summaryrefslogtreecommitdiff
path: root/src/charon/credentials
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon/credentials')
-rw-r--r--src/charon/credentials/auth_info.c35
-rw-r--r--src/charon/credentials/auth_info.h10
-rw-r--r--src/charon/credentials/credential_manager.c65
-rw-r--r--src/charon/credentials/credential_set.h9
-rw-r--r--src/charon/credentials/sets/auth_info_wrapper.c3
-rw-r--r--src/charon/credentials/sets/cert_cache.c50
6 files changed, 128 insertions, 44 deletions
diff --git a/src/charon/credentials/auth_info.c b/src/charon/credentials/auth_info.c
index cd748bc97..028ca35c9 100644
--- a/src/charon/credentials/auth_info.c
+++ b/src/charon/credentials/auth_info.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: auth_info.c 3838 2008-04-18 11:24:45Z tobias $
+ * $Id: auth_info.c 4276 2008-08-22 10:44:51Z martin $
*/
@@ -25,6 +25,10 @@
#include <credentials/certificates/certificate.h>
ENUM(auth_item_names, AUTHN_CA_CERT, AUTHZ_AC_GROUP,
+ "AUTHN_AUTH_CLASS",
+ "AUTHN_EAP_TYPE",
+ "AUTHN_EAP_VENDOR",
+ "AUTHN_EAP_IDENTITY",
"AUTHN_CA_CERT",
"AUTHN_CA_CERT_KEYID",
"AUTHN_CA_CERT_NAME",
@@ -208,14 +212,18 @@ static void add_item(private_auth_info_t *this, auth_item_t type, void *value)
item->value = validation;
break;
}
+ case AUTHN_AUTH_CLASS:
+ case AUTHN_EAP_TYPE:
+ case AUTHN_EAP_VENDOR:
case AUTHZ_EAP:
{
- eap_method_t *method = malloc_thing(eap_method_t);
+ u_int *intval = malloc_thing(u_int);
- *method = *(eap_method_t*)value;
- item->value = method;
+ *intval = *(u_int*)value;
+ item->value = intval;
break;
}
+ case AUTHN_EAP_IDENTITY:
case AUTHN_CA_CERT_KEYID:
case AUTHN_CA_CERT_NAME:
case AUTHZ_CA_CERT_NAME:
@@ -246,6 +254,10 @@ static bool complies(private_auth_info_t *this, auth_info_t *constraints)
{
switch (t1)
{
+ case AUTHN_AUTH_CLASS:
+ case AUTHN_EAP_TYPE:
+ case AUTHN_EAP_VENDOR:
+ case AUTHN_EAP_IDENTITY:
case AUTHN_CA_CERT_KEYID:
case AUTHN_CA_CERT:
case AUTHN_CA_CERT_NAME:
@@ -444,6 +456,7 @@ static bool equals(private_auth_info_t *this, private_auth_info_t *other)
}
continue;
}
+ case AUTHN_EAP_IDENTITY:
case AUTHN_CA_CERT_KEYID:
case AUTHN_CA_CERT_NAME:
case AUTHZ_CA_CERT_NAME:
@@ -460,6 +473,16 @@ static bool equals(private_auth_info_t *this, private_auth_info_t *other)
}
continue;
}
+ case AUTHN_AUTH_CLASS:
+ case AUTHN_EAP_TYPE:
+ case AUTHN_EAP_VENDOR:
+ {
+ if (*(u_int*)i1->value == *(u_int*)i2->value)
+ {
+ found = TRUE;
+ break;
+ }
+ }
case AUTHZ_PUBKEY:
case AUTHZ_PSK:
case AUTHZ_EAP:
@@ -511,6 +534,9 @@ static void destroy_item_value(item_t *item)
cert->destroy(cert);
break;
}
+ case AUTHN_AUTH_CLASS:
+ case AUTHN_EAP_TYPE:
+ case AUTHN_EAP_VENDOR:
case AUTHN_IM_HASH_URL:
case AUTHN_SUBJECT_HASH_URL:
case AUTHZ_CRL_VALIDATION:
@@ -520,6 +546,7 @@ static void destroy_item_value(item_t *item)
free(item->value);
break;
}
+ case AUTHN_EAP_IDENTITY:
case AUTHN_CA_CERT_KEYID:
case AUTHN_CA_CERT_NAME:
case AUTHZ_CA_CERT_NAME:
diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h
index 5fe2919f8..52433433a 100644
--- a/src/charon/credentials/auth_info.h
+++ b/src/charon/credentials/auth_info.h
@@ -60,6 +60,14 @@ enum auth_item_t {
* items provided to authentication process
*/
+ /** authentication class to use, value is auth_class_t* */
+ AUTHN_AUTH_CLASS,
+ /** EAP method to request from peer, value is eap_type_t* */
+ AUTHN_EAP_TYPE,
+ /** EAP vendor to used in conjunction with EAP method, value is u_int32_t* */
+ AUTHN_EAP_VENDOR,
+ /** EAP identity to use within EAP-Identity exchange */
+ AUTHN_EAP_IDENTITY,
/** CA certificate to use for authentication, value is certificate_t* */
AUTHN_CA_CERT,
/** Keyid of a CA certificate to use, value is identification_t* */
@@ -83,7 +91,7 @@ enum auth_item_t {
AUTHZ_PUBKEY,
/** subject has ben authenticated using preshared secrets, value is shared_key_t* */
AUTHZ_PSK,
- /** subject has been authenticated using EAP, value is eap_method_t */
+ /** subject has been authenticated using EAP, value is eap_type_t* */
AUTHZ_EAP,
/** certificate authority, value is certificate_t* */
AUTHZ_CA_CERT,
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 251559141..b11cdc0df 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: credential_manager.c 3953 2008-05-14 06:49:31Z martin $
+ * $Id: credential_manager.c 4317 2008-09-02 11:00:13Z martin $
*/
/* some clibs need it for rwlocks */
@@ -61,6 +61,11 @@ struct private_credential_manager_t {
cert_cache_t *cache;
/**
+ * certificates queued for persistent caching
+ */
+ linked_list_t *cache_queue;
+
+ /**
* read-write lock to sets list
*/
pthread_rwlock_t lock;
@@ -270,7 +275,7 @@ static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
}
/**
- * Implementation of credential_manager_t.get_private_by_keyid.
+ * Implementation of credential_manager_t.create_private_enumerator.
*/
static enumerator_t* create_private_enumerator(
private_credential_manager_t *this,
@@ -407,17 +412,51 @@ static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
credential_set_t *set;
enumerator_t *enumerator;
- pthread_rwlock_rdlock(&this->lock);
- enumerator = this->sets->create_enumerator(this->sets);
- while (enumerator->enumerate(enumerator, &set))
+ if (pthread_rwlock_trywrlock(&this->lock) == 0)
{
- set->cache_cert(set, cert);
+ enumerator = this->sets->create_enumerator(this->sets);
+ while (enumerator->enumerate(enumerator, &set))
+ {
+ set->cache_cert(set, cert);
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ { /* we can't cache now as other threads are active, queue for later */
+ pthread_rwlock_rdlock(&this->lock);
+ this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
}
- enumerator->destroy(enumerator);
pthread_rwlock_unlock(&this->lock);
}
/**
+ * Try to cache certificates queued for caching
+ */
+static void cache_queue(private_credential_manager_t *this)
+{
+ credential_set_t *set;
+ certificate_t *cert;
+ enumerator_t *enumerator;
+
+ if (this->cache_queue->get_count(this->cache_queue) > 0 &&
+ pthread_rwlock_trywrlock(&this->lock) == 0)
+ {
+ while (this->cache_queue->remove_last(this->cache_queue,
+ (void**)&cert) == SUCCESS)
+ {
+ enumerator = this->sets->create_enumerator(this->sets);
+ while (enumerator->enumerate(enumerator, &set))
+ {
+ set->cache_cert(set, cert);
+ }
+ enumerator->destroy(enumerator);
+ cert->destroy(cert);
+ }
+ pthread_rwlock_unlock(&this->lock);
+ }
+}
+
+/**
* forward declaration
*/
static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
@@ -435,8 +474,8 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
/* TODO: requestor name, signature */
request = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
- BUILD_CA_CERT, issuer->get_ref(issuer),
- BUILD_CERT, subject->get_ref(subject), BUILD_END);
+ BUILD_CA_CERT, issuer,
+ BUILD_CERT, subject, BUILD_END);
if (!request)
{
DBG1(DBG_CFG, "generating ocsp request failed");
@@ -461,6 +500,7 @@ static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url,
response = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
BUILD_BLOB_ASN1_DER, receive, BUILD_END);
+ chunk_free(&receive);
if (!response)
{
DBG1(DBG_CFG, "parsing ocsp response failed");
@@ -1142,6 +1182,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
verify_trust_chain(this->this, this->pretrusted, this->auth,
TRUE, this->crl, this->ocsp))
{
+ this->auth->add_item(this->auth, AUTHZ_CA_CERT, this->pretrusted);
DBG1(DBG_CFG, " using trusted certificate \"%D\"",
this->pretrusted->get_subject(this->pretrusted));
*cert = this->pretrusted;
@@ -1262,6 +1303,9 @@ static void public_destroy(public_enumerator_t *this)
this->wrapper->destroy(this->wrapper);
}
pthread_rwlock_unlock(&this->this->lock);
+
+ /* check for delayed certificate cache queue */
+ cache_queue(this->this);
free(this);
}
@@ -1501,6 +1545,8 @@ static void remove_set(private_credential_manager_t *this, credential_set_t *set
*/
static void destroy(private_credential_manager_t *this)
{
+ cache_queue(this);
+ this->cache_queue->destroy(this->cache_queue);
this->sets->remove(this->sets, this->cache, NULL);
this->sets->destroy(this->sets);
pthread_key_delete(this->local_sets);
@@ -1532,6 +1578,7 @@ credential_manager_t *credential_manager_create()
this->sets = linked_list_create();
pthread_key_create(&this->local_sets, (void*)this->sets->destroy);
this->cache = cert_cache_create();
+ this->cache_queue = linked_list_create();
this->sets->insert_first(this->sets, this->cache);
pthread_rwlock_init(&this->lock, NULL);
diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h
index b5f3b95cd..4166d05a3 100644
--- a/src/charon/credentials/credential_set.h
+++ b/src/charon/credentials/credential_set.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * $Id: credential_set.h 3820 2008-04-17 11:22:37Z martin $
+ * $Id: credential_set.h 4229 2008-07-30 11:38:44Z martin $
*/
/**
@@ -36,6 +36,13 @@ typedef struct credential_set_t credential_set_t;
* Enumerators are used because queries might return multiple matches.
* Filter parameters restrict enumeration over specific items only.
* See credential_manager_t for an overview of the credential framework.
+ *
+ * A credential set enumerator may not block the credential set, i.e. multiple
+ * threads must be able to hold multiple enumerators, as the credential manager
+ * is higly parallelized. The best way to achieve this is by using shared
+ * read locks for the enumerators only. Otherwiese deadlocks will occur.
+ * The writing cache_cert() routine is called by the manager only if no
+ * enumerator is alive, so it is save to use a write lock there.
*/
struct credential_set_t {
diff --git a/src/charon/credentials/sets/auth_info_wrapper.c b/src/charon/credentials/sets/auth_info_wrapper.c
index 32783ff93..7ec75be15 100644
--- a/src/charon/credentials/sets/auth_info_wrapper.c
+++ b/src/charon/credentials/sets/auth_info_wrapper.c
@@ -73,7 +73,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void
certificate_t *cert;
DBG1(DBG_CFG, " fetching certificate from '%s' ...", url);
- if (lib->fetcher->fetch(lib->fetcher, url, &data) != SUCCESS)
+ if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
{
DBG1(DBG_CFG, " fetching certificate failed");
/* we set the item to NULL, so we can skip it */
@@ -83,6 +83,7 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_BLOB_ASN1_DER, data, BUILD_END);
+ free(data.ptr);
if (!cert)
{
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 8af8bb619..4a9a97149 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -15,11 +15,13 @@
* $Id$
*/
+#define _GNU_SOURCE
+#include <pthread.h>
+
#include "cert_cache.h"
#include <daemon.h>
#include <utils/linked_list.h>
-#include <utils/mutex.h>
#define CACHE_SIZE 30
@@ -44,7 +46,7 @@ struct private_cert_cache_t {
/**
* do we have an active enumerator
*/
- bool enumerating;
+ refcount_t enumerating;
/**
* have we increased the cache without a check_cache?
@@ -52,9 +54,9 @@ struct private_cert_cache_t {
bool check_required;
/**
- * mutex to lock relations list
+ * read-write lock to sets list
*/
- mutex_t *mutex;
+ pthread_rwlock_t lock;
};
/**
@@ -88,8 +90,8 @@ static void check_cache(private_cert_cache_t *this)
{
this->check_required = TRUE;
}
- else
- {
+ else if (pthread_rwlock_trywrlock(&this->lock) == 0)
+ { /* never blocks, only done if lock is available */
while (this->relations->get_count(this->relations) > CACHE_SIZE)
{
relation_t *oldest = NULL, *current;
@@ -108,6 +110,7 @@ static void check_cache(private_cert_cache_t *this)
relation_destroy(oldest);
}
this->check_required = FALSE;
+ pthread_rwlock_unlock(&this->lock);
}
}
@@ -121,7 +124,7 @@ static bool issued_by(private_cert_cache_t *this,
enumerator_t *enumerator;
/* lookup cache */
- this->mutex->lock(this->mutex);
+ pthread_rwlock_rdlock(&this->lock);
enumerator = this->relations->create_enumerator(this->relations);
while (enumerator->enumerate(enumerator, &current))
{
@@ -146,7 +149,7 @@ static bool issued_by(private_cert_cache_t *this,
}
}
enumerator->destroy(enumerator);
- this->mutex->unlock(this->mutex);
+ pthread_rwlock_unlock(&this->lock);
if (found)
{
return TRUE;
@@ -161,10 +164,9 @@ static bool issued_by(private_cert_cache_t *this,
found->subject = subject->get_ref(subject);
found->issuer = issuer->get_ref(issuer);
found->last_use = time(NULL);
- this->mutex->lock(this->mutex);
+ /* insert should be ok without lock */
this->relations->insert_last(this->relations, found);
check_cache(this);
- this->mutex->unlock(this->mutex);
return TRUE;
}
@@ -230,12 +232,12 @@ static bool certs_filter(cert_data_t *data, relation_t **in, certificate_t **out
*/
static void certs_destroy(cert_data_t *data)
{
- data->this->enumerating--;
+ ref_put(&data->this->enumerating);
+ pthread_rwlock_unlock(&data->this->lock);
if (data->this->check_required)
{
check_cache(data->this);
}
- data->this->mutex->unlock(data->this->mutex);
free(data);
}
@@ -258,22 +260,14 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
data->id = id;
data->this = this;
- this->mutex->lock(this->mutex);
- this->enumerating++;
+ pthread_rwlock_rdlock(&this->lock);
+ ref_get(&this->enumerating);
return enumerator_create_filter(
this->relations->create_enumerator(this->relations),
(void*)certs_filter, data, (void*)certs_destroy);
}
/**
- * Implementation of credential_set_t.cache_cert.
- */
-static void cache_cert(private_cert_cache_t *this, certificate_t *cert)
-{
- /* TODO: implement caching */
-}
-
-/**
* Implementation of cert_cache_t.flush.
*/
static void flush(private_cert_cache_t *this, certificate_type_t type)
@@ -281,7 +275,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
enumerator_t *enumerator;
relation_t *relation;
- this->mutex->lock(this->mutex);
+ pthread_rwlock_wrlock(&this->lock);
enumerator = this->relations->create_enumerator(this->relations);
while (enumerator->enumerate(enumerator, &relation))
{
@@ -293,7 +287,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
}
}
enumerator->destroy(enumerator);
- this->mutex->unlock(this->mutex);
+ pthread_rwlock_unlock(&this->lock);
}
/**
@@ -302,7 +296,7 @@ static void flush(private_cert_cache_t *this, certificate_type_t type)
static void destroy(private_cert_cache_t *this)
{
this->relations->destroy_function(this->relations, (void*)relation_destroy);
- this->mutex->destroy(this->mutex);
+ pthread_rwlock_destroy(&this->lock);
free(this);
}
@@ -317,15 +311,15 @@ cert_cache_t *cert_cache_create()
this->public.set.create_cert_enumerator = (void*)create_enumerator;
this->public.set.create_shared_enumerator = (void*)return_null;
this->public.set.create_cdp_enumerator = (void*)return_null;
- this->public.set.cache_cert = (void*)cache_cert;
+ this->public.set.cache_cert = (void*)nop;
this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
this->public.destroy = (void(*)(cert_cache_t*))destroy;
this->relations = linked_list_create();
- this->enumerating = FALSE;
+ this->enumerating = 0;
this->check_required = FALSE;
- this->mutex = mutex_create(MUTEX_RECURSIVE);
+ pthread_rwlock_init(&this->lock, NULL);
return &this->public;
}