diff options
Diffstat (limited to 'src/charon/credentials')
-rw-r--r-- | src/charon/credentials/auth_info.c | 35 | ||||
-rw-r--r-- | src/charon/credentials/auth_info.h | 10 | ||||
-rw-r--r-- | src/charon/credentials/credential_manager.c | 65 | ||||
-rw-r--r-- | src/charon/credentials/credential_set.h | 9 | ||||
-rw-r--r-- | src/charon/credentials/sets/auth_info_wrapper.c | 3 | ||||
-rw-r--r-- | src/charon/credentials/sets/cert_cache.c | 50 |
6 files changed, 128 insertions, 44 deletions
diff --git a/src/charon/credentials/auth_info.c b/src/charon/credentials/auth_info.c index cd748bc97..028ca35c9 100644 --- a/src/charon/credentials/auth_info.c +++ b/src/charon/credentials/auth_info.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: auth_info.c 3838 2008-04-18 11:24:45Z tobias $ + * $Id: auth_info.c 4276 2008-08-22 10:44:51Z martin $ */ @@ -25,6 +25,10 @@ #include <credentials/certificates/certificate.h> ENUM(auth_item_names, AUTHN_CA_CERT, AUTHZ_AC_GROUP, + "AUTHN_AUTH_CLASS", + "AUTHN_EAP_TYPE", + "AUTHN_EAP_VENDOR", + "AUTHN_EAP_IDENTITY", "AUTHN_CA_CERT", "AUTHN_CA_CERT_KEYID", "AUTHN_CA_CERT_NAME", @@ -208,14 +212,18 @@ static void add_item(private_auth_info_t *this, auth_item_t type, void *value) item->value = validation; break; } + case AUTHN_AUTH_CLASS: + case AUTHN_EAP_TYPE: + case AUTHN_EAP_VENDOR: case AUTHZ_EAP: { - eap_method_t *method = malloc_thing(eap_method_t); + u_int *intval = malloc_thing(u_int); - *method = *(eap_method_t*)value; - item->value = method; + *intval = *(u_int*)value; + item->value = intval; break; } + case AUTHN_EAP_IDENTITY: case AUTHN_CA_CERT_KEYID: case AUTHN_CA_CERT_NAME: case AUTHZ_CA_CERT_NAME: @@ -246,6 +254,10 @@ static bool complies(private_auth_info_t *this, auth_info_t *constraints) { switch (t1) { + case AUTHN_AUTH_CLASS: + case AUTHN_EAP_TYPE: + case AUTHN_EAP_VENDOR: + case AUTHN_EAP_IDENTITY: case AUTHN_CA_CERT_KEYID: case AUTHN_CA_CERT: case AUTHN_CA_CERT_NAME: @@ -444,6 +456,7 @@ static bool equals(private_auth_info_t *this, private_auth_info_t *other) } continue; } + case AUTHN_EAP_IDENTITY: case AUTHN_CA_CERT_KEYID: case AUTHN_CA_CERT_NAME: case AUTHZ_CA_CERT_NAME: @@ -460,6 +473,16 @@ static bool equals(private_auth_info_t *this, private_auth_info_t *other) } continue; } + case AUTHN_AUTH_CLASS: + case AUTHN_EAP_TYPE: + case AUTHN_EAP_VENDOR: + { + if (*(u_int*)i1->value == *(u_int*)i2->value) + { + found = TRUE; + break; + } + } case AUTHZ_PUBKEY: case AUTHZ_PSK: case AUTHZ_EAP: @@ -511,6 +534,9 @@ static void destroy_item_value(item_t *item) cert->destroy(cert); break; } + case AUTHN_AUTH_CLASS: + case AUTHN_EAP_TYPE: + case AUTHN_EAP_VENDOR: case AUTHN_IM_HASH_URL: case AUTHN_SUBJECT_HASH_URL: case AUTHZ_CRL_VALIDATION: @@ -520,6 +546,7 @@ static void destroy_item_value(item_t *item) free(item->value); break; } + case AUTHN_EAP_IDENTITY: case AUTHN_CA_CERT_KEYID: case AUTHN_CA_CERT_NAME: case AUTHZ_CA_CERT_NAME: diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h index 5fe2919f8..52433433a 100644 --- a/src/charon/credentials/auth_info.h +++ b/src/charon/credentials/auth_info.h @@ -60,6 +60,14 @@ enum auth_item_t { * items provided to authentication process */ + /** authentication class to use, value is auth_class_t* */ + AUTHN_AUTH_CLASS, + /** EAP method to request from peer, value is eap_type_t* */ + AUTHN_EAP_TYPE, + /** EAP vendor to used in conjunction with EAP method, value is u_int32_t* */ + AUTHN_EAP_VENDOR, + /** EAP identity to use within EAP-Identity exchange */ + AUTHN_EAP_IDENTITY, /** CA certificate to use for authentication, value is certificate_t* */ AUTHN_CA_CERT, /** Keyid of a CA certificate to use, value is identification_t* */ @@ -83,7 +91,7 @@ enum auth_item_t { AUTHZ_PUBKEY, /** subject has ben authenticated using preshared secrets, value is shared_key_t* */ AUTHZ_PSK, - /** subject has been authenticated using EAP, value is eap_method_t */ + /** subject has been authenticated using EAP, value is eap_type_t* */ AUTHZ_EAP, /** certificate authority, value is certificate_t* */ AUTHZ_CA_CERT, diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c index 251559141..b11cdc0df 100644 --- a/src/charon/credentials/credential_manager.c +++ b/src/charon/credentials/credential_manager.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: credential_manager.c 3953 2008-05-14 06:49:31Z martin $ + * $Id: credential_manager.c 4317 2008-09-02 11:00:13Z martin $ */ /* some clibs need it for rwlocks */ @@ -61,6 +61,11 @@ struct private_credential_manager_t { cert_cache_t *cache; /** + * certificates queued for persistent caching + */ + linked_list_t *cache_queue; + + /** * read-write lock to sets list */ pthread_rwlock_t lock; @@ -270,7 +275,7 @@ static enumerator_t *create_private(credential_set_t *set, private_data_t *data) } /** - * Implementation of credential_manager_t.get_private_by_keyid. + * Implementation of credential_manager_t.create_private_enumerator. */ static enumerator_t* create_private_enumerator( private_credential_manager_t *this, @@ -407,17 +412,51 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert) credential_set_t *set; enumerator_t *enumerator; - pthread_rwlock_rdlock(&this->lock); - enumerator = this->sets->create_enumerator(this->sets); - while (enumerator->enumerate(enumerator, &set)) + if (pthread_rwlock_trywrlock(&this->lock) == 0) { - set->cache_cert(set, cert); + enumerator = this->sets->create_enumerator(this->sets); + while (enumerator->enumerate(enumerator, &set)) + { + set->cache_cert(set, cert); + } + enumerator->destroy(enumerator); + } + else + { /* we can't cache now as other threads are active, queue for later */ + pthread_rwlock_rdlock(&this->lock); + this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert)); } - enumerator->destroy(enumerator); pthread_rwlock_unlock(&this->lock); } /** + * Try to cache certificates queued for caching + */ +static void cache_queue(private_credential_manager_t *this) +{ + credential_set_t *set; + certificate_t *cert; + enumerator_t *enumerator; + + if (this->cache_queue->get_count(this->cache_queue) > 0 && + pthread_rwlock_trywrlock(&this->lock) == 0) + { + while (this->cache_queue->remove_last(this->cache_queue, + (void**)&cert) == SUCCESS) + { + enumerator = this->sets->create_enumerator(this->sets); + while (enumerator->enumerate(enumerator, &set)) + { + set->cache_cert(set, cert); + } + enumerator->destroy(enumerator); + cert->destroy(cert); + } + pthread_rwlock_unlock(&this->lock); + } +} + +/** * forward declaration */ static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this, @@ -435,8 +474,8 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url, /* TODO: requestor name, signature */ request = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, - BUILD_CA_CERT, issuer->get_ref(issuer), - BUILD_CERT, subject->get_ref(subject), BUILD_END); + BUILD_CA_CERT, issuer, + BUILD_CERT, subject, BUILD_END); if (!request) { DBG1(DBG_CFG, "generating ocsp request failed"); @@ -461,6 +500,7 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url, response = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, BUILD_BLOB_ASN1_DER, receive, BUILD_END); + chunk_free(&receive); if (!response) { DBG1(DBG_CFG, "parsing ocsp response failed"); @@ -1142,6 +1182,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this, verify_trust_chain(this->this, this->pretrusted, this->auth, TRUE, this->crl, this->ocsp)) { + this->auth->add_item(this->auth, AUTHZ_CA_CERT, this->pretrusted); DBG1(DBG_CFG, " using trusted certificate \"%D\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; @@ -1262,6 +1303,9 @@ static void public_destroy(public_enumerator_t *this) this->wrapper->destroy(this->wrapper); } pthread_rwlock_unlock(&this->this->lock); + + /* check for delayed certificate cache queue */ + cache_queue(this->this); free(this); } @@ -1501,6 +1545,8 @@ static void remove_set(private_credential_manager_t *this, credential_set_t *set */ static void destroy(private_credential_manager_t *this) { + cache_queue(this); + this->cache_queue->destroy(this->cache_queue); this->sets->remove(this->sets, this->cache, NULL); this->sets->destroy(this->sets); pthread_key_delete(this->local_sets); @@ -1532,6 +1578,7 @@ credential_manager_t *credential_manager_create() this->sets = linked_list_create(); pthread_key_create(&this->local_sets, (void*)this->sets->destroy); this->cache = cert_cache_create(); + this->cache_queue = linked_list_create(); this->sets->insert_first(this->sets, this->cache); pthread_rwlock_init(&this->lock, NULL); diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h index b5f3b95cd..4166d05a3 100644 --- a/src/charon/credentials/credential_set.h +++ b/src/charon/credentials/credential_set.h @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * $Id: credential_set.h 3820 2008-04-17 11:22:37Z martin $ + * $Id: credential_set.h 4229 2008-07-30 11:38:44Z martin $ */ /** @@ -36,6 +36,13 @@ typedef struct credential_set_t credential_set_t; * Enumerators are used because queries might return multiple matches. * Filter parameters restrict enumeration over specific items only. * See credential_manager_t for an overview of the credential framework. + * + * A credential set enumerator may not block the credential set, i.e. multiple + * threads must be able to hold multiple enumerators, as the credential manager + * is higly parallelized. The best way to achieve this is by using shared + * read locks for the enumerators only. Otherwiese deadlocks will occur. + * The writing cache_cert() routine is called by the manager only if no + * enumerator is alive, so it is save to use a write lock there. */ struct credential_set_t { diff --git a/src/charon/credentials/sets/auth_info_wrapper.c b/src/charon/credentials/sets/auth_info_wrapper.c index 32783ff93..7ec75be15 100644 --- a/src/charon/credentials/sets/auth_info_wrapper.c +++ b/src/charon/credentials/sets/auth_info_wrapper.c @@ -73,7 +73,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void certificate_t *cert; DBG1(DBG_CFG, " fetching certificate from '%s' ...", url); - if (lib->fetcher->fetch(lib->fetcher, url, &data) != SUCCESS) + if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS) { DBG1(DBG_CFG, " fetching certificate failed"); /* we set the item to NULL, so we can skip it */ @@ -83,6 +83,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_BLOB_ASN1_DER, data, BUILD_END); + free(data.ptr); if (!cert) { diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c index 8af8bb619..4a9a97149 100644 --- a/src/charon/credentials/sets/cert_cache.c +++ b/src/charon/credentials/sets/cert_cache.c @@ -15,11 +15,13 @@ * $Id$ */ +#define _GNU_SOURCE +#include <pthread.h> + #include "cert_cache.h" #include <daemon.h> #include <utils/linked_list.h> -#include <utils/mutex.h> #define CACHE_SIZE 30 @@ -44,7 +46,7 @@ struct private_cert_cache_t { /** * do we have an active enumerator */ - bool enumerating; + refcount_t enumerating; /** * have we increased the cache without a check_cache? @@ -52,9 +54,9 @@ struct private_cert_cache_t { bool check_required; /** - * mutex to lock relations list + * read-write lock to sets list */ - mutex_t *mutex; + pthread_rwlock_t lock; }; /** @@ -88,8 +90,8 @@ static void check_cache(private_cert_cache_t *this) { this->check_required = TRUE; } - else - { + else if (pthread_rwlock_trywrlock(&this->lock) == 0) + { /* never blocks, only done if lock is available */ while (this->relations->get_count(this->relations) > CACHE_SIZE) { relation_t *oldest = NULL, *current; @@ -108,6 +110,7 @@ static void check_cache(private_cert_cache_t *this) relation_destroy(oldest); } this->check_required = FALSE; + pthread_rwlock_unlock(&this->lock); } } @@ -121,7 +124,7 @@ static bool issued_by(private_cert_cache_t *this, enumerator_t *enumerator; /* lookup cache */ - this->mutex->lock(this->mutex); + pthread_rwlock_rdlock(&this->lock); enumerator = this->relations->create_enumerator(this->relations); while (enumerator->enumerate(enumerator, ¤t)) { @@ -146,7 +149,7 @@ static bool issued_by(private_cert_cache_t *this, } } enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); + pthread_rwlock_unlock(&this->lock); if (found) { return TRUE; @@ -161,10 +164,9 @@ static bool issued_by(private_cert_cache_t *this, found->subject = subject->get_ref(subject); found->issuer = issuer->get_ref(issuer); found->last_use = time(NULL); - this->mutex->lock(this->mutex); + /* insert should be ok without lock */ this->relations->insert_last(this->relations, found); check_cache(this); - this->mutex->unlock(this->mutex); return TRUE; } @@ -230,12 +232,12 @@ static bool certs_filter(cert_data_t *data, relation_t **in, certificate_t **out */ static void certs_destroy(cert_data_t *data) { - data->this->enumerating--; + ref_put(&data->this->enumerating); + pthread_rwlock_unlock(&data->this->lock); if (data->this->check_required) { check_cache(data->this); } - data->this->mutex->unlock(data->this->mutex); free(data); } @@ -258,22 +260,14 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this, data->id = id; data->this = this; - this->mutex->lock(this->mutex); - this->enumerating++; + pthread_rwlock_rdlock(&this->lock); + ref_get(&this->enumerating); return enumerator_create_filter( this->relations->create_enumerator(this->relations), (void*)certs_filter, data, (void*)certs_destroy); } /** - * Implementation of credential_set_t.cache_cert. - */ -static void cache_cert(private_cert_cache_t *this, certificate_t *cert) -{ - /* TODO: implement caching */ -} - -/** * Implementation of cert_cache_t.flush. */ static void flush(private_cert_cache_t *this, certificate_type_t type) @@ -281,7 +275,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type) enumerator_t *enumerator; relation_t *relation; - this->mutex->lock(this->mutex); + pthread_rwlock_wrlock(&this->lock); enumerator = this->relations->create_enumerator(this->relations); while (enumerator->enumerate(enumerator, &relation)) { @@ -293,7 +287,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type) } } enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); + pthread_rwlock_unlock(&this->lock); } /** @@ -302,7 +296,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type) static void destroy(private_cert_cache_t *this) { this->relations->destroy_function(this->relations, (void*)relation_destroy); - this->mutex->destroy(this->mutex); + pthread_rwlock_destroy(&this->lock); free(this); } @@ -317,15 +311,15 @@ cert_cache_t *cert_cache_create() this->public.set.create_cert_enumerator = (void*)create_enumerator; this->public.set.create_shared_enumerator = (void*)return_null; this->public.set.create_cdp_enumerator = (void*)return_null; - this->public.set.cache_cert = (void*)cache_cert; + this->public.set.cache_cert = (void*)nop; this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by; this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush; this->public.destroy = (void(*)(cert_cache_t*))destroy; this->relations = linked_list_create(); - this->enumerating = FALSE; + this->enumerating = 0; this->check_required = FALSE; - this->mutex = mutex_create(MUTEX_RECURSIVE); + pthread_rwlock_init(&this->lock, NULL); return &this->public; } |