diff options
| author | Adrian-Ken Rueegsegger <ken@codelabs.ch> | 2013-03-18 18:47:16 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2013-03-19 15:24:36 +0100 |
| commit | 7cc6fa1a983a668bd884e08f0e453637d4702cbe (patch) | |
| tree | 3dc37f41df2b66b0c50c602b3f677cae9861b446 | |
| parent | db50a35ad86c95e7b2aeb13e7dae50d3f7127336 (diff) | |
| download | strongswan-7cc6fa1a983a668bd884e08f0e453637d4702cbe.tar.bz2 strongswan-7cc6fa1a983a668bd884e08f0e453637d4702cbe.tar.xz | |
Various stylistic fixes
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm.c | 27 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_chunk_map.h | 2 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_cred.c | 6 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_id_manager.c | 12 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_kernel_ipsec.c | 40 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_kernel_sad.c | 13 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_keymat.c | 70 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_listener.c | 85 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_nonceg.c | 1 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_private_key.c | 11 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_utils.c | 7 | ||||
| -rw-r--r-- | src/charon-tkm/src/tkm/tkm_utils.h | 4 |
12 files changed, 155 insertions, 123 deletions
diff --git a/src/charon-tkm/src/tkm/tkm.c b/src/charon-tkm/src/tkm/tkm.c index 9cf54b087..a39221dc2 100644 --- a/src/charon-tkm/src/tkm/tkm.c +++ b/src/charon-tkm/src/tkm/tkm.c @@ -52,23 +52,16 @@ tkm_t *tkm = NULL; bool tkm_init() { private_tkm_t *this; - active_requests_type max_requests; - nc_id_type nc; - dh_id_type dh; - cc_id_type cc; - ae_id_type ae; - isa_id_type isa; - esa_id_type esa; + char *ikesock, *eessock; + tkm_limits_t limits; /* initialize TKM client library */ tkmlib_init(); ehandler_init(); - const char * const ikesock = lib->settings->get_str(lib->settings, - "%s.ike_socket", - IKE_SOCKET, - charon->name); + ikesock = lib->settings->get_str(lib->settings, "%s.ike_socket", IKE_SOCKET, + charon->name); if (ike_init(ikesock) != TKM_OK) { tkmlib_final(); @@ -76,10 +69,8 @@ bool tkm_init() } DBG1(DBG_DMN, "connected to TKM via socket '%s'", ikesock); - const char * const eessock = lib->settings->get_str(lib->settings, - "%s.ees_socket", - EES_SOCKET, - charon->name); + eessock = lib->settings->get_str(lib->settings, "%s.ees_socket", EES_SOCKET, + charon->name); ees_server_init(eessock); DBG1(DBG_DMN, "serving EES requests on socket '%s'", eessock); @@ -91,15 +82,15 @@ bool tkm_init() } /* get limits from tkm */ - if (ike_tkm_limits(&max_requests, &nc, &dh, &cc, &ae, &isa, &esa) != TKM_OK) + if (ike_tkm_limits(&max_requests, &limits[TKM_CTX_NONCE], &limits[TKM_CTX_DH], + &limits[TKM_CTX_CC], &limits[TKM_CTX_AE], + &limits[TKM_CTX_ISA], &limits[TKM_CTX_ESA]) != TKM_OK) { ees_server_finalize(); tkmlib_final(); return FALSE; } - const tkm_limits_t limits = {nc, dh, cc, isa, ae, esa}; - INIT(this, .public = { .idmgr = tkm_id_manager_create(limits), diff --git a/src/charon-tkm/src/tkm/tkm_chunk_map.h b/src/charon-tkm/src/tkm/tkm_chunk_map.h index 2d8ea8f76..648257574 100644 --- a/src/charon-tkm/src/tkm/tkm_chunk_map.h +++ b/src/charon-tkm/src/tkm/tkm_chunk_map.h @@ -39,7 +39,7 @@ struct tkm_chunk_map_t { * @param id id associated with data */ void (*insert)(tkm_chunk_map_t * const this, const chunk_t * const data, - const uint64_t id); + const uint64_t id); /** * Get id for given chunk. diff --git a/src/charon-tkm/src/tkm/tkm_cred.c b/src/charon-tkm/src/tkm/tkm_cred.c index cf591d4e3..d9517f908 100644 --- a/src/charon-tkm/src/tkm/tkm_cred.c +++ b/src/charon-tkm/src/tkm/tkm_cred.c @@ -54,20 +54,22 @@ struct private_tkm_cred_t { METHOD(credential_set_t, create_private_enumerator, enumerator_t*, private_tkm_cred_t *this, key_type_t type, identification_t *id) { + identification_t *entry; + if (!id) { return this->known_keys->create_enumerator(this->known_keys); } - identification_t *entry; this->lock->write_lock(this->lock); entry = this->known_keys->get(this->known_keys, id); if (!entry) { identification_t *clone = id->clone(id); - DBG1(DBG_CFG, "adding private key proxy for id '%Y'", clone); tkm_private_key_t *key = tkm_private_key_init(id); + + DBG1(DBG_CFG, "adding private key proxy for id '%Y'", clone); if (!key) { DBG1(DBG_CFG, "unable to create private key for id '%Y'", clone); diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c index 63377e65d..407d0a87f 100644 --- a/src/charon-tkm/src/tkm/tkm_id_manager.c +++ b/src/charon-tkm/src/tkm/tkm_id_manager.c @@ -81,7 +81,7 @@ METHOD(tkm_id_manager_t, acquire_id, int, if (!is_valid_kind(kind)) { DBG1(DBG_LIB, "tried to acquire id for invalid context kind '%d'", - kind); + kind); return 0; } @@ -99,8 +99,8 @@ METHOD(tkm_id_manager_t, acquire_id, int, if (!id) { - DBG1(DBG_LIB, "acquiring %N context id failed", - tkm_context_kind_names, kind); + DBG1(DBG_LIB, "acquiring %N context id failed", tkm_context_kind_names, + kind); } return id; @@ -115,7 +115,7 @@ METHOD(tkm_id_manager_t, release_id, bool, if (!is_valid_kind(kind)) { DBG1(DBG_LIB, "tried to release id %d for invalid context kind '%d'", - id, kind); + id, kind); return FALSE; } @@ -160,8 +160,8 @@ tkm_id_manager_t *tkm_id_manager_create(const tkm_limits_t limits) this->limits[i] = limits[i]; this->ctxids[i] = calloc(limits[i], sizeof(bool)); this->locks[i] = rwlock_create(RWLOCK_TYPE_DEFAULT); - DBG2(DBG_LIB, "%N initialized, %llu slot(s)", - tkm_context_kind_names, i, limits[i]); + DBG2(DBG_LIB, "%N initialized, %llu slot(s)", tkm_context_kind_names, i, + limits[i]); } return &this->public; diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c index 7d14ba702..69aefea97 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c @@ -62,6 +62,8 @@ METHOD(kernel_ipsec_t, get_spi, status_t, private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst, u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { + bool result; + if (!this->rng) { this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); @@ -73,8 +75,8 @@ METHOD(kernel_ipsec_t, get_spi, status_t, } DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid); - const bool result = this->rng->get_bytes(this->rng, sizeof(u_int32_t), - (u_int8_t *)spi); + result = this->rng->get_bytes(this->rng, sizeof(u_int32_t), + (u_int8_t *)spi); return result ? SUCCESS : FAILED; } @@ -93,12 +95,21 @@ METHOD(kernel_ipsec_t, add_sa, status_t, u_int16_t cpi, bool encap, bool esn, bool inbound, traffic_selector_t* src_ts, traffic_selector_t* dst_ts) { + esa_info_t esa; + bool initiator; + esp_spi_type spi_loc, spi_rem; + host_t *local, *peer; + chunk_t *nonce_loc, *nonce_rem; + nc_id_type nonce_loc_id; + esa_id_type esa_id; + nonce_type nc_rem; + if (enc_key.ptr == NULL) { DBG1(DBG_KNL, "Unable to get ESA information"); return FAILED; } - esa_info_t esa = *(esa_info_t *)(enc_key.ptr); + esa = *(esa_info_t *)(enc_key.ptr); /* only handle the case where we have both distinct ESP spi's available */ if (esa.spi_r == spi) @@ -109,11 +120,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, } /* Initiator if encr_r is passed as enc_key to the inbound add_sa call */ - const bool initiator = esa.is_encr_r && inbound; - - esp_spi_type spi_loc, spi_rem; - host_t *local, *peer; - chunk_t *nonce_loc, *nonce_rem; + initiator = esa.is_encr_r && inbound; if (initiator) { spi_loc = spi; @@ -133,10 +140,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, nonce_rem = &esa.nonce_i; } - const nc_id_type nonce_loc_id = tkm->chunk_map->get_id(tkm->chunk_map, - nonce_loc); - - const esa_id_type esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA); + esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA); if (!this->sad->insert(this->sad, esa_id, peer, local, spi_loc, protocol)) { DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id); @@ -147,6 +151,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, * creation of first CHILD SA: * no nonce and no dh contexts because the ones from the IKE SA are re-used */ + nonce_loc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce_loc); if (nonce_loc_id == 0 && esa.dh_id == 0) { if (ike_esa_create_first(esa_id, esa.isa_id, reqid, 1, spi_loc, spi_rem) @@ -159,7 +164,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t, /* creation of child SA without PFS: no dh context */ else if (nonce_loc_id != 0 && esa.dh_id == 0) { - nonce_type nc_rem; chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type)); if (ike_esa_create_no_pfs(esa_id, esa.isa_id, reqid, 1, nonce_loc_id, nc_rem, initiator, spi_loc, spi_rem) @@ -173,7 +177,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t, /* creation of subsequent child SA with PFS: nonce and dh context are set */ else { - nonce_type nc_rem; chunk_to_sequence(nonce_rem, &nc_rem, sizeof(nonce_type)); if (ike_esa_create(esa_id, esa.isa_id, reqid, 1, esa.dh_id, nonce_loc_id, nc_rem, initiator, spi_loc, spi_rem) != TKM_OK) @@ -222,8 +225,9 @@ METHOD(kernel_ipsec_t, del_sa, status_t, private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark) { - const esa_id_type esa_id = this->sad->get_esa_id(this->sad, src, dst, spi, - protocol); + esa_id_type esa_id; + + esa_id = this->sad->get_esa_id(this->sad, src, dst, spi, protocol); if (esa_id) { DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id, @@ -314,14 +318,14 @@ METHOD(kernel_ipsec_t, bypass_socket, bool, if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); + strerror(errno)); return FALSE; } policy.dir = XFRM_POLICY_IN; if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s", - strerror(errno)); + strerror(errno)); return FALSE; } return TRUE; diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c index 02b6ddc7c..360a47bdc 100644 --- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c +++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c @@ -129,8 +129,9 @@ METHOD(tkm_kernel_sad_t, insert, bool, const host_t * const src, const host_t * const dst, const u_int32_t spi, const u_int8_t proto) { - + status_t result; sad_entry_t *new_entry; + INIT(new_entry, .esa_id = esa_id, .src = (host_t *)src, @@ -140,9 +141,9 @@ METHOD(tkm_kernel_sad_t, insert, bool, ); this->mutex->lock(this->mutex); - const status_t result = this->data->find_first(this->data, - (linked_list_match_t)sad_entry_equal, - NULL, new_entry); + result = this->data->find_first(this->data, + (linked_list_match_t)sad_entry_equal, NULL, + new_entry); if (result == NOT_FOUND) { DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, src: %H, dst: %H, " @@ -192,8 +193,10 @@ METHOD(tkm_kernel_sad_t, _remove, bool, { sad_entry_t *current; bool removed = FALSE; + enumerator_t *enumerator; + this->mutex->lock(this->mutex); - enumerator_t *enumerator = this->data->create_enumerator(this->data); + enumerator = this->data->create_enumerator(this->data); while (enumerator->enumerate(enumerator, (void **)¤t)) { if (current->esa_id == esa_id) diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c index fe4caf9ec..772fac8b0 100644 --- a/src/charon-tkm/src/tkm/tkm_keymat.c +++ b/src/charon-tkm/src/tkm/tkm_keymat.c @@ -94,9 +94,11 @@ static void aead_create_from_keys(aead_t **in, aead_t **out, const u_int16_t key_size, bool initiator) { *in = *out = NULL; + signer_t *signer_i, *signer_r; + crypter_t *crypter_i, *crypter_r; - signer_t * const signer_i = lib->crypto->create_signer(lib->crypto, int_alg); - signer_t * const signer_r = lib->crypto->create_signer(lib->crypto, int_alg); + signer_i = lib->crypto->create_signer(lib->crypto, int_alg); + signer_r = lib->crypto->create_signer(lib->crypto, int_alg); if (signer_i == NULL || signer_r == NULL) { DBG1(DBG_IKE, "%N %N not supported!", @@ -104,10 +106,8 @@ static void aead_create_from_keys(aead_t **in, aead_t **out, integrity_algorithm_names, int_alg); return; } - crypter_t * const crypter_i = lib->crypto->create_crypter(lib->crypto, - enc_alg, key_size); - crypter_t * const crypter_r = lib->crypto->create_crypter(lib->crypto, - enc_alg, key_size); + crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size); + crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size); if (crypter_i == NULL || crypter_r == NULL) { signer_i->destroy(signer_i); @@ -174,41 +174,50 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t rekey_function, chunk_t rekey_skd) { - /* Check encryption and integrity algorithms */ u_int16_t enc_alg, int_alg, key_size; - if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg, &key_size)) + u_int64_t nc_id, spi_loc, spi_rem; + chunk_t *nonce, c_ai, c_ar, c_ei, c_er; + tkm_diffie_hellman_t *tkm_dh; + dh_id_type dh_id; + nonce_type nonce_rem; + result_type res; + key_type sk_ai, sk_ar, sk_ei, sk_er; + + /* Check encryption and integrity algorithms */ + if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg, + &key_size)) { DBG1(DBG_IKE, "no %N selected", transform_type_names, - ENCRYPTION_ALGORITHM); + ENCRYPTION_ALGORITHM); return FALSE; } if (encryption_algorithm_is_aead(enc_alg)) { DBG1(DBG_IKE, "AEAD algorithm %N not supported", - encryption_algorithm_names, enc_alg); + encryption_algorithm_names, enc_alg); return FALSE; } if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL)) { DBG1(DBG_IKE, "no %N selected", transform_type_names, - INTEGRITY_ALGORITHM); + INTEGRITY_ALGORITHM); return FALSE; } if (!(enc_alg == ENCR_AES_CBC && key_size == 256 && - int_alg == AUTH_HMAC_SHA2_512_256)) + int_alg == AUTH_HMAC_SHA2_512_256)) { - DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, please" - " update your configuration"); + DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, " + "please update your configuration"); return FALSE; } DBG2(DBG_IKE, "using %N for encryption, %N for integrity", - encryption_algorithm_names, enc_alg, - integrity_algorithm_names, int_alg); + encryption_algorithm_names, enc_alg, integrity_algorithm_names, + int_alg); /* Acquire nonce context id */ - chunk_t * const nonce = this->initiator ? &nonce_i : &nonce_r; - const uint64_t nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce); + nonce = this->initiator ? &nonce_i : &nonce_r; + nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce); if (!nc_id) { DBG1(DBG_IKE, "unable to acquire context id for nonce"); @@ -216,11 +225,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, } /* Get DH context id */ - tkm_diffie_hellman_t * const tkm_dh = (tkm_diffie_hellman_t *)dh; - const dh_id_type dh_id = tkm_dh->get_id(tkm_dh); - - nonce_type nonce_rem; - u_int64_t spi_loc, spi_rem; + tkm_dh = (tkm_diffie_hellman_t *)dh; + dh_id = tkm_dh->get_id(tkm_dh); if (this->initiator) { @@ -235,8 +241,6 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, spi_rem = id->get_initiator_spi(id); } - result_type res; - key_type sk_ai, sk_ar, sk_ei, sk_er; if (rekey_function == PRF_UNDEFINED) { this->ae_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_AE); @@ -253,12 +257,14 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, } else { + isa_info_t isa_info; + if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_info_t)) { DBG1(DBG_IKE, "unable to retrieve parent isa info"); return FALSE; } - const isa_info_t isa_info = *((isa_info_t *)(rekey_skd.ptr)); + isa_info = *((isa_info_t *)(rekey_skd.ptr)); DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu," "dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id, isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem); @@ -276,15 +282,14 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, return FALSE; } - chunk_t c_ai, c_ar, c_ei, c_er; sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai); sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar); sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei); sequence_to_chunk(sk_er.data, sk_er.size, &c_er); - aead_create_from_keys(&this->aead_in, &this->aead_out, - &c_ai, &c_ar, &c_ei, &c_er, - enc_alg, int_alg, key_size / 8, this->initiator); + aead_create_from_keys(&this->aead_in, &this->aead_out, &c_ai, &c_ar, &c_ei, + &c_er, enc_alg, int_alg, key_size / 8, + this->initiator); chunk_clear(&c_ai); chunk_clear(&c_ar); @@ -315,8 +320,8 @@ METHOD(keymat_v2_t, derive_child_keys, bool, chunk_t *encr_r, chunk_t *integ_r) { esa_info_t *esa_info_i, *esa_info_r; - dh_id_type dh_id = 0; + if (dh) { dh_id = ((tkm_diffie_hellman_t *)dh)->get_id((tkm_diffie_hellman_t *)dh); @@ -362,6 +367,8 @@ METHOD(keymat_v2_t, get_auth_octets, bool, private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets) { + sign_info_t *sign; + if (verify) { /* store peer init message for authentication step */ @@ -370,7 +377,6 @@ METHOD(keymat_v2_t, get_auth_octets, bool, return TRUE; } - sign_info_t *sign; INIT(sign, .isa_id = this->isa_ctx_id, .init_message = chunk_clone(ike_sa_init), diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c index 47cfef5ac..050586456 100644 --- a/src/charon-tkm/src/tkm/tkm_listener.c +++ b/src/charon-tkm/src/tkm/tkm_listener.c @@ -56,7 +56,9 @@ static ri_id_type get_remote_identity_id(peer_cfg_t *peer) { ri_id_type remote_id = 0; child_cfg_t *child; - enumerator_t* children = peer->create_child_cfg_enumerator(peer); + enumerator_t* children; + + children = peer->create_child_cfg_enumerator(peer); /* pick the reqid of the first child, no need to enumerate all children. */ children->enumerate(children, &child); @@ -76,20 +78,26 @@ static ri_id_type get_remote_identity_id(peer_cfg_t *peer) */ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id) { - DBG1(DBG_IKE, "building certificate chain context %llu for IKE SA %s", - cc_id, ike_sa->get_name((ike_sa_t *)ike_sa)); - auth_cfg_t *auth; certificate_t *cert; enumerator_t *rounds; + + DBG1(DBG_IKE, "building certificate chain context %llu for IKE SA %s", + cc_id, ike_sa->get_name((ike_sa_t *)ike_sa)); + rounds = ike_sa->create_auth_cfg_enumerator((ike_sa_t *)ike_sa, FALSE); while (rounds->enumerate(rounds, &auth)) { cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); if (cert) { - /* set user certificate */ chunk_t enc_user_cert; + ri_id_type ri_id; + certificate_type user_cert; + auth_rule_t rule; + enumerator_t *enumerator; + + /* set user certificate */ if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_user_cert)) { DBG1(DBG_IKE, "unable to extract encoded user certificate"); @@ -97,10 +105,8 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id) return FALSE; } - ri_id_type ri_id = get_remote_identity_id(ike_sa->get_peer_cfg((ike_sa_t *)ike_sa)); - certificate_type user_cert; - chunk_to_sequence(&enc_user_cert, &user_cert, - sizeof(certificate_type)); + ri_id = get_remote_identity_id(ike_sa->get_peer_cfg((ike_sa_t *)ike_sa)); + chunk_to_sequence(&enc_user_cert, &user_cert, sizeof(certificate_type)); chunk_free(&enc_user_cert); if (ike_cc_set_user_certificate(cc_id, ri_id, 1, user_cert) != TKM_OK) { @@ -111,23 +117,23 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id) } /* process intermediate CA certificates */ - auth_rule_t rule; - enumerator_t *enumerator = auth->create_enumerator(auth); + enumerator = auth->create_enumerator(auth); while (enumerator->enumerate(enumerator, &rule, &cert)) { if (rule == AUTH_RULE_IM_CERT) { chunk_t enc_im_cert; + certificate_type im_cert; + if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_im_cert)) { DBG1(DBG_IKE, "unable to extract encoded intermediate CA" - " certificate"); + " certificate"); rounds->destroy(rounds); enumerator->destroy(enumerator); return FALSE; } - certificate_type im_cert; chunk_to_sequence(&enc_im_cert, &im_cert, sizeof(certificate_type)); chunk_free(&enc_im_cert); @@ -147,7 +153,10 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id) cert = auth->get(auth, AUTH_RULE_CA_CERT); if (cert) { + const ca_id_type ca_id = 1; + certificate_type ca_cert; chunk_t enc_ca_cert; + if (!cert->get_encoding(cert, CERT_ASN1_DER, &enc_ca_cert)) { DBG1(DBG_IKE, "unable to extract encoded CA certificate"); @@ -155,8 +164,6 @@ static bool build_cert_chain(const ike_sa_t * const ike_sa, cc_id_type cc_id) return FALSE; } - const ca_id_type ca_id = 1; - certificate_type ca_cert; chunk_to_sequence(&enc_ca_cert, &ca_cert, sizeof(certificate_type)); chunk_free(&enc_ca_cert); @@ -200,8 +207,12 @@ METHOD(listener_t, alert, bool, { if (alert == ALERT_KEEP_ON_CHILD_SA_FAILURE) { - tkm_keymat_t * const keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa); - const isa_id_type isa_id = keymat->get_isa_id(keymat); + tkm_keymat_t *keymat; + isa_id_type isa_id; + + keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa); + isa_id = keymat->get_isa_id(keymat); + DBG1(DBG_IKE, "TKM alert listener called for ISA context %llu", isa_id); if (ike_isa_skip_create_first(isa_id) != TKM_OK) { @@ -217,47 +228,51 @@ METHOD(listener_t, authorize, bool, private_tkm_listener_t *this, ike_sa_t *ike_sa, bool final, bool *success) { + tkm_keymat_t *keymat; + isa_id_type isa_id; + cc_id_type cc_id; + chunk_t *auth, *other_init_msg; + signature_type signature; + init_message_type init_msg; + if (!final) { return TRUE; } - tkm_keymat_t * const keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa); - const isa_id_type isa_id = keymat->get_isa_id(keymat); + keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa); + isa_id = keymat->get_isa_id(keymat); DBG1(DBG_IKE, "TKM authorize listener called for ISA context %llu", isa_id); - const cc_id_type cc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_CC); + cc_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_CC); if (!cc_id) { DBG1(DBG_IKE, "unable to acquire CC context id"); *success = FALSE; return TRUE; } - const bool cc_success = build_cert_chain(ike_sa, cc_id); - if (!cc_success) + if (!build_cert_chain(ike_sa, cc_id)) { DBG1(DBG_IKE, "unable to build certificate chain"); *success = FALSE; return TRUE; } - const chunk_t * const auth = keymat->get_auth_payload(keymat); + auth = keymat->get_auth_payload(keymat); if (!auth->ptr) { DBG1(DBG_IKE, "no AUTHENTICATION data available"); *success = FALSE; } - const chunk_t * const other_init_msg = keymat->get_peer_init_msg(keymat); + other_init_msg = keymat->get_peer_init_msg(keymat); if (!other_init_msg->ptr) { DBG1(DBG_IKE, "no peer init message available"); *success = FALSE; } - signature_type signature; chunk_to_sequence(auth, &signature, sizeof(signature_type)); - init_message_type init_msg; chunk_to_sequence(other_init_msg, &init_msg, sizeof(init_message_type)); if (ike_isa_auth(isa_id, cc_id, init_msg, signature) != TKM_OK) @@ -280,21 +295,27 @@ METHOD(listener_t, message, bool, private_tkm_listener_t *this, ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain) { + tkm_keymat_t *keymat; + isa_id_type isa_id; + auth_payload_t *auth_payload; + if (!incoming || !plain || message->get_exchange_type(message) != IKE_AUTH) { return TRUE; } - tkm_keymat_t * const keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa); - const isa_id_type isa_id = keymat->get_isa_id(keymat); + keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa); + isa_id = keymat->get_isa_id(keymat); DBG1(DBG_IKE, "saving AUTHENTICATION payload for authorize hook" - " (ISA context %llu)", isa_id); + " (ISA context %llu)", isa_id); - auth_payload_t * const auth_payload = - (auth_payload_t*)message->get_payload(message, AUTHENTICATION); + auth_payload = (auth_payload_t*)message->get_payload(message, + AUTHENTICATION); if (auth_payload) { - const chunk_t auth_data = auth_payload->get_data(auth_payload); + chunk_t auth_data; + + auth_data = auth_payload->get_data(auth_payload); keymat->set_auth_payload(keymat, &auth_data); } else diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.c b/src/charon-tkm/src/tkm/tkm_nonceg.c index 2723a3ee5..a07326798 100644 --- a/src/charon-tkm/src/tkm/tkm_nonceg.c +++ b/src/charon-tkm/src/tkm/tkm_nonceg.c @@ -43,6 +43,7 @@ METHOD(nonce_gen_t, get_nonce, bool, private_tkm_nonceg_t *this, size_t size, u_int8_t *buffer) { nonce_type nonce; + if (ike_nc_create(this->context_id, size, &nonce) != TKM_OK) { return FALSE; diff --git a/src/charon-tkm/src/tkm/tkm_private_key.c b/src/charon-tkm/src/tkm/tkm_private_key.c index 9e3f96c95..db57ec1c7 100644 --- a/src/charon-tkm/src/tkm/tkm_private_key.c +++ b/src/charon-tkm/src/tkm/tkm_private_key.c @@ -63,16 +63,18 @@ METHOD(private_key_t, sign, bool, { signature_type sig; init_message_type msg; + sign_info_t sign; + isa_id_type isa_id; if (data.ptr == NULL) { DBG1(DBG_LIB, "unable to get signature information"); return FALSE; } - sign_info_t sign = *(sign_info_t *)(data.ptr); + sign = *(sign_info_t *)(data.ptr); chunk_to_sequence(&sign.init_message, &msg, sizeof(init_message_type)); - const isa_id_type isa_id = sign.isa_id; + isa_id = sign.isa_id; chunk_free(&sign.init_message); if (ike_isa_sign(isa_id, 1, msg, &sig) != TKM_OK) @@ -141,6 +143,8 @@ METHOD(private_key_t, destroy, void, tkm_private_key_t *tkm_private_key_init(identification_t * const id) { private_tkm_private_key_t *this; + certificate_t *cert; + public_key_t *pubkey; INIT(this, .public = { @@ -164,7 +168,6 @@ tkm_private_key_t *tkm_private_key_init(identification_t * const id) ); /* get key type from associated public key */ - certificate_t *cert; cert = lib->credmgr->get_cert(lib->credmgr, CERT_ANY, KEY_ANY, id, FALSE); if (!cert) { @@ -172,7 +175,7 @@ tkm_private_key_t *tkm_private_key_init(identification_t * const id) return NULL; } - public_key_t *pubkey = cert->get_public_key(cert); + pubkey = cert->get_public_key(cert); if (!pubkey) { cert->destroy(cert); diff --git a/src/charon-tkm/src/tkm/tkm_utils.c b/src/charon-tkm/src/tkm/tkm_utils.c index e0c3e5752..e0692b893 100644 --- a/src/charon-tkm/src/tkm/tkm_utils.c +++ b/src/charon-tkm/src/tkm/tkm_utils.c @@ -26,18 +26,19 @@ struct sequence_type { typedef struct sequence_type sequence_type; void sequence_to_chunk(const byte_t * const first, const uint32_t len, - chunk_t * const chunk) + chunk_t * const chunk) { *chunk = chunk_alloc(len); memcpy(chunk->ptr, first, len); } void chunk_to_sequence(const chunk_t * const chunk, void *sequence, - const uint32_t typelen) + const uint32_t typelen) { const uint32_t seqlenmax = typelen - sizeof(uint32_t); - memset(sequence, 0, typelen); sequence_type *seq = sequence; + + memset(sequence, 0, typelen); if (chunk->len > seqlenmax) { DBG1(DBG_LIB, "chunk too large to fit into sequence %d > %d, limiting" diff --git a/src/charon-tkm/src/tkm/tkm_utils.h b/src/charon-tkm/src/tkm/tkm_utils.h index ac8fac742..308c58fbb 100644 --- a/src/charon-tkm/src/tkm/tkm_utils.h +++ b/src/charon-tkm/src/tkm/tkm_utils.h @@ -33,7 +33,7 @@ * @param chunk pointer to chunk struct */ void sequence_to_chunk(const byte_t * const first, const uint32_t len, - chunk_t * const chunk); + chunk_t * const chunk); /** * Convert chunk to variable-length byte sequence. @@ -43,6 +43,6 @@ void sequence_to_chunk(const byte_t * const first, const uint32_t len, * @param typelen length of sequence type */ void chunk_to_sequence(const chunk_t * const chunk, void *sequence, - const uint32_t typelen); + const uint32_t typelen); #endif /** TKM_UTILS_H_ @}*/ |