From b8064f4099997a9e2179f3ad4ace605f5ccac3a1 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Mon, 9 Aug 2010 08:09:54 +0000
Subject: [svn-upgrade] new version strongswan (4.4.1)

---
 .../credentials/certificates/certificate.c         | 22 +++++++++++++++++
 .../credentials/certificates/certificate.h         | 26 ++++++++++++--------
 src/libstrongswan/credentials/certificates/crl.c   | 28 ++++++++++++++++++++++
 src/libstrongswan/credentials/certificates/crl.h   | 10 +++++++-
 src/libstrongswan/credentials/certificates/x509.h  |  1 -
 5 files changed, 75 insertions(+), 12 deletions(-)

(limited to 'src/libstrongswan/credentials/certificates')

diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 156d12358..661b69e36 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -15,6 +15,7 @@
 
 #include "certificate.h"
 
+#include <debug.h>
 #include <credentials/certificates/x509.h>
 
 ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
@@ -40,3 +41,24 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
 	"REVOKED",
 );
 
+/**
+ * See header
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other)
+{
+	time_t this_update, that_update;
+	char *type = "certificate";
+	bool newer;
+
+	if (this->get_type(this) == CERT_X509_CRL)
+	{
+		type = "crl";
+	}
+	this->get_validity(this, NULL, &this_update, NULL);
+	other->get_validity(other, NULL, &that_update, NULL);
+	newer = this_update > that_update;
+	DBG1(DBG_LIB, "  %s from %T is %s - existing %s from %T %s",
+		 type, &this_update, FALSE, newer ? "newer" : "not newer",
+		 type, &that_update, FALSE, newer ? "replaced" : "retained");
+	return newer;
+}
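Review bot: `this_update` and `that_update` are declared without initialisers at `time_t this_update, that_update;` and are only populated through the `get_validity` out-parameters; if an implementation leaves `not_before` untouched for some certificate type (not visible in this hunk), the `newer = this_update > that_update;` line and the `%T` log arguments read indeterminate values. Initialising them, `time_t this_update = 0, that_update = 0;`, makes that path deterministic, and `type` only ever points at string literals so it could be `const char *type = "certificate";`. The declaration comment added in the certificate.h hunk says only "TRUE if this newer than other"; it should state the criterion, e.g. `@return TRUE if this has a later not_before (thisUpdate for a CRL) than other`, because callers deciding whether to replace a cached credential depend on exactly that ordering.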
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index a4f9aa3e0..43bfe3dc1 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -28,6 +28,7 @@ typedef enum cert_validation_t cert_validation_t;
 #include <library.h>
 #include <utils/identification.h>
 #include <credentials/keys/public_key.h>
+#include <credentials/cred_encoding.h>
 
 /**
  * Kind of a certificate_t
@@ -163,18 +164,14 @@ struct certificate_t {
 						 time_t *not_before, time_t *not_after);
 
 	/**
-	 * Is this newer than that?
+	 * Get the certificate in an encoded form as a chunk.
 	 *
-	 * @return			TRUE if newer, FALSE otherwise
+	 * @param type		type of the encoding, one of CERT_*
+	 * @param encoding	encoding of the key, allocated
+	 * @return			TRUE if encoding supported
 	 */
-	bool (*is_newer)(certificate_t *this, certificate_t *that);
-
-	/**
-	 * Get the certificate in an encoded form.
-	 *
-	 * @return				allocated chunk of encoded cert
-	 */
-	chunk_t (*get_encoding)(certificate_t *this);
+	bool (*get_encoding)(certificate_t *this, cred_encoding_type_t type,
+						 chunk_t *encoding);
 
 	/**
 	 * Check if two certificates are equal.
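Review bot: The new `@param encoding` line reads `encoding of the key, allocated`, which looks carried over from the public key interface; for this struct it should read `@param encoding	encoding of the certificate, allocated`. The comment also leaves ownership implicit: if "allocated" means the caller owns and frees the chunk when TRUE is returned, say so, since the old `get_encoding` returned the chunk by value and callers of the new form now receive it through the out-parameter. The certificate_t struct this hunk edits begins and ends outside the hunk.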
@@ -197,4 +194,13 @@ struct certificate_t {
 	void (*destroy)(certificate_t *this);
 };
 
+/**
+ * Generic check if a given certificate is newer than another.
+ *
+ * @param this			first certificate to check
+ * @param other			second certificate
+ * @return				TRUE if this newer than other
+ */
+bool certificate_is_newer(certificate_t *this, certificate_t *other);
+
 #endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 085ad16cc..69bd80b84 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,6 +16,8 @@
 
 #include "crl.h"
 
+#include <debug.h>
+
 ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 	"unspecified",
 	"key compromise",
@@ -27,3 +29,29 @@ ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
 	"reason #7",
 	"remove from crl",
 );
+
+/**
+ * Check if this CRL is newer
+ */
+bool crl_is_newer(crl_t *this, crl_t *other)
+{
+	chunk_t this_num, other_num;
+	bool newer;
+
+	this_num = this->get_serial(this);
+	other_num = other->get_serial(other);
+
+	/* compare crlNumbers if available - otherwise use generic cert compare */
+	if (this_num.ptr != NULL && other_num.ptr != NULL)
+	{
+		newer = chunk_compare(this_num, other_num) > 0;
+		DBG1(DBG_LIB, "  crl #%#B is %s - existing crl #%#B %s",
+			 &this_num, newer ? "newer" : "not newer",
+			 &other_num, newer ? "replaced" : "retained");
+	}
+	else
+	{
+		newer = certificate_is_newer(&this->certificate, &other->certificate);
+	}
+	return newer;
+}
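Review bot: The ordering `newer = chunk_compare(this_num, other_num) > 0;` treats the raw crlNumber bytes as a magnitude; assuming chunk_compare orders by length before content (its definition is not in this diff), that equals numeric order only when both values are minimally encoded big-endian integers, and a crlNumber carrying superfluous leading zero bytes would sort above a numerically greater one, so a stale CRL could be kept. Either normalise both chunks by skipping leading zero bytes before the compare, or at least document the assumption next to it: `/* crlNumber compared as big-endian magnitude; assumes minimal DER encoding */`. Nothing here checks that both CRLs share an issuer; presumably the caller guarantees that, and the declaration comment in the crl.h hunk should say so and name the criterion (crlNumber, falling back to the generic thisUpdate comparison).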
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 4b612390c..9425311fb 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -80,7 +80,15 @@ struct crl_t {
 	 * @return			enumerator over revoked certificates.
 	 */
 	enumerator_t* (*create_enumerator)(crl_t *this);
-
 };
 
+/**
+ * Generic check if a given CRL is newer than another.
+ *
+ * @param this			first CRL to check
+ * @param other			second CRL
+ * @return				TRUE if this newer than other
+ */
+bool crl_is_newer(crl_t *this, crl_t *other);
+
 #endif /** CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 172bd9696..6e0a5002a 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -25,7 +25,6 @@
 #include <credentials/certificates/certificate.h>
 
 #define X509_NO_PATH_LEN_CONSTRAINT		-1
-#define X509_MAX_PATH_LEN				 7
 
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
-- 
cgit v1.2.3