author | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
commit | 7585facf05d927eb6df3929ce09ed5e60d905437 (patch) | |
tree | e4d14b4dc180db20356b6b01ce0112f3a2d7897e /src/libstrongswan/credentials | |
parent | c1343b3278cdf99533b7902744d15969f9d6fdc1 (diff) | |
download | vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip |
Imported Upstream version 5.0.2
Diffstat (limited to 'src/libstrongswan/credentials')
22 files changed, 239 insertions, 26 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 6ee4f9b6e..a718de3dc 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -17,8 +17,8 @@ #include "auth_cfg.h"
 #include <library.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <utils/identification.h>
 #include <eap/eap.h>
 #include <credentials/certificates/certificate.h>
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 79484a04c..d87935589 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -22,7 +22,7 @@ #ifndef AUTH_CFG_H_
 #define AUTH_CFG_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 typedef struct auth_cfg_t auth_cfg_t;
 typedef enum auth_rule_t auth_rule_t;
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index d3157c80e..f5858382f 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -19,6 +19,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 "BUILD_FROM_FILE",
 "BUILD_FROM_FD",
 "BUILD_AGENT_SOCKET",
+ "BUILD_BLOB",
 "BUILD_BLOB_ASN1_DER",
 "BUILD_BLOB_PEM",
 "BUILD_BLOB_PGP",
@@ -36,6 +37,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 "BUILD_NOT_AFTER_TIME",
 "BUILD_SERIAL",
 "BUILD_DIGEST_ALG",
+ "BUILD_ENCRYPTION_ALG",
 "BUILD_IETF_GROUP_ATTR",
 "BUILD_CA_CERT",
 "BUILD_CERT",
@@ -53,6 +55,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 "BUILD_REVOKED_ENUMERATOR",
 "BUILD_BASE_CRL",
 "BUILD_CHALLENGE_PWD",
+ "BUILD_PKCS7_ATTRIBUTE",
 "BUILD_PKCS11_MODULE",
 "BUILD_PKCS11_SLOT",
 "BUILD_PKCS11_KEYID",
@@ -64,6 +67,9 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 "BUILD_RSA_EXP1",
 "BUILD_RSA_EXP2",
 "BUILD_RSA_COEFF",
+ "BUILD_SAFE_PRIMES",
+ "BUILD_SHARES",
+ "BUILD_THRESHOLD",
 "BUILD_END",
 );
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 41250ccae..740041aac 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -49,6 +49,8 @@ enum builder_part_t {
 BUILD_FROM_FD,
 /** unix socket of a ssh/pgp agent, char* */
 BUILD_AGENT_SOCKET,
+ /** An arbitrary blob of data, chunk_t */
+ BUILD_BLOB,
 /** DER encoded ASN.1 blob, chunk_t */
 BUILD_BLOB_ASN1_DER,
 /** PEM encoded ASN.1/PGP blob, chunk_t */
@@ -81,8 +83,10 @@ enum builder_part_t {
 BUILD_NOT_AFTER_TIME,
 /** a serial number in binary form, chunk_t */
 BUILD_SERIAL,
- /** digest algorithm to be used for signature, int */
+ /** digest algorithm to be used for signature, hash_algorithm_t */
 BUILD_DIGEST_ALG,
+ /** encryption algorithm to use, encryption_algorithm_t */
+ BUILD_ENCRYPTION_ALG,
 /** a comma-separated list of ietf group attributes, char* */
 BUILD_IETF_GROUP_ATTR,
 /** a ca certificate, certificate_t* */
@@ -117,6 +121,8 @@ enum builder_part_t {
 BUILD_BASE_CRL,
 /** PKCS#10 challenge password */
 BUILD_CHALLENGE_PWD,
+ /** PKCS#7 attribute, int oid, chunk_t with ASN1 type encoded value */
+ BUILD_PKCS7_ATTRIBUTE,
 /** friendly name of a PKCS#11 module, null terminated char* */
 BUILD_PKCS11_MODULE,
 /** slot specifier for a token in a PKCS#11 module, int */
@@ -139,6 +145,12 @@ enum builder_part_t {
 BUILD_RSA_EXP2,
 /** coefficient (coeff) of a RSA key, chunk_t */
 BUILD_RSA_COEFF,
+ /** generate (p) and (q) as safe primes */
+ BUILD_SAFE_PRIMES,
+ /** number of private key shares */
+ BUILD_SHARES,
+ /** minimum number of participating private key shares */
+ BUILD_THRESHOLD,
 /** end of variable argument builder list */
 BUILD_END,
 };
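Review bot: In the last hunk of builder.h the three new parts BUILD_SAFE_PRIMES, BUILD_SHARES and BUILD_THRESHOLD are the only new entries whose comment does not name the type of the accompanying variadic argument, while the neighbouring entries and the new BUILD_BLOB, BUILD_ENCRYPTION_ALG and BUILD_PKCS7_ATTRIBUTE in the earlier hunks all state one (chunk_t, int, hash_algorithm_t). The list is consumed as a variable argument list (see "end of variable argument builder list"), so the compiler cannot check what a caller passes and the comment is presumably the only contract. I would complete them once the consuming builder confirms the types, e.g. `/** number of private key shares, int */` and `/** minimum number of participating private key shares, int */`, and for BUILD_SAFE_PRIMES state whether it takes a value at all. The enum is also mirrored positionally by the string table in builder.c; the three strings are inserted at the matching position in this commit, but a comment on either side reminding maintainers to keep the two in sync would help.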
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 33ba4e907..bc4209ca7 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,7 +15,7 @@ #include "certificate.h"
-#include <debug.h>
+#include <utils/debug.h>
 #include <credentials/certificates/x509.h>
 ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 69bd80b84..09fd0bfc8 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,7 +16,7 @@ #include "crl.h"
-#include <debug.h>
+#include <utils/debug.h>
 ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 "unspecified",
diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h
index 9a4979757..2f35eb6a5 100644
--- a/src/libstrongswan/credentials/certificates/pkcs10.h
+++ b/src/libstrongswan/credentials/certificates/pkcs10.h
@@ -21,7 +21,7 @@ #ifndef PKCS10_H_
 #define PKCS10_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/certificates/certificate.h>
 typedef struct pkcs10_t pkcs10_t;
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 00171a718..4e8d4317f 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -21,7 +21,7 @@ #ifndef X509_H_
 #define X509_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/certificates/certificate.h>
 /* constraints are currently restricted to the range 0..127 */
diff --git a/src/libstrongswan/credentials/containers/container.c b/src/libstrongswan/credentials/containers/container.c
new file mode 100644
index 000000000..d1e67b21b
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "container.h"
+
+ENUM(container_type_names, CONTAINER_PKCS7, CONTAINER_PKCS7_ENVELOPED_DATA,
+ "PKCS7",
+ "PKCS7_DATA",
+ "PKCS7_SIGNED_DATA",
+ "PKCS7_ENVELOPED_DATA",
+);
diff --git a/src/libstrongswan/credentials/containers/container.h b/src/libstrongswan/credentials/containers/container.h
new file mode 100644
index 000000000..fc5c09041
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup container container
+ * @{ @ingroup containers
+ */
+
+#ifndef CONTAINER_H_
+#define CONTAINER_H_
+
+typedef struct container_t container_t;
+typedef enum container_type_t container_type_t;
+
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
+
+/**
+ * Type of the container.
+ */
+enum container_type_t {
+ /** Any kind of PKCS7/CMS container */
+ CONTAINER_PKCS7,
+ /** PKCS7/CMS plain "data" */
+ CONTAINER_PKCS7_DATA,
+ /** PKCS7/CMS "signed-data" */
+ CONTAINER_PKCS7_SIGNED_DATA,
+ /** PKCS7/CMS "enveloped-data" */
+ CONTAINER_PKCS7_ENVELOPED_DATA,
+};
+
+/**
+ * Enum names for container_type_t
+ */
+extern enum_name_t *container_type_names;
+
+/**
+ * Generic interface for cryptographic containers.
+ */
+struct container_t {
+
+ /**
+ * Get the type of the container.
+ *
+ * @return container type
+ */
+ container_type_t (*get_type)(container_t *this);
+
+ /**
+ * Create an enumerator over trustchains for valid container signatures.
+ *
+ * @return enumerator over auth_cfg_t*
+ */
+ enumerator_t* (*create_signature_enumerator)(container_t *this);
+
+ /**
+ * Get signed/decrypted data wrapped in this container.
+ *
+ * This function does not verify any associated signatures, use
+ * create_signature_enumerator() to verify them.
+ *
+ * @param data allocated data wrapped in this container
+ * @return TRUE if data decrypted successfully
+ */
+ bool (*get_data)(container_t *this, chunk_t *data);
+
+ /**
+ * Get the encoding of the full signed/encrypted container.
+ *
+ * @param data allocated container encoding
+ * @return TRUE if encodign successful
+ */
+ bool (*get_encoding)(container_t *this, chunk_t *encoding);
+
+ /**
+ * Destroy a container_t.
+ */
+ void (*destroy)(container_t *this);
+};
+
+#endif /** CONTAINER_H_ @}*/
diff --git a/src/libstrongswan/credentials/containers/pkcs7.h b/src/libstrongswan/credentials/containers/pkcs7.h
new file mode 100644
index 000000000..d42d82b0b
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs7.h
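Review bot: The doc block of get_encoding() in the new container.h names `@param data` although the parameter in the signature directly below is `encoding`, and its return line misspells the word; I would change the two lines to `@param encoding allocated container encoding` and `@return TRUE if encoding successful`. The get_data() comment correctly warns that it performs no signature verification, but for an interface whose input is typically an untrusted PKCS#7 blob it should also say whether a caller is expected to run create_signature_enumerator() first or whether get_data() may legitimately be used on unverified content, so that implementations and callers agree on who enforces verification; I cannot tell the intended order from this header alone. A one-line note on ownership would also help, e.g. `the caller owns the returned chunk and must free it`, if that is what "allocated" means here.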
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7 pkcs7
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS7_H_
+#define PKCS7_H_
+
+#include <credentials/containers/container.h>
+
+typedef struct pkcs7_t pkcs7_t;
+
+/**
+ * PKCS#7/CMS container type.
+ */
+struct pkcs7_t {
+
+ /**
+ * Implements container_t.
+ */
+ container_t container;
+
+ /**
+ * Get an authenticated PKCS#9 attribute from PKCS#7 signerInfo.
+ *
+ * To select the signerInfo structure to get the attribute from, pass
+ * the enumerator position from container_t.create_signature_enumerator().
+ *
+ * The attribute returned does not contain type information and must be
+ * freed after use.
+ *
+ * @param oid OID from the attribute to get
+ * @param enumerator enumerator to select signerInfo
+ * @param value chunk receiving attribute value, allocated
+ * @return TRUE if attribute found
+ */
+ bool (*get_attribute)(pkcs7_t *this, int oid, enumerator_t *enumerator,
+ chunk_t *value);
+
+ /**
+ * Create an enumerator over attached certificates.
+ *
+ * @return enumerator over certificate_t
+ */
+ enumerator_t* (*create_cert_enumerator)(pkcs7_t *this);
+};
+
+#endif /** PKCS7_H_ @}*/
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 4865984dd..53ac13cbb 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
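Review bot: In the new pkcs7.h, get_attribute() is described as returning an "authenticated" attribute selected by the position of the signature enumerator, but the comment does not say what happens if the enumerator has not yet yielded a verified trustchain, or whether "authenticated" only holds for the signerInfo whose signature the enumerator has just verified; since signed attributes are the part of a PKCS#7 message a caller may act on, I would add a sentence such as `Only call this after enumerate() on the given enumerator has returned a trustchain; the value is covered by that signerInfo's signature.` if that is the intended contract. The return doc of create_cert_enumerator() says `enumerator over certificate_t` while the sibling create_signature_enumerator() in container.h writes the pointer type; `@return enumerator over certificate_t*` would be consistent. It would also help to state that the enumerated certificates are merely those attached to the container and carry no trust by themselves, if that is the case.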
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -17,8 +17,8 @@ #include <stdint.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
 #include <threading/rwlock.h>
 typedef struct private_cred_encoding_t private_cred_encoding_t;
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index ff621012f..94c7820e1 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -17,17 +17,18 @@ #include "credential_factory.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 #include <threading/thread_value.h>
 #include <threading/rwlock.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/containers/container.h>
-ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE,
+ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CONTAINER,
 "CRED_PRIVATE_KEY",
 "CRED_PUBLIC_KEY",
 "CRED_CERTIFICATE",
- "CRED_PLUTO_CERT",
+ "CRED_CONTAINER",
 );
 typedef struct private_credential_factory_t private_credential_factory_t;
@@ -139,11 +140,21 @@ METHOD(credential_factory_t, create, void*,
 if (!construct && !level)
 {
- enum_name_t *names = key_type_names;
+ enum_name_t *names;
- if (type == CRED_CERTIFICATE)
+ switch (type)
 {
- names = certificate_type_names;
+ case CRED_CERTIFICATE:
+ names = certificate_type_names;
+ break;
+ case CRED_CONTAINER:
+ names = container_type_names;
+ break;
+ case CRED_PRIVATE_KEY:
+ case CRED_PUBLIC_KEY:
+ default:
+ names = key_type_names;
+ break;
 }
 DBG1(DBG_LIB, "building %N - %N failed, tried %d builders",
 credential_type_names, type, names, subtype, failures);
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index c31601245..55b669529 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -28,6 +28,9 @@ typedef enum credential_type_t credential_type_t;
 /**
 * Kind of credential.
+ *
+ * While crypto containers are not really credentials, we still use the
+ * credential factory and builders create them.
 */
 enum credential_type_t {
 /** private key, implemented in private_key_t */
@@ -36,6 +39,8 @@ enum credential_type_t {
 CRED_PUBLIC_KEY,
 /** certificates, implemented in certificate_t */
 CRED_CERTIFICATE,
+ /** crypto container, implemented in container_t */
+ CRED_CONTAINER,
 };
 /**
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index a96abdc69..9e40c5a10 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -16,11 +16,11 @@ #include "credential_manager.h"
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <threading/thread_value.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <credentials/sets/cert_cache.h>
 #include <credentials/sets/auth_cfg_wrapper.h>
 #include <credentials/certificates/x509.h>
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index d9a47b7d7..73c585734 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -24,7 +24,7 @@ typedef struct credential_manager_t credential_manager_t;
 #include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <credentials/auth_cfg.h>
 #include <credentials/credential_set.h>
 #include <credentials/keys/private_key.h>
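Review bot: The new paragraph on credential_type_t in the first hunk of credential_factory.h is missing a word: `* credential factory and builders create them.` presumably should read `* credential factory and builders to create them.`. The new CRED_CONTAINER entry is appended after CRED_CERTIFICATE, which matches the position of the "CRED_CONTAINER" string in the name table of credential_factory.c and the new upper bound of that ENUM, so nothing else in this hunk needs a change.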
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index fb18fb53d..49af5a079 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -17,7 +17,7 @@ #include <asn1/oid.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 #include <utils/lexparser.h>
 #include "ietf_attributes.h"
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index d00b8d12e..900c6613e 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -21,7 +21,7 @@ #ifndef SHARED_KEY_H_
 #define SHARED_KEY_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
 #include <utils/identification.h>
 typedef struct shared_key_t shared_key_t;
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 2cef23328..46bfb5c6e 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -15,7 +15,7 @@ */
 #include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include "auth_cfg_wrapper.h"
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index a7d0ed8f9..e8f0e7ec0 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -20,7 +20,7 @@ #include <library.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 /** cache size, a power of 2 for fast modulo */
 #define CACHE_SIZE 32
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index e023e8443..d697a56ef 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -18,7 +18,7 @@ #include "mem_cred.h"
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 typedef struct private_mem_cred_t private_mem_cred_t;
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index eb46b065b..20447207c 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -27,7 +27,7 @@ typedef struct mem_cred_t mem_cred_t;
 #include <credentials/credential_set.h>
 #include <credentials/certificates/crl.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 /**
 * Generic in-memory credential set. |