extended credential_set_t interface by a cache_cert() method
authorMartin Willi <martin@strongswan.org>
Thu, 17 Apr 2008 11:22:37 +0000 (11:22 -0000)
committerMartin Willi <martin@strongswan.org>
Thu, 17 Apr 2008 11:22:37 +0000 (11:22 -0000)
allows persistent or in-memory caching of fetched certificates

12 files changed:
src/charon/control/controller.c
src/charon/credentials/credential_manager.c
src/charon/credentials/credential_manager.h
src/charon/credentials/credential_set.h
src/charon/credentials/sets/auth_info_wrapper.c
src/charon/credentials/sets/cert_cache.c
src/charon/credentials/sets/ocsp_response_wrapper.c
src/charon/plugins/med_db/med_db_creds.c
src/charon/plugins/sql/sql_cred.c
src/charon/plugins/stroke/stroke_cred.c
src/libstrongswan/utils.c
src/libstrongswan/utils.h

index 6a03bab..3410384 100644 (file)
@@ -106,14 +106,6 @@ struct interface_job_t {
 };
 
 /**
- * Implements the famous nop operation
- */
-static void nop(job_t *job)
-{
-       /* NOP */
-}
-
-/**
  * Implementation of controller_t.create_ike_sa_iterator.
  */
 static enumerator_t* create_ike_sa_enumerator(controller_t *this)
index 5e71af8..f803192 100644 (file)
@@ -1438,6 +1438,24 @@ static void flush_cache(private_credential_manager_t *this,
 }
 
 /**
+ * Implementation of credential_manager_t.cache_cert.
+ */
+static void cache_cert(private_credential_manager_t *this, certificate_t *cert)
+{
+       credential_set_t *set;
+       enumerator_t *enumerator;
+       
+       pthread_rwlock_rdlock(&this->lock);
+       enumerator = this->sets->create_enumerator(this->sets);
+       while (enumerator->enumerate(enumerator, &set))
+       {
+               set->cache_cert(set, cert);
+       }
+       enumerator->destroy(enumerator);
+       pthread_rwlock_unlock(&this->lock);
+}      
+
+/**
  * Implementation of credential_manager_t.add_set.
  */
 static void add_set(private_credential_manager_t *this,
@@ -1486,6 +1504,7 @@ credential_manager_t *credential_manager_create()
        this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_info_t*))get_private;
        this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_info_t *aut))create_public_enumerator;
        this->public.flush_cache = (void(*)(credential_manager_t*, certificate_type_t type))flush_cache;
+       this->public.cache_cert = (void(*)(credential_manager_t*, certificate_t *cert))cache_cert;
        this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set;
        this->public.remove_set = (void(*)(credential_manager_t*, credential_set_t *set))remove_set;
        this->public.destroy = (void(*)(credential_manager_t*))destroy;
index 7c84c43..0848f5f 100644 (file)
@@ -163,8 +163,18 @@ struct credential_manager_t {
                                        key_type_t type, identification_t *id, auth_info_t *auth);
        
        /**
+        * Cache a certificate by invoking cache_cert() on all registerd sets.
+        *
+        * @param cert          certificate to cache
+        */
+       void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
+       
+       /**
         * Flush the certificate cache.
         *
+        * Only the managers local cache is flushed, but not the sets cache filled
+        * by the cache_cert() method.
+        *
         * @param type          type of certificate to flush, or CERT_ANY
         */
        void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
index a4e891a..41c5b16 100644 (file)
@@ -87,7 +87,17 @@ struct credential_set_t {
         * @return                      an enumerator over CDPs as char*
         */
        enumerator_t *(*create_cdp_enumerator)(credential_set_t *this,
-                                               certificate_type_t type, identification_t *id); 
+                                               certificate_type_t type, identification_t *id);
+       
+       /**
+        * Cache a certificate in the credential set.
+        *
+        * The caching policy is implementation dependent, the sets may cache the
+        * certificate in-memory, persistent on disk or not at all.
+        *
+        * @param cert          certificate to cache
+        */
+       void (*cache_cert)(credential_set_t *this, certificate_t *cert);        
 };
 
 #endif /* CREDENTIAL_SET_H_ @} */
index 12349b5..b7576a5 100644 (file)
@@ -145,6 +145,7 @@ auth_info_wrapper_t *auth_info_wrapper_create(auth_info_t *auth)
        this->public.set.create_cert_enumerator = (void*)create_enumerator;
        this->public.set.create_shared_enumerator = (void*)return_null;
        this->public.set.create_cdp_enumerator = (void*)return_null;
+       this->public.set.cache_cert = (void*)nop;
        this->public.destroy = (void(*)(auth_info_wrapper_t*))destroy;
        
        this->auth = auth;
index 6a1587f..8af8bb6 100644 (file)
@@ -266,6 +266,14 @@ static enumerator_t *create_enumerator(private_cert_cache_t *this,
 }
 
 /**
+ * Implementation of credential_set_t.cache_cert.
+ */
+static void cache_cert(private_cert_cache_t *this, certificate_t *cert)
+{
+       /* TODO: implement caching */
+}
+
+/**
  * Implementation of cert_cache_t.flush.
  */
 static void flush(private_cert_cache_t *this, certificate_type_t type)
@@ -309,6 +317,7 @@ cert_cache_t *cert_cache_create()
        this->public.set.create_cert_enumerator = (void*)create_enumerator;
        this->public.set.create_shared_enumerator = (void*)return_null;
        this->public.set.create_cdp_enumerator = (void*)return_null;
+       this->public.set.cache_cert = (void*)cache_cert;
        this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
        this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
        this->public.destroy = (void(*)(cert_cache_t*))destroy;
index 6241a5a..c4d3a5b 100644 (file)
@@ -139,6 +139,7 @@ ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
        this->public.set.create_cert_enumerator = (void*)create_enumerator;
        this->public.set.create_shared_enumerator = (void*)return_null;
        this->public.set.create_cdp_enumerator = (void*)return_null;
+       this->public.set.cache_cert = (void*)nop;
        this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
        
        this->response = response;
index 364e039..0f55ec1 100644 (file)
@@ -144,6 +144,7 @@ med_db_creds_t *med_db_creds_create(database_t *db)
        this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
        this->public.set.create_shared_enumerator = (void*)return_null;
        this->public.set.create_cdp_enumerator = (void*)return_null;
+       this->public.set.cache_cert = (void*)nop;
 
        this->public.destroy = (void (*)(med_db_creds_t*))destroy;
        
index a504b23..9d91973 100644 (file)
@@ -332,13 +332,20 @@ static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
 }
 
 /**
+ * Implementation of credential_set_t.cache_cert.
+ */
+static void cache_cert(private_sql_cred_t *this, certificate_t *cert)
+{
+       /* TODO: implement CRL caching to database */
+}
+
+/**
  * Implementation of sql_cred_t.destroy.
  */
 static void destroy(private_sql_cred_t *this)
 {
        free(this);
 }
-
 /**
  * Described in header.
  */
@@ -350,6 +357,7 @@ sql_cred_t *sql_cred_create(database_t *db)
        this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
        this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
        this->public.set.create_cdp_enumerator = (void*)return_null;
+       this->public.set.cache_cert = (void*)cache_cert;
        this->public.destroy = (void(*)(sql_cred_t*))destroy;
        
        this->db = db;
index 4ac46ab..6f387bf 100644 (file)
@@ -305,6 +305,14 @@ static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
 }
 
 /**
+ * Implementation of credential_set_t.cache_cert.
+ */
+static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
+{
+       /* TODO: implement crl writeback to ipsec.d/crls */
+}
+
+/**
  * Add a certificate to chain
  */
 static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
@@ -868,6 +876,7 @@ stroke_cred_t *stroke_cred_create()
        this->public.set.create_private_enumerator = (void*)create_private_enumerator;
        this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
        this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
+       this->public.set.cache_cert = (void*)cache_cert;
        this->public.set.create_cdp_enumerator = (void*)return_null;
        this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread;
        this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
index 953ef50..416c8ef 100644 (file)
@@ -72,6 +72,13 @@ void *return_null()
 }
 
 /**
+ * nop operation
+ */
+void nop()
+{
+}
+
+/**
  * We use a single mutex for all refcount variables. This
  * is not optimal for performance, but the critical section
  * is not that long...
index aae368a..8b1a8aa 100644 (file)
@@ -215,6 +215,11 @@ void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
 void *return_null();
 
 /**
+ * No-Operation function
+ */
+void nop();
+
+/**
  * Special type to count references
  */
 typedef volatile u_int refcount_t;