diff options
author | Yves-Alexis Perez <corsac@corsac.net> | 2012-06-28 21:16:07 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2012-06-28 21:16:07 +0200 |
commit | b34738ed08c2227300d554b139e2495ca5da97d6 (patch) | |
tree | 62f33b52820f2e49f0e53c0f8c636312037c8054 /src/libstrongswan/credentials | |
parent | 0a9d51a49042a68daa15b0c74a2b7f152f52606b (diff) | |
download | vyos-strongswan-b34738ed08c2227300d554b139e2495ca5da97d6.tar.gz vyos-strongswan-b34738ed08c2227300d554b139e2495ca5da97d6.zip |
Imported Upstream version 4.6.4
Diffstat (limited to 'src/libstrongswan/credentials')
24 files changed, 515 insertions, 426 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 23a3f62d9..12f75b240 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -1,6 +1,6 @@ /* + * Copyright (C) 2008-2012 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -30,6 +30,63 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP, "EAP", ); +ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT, + "RULE_IDENTITY", + "RULE_AUTH_CLASS", + "RULE_AAA_IDENTITY", + "RULE_EAP_IDENTITY", + "RULE_EAP_TYPE", + "RULE_EAP_VENDOR", + "RULE_CA_CERT", + "RULE_IM_CERT", + "RULE_SUBJECT_CERT", + "RULE_CRL_VALIDATION", + "RULE_OCSP_VALIDATION", + "RULE_GROUP", + "RULE_RSA_STRENGTH", + "RULE_ECDSA_STRENGTH", + "RULE_CERT_POLICY", + "HELPER_IM_CERT", + "HELPER_SUBJECT_CERT", + "HELPER_IM_HASH_URL", + "HELPER_SUBJECT_HASH_URL", + "HELPER_REVOCATION_CERT", +); + +/** + * Check if the given rule is a rule for which there may be multiple values. + */ +static inline bool is_multi_value_rule(auth_rule_t type) +{ + switch (type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_RULE_MAX: + return FALSE; + case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_CERT_POLICY: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: + return TRUE; + } + return FALSE; +} + typedef struct private_auth_cfg_t private_auth_cfg_t; /** @@ -67,6 +124,8 @@ typedef struct { enumerator_t *inner; /** current entry */ entry_t *current; + /** types we have already enumerated */ + bool enumerated[AUTH_RULE_MAX]; } entry_enumerator_t; /** @@ -76,11 +135,22 @@ static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value) { entry_t *entry; - if (this->inner->enumerate(this->inner, &entry)) + while (this->inner->enumerate(this->inner, &entry)) { + if (!is_multi_value_rule(entry->type) && this->enumerated[entry->type]) + { + continue; + } + this->enumerated[entry->type] = TRUE; this->current = entry; - *type = entry->type; - *value = entry->value; + if (type) + { + *type = entry->type; + } + if (value) + { + *value = entry->value; + } return TRUE; } return FALSE; @@ -95,22 +165,124 @@ static void entry_enumerator_destroy(entry_enumerator_t *this) free(this); } -/** - * Implementation of auth_cfg_t.create_enumerator. - */ -static enumerator_t* create_enumerator(private_auth_cfg_t *this) +METHOD(auth_cfg_t, create_enumerator, enumerator_t*, + private_auth_cfg_t *this) { entry_enumerator_t *enumerator; - enumerator = malloc_thing(entry_enumerator_t); - enumerator->inner = this->entries->create_enumerator(this->entries); - enumerator->public.enumerate = (void*)enumerate; - enumerator->public.destroy = (void*)entry_enumerator_destroy; - enumerator->current = NULL; + INIT(enumerator, + .public = { + .enumerate = (void*)enumerate, + .destroy = (void*)entry_enumerator_destroy, + }, + .inner = this->entries->create_enumerator(this->entries), + ); return &enumerator->public; } /** + * Create an entry from the given arguments. + */ +static entry_t *entry_create(auth_rule_t type, va_list args) +{ + entry_t *this = malloc_thing(entry_t); + + this->type = type; + switch (type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: + /* integer type */ + this->value = (void*)(uintptr_t)va_arg(args, u_int); + break; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: + case AUTH_RULE_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_RULE_CERT_POLICY: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + case AUTH_HELPER_REVOCATION_CERT: + /* pointer type */ + this->value = va_arg(args, void*); + break; + case AUTH_RULE_MAX: + this->value = NULL; + break; + } + return this; +} + +/** + * Compare two entries for equality. + */ +static bool entry_equals(entry_t *e1, entry_t *e2) +{ + if (e1->type != e2->type) + { + return FALSE; + } + switch (e1->type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: + { + return e1->value == e2->value; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_REVOCATION_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)e1->value; + c2 = (certificate_t*)e2->value; + + return c1->equals(c1, c2); + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AAA_IDENTITY: + case AUTH_RULE_GROUP: + { + identification_t *id1, *id2; + + id1 = (identification_t*)e1->value; + id2 = (identification_t*)e2->value; + + return id1->equals(id1, id2); + } + case AUTH_RULE_CERT_POLICY: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + return streq(e1->value, e2->value); + } + case AUTH_RULE_MAX: + break; + } + return FALSE; +} + +/** * Destroy the value associated with an entry */ static void destroy_entry_value(entry_t *entry) @@ -151,6 +323,7 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_OCSP_VALIDATION: case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_MAX: break; } } @@ -158,17 +331,18 @@ static void destroy_entry_value(entry_t *entry) /** * Implementation of auth_cfg_t.replace. */ -static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, +static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, auth_rule_t type, ...) { if (enumerator->current) { + entry_t *entry; va_list args; va_start(args, type); - - destroy_entry_value(enumerator->current); - enumerator->current->type = type; + entry = enumerator->current; + destroy_entry_value(entry); + entry->type = type; switch (type) { case AUTH_RULE_AUTH_CLASS: @@ -179,7 +353,7 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_RSA_STRENGTH: case AUTH_RULE_ECDSA_STRENGTH: /* integer type */ - enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int); + entry->value = (void*)(uintptr_t)va_arg(args, u_int); break; case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: @@ -195,17 +369,18 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: /* pointer type */ - enumerator->current->value = va_arg(args, void*); + entry->value = va_arg(args, void*); + break; + case AUTH_RULE_MAX: + entry->value = NULL; break; } va_end(args); } } -/** - * Implementation of auth_cfg_t.get. - */ -static void* get(private_auth_cfg_t *this, auth_rule_t type) +METHOD(auth_cfg_t, get, void*, + private_auth_cfg_t *this, auth_rule_t type) { enumerator_t *enumerator; void *current_value, *best_value = NULL; @@ -264,9 +439,10 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: - default: - return NULL; + case AUTH_RULE_MAX: + break; } + return NULL; } /** @@ -274,49 +450,26 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type) */ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) { - entry_t *entry = malloc_thing(entry_t); + entry_t *entry; va_list args; va_start(args, type); - entry->type = type; - switch (type) - { - case AUTH_RULE_AUTH_CLASS: - case AUTH_RULE_EAP_TYPE: - case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - case AUTH_RULE_RSA_STRENGTH: - case AUTH_RULE_ECDSA_STRENGTH: - /* integer type */ - entry->value = (void*)(uintptr_t)va_arg(args, u_int); - break; - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AAA_IDENTITY: - case AUTH_RULE_GROUP: - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_RULE_CERT_POLICY: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - case AUTH_HELPER_REVOCATION_CERT: - /* pointer type */ - entry->value = va_arg(args, void*); - break; - } + entry = entry_create(type, args); va_end(args); - this->entries->insert_last(this->entries, entry); + + if (is_multi_value_rule(type)) + { /* insert rules that may occur multiple times at the end */ + this->entries->insert_last(this->entries, entry); + } + else + { /* insert rules we expect only once at the front (get() will return + * the latest value) */ + this->entries->insert_first(this->entries, entry); + } } -/** - * Implementation of auth_cfg_t.complies. - */ -static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, - bool log_error) +METHOD(auth_cfg_t, complies, bool, + private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error) { enumerator_t *e1, *e2; bool success = TRUE, has_group = FALSE, group_match = FALSE; @@ -566,6 +719,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_RULE_MAX: /* skip helpers */ continue; } @@ -602,6 +756,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy auth_rule_t type; void *value; + /* this enumerator skips duplicates for rules we expect only once */ enumerator = create_enumerator(other); while (enumerator->enumerate(enumerator, &type, &value)) { @@ -647,6 +802,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy add(this, type, strdup((char*)value)); break; } + case AUTH_RULE_MAX: + break; } } enumerator->destroy(enumerator); @@ -672,85 +829,23 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) entry_t *i1, *i2; bool equal = TRUE, found; - if (this->entries->get_count(this->entries) != - other->entries->get_count(other->entries)) - { - return FALSE; - } + /* the rule count does not have to be equal for the two, as we only compare + * the first value found for some rules */ e1 = this->entries->create_enumerator(this->entries); while (e1->enumerate(e1, &i1)) { found = FALSE; + e2 = other->entries->create_enumerator(other->entries); while (e2->enumerate(e2, &i2)) { - if (i1->type == i2->type) + if (entry_equals(i1, i2)) { - switch (i1->type) - { - case AUTH_RULE_AUTH_CLASS: - case AUTH_RULE_EAP_TYPE: - case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - case AUTH_RULE_RSA_STRENGTH: - case AUTH_RULE_ECDSA_STRENGTH: - { - if (i1->value == i2->value) - { - found = TRUE; - break; - } - continue; - } - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - case AUTH_HELPER_REVOCATION_CERT: - { - certificate_t *c1, *c2; - - c1 = (certificate_t*)i1->value; - c2 = (certificate_t*)i2->value; - - if (c1->equals(c1, c2)) - { - found = TRUE; - break; - } - continue; - } - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AAA_IDENTITY: - case AUTH_RULE_GROUP: - { - identification_t *id1, *id2; - - id1 = (identification_t*)i1->value; - id2 = (identification_t*)i2->value; - - if (id1->equals(id1, id2)) - { - found = TRUE; - break; - } - continue; - } - case AUTH_RULE_CERT_POLICY: - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - { - if (streq(i1->value, i2->value)) - { - found = TRUE; - break; - } - continue; - } - } + found = TRUE; + break; + } + else if (i1->type == i2->type && !is_multi_value_rule(i1->type)) + { /* we continue our search, only for multi valued rules */ break; } } @@ -765,10 +860,8 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) return equal; } -/** - * Implementation of auth_cfg_t.purge - */ -static void purge(private_auth_cfg_t *this, bool keep_ca) +METHOD(auth_cfg_t, purge, void, + private_auth_cfg_t *this, bool keep_ca) { entry_t *entry; linked_list_t *cas; @@ -793,16 +886,15 @@ static void purge(private_auth_cfg_t *this, bool keep_ca) cas->destroy(cas); } -/** - * Implementation of auth_cfg_t.clone - */ -static auth_cfg_t* clone_(private_auth_cfg_t *this) +METHOD(auth_cfg_t, clone_, auth_cfg_t*, + private_auth_cfg_t *this) { enumerator_t *enumerator; auth_cfg_t *clone; entry_t *entry; clone = auth_cfg_create(); + /* this enumerator skips duplicates for rules we expect only once */ enumerator = this->entries->create_enumerator(this->entries); while (enumerator->enumerate(enumerator, &entry)) { @@ -844,16 +936,16 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this) case AUTH_RULE_ECDSA_STRENGTH: clone->add(clone, entry->type, (uintptr_t)entry->value); break; + case AUTH_RULE_MAX: + break; } } enumerator->destroy(enumerator); return clone; } -/** - * Implementation of auth_cfg_t.destroy - */ -static void destroy(private_auth_cfg_t *this) +METHOD(auth_cfg_t, destroy, void, + private_auth_cfg_t *this) { purge(this, FALSE); this->entries->destroy(this->entries); @@ -865,20 +957,23 @@ static void destroy(private_auth_cfg_t *this) */ auth_cfg_t *auth_cfg_create() { - private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t); - - this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add; - this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get; - this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator; - this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace; - this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies; - this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge; - this->public.purge = (void(*)(auth_cfg_t*,bool))purge; - this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals; - this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_; - this->public.destroy = (void(*)(auth_cfg_t*))destroy; - - this->entries = linked_list_create(); + private_auth_cfg_t *this; + + INIT(this, + .public = { + .add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add, + .get = _get, + .create_enumerator = _create_enumerator, + .replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace, + .complies = _complies, + .merge = (void(*)(auth_cfg_t*,auth_cfg_t*,bool))merge, + .purge = _purge, + .equals = (bool(*)(auth_cfg_t*,auth_cfg_t*))equals, + .clone = _clone_, + .destroy = _destroy, + }, + .entries = linked_list_create(), + ); return &this->public; } diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 489ce1134..4d12a9c14 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -1,6 +1,6 @@ /* + * Copyright (C) 2008-2012 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -31,7 +31,7 @@ typedef enum auth_class_t auth_class_t; /** * Class of authentication to use. This is different to auth_method_t in that * it does not specify a method, but a class of acceptable methods. The found - * certificate finally dictates wich method is used. + * certificate finally dictates which method is used. */ enum auth_class_t { /** any class acceptable */ @@ -57,13 +57,12 @@ extern enum_name_t *auth_class_names; * - For configs specifying local authentication behavior, the rules define * which authentication method in which way. * - For configs specifying remote peer authentication, the rules define - * constraints the peer has to fullfill. + * constraints the peer has to fulfill. * * Additionally to the rules, there is a set of helper items. These are used * to transport credentials during the authentication process. */ enum auth_rule_t { - /** identity to use for IKEv2 authentication exchange, identification_t* */ AUTH_RULE_IDENTITY, /** authentication class, auth_class_t */ @@ -107,6 +106,9 @@ enum auth_rule_t { AUTH_HELPER_SUBJECT_HASH_URL, /** revocation certificate (CRL, OCSP), certificate_t* */ AUTH_HELPER_REVOCATION_CERT, + + /** helper to determine the number of elements in this enum */ + AUTH_RULE_MAX, }; /** @@ -119,8 +121,8 @@ extern enum_name_t *auth_rule_names; * * RFC4739 defines multiple authentication rounds. This class defines such * a round from a configuration perspective, either for the local or the remote - * peer. Local config are called "rulesets", as they define how we authenticate. - * Remote peer configs are called "constraits", they define what is needed to + * peer. Local configs are called "rulesets". They define how we authenticate. + * Remote peer configs are called "constraits". They define what is needed to * complete the authentication round successfully. * * @verbatim @@ -144,13 +146,20 @@ extern enum_name_t *auth_rule_names; @endverbatim * - * Values for each items are either pointers (casted to void*) or short + * Values for each item are either pointers (casted to void*) or short * integers (use uintptr_t cast). */ struct auth_cfg_t { /** - * Add an rule to the set. + * Add a rule to the set. + * + * Rules we expect only once (e.g. identities) implicitly replace previous + * rules of the same type (but pointers to previous values will remain + * valid until the auth_cfg_t object is destroyed). + * Rules that may occur multiple times (e.g. CA certificates) are inserted + * so that they can be enumerated in the order in which they were added. + * For these get() will return the value added first. * * @param rule rule type * @param ... associated value to rule @@ -158,7 +167,9 @@ struct auth_cfg_t { void (*add)(auth_cfg_t *this, auth_rule_t rule, ...); /** - * Get an rule value. + * Get a rule value. + * + * For rules we expect only once the latest value is returned. * * @param rule rule type * @return bool if item has been found @@ -168,14 +179,17 @@ struct auth_cfg_t { /** * Create an enumerator over added rules. * + * Refer to add() regarding the order in which rules are enumerated. + * For rules we expect only once the latest value is enumerated only. + * * @return enumerator over (auth_rule_t, union{void*,uintpr_t}) */ enumerator_t* (*create_enumerator)(auth_cfg_t *this); /** - * Replace an rule at enumerator position. + * Replace a rule at enumerator position. * - * @param pos enumerator position position + * @param pos enumerator position * @param rule rule type * @param ... associated value to rule */ @@ -186,7 +200,7 @@ struct auth_cfg_t { * Check if a used config fulfills a set of configured constraints. * * @param constraints required authorization rules - * @param log_error wheter to log compliance errors + * @param log_error whether to log compliance errors * @return TRUE if this complies with constraints */ bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error); @@ -202,20 +216,22 @@ struct auth_cfg_t { /** * Purge all rules in a config. * - * @param keep_ca wheter to keep AUTH_RULE_CA_CERT entries + * @param keep_ca whether to keep AUTH_RULE_CA_CERT entries */ void (*purge)(auth_cfg_t *this, bool keep_ca); /** * Check two configs for equality. * - * @param other other config to compaire against this + * For rules we expect only once the latest value is compared only. + * + * @param other other config to compare against this * @return TRUE if auth infos identical */ bool (*equals)(auth_cfg_t *this, auth_cfg_t *other); /** - * Clone a authentication config, including all rules. + * Clone an authentication config, including all rules. * * @return cloned configuration */ diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index f9a277a2c..d3157c80e 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -23,8 +23,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_BLOB_PEM", "BUILD_BLOB_PGP", "BUILD_BLOB_DNSKEY", - "BUILD_PASSPHRASE", - "BUILD_PASSPHRASE_CALLBACK", + "BUILD_BLOB_ALGID_PARAMS", "BUILD_KEY_SIZE", "BUILD_SIGNING_KEY", "BUILD_SIGNING_CERT", diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index 325b668cd..41250ccae 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -28,8 +28,8 @@ typedef enum builder_part_t builder_part_t; /** * Constructor function to build credentials. * - * Any added parts are cloned/refcounted by the builder implementation, a - * caller may need to free the passed ressources themself. + * Any added parts are cloned/refcounted by the builder implementation. + * Callers may need to free the passed resources themselves. * * @param subtype constructor specific subtype, e.g. a certificate_type_t * @param args list of builder part types, followed by parts, BUILD_END @@ -53,10 +53,12 @@ enum builder_part_t { BUILD_BLOB_ASN1_DER, /** PEM encoded ASN.1/PGP blob, chunk_t */ BUILD_BLOB_PEM, - /** OpenPGP key blob, chunk_t */ + /** OpenPGP key blob, chunk_t */ BUILD_BLOB_PGP, /** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */ BUILD_BLOB_DNSKEY, + /** parameters from algorithmIdentifier (ASN.1 blob), chunk_t */ + BUILD_BLOB_ALGID_PARAMS, /** key size in bits, as used for key generation, u_int */ BUILD_KEY_SIZE, /** private key to use for signing, private_key_t* */ diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h index 733d9d612..00e30d7a0 100644 --- a/src/libstrongswan/credentials/cert_validator.h +++ b/src/libstrongswan/credentials/cert_validator.h @@ -39,7 +39,7 @@ struct cert_validator_t { * * @param subject subject certificate to check * @param issuer issuer of subject - * @param online wheter to do online revocation checking + * @param online whether to do online revocation checking * @param pathlen the current length of the path bottom-up * @param anchor is issuer trusted root anchor * @param auth container for resulting authentication info diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h index fef7f8c65..57b44adca 100644 --- a/src/libstrongswan/credentials/certificates/ac.h +++ b/src/libstrongswan/credentials/certificates/ac.h @@ -79,7 +79,6 @@ struct ac_t { /** * @brief Checks if two attribute certificates belong to the same holder * - * @param this calling attribute certificate * @param that other attribute certificate * @return TRUE if same holder */ diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c index 661b69e36..33ba4e907 100644 --- a/src/libstrongswan/credentials/certificates/certificate.c +++ b/src/libstrongswan/credentials/certificates/certificate.c @@ -38,6 +38,7 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED, "SKIPPED", "STALE", "FAILED", + "ON_HOLD", "REVOKED", ); diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index 43bfe3dc1..2f471da5b 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -77,6 +77,8 @@ enum cert_validation_t { VALIDATION_STALE, /** validation failed due to a processing error */ VALIDATION_FAILED, + /** certificate is on hold (i.e. temporary revokation) */ + VALIDATION_ON_HOLD, /** certificate has been revoked */ VALIDATION_REVOKED, }; @@ -115,7 +117,7 @@ struct certificate_t { * not returned by get_subject (e.g. subjectAltNames) * * @param subject subject identity - * @return matching value of best match + * @return matching value of best match */ id_match_t (*has_subject)(certificate_t *this, identification_t *subject); @@ -132,8 +134,8 @@ struct certificate_t { * A certificate may contain additional issuer identifiers, which are * not returned by get_issuer (e.g. issuerAltNames) * - * @param subject isser identity - * @return matching value of best match + * @param subject issuer identity + * @return matching value of best match */ id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer); @@ -141,7 +143,7 @@ struct certificate_t { * Check if this certificate is issued and signed by a specific issuer. * * @param issuer issuer's certificate - * @return TRUE if certificate issued by issuer and trusted + * @return TRUE if certificate issued by issuer and trusted */ bool (*issued_by)(certificate_t *this, certificate_t *issuer); @@ -176,7 +178,7 @@ struct certificate_t { /** * Check if two certificates are equal. * - * @param other certificate to compair against this + * @param other certificate to compare against this * @return TRUE if certificates are equal */ bool (*equals)(certificate_t *this, certificate_t *other); @@ -197,10 +199,10 @@ struct certificate_t { /** * Generic check if a given certificate is newer than another. * - * @param this first certificate to check - * @param other second certificate + * @param cert certificate + * @param other certificate to compare to * @return TRUE if this newer than other */ -bool certificate_is_newer(certificate_t *this, certificate_t *other); +bool certificate_is_newer(certificate_t *cert, certificate_t *other); #endif /** CERTIFICATE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 2f3497474..4191c5935 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -100,10 +100,10 @@ struct crl_t { /** * Generic check if a given CRL is newer than another. * - * @param this first CRL to check - * @param other second CRL + * @param crl CRL + * @param other CRL to compare to * @return TRUE if this newer than other */ -bool crl_is_newer(crl_t *this, crl_t *other); +bool crl_is_newer(crl_t *crl, crl_t *other); #endif /** CRL_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index fec02dbad..5125aca26 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -41,13 +41,13 @@ enum x509_flag_t { /** cert has no constraints */ X509_NONE = 0, /** cert has CA constraint */ - X509_CA = (1<<0), + X509_CA = (1<<0), /** cert has AA constraint */ - X509_AA = (1<<1), + X509_AA = (1<<1), /** cert has OCSP signer constraint */ - X509_OCSP_SIGNER = (1<<2), + X509_OCSP_SIGNER = (1<<2), /** cert has serverAuth key usage */ - X509_SERVER_AUTH = (1<<3), + X509_SERVER_AUTH = (1<<3), /** cert has clientAuth key usage */ X509_CLIENT_AUTH = (1<<4), /** cert is self-signed */ @@ -76,12 +76,12 @@ enum x509_constraint_t { * X.509 certPolicy extension. */ struct x509_cert_policy_t { - /** OID of certPolicy */ - chunk_t oid; /** Certification Practice Statement URI qualifier */ char *cps_uri; /** UserNotice Text qualifier */ char *unotice_text; + /** OID of certPolicy */ + chunk_t oid; }; /** diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c index ac3266f4c..4865984dd 100644 --- a/src/libstrongswan/credentials/cred_encoding.c +++ b/src/libstrongswan/credentials/cred_encoding.c @@ -110,15 +110,13 @@ static bool equals(void *key1, void *key2) return key1 == key2; } -/** - * Implementation of cred_encoding_t.get_cache - */ -static bool get_cache(private_cred_encoding_t *this, cred_encoding_type_t type, - void *cache, chunk_t *encoding) +METHOD(cred_encoding_t, get_cache, bool, + private_cred_encoding_t *this, cred_encoding_type_t type, void *cache, + chunk_t *encoding) { chunk_t *chunk; - if (type >= CRED_ENCODING_MAX || type < 0) + if (type >= CRED_ENCODING_MAX || (int)type < 0) { return FALSE; } @@ -144,7 +142,7 @@ static bool encode(private_cred_encoding_t *this, cred_encoding_type_t type, bool success = FALSE; chunk_t *chunk; - if (type >= CRED_ENCODING_MAX || type < 0) + if (type >= CRED_ENCODING_MAX || (int)type < 0) { return FALSE; } @@ -191,15 +189,13 @@ static bool encode(private_cred_encoding_t *this, cred_encoding_type_t type, return success; } -/** - * Implementation of cred_encoding_t.cache - */ -static void cache(private_cred_encoding_t *this, cred_encoding_type_t type, - void *cache, chunk_t encoding) +METHOD(cred_encoding_t, cache, void, + private_cred_encoding_t *this, cred_encoding_type_t type, void *cache, + chunk_t encoding) { chunk_t *chunk; - if (type >= CRED_ENCODING_MAX || type < 0) + if (type >= CRED_ENCODING_MAX || (int)type < 0) { return free(encoding.ptr); } @@ -216,10 +212,8 @@ static void cache(private_cred_encoding_t *this, cred_encoding_type_t type, } } -/** - * Implementation of cred_encoding_t.clear_cache - */ -static void clear_cache(private_cred_encoding_t *this, void *cache) +METHOD(cred_encoding_t, clear_cache, void, + private_cred_encoding_t *this, void *cache) { cred_encoding_type_t type; chunk_t *chunk; @@ -237,30 +231,24 @@ static void clear_cache(private_cred_encoding_t *this, void *cache) this->lock->unlock(this->lock); } -/** - * Implementation of cred_encoding_t.add_encoder - */ -static void add_encoder(private_cred_encoding_t *this, cred_encoder_t encoder) +METHOD(cred_encoding_t, add_encoder, void, + private_cred_encoding_t *this, cred_encoder_t encoder) { this->lock->write_lock(this->lock); this->encoders->insert_last(this->encoders, encoder); this->lock->unlock(this->lock); } -/** - * Implementation of cred_encoding_t.remove_encoder - */ -static void remove_encoder(private_cred_encoding_t *this, cred_encoder_t encoder) +METHOD(cred_encoding_t, remove_encoder, void, + private_cred_encoding_t *this, cred_encoder_t encoder) { this->lock->write_lock(this->lock); this->encoders->remove(this->encoders, encoder, NULL); this->lock->unlock(this->lock); } -/** - * Implementation of cred_encoder_t.destroy. - */ -static void destroy(private_cred_encoding_t *this) +METHOD(cred_encoding_t, destroy, void, + private_cred_encoding_t *this) { cred_encoding_type_t type; @@ -282,23 +270,27 @@ static void destroy(private_cred_encoding_t *this) */ cred_encoding_t *cred_encoding_create() { - private_cred_encoding_t *this = malloc_thing(private_cred_encoding_t); + private_cred_encoding_t *this; cred_encoding_type_t type; - this->public.encode = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode; - this->public.get_cache = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding))get_cache; - this->public.cache = (void(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t encoding))cache; - this->public.clear_cache = (void(*)(cred_encoding_t*, void *cache))clear_cache; - this->public.add_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))add_encoder; - this->public.remove_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))remove_encoder; - this->public.destroy = (void(*)(cred_encoding_t*))destroy; + INIT(this, + .public = { + .encode = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode, + .get_cache = _get_cache, + .cache = _cache, + .clear_cache = _clear_cache, + .add_encoder = _add_encoder, + .remove_encoder = _remove_encoder, + .destroy = _destroy, + }, + .encoders = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); for (type = 0; type < CRED_ENCODING_MAX; type++) { this->cache[type] = hashtable_create(hash, equals, 8); } - this->encoders = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h index e2d69691e..b029fe2ac 100644 --- a/src/libstrongswan/credentials/cred_encoding.h +++ b/src/libstrongswan/credentials/cred_encoding.h @@ -59,7 +59,7 @@ bool cred_encoding_args(va_list args, ...); /** * Encoding type of a fingerprint/credential. * - * Fingerprints have have the KEYID_*, public keys the PUBKEY_* and + * Fingerprints have the KEYID_*, public keys the PUBKEY_* and * private keys the PRIVKEY_* prefix. */ enum cred_encoding_type_t { diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h index 709dc916a..c31601245 100644 --- a/src/libstrongswan/credentials/credential_factory.h +++ b/src/libstrongswan/credentials/credential_factory.h @@ -54,7 +54,7 @@ struct credential_factory_t { * The variable argument list takes builder_part_t types followed * by the type specific value. The list must be terminated using BUILD_END. * All passed parts get cloned/refcounted by the builder functions, - * so free up allocated ressources after successful and unsuccessful + * so free up allocated resources after successful and unsuccessful * invocations. * * @param type credential type to build diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 27b97eab3..b3461b810 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -866,7 +866,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*, } /** - * Check if an helper contains a certificate as trust anchor + * Check if a helper contains a certificate as trust anchor */ static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert) { @@ -949,7 +949,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this, } /** - * find a private key of a give certificate + * find a private key of a given certificate */ static private_key_t *get_private_by_cert(private_credential_manager_t *this, certificate_t *cert, key_type_t type) diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h index 04269cfbf..8e8f04b8c 100644 --- a/src/libstrongswan/credentials/credential_manager.h +++ b/src/libstrongswan/credentials/credential_manager.h @@ -36,11 +36,11 @@ typedef struct credential_manager_t credential_manager_t; * Manages credentials using credential_sets. * * The credential manager is the entry point of the credential framework. It - * uses so called "sets" to access credentials in a modular fashion, these + * uses so called "sets" to access credentials in a modular fashion. These * are implemented through the credential_set_t interface. * The manager additionally does trust chain verification and trust status - * chaching. A set may call the managers methods if it needs credentials itself, - * the manager uses recursive locking. + * caching. A set may call the managers methods if it needs credentials itself. + * The manager uses recursive locking. * * @verbatim @@ -62,8 +62,8 @@ typedef struct credential_manager_t credential_manager_t; @endverbatim * - * The credential manager uses rwlocks for performance reasons, credential - * sets must be fully thread save. + * The credential manager uses rwlocks for performance reasons. Credential + * sets must be fully thread-safe. */ struct credential_manager_t { @@ -84,7 +84,7 @@ struct credential_manager_t { * * The enumerator enumerates over: * shared_key_t*, id_match_t me, id_match_t other - * But must accepts values for the id_matches. + * But must accept values for the id_matches. * * @param type kind of requested shared key * @param first first subject between key is shared @@ -120,7 +120,7 @@ struct credential_manager_t { * * @param type kind of requested shared key * @param me own identity - * @param other peers identity + * @param other peer identity * @return shared_key_t, NULL if none found */ shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type, @@ -130,7 +130,7 @@ struct credential_manager_t { * * The get_private() method gets a secret private key identified by either * the keyid itself or an id the key belongs to. - * The auth parameter contains additional information, such as receipients + * The auth parameter contains additional information, such as recipients * trusted CA certs. Auth gets filled with subject and CA certificates * needed to validate a created signature. * @@ -146,7 +146,7 @@ struct credential_manager_t { * Create an enumerator over trusted certificates. * * This method creates an enumerator over trusted certificates. The auth - * parameter (if given) recevies the trustchain used to validate + * parameter (if given) receives the trustchain used to validate * the certificate. The resulting enumerator enumerates over * certificate_t*, auth_cfg_t*. * If online is set, revocations are checked online for the whole @@ -163,7 +163,7 @@ struct credential_manager_t { /** * Create an enumerator over trusted public keys. * - * This method gets a an enumerator over trusted public keys to verify a + * This method creates an enumerator over trusted public keys to verify a * signature created by id. The auth parameter contains additional * authentication infos, e.g. peer and intermediate certificates. * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *, @@ -180,7 +180,7 @@ struct credential_manager_t { key_type_t type, identification_t *id, auth_cfg_t *auth); /** - * Cache a certificate by invoking cache_cert() on all registerd sets. + * Cache a certificate by invoking cache_cert() on all registered sets. * * @param cert certificate to cache */ @@ -199,8 +199,8 @@ struct credential_manager_t { /** * Check if a given subject certificate is issued by an issuer certificate. * - * This operation does signature verification, but uses the credential - * managers cache for to speed up the operation. + * This operation does signature verification using the credential + * manager's cache to speed up the operation. * * @param subject subject certificate to check * @param issuer issuer certificate that potentially has signed subject @@ -228,7 +228,7 @@ struct credential_manager_t { * * To add a credential set for the current trustchain verification * operation, sets may be added for the calling thread only. This - * does not require a write lock and is therefore a much less expensive + * does not require a write lock and is therefore a much cheaper * operation. * * @param set set to register diff --git a/src/libstrongswan/credentials/credential_set.h b/src/libstrongswan/credentials/credential_set.h index 0eee237cb..8673c484f 100644 --- a/src/libstrongswan/credentials/credential_set.h +++ b/src/libstrongswan/credentials/credential_set.h @@ -38,7 +38,7 @@ typedef struct credential_set_t credential_set_t; * A credential set enumerator may not block the credential set, i.e. multiple * threads must be able to hold multiple enumerators, as the credential manager * is higly parallelized. The best way to achieve this is by using shared - * read locks for the enumerators only. Otherwiese deadlocks will occur. + * read locks for the enumerators only. Otherwise deadlocks will occur. * The writing cache_cert() routine is called by the manager only if no * enumerator is alive, so it is save to use a write lock there. */ @@ -97,7 +97,7 @@ struct credential_set_t { /** * Cache a certificate in the credential set. * - * The caching policy is implementation dependent, the sets may cache the + * The caching policy is implementation dependent. The sets may cache the * certificate in-memory, persistent on disk or not at all. * * @param cert certificate to cache diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c index fecc9910e..fb18fb53d 100644 --- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c +++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c @@ -102,15 +102,14 @@ static void ietf_attr_destroy(ietf_attr_t *this) */ static ietf_attr_t* ietf_attr_create(ietf_attribute_type_t type, chunk_t value) { - ietf_attr_t *this = malloc_thing(ietf_attr_t); + ietf_attr_t *this; - /* initialize */ - this->type = type; - this->value = chunk_clone(value); - - /* function */ - this->compare = ietf_attr_compare; - this->destroy = ietf_attr_destroy; + INIT(this, + .compare = ietf_attr_compare, + .destroy = ietf_attr_destroy, + .type = type, + .value = chunk_clone(value), + ); return this; } @@ -142,10 +141,8 @@ struct private_ietf_attributes_t { refcount_t ref; }; -/** - * Implementation of ietf_attributes_t.get_string. - */ -static char* get_string(private_ietf_attributes_t *this) +METHOD(ietf_attributes_t, get_string, char*, + private_ietf_attributes_t *this) { if (this->string == NULL) { @@ -217,10 +214,8 @@ static char* get_string(private_ietf_attributes_t *this) return this->string; } -/** - * Implementation of ietf_attributes_t.get_encoding. - */ -static chunk_t get_encoding(private_ietf_attributes_t *this) +METHOD(ietf_attributes_t, get_encoding, chunk_t, + private_ietf_attributes_t *this) { chunk_t values; size_t size = 0; @@ -270,7 +265,11 @@ static chunk_t get_encoding(private_ietf_attributes_t *this) return asn1_wrap(ASN1_SEQUENCE, "m", values); } -static bool equals(private_ietf_attributes_t *this, private_ietf_attributes_t *other) +/** + * Implementation of ietf_attributes_t.equals. + */ +static bool equals(private_ietf_attributes_t *this, + private_ietf_attributes_t *other) { bool result = TRUE; @@ -304,7 +303,11 @@ static bool equals(private_ietf_attributes_t *this, private_ietf_attributes_t *o return result; } -static bool matches(private_ietf_attributes_t *this, private_ietf_attributes_t *other) +/** + * Implementation of ietf_attributes_t.matches. + */ +static bool matches(private_ietf_attributes_t *this, + private_ietf_attributes_t *other) { bool result = FALSE; ietf_attr_t *attr_a, *attr_b; @@ -364,19 +367,15 @@ static bool matches(private_ietf_attributes_t *this, private_ietf_attributes_t * return result; } -/** - * Implementation of ietf_attributes_t.get_ref - */ -static private_ietf_attributes_t* get_ref(private_ietf_attributes_t *this) +METHOD(ietf_attributes_t, get_ref, ietf_attributes_t*, + private_ietf_attributes_t *this) { ref_get(&this->ref); - return this; + return &this->public; } -/** - * Implementation of ietf_attributes_t.destroy. - */ -static void destroy(private_ietf_attributes_t *this) +METHOD(ietf_attributes_t, destroy, void, + private_ietf_attributes_t *this) { if (ref_put(&this->ref)) { @@ -388,18 +387,21 @@ static void destroy(private_ietf_attributes_t *this) static private_ietf_attributes_t* create_empty(void) { - private_ietf_attributes_t *this = malloc_thing(private_ietf_attributes_t); - - this->public.get_string = (char* (*)(ietf_attributes_t*))get_string; - this->public.get_encoding = (chunk_t (*)(ietf_attributes_t*))get_encoding; - this->public.equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals; - this->public.matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches; - this->public.get_ref = (ietf_attributes_t* (*)(ietf_attributes_t*))get_ref; - this->public.destroy = (void (*)(ietf_attributes_t*))destroy; - - this->list = linked_list_create(); - this->string = NULL; - this->ref = 1; + private_ietf_attributes_t *this; + + INIT(this, + .public = { + .get_string = _get_string, + .get_encoding = _get_encoding, + .equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals, + .matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .list = linked_list_create(), + .ref = 1, + ); + return this; } @@ -410,34 +412,24 @@ static void ietf_attributes_add(private_ietf_attributes_t *this, ietf_attr_t *attr) { ietf_attr_t *current_attr; - bool found = FALSE; - iterator_t *iterator; + enumerator_t *enumerator; + int cmp = -1; - iterator = this->list->create_iterator(this->list, TRUE); - while (iterator->iterate(iterator, (void **)¤t_attr)) + enumerator = this->list->create_enumerator(this->list); + while (enumerator->enumerate(enumerator, (void **)¤t_attr) && + (cmp = attr->compare(attr, current_attr)) > 0) { - int cmp = attr->compare(attr, current_attr); - - if (cmp > 0) - { - continue; - } - if (cmp == 0) - { - attr->destroy(attr); - } - else - { - iterator->insert_before(iterator, attr); - } - found = TRUE; - break; + continue; } - iterator->destroy(iterator); - if (!found) + if (cmp == 0) { - this->list->insert_last(this->list, attr); + attr->destroy(attr); + } + else + { /* the enumerator either points to the end or to the attribute > attr */ + this->list->insert_before(this->list, enumerator, attr); } + enumerator->destroy(enumerator); } /* @@ -527,7 +519,7 @@ ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded) ietf_attr_t *attr; type = (objectID - IETF_ATTR_OCTETS) / 2; - attr = ietf_attr_create(type, object); + attr = ietf_attr_create(type, object); ietf_attributes_add(this, attr); } break; diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index e57d3f5a5..b9f7dad55 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -133,11 +133,11 @@ struct private_key_t { /** * Generic private key equals() implementation, usable by implementors. * - * @param this first key to compare - * @param other second key to compare + * @param private private key to check + * @param other key to compare * @return TRUE if this is equal to other */ -bool private_key_equals(private_key_t *this, private_key_t *other); +bool private_key_equals(private_key_t *private, private_key_t *other); /** * Generic private key belongs_to() implementation, usable by implementors. @@ -151,10 +151,10 @@ bool private_key_belongs_to(private_key_t *private, public_key_t *public); /** * Generic private key has_fingerprint() implementation, usable by implementors. * - * @param this key to check fingerprint + * @param private private key to check * @param fingerprint fingerprint to check * @return TRUE if key has given fingerprint */ -bool private_key_has_fingerprint(private_key_t *this, chunk_t fingerprint); +bool private_key_has_fingerprint(private_key_t *private, chunk_t fingerprint); #endif /** PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index 22df5dd1b..37bba77d1 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -17,7 +17,8 @@ #include "public_key.h" -ENUM(key_type_names, KEY_RSA, KEY_DSA, +ENUM(key_type_names, KEY_ANY, KEY_DSA, + "ANY", "RSA", "ECDSA", "DSA" diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index d20d2736b..fdbe17f2c 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -151,7 +151,7 @@ struct public_key_t { * @param scheme encryption scheme to use * @param plain chunk containing plaintext data * @param crypto where to allocate encrypted data - * @return TRUE if data successfully encrypted + * @return TRUE if data successfully encrypted */ bool (*encrypt)(public_key_t *this, encryption_scheme_t scheme, chunk_t plain, chunk_t *crypto); @@ -215,20 +215,20 @@ struct public_key_t { /** * Generic public key equals() implementation, usable by implementors. * - * @param this first key to compare - * @param other second key to compare + * @param public public key to check + * @param other key to compare * @return TRUE if this is equal to other */ -bool public_key_equals(public_key_t *this, public_key_t *other); +bool public_key_equals(public_key_t *public, public_key_t *other); /** * Generic public key has_fingerprint() implementation, usable by implementors. * - * @param this key to check fingerprint + * @param public public key to check * @param fingerprint fingerprint to check * @return TRUE if key has given fingerprint */ -bool public_key_has_fingerprint(public_key_t *this, chunk_t fingerprint); +bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint); /** * Conversion of ASN.1 signature or hash OID to signature scheme. diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c index f695c078d..1c2d31167 100644 --- a/src/libstrongswan/credentials/keys/shared_key.c +++ b/src/libstrongswan/credentials/keys/shared_key.c @@ -51,35 +51,27 @@ struct private_shared_key_t { refcount_t ref; }; -/** - * Implements shared_key_t.get_type - */ -static shared_key_type_t get_type(private_shared_key_t *this) +METHOD(shared_key_t, get_type, shared_key_type_t, + private_shared_key_t *this) { return this->type; } -/** - * Implements shared_key_t.get_key - */ -static chunk_t get_key(private_shared_key_t *this) +METHOD(shared_key_t, get_key, chunk_t, + private_shared_key_t *this) { return this->key; } -/** - * Implements shared_key_t.get_ref - */ -static shared_key_t* get_ref(private_shared_key_t *this) +METHOD(shared_key_t, get_ref, shared_key_t*, + private_shared_key_t *this) { ref_get(&this->ref); return &this->public; } -/** - * Implementation of shared_key_t.destroy - */ -static void destroy(private_shared_key_t *this) +METHOD(shared_key_t, destroy, void, + private_shared_key_t *this) { if (ref_put(&this->ref)) { @@ -93,16 +85,19 @@ static void destroy(private_shared_key_t *this) */ shared_key_t *shared_key_create(shared_key_type_t type, chunk_t key) { - private_shared_key_t *this = malloc_thing(private_shared_key_t); - - this->public.get_type = (shared_key_type_t (*)(shared_key_t *this))get_type; - this->public.get_key = (chunk_t (*)(shared_key_t *this))get_key; - this->public.get_ref = (shared_key_t* (*)(shared_key_t *this))get_ref; - this->public.destroy = (void(*)(shared_key_t*))destroy; - - this->type = type; - this->key = key; - this->ref = 1; + private_shared_key_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .get_key = _get_key, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .type = type, + .key = key, + .ref = 1, + ); return &this->public; } diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c index 225fabe31..2cef23328 100644 --- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c @@ -172,12 +172,9 @@ static void wrapper_enumerator_destroy(wrapper_enumerator_t *this) free(this); } -/** - * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator - */ -static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) +METHOD(credential_set_t, create_enumerator, enumerator_t*, + private_auth_cfg_wrapper_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) { wrapper_enumerator_t *enumerator; @@ -196,10 +193,8 @@ static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this, return &enumerator->public; } -/** - * Implementation of auth_cfg_wrapper_t.destroy - */ -static void destroy(private_auth_cfg_wrapper_t *this) +METHOD(auth_cfg_wrapper_t, destroy, void, + private_auth_cfg_wrapper_t *this) { free(this); } @@ -209,16 +204,20 @@ static void destroy(private_auth_cfg_wrapper_t *this) */ auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth) { - private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t); - - this->public.set.create_private_enumerator = (void*)return_null; - this->public.set.create_cert_enumerator = (void*)create_enumerator; - this->public.set.create_shared_enumerator = (void*)return_null; - this->public.set.create_cdp_enumerator = (void*)return_null; - this->public.set.cache_cert = (void*)nop; - this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy; - - this->auth = auth; + private_auth_cfg_wrapper_t *this; + + INIT(this, + .public = { + .set = { + .create_cert_enumerator = _create_enumerator, + .create_shared_enumerator = (void*)return_null, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .destroy = _destroy, + }, + .auth = auth, + ); return &this->public; } diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index 7161ac9ac..968c3e31e 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -132,11 +132,8 @@ static void cache(private_cert_cache_t *this, } } -/** - * Implementation of cert_cache_t.issued_by. - */ -static bool issued_by(private_cert_cache_t *this, - certificate_t *subject, certificate_t *issuer) +METHOD(cert_cache_t, issued_by, bool, + private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer) { relation_t *found = NULL, *current; int i; @@ -270,12 +267,9 @@ static void cert_enumerator_destroy(cert_enumerator_t *this) free(this); } -/** - * implementation of credential_set_t.create_cert_enumerator - */ -static enumerator_t *create_enumerator(private_cert_cache_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) +METHOD(credential_set_t, create_enumerator, enumerator_t*, + private_cert_cache_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) { cert_enumerator_t *enumerator; @@ -296,10 +290,8 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this, return &enumerator->public; } -/** - * Implementation of cert_cache_t.flush. - */ -static void flush(private_cert_cache_t *this, certificate_type_t type) +METHOD(cert_cache_t, flush, void, + private_cert_cache_t *this, certificate_type_t type) { relation_t *rel; int i; @@ -339,10 +331,8 @@ static void flush(private_cert_cache_t *this, certificate_type_t type) } } -/** - * Implementation of cert_cache_t.destroy - */ -static void destroy(private_cert_cache_t *this) +METHOD(cert_cache_t, destroy, void, + private_cert_cache_t *this) { relation_t *rel; int i; @@ -368,15 +358,20 @@ cert_cache_t *cert_cache_create() private_cert_cache_t *this; int i; - this = malloc_thing(private_cert_cache_t); - this->public.set.create_private_enumerator = (void*)return_null; - this->public.set.create_cert_enumerator = (void*)create_enumerator; - this->public.set.create_shared_enumerator = (void*)return_null; - this->public.set.create_cdp_enumerator = (void*)return_null; - this->public.set.cache_cert = (void*)nop; - this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by; - this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush; - this->public.destroy = (void(*)(cert_cache_t*))destroy; + INIT(this, + .public = { + .set = { + .create_cert_enumerator = _create_enumerator, + .create_private_enumerator = (void*)return_null, + .create_shared_enumerator = (void*)return_null, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .issued_by = _issued_by, + .flush = _flush, + .destroy = _destroy, + }, + ); for (i = 0; i < CACHE_SIZE; i++) { @@ -385,5 +380,6 @@ cert_cache_t *cert_cache_create() this->relations[i].hits = 0; this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); } + return &this->public; } diff --git a/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c index 4786495da..151d69216 100644 --- a/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c +++ b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c @@ -94,12 +94,9 @@ static void enumerator_destroy(wrapper_enumerator_t *this) free(this); } -/** - * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator - */ -static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) +METHOD(credential_set_t, create_enumerator, enumerator_t*, + private_ocsp_response_wrapper_t *this,certificate_type_t cert, + key_type_t key, identification_t *id, bool trusted) { wrapper_enumerator_t *enumerator; @@ -118,10 +115,8 @@ static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this, return &enumerator->public; } -/** - * Implementation of ocsp_response_wrapper_t.destroy - */ -static void destroy(private_ocsp_response_wrapper_t *this) +METHOD(ocsp_response_wrapper_t, destroy, void, + private_ocsp_response_wrapper_t *this) { free(this); } @@ -131,16 +126,21 @@ static void destroy(private_ocsp_response_wrapper_t *this) */ ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response) { - private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t); - - this->public.set.create_private_enumerator = (void*)return_null; - this->public.set.create_cert_enumerator = (void*)create_enumerator; - this->public.set.create_shared_enumerator = (void*)return_null; - this->public.set.create_cdp_enumerator = (void*)return_null; - this->public.set.cache_cert = (void*)nop; - this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy; - - this->response = response; + private_ocsp_response_wrapper_t *this; + + INIT(this, + .public = { + .set = { + .create_cert_enumerator = _create_enumerator, + .create_private_enumerator = (void*)return_null, + .create_shared_enumerator = (void*)return_null, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .destroy = _destroy, + }, + .response = response, + ); return &this->public; } |