summaryrefslogtreecommitdiff
path: root/src/libstrongswan/credentials
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/credentials')
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c327
-rw-r--r--src/libstrongswan/credentials/auth_cfg.h15
-rw-r--r--src/libstrongswan/credentials/builder.c7
-rw-r--r--src/libstrongswan/credentials/builder.h16
-rw-r--r--src/libstrongswan/credentials/cert_validator.h20
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.c7
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.h8
-rw-r--r--src/libstrongswan/credentials/certificates/crl.c2
-rw-r--r--src/libstrongswan/credentials/certificates/pkcs10.h2
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h4
-rw-r--r--src/libstrongswan/credentials/containers/container.c25
-rw-r--r--src/libstrongswan/credentials/containers/container.h100
-rw-r--r--src/libstrongswan/credentials/containers/pkcs12.c173
-rw-r--r--src/libstrongswan/credentials/containers/pkcs12.h78
-rw-r--r--src/libstrongswan/credentials/containers/pkcs7.h63
-rw-r--r--src/libstrongswan/credentials/cred_encoding.c4
-rw-r--r--src/libstrongswan/credentials/cred_encoding.h2
-rw-r--r--src/libstrongswan/credentials/credential_factory.c25
-rw-r--r--src/libstrongswan/credentials/credential_factory.h5
-rw-r--r--src/libstrongswan/credentials/credential_manager.c365
-rw-r--r--src/libstrongswan/credentials/credential_manager.h68
-rw-r--r--src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c2
-rw-r--r--src/libstrongswan/credentials/keys/public_key.h2
-rw-r--r--src/libstrongswan/credentials/keys/shared_key.h2
-rw-r--r--src/libstrongswan/credentials/sets/auth_cfg_wrapper.c2
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.c30
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.h4
-rw-r--r--src/libstrongswan/credentials/sets/mem_cred.c63
-rw-r--r--src/libstrongswan/credentials/sets/mem_cred.h14
29 files changed, 1205 insertions, 230 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 12f75b240..2203519e2 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -17,26 +17,30 @@
#include "auth_cfg.h"
#include <library.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/array.h>
#include <utils/identification.h>
#include <eap/eap.h>
#include <credentials/certificates/certificate.h>
-ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
+ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_XAUTH,
"any",
"public key",
"pre-shared key",
"EAP",
+ "XAuth",
);
ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
"RULE_IDENTITY",
+ "RULE_IDENTITY_LOOSE",
"RULE_AUTH_CLASS",
"RULE_AAA_IDENTITY",
"RULE_EAP_IDENTITY",
"RULE_EAP_TYPE",
"RULE_EAP_VENDOR",
+ "RULE_XAUTH_BACKEND",
+ "RULE_XAUTH_IDENTITY",
"RULE_CA_CERT",
"RULE_IM_CERT",
"RULE_SUBJECT_CERT",
@@ -45,6 +49,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
"RULE_GROUP",
"RULE_RSA_STRENGTH",
"RULE_ECDSA_STRENGTH",
+ "RULE_SIGNATURE_SCHEME",
"RULE_CERT_POLICY",
"HELPER_IM_CERT",
"HELPER_SUBJECT_CERT",
@@ -66,9 +71,11 @@ static inline bool is_multi_value_rule(auth_rule_t type)
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
- case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_RULE_XAUTH_IDENTITY:
+ case AUTH_RULE_XAUTH_BACKEND:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_SUBJECT_HASH_URL:
case AUTH_RULE_MAX:
@@ -76,9 +83,11 @@ static inline bool is_multi_value_rule(auth_rule_t type)
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_GROUP:
+ case AUTH_RULE_SUBJECT_CERT:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_CERT_POLICY:
+ case AUTH_RULE_SIGNATURE_SCHEME:
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_REVOCATION_CERT:
@@ -100,9 +109,9 @@ struct private_auth_cfg_t {
auth_cfg_t public;
/**
- * list of entry_t
+ * Array of entry_t
*/
- linked_list_t *entries;
+ array_t *entries;
};
typedef struct entry_t entry_t;
@@ -175,21 +184,20 @@ METHOD(auth_cfg_t, create_enumerator, enumerator_t*,
.enumerate = (void*)enumerate,
.destroy = (void*)entry_enumerator_destroy,
},
- .inner = this->entries->create_enumerator(this->entries),
+ .inner = array_create_enumerator(this->entries),
);
return &enumerator->public;
}
/**
- * Create an entry from the given arguments.
+ * Initialize an entry.
*/
-static entry_t *entry_create(auth_rule_t type, va_list args)
+static void init_entry(entry_t *this, auth_rule_t type, va_list args)
{
- entry_t *this = malloc_thing(entry_t);
-
this->type = type;
switch (type)
{
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -197,12 +205,15 @@ static entry_t *entry_create(auth_rule_t type, va_list args)
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_SIGNATURE_SCHEME:
/* integer type */
this->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
+ case AUTH_RULE_XAUTH_BACKEND:
+ case AUTH_RULE_XAUTH_IDENTITY:
case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
@@ -220,7 +231,6 @@ static entry_t *entry_create(auth_rule_t type, va_list args)
this->value = NULL;
break;
}
- return this;
}
/**
@@ -234,6 +244,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
}
switch (e1->type)
{
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -241,6 +252,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_SIGNATURE_SCHEME:
{
return e1->value == e2->value;
}
@@ -261,6 +273,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
+ case AUTH_RULE_XAUTH_IDENTITY:
case AUTH_RULE_GROUP:
{
identification_t *id1, *id2;
@@ -271,6 +284,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
return id1->equals(id1, id2);
}
case AUTH_RULE_CERT_POLICY:
+ case AUTH_RULE_XAUTH_BACKEND:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
@@ -293,6 +307,7 @@ static void destroy_entry_value(entry_t *entry)
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_GROUP:
+ case AUTH_RULE_XAUTH_IDENTITY:
{
identification_t *id = (identification_t*)entry->value;
id->destroy(id);
@@ -310,12 +325,14 @@ static void destroy_entry_value(entry_t *entry)
break;
}
case AUTH_RULE_CERT_POLICY:
+ case AUTH_RULE_XAUTH_BACKEND:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
free(entry->value);
break;
}
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -323,6 +340,7 @@ static void destroy_entry_value(entry_t *entry)
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_SIGNATURE_SCHEME:
case AUTH_RULE_MAX:
break;
}
@@ -345,6 +363,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
entry->type = type;
switch (type)
{
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -352,12 +371,15 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_SIGNATURE_SCHEME:
/* integer type */
entry->value = (void*)(uintptr_t)va_arg(args, u_int);
break;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
+ case AUTH_RULE_XAUTH_BACKEND:
+ case AUTH_RULE_XAUTH_IDENTITY:
case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
@@ -423,12 +445,18 @@ METHOD(auth_cfg_t, get, void*,
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
return (void*)0;
+ case AUTH_RULE_SIGNATURE_SCHEME:
+ return HASH_UNKNOWN;
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
return (void*)VALIDATION_FAILED;
+ case AUTH_RULE_IDENTITY_LOOSE:
+ return (void*)FALSE;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
+ case AUTH_RULE_XAUTH_BACKEND:
+ case AUTH_RULE_XAUTH_IDENTITY:
case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
@@ -450,21 +478,21 @@ METHOD(auth_cfg_t, get, void*,
*/
static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
{
- entry_t *entry;
+ entry_t entry;
va_list args;
va_start(args, type);
- entry = entry_create(type, args);
+ init_entry(&entry, type, args);
va_end(args);
if (is_multi_value_rule(type))
{ /* insert rules that may occur multiple times at the end */
- this->entries->insert_last(this->entries, entry);
+ array_insert(this->entries, ARRAY_TAIL, &entry);
}
else
{ /* insert rules we expect only once at the front (get() will return
* the latest value) */
- this->entries->insert_first(this->entries, entry);
+ array_insert(this->entries, ARRAY_HEAD, &entry);
}
}
@@ -472,7 +500,11 @@ METHOD(auth_cfg_t, complies, bool,
private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
{
enumerator_t *e1, *e2;
- bool success = TRUE, has_group = FALSE, group_match = FALSE;
+ bool success = TRUE, group_match = FALSE, cert_match = FALSE;
+ identification_t *require_group = NULL;
+ certificate_t *require_cert = NULL;
+ signature_scheme_t scheme = SIGN_UNKNOWN;
+ u_int strength = 0;
auth_rule_t t1, t2;
void *value;
@@ -508,20 +540,21 @@ METHOD(auth_cfg_t, complies, bool,
}
case AUTH_RULE_SUBJECT_CERT:
{
- certificate_t *c1, *c2;
+ certificate_t *cert;
- c1 = (certificate_t*)value;
- c2 = get(this, AUTH_RULE_SUBJECT_CERT);
- if (!c2 || !c1->equals(c1, c2))
+ /* for certs, a match of a single cert is sufficient */
+ require_cert = (certificate_t*)value;
+
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &cert))
{
- success = FALSE;
- if (log_error)
+ if (t2 == AUTH_RULE_SUBJECT_CERT &&
+ cert->equals(cert, require_cert))
{
- DBG1(DBG_CFG, "constraint check failed: peer not "
- "authenticated with peer cert '%Y'.",
- c1->get_subject(c1));
+ cert_match = TRUE;
}
}
+ e2->destroy(e2);
break;
}
case AUTH_RULE_CRL_VALIDATION:
@@ -571,6 +604,7 @@ METHOD(auth_cfg_t, complies, bool,
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
+ case AUTH_RULE_XAUTH_IDENTITY:
{
identification_t *id1, *id2;
@@ -578,6 +612,17 @@ METHOD(auth_cfg_t, complies, bool,
id2 = get(this, t1);
if (!id2 || !id2->matches(id2, id1))
{
+ if (t1 == AUTH_RULE_IDENTITY &&
+ constraints->get(constraints, AUTH_RULE_IDENTITY_LOOSE))
+ { /* also verify identity against subjectAltNames */
+ certificate_t *cert;
+
+ cert = get(this, AUTH_HELPER_SUBJECT_CERT);
+ if (cert && cert->has_subject(cert, id1))
+ {
+ break;
+ }
+ }
success = FALSE;
if (log_error)
{
@@ -633,15 +678,15 @@ METHOD(auth_cfg_t, complies, bool,
}
case AUTH_RULE_GROUP:
{
- identification_t *id1, *id2;
+ identification_t *group;
/* for groups, a match of a single group is sufficient */
- has_group = TRUE;
- id1 = (identification_t*)value;
+ require_group = (identification_t*)value;
e2 = create_enumerator(this);
- while (e2->enumerate(e2, &t2, &id2))
+ while (e2->enumerate(e2, &t2, &group))
{
- if (t2 == AUTH_RULE_GROUP && id2->matches(id2, id1))
+ if (t2 == AUTH_RULE_GROUP &&
+ group->matches(group, require_group))
{
group_match = TRUE;
}
@@ -652,44 +697,12 @@ METHOD(auth_cfg_t, complies, bool,
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
{
- uintptr_t strength;
-
- e2 = create_enumerator(this);
- while (e2->enumerate(e2, &t2, &strength))
- {
- if (t2 == t1)
- {
- if ((uintptr_t)value > strength)
- {
- success = FALSE;
- if (log_error)
- {
- DBG1(DBG_CFG, "constraint requires %d bit "
- "public keys, but %d bit key used",
- (uintptr_t)value, strength);
- }
- }
- }
- else if (t2 == AUTH_RULE_RSA_STRENGTH)
- {
- success = FALSE;
- if (log_error)
- {
- DBG1(DBG_CFG, "constraint requires %d bit ECDSA, "
- "but RSA used", (uintptr_t)value);
- }
- }
- else if (t2 == AUTH_RULE_ECDSA_STRENGTH)
- {
- success = FALSE;
- if (log_error)
- {
- DBG1(DBG_CFG, "constraint requires %d bit RSA, "
- "but ECDSA used", (uintptr_t)value);
- }
- }
- }
- e2->destroy(e2);
+ strength = (uintptr_t)value;
+ break;
+ }
+ case AUTH_RULE_SIGNATURE_SCHEME:
+ {
+ scheme = (uintptr_t)value;
break;
}
case AUTH_RULE_CERT_POLICY:
@@ -714,6 +727,10 @@ METHOD(auth_cfg_t, complies, bool,
}
break;
}
+ case AUTH_RULE_IDENTITY_LOOSE:
+ /* just an indication when verifying AUTH_RULE_IDENTITY */
+ case AUTH_RULE_XAUTH_BACKEND:
+ /* not enforced, just a hint for local authentication */
case AUTH_HELPER_IM_CERT:
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_IM_HASH_URL:
@@ -730,11 +747,94 @@ METHOD(auth_cfg_t, complies, bool,
}
e1->destroy(e1);
- if (has_group && !group_match)
+ /* Check if we have a matching constraint (or none at all) for used
+ * signature schemes. */
+ if (success && scheme != SIGN_UNKNOWN)
+ {
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &scheme))
+ {
+ if (t2 == AUTH_RULE_SIGNATURE_SCHEME)
+ {
+ success = FALSE;
+ e1 = constraints->create_enumerator(constraints);
+ while (e1->enumerate(e1, &t1, &value))
+ {
+ if (t1 == AUTH_RULE_SIGNATURE_SCHEME &&
+ (uintptr_t)value == scheme)
+ {
+ success = TRUE;
+ break;
+ }
+ }
+ e1->destroy(e1);
+ if (!success)
+ {
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "signature scheme %N not acceptable",
+ signature_scheme_names, (int)scheme);
+ }
+ break;
+ }
+ }
+ }
+ e2->destroy(e2);
+ }
+
+ /* Check if we have a matching constraint (or none at all) for used
+ * public key strength */
+ if (success && strength)
+ {
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &strength))
+ {
+ if (t2 == AUTH_RULE_RSA_STRENGTH ||
+ t2 == AUTH_RULE_ECDSA_STRENGTH)
+ {
+ success = FALSE;
+ e1 = constraints->create_enumerator(constraints);
+ while (e1->enumerate(e1, &t1, &value))
+ {
+ if (t1 == t2 && (uintptr_t)value <= strength)
+ {
+ success = TRUE;
+ break;
+ }
+ }
+ e1->destroy(e1);
+ if (!success)
+ {
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "%s-%d signatures not acceptable",
+ t2 == AUTH_RULE_RSA_STRENGTH ? "RSA" : "ECDSA",
+ strength);
+ }
+ break;
+ }
+ }
+ }
+ e2->destroy(e2);
+ }
+
+ if (require_group && !group_match)
{
if (log_error)
{
- DBG1(DBG_CFG, "constraint check failed: group membership required");
+ DBG1(DBG_CFG, "constraint check failed: group membership to "
+ "'%Y' required", require_group);
+ }
+ return FALSE;
+ }
+
+ if (require_cert && !cert_match)
+ {
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: peer not "
+ "authenticated with peer cert '%Y'.",
+ require_cert->get_subject(require_cert));
}
return FALSE;
}
@@ -774,6 +874,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
add(this, type, cert->get_ref(cert));
break;
}
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_AUTH_CLASS:
@@ -781,6 +882,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_SIGNATURE_SCHEME:
{
add(this, type, (uintptr_t)value);
break;
@@ -789,12 +891,14 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_GROUP:
+ case AUTH_RULE_XAUTH_IDENTITY:
{
identification_t *id = (identification_t*)value;
add(this, type, id->clone(id));
break;
}
+ case AUTH_RULE_XAUTH_BACKEND:
case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
@@ -810,20 +914,20 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
}
else
{
- entry_t *entry;
+ entry_t entry;
- while (other->entries->remove_first(other->entries,
- (void**)&entry) == SUCCESS)
+ while (array_remove(other->entries, ARRAY_HEAD, &entry))
{
- this->entries->insert_last(this->entries, entry);
+ array_insert(this->entries, ARRAY_TAIL, &entry);
}
+ array_compress(other->entries);
}
}
/**
- * Implementation of auth_cfg_t.equals.
+ * Compare two auth_cfg_t objects for equality.
*/
-static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
+static bool auth_cfg_equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
{
enumerator_t *e1, *e2;
entry_t *i1, *i2;
@@ -831,12 +935,12 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
/* the rule count does not have to be equal for the two, as we only compare
* the first value found for some rules */
- e1 = this->entries->create_enumerator(this->entries);
+ e1 = array_create_enumerator(this->entries);
while (e1->enumerate(e1, &i1))
{
found = FALSE;
- e2 = other->entries->create_enumerator(other->entries);
+ e2 = array_create_enumerator(other->entries);
while (e2->enumerate(e2, &i2))
{
if (entry_equals(i1, i2))
@@ -860,30 +964,38 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
return equal;
}
+/**
+ * Implementation of auth_cfg_t.equals.
+ */
+static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
+{
+ if (auth_cfg_equals(this, other))
+ {
+ /* as 'other' might contain entries that 'this' doesn't we also check
+ * the other way around */
+ return auth_cfg_equals(other, this);
+ }
+ return FALSE;
+}
+
METHOD(auth_cfg_t, purge, void,
private_auth_cfg_t *this, bool keep_ca)
{
+ enumerator_t *enumerator;
entry_t *entry;
- linked_list_t *cas;
- cas = linked_list_create();
- while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
+ enumerator = array_create_enumerator(this->entries);
+ while (enumerator->enumerate(enumerator, &entry))
{
- if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
- {
- cas->insert_first(cas, entry);
- }
- else
+ if (!keep_ca || entry->type != AUTH_RULE_CA_CERT)
{
+ array_remove_at(this->entries, enumerator);
destroy_entry_value(entry);
- free(entry);
}
}
- while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
- {
- this->entries->insert_first(this->entries, entry);
- }
- cas->destroy(cas);
+ enumerator->destroy(enumerator);
+
+ array_compress(this->entries);
}
METHOD(auth_cfg_t, clone_, auth_cfg_t*,
@@ -891,22 +1003,24 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
{
enumerator_t *enumerator;
auth_cfg_t *clone;
- entry_t *entry;
+ auth_rule_t type;
+ void *value;
clone = auth_cfg_create();
/* this enumerator skips duplicates for rules we expect only once */
- enumerator = this->entries->create_enumerator(this->entries);
- while (enumerator->enumerate(enumerator, &entry))
+ enumerator = create_enumerator(this);
+ while (enumerator->enumerate(enumerator, &type, &value))
{
- switch (entry->type)
+ switch (type)
{
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_GROUP:
+ case AUTH_RULE_XAUTH_IDENTITY:
{
- identification_t *id = (identification_t*)entry->value;
- clone->add(clone, entry->type, id->clone(id));
+ identification_t *id = (identification_t*)value;
+ clone->add(clone, type, id->clone(id));
break;
}
case AUTH_RULE_CA_CERT:
@@ -916,17 +1030,19 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
case AUTH_HELPER_SUBJECT_CERT:
case AUTH_HELPER_REVOCATION_CERT:
{
- certificate_t *cert = (certificate_t*)entry->value;
- clone->add(clone, entry->type, cert->get_ref(cert));
+ certificate_t *cert = (certificate_t*)value;
+ clone->add(clone, type, cert->get_ref(cert));
break;
}
+ case AUTH_RULE_XAUTH_BACKEND:
case AUTH_RULE_CERT_POLICY:
case AUTH_HELPER_IM_HASH_URL:
case AUTH_HELPER_SUBJECT_HASH_URL:
{
- clone->add(clone, entry->type, strdup(entry->value));
+ clone->add(clone, type, strdup(value));
break;
}
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -934,7 +1050,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
- clone->add(clone, entry->type, (uintptr_t)entry->value);
+ case AUTH_RULE_SIGNATURE_SCHEME:
+ clone->add(clone, type, (uintptr_t)value);
break;
case AUTH_RULE_MAX:
break;
@@ -948,7 +1065,7 @@ METHOD(auth_cfg_t, destroy, void,
private_auth_cfg_t *this)
{
purge(this, FALSE);
- this->entries->destroy(this->entries);
+ array_destroy(this->entries);
free(this);
}
@@ -972,7 +1089,7 @@ auth_cfg_t *auth_cfg_create()
.clone = _clone_,
.destroy = _destroy,
},
- .entries = linked_list_create(),
+ .entries = array_create(sizeof(entry_t), 0),
);
return &this->public;
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 4d12a9c14..d87935589 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -22,7 +22,7 @@
#ifndef AUTH_CFG_H_
#define AUTH_CFG_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
typedef struct auth_cfg_t auth_cfg_t;
typedef enum auth_rule_t auth_rule_t;
@@ -42,6 +42,8 @@ enum auth_class_t {
AUTH_CLASS_PSK = 2,
/** authentication using EAP */
AUTH_CLASS_EAP = 3,
+ /** authentication using IKEv1 XAUTH */
+ AUTH_CLASS_XAUTH = 4,
};
/**
@@ -65,6 +67,9 @@ extern enum_name_t *auth_class_names;
enum auth_rule_t {
/** identity to use for IKEv2 authentication exchange, identification_t* */
AUTH_RULE_IDENTITY,
+ /** if TRUE don't send IDr as initiator, but verify the identity after
+ * receiving IDr (but also verify it against subjectAltNames), bool */
+ AUTH_RULE_IDENTITY_LOOSE,
/** authentication class, auth_class_t */
AUTH_RULE_AUTH_CLASS,
/** AAA-backend identity for EAP methods supporting it, identification_t* */
@@ -75,6 +80,10 @@ enum auth_rule_t {
AUTH_RULE_EAP_TYPE,
/** EAP vendor for vendor specific type, u_int32_t */
AUTH_RULE_EAP_VENDOR,
+ /** XAUTH backend name to use, char* */
+ AUTH_RULE_XAUTH_BACKEND,
+ /** XAuth identity to use or require, identification_t* */
+ AUTH_RULE_XAUTH_IDENTITY,
/** certificate authority, certificate_t* */
AUTH_RULE_CA_CERT,
/** intermediate certificate in trustchain, certificate_t* */
@@ -93,6 +102,8 @@ enum auth_rule_t {
AUTH_RULE_RSA_STRENGTH,
/** required ECDSA public key strength, u_int in bits */
AUTH_RULE_ECDSA_STRENGTH,
+ /** required signature scheme, signature_scheme_t */
+ AUTH_RULE_SIGNATURE_SCHEME,
/** certificatePolicy constraint, numerical OID as char* */
AUTH_RULE_CERT_POLICY,
@@ -172,7 +183,7 @@ struct auth_cfg_t {
* For rules we expect only once the latest value is returned.
*
* @param rule rule type
- * @return bool if item has been found
+ * @return rule or NULL (or an appropriate default) if not found
*/
void* (*get)(auth_cfg_t *this, auth_rule_t rule);
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index d3157c80e..6710dfb54 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -19,10 +19,12 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_FROM_FILE",
"BUILD_FROM_FD",
"BUILD_AGENT_SOCKET",
+ "BUILD_BLOB",
"BUILD_BLOB_ASN1_DER",
"BUILD_BLOB_PEM",
"BUILD_BLOB_PGP",
"BUILD_BLOB_DNSKEY",
+ "BUILD_BLOB_SSHKEY",
"BUILD_BLOB_ALGID_PARAMS",
"BUILD_KEY_SIZE",
"BUILD_SIGNING_KEY",
@@ -36,6 +38,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_NOT_AFTER_TIME",
"BUILD_SERIAL",
"BUILD_DIGEST_ALG",
+ "BUILD_ENCRYPTION_ALG",
"BUILD_IETF_GROUP_ATTR",
"BUILD_CA_CERT",
"BUILD_CERT",
@@ -53,6 +56,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_REVOKED_ENUMERATOR",
"BUILD_BASE_CRL",
"BUILD_CHALLENGE_PWD",
+ "BUILD_PKCS7_ATTRIBUTE",
"BUILD_PKCS11_MODULE",
"BUILD_PKCS11_SLOT",
"BUILD_PKCS11_KEYID",
@@ -64,6 +68,9 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_RSA_EXP1",
"BUILD_RSA_EXP2",
"BUILD_RSA_COEFF",
+ "BUILD_SAFE_PRIMES",
+ "BUILD_SHARES",
+ "BUILD_THRESHOLD",
"BUILD_END",
);
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 41250ccae..5ab462fa8 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -49,6 +49,8 @@ enum builder_part_t {
BUILD_FROM_FD,
/** unix socket of a ssh/pgp agent, char* */
BUILD_AGENT_SOCKET,
+ /** An arbitrary blob of data, chunk_t */
+ BUILD_BLOB,
/** DER encoded ASN.1 blob, chunk_t */
BUILD_BLOB_ASN1_DER,
/** PEM encoded ASN.1/PGP blob, chunk_t */
@@ -57,6 +59,8 @@ enum builder_part_t {
BUILD_BLOB_PGP,
/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
BUILD_BLOB_DNSKEY,
+ /** SSH public key blob (RFC 4253), chunk_t */
+ BUILD_BLOB_SSHKEY,
/** parameters from algorithmIdentifier (ASN.1 blob), chunk_t */
BUILD_BLOB_ALGID_PARAMS,
/** key size in bits, as used for key generation, u_int */
@@ -81,8 +85,10 @@ enum builder_part_t {
BUILD_NOT_AFTER_TIME,
/** a serial number in binary form, chunk_t */
BUILD_SERIAL,
- /** digest algorithm to be used for signature, int */
+ /** digest algorithm to be used for signature, hash_algorithm_t */
BUILD_DIGEST_ALG,
+ /** encryption algorithm to use, encryption_algorithm_t */
+ BUILD_ENCRYPTION_ALG,
/** a comma-separated list of ietf group attributes, char* */
BUILD_IETF_GROUP_ATTR,
/** a ca certificate, certificate_t* */
@@ -117,6 +123,8 @@ enum builder_part_t {
BUILD_BASE_CRL,
/** PKCS#10 challenge password */
BUILD_CHALLENGE_PWD,
+ /** PKCS#7 attribute, int oid, chunk_t with ASN1 type encoded value */
+ BUILD_PKCS7_ATTRIBUTE,
/** friendly name of a PKCS#11 module, null terminated char* */
BUILD_PKCS11_MODULE,
/** slot specifier for a token in a PKCS#11 module, int */
@@ -139,6 +147,12 @@ enum builder_part_t {
BUILD_RSA_EXP2,
/** coefficient (coeff) of a RSA key, chunk_t */
BUILD_RSA_COEFF,
+ /** generate (p) and (q) as safe primes */
+ BUILD_SAFE_PRIMES,
+ /** number of private key shares */
+ BUILD_SHARES,
+ /** minimum number of participating private key shares */
+ BUILD_THRESHOLD,
/** end of variable argument builder list */
BUILD_END,
};
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 00e30d7a0..6b28f35c1 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -35,14 +35,34 @@ typedef struct cert_validator_t cert_validator_t;
struct cert_validator_t {
/**
+ * Check the lifetime of a certificate.
+ *
+ * If this function returns SUCCESS or FAILED, the certificate lifetime is
+ * considered definitely (in-)valid, without asking other validators.
+ * If all registered validaters return NEED_MORE, the default
+ * lifetime check is performed.
+ *
+ * @param cert certificate to check lifetime
+ * @param pathlen the current length of the path bottom-up
+ * @param anchor is certificate trusted root anchor?
+ * @param auth container for resulting authentication info
+ * @return SUCCESS, FAILED or NEED_MORE to ask next validator
+ */
+ status_t (*check_lifetime)(cert_validator_t *this, certificate_t *cert,
+ int pathlen, bool anchor, auth_cfg_t *auth);
+ /**
* Validate a subject certificate in relation to its issuer.
*
+ * If FALSE is returned, the validator should call_hook() on the
+ * credential manager with an appropriate type and the certificate.
+ *
* @param subject subject certificate to check
* @param issuer issuer of subject
* @param online whether to do online revocation checking
* @param pathlen the current length of the path bottom-up
* @param anchor is issuer trusted root anchor
* @param auth container for resulting authentication info
+ * @return TRUE if subject certificate valid
*/
bool (*validate)(cert_validator_t *this, certificate_t *subject,
certificate_t *issuer, bool online, u_int pathlen,
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 33ba4e907..b281c1669 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,10 +15,10 @@
#include "certificate.h"
-#include <debug.h>
+#include <utils/debug.h>
#include <credentials/certificates/x509.h>
-ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
+ENUM(certificate_type_names, CERT_ANY, CERT_GPG,
"ANY",
"X509",
"X509_CRL",
@@ -28,9 +28,6 @@ ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
"TRUSTED_PUBKEY",
"PKCS10_REQUEST",
"PGP",
- "PLUTO_CERT",
- "PLUTO_AC",
- "PLUTO_CRL",
);
ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 2f471da5b..d59126bd5 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -52,10 +52,6 @@ enum certificate_type_t {
CERT_PKCS10_REQUEST,
/** PGP certificate */
CERT_GPG,
- /** Pluto cert_t (not a certificate_t), either x509 or PGP */
- CERT_PLUTO_CERT,
- /** Pluto x509crl_t (not a certificate_t), certificate revocation list */
- CERT_PLUTO_CRL,
};
/**
@@ -143,9 +139,11 @@ struct certificate_t {
* Check if this certificate is issued and signed by a specific issuer.
*
* @param issuer issuer's certificate
+ * @param scheme receives signature scheme used during verification
* @return TRUE if certificate issued by issuer and trusted
*/
- bool (*issued_by)(certificate_t *this, certificate_t *issuer);
+ bool (*issued_by)(certificate_t *this, certificate_t *issuer,
+ signature_scheme_t *scheme);
/**
* Get the public key associated to this certificate.
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 69bd80b84..09fd0bfc8 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,7 +16,7 @@
#include "crl.h"
-#include <debug.h>
+#include <utils/debug.h>
ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
"unspecified",
diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h
index 9a4979757..2f35eb6a5 100644
--- a/src/libstrongswan/credentials/certificates/pkcs10.h
+++ b/src/libstrongswan/credentials/certificates/pkcs10.h
@@ -21,7 +21,7 @@
#ifndef PKCS10_H_
#define PKCS10_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <credentials/certificates/certificate.h>
typedef struct pkcs10_t pkcs10_t;
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 5125aca26..4e8d4317f 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -21,7 +21,7 @@
#ifndef X509_H_
#define X509_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <credentials/certificates/certificate.h>
/* constraints are currently restricted to the range 0..127 */
@@ -56,6 +56,8 @@ enum x509_flag_t {
X509_IP_ADDR_BLOCKS = (1<<6),
/** cert has CRL sign key usage */
X509_CRL_SIGN = (1<<7),
+ /** cert has iKEIntermediate key usage */
+ X509_IKE_INTERMEDIATE = (1<<8),
};
/**
diff --git a/src/libstrongswan/credentials/containers/container.c b/src/libstrongswan/credentials/containers/container.c
new file mode 100644
index 000000000..7456d43db
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.c
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "container.h"
+
+ENUM(container_type_names, CONTAINER_PKCS7, CONTAINER_PKCS12,
+ "PKCS7",
+ "PKCS7_DATA",
+ "PKCS7_SIGNED_DATA",
+ "PKCS7_ENVELOPED_DATA",
+ "PKCS7_ENCRYPTED_DATA",
+ "PKCS12",
+);
diff --git a/src/libstrongswan/credentials/containers/container.h b/src/libstrongswan/credentials/containers/container.h
new file mode 100644
index 000000000..ee329881d
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/container.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup container container
+ * @{ @ingroup containers
+ */
+
+#ifndef CONTAINER_H_
+#define CONTAINER_H_
+
+typedef struct container_t container_t;
+typedef enum container_type_t container_type_t;
+
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
+
+/**
+ * Type of the container.
+ */
+enum container_type_t {
+ /** Any kind of PKCS#7/CMS container */
+ CONTAINER_PKCS7,
+ /** PKCS#7/CMS plain "data" */
+ CONTAINER_PKCS7_DATA,
+ /** PKCS#7/CMS "signed-data" */
+ CONTAINER_PKCS7_SIGNED_DATA,
+ /** PKCS#7/CMS "enveloped-data" */
+ CONTAINER_PKCS7_ENVELOPED_DATA,
+ /** PKCS#7/CMS "encrypted-data" */
+ CONTAINER_PKCS7_ENCRYPTED_DATA,
+ /** A PKCS#12 container */
+ CONTAINER_PKCS12,
+};
+
+/**
+ * Enum names for container_type_t
+ */
+extern enum_name_t *container_type_names;
+
+/**
+ * Generic interface for cryptographic containers.
+ */
+struct container_t {
+
+ /**
+ * Get the type of the container.
+ *
+ * @return container type
+ */
+ container_type_t (*get_type)(container_t *this);
+
+ /**
+ * Create an enumerator over trustchains for valid container signatures.
+ *
+ * @return enumerator over auth_cfg_t*
+ */
+ enumerator_t* (*create_signature_enumerator)(container_t *this);
+
+ /**
+ * Get signed/decrypted data wrapped in this container.
+ *
+ * This function does not verify any associated signatures, use
+ * create_signature_enumerator() to verify them.
+ *
+ * @param data allocated data wrapped in this container
+ * @return TRUE if data decrypted successfully
+ */
+ bool (*get_data)(container_t *this, chunk_t *data);
+
+ /**
+ * Get the encoding of the full signed/encrypted container.
+ *
+ * @param data allocated container encoding
+ * @return TRUE if encodign successful
+ */
+ bool (*get_encoding)(container_t *this, chunk_t *encoding);
+
+ /**
+ * Destroy a container_t.
+ */
+ void (*destroy)(container_t *this);
+};
+
+#endif /** CONTAINER_H_ @}*/
diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
new file mode 100644
index 000000000..7b812d27d
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs12.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs12.h"
+
+#include <utils/debug.h>
+
+/**
+ * v * ceiling(len/v)
+ */
+#define PKCS12_LEN(len, v) (((len) + v-1) & ~(v-1))
+
+/**
+ * Copy src to dst as many times as possible
+ */
+static inline void copy_chunk(chunk_t dst, chunk_t src)
+{
+ size_t i;
+
+ for (i = 0; i < dst.len; i++)
+ {
+ dst.ptr[i] = src.ptr[i % src.len];
+ }
+}
+
+/**
+ * Treat two chunks as integers in network order and add them together.
+ * The result is stored in the first chunk, if the second chunk is longer or the
+ * result overflows this is ignored.
+ */
+static void add_chunks(chunk_t a, chunk_t b)
+{
+ u_int16_t sum;
+ u_int8_t rem = 0;
+ ssize_t i, j;
+
+ for (i = a.len - 1, j = b.len -1; i >= 0 && j >= 0; i--, j--)
+ {
+ sum = a.ptr[i] + b.ptr[j] + rem;
+ a.ptr[i] = (u_char)sum;
+ rem = sum >> 8;
+ }
+ for (; i >= 0 && rem; i--)
+ {
+ sum = a.ptr[i] + rem;
+ a.ptr[i] = (u_char)sum;
+ rem = sum >> 8;
+ }
+}
+
+/**
+ * Do the actual key derivation with the given hasher, password and id.
+ */
+static bool derive_key(hash_algorithm_t hash, chunk_t unicode, chunk_t salt,
+ u_int64_t iterations, char id, chunk_t result)
+{
+ chunk_t out = result, D, S, P = chunk_empty, I, Ai, B, Ij;
+ hasher_t *hasher;
+ size_t Slen, v, u;
+ u_int64_t i;
+ bool success = FALSE;
+
+ hasher = lib->crypto->create_hasher(lib->crypto, hash);
+ if (!hasher)
+ {
+ DBG1(DBG_ASN, " %N hash algorithm not available",
+ hash_algorithm_names, hash);
+ return FALSE;
+ }
+ switch (hash)
+ {
+ case HASH_MD2:
+ case HASH_MD5:
+ case HASH_SHA1:
+ case HASH_SHA224:
+ case HASH_SHA256:
+ v = 64;
+ break;
+ case HASH_SHA384:
+ case HASH_SHA512:
+ v = 128;
+ break;
+ default:
+ goto end;
+ }
+ u = hasher->get_hash_size(hasher);
+
+ D = chunk_alloca(v);
+ memset(D.ptr, id, D.len);
+
+ Slen = PKCS12_LEN(salt.len, v);
+ I = chunk_alloca(Slen + PKCS12_LEN(unicode.len, v));
+ S = chunk_create(I.ptr, Slen);
+ P = chunk_create(I.ptr + Slen, I.len - Slen);
+ copy_chunk(S, salt);
+ copy_chunk(P, unicode);
+
+ Ai = chunk_alloca(u);
+ B = chunk_alloca(v);
+
+ while (TRUE)
+ {
+ if (!hasher->get_hash(hasher, D, NULL) ||
+ !hasher->get_hash(hasher, I, Ai.ptr))
+ {
+ goto end;
+ }
+ for (i = 1; i < iterations; i++)
+ {
+ if (!hasher->get_hash(hasher, Ai, Ai.ptr))
+ {
+ goto end;
+ }
+ }
+ memcpy(out.ptr, Ai.ptr, min(out.len, Ai.len));
+ out = chunk_skip(out, Ai.len);
+ if (!out.len)
+ {
+ break;
+ }
+ copy_chunk(B, Ai);
+ /* B = B+1 */
+ add_chunks(B, chunk_from_chars(0x01));
+ Ij = chunk_create(I.ptr, v);
+ for (i = 0; i < I.len; i += v, Ij.ptr += v)
+ { /* Ij = Ij + B + 1 */
+ add_chunks(Ij, B);
+ }
+ }
+ success = TRUE;
+end:
+ hasher->destroy(hasher);
+ return success;
+}
+
+/*
+ * Described in header
+ */
+bool pkcs12_derive_key(hash_algorithm_t hash, chunk_t password, chunk_t salt,
+ u_int64_t iterations, pkcs12_key_type_t type, chunk_t key)
+{
+ chunk_t unicode = chunk_empty;
+ bool success;
+ int i;
+
+ if (password.len)
+ { /* convert the password to UTF-16BE (without BOM) with 0 terminator */
+ unicode = chunk_alloca(password.len * 2 + 2);
+ for (i = 0; i < password.len; i++)
+ {
+ unicode.ptr[i * 2] = 0;
+ unicode.ptr[i * 2 + 1] = password.ptr[i];
+ }
+ unicode.ptr[i * 2] = 0;
+ unicode.ptr[i * 2 + 1] = 0;
+ }
+
+ success = derive_key(hash, unicode, salt, iterations, type, key);
+ memwipe(unicode.ptr, unicode.len);
+ return success;
+}
diff --git a/src/libstrongswan/credentials/containers/pkcs12.h b/src/libstrongswan/credentials/containers/pkcs12.h
new file mode 100644
index 000000000..f22ef045a
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs12.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs12 pkcs12
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS12_H_
+#define PKCS12_H_
+
+#include <credentials/containers/container.h>
+#include <crypto/hashers/hasher.h>
+
+typedef enum pkcs12_key_type_t pkcs12_key_type_t;
+typedef struct pkcs12_t pkcs12_t;
+
+/**
+ * The types of password based keys used by PKCS#12.
+ */
+enum pkcs12_key_type_t {
+ PKCS12_KEY_ENCRYPTION = 1,
+ PKCS12_KEY_IV = 2,
+ PKCS12_KEY_MAC = 3,
+};
+
+/**
+ * PKCS#12/PFX container type.
+ */
+struct pkcs12_t {
+
+ /**
+ * Implements container_t.
+ */
+ container_t container;
+
+ /**
+ * Create an enumerator over extracted certificates.
+ *
+ * @return enumerator over certificate_t
+ */
+ enumerator_t* (*create_cert_enumerator)(pkcs12_t *this);
+
+ /**
+ * Create an enumerator over extracted private keys.
+ *
+ * @return enumerator over private_key_t
+ */
+ enumerator_t* (*create_key_enumerator)(pkcs12_t *this);
+};
+
+/**
+ * Derive the keys used in PKCS#12 for password integrity/privacy mode.
+ *
+ * @param hash hash algorithm to use for key derivation
+ * @param password password (ASCII)
+ * @param salt salt value
+ * @param iterations number of iterations
+ * @param type type of key to derive
+ * @param key the returned key, must be allocated of desired length
+ * @return TRUE on success
+ */
+bool pkcs12_derive_key(hash_algorithm_t hash, chunk_t password, chunk_t salt,
+ u_int64_t iterations, pkcs12_key_type_t type, chunk_t key);
+
+#endif /** PKCS12_H_ @}*/
diff --git a/src/libstrongswan/credentials/containers/pkcs7.h b/src/libstrongswan/credentials/containers/pkcs7.h
new file mode 100644
index 000000000..d42d82b0b
--- /dev/null
+++ b/src/libstrongswan/credentials/containers/pkcs7.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7 pkcs7
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS7_H_
+#define PKCS7_H_
+
+#include <credentials/containers/container.h>
+
+typedef struct pkcs7_t pkcs7_t;
+
+/**
+ * PKCS#7/CMS container type.
+ */
+struct pkcs7_t {
+
+ /**
+ * Implements container_t.
+ */
+ container_t container;
+
+ /**
+ * Get an authenticated PKCS#9 attribute from PKCS#7 signerInfo.
+ *
+ * To select the signerInfo structure to get the attribute from, pass
+ * the enumerator position from container_t.create_signature_enumerator().
+ *
+ * The attribute returned does not contain type information and must be
+ * freed after use.
+ *
+ * @param oid OID from the attribute to get
+ * @param enumerator enumerator to select signerInfo
+ * @param value chunk receiving attribute value, allocated
+ * @return TRUE if attribute found
+ */
+ bool (*get_attribute)(pkcs7_t *this, int oid, enumerator_t *enumerator,
+ chunk_t *value);
+
+ /**
+ * Create an enumerator over attached certificates.
+ *
+ * @return enumerator over certificate_t
+ */
+ enumerator_t* (*create_cert_enumerator)(pkcs7_t *this);
+};
+
+#endif /** PKCS7_H_ @}*/
diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c
index 4865984dd..53ac13cbb 100644
--- a/src/libstrongswan/credentials/cred_encoding.c
+++ b/src/libstrongswan/credentials/cred_encoding.c
@@ -17,8 +17,8 @@
#include <stdint.h>
-#include <utils/linked_list.h>
-#include <utils/hashtable.h>
+#include <collections/linked_list.h>
+#include <collections/hashtable.h>
#include <threading/rwlock.h>
typedef struct private_cred_encoding_t private_cred_encoding_t;
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index b029fe2ac..41481f376 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -85,6 +85,8 @@ enum cred_encoding_type_t {
/** PGP key encoding */
PUBKEY_PGP,
PRIVKEY_PGP,
+ /** DNSKEY encoding */
+ PUBKEY_DNSKEY,
/** ASN.1 DER encoded certificate */
CERT_ASN1_DER,
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index ff621012f..94c7820e1 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -17,17 +17,18 @@
#include "credential_factory.h"
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
#include <threading/thread_value.h>
#include <threading/rwlock.h>
#include <credentials/certificates/x509.h>
+#include <credentials/containers/container.h>
-ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE,
+ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CONTAINER,
"CRED_PRIVATE_KEY",
"CRED_PUBLIC_KEY",
"CRED_CERTIFICATE",
- "CRED_PLUTO_CERT",
+ "CRED_CONTAINER",
);
typedef struct private_credential_factory_t private_credential_factory_t;
@@ -139,11 +140,21 @@ METHOD(credential_factory_t, create, void*,
if (!construct && !level)
{
- enum_name_t *names = key_type_names;
+ enum_name_t *names;
- if (type == CRED_CERTIFICATE)
+ switch (type)
{
- names = certificate_type_names;
+ case CRED_CERTIFICATE:
+ names = certificate_type_names;
+ break;
+ case CRED_CONTAINER:
+ names = container_type_names;
+ break;
+ case CRED_PRIVATE_KEY:
+ case CRED_PUBLIC_KEY:
+ default:
+ names = key_type_names;
+ break;
}
DBG1(DBG_LIB, "building %N - %N failed, tried %d builders",
credential_type_names, type, names, subtype, failures);
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index c31601245..55b669529 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -28,6 +28,9 @@ typedef enum credential_type_t credential_type_t;
/**
* Kind of credential.
+ *
+ * While crypto containers are not really credentials, we still use the
+ * credential factory and builders create them.
*/
enum credential_type_t {
/** private key, implemented in private_key_t */
@@ -36,6 +39,8 @@ enum credential_type_t {
CRED_PUBLIC_KEY,
/** certificates, implemented in certificate_t */
CRED_CERTIFICATE,
+ /** crypto container, implemented in container_t */
+ CRED_CONTAINER,
};
/**
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index b3461b810..de19c8d96 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -16,11 +16,11 @@
#include "credential_manager.h"
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include <threading/thread_value.h>
#include <threading/mutex.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <credentials/sets/cert_cache.h>
#include <credentials/sets/auth_cfg_wrapper.h>
#include <credentials/certificates/x509.h>
@@ -53,6 +53,11 @@ struct private_credential_manager_t {
thread_value_t *local_sets;
/**
+ * Exclusive local sets, linked_list_t with credential_set_t
+ */
+ thread_value_t *exclusive_local_sets;
+
+ /**
* trust relationship and certificate cache
*/
cert_cache_t *cache;
@@ -76,6 +81,16 @@ struct private_credential_manager_t {
* mutex for cache queue
*/
mutex_t *queue_mutex;
+
+ /**
+ * Registered hook to call on validation errors
+ */
+ credential_hook_t hook;
+
+ /**
+ * Registered data to pass to hook
+ */
+ void *hook_data;
};
/** data to pass to create_private_enumerator */
@@ -117,12 +132,39 @@ typedef struct {
enumerator_t *global;
/** enumerator over local sets */
enumerator_t *local;
+ /** enumerator over exclusive local sets */
+ enumerator_t *exclusive;
} sets_enumerator_t;
+METHOD(credential_manager_t, set_hook, void,
+ private_credential_manager_t *this, credential_hook_t hook, void *data)
+{
+ this->hook = hook;
+ this->hook_data = data;
+}
+
+METHOD(credential_manager_t, call_hook, void,
+ private_credential_manager_t *this, credential_hook_type_t type,
+ certificate_t *cert)
+{
+ if (this->hook)
+ {
+ this->hook(this->hook_data, type, cert);
+ }
+}
METHOD(enumerator_t, sets_enumerate, bool,
sets_enumerator_t *this, credential_set_t **set)
{
+ if (this->exclusive)
+ {
+ if (this->exclusive->enumerate(this->exclusive, set))
+ { /* only enumerate last added */
+ this->exclusive->destroy(this->exclusive);
+ this->exclusive = NULL;
+ return TRUE;
+ }
+ }
if (this->global)
{
if (this->global->enumerate(this->global, set))
@@ -145,6 +187,7 @@ METHOD(enumerator_t, sets_destroy, void,
{
DESTROY_IF(this->global);
DESTROY_IF(this->local);
+ DESTROY_IF(this->exclusive);
free(this);
}
@@ -154,19 +197,28 @@ METHOD(enumerator_t, sets_destroy, void,
static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
{
sets_enumerator_t *enumerator;
- linked_list_t *local;
+ linked_list_t *list;
INIT(enumerator,
.public = {
.enumerate = (void*)_sets_enumerate,
.destroy = _sets_destroy,
},
- .global = this->sets->create_enumerator(this->sets),
);
- local = this->local_sets->get(this->local_sets);
- if (local)
+
+ list = this->exclusive_local_sets->get(this->exclusive_local_sets);
+ if (list && list->get_count(list))
{
- enumerator->local = local->create_enumerator(local);
+ enumerator->exclusive = list->create_enumerator(list);
+ }
+ else
+ {
+ enumerator->global = this->sets->create_enumerator(this->sets);
+ list = this->local_sets->get(this->local_sets);
+ if (list)
+ {
+ enumerator->local = list->create_enumerator(list);
+ }
}
return &enumerator->public;
}
@@ -352,8 +404,8 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
identification_t *me, identification_t *other)
{
shared_key_t *current, *found = NULL;
- id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
- id_match_t *match_me, *match_other;
+ id_match_t best_me = ID_MATCH_NONE, best_other = ID_MATCH_NONE;
+ id_match_t match_me, match_other;
enumerator_t *enumerator;
enumerator = create_shared_enumerator(this, type, me, other);
@@ -367,32 +419,76 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
best_me = match_me;
best_other = match_other;
}
+ if (best_me == ID_MATCH_PERFECT && best_other == ID_MATCH_PERFECT)
+ {
+ break;
+ }
}
enumerator->destroy(enumerator);
return found;
}
METHOD(credential_manager_t, add_local_set, void,
- private_credential_manager_t *this, credential_set_t *set)
+ private_credential_manager_t *this, credential_set_t *set, bool exclusive)
{
linked_list_t *sets;
+ thread_value_t *tv;
- sets = this->local_sets->get(this->local_sets);
+ if (exclusive)
+ {
+ tv = this->exclusive_local_sets;
+ }
+ else
+ {
+ tv = this->local_sets;
+ }
+ sets = tv->get(tv);
if (!sets)
- { /* first invocation */
+ {
sets = linked_list_create();
- this->local_sets->set(this->local_sets, sets);
+ tv->set(tv, sets);
+ }
+ if (exclusive)
+ {
+ sets->insert_first(sets, set);
+ }
+ else
+ {
+ sets->insert_last(sets, set);
}
- sets->insert_last(sets, set);
}
METHOD(credential_manager_t, remove_local_set, void,
private_credential_manager_t *this, credential_set_t *set)
{
linked_list_t *sets;
+ thread_value_t *tv;
- sets = this->local_sets->get(this->local_sets);
- sets->remove(sets, set, NULL);
+ tv = this->local_sets;
+ sets = tv->get(tv);
+ if (sets && sets->remove(sets, set, NULL) && sets->get_count(sets) == 0)
+ {
+ tv->set(tv, NULL);
+ sets->destroy(sets);
+ }
+ tv = this->exclusive_local_sets;
+ sets = tv->get(tv);
+ if (sets && sets->remove(sets, set, NULL) && sets->get_count(sets) == 0)
+ {
+ tv->set(tv, NULL);
+ sets->destroy(sets);
+ }
+}
+
+METHOD(credential_manager_t, issued_by, bool,
+ private_credential_manager_t *this, certificate_t *subject,
+ certificate_t *issuer, signature_scheme_t *scheme)
+{
+ if (this->cache)
+ {
+ return this->cache->issued_by(this->cache, subject, issuer, scheme);
+ }
+ return subject->issued_by(subject, issuer, scheme);
}
METHOD(credential_manager_t, cache_cert, void,
@@ -449,32 +545,76 @@ static void cache_queue(private_credential_manager_t *this)
}
/**
+ * Use validators to check the lifetime of certificates
+ */
+static bool check_lifetime(private_credential_manager_t *this,
+ certificate_t *cert, char *label,
+ int pathlen, bool trusted, auth_cfg_t *auth)
+{
+ time_t not_before, not_after;
+ cert_validator_t *validator;
+ enumerator_t *enumerator;
+ status_t status = NEED_MORE;
+
+ enumerator = this->validators->create_enumerator(this->validators);
+ while (enumerator->enumerate(enumerator, &validator))
+ {
+ if (!validator->check_lifetime)
+ {
+ continue;
+ }
+ status = validator->check_lifetime(validator, cert,
+ pathlen, trusted, auth);
+ if (status != NEED_MORE)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ switch (status)
+ {
+ case NEED_MORE:
+ if (!cert->get_validity(cert, NULL, &not_before, &not_after))
+ {
+ DBG1(DBG_CFG, "%s certificate invalid (valid from %T to %T)",
+ label, &not_before, FALSE, &not_after, FALSE);
+ break;
+ }
+ return TRUE;
+ case SUCCESS:
+ return TRUE;
+ case FAILED:
+ default:
+ break;
+ }
+ call_hook(this, CRED_HOOK_EXPIRED, cert);
+ return FALSE;
+}
+
+/**
* check a certificate for its lifetime
*/
static bool check_certificate(private_credential_manager_t *this,
certificate_t *subject, certificate_t *issuer, bool online,
int pathlen, bool trusted, auth_cfg_t *auth)
{
- time_t not_before, not_after;
cert_validator_t *validator;
enumerator_t *enumerator;
- if (!subject->get_validity(subject, NULL, &not_before, &not_after))
+ if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
+ !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
{
- DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
- &not_before, FALSE, &not_after, FALSE);
- return FALSE;
- }
- if (!issuer->get_validity(issuer, NULL, &not_before, &not_after))
- {
- DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
- &not_before, FALSE, &not_after, FALSE);
return FALSE;
}
enumerator = this->validators->create_enumerator(this->validators);
while (enumerator->enumerate(enumerator, &validator))
{
+ if (!validator->validate)
+ {
+ continue;
+ }
if (!validator->validate(validator, subject, issuer,
online, pathlen, trusted, auth))
{
@@ -514,7 +654,8 @@ static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
* Get the issuing certificate of a subject certificate
*/
static certificate_t *get_issuer_cert(private_credential_manager_t *this,
- certificate_t *subject, bool trusted)
+ certificate_t *subject, bool trusted,
+ signature_scheme_t *scheme)
{
enumerator_t *enumerator;
certificate_t *issuer = NULL, *candidate;
@@ -523,7 +664,7 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
subject->get_issuer(subject), trusted);
while (enumerator->enumerate(enumerator, &candidate))
{
- if (this->cache->issued_by(this->cache, subject, candidate))
+ if (issued_by(this, subject, candidate, scheme))
{
issuer = candidate->get_ref(candidate);
break;
@@ -573,6 +714,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
{
certificate_t *current, *issuer;
auth_cfg_t *auth;
+ signature_scheme_t scheme;
int pathlen;
auth = auth_cfg_create();
@@ -582,11 +724,11 @@ static bool verify_trust_chain(private_credential_manager_t *this,
for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
{
- issuer = get_issuer_cert(this, current, TRUE);
+ issuer = get_issuer_cert(this, current, TRUE, &scheme);
if (issuer)
{
/* accept only self-signed CAs as trust anchor */
- if (this->cache->issued_by(this->cache, issuer, issuer))
+ if (issued_by(this, issuer, issuer, NULL))
{
auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"",
@@ -599,27 +741,31 @@ static bool verify_trust_chain(private_credential_manager_t *this,
DBG1(DBG_CFG, " using trusted intermediate ca certificate "
"\"%Y\"", issuer->get_subject(issuer));
}
+ auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
}
else
{
- issuer = get_issuer_cert(this, current, FALSE);
+ issuer = get_issuer_cert(this, current, FALSE, &scheme);
if (issuer)
{
if (current->equals(current, issuer))
{
- DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not trusted",
- current->get_subject(current));
+ DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not "
+ "trusted", current->get_subject(current));
issuer->destroy(issuer);
+ call_hook(this, CRED_HOOK_UNTRUSTED_ROOT, current);
break;
}
auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
DBG1(DBG_CFG, " using untrusted intermediate certificate "
"\"%Y\"", issuer->get_subject(issuer));
+ auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
}
else
{
DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
current->get_subject(current));
+ call_hook(this, CRED_HOOK_NO_ISSUER, current);
break;
}
}
@@ -638,8 +784,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
current = issuer;
if (trusted)
{
- DBG1(DBG_CFG, " reached self-signed root ca with a path length of %d",
- pathlen);
+ DBG1(DBG_CFG, " reached self-signed root ca with a "
+ "path length of %d", pathlen);
break;
}
}
@@ -647,6 +793,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
if (pathlen > MAX_TRUST_PATH_LEN)
{
DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+ call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
}
if (trusted)
{
@@ -708,8 +855,7 @@ METHOD(enumerator_t, trusted_enumerate, bool,
/* if we find a trusted self signed certificate, we just accept it.
* However, in order to fulfill authorization rules, we try to build
* the trust chain if it is not self signed */
- if (this->this->cache->issued_by(this->this->cache,
- this->pretrusted, this->pretrusted) ||
+ if (issued_by(this->this, this->pretrusted, this->pretrusted, NULL) ||
verify_trust_chain(this->this, this->pretrusted, this->auth,
TRUE, this->online))
{
@@ -859,7 +1005,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
if (auth)
{
enumerator->wrapper = auth_cfg_wrapper_create(auth);
- add_local_set(this, &enumerator->wrapper->set);
+ add_local_set(this, &enumerator->wrapper->set, FALSE);
}
this->lock->read_lock(this->lock);
return &enumerator->public;
@@ -916,8 +1062,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
}
else
{
- if (!has_anchor &&
- this->cache->issued_by(this->cache, current, current))
+ if (!has_anchor && issued_by(this, current, current, NULL))
{ /* If no trust anchor specified, accept any CA */
trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
return trustchain;
@@ -928,7 +1073,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
{
break;
}
- issuer = get_issuer_cert(this, current, FALSE);
+ issuer = get_issuer_cert(this, current, FALSE, NULL);
if (!issuer)
{
if (!has_anchor)
@@ -973,6 +1118,29 @@ static private_key_t *get_private_by_cert(private_credential_manager_t *this,
return private;
}
+/**
+ * Move the actually used certificate to front, so it gets returned with get()
+ */
+static void prefer_cert(auth_cfg_t *auth, certificate_t *cert)
+{
+ enumerator_t *enumerator;
+ auth_rule_t rule;
+ certificate_t *current;
+
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &rule, &current))
+ {
+ if (rule == AUTH_RULE_SUBJECT_CERT)
+ {
+ current->get_ref(current);
+ auth->replace(auth, enumerator, AUTH_RULE_SUBJECT_CERT, cert);
+ cert = current;
+ }
+ }
+ enumerator->destroy(enumerator);
+ auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
+}
+
METHOD(credential_manager_t, get_private, private_key_t*,
private_credential_manager_t *this, key_type_t type, identification_t *id,
auth_cfg_t *auth)
@@ -981,6 +1149,7 @@ METHOD(credential_manager_t, get_private, private_key_t*,
certificate_t *cert;
private_key_t *private = NULL;
auth_cfg_t *trustchain;
+ auth_rule_t rule;
/* check if this is a lookup by key ID, and do it if so */
if (id && id->get_type(id) == ID_KEY_ID)
@@ -992,42 +1161,73 @@ METHOD(credential_manager_t, get_private, private_key_t*,
}
}
- /* if a specific certificate is preferred, check for a matching key */
- cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
- if (cert)
+ if (auth)
{
- private = get_private_by_cert(this, cert, type);
- if (private)
+ /* try to find a trustchain with one of the configured subject certs */
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &rule, &cert))
{
- trustchain = build_trustchain(this, cert, auth);
- if (trustchain)
+ if (rule == AUTH_RULE_SUBJECT_CERT)
{
- auth->merge(auth, trustchain, FALSE);
- trustchain->destroy(trustchain);
+ private = get_private_by_cert(this, cert, type);
+ if (private)
+ {
+ trustchain = build_trustchain(this, cert, auth);
+ if (trustchain)
+ {
+ auth->merge(auth, trustchain, FALSE);
+ prefer_cert(auth, cert->get_ref(cert));
+ trustchain->destroy(trustchain);
+ break;
+ }
+ private->destroy(private);
+ private = NULL;
+ }
}
+ }
+ enumerator->destroy(enumerator);
+ if (private)
+ {
return private;
}
- }
- /* try to build a trust chain for each certificate found */
- enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
- while (enumerator->enumerate(enumerator, &cert))
- {
- private = get_private_by_cert(this, cert, type);
- if (private)
+ /* if none yielded a trustchain, enforce the first configured cert */
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (cert)
{
- trustchain = build_trustchain(this, cert, auth);
- if (trustchain)
+ private = get_private_by_cert(this, cert, type);
+ if (private)
{
- auth->merge(auth, trustchain, FALSE);
- trustchain->destroy(trustchain);
- break;
+ trustchain = build_trustchain(this, cert, auth);
+ if (trustchain)
+ {
+ auth->merge(auth, trustchain, FALSE);
+ trustchain->destroy(trustchain);
+ }
+ return private;
+ }
+ }
+
+ /* try to build a trust chain for each certificate found */
+ enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ private = get_private_by_cert(this, cert, type);
+ if (private)
+ {
+ trustchain = build_trustchain(this, cert, auth);
+ if (trustchain)
+ {
+ auth->merge(auth, trustchain, FALSE);
+ trustchain->destroy(trustchain);
+ break;
+ }
+ private->destroy(private);
+ private = NULL;
}
- private->destroy(private);
- private = NULL;
}
+ enumerator->destroy(enumerator);
}
- enumerator->destroy(enumerator);
/* if no valid trustchain was found, fall back to the first usable cert */
if (!private)
@@ -1038,7 +1238,10 @@ METHOD(credential_manager_t, get_private, private_key_t*,
private = get_private_by_cert(this, cert, type);
if (private)
{
- auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
+ if (auth)
+ {
+ auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
+ }
break;
}
}
@@ -1050,14 +1253,10 @@ METHOD(credential_manager_t, get_private, private_key_t*,
METHOD(credential_manager_t, flush_cache, void,
private_credential_manager_t *this, certificate_type_t type)
{
- this->cache->flush(this->cache, type);
-}
-
-METHOD(credential_manager_t, issued_by, bool,
- private_credential_manager_t *this, certificate_t *subject,
- certificate_t *issuer)
-{
- return this->cache->issued_by(this->cache, subject, issuer);
+ if (this->cache)
+ {
+ this->cache->flush(this->cache, type);
+ }
}
METHOD(credential_manager_t, add_set, void,
@@ -1097,10 +1296,14 @@ METHOD(credential_manager_t, destroy, void,
{
cache_queue(this);
this->cache_queue->destroy(this->cache_queue);
- this->sets->remove(this->sets, this->cache, NULL);
+ if (this->cache)
+ {
+ this->sets->remove(this->sets, this->cache, NULL);
+ this->cache->destroy(this->cache);
+ }
this->sets->destroy(this->sets);
this->local_sets->destroy(this->local_sets);
- this->cache->destroy(this->cache);
+ this->exclusive_local_sets->destroy(this->exclusive_local_sets);
this->validators->destroy(this->validators);
this->lock->destroy(this->lock);
this->queue_mutex->destroy(this->queue_mutex);
@@ -1133,18 +1336,24 @@ credential_manager_t *credential_manager_create()
.remove_local_set = _remove_local_set,
.add_validator = _add_validator,
.remove_validator = _remove_validator,
+ .set_hook = _set_hook,
+ .call_hook = _call_hook,
.destroy = _destroy,
},
.sets = linked_list_create(),
.validators = linked_list_create(),
- .cache = cert_cache_create(),
.cache_queue = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
- this->sets->insert_first(this->sets, this->cache);
+ this->exclusive_local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
+ if (lib->settings->get_bool(lib->settings, "libstrongswan.cert_cache", TRUE))
+ {
+ this->cache = cert_cache_create();
+ this->sets->insert_first(this->sets, this->cache);
+ }
return &this->public;
}
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 8e8f04b8c..445ea3f9c 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -22,9 +22,10 @@
#define CREDENTIAL_MANAGER_H_
typedef struct credential_manager_t credential_manager_t;
+typedef enum credential_hook_type_t credential_hook_type_t;
#include <utils/identification.h>
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <credentials/auth_cfg.h>
#include <credentials/credential_set.h>
#include <credentials/keys/private_key.h>
@@ -33,6 +34,37 @@ typedef struct credential_manager_t credential_manager_t;
#include <credentials/cert_validator.h>
/**
+ * Type of a credential hook error/event.
+ */
+enum credential_hook_type_t {
+ /** The certificate has expired (or is not yet valid) */
+ CRED_HOOK_EXPIRED,
+ /** The certificate has been revoked */
+ CRED_HOOK_REVOKED,
+ /** Checking certificate revocation failed. This does not necessarily mean
+ * the certificate is rejected, just that revocation checking failed. */
+ CRED_HOOK_VALIDATION_FAILED,
+ /** No trusted issuer certificate has been found for this certificate */
+ CRED_HOOK_NO_ISSUER,
+ /** Encountered a self-signed (root) certificate, but it is not trusted */
+ CRED_HOOK_UNTRUSTED_ROOT,
+ /** Maximum trust chain length exceeded for certificate */
+ CRED_HOOK_EXCEEDED_PATH_LEN,
+ /** The certificate violates some other kind of policy and gets rejected */
+ CRED_HOOK_POLICY_VIOLATION,
+};
+
+/**
+ * Hook function to invoke on certificate validation errors.
+ *
+ * @param data user data supplied during hook registration
+ * @param type type of validation error/event
+ * @param cert associated certificate
+ */
+typedef void (*credential_hook_t)(void *data, credential_hook_type_t type,
+ certificate_t *cert);
+
+/**
* Manages credentials using credential_sets.
*
* The credential manager is the entry point of the credential framework. It
@@ -89,7 +121,7 @@ struct credential_manager_t {
* @param type kind of requested shared key
* @param first first subject between key is shared
* @param second second subject between key is shared
- * @return enumerator over shared keys
+ * @return enumerator over (shared_key_t*,id_match_t,id_match_t)
*/
enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
shared_key_type_t type,
@@ -204,10 +236,12 @@ struct credential_manager_t {
*
* @param subject subject certificate to check
* @param issuer issuer certificate that potentially has signed subject
+ * @param scheme receives used signature scheme, if given
* @return TRUE if issuer signed subject
*/
bool (*issued_by)(credential_manager_t *this,
- certificate_t *subject, certificate_t *issuer);
+ certificate_t *subject, certificate_t *issuer,
+ signature_scheme_t *scheme);
/**
* Register a credential set to the manager.
@@ -230,10 +264,14 @@ struct credential_manager_t {
* operation, sets may be added for the calling thread only. This
* does not require a write lock and is therefore a much cheaper
* operation.
+ * The exclusive option allows to disable all other credential sets
+ * until the set is deregistered.
*
* @param set set to register
+ * @param exclusive TRUE to disable all other sets for this thread
*/
- void (*add_local_set)(credential_manager_t *this, credential_set_t *set);
+ void (*add_local_set)(credential_manager_t *this, credential_set_t *set,
+ bool exclusive);
/**
* Unregister a thread local credential set from the manager.
@@ -257,6 +295,28 @@ struct credential_manager_t {
void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr);
/**
+ * Set a hook to call on certain credential validation errors.
+ *
+ * @param hook hook to register, NULL to unregister
+ * @param data data to pass to hook
+ */
+ void (*set_hook)(credential_manager_t *this, credential_hook_t hook,
+ void *data);
+
+ /**
+ * Call the registered credential hook, if any.
+ *
+ * While hooks are usually called by the credential manager itself, some
+ * validator plugins might raise hooks as well if they consider certificates
+ * invalid.
+ *
+ * @param type type of the event
+ * @param cert associated certificate
+ */
+ void (*call_hook)(credential_manager_t *this, credential_hook_type_t type,
+ certificate_t *cert);
+
+ /**
* Destroy a credential_manager instance.
*/
void (*destroy)(credential_manager_t *this);
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index fb18fb53d..49af5a079 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -17,7 +17,7 @@
#include <asn1/oid.h>
#include <asn1/asn1.h>
#include <asn1/asn1_parser.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
#include <utils/lexparser.h>
#include "ietf_attributes.h"
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index fdbe17f2c..2afcf8325 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -192,7 +192,7 @@ struct public_key_t {
/**
* Get the key in an encoded form as a chunk.
*
- * @param type type of the encoding, one of PRIVKEY_*
+ * @param type type of the encoding, one of PUBKEY_*
* @param encoding encoding of the key, allocated
* @return TRUE if encoding supported
*/
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
index d00b8d12e..900c6613e 100644
--- a/src/libstrongswan/credentials/keys/shared_key.h
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -21,7 +21,7 @@
#ifndef SHARED_KEY_H_
#define SHARED_KEY_H_
-#include <utils/enumerator.h>
+#include <collections/enumerator.h>
#include <utils/identification.h>
typedef struct shared_key_t shared_key_t;
diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
index 2cef23328..46bfb5c6e 100644
--- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
+++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c
@@ -15,7 +15,7 @@
*/
#include <library.h>
-#include <debug.h>
+#include <utils/debug.h>
#include "auth_cfg_wrapper.h"
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 968c3e31e..e8f0e7ec0 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -20,7 +20,7 @@
#include <library.h>
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/** cache size, a power of 2 for fast modulo */
#define CACHE_SIZE 32
@@ -47,6 +47,11 @@ struct relation_t {
certificate_t *issuer;
/**
+ * Signature scheme used to sign this relation
+ */
+ signature_scheme_t scheme;
+
+ /**
* Cache hits
*/
u_int hits;
@@ -77,7 +82,8 @@ struct private_cert_cache_t {
* Cache relation in a free slot/replace an other
*/
static void cache(private_cert_cache_t *this,
- certificate_t *subject, certificate_t *issuer)
+ certificate_t *subject, certificate_t *issuer,
+ signature_scheme_t scheme)
{
relation_t *rel;
int i, offset, try;
@@ -95,6 +101,7 @@ static void cache(private_cert_cache_t *this,
{
rel->subject = subject->get_ref(subject);
rel->issuer = issuer->get_ref(issuer);
+ rel->scheme = scheme;
return rel->lock->unlock(rel->lock);
}
rel->lock->unlock(rel->lock);
@@ -123,6 +130,7 @@ static void cache(private_cert_cache_t *this,
}
rel->subject = subject->get_ref(subject);
rel->issuer = issuer->get_ref(issuer);
+ rel->scheme = scheme;
rel->hits = 0;
return rel->lock->unlock(rel->lock);
}
@@ -133,9 +141,11 @@ static void cache(private_cert_cache_t *this,
}
METHOD(cert_cache_t, issued_by, bool,
- private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer)
+ private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer,
+ signature_scheme_t *schemep)
{
relation_t *found = NULL, *current;
+ signature_scheme_t scheme;
int i;
for (i = 0; i < CACHE_SIZE; i++)
@@ -154,7 +164,11 @@ METHOD(cert_cache_t, issued_by, bool,
{
/* write hit counter is not locked, but not critical */
current->hits++;
- found = current;
+ found = current;;
+ if (schemep)
+ {
+ *schemep = current->scheme;
+ }
}
}
}
@@ -165,9 +179,13 @@ METHOD(cert_cache_t, issued_by, bool,
}
}
/* no cache hit, check and cache signature */
- if (subject->issued_by(subject, issuer))
+ if (subject->issued_by(subject, issuer, &scheme))
{
- cache(this, subject, issuer);
+ cache(this, subject, issuer, scheme);
+ if (schemep)
+ {
+ *schemep = scheme;
+ }
return TRUE;
}
return FALSE;
diff --git a/src/libstrongswan/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h
index d2721866e..2bcdbe464 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.h
+++ b/src/libstrongswan/credentials/sets/cert_cache.h
@@ -45,10 +45,12 @@ struct cert_cache_t {
*
* @param subject certificate to verify
* @param issuer issuing certificate to verify subject
+ * @param scheme receives used signature scheme, if given
* @return TRUE if subject issued by issuer
*/
bool (*issued_by)(cert_cache_t *this,
- certificate_t *subject, certificate_t *issuer);
+ certificate_t *subject, certificate_t *issuer,
+ signature_scheme_t *scheme);
/**
* Flush the certificate cache.
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index e023e8443..b8da3f620 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
* Hochschule fuer Technik Rapperwsil
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
@@ -18,7 +18,7 @@
#include "mem_cred.h"
#include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
typedef struct private_mem_cred_t private_mem_cred_t;
@@ -555,14 +555,66 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
}
-METHOD(mem_cred_t, clear_secrets, void,
- private_mem_cred_t *this)
+static void reset_secrets(private_mem_cred_t *this)
{
- this->lock->write_lock(this->lock);
this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy));
this->shared->destroy_function(this->shared, (void*)shared_entry_destroy);
this->keys = linked_list_create();
this->shared = linked_list_create();
+}
+
+METHOD(mem_cred_t, replace_secrets, void,
+ private_mem_cred_t *this, mem_cred_t *other_set, bool clone)
+{
+ private_mem_cred_t *other = (private_mem_cred_t*)other_set;
+ enumerator_t *enumerator;
+ shared_entry_t *entry, *new_entry;
+ private_key_t *key;
+
+ this->lock->write_lock(this->lock);
+
+ reset_secrets(this);
+
+ if (clone)
+ {
+ enumerator = other->keys->create_enumerator(other->keys);
+ while (enumerator->enumerate(enumerator, &key))
+ {
+ this->keys->insert_last(this->keys, key->get_ref(key));
+ }
+ enumerator->destroy(enumerator);
+ enumerator = other->shared->create_enumerator(other->shared);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ INIT(new_entry,
+ .shared = entry->shared->get_ref(entry->shared),
+ .owners = entry->owners->clone_offset(entry->owners,
+ offsetof(identification_t, clone)),
+ );
+ this->shared->insert_last(this->shared, new_entry);
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ while (other->keys->remove_first(other->keys, (void**)&key) == SUCCESS)
+ {
+ this->keys->insert_last(this->keys, key);
+ }
+ while (other->shared->remove_first(other->shared,
+ (void**)&entry) == SUCCESS)
+ {
+ this->shared->insert_last(this->shared, entry);
+ }
+ }
+ this->lock->unlock(this->lock);
+}
+
+METHOD(mem_cred_t, clear_secrets, void,
+ private_mem_cred_t *this)
+{
+ this->lock->write_lock(this->lock);
+ reset_secrets(this);
this->lock->unlock(this->lock);
}
@@ -619,6 +671,7 @@ mem_cred_t *mem_cred_create()
.add_shared = _add_shared,
.add_shared_list = _add_shared_list,
.add_cdp = _add_cdp,
+ .replace_secrets = _replace_secrets,
.clear = _clear_,
.clear_secrets = _clear_secrets,
.destroy = _destroy,
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index eb46b065b..d0dd51da1 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
@@ -27,7 +27,7 @@ typedef struct mem_cred_t mem_cred_t;
#include <credentials/credential_set.h>
#include <credentials/certificates/crl.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
/**
* Generic in-memory credential set.
@@ -101,6 +101,16 @@ struct mem_cred_t {
identification_t *id, char *uri);
/**
+ * Replace all secrets (private and shared keys) in this credential set
+ * with those of another.
+ *
+ * @param other credential set to get secrets from
+ * @param clone TRUE to clone secrets, FALSE to adopt them (they
+ * get removed from the other set)
+ */
+ void (*replace_secrets)(mem_cred_t *this, mem_cred_t *other, bool clone);
+
+ /**
* Clear all credentials from the credential set.
*/
void (*clear)(mem_cred_t *this);