validator,
 			.remove_validator = _remove_validator,
+			.set_hook = _set_hook,
+			.call_hook = _call_hook,
 			.destroy = _destroy,
 		},
 		.sets = linked_list_create(),