From: Martin Willi
Date: Fri, 6 Feb 2015 11:21:12 +0000 (+0100)
Subject: stroke: Use separate credential sets for CA/AA certificates
X-Git-Tag: 5.3.0dr1~47^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d69cf39bb45e57bf936b16ca7b9328a5637f6c72;p=thirdparty%2Fstrongswan.git

stroke: Use separate credential sets for CA/AA certificates
---

diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 0ac3f82471..31d9e07232 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -70,10 +70,20 @@ struct private_stroke_cred_t {
 	char *secrets_file;
 
 	/**
-	 * credentials
+	 * credentials: end entity certs, attribute certs, CRLs, etc.
 	 */
 	mem_cred_t *creds;
 
+	/**
+	 * CA certificates
+	 */
+	mem_cred_t *cacerts;
+
+	/**
+	 * Attribute Authority certificates
+	 */
+	mem_cred_t *aacerts;
+
 	/**
 	 * ignore missing CA basic constraint (i.e. treat all certificates in
 	 * ipsec.conf ca sections and ipsec.d/cacerts as CA certificates)
@@ -405,7 +415,7 @@ static void load_x509_ca(private_stroke_cred_t *this, char *file)
 			{
 				DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'",
 					 cert->get_subject(cert), file);
-				this->creds->add_cert(this->creds, TRUE, cert);
+				this->cacerts->add_cert(this->cacerts, TRUE, cert);
 			}
 		}
 		else
@@ -428,7 +438,7 @@ static void load_x509_aa(private_stroke_cred_t *this, char *file)
 		{
 			DBG1(DBG_CFG, " loaded AA certificate \"%Y\" from '%s'",
 				 cert->get_subject(cert), file);
-			this->creds->add_cert(this->creds, TRUE, cert);
+			this->aacerts->add_cert(this->aacerts, TRUE, cert);
 		}
 		else
 		{
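Review bot: The new `cacerts` and `aacerts` field comments say what the sets hold but not who owns them or where they become trusted, which matters now that trust anchors live in their own set; the `creds` comment has the same gap. I would extend them along the lines of `/** CA certificates; owned by this object, registered with lib->credmgr in stroke_cred_create() and removed again in destroy() */`, and the equivalent wording for `aacerts`, so a reader of the struct does not have to find the create/destroy functions to learn that registering the set is what makes its contents trusted. The struct definition continues outside the hunk.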
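Review bot: The file-loading path in `load_x509_ca` now adds the certificate to `this->cacerts` instead of `this->creds`, but any other code that used to rely on CA certificates being in `creds` — in particular a reread/flush path that clears `this->creds` to drop stale trust anchors, or a lookup that enumerates `creds` to find the issuer for an ipsec.conf ca section — would silently keep or miss those certificates unless it was updated in the same way; those callers are not visible in this hunk, so please confirm they were moved to `this->cacerts`. The same applies to the `load_x509_aa` hunk and `this->aacerts`. Both functions start and end outside their hunks.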
@@ -1409,7 +1419,11 @@ METHOD(stroke_cred_t, add_shared, void,
 METHOD(stroke_cred_t, destroy, void,
 	private_stroke_cred_t *this)
 {
+	lib->credmgr->remove_set(lib->credmgr, &this->aacerts->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->cacerts->set);
 	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	this->aacerts->destroy(this->aacerts);
+	this->cacerts->destroy(this->cacerts);
 	this->creds->destroy(this->creds);
 	free(this);
 }
@@ -1442,9 +1456,13 @@ stroke_cred_t *stroke_cred_create()
 			"%s.plugins.stroke.secrets_file", SECRETS_FILE, lib->ns),
 		.creds = mem_cred_create(),
+		.cacerts = mem_cred_create(),
+		.aacerts = mem_cred_create(),
 	);
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->cacerts->set);
+	lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
 	this->force_ca_cert = lib->settings->get_bool(lib->settings,
 			"%s.plugins.stroke.ignore_missing_ca_basic_constraint",