summaryrefslogtreecommitdiff
path: root/src/libstrongswan/credentials
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@corsac.net>2012-06-28 21:16:07 +0200
committerYves-Alexis Perez <corsac@corsac.net>2012-06-28 21:16:07 +0200
commitb34738ed08c2227300d554b139e2495ca5da97d6 (patch)
tree62f33b52820f2e49f0e53c0f8c636312037c8054 /src/libstrongswan/credentials
parent0a9d51a49042a68daa15b0c74a2b7f152f52606b (diff)
downloadvyos-strongswan-b34738ed08c2227300d554b139e2495ca5da97d6.tar.gz
vyos-strongswan-b34738ed08c2227300d554b139e2495ca5da97d6.zip
Imported Upstream version 4.6.4
Diffstat (limited to 'src/libstrongswan/credentials')
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c413
-rw-r--r--src/libstrongswan/credentials/auth_cfg.h46
-rw-r--r--src/libstrongswan/credentials/builder.c3
-rw-r--r--src/libstrongswan/credentials/builder.h8
-rw-r--r--src/libstrongswan/credentials/cert_validator.h2
-rw-r--r--src/libstrongswan/credentials/certificates/ac.h1
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.c1
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.h18
-rw-r--r--src/libstrongswan/credentials/certificates/crl.h6
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h12
-rw-r--r--src/libstrongswan/credentials/cred_encoding.c70
-rw-r--r--src/libstrongswan/credentials/cred_encoding.h2
-rw-r--r--src/libstrongswan/credentials/credential_factory.h2
-rw-r--r--src/libstrongswan/credentials/credential_manager.c4
-rw-r--r--src/libstrongswan/credentials/credential_manager.h28
-rw-r--r--src/libstrongswan/credentials/credential_set.h4
-rw-r--r--src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c118
-rw-r--r--src/libstrongswan/credentials/keys/private_key.h10
-rw-r--r--src/libstrongswan/credentials/keys/public_key.c3
-rw-r--r--src/libstrongswan/credentials/keys/public_key.h12
-rw-r--r--src/libstrongswan/credentials/keys/shared_key.c47
-rw-r--r--src/libstrongswan/credentials/sets/auth_cfg_wrapper.c39
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.c52
-rw-r--r--src/libstrongswan/credentials/sets/ocsp_response_wrapper.c40
24 files changed, 515 insertions, 426 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 23a3f62d9..12f75b240 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,6 +1,6 @@
/*
+ * Copyright (C) 2008-2012 Tobias Brunner
* Copyright (C) 2007-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -30,6 +30,63 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
"EAP",
);
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
+ "RULE_IDENTITY",
+ "RULE_AUTH_CLASS",
+ "RULE_AAA_IDENTITY",
+ "RULE_EAP_IDENTITY",
+ "RULE_EAP_TYPE",
+ "RULE_EAP_VENDOR",
+ "RULE_CA_CERT",
+ "RULE_IM_CERT",
+ "RULE_SUBJECT_CERT",
+ "RULE_CRL_VALIDATION",
+ "RULE_OCSP_VALIDATION",
+ "RULE_GROUP",
+ "RULE_RSA_STRENGTH",
+ "RULE_ECDSA_STRENGTH",
+ "RULE_CERT_POLICY",
+ "HELPER_IM_CERT",
+ "HELPER_SUBJECT_CERT",
+ "HELPER_IM_HASH_URL",
+ "HELPER_SUBJECT_HASH_URL",
+ "HELPER_REVOCATION_CERT",
+);
+
+/**
+ * Check if the given rule is a rule for which there may be multiple values.
+ */
+static inline bool is_multi_value_rule(auth_rule_t type)
+{
+ switch (type)
+ {
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AAA_IDENTITY:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ case AUTH_RULE_MAX:
+ return FALSE;
+ case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_GROUP:
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_CERT_POLICY:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_REVOCATION_CERT:
+ return TRUE;
+ }
+ return FALSE;
+}
+
typedef struct private_auth_cfg_t private_auth_cfg_t;
/**
@@ -67,6 +124,8 @@ typedef struct {
enumerator_t *inner;
/** current entry */
entry_t *current;
+ /** types we have already enumerated */
+ bool enumerated[AUTH_RULE_MAX];
} entry_enumerator_t;
/**
@@ -76,11 +135,22 @@ static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
{
entry_t *entry;
- if (this->inner->enumerate(this->inner, &entry))
+ while (this->inner->enumerate(this->inner, &entry))
{
+ if (!is_multi_value_rule(entry->type) && this->enumerated[entry->type])
+ {
+ continue;
+ }
+ this->enumerated[entry->type] = TRUE;
this->current = entry;
- *type = entry->type;
- *value = entry->value;
+ if (type)
+ {
+ *type = entry->type;
+ }
+ if (value)
+ {
+ *value = entry->value;
+ }
return TRUE;
}
return FALSE;
@@ -95,22 +165,124 @@ static void entry_enumerator_destroy(entry_enumerator_t *this)
free(this);
}
-/**
- * Implementation of auth_cfg_t.create_enumerator.
- */
-static enumerator_t* create_enumerator(private_auth_cfg_t *this)
+METHOD(auth_cfg_t, create_enumerator, enumerator_t*,
+ private_auth_cfg_t *this)
{
entry_enumerator_t *enumerator;
- enumerator = malloc_thing(entry_enumerator_t);
- enumerator->inner = this->entries->create_enumerator(this->entries);
- enumerator->public.enumerate = (void*)enumerate;
- enumerator->public.destroy = (void*)entry_enumerator_destroy;
- enumerator->current = NULL;
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)enumerate,
+ .destroy = (void*)entry_enumerator_destroy,
+ },
+ .inner = this->entries->create_enumerator(this->entries),
+ );
return &enumerator->public;
}
/**
+ * Create an entry from the given arguments.
+ */
+static entry_t *entry_create(auth_rule_t type, va_list args)
+{
+ entry_t *this = malloc_thing(entry_t);
+
+ this->type = type;
+ switch (type)
+ {
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+ /* integer type */
+ this->value = (void*)(uintptr_t)va_arg(args, u_int);
+ break;
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AAA_IDENTITY:
+ case AUTH_RULE_GROUP:
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_RULE_CERT_POLICY:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ case AUTH_HELPER_REVOCATION_CERT:
+ /* pointer type */
+ this->value = va_arg(args, void*);
+ break;
+ case AUTH_RULE_MAX:
+ this->value = NULL;
+ break;
+ }
+ return this;
+}
+
+/**
+ * Compare two entries for equality.
+ */
+static bool entry_equals(entry_t *e1, entry_t *e2)
+{
+ if (e1->type != e2->type)
+ {
+ return FALSE;
+ }
+ switch (e1->type)
+ {
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_RSA_STRENGTH:
+ case AUTH_RULE_ECDSA_STRENGTH:
+ {
+ return e1->value == e2->value;
+ }
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_REVOCATION_CERT:
+ {
+ certificate_t *c1, *c2;
+
+ c1 = (certificate_t*)e1->value;
+ c2 = (certificate_t*)e2->value;
+
+ return c1->equals(c1, c2);
+ }
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AAA_IDENTITY:
+ case AUTH_RULE_GROUP:
+ {
+ identification_t *id1, *id2;
+
+ id1 = (identification_t*)e1->value;
+ id2 = (identification_t*)e2->value;
+
+ return id1->equals(id1, id2);
+ }
+ case AUTH_RULE_CERT_POLICY:
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ {
+ return streq(e1->value, e2->value);
+ }
+ case AUTH_RULE_MAX:
+ break;
+ }
+ return FALSE;
+}
+
+/**
* Destroy the value associated with an entry
*/
static void destroy_entry_value(entry_t *entry)
@@ -151,6 +323,7 @@ static void destroy_entry_value(entry_t *entry)
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_MAX:
break;
}
}
@@ -158,17 +331,18 @@ static void destroy_entry_value(entry_t *entry)
/**
* Implementation of auth_cfg_t.replace.
*/
-static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
+static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
auth_rule_t type, ...)
{
if (enumerator->current)
{
+ entry_t *entry;
va_list args;
va_start(args, type);
-
- destroy_entry_value(enumerator->current);
- enumerator->current->type = type;
+ entry = enumerator->current;
+ destroy_entry_value(entry);
+ entry->type = type;
switch (type)
{
case AUTH_RULE_AUTH_CLASS:
@@ -179,7 +353,7 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
/* integer type */
- enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
+ entry->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
@@ -195,17 +369,18 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
case AUTH_HELPER_SUBJECT_HASH_URL:
case AUTH_HELPER_REVOCATION_CERT:
/* pointer type */
- enumerator->current->value = va_arg(args, void*);
+ entry->value = va_arg(args, void*);
+ break;
+ case AUTH_RULE_MAX:
+ entry->value = NULL;
break;
}
va_end(args);
}
}
-/**
- * Implementation of auth_cfg_t.get.
- */
-static void* get(private_auth_cfg_t *this, auth_rule_t type)
+METHOD(auth_cfg_t, get, void*,
+ private_auth_cfg_t *this, auth_rule_t type)
{
enumerator_t *enumerator;
void *current_value, *best_value = NULL;
@@ -264,9 +439,10 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
case AUTH_HELPER_REVOCATION_CERT:
- default:
- return NULL;
+ case AUTH_RULE_MAX:
+ break;
}
+ return NULL;
}
/**
@@ -274,49 +450,26 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
*/
static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
{
- entry_t *entry = malloc_thing(entry_t);
+ entry_t *entry;
va_list args;
va_start(args, type);
- entry->type = type;
- switch (type)
- {
- case AUTH_RULE_AUTH_CLASS:
- case AUTH_RULE_EAP_TYPE:
- case AUTH_RULE_EAP_VENDOR:
- case AUTH_RULE_CRL_VALIDATION:
- case AUTH_RULE_OCSP_VALIDATION:
- case AUTH_RULE_RSA_STRENGTH:
- case AUTH_RULE_ECDSA_STRENGTH:
- /* integer type */
- entry->value = (void*)(uintptr_t)va_arg(args, u_int);
- break;
- case AUTH_RULE_IDENTITY:
- case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AAA_IDENTITY:
- case AUTH_RULE_GROUP:
- case AUTH_RULE_CA_CERT:
- case AUTH_RULE_IM_CERT:
- case AUTH_RULE_SUBJECT_CERT:
- case AUTH_RULE_CERT_POLICY:
- case AUTH_HELPER_IM_CERT:
- case AUTH_HELPER_SUBJECT_CERT:
- case AUTH_HELPER_IM_HASH_URL:
- case AUTH_HELPER_SUBJECT_HASH_URL:
- case AUTH_HELPER_REVOCATION_CERT:
- /* pointer type */
- entry->value = va_arg(args, void*);
- break;
- }
+ entry = entry_create(type, args);
va_end(args);
- this->entries->insert_last(this->entries, entry);
+
+ if (is_multi_value_rule(type))
+ { /* insert rules that may occur multiple times at the end */
+ this->entries->insert_last(this->entries, entry);
+ }
+ else
+ { /* insert rules we expect only once at the front (get() will return
+ * the latest value) */
+ this->entries->insert_first(this->entries, entry);
+ }
}
-/**
- * Implementation of auth_cfg_t.complies.
- */
-static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
- bool log_error)
+METHOD(auth_cfg_t, complies, bool,
+ private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
{
enumerator_t *e1, *e2;
bool success = TRUE, has_group = FALSE, group_match = FALSE;
@@ -566,6 +719,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
case AUTH_HELPER_REVOCATION_CERT:
+ case AUTH_RULE_MAX:
/* skip helpers */
continue;
}
@@ -602,6 +756,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
auth_rule_t type;
void *value;
+ /* this enumerator skips duplicates for rules we expect only once */
enumerator = create_enumerator(other);
while (enumerator->enumerate(enumerator, &type, &value))
{
@@ -647,6 +802,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
add(this, type, strdup((char*)value));
break;
}
+ case AUTH_RULE_MAX:
+ break;
}
}
enumerator->destroy(enumerator);
@@ -672,85 +829,23 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
entry_t *i1, *i2;
bool equal = TRUE, found;
- if (this->entries->get_count(this->entries) !=
- other->entries->get_count(other->entries))
- {
- return FALSE;
- }
+ /* the rule count does not have to be equal for the two, as we only compare
+ * the first value found for some rules */
e1 = this->entries->create_enumerator(this->entries);
while (e1->enumerate(e1, &i1))
{
found = FALSE;
+
e2 = other->entries->create_enumerator(other->entries);
while (e2->enumerate(e2, &i2))
{
- if (i1->type == i2->type)
+ if (entry_equals(i1, i2))
{
- switch (i1->type)
- {
- case AUTH_RULE_AUTH_CLASS:
- case AUTH_RULE_EAP_TYPE:
- case AUTH_RULE_EAP_VENDOR:
- case AUTH_RULE_CRL_VALIDATION:
- case AUTH_RULE_OCSP_VALIDATION:
- case AUTH_RULE_RSA_STRENGTH:
- case AUTH_RULE_ECDSA_STRENGTH:
- {
- if (i1->value == i2->value)
- {
- found = TRUE;
- break;
- }
- continue;
- }
- case AUTH_RULE_CA_CERT:
- case AUTH_RULE_IM_CERT:
- case AUTH_RULE_SUBJECT_CERT:
- case AUTH_HELPER_IM_CERT:
- case AUTH_HELPER_SUBJECT_CERT:
- case AUTH_HELPER_REVOCATION_CERT:
- {
- certificate_t *c1, *c2;
-
- c1 = (certificate_t*)i1->value;
- c2 = (certificate_t*)i2->value;
-
- if (c1->equals(c1, c2))
- {
- found = TRUE;
- break;
- }
- continue;
- }
- case AUTH_RULE_IDENTITY:
- case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AAA_IDENTITY:
- case AUTH_RULE_GROUP:
- {
- identification_t *id1, *id2;
-
- id1 = (identification_t*)i1->value;
- id2 = (identification_t*)i2->value;
-
- if (id1->equals(id1, id2))
- {
- found = TRUE;
- break;
- }
- continue;
- }
- case AUTH_RULE_CERT_POLICY:
- case AUTH_HELPER_IM_HASH_URL:
- case AUTH_HELPER_SUBJECT_HASH_URL:
- {
- if (streq(i1->value, i2->value))
- {
- found = TRUE;
- break;
- }
- continue;
- }
- }
+ found = TRUE;
+ break;
+ }
+ else if (i1->type == i2->type && !is_multi_value_rule(i1->type))
+ { /* we continue our search, only for multi valued rules */
break;
}
}
@@ -765,10 +860,8 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
return equal;
}
-/**
- * Implementation of auth_cfg_t.purge
- */
-static void purge(private_auth_cfg_t *this, bool keep_ca)
+METHOD(auth_cfg_t, purge, void,
+ private_auth_cfg_t *this, bool keep_ca)
{
entry_t *entry;
linked_list_t *cas;
@@ -793,16 +886,15 @@ static void purge(private_auth_cfg_t *this, bool keep_ca)
cas->destroy(cas);
}
-/**
- * Implementation of auth_cfg_t.clone
- */
-static auth_cfg_t* clone_(private_auth_cfg_t *this)
+METHOD(auth_cfg_t, clone_, auth_cfg_t*,
+ private_auth_cfg_t *this)
{
enumerator_t *enumerator;
auth_cfg_t *clone;
entry_t *entry;
clone = auth_cfg_create();
+ /* this enumerator skips duplicates for rules we expect only once */
enumerator = this->entries->create_enumerator(this->entries);
while (enumerator->enumerate(enumerator, &entry))
{
@@ -844,16 +936,16 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
case AUTH_RULE_ECDSA_STRENGTH:
clone->add(clone, entry->type, (uintptr_t)entry->value);
break;
+ case AUTH_RULE_MAX:
+ break;
}
}
enumerator->destroy(enumerator);
return clone;
}
-/**
- * Implementation of auth_cfg_t.destroy
- */
-static void destroy(private_auth_cfg_t *this)
+METHOD(auth_cfg_t, destroy, void,
+ private_auth_cfg_t *this)
{
purge(this, FALSE);
this->entries->destroy(this->entries);
@@ -865,20 +957,23 @@ static void destroy(private_auth_cfg_t *this)
*/
auth_cfg_t *auth_cfg_create()
{
- private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
-
- this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
- this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
- this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
- this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace;
- this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies;
- this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge;
- this->public.purge = (void(*)(auth_cfg_t*,bool))purge;
- this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
- this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
- this->public.destroy = (void(*)(auth_cfg_t*))destroy;
-
- this->entries = linked_list_create();
+ private_auth_cfg_t *this;
+
+ INIT(this,
+ .public = {
+ .add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add,
+ .get = _get,
+ .create_enumerator = _create_enumerator,
+ .replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace,
+ .complies = _complies,
+ .merge = (void(*)(auth_cfg_t*,auth_cfg_t*,bool))merge,
+ .purge = _purge,
+ .equals = (bool(*)(auth_cfg_t*,auth_cfg_t*))equals,
+ .clone = _clone_,
+ .destroy = _destroy,
+ },
+ .entries = linked_list_create(),
+ );
return &this->public;
}
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 489ce1134..4d12a9c14 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -1,6 +1,6 @@
/*
+ * Copyright (C) 2008-2012 Tobias Brunner
* Copyright (C) 2007-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -31,7 +31,7 @@ typedef enum auth_class_t auth_class_t;
/**
* Class of authentication to use. This is different to auth_method_t in that
* it does not specify a method, but a class of acceptable methods. The found
- * certificate finally dictates wich method is used.
+ * certificate finally dictates which method is used.
*/
enum auth_class_t {
/** any class acceptable */
@@ -57,13 +57,12 @@ extern enum_name_t *auth_class_names;
* - For configs specifying local authentication behavior, the rules define
* which authentication method in which way.
* - For configs specifying remote peer authentication, the rules define
- * constraints the peer has to fullfill.
+ * constraints the peer has to fulfill.
*
* Additionally to the rules, there is a set of helper items. These are used
* to transport credentials during the authentication process.
*/
enum auth_rule_t {
-
/** identity to use for IKEv2 authentication exchange, identification_t* */
AUTH_RULE_IDENTITY,
/** authentication class, auth_class_t */
@@ -107,6 +106,9 @@ enum auth_rule_t {
AUTH_HELPER_SUBJECT_HASH_URL,
/** revocation certificate (CRL, OCSP), certificate_t* */
AUTH_HELPER_REVOCATION_CERT,
+
+ /** helper to determine the number of elements in this enum */
+ AUTH_RULE_MAX,
};
/**
@@ -119,8 +121,8 @@ extern enum_name_t *auth_rule_names;
*
* RFC4739 defines multiple authentication rounds. This class defines such
* a round from a configuration perspective, either for the local or the remote
- * peer. Local config are called "rulesets", as they define how we authenticate.
- * Remote peer configs are called "constraits", they define what is needed to
+ * peer. Local configs are called "rulesets". They define how we authenticate.
+ * Remote peer configs are called "constraits". They define what is needed to
* complete the authentication round successfully.
*
* @verbatim
@@ -144,13 +146,20 @@ extern enum_name_t *auth_rule_names;
@endverbatim
*
- * Values for each items are either pointers (casted to void*) or short
+ * Values for each item are either pointers (casted to void*) or short
* integers (use uintptr_t cast).
*/
struct auth_cfg_t {
/**
- * Add an rule to the set.
+ * Add a rule to the set.
+ *
+ * Rules we expect only once (e.g. identities) implicitly replace previous
+ * rules of the same type (but pointers to previous values will remain
+ * valid until the auth_cfg_t object is destroyed).
+ * Rules that may occur multiple times (e.g. CA certificates) are inserted
+ * so that they can be enumerated in the order in which they were added.
+ * For these get() will return the value added first.
*
* @param rule rule type
* @param ... associated value to rule
@@ -158,7 +167,9 @@ struct auth_cfg_t {
void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
/**
- * Get an rule value.
+ * Get a rule value.
+ *
+ * For rules we expect only once the latest value is returned.
*
* @param rule rule type
* @return bool if item has been found
@@ -168,14 +179,17 @@ struct auth_cfg_t {
/**
* Create an enumerator over added rules.
*
+ * Refer to add() regarding the order in which rules are enumerated.
+ * For rules we expect only once the latest value is enumerated only.
+ *
* @return enumerator over (auth_rule_t, union{void*,uintpr_t})
*/
enumerator_t* (*create_enumerator)(auth_cfg_t *this);
/**
- * Replace an rule at enumerator position.
+ * Replace a rule at enumerator position.
*
- * @param pos enumerator position position
+ * @param pos enumerator position
* @param rule rule type
* @param ... associated value to rule
*/
@@ -186,7 +200,7 @@ struct auth_cfg_t {
* Check if a used config fulfills a set of configured constraints.
*
* @param constraints required authorization rules
- * @param log_error wheter to log compliance errors
+ * @param log_error whether to log compliance errors
* @return TRUE if this complies with constraints
*/
bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
@@ -202,20 +216,22 @@ struct auth_cfg_t {
/**
* Purge all rules in a config.
*
- * @param keep_ca wheter to keep AUTH_RULE_CA_CERT entries
+ * @param keep_ca whether to keep AUTH_RULE_CA_CERT entries
*/
void (*purge)(auth_cfg_t *this, bool keep_ca);
/**
* Check two configs for equality.
*
- * @param other other config to compaire against this
+ * For rules we expect only once the latest value is compared only.
+ *
+ * @param other other config to compare against this
* @return TRUE if auth infos identical
*/
bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
/**
- * Clone a authentication config, including all rules.
+ * Clone an authentication config, including all rules.
*
* @return cloned configuration
*/
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index f9a277a2c..d3157c80e 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -23,8 +23,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_BLOB_PEM",
"BUILD_BLOB_PGP",
"BUILD_BLOB_DNSKEY",
- "BUILD_PASSPHRASE",
- "BUILD_PASSPHRASE_CALLBACK",
+ "BUILD_BLOB_ALGID_PARAMS",
"BUILD_KEY_SIZE",
"BUILD_SIGNING_KEY",
"BUILD_SIGNING_CERT",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 325b668cd..41250ccae 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -28,8 +28,8 @@ typedef enum builder_part_t builder_part_t;
/**
* Constructor function to build credentials.
*
- * Any added parts are cloned/refcounted by the builder implementation, a
- * caller may need to free the passed ressources themself.
+ * Any added parts are cloned/refcounted by the builder implementation.
+ * Callers may need to free the passed resources themselves.
*
* @param subtype constructor specific subtype, e.g. a certificate_type_t
* @param args list of builder part types, followed by parts, BUILD_END
@@ -53,10 +53,12 @@ enum builder_part_t {
BUILD_BLOB_ASN1_DER,
/** PEM encoded ASN.1/PGP blob, chunk_t */
BUILD_BLOB_PEM,
- /** OpenPGP key blob, chunk_t */
+ /** OpenPGP key blob, chunk_t */
BUILD_BLOB_PGP,
/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
BUILD_BLOB_DNSKEY,
+ /** parameters from algorithmIdentifier (ASN.1 blob), chunk_t */
+ BUILD_BLOB_ALGID_PARAMS,
/** key size in bits, as used for key generation, u_int */
BUILD_KEY_SIZE,
/** private key to use for signing, private_key_t* */
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 733d9d612..00e30d7a0 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -39,7 +39,7 @@ struct cert_validator_t {
*
* @param subject subject certificate to check
* @param issuer issuer of subject
- * @param online wheter to do online revocation checking
+ * @param online whether to do online revocation checking
* @param pathlen the current length of the path bottom-up
* @param anchor is issuer trusted root anchor
* @param auth container for resulting authentication info
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
index fef7f8c65..57b44adca 100644
--- a/src/libstrongswan/credentials/certificates/ac.h
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -79,7 +79,6 @@ struct ac_t {
/**
* @brief Checks if two attribute certificates belong to the same holder
*
- * @param this calling attribute certificate
* @param that other attribute certificate
* @return TRUE if same holder
*/
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 661b69e36..33ba4e907 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -38,6 +38,7 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
"SKIPPED",
"STALE",
"FAILED",
+ "ON_HOLD",
"REVOKED",
);
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 43bfe3dc1..2f471da5b 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -77,6 +77,8 @@ enum cert_validation_t {
VALIDATION_STALE,
/** validation failed due to a processing error */
VALIDATION_FAILED,
+ /** certificate is on hold (i.e. temporary revokation) */
+ VALIDATION_ON_HOLD,
/** certificate has been revoked */
VALIDATION_REVOKED,
};
@@ -115,7 +117,7 @@ struct certificate_t {
* not returned by get_subject (e.g. subjectAltNames)
*
* @param subject subject identity
- * @return matching value of best match
+ * @return matching value of best match
*/
id_match_t (*has_subject)(certificate_t *this, identification_t *subject);
@@ -132,8 +134,8 @@ struct certificate_t {
* A certificate may contain additional issuer identifiers, which are
* not returned by get_issuer (e.g. issuerAltNames)
*
- * @param subject isser identity
- * @return matching value of best match
+ * @param subject issuer identity
+ * @return matching value of best match
*/
id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer);
@@ -141,7 +143,7 @@ struct certificate_t {
* Check if this certificate is issued and signed by a specific issuer.
*
* @param issuer issuer's certificate
- * @return TRUE if certificate issued by issuer and trusted
+ * @return TRUE if certificate issued by issuer and trusted
*/
bool (*issued_by)(certificate_t *this, certificate_t *issuer);
@@ -176,7 +178,7 @@ struct certificate_t {
/**
* Check if two certificates are equal.
*
- * @param other certificate to compair against this
+ * @param other certificate to compare against this
* @return TRUE if certificates are equal
*/
bool (*equals)(certificate_t *this, certificate_t *other);
@@ -197,10 +199,10 @@ struct certificate_t {
/**
* Generic check if a given certificate is newer than another.
*
- * @param this first certificate to check
- * @param other second certificate
+ * @param cert certificate
+ * @param other certificate to compare to
* @return TRUE if this newer than other
*/
-bool certificate_is_newer(certificate_t *this, certificate_t *other);
+bool certificate_is_newer(certificate_t *cert, certificate_t *other);
#endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 2f3497474..4191c5935 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -100,10 +100,10 @@ struct crl_t {
/**
* Generic check if a given CRL is newer than another.
*
- * @param this first CRL to check
- * @param other second CRL
+ * @param crl CRL
+ * @param other CRL to compare to
* @return TRUE if this newer than other
*/
-bool crl_is_newer(crl_t *this, crl_t *other);
+bool crl_is_newer(crl_t *crl, crl_t *other);
#endif /** CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index fec02dbad..5125aca26 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -41,13 +41,13 @@ enum x509_flag_t {
/** cert has no constraints */
X509_NONE = 0,
/** cert has CA constraint */
- X509_CA = (1<<0),
+ X509_CA = (1<<0),
/** cert has AA constraint */
- X509_AA = (1<<1),
+ X509_AA = (1<<1),
/** cert has OCSP signer constraint */
- X509_OCSP_SIGNER = (1<<2),
+ X509_OCSP_SIGNER = (1<<2),
/** cert has serverAuth key usage */
- X509_SERVER_AUTH = (1<<3),
+ X509_SERVER_AUTH = (1<<3),
/** cert has clientAuth key usage */
X509_CLIENT_AUTH = (1<<4),
/** cert is self-signed */
@@ -76,12 +76,12 @@ enum x509_constraint_t {
* X.509 certPolicy extension.
*/
struct x509_cert_policy_t {
- /** OID of certPolicy */
- chunk_t oid;
/** Certification Practice Statement URI qualifier */
char *cps_uri;
/** UserNotice Text qualifier */
char *unotice_text;
+ /** OID of certPolicy */
+ chunk_t oid;
};
/**
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index ac3266f4c..4865984dd 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -110,15 +110,13 @@ static bool equals(void *key1, void *key2)
return key1 == key2;
}
-/**
- * Implementation of cred_encoding_t.get_cache
- */
-static bool get_cache(private_cred_encoding_t *this, cred_encoding_type_t type,
- void *cache, chunk_t *encoding)
+METHOD(cred_encoding_t, get_cache, bool,
+ private_cred_encoding_t *this, cred_encoding_type_t type, void *cache,
+ chunk_t *encoding)
{
chunk_t *chunk;
- if (type >= CRED_ENCODING_MAX || type < 0)
+ if (type >= CRED_ENCODING_MAX || (int)type < 0)
{
return FALSE;
}
@@ -144,7 +142,7 @@ static bool encode(private_cred_encoding_t *this, cred_encoding_type_t type,
bool success = FALSE;
chunk_t *chunk;
- if (type >= CRED_ENCODING_MAX || type < 0)
+ if (type >= CRED_ENCODING_MAX || (int)type < 0)
{
return FALSE;
}
@@ -191,15 +189,13 @@ static bool encode(private_cred_encoding_t *this, cred_encoding_type_t type,
return success;
}
-/**
- * Implementation of cred_encoding_t.cache
- */
-static void cache(private_cred_encoding_t *this, cred_encoding_type_t type,
- void *cache, chunk_t encoding)
+METHOD(cred_encoding_t, cache, void,
+ private_cred_encoding_t *this, cred_encoding_type_t type, void *cache,
+ chunk_t encoding)
{
chunk_t *chunk;
- if (type >= CRED_ENCODING_MAX || type < 0)
+ if (type >= CRED_ENCODING_MAX || (int)type < 0)
{
return free(encoding.ptr);
}
@@ -216,10 +212,8 @@ static void cache(private_cred_encoding_t *this, cred_encoding_type_t type,
}
}
-/**
- * Implementation of cred_encoding_t.clear_cache
- */
-static void clear_cache(private_cred_encoding_t *this, void *cache)
+METHOD(cred_encoding_t, clear_cache, void,
+ private_cred_encoding_t *this, void *cache)
{
cred_encoding_type_t type;
chunk_t *chunk;
@@ -237,30 +231,24 @@ static void clear_cache(private_cred_encoding_t *this, void *cache)
this->lock->unlock(this->lock);
}
-/**
- * Implementation of cred_encoding_t.add_encoder
- */
-static void add_encoder(private_cred_encoding_t *this, cred_encoder_t encoder)
+METHOD(cred_encoding_t, add_encoder, void,
+ private_cred_encoding_t *this, cred_encoder_t encoder)
{
this->lock->write_lock(this->lock);
this->encoders->insert_last(this->encoders, encoder);
this->lock->unlock(this->lock);
}
-/**
- * Implementation of cred_encoding_t.remove_encoder
- */
-static void remove_encoder(private_cred_encoding_t *this, cred_encoder_t encoder)
+METHOD(cred_encoding_t, remove_encoder, void,
+ private_cred_encoding_t *this, cred_encoder_t encoder)
{
this->lock->write_lock(this->lock);
this->encoders->remove(this->encoders, encoder, NULL);
this->lock->unlock(this->lock);
}
-/**
- * Implementation of cred_encoder_t.destroy.
- */
-static void destroy(private_cred_encoding_t *this)
+METHOD(cred_encoding_t, destroy, void,
+ private_cred_encoding_t *this)
{
cred_encoding_type_t type;
@@ -282,23 +270,27 @@ static void destroy(private_cred_encoding_t *this)
*/
cred_encoding_t *cred_encoding_create()
{
- private_cred_encoding_t *this = malloc_thing(private_cred_encoding_t);
+ private_cred_encoding_t *this;
cred_encoding_type_t type;
- this->public.encode = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode;
- this->public.get_cache = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding))get_cache;
- this->public.cache = (void(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t encoding))cache;
- this->public.clear_cache = (void(*)(cred_encoding_t*, void *cache))clear_cache;
- this->public.add_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))add_encoder;
- this->public.remove_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))remove_encoder;
- this->public.destroy = (void(*)(cred_encoding_t*))destroy;
+ INIT(this,
+ .public = {
+ .encode = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode,
+ .get_cache = _get_cache,
+ .cache = _cache,
+ .clear_cache = _clear_cache,
+ .add_encoder = _add_encoder,
+ .remove_encoder = _remove_encoder,
+ .destroy = _destroy,
+ },
+ .encoders = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ );
for (type = 0; type < CRED_ENCODING_MAX; type++)
{
this->cache[type] = hashtable_create(hash, equals, 8);
}
- this->encoders = linked_list_create();
- this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index e2d69691e..b029fe2ac 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -59,7 +59,7 @@ bool cred_encoding_args(va_list args, ...);
/**
* Encoding type of a fingerprint/credential.
*
- * Fingerprints have have the KEYID_*, public keys the PUBKEY_* and
+ * Fingerprints have the KEYID_*, public keys the PUBKEY_* and
* private keys the PRIVKEY_* prefix.
*/
enum cred_encoding_type_t {
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index 709dc916a..c31601245 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -54,7 +54,7 @@ struct credential_factory_t {
* The variable argument list takes builder_part_t types followed
* by the type specific value. The list must be terminated using BUILD_END.
* All passed parts get cloned/refcounted by the builder functions,
- * so free up allocated ressources after successful and unsuccessful
+ * so free up allocated resources after successful and unsuccessful
* invocations.
*
* @param type credential type to build
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 27b97eab3..b3461b810 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -866,7 +866,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
}
/**
- * Check if an helper contains a certificate as trust anchor
+ * Check if a helper contains a certificate as trust anchor
*/
static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
{
@@ -949,7 +949,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
}
/**
- * find a private key of a give certificate
+ * find a private key of a given certificate
*/
static private_key_t *get_private_by_cert(private_credential_manager_t *this,
certificate_t *cert, key_type_t type)
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 04269cfbf..8e8f04b8c 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -36,11 +36,11 @@ typedef struct credential_manager_t credential_manager_t;
* Manages credentials using credential_sets.
*
* The credential manager is the entry point of the credential framework. It
- * uses so called "sets" to access credentials in a modular fashion, these
+ * uses so called "sets" to access credentials in a modular fashion. These
* are implemented through the credential_set_t interface.
* The manager additionally does trust chain verification and trust status
- * chaching. A set may call the managers methods if it needs credentials itself,
- * the manager uses recursive locking.
+ * caching. A set may call the managers methods if it needs credentials itself.
+ * The manager uses recursive locking.
*
* @verbatim
@@ -62,8 +62,8 @@ typedef struct credential_manager_t credential_manager_t;
@endverbatim
*
- * The credential manager uses rwlocks for performance reasons, credential
- * sets must be fully thread save.
+ * The credential manager uses rwlocks for performance reasons. Credential
+ * sets must be fully thread-safe.
*/
struct credential_manager_t {
@@ -84,7 +84,7 @@ struct credential_manager_t {
*
* The enumerator enumerates over:
* shared_key_t*, id_match_t me, id_match_t other
- * But must accepts values for the id_matches.
+ * But must accept values for the id_matches.
*
* @param type kind of requested shared key
* @param first first subject between key is shared
@@ -120,7 +120,7 @@ struct credential_manager_t {
*
* @param type kind of requested shared key
* @param me own identity
- * @param other peers identity
+ * @param other peer identity
* @return shared_key_t, NULL if none found
*/
shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
@@ -130,7 +130,7 @@ struct credential_manager_t {
*
* The get_private() method gets a secret private key identified by either
* the keyid itself or an id the key belongs to.
- * The auth parameter contains additional information, such as receipients
+ * The auth parameter contains additional information, such as recipients
* trusted CA certs. Auth gets filled with subject and CA certificates
* needed to validate a created signature.
*
@@ -146,7 +146,7 @@ struct credential_manager_t {
* Create an enumerator over trusted certificates.
*
* This method creates an enumerator over trusted certificates. The auth
- * parameter (if given) recevies the trustchain used to validate
+ * parameter (if given) receives the trustchain used to validate
* the certificate. The resulting enumerator enumerates over
* certificate_t*, auth_cfg_t*.
* If online is set, revocations are checked online for the whole
@@ -163,7 +163,7 @@ struct credential_manager_t {
/**
* Create an enumerator over trusted public keys.
*
- * This method gets a an enumerator over trusted public keys to verify a
+ * This method creates an enumerator over trusted public keys to verify a
* signature created by id. The auth parameter contains additional
* authentication infos, e.g. peer and intermediate certificates.
* The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
@@ -180,7 +180,7 @@ struct credential_manager_t {
key_type_t type, identification_t *id, auth_cfg_t *auth);
/**
- * Cache a certificate by invoking cache_cert() on all registerd sets.
+ * Cache a certificate by invoking cache_cert() on all registered sets.
*
* @param cert certificate to cache
*/
@@ -199,8 +199,8 @@ struct credential_manager_t {
/**
* Check if a given subject certificate is issued by an issuer certificate.
*
- * This operation does signature verification, but uses the credential
- * managers cache for to speed up the operation.
+ * This operation does signature verification using the credential
+ * manager's cache to speed up the operation.
*
* @param subject subject certificate to check
* @param issuer issuer certificate that potentially has signed subject
@@ -228,7 +228,7 @@ struct credential_manager_t {
*
* To add a credential set for the current trustchain verification
* operation, sets may be added for the calling thread only. This
- * does not require a write lock and is therefore a much less expensive
+ * does not require a write lock and is therefore a much cheaper
* operation.
*
* @param set set to register
diff --git a/src/libstrongswan/credentials/credential_set.h b/src/libstrongswan/credentials/credential_set.h
index 0eee237cb..8673c484f 100644
--- a/src/libstrongswan/credentials/credential_set.h
+++ b/src/libstrongswan/credentials/credential_set.h
@@ -38,7 +38,7 @@ typedef struct credential_set_t credential_set_t;
* A credential set enumerator may not block the credential set, i.e. multiple
* threads must be able to hold multiple enumerators, as the credential manager
* is higly parallelized. The best way to achieve this is by using shared
- * read locks for the enumerators only. Otherwiese deadlocks will occur.
+ * read locks for the enumerators only. Otherwise deadlocks will occur.
* The writing cache_cert() routine is called by the manager only if no
* enumerator is alive, so it is save to use a write lock there.
*/
@@ -97,7 +97,7 @@ struct credential_set_t {
/**
* Cache a certificate in the credential set.
*
- * The caching policy is implementation dependent, the sets may cache the
+ * The caching policy is implementation dependent. The sets may cache the
* certificate in-memory, persistent on disk or not at all.
*
* @param cert certificate to cache
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index fecc9910e..fb18fb53d 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -102,15 +102,14 @@ static void ietf_attr_destroy(ietf_attr_t *this)
*/
static ietf_attr_t* ietf_attr_create(ietf_attribute_type_t type, chunk_t value)
{
- ietf_attr_t *this = malloc_thing(ietf_attr_t);
+ ietf_attr_t *this;
- /* initialize */
- this->type = type;
- this->value = chunk_clone(value);
-
- /* function */
- this->compare = ietf_attr_compare;
- this->destroy = ietf_attr_destroy;
+ INIT(this,
+ .compare = ietf_attr_compare,
+ .destroy = ietf_attr_destroy,
+ .type = type,
+ .value = chunk_clone(value),
+ );
return this;
}
@@ -142,10 +141,8 @@ struct private_ietf_attributes_t {
refcount_t ref;
};
-/**
- * Implementation of ietf_attributes_t.get_string.
- */
-static char* get_string(private_ietf_attributes_t *this)
+METHOD(ietf_attributes_t, get_string, char*,
+ private_ietf_attributes_t *this)
{
if (this->string == NULL)
{
@@ -217,10 +214,8 @@ static char* get_string(private_ietf_attributes_t *this)
return this->string;
}
-/**
- * Implementation of ietf_attributes_t.get_encoding.
- */
-static chunk_t get_encoding(private_ietf_attributes_t *this)
+METHOD(ietf_attributes_t, get_encoding, chunk_t,
+ private_ietf_attributes_t *this)
{
chunk_t values;
size_t size = 0;
@@ -270,7 +265,11 @@ static chunk_t get_encoding(private_ietf_attributes_t *this)
return asn1_wrap(ASN1_SEQUENCE, "m", values);
}
-static bool equals(private_ietf_attributes_t *this, private_ietf_attributes_t *other)
+/**
+ * Implementation of ietf_attributes_t.equals.
+ */
+static bool equals(private_ietf_attributes_t *this,
+ private_ietf_attributes_t *other)
{
bool result = TRUE;
@@ -304,7 +303,11 @@ static bool equals(private_ietf_attributes_t *this, private_ietf_attributes_t *o
return result;
}
-static bool matches(private_ietf_attributes_t *this, private_ietf_attributes_t *other)
+/**
+ * Implementation of ietf_attributes_t.matches.
+ */
+static bool matches(private_ietf_attributes_t *this,
+ private_ietf_attributes_t *other)
{
bool result = FALSE;
ietf_attr_t *attr_a, *attr_b;
@@ -364,19 +367,15 @@ static bool matches(private_ietf_attributes_t *this, private_ietf_attributes_t *
return result;
}
-/**
- * Implementation of ietf_attributes_t.get_ref
- */
-static private_ietf_attributes_t* get_ref(private_ietf_attributes_t *this)
+METHOD(ietf_attributes_t, get_ref, ietf_attributes_t*,
+ private_ietf_attributes_t *this)
{
ref_get(&this->ref);
- return this;
+ return &this->public;
}
-/**
- * Implementation of ietf_attributes_t.destroy.
- */
-static void destroy(private_ietf_attributes_t *this)
+METHOD(ietf_attributes_t, destroy, void,
+ private_ietf_attributes_t *this)
{
if (ref_put(&this->ref))
{
@@ -388,18 +387,21 @@ static void destroy(private_ietf_attributes_t *this)
static private_ietf_attributes_t* create_empty(void)
{
- private_ietf_attributes_t *this = malloc_thing(private_ietf_attributes_t);
-
- this->public.get_string = (char* (*)(ietf_attributes_t*))get_string;
- this->public.get_encoding = (chunk_t (*)(ietf_attributes_t*))get_encoding;
- this->public.equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals;
- this->public.matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches;
- this->public.get_ref = (ietf_attributes_t* (*)(ietf_attributes_t*))get_ref;
- this->public.destroy = (void (*)(ietf_attributes_t*))destroy;
-
- this->list = linked_list_create();
- this->string = NULL;
- this->ref = 1;
+ private_ietf_attributes_t *this;
+
+ INIT(this,
+ .public = {
+ .get_string = _get_string,
+ .get_encoding = _get_encoding,
+ .equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals,
+ .matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .list = linked_list_create(),
+ .ref = 1,
+ );
+
return this;
}
@@ -410,34 +412,24 @@ static void ietf_attributes_add(private_ietf_attributes_t *this,
ietf_attr_t *attr)
{
ietf_attr_t *current_attr;
- bool found = FALSE;
- iterator_t *iterator;
+ enumerator_t *enumerator;
+ int cmp = -1;
- iterator = this->list->create_iterator(this->list, TRUE);
- while (iterator->iterate(iterator, (void **)&current_attr))
+ enumerator = this->list->create_enumerator(this->list);
+ while (enumerator->enumerate(enumerator, (void **)&current_attr) &&
+ (cmp = attr->compare(attr, current_attr)) > 0)
{
- int cmp = attr->compare(attr, current_attr);
-
- if (cmp > 0)
- {
- continue;
- }
- if (cmp == 0)
- {
- attr->destroy(attr);
- }
- else
- {
- iterator->insert_before(iterator, attr);
- }
- found = TRUE;
- break;
+ continue;
}
- iterator->destroy(iterator);
- if (!found)
+ if (cmp == 0)
{
- this->list->insert_last(this->list, attr);
+ attr->destroy(attr);
+ }
+ else
+ { /* the enumerator either points to the end or to the attribute > attr */
+ this->list->insert_before(this->list, enumerator, attr);
}
+ enumerator->destroy(enumerator);
}
/*
@@ -527,7 +519,7 @@ ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded)
ietf_attr_t *attr;
type = (objectID - IETF_ATTR_OCTETS) / 2;
- attr = ietf_attr_create(type, object);
+ attr = ietf_attr_create(type, object);
ietf_attributes_add(this, attr);
}
break;
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index e57d3f5a5..b9f7dad55 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -133,11 +133,11 @@ struct private_key_t {
/**
* Generic private key equals() implementation, usable by implementors.
*
- * @param this first key to compare
- * @param other second key to compare
+ * @param private private key to check
+ * @param other key to compare
* @return TRUE if this is equal to other
*/
-bool private_key_equals(private_key_t *this, private_key_t *other);
+bool private_key_equals(private_key_t *private, private_key_t *other);
/**
* Generic private key belongs_to() implementation, usable by implementors.
@@ -151,10 +151,10 @@ bool private_key_belongs_to(private_key_t *private, public_key_t *public);
/**
* Generic private key has_fingerprint() implementation, usable by implementors.
*
- * @param this key to check fingerprint
+ * @param private private key to check
* @param fingerprint fingerprint to check
* @return TRUE if key has given fingerprint
*/
-bool private_key_has_fingerprint(private_key_t *this, chunk_t fingerprint);
+bool private_key_has_fingerprint(private_key_t *private, chunk_t fingerprint);
#endif /** PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 22df5dd1b..37bba77d1 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -17,7 +17,8 @@
#include "public_key.h"
-ENUM(key_type_names, KEY_RSA, KEY_DSA,
+ENUM(key_type_names, KEY_ANY, KEY_DSA,
+ "ANY",
"RSA",
"ECDSA",
"DSA"
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index d20d2736b..fdbe17f2c 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -151,7 +151,7 @@ struct public_key_t {
* @param scheme encryption scheme to use
* @param plain chunk containing plaintext data
* @param crypto where to allocate encrypted data
- * @return TRUE if data successfully encrypted
+ * @return TRUE if data successfully encrypted
*/
bool (*encrypt)(public_key_t *this, encryption_scheme_t scheme,
chunk_t plain, chunk_t *crypto);
@@ -215,20 +215,20 @@ struct public_key_t {
/**
* Generic public key equals() implementation, usable by implementors.
*
- * @param this first key to compare
- * @param other second key to compare
+ * @param public public key to check
+ * @param other key to compare
* @return TRUE if this is equal to other
*/
-bool public_key_equals(public_key_t *this, public_key_t *other);
+bool public_key_equals(public_key_t *public, public_key_t *other);
/**
* Generic public key has_fingerprint() implementation, usable by implementors.
*
- * @param this key to check fingerprint
+ * @param public public key to check
* @param fingerprint fingerprint to check
* @return TRUE if key has given fingerprint
*/
-bool public_key_has_fingerprint(public_key_t *this, chunk_t fingerprint);
+bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint);
/**
* Conversion of ASN.1 signature or hash OID to signature scheme.
diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c
index f695c078d..1c2d31167 100644
--- a/src/libstrongswan/credentials/keys/shared_key.c
+++ b/src/libstrongswan/credentials/keys/shared_key.c
@@ -51,35 +51,27 @@ struct private_shared_key_t {
refcount_t ref;
};
-/**
- * Implements shared_key_t.get_type
- */
-static shared_key_type_t get_type(private_shared_key_t *this)
+METHOD(shared_key_t, get_type, shared_key_type_t,
+ private_shared_key_t *this)
{
return this->type;
}
-/**
- * Implements shared_key_t.get_key
- */
-static chunk_t get_key(private_shared_key_t *this)
+METHOD(shared_key_t, get_key, chunk_t,
+ private_shared_key_t *this)
{
return this->key;
}
-/**
- * Implements shared_key_t.get_ref
- */
-static shared_key_t* get_ref(private_shared_key_t *this)
+METHOD(shared_key_t, get_ref, shared_key_t*,
+ private_shared_key_t *this)
{
ref_get(&this->ref);
return &this->public;
}
-/**
- * Implementation of shared_key_t.destroy
- */
-static void destroy(private_shared_key_t *this)
+METHOD(shared_key_t, destroy, void,
+ private_shared_key_t *this)
{
if (ref_put(&this->ref))
{
@@ -93,16 +85,19 @@ static void destroy(private_shared_key_t *this)
*/
shared_key_t *shared_key_create(shared_key_type_t type, chunk_t key)
{
- private_shared_key_t *this = malloc_thing(private_shared_key_t);
-
- this->public.get_type = (shared_key_type_t (*)(shared_key_t *this))get_type;
- this->public.get_key = (chunk_t (*)(shared_key_t *this))get_key;
- this->public.get_ref = (shared_key_t* (*)(shared_key_t *this))get_ref;
- this->public.destroy = (void(*)(shared_key_t*))destroy;
-
- this->type = type;
- this->key = key;
- this->ref = 1;
+ private_shared_key_t *this;
+
+ INIT(this,
+ .public = {
+ .get_type = _get_type,
+ .get_key = _get_key,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ .type = type,
+ .key = key,
+ .ref = 1,
+ );
return &this->public;
}
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 225fabe31..2cef23328 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -172,12 +172,9 @@ static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
free(this);
}
-/**
- * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
- certificate_type_t cert, key_type_t key,
- identification_t *id, bool trusted)
+METHOD(credential_set_t, create_enumerator, enumerator_t*,
+ private_auth_cfg_wrapper_t *this, certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
{
wrapper_enumerator_t *enumerator;
@@ -196,10 +193,8 @@ static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
return &enumerator->public;
}
-/**
- * Implementation of auth_cfg_wrapper_t.destroy
- */
-static void destroy(private_auth_cfg_wrapper_t *this)
+METHOD(auth_cfg_wrapper_t, destroy, void,
+ private_auth_cfg_wrapper_t *this)
{
free(this);
}
@@ -209,16 +204,20 @@ static void destroy(private_auth_cfg_wrapper_t *this)
*/
auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
{
- private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
-
- this->public.set.create_private_enumerator = (void*)return_null;
- this->public.set.create_cert_enumerator = (void*)create_enumerator;
- this->public.set.create_shared_enumerator = (void*)return_null;
- this->public.set.create_cdp_enumerator = (void*)return_null;
- this->public.set.cache_cert = (void*)nop;
- this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
-
- this->auth = auth;
+ private_auth_cfg_wrapper_t *this;
+
+ INIT(this,
+ .public = {
+ .set = {
+ .create_cert_enumerator = _create_enumerator,
+ .create_shared_enumerator = (void*)return_null,
+ .create_cdp_enumerator = (void*)return_null,
+ .cache_cert = (void*)nop,
+ },
+ .destroy = _destroy,
+ },
+ .auth = auth,
+ );
return &this->public;
}
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 7161ac9ac..968c3e31e 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -132,11 +132,8 @@ static void cache(private_cert_cache_t *this,
}
}
-/**
- * Implementation of cert_cache_t.issued_by.
- */
-static bool issued_by(private_cert_cache_t *this,
- certificate_t *subject, certificate_t *issuer)
+METHOD(cert_cache_t, issued_by, bool,
+ private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer)
{
relation_t *found = NULL, *current;
int i;
@@ -270,12 +267,9 @@ static void cert_enumerator_destroy(cert_enumerator_t *this)
free(this);
}
-/**
- * implementation of credential_set_t.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_cert_cache_t *this,
- certificate_type_t cert, key_type_t key,
- identification_t *id, bool trusted)
+METHOD(credential_set_t, create_enumerator, enumerator_t*,
+ private_cert_cache_t *this, certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
{
cert_enumerator_t *enumerator;
@@ -296,10 +290,8 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
return &enumerator->public;
}
-/**
- * Implementation of cert_cache_t.flush.
- */
-static void flush(private_cert_cache_t *this, certificate_type_t type)
+METHOD(cert_cache_t, flush, void,
+ private_cert_cache_t *this, certificate_type_t type)
{
relation_t *rel;
int i;
@@ -339,10 +331,8 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
}
}
-/**
- * Implementation of cert_cache_t.destroy
- */
-static void destroy(private_cert_cache_t *this)
+METHOD(cert_cache_t, destroy, void,
+ private_cert_cache_t *this)
{
relation_t *rel;
int i;
@@ -368,15 +358,20 @@ cert_cache_t *cert_cache_create()
private_cert_cache_t *this;
int i;
- this = malloc_thing(private_cert_cache_t);
- this->public.set.create_private_enumerator = (void*)return_null;
- this->public.set.create_cert_enumerator = (void*)create_enumerator;
- this->public.set.create_shared_enumerator = (void*)return_null;
- this->public.set.create_cdp_enumerator = (void*)return_null;
- this->public.set.cache_cert = (void*)nop;
- this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
- this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
- this->public.destroy = (void(*)(cert_cache_t*))destroy;
+ INIT(this,
+ .public = {
+ .set = {
+ .create_cert_enumerator = _create_enumerator,
+ .create_private_enumerator = (void*)return_null,
+ .create_shared_enumerator = (void*)return_null,
+ .create_cdp_enumerator = (void*)return_null,
+ .cache_cert = (void*)nop,
+ },
+ .issued_by = _issued_by,
+ .flush = _flush,
+ .destroy = _destroy,
+ },
+ );
for (i = 0; i < CACHE_SIZE; i++)
{
@@ -385,5 +380,6 @@ cert_cache_t *cert_cache_create()
this->relations[i].hits = 0;
this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
}
+
return &this->public;
}
diff --git a/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c
index 4786495da..151d69216 100644
--- a/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c
+++ b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c
@@ -94,12 +94,9 @@ static void enumerator_destroy(wrapper_enumerator_t *this)
free(this);
}
-/**
- * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
- certificate_type_t cert, key_type_t key,
- identification_t *id, bool trusted)
+METHOD(credential_set_t, create_enumerator, enumerator_t*,
+ private_ocsp_response_wrapper_t *this,certificate_type_t cert,
+ key_type_t key, identification_t *id, bool trusted)
{
wrapper_enumerator_t *enumerator;
@@ -118,10 +115,8 @@ static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
return &enumerator->public;
}
-/**
- * Implementation of ocsp_response_wrapper_t.destroy
- */
-static void destroy(private_ocsp_response_wrapper_t *this)
+METHOD(ocsp_response_wrapper_t, destroy, void,
+ private_ocsp_response_wrapper_t *this)
{
free(this);
}
@@ -131,16 +126,21 @@ static void destroy(private_ocsp_response_wrapper_t *this)
*/
ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
{
- private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
-
- this->public.set.create_private_enumerator = (void*)return_null;
- this->public.set.create_cert_enumerator = (void*)create_enumerator;
- this->public.set.create_shared_enumerator = (void*)return_null;
- this->public.set.create_cdp_enumerator = (void*)return_null;
- this->public.set.cache_cert = (void*)nop;
- this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
-
- this->response = response;
+ private_ocsp_response_wrapper_t *this;
+
+ INIT(this,
+ .public = {
+ .set = {
+ .create_cert_enumerator = _create_enumerator,
+ .create_private_enumerator = (void*)return_null,
+ .create_shared_enumerator = (void*)return_null,
+ .create_cdp_enumerator = (void*)return_null,
+ .cache_cert = (void*)nop,
+ },
+ .destroy = _destroy,
+ },
+ .response = response,
+ );
return &this->public;
}