Various stylistic fixes
authorAdrian-Ken Rueegsegger <ken@codelabs.ch>
Mon, 18 Mar 2013 17:47:16 +0000 (18:47 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 14:24:36 +0000 (15:24 +0100)
12 files changed:
src/charon-tkm/src/tkm/tkm.c
src/charon-tkm/src/tkm/tkm_chunk_map.h
src/charon-tkm/src/tkm/tkm_cred.c
src/charon-tkm/src/tkm/tkm_id_manager.c
src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
src/charon-tkm/src/tkm/tkm_kernel_sad.c
src/charon-tkm/src/tkm/tkm_keymat.c
src/charon-tkm/src/tkm/tkm_listener.c
src/charon-tkm/src/tkm/tkm_nonceg.c
src/charon-tkm/src/tkm/tkm_private_key.c
src/charon-tkm/src/tkm/tkm_utils.c
src/charon-tkm/src/tkm/tkm_utils.h

index 9cf54b0..a39221d 100644 (file)
@@ -52,23 +52,16 @@ tkm_t *tkm = NULL;
 bool tkm_init()
 {
        private_tkm_t *this;
-
        active_requests_type max_requests;
-       nc_id_type nc;
-       dh_id_type dh;
-       cc_id_type cc;
-       ae_id_type ae;
-       isa_id_type isa;
-       esa_id_type esa;
+       char *ikesock, *eessock;
+       tkm_limits_t limits;
 
        /* initialize TKM client library */
        tkmlib_init();
        ehandler_init();
 
-       const char * const ikesock = lib->settings->get_str(lib->settings,
-                                                                                                               "%s.ike_socket",
-                                                                                                               IKE_SOCKET,
-                                                                                                               charon->name);
+       ikesock = lib->settings->get_str(lib->settings, "%s.ike_socket", IKE_SOCKET,
+                                                                        charon->name);
        if (ike_init(ikesock) != TKM_OK)
        {
                tkmlib_final();
@@ -76,10 +69,8 @@ bool tkm_init()
        }
        DBG1(DBG_DMN, "connected to TKM via socket '%s'", ikesock);
 
-       const char * const eessock = lib->settings->get_str(lib->settings,
-                                                                                                               "%s.ees_socket",
-                                                                                                               EES_SOCKET,
-                                                                                                               charon->name);
+       eessock = lib->settings->get_str(lib->settings, "%s.ees_socket", EES_SOCKET,
+                                                                        charon->name);
        ees_server_init(eessock);
        DBG1(DBG_DMN, "serving EES requests on socket '%s'", eessock);
 
@@ -91,15 +82,15 @@ bool tkm_init()
        }
 
        /* get limits from tkm */
-       if (ike_tkm_limits(&max_requests, &nc, &dh, &cc, &ae, &isa, &esa) != TKM_OK)
+       if (ike_tkm_limits(&max_requests, &limits[TKM_CTX_NONCE], &limits[TKM_CTX_DH],
+                                          &limits[TKM_CTX_CC], &limits[TKM_CTX_AE],
+                                          &limits[TKM_CTX_ISA], &limits[TKM_CTX_ESA]) != TKM_OK)
        {
                ees_server_finalize();
                tkmlib_final();
                return FALSE;
        }
 
-       const tkm_limits_t limits = {nc, dh, cc, isa, ae, esa};
-
        INIT(this,
                .public = {
                        .idmgr = tkm_id_manager_create(limits),
index 2d8ea8f..6482575 100644 (file)
@@ -39,7 +39,7 @@ struct tkm_chunk_map_t {
         * @param id    id associated with data
         */
        void (*insert)(tkm_chunk_map_t * const this, const chunk_t * const data,
-                       const uint64_t id);
+                                  const uint64_t id);
 
        /**
         * Get id for given chunk.
index cf591d4..d9517f9 100644 (file)
@@ -54,20 +54,22 @@ struct private_tkm_cred_t {
 METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
        private_tkm_cred_t *this, key_type_t type, identification_t *id)
 {
+       identification_t *entry;
+
        if (!id)
        {
                return this->known_keys->create_enumerator(this->known_keys);
        }
 
-       identification_t *entry;
        this->lock->write_lock(this->lock);
        entry = this->known_keys->get(this->known_keys, id);
 
        if (!entry)
        {
                identification_t *clone = id->clone(id);
-               DBG1(DBG_CFG, "adding private key proxy for id '%Y'", clone);
                tkm_private_key_t *key = tkm_private_key_init(id);
+
+               DBG1(DBG_CFG, "adding private key proxy for id '%Y'", clone);
                if (!key)
                {
                        DBG1(DBG_CFG, "unable to create private key for id '%Y'", clone);
index 63377e6..407d0a8 100644 (file)
@@ -81,7 +81,7 @@ METHOD(tkm_id_manager_t, acquire_id, int,
        if (!is_valid_kind(kind))
        {
                DBG1(DBG_LIB, "tried to acquire id for invalid context kind '%d'",
-                                         kind);
+                        kind);
                return 0;
        }
 
@@ -99,8 +99,8 @@ METHOD(tkm_id_manager_t, acquire_id, int,
 
        if (!id)
        {
-               DBG1(DBG_LIB, "acquiring %N context id failed",
-                                         tkm_context_kind_names, kind);
+               DBG1(DBG_LIB, "acquiring %N context id failed", tkm_context_kind_names,
+                        kind);
        }
 
        return id;
@@ -115,7 +115,7 @@ METHOD(tkm_id_manager_t, release_id, bool,
        if (!is_valid_kind(kind))
        {
                DBG1(DBG_LIB, "tried to release id %d for invalid context kind '%d'",
-                                         id, kind);
+                        id, kind);
                return FALSE;
        }
 
@@ -160,8 +160,8 @@ tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits)
                this->limits[i] = limits[i];
                this->ctxids[i] = calloc(limits[i], sizeof(bool));
                this->locks[i] = rwlock_create(RWLOCK_TYPE_DEFAULT);
-               DBG2(DBG_LIB, "%N initialized, %llu slot(s)",
-                               tkm_context_kind_names, i, limits[i]);
+               DBG2(DBG_LIB, "%N initialized, %llu slot(s)", tkm_context_kind_names, i,
+                        limits[i]);
        }
 
        return &this->public;
index 7d14ba7..69aefea 100644 (file)
@@ -62,6 +62,8 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
        private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
        u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
+       bool result;
+
        if (!this->rng)
        {
                this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
@@ -73,8 +75,8 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
        }
 
        DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-       const bool result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
-                                                                                        (u_int8_t *)spi);
+       result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
+                                                                 (u_int8_t *)spi);
        return result ? SUCCESS : FAILED;
 }
 
@@ -93,12 +95,21 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        u_int16_t cpi, bool encap, bool esn, bool inbound,
        traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
+       esa_info_t esa;
+       bool initiator;
+       esp_spi_type spi_loc, spi_rem;
+       host_t *local, *peer;
+       chunk_t *nonce_loc, *nonce_rem;
+       nc_id_type nonce_loc_id;
+       esa_id_type esa_id;
+       nonce_type nc_rem;
+
        if (enc_key.ptr == NULL)
        {
                DBG1(DBG_KNL, "Unable to get ESA information");
                return FAILED;
        }
-       esa_info_t esa = *(esa_info_t *)(enc_key.ptr);
+       esa = *(esa_info_t *)(enc_key.ptr);
 
        /* only handle the case where we have both distinct ESP spi's available */
        if (esa.spi_r == spi)
@@ -109,11 +120,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        }
 
        /* Initiator if encr_r is passed as enc_key to the inbound add_sa call */
-       const bool initiator = esa.is_encr_r && inbound;
-
-       esp_spi_type spi_loc, spi_rem;
-       host_t *local, *peer;
-       chunk_t *nonce_loc, *nonce_rem;
+       initiator = esa.is_encr_r && inbound;
        if (initiator)
        {
                spi_loc = spi;
@@ -133,10 +140,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                nonce_rem = &esa.nonce_i;
        }
 
-       const nc_id_type nonce_loc_id = tkm->chunk_map->get_id(tkm->chunk_map,
-                                                                                                                  nonce_loc);
-
-       const esa_id_type esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
+       esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
        if (!this->sad->insert(this->sad, esa_id, peer, local, spi_loc, protocol))
        {
                DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
@@ -147,6 +151,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
         * creation of first CHILD SA:
         * no nonce and no dh contexts because the ones from the IKE SA are re-used
         */
+       nonce_loc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce_loc);
        if (nonce_loc_id == 0 && esa.dh_id == 0)
        {
                if (ike_esa_create_first(esa_id, esa.isa_id, reqid, 1, spi_loc, spi_rem)
@@ -159,7 +164,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        /* creation of child SA without PFS: no dh context */
        else if (nonce_loc_id != 0 && esa.dh_id == 0)
        {
-               nonce_type nc_rem;
                chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
                if (ike_esa_create_no_pfs(esa_id, esa.isa_id, reqid, 1, nonce_loc_id,
                                                                  nc_rem, initiator, spi_loc, spi_rem)
@@ -173,7 +177,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
        /* creation of subsequent child SA with PFS: nonce and dh context are set */
        else
        {
-               nonce_type nc_rem;
                chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type));
                if (ike_esa_create(esa_id, esa.isa_id, reqid, 1, esa.dh_id, nonce_loc_id,
                                                   nc_rem, initiator, spi_loc, spi_rem) != TKM_OK)
@@ -222,8 +225,9 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
        private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
        u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
-       const esa_id_type esa_id = this->sad->get_esa_id(this->sad, src, dst, spi,
-                                                                                                        protocol);
+       esa_id_type esa_id;
+
+       esa_id = this->sad->get_esa_id(this->sad, src, dst, spi, protocol);
        if (esa_id)
        {
                DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
@@ -314,14 +318,14 @@ METHOD(kernel_ipsec_t, bypass_socket, bool,
        if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
        {
                DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-                                          strerror(errno));
+                        strerror(errno));
                return FALSE;
        }
        policy.dir = XFRM_POLICY_IN;
        if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
        {
                DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
-                                          strerror(errno));
+                        strerror(errno));
                return FALSE;
        }
        return TRUE;
index 02b6ddc..360a47b 100644 (file)
@@ -129,8 +129,9 @@ METHOD(tkm_kernel_sad_t, insert, bool,
        const host_t * const src, const host_t * const dst, const u_int32_t spi,
        const u_int8_t proto)
 {
-
+       status_t result;
        sad_entry_t *new_entry;
+
        INIT(new_entry,
                 .esa_id = esa_id,
                 .src = (host_t *)src,
@@ -140,9 +141,9 @@ METHOD(tkm_kernel_sad_t, insert, bool,
        );
 
        this->mutex->lock(this->mutex);
-       const status_t result = this->data->find_first(this->data,
-                                                                                                  (linked_list_match_t)sad_entry_equal,
-                                                                                                  NULL, new_entry);
+       result = this->data->find_first(this->data,
+                                                                       (linked_list_match_t)sad_entry_equal, NULL,
+                                                                       new_entry);
        if (result == NOT_FOUND)
        {
                DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, src: %H, dst: %H, "
@@ -192,8 +193,10 @@ METHOD(tkm_kernel_sad_t, _remove, bool,
 {
        sad_entry_t *current;
        bool removed = FALSE;
+       enumerator_t *enumerator;
+
        this->mutex->lock(this->mutex);
-       enumerator_t *enumerator = this->data->create_enumerator(this->data);
+       enumerator = this->data->create_enumerator(this->data);
        while (enumerator->enumerate(enumerator, (void **)&current))
        {
                if (current->esa_id == esa_id)
index fe4caf9..772fac8 100644 (file)
@@ -94,9 +94,11 @@ static void aead_create_from_keys(aead_t **in, aead_t **out,
           const u_int16_t key_size, bool initiator)
 {
        *in = *out = NULL;
+       signer_t *signer_i, *signer_r;
+       crypter_t *crypter_i, *crypter_r;
 
-       signer_t * const signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
-       signer_t * const signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
+       signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
+       signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
        if (signer_i == NULL || signer_r == NULL)
        {
                DBG1(DBG_IKE, "%N %N not supported!",
@@ -104,10 +106,8 @@ static void aead_create_from_keys(aead_t **in, aead_t **out,
                         integrity_algorithm_names, int_alg);
                return;
        }
-       crypter_t * const crypter_i = lib->crypto->create_crypter(lib->crypto,
-                       enc_alg, key_size);
-       crypter_t * const crypter_r = lib->crypto->create_crypter(lib->crypto,
-                       enc_alg, key_size);
+       crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
+       crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
        if (crypter_i == NULL || crypter_r == NULL)
        {
                signer_i->destroy(signer_i);
@@ -174,41 +174,50 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
        chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
        pseudo_random_function_t rekey_function, chunk_t rekey_skd)
 {
-       /* Check encryption and integrity algorithms */
        u_int16_t enc_alg, int_alg, key_size;
-       if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg, &key_size))
+       u_int64_t nc_id, spi_loc, spi_rem;
+       chunk_t *nonce, c_ai, c_ar, c_ei, c_er;
+       tkm_diffie_hellman_t *tkm_dh;
+       dh_id_type dh_id;
+       nonce_type nonce_rem;
+       result_type res;
+       key_type sk_ai, sk_ar, sk_ei, sk_er;
+
+       /* Check encryption and integrity algorithms */
+       if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg,
+                                                                &key_size))
        {
                DBG1(DBG_IKE, "no %N selected", transform_type_names,
-                               ENCRYPTION_ALGORITHM);
+                        ENCRYPTION_ALGORITHM);
                return FALSE;
        }
        if (encryption_algorithm_is_aead(enc_alg))
        {
                DBG1(DBG_IKE, "AEAD algorithm %N not supported",
-                          encryption_algorithm_names, enc_alg);
+                        encryption_algorithm_names, enc_alg);
                return FALSE;
        }
        if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL))
        {
                DBG1(DBG_IKE, "no %N selected", transform_type_names,
-                               INTEGRITY_ALGORITHM);
+                        INTEGRITY_ALGORITHM);
                return FALSE;
        }
        if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
-                       int_alg == AUTH_HMAC_SHA2_512_256))
+                 int_alg == AUTH_HMAC_SHA2_512_256))
        {
-               DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, please"
-                               " update your configuration");
+               DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, "
+                        "please update your configuration");
                return FALSE;
        }
 
        DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
-                       encryption_algorithm_names, enc_alg,
-                       integrity_algorithm_names, int_alg);
+                encryption_algorithm_names, enc_alg, integrity_algorithm_names,
+                int_alg);
 
        /* Acquire nonce context id */
-       chunk_t * const nonce = this->initiator ? &nonce_i : &nonce_r;
-       const uint64_t nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
+       nonce = this->initiator ? &nonce_i : &nonce_r;
+       nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
        if (!nc_id)
        {
                DBG1(DBG_IKE, "unable to acquire context id for nonce");
@@ -216,11 +225,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
        }
 
        /* Get DH context id */
-       tkm_diffie_hellman_t * const tkm_dh = (tkm_diffie_hellman_t *)dh;
-       const dh_id_type dh_id = tkm_dh->get_id(tkm_dh);
-
-       nonce_type nonce_rem;
-       u_int64_t spi_loc, spi_rem;
+       tkm_dh = (tkm_diffie_hellman_t *)dh;
+       dh_id = tkm_dh->get_id(tkm_dh);
 
        if (this->initiator)
        {
@@ -235,8 +241,6 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
                spi_rem = id->get_initiator_spi(id);
        }
 
-       result_type res;
-       key_type sk_ai, sk_ar, sk_ei, sk_er;
        if (rekey_function == PRF_UNDEFINED)
        {
                this->ae_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_AE);
@@ -253,12 +257,14 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
        }
        else
        {
+               isa_info_t isa_info;
+
                if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_info_t))
                {
                        DBG1(DBG_IKE, "unable to retrieve parent isa info");
                        return FALSE;
                }
-               const isa_info_t isa_info = *((isa_info_t *)(rekey_skd.ptr));
+               isa_info = *((isa_info_t *)(rekey_skd.ptr));
                DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu,"
                         "dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id,
                         isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem);
@@ -276,15 +282,14 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
                return FALSE;
        }
 
-       chunk_t c_ai, c_ar, c_ei, c_er;
        sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai);
        sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar);
        sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei);
        sequence_to_chunk(sk_er.data, sk_er.size, &c_er);
 
-       aead_create_from_keys(&this->aead_in, &this->aead_out,
-                       &c_ai, &c_ar, &c_ei, &c_er,
-                       enc_alg, int_alg, key_size / 8, this->initiator);
+       aead_create_from_keys(&this->aead_in, &this->aead_out, &c_ai, &c_ar, &c_ei,
+                                                 &c_er, enc_alg, int_alg, key_size / 8,
+                                                 this->initiator);
 
        chunk_clear(&c_ai);
        chunk_clear(&c_ar);
@@ -315,8 +320,8 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
        chunk_t *encr_r, chunk_t *integ_r)
 {
        esa_info_t *esa_info_i, *esa_info_r;
-
        dh_id_type dh_id = 0;
+
        if (dh)
        {
                dh_id = ((tkm_diffie_hellman_t *)dh)->get_id((tkm_diffie_hellman_t *)dh);
@@ -362,6 +367,8 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
        private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
        chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
 {
+       sign_info_t *sign;
+
        if (verify)
        {
                /* store peer init message for authentication step */
@@ -370,7 +377,6 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
                return TRUE;
        }
 
-       sign_info_t *sign;
        INIT(sign,
                 .isa_id = this->isa_ctx_id,
                 .init_message = chunk_clone(ike_sa_init),
index 47cfef5..0505864 100644 (file)
@@ -56,7 +56,9 @@ static ri_id_type get_remote_identity_id(peer_cfg_t *peer)
 {
        ri_id_type remote_id = 0;
        child_cfg_t *child;
-       enumerator_t* children = peer->create_child_cfg_enumerator(peer);
+       enumerator_t* children;
+
+       children = peer->create_child_cfg_enumerator(peer);
 
        /* pick the reqid of the first child, no need to enumerate all children. */
        children->enumerate(children, &child);
@@ -76,20 +78,26 @@ static ri_id_type get_remote_identity_id(peer_cfg_t *peer)
  */
 static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
 {
-       DBG1(DBG_IKE, "building certificate chain context %llu for IKE SA %s",
-                cc_id, ike_sa->get_name((ike_sa_t *)ike_sa));
-
        auth_cfg_t *auth;
        certificate_t *cert;
        enumerator_t *rounds;
+
+       DBG1(DBG_IKE, "building certificate chain context %llu for IKE SA %s",
+                cc_id, ike_sa->get_name((ike_sa_t *)ike_sa));
+
        rounds = ike_sa->create_auth_cfg_enumerator((ike_sa_t *)ike_sa, FALSE);
        while (rounds->enumerate(rounds, &auth))
        {
                cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
                if (cert)
                {
-                       /* set user certificate */
                        chunk_t enc_user_cert;
+                       ri_id_type ri_id;
+                       certificate_type user_cert;
+                       auth_rule_t rule;
+                       enumerator_t *enumerator;
+
+                       /* set user certificate */
                        if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_user_cert))
                        {
                                DBG1(DBG_IKE, "unable to extract encoded user certificate");
@@ -97,10 +105,8 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
                                return FALSE;
                        }
 
-                       ri_id_type ri_id = get_remote_identity_id(ike_sa->get_peer_cfg((ike_sa_t *)ike_sa));
-                       certificate_type user_cert;
-                       chunk_to_sequence(&enc_user_cert, &user_cert,
-                                                         sizeof(certificate_type));
+                       ri_id = get_remote_identity_id(ike_sa->get_peer_cfg((ike_sa_t *)ike_sa));
+                       chunk_to_sequence(&enc_user_cert, &user_cert, sizeof(certificate_type));
                        chunk_free(&enc_user_cert);
                        if (ike_cc_set_user_certificate(cc_id, ri_id, 1, user_cert) != TKM_OK)
                        {
@@ -111,23 +117,23 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
                        }
 
                        /* process intermediate CA certificates */
-                       auth_rule_t rule;
-                       enumerator_t *enumerator = auth->create_enumerator(auth);
+                       enumerator = auth->create_enumerator(auth);
                        while (enumerator->enumerate(enumerator, &rule, &cert))
                        {
                                if (rule == AUTH_RULE_IM_CERT)
                                {
                                        chunk_t enc_im_cert;
+                                       certificate_type im_cert;
+
                                        if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_im_cert))
                                        {
                                                DBG1(DBG_IKE, "unable to extract encoded intermediate CA"
-                                                       " certificate");
+                                                        " certificate");
                                                rounds->destroy(rounds);
                                                enumerator->destroy(enumerator);
                                                return FALSE;
                                        }
 
-                                       certificate_type im_cert;
                                        chunk_to_sequence(&enc_im_cert, &im_cert,
                                                                          sizeof(certificate_type));
                                        chunk_free(&enc_im_cert);
@@ -147,7 +153,10 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
                        cert = auth->get(auth, AUTH_RULE_CA_CERT);
                        if (cert)
                        {
+                               const ca_id_type ca_id = 1;
+                               certificate_type ca_cert;
                                chunk_t enc_ca_cert;
+
                                if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_ca_cert))
                                {
                                        DBG1(DBG_IKE, "unable to extract encoded CA certificate");
@@ -155,8 +164,6 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id)
                                        return FALSE;
                                }
 
-                               const ca_id_type ca_id = 1;
-                               certificate_type ca_cert;
                                chunk_to_sequence(&enc_ca_cert, &ca_cert,
                                                                  sizeof(certificate_type));
                                chunk_free(&enc_ca_cert);
@@ -200,8 +207,12 @@ METHOD(listener_t, alert, bool,
 {
        if (alert == ALERT_KEEP_ON_CHILD_SA_FAILURE)
        {
-               tkm_keymat_t * const keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
-               const isa_id_type isa_id = keymat->get_isa_id(keymat);
+               tkm_keymat_t *keymat;
+               isa_id_type isa_id;
+
+               keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+               isa_id = keymat->get_isa_id(keymat);
+
                DBG1(DBG_IKE, "TKM alert listener called for ISA context %llu", isa_id);
                if (ike_isa_skip_create_first(isa_id) != TKM_OK)
                {
@@ -217,47 +228,51 @@ METHOD(listener_t, authorize, bool,
        private_tkm_listener_t *this, ike_sa_t *ike_sa,
        bool final, bool *success)
 {
+       tkm_keymat_t *keymat;
+       isa_id_type isa_id;
+       cc_id_type cc_id;
+       chunk_t *auth, *other_init_msg;
+       signature_type signature;
+       init_message_type init_msg;
+
        if (!final)
        {
                return TRUE;
        }
 
-       tkm_keymat_t * const keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
-       const isa_id_type isa_id = keymat->get_isa_id(keymat);
+       keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+       isa_id = keymat->get_isa_id(keymat);
        DBG1(DBG_IKE, "TKM authorize listener called for ISA context %llu", isa_id);
 
-       const cc_id_type cc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_CC);
+       cc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_CC);
        if (!cc_id)
        {
                DBG1(DBG_IKE, "unable to acquire CC context id");
                *success = FALSE;
                return TRUE;
        }
-       const bool cc_success = build_cert_chain(ike_sa, cc_id);
-       if (!cc_success)
+       if (!build_cert_chain(ike_sa, cc_id))
        {
                DBG1(DBG_IKE, "unable to build certificate chain");
                *success = FALSE;
                return TRUE;
        }
 
-       const chunk_t * const auth = keymat->get_auth_payload(keymat);
+       auth = keymat->get_auth_payload(keymat);
        if (!auth->ptr)
        {
                DBG1(DBG_IKE, "no AUTHENTICATION data available");
                *success = FALSE;
        }
 
-       const chunk_t * const other_init_msg = keymat->get_peer_init_msg(keymat);
+       other_init_msg = keymat->get_peer_init_msg(keymat);
        if (!other_init_msg->ptr)
        {
                DBG1(DBG_IKE, "no peer init message available");
                *success = FALSE;
        }
 
-       signature_type signature;
        chunk_to_sequence(auth, &signature, sizeof(signature_type));
-       init_message_type init_msg;
        chunk_to_sequence(other_init_msg, &init_msg, sizeof(init_message_type));
 
        if (ike_isa_auth(isa_id, cc_id, init_msg, signature) != TKM_OK)
@@ -280,21 +295,27 @@ METHOD(listener_t, message, bool,
        private_tkm_listener_t *this, ike_sa_t *ike_sa,
        message_t *message, bool incoming, bool plain)
 {
+       tkm_keymat_t *keymat;
+       isa_id_type isa_id;
+       auth_payload_t *auth_payload;
+
        if (!incoming || !plain || message->get_exchange_type(message) != IKE_AUTH)
        {
                return TRUE;
        }
 
-       tkm_keymat_t * const keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
-       const isa_id_type isa_id = keymat->get_isa_id(keymat);
+       keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
+       isa_id = keymat->get_isa_id(keymat);
        DBG1(DBG_IKE, "saving AUTHENTICATION payload for authorize hook"
-                  " (ISA context %llu)", isa_id);
+            " (ISA context %llu)", isa_id);
 
-       auth_payload_t * const auth_payload =
-               (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+       auth_payload = (auth_payload_t*)message->get_payload(message,
+                                                                                                                AUTHENTICATION);
        if (auth_payload)
        {
-               const chunk_t auth_data = auth_payload->get_data(auth_payload);
+               chunk_t auth_data;
+
+               auth_data = auth_payload->get_data(auth_payload);
                keymat->set_auth_payload(keymat, &auth_data);
        }
        else
index 2723a3e..a073267 100644 (file)
@@ -43,6 +43,7 @@ METHOD(nonce_gen_t, get_nonce, bool,
        private_tkm_nonceg_t *this, size_t size, u_int8_t *buffer)
 {
        nonce_type nonce;
+
        if (ike_nc_create(this->context_id, size, &nonce) != TKM_OK)
        {
                return FALSE;
index 9e3f96c..db57ec1 100644 (file)
@@ -63,16 +63,18 @@ METHOD(private_key_t, sign, bool,
 {
        signature_type sig;
        init_message_type msg;
+       sign_info_t sign;
+       isa_id_type isa_id;
 
        if (data.ptr == NULL)
        {
                DBG1(DBG_LIB, "unable to get signature information");
                return FALSE;
        }
-       sign_info_t sign = *(sign_info_t *)(data.ptr);
+       sign = *(sign_info_t *)(data.ptr);
 
        chunk_to_sequence(&sign.init_message, &msg, sizeof(init_message_type));
-       const isa_id_type isa_id = sign.isa_id;
+       isa_id = sign.isa_id;
        chunk_free(&sign.init_message);
 
        if (ike_isa_sign(isa_id, 1, msg, &sig) != TKM_OK)
@@ -141,6 +143,8 @@ METHOD(private_key_t, destroy, void,
 tkm_private_key_t *tkm_private_key_init(identification_t * const id)
 {
        private_tkm_private_key_t *this;
+       certificate_t *cert;
+       public_key_t *pubkey;
 
        INIT(this,
                .public = {
@@ -164,7 +168,6 @@ tkm_private_key_t *tkm_private_key_init(identification_t * const id)
        );
 
        /* get key type from associated public key */
-       certificate_t *cert;
        cert = lib->credmgr->get_cert(lib->credmgr, CERT_ANY, KEY_ANY, id, FALSE);
        if (!cert)
        {
@@ -172,7 +175,7 @@ tkm_private_key_t *tkm_private_key_init(identification_t * const id)
                return NULL;
        }
 
-       public_key_t *pubkey = cert->get_public_key(cert);
+       pubkey = cert->get_public_key(cert);
        if (!pubkey)
        {
                cert->destroy(cert);
index e0c3e57..e0692b8 100644 (file)
@@ -26,18 +26,19 @@ struct sequence_type {
 typedef struct sequence_type sequence_type;
 
 void sequence_to_chunk(const byte_t * const first, const uint32_t len,
-               chunk_t * const chunk)
+                                          chunk_t * const chunk)
 {
        *chunk = chunk_alloc(len);
        memcpy(chunk->ptr, first, len);
 }
 
 void chunk_to_sequence(const chunk_t * const chunk, void *sequence,
-               const uint32_t typelen)
+                                          const uint32_t typelen)
 {
        const uint32_t seqlenmax = typelen - sizeof(uint32_t);
-       memset(sequence, 0, typelen);
        sequence_type *seq = sequence;
+
+       memset(sequence, 0, typelen);
        if (chunk->len > seqlenmax)
        {
                DBG1(DBG_LIB, "chunk too large to fit into sequence %d > %d, limiting"
index ac8fac7..308c58f 100644 (file)
@@ -33,7 +33,7 @@
  * @param chunk                pointer to chunk struct
  */
 void sequence_to_chunk(const byte_t * const first, const uint32_t len,
-               chunk_t * const chunk);
+                                          chunk_t * const chunk);
 
 /**
  * Convert chunk to variable-length byte sequence.
@@ -43,6 +43,6 @@ void sequence_to_chunk(const byte_t * const first, const uint32_t len,
  * @param typelen      length of sequence type
  */
 void chunk_to_sequence(const chunk_t * const chunk, void *sequence,
-               const uint32_t typelen);
+                                          const uint32_t typelen);
 
 #endif /** TKM_UTILS_H_ @}*/