New upstream release.

9 files changed, 1219 insertions, 0 deletions

diff --git a/src/libcharon/network/packet.c b/src/libcharon/network/packet.c
new file mode 100644
index 000000000..19db362f7
--- /dev/null
+++ b/src/libcharon/network/packet.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "packet.h"
+
+typedef struct private_packet_t private_packet_t;
+
+/**
+ * Private data of an packet_t object.
+ */
+struct private_packet_t {
+
+	/**
+	 * Public part of a packet_t object.
+	 */
+	packet_t public;
+
+	/**
+	 * source address
+	 */
+	host_t *source;
+
+	/**
+	 * destination address
+	 */
+	host_t *destination;
+
+	 /**
+	  * message data
+	  */
+	chunk_t data;
+};
+
+METHOD(packet_t, set_source, void,
+	private_packet_t *this, host_t *source)
+{
+	DESTROY_IF(this->source);
+	this->source = source;
+}
+
+METHOD(packet_t, set_destination, void,
+	private_packet_t *this, host_t *destination)
+{
+	DESTROY_IF(this->destination);
+	this->destination = destination;
+}
+
+METHOD(packet_t, get_source, host_t*,
+	private_packet_t *this)
+{
+	return this->source;
+}
+
+METHOD(packet_t, get_destination, host_t*,
+	private_packet_t *this)
+{
+	return this->destination;
+}
+
+METHOD(packet_t, get_data, chunk_t,
+	private_packet_t *this)
+{
+	return this->data;
+}
+
+METHOD(packet_t, set_data, void,
+	private_packet_t *this, chunk_t data)
+{
+	free(this->data.ptr);
+	this->data = data;
+}
+
+METHOD(packet_t, destroy, void,
+	private_packet_t *this)
+{
+	DESTROY_IF(this->source);
+	DESTROY_IF(this->destination);
+	free(this->data.ptr);
+	free(this);
+}
+
+METHOD(packet_t, clone_, packet_t*,
+	private_packet_t *this)
+{
+	packet_t *other;
+
+	other = packet_create();
+	if (this->destination != NULL)
+	{
+		other->set_destination(other, this->destination->clone(this->destination));
+	}
+	if (this->source != NULL)
+	{
+		other->set_source(other, this->source->clone(this->source));
+	}
+	if (this->data.ptr != NULL)
+	{
+		other->set_data(other, chunk_clone(this->data));
+	}
+	return other;
+}
+
+/*
+ * Documented in header
+ */
+packet_t *packet_create(void)
+{
+	private_packet_t *this;
+
+	INIT(this,
+		.public = {
+			.set_data = _set_data,
+			.get_data = _get_data,
+			.set_source = _set_source,
+			.get_source = _get_source,
+			.set_destination = _set_destination,
+			.get_destination = _get_destination,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/network/packet.h b/src/libcharon/network/packet.h
new file mode 100644
index 000000000..18d82c6fc
--- /dev/null
+++ b/src/libcharon/network/packet.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup packet packet
+ * @{ @ingroup network
+ */
+
+#ifndef PACKET_H_
+#define PACKET_H_
+
+typedef struct packet_t packet_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * Abstraction of an UDP-Packet, contains data, sender and receiver.
+ */
+struct packet_t {
+
+	/**
+	 * Set the source address.
+	 *
+	 * Set host_t is now owned by packet_t, it will destroy
+	 * it if necessary.
+	 *
+	 * @param source	address to set as source
+	 */
+	void (*set_source) (packet_t *packet, host_t *source);
+
+	/**
+	 * Set the destination address.
+	 *
+	 * Set host_t is now owned by packet_t, it will destroy
+	 * it if necessary.
+	 *
+	 * @param source	address to set as destination
+	 */
+	void (*set_destination) (packet_t *packet, host_t *destination);
+
+	/**
+	 * Get the source address.
+	 *
+	 * Set host_t is still owned by packet_t, clone it
+	 * if needed.
+	 *
+	 * @return			source address
+	 */
+	host_t *(*get_source) (packet_t *packet);
+
+	/**
+	 * Get the destination address.
+	 *
+	 * Set host_t is still owned by packet_t, clone it
+	 * if needed.
+	 *
+	 * @return			destination address
+	 */
+	host_t *(*get_destination) (packet_t *packet);
+
+	/**
+	 * Get the data from the packet.
+	 *
+	 * The data pointed by the chunk is still owned
+	 * by the packet. Clone it if needed.
+	 *
+	 * @return			chunk containing the data
+	 */
+	chunk_t (*get_data) (packet_t *packet);
+
+	/**
+	 * Set the data in the packet.
+	 *
+	 * Supplied chunk data is now owned by the
+	 * packet. It will free it.
+	 *
+	 * @param data		chunk with data to set
+	 */
+	void (*set_data) (packet_t *packet, chunk_t data);
+
+	/**
+	 * Clones a packet_t object.
+	 *
+	 * @param clone		clone of the packet
+	 */
+	packet_t* (*clone) (packet_t *packet);
+
+	/**
+	 * Destroy the packet, freeing contained data.
+	 */
+	void (*destroy) (packet_t *packet);
+};
+
+/**
+ * create an empty packet
+ *
+ * @return packet_t object
+ */
+packet_t *packet_create(void);
+
+#endif /** PACKET_H_ @}*/
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
new file mode 100644
index 000000000..df897021a
--- /dev/null
+++ b/src/libcharon/network/receiver.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "receiver.h"
+
+#include <daemon.h>
+#include <network/socket.h>
+#include <network/packet.h>
+#include <processing/jobs/job.h>
+#include <processing/jobs/process_message_job.h>
+#include <processing/jobs/callback_job.h>
+#include <crypto/hashers/hasher.h>
+
+/** lifetime of a cookie, in seconds */
+#define COOKIE_LIFETIME 10
+/** how many times to reuse the secret */
+#define COOKIE_REUSE 10000
+/** default value for private_receiver_t.cookie_threshold */
+#define COOKIE_THRESHOLD_DEFAULT 10
+/** default value for private_receiver_t.block_threshold */
+#define BLOCK_THRESHOLD_DEFAULT 5
+/** length of the secret to use for cookie calculation */
+#define SECRET_LENGTH 16
+
+typedef struct private_receiver_t private_receiver_t;
+
+/**
+ * Private data of a receiver_t object.
+ */
+struct private_receiver_t {
+	/**
+	 * Public part of a receiver_t object.
+	 */
+	receiver_t public;
+
+	/**
+	 * Threads job receiving packets
+	 */
+	callback_job_t *job;
+
+	/**
+	 * current secret to use for cookie calculation
+	 */
+	char secret[SECRET_LENGTH];
+
+	/**
+	 * previous secret used to verify older cookies
+	 */
+	char secret_old[SECRET_LENGTH];
+
+	/**
+	 * how many times we have used "secret" so far
+	 */
+	u_int32_t secret_used;
+
+	/**
+	 * time we did the cookie switch
+	 */
+	u_int32_t secret_switch;
+
+	/**
+	 * time offset to use, hides our system time
+	 */
+	u_int32_t secret_offset;
+
+	/**
+	 * the RNG to use for secret generation
+	 */
+	rng_t *rng;
+
+	/**
+	 * hasher to use for cookie calculation
+	 */
+	hasher_t *hasher;
+
+	/**
+	 * require cookies after this many half open IKE_SAs
+	 */
+	u_int32_t cookie_threshold;
+
+	/**
+	 * how many half open IKE_SAs per peer before blocking
+	 */
+	u_int32_t block_threshold;
+
+	/**
+	 * Delay for receiving incoming packets, to simulate larger RTT
+	 */
+	u_int receive_delay;
+};
+
+/**
+ * send a notify back to the sender
+ */
+static void send_notify(message_t *request, notify_type_t type, chunk_t data)
+{
+	if (request->get_request(request) &&
+		request->get_exchange_type(request) == IKE_SA_INIT)
+	{
+		message_t *response;
+		host_t *src, *dst;
+		packet_t *packet;
+		ike_sa_id_t *ike_sa_id;
+
+		response = message_create();
+		dst = request->get_source(request);
+		src = request->get_destination(request);
+		response->set_source(response, src->clone(src));
+		response->set_destination(response, dst->clone(dst));
+		response->set_exchange_type(response, request->get_exchange_type(request));
+		response->set_request(response, FALSE);
+		response->set_message_id(response, 0);
+		ike_sa_id = request->get_ike_sa_id(request);
+		ike_sa_id->switch_initiator(ike_sa_id);
+		response->set_ike_sa_id(response, ike_sa_id);
+		response->add_notify(response, FALSE, type, data);
+		if (response->generate(response, NULL, NULL, &packet) == SUCCESS)
+		{
+			charon->sender->send(charon->sender, packet);
+			response->destroy(response);
+		}
+	}
+}
+
+/**
+ * build a cookie
+ */
+static chunk_t cookie_build(private_receiver_t *this, message_t *message,
+							u_int32_t t, chunk_t secret)
+{
+	u_int64_t spi = message->get_initiator_spi(message);
+	host_t *ip = message->get_source(message);
+	chunk_t input, hash;
+
+	/* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
+	input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
+					  chunk_from_thing(t), secret);
+	hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
+	this->hasher->get_hash(this->hasher, input, hash.ptr);
+	return chunk_cat("cc", chunk_from_thing(t), hash);
+}
+
+/**
+ * verify a received cookie
+ */
+static bool cookie_verify(private_receiver_t *this, message_t *message,
+						  chunk_t cookie)
+{
+	u_int32_t t, now;
+	chunk_t reference;
+	chunk_t secret;
+
+	now = time_monotonic(NULL);
+	t = *(u_int32_t*)cookie.ptr;
+
+	if (cookie.len != sizeof(u_int32_t) +
+			this->hasher->get_hash_size(this->hasher) ||
+		t < now - this->secret_offset - COOKIE_LIFETIME)
+	{
+		DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
+		return FALSE;
+	}
+
+	/* check if cookie is derived from old_secret */
+	if (t + this->secret_offset > this->secret_switch)
+	{
+		secret = chunk_from_thing(this->secret);
+	}
+	else
+	{
+		secret = chunk_from_thing(this->secret_old);
+	}
+
+	/* compare own calculation against received */
+	reference = cookie_build(this, message, t, secret);
+	if (chunk_equals(reference, cookie))
+	{
+		chunk_free(&reference);
+		return TRUE;
+	}
+	chunk_free(&reference);
+	return FALSE;
+}
+
+/**
+ * check if cookies are required, and if so, a valid cookie is included
+ */
+static bool cookie_required(private_receiver_t *this, message_t *message)
+{
+	bool failed = FALSE;
+
+	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
+												NULL) >= this->cookie_threshold)
+	{
+		/* check for a cookie. We don't use our parser here and do it
+		 * quick and dirty for performance reasons.
+		 * we assume the cookie is the first payload (which is a MUST), and
+		 * the cookie's SPI length is zero. */
+		packet_t *packet = message->get_packet(message);
+		chunk_t data = packet->get_data(packet);
+		if (data.len <
+			 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
+			 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
+			*(data.ptr + 16) != NOTIFY ||
+			*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
+		{
+			/* no cookie found */
+			failed = TRUE;
+		}
+		else
+		{
+			data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
+			data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
+			if (!cookie_verify(this, message, data))
+			{
+				DBG2(DBG_NET, "found cookie, but content invalid");
+				failed = TRUE;
+			}
+		}
+		packet->destroy(packet);
+	}
+	return failed;
+}
+
+/**
+ * check if peer has to many half open IKE_SAs
+ */
+static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
+{
+	if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
+						message->get_source(message)) >= this->block_threshold)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Job callback to receive packets
+ */
+static job_requeue_t receive_packets(private_receiver_t *this)
+{
+	packet_t *packet;
+	message_t *message;
+	job_t *job;
+
+	/* read in a packet */
+	if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
+	{
+		DBG2(DBG_NET, "receiving from socket failed!");
+		return JOB_REQUEUE_FAIR;
+	}
+
+	/* parse message header */
+	message = message_create_from_packet(packet);
+	if (message->parse_header(message) != SUCCESS)
+	{
+		DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
+			 packet->get_source(packet));
+		message->destroy(message);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	/* check IKE major version */
+	if (message->get_major_version(message) != IKE_MAJOR_VERSION)
+	{
+		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
+			 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
+			 message->get_minor_version(message), packet->get_source(packet));
+		send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
+		message->destroy(message);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	if (message->get_request(message) &&
+		message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		/* check for cookies */
+		if (this->cookie_threshold && cookie_required(this, message))
+		{
+			u_int32_t now = time_monotonic(NULL);
+			chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
+										  chunk_from_thing(this->secret));
+
+			DBG2(DBG_NET, "received packet from: %#H to %#H",
+				 message->get_source(message),
+				 message->get_destination(message));
+			DBG2(DBG_NET, "sending COOKIE notify to %H",
+				 message->get_source(message));
+			send_notify(message, COOKIE, cookie);
+			chunk_free(&cookie);
+			if (++this->secret_used > COOKIE_REUSE)
+			{
+				/* create new cookie */
+				DBG1(DBG_NET, "generating new cookie secret after %d uses",
+					 this->secret_used);
+				memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+				this->rng->get_bytes(this->rng,	SECRET_LENGTH, this->secret);
+				this->secret_switch = now;
+				this->secret_used = 0;
+			}
+			message->destroy(message);
+			return JOB_REQUEUE_DIRECT;
+		}
+
+		/* check if peer has not too many IKE_SAs half open */
+		if (this->block_threshold && peer_to_aggressive(this, message))
+		{
+			DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
+				 "peer too aggressive", message->get_source(message));
+			message->destroy(message);
+			return JOB_REQUEUE_DIRECT;
+		}
+	}
+	job = (job_t*)process_message_job_create(message);
+	if (this->receive_delay)
+	{
+		charon->scheduler->schedule_job_ms(charon->scheduler,
+										   job, this->receive_delay);
+	}
+	else
+	{
+		charon->processor->queue_job(charon->processor, job);
+	}
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(receiver_t, destroy, void,
+	private_receiver_t *this)
+{
+	this->job->cancel(this->job);
+	this->rng->destroy(this->rng);
+	this->hasher->destroy(this->hasher);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+receiver_t *receiver_create()
+{
+	private_receiver_t *this;
+	u_int32_t now = time_monotonic(NULL);
+
+	INIT(this,
+		.public.destroy = _destroy,
+		.secret_switch = now,
+		.secret_offset = random() % now,
+	);
+
+	if (lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE))
+	{
+		this->cookie_threshold = lib->settings->get_int(lib->settings,
+						"charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT);
+		this->block_threshold = lib->settings->get_int(lib->settings,
+						"charon.block_threshold", BLOCK_THRESHOLD_DEFAULT);
+	}
+	this->receive_delay = lib->settings->get_int(lib->settings,
+						"charon.receive_delay", 0);
+
+	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
+	if (this->hasher == NULL)
+	{
+		DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
+		free(this);
+		return NULL;
+	}
+	this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (this->rng == NULL)
+	{
+		DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
+		this->hasher->destroy(this->hasher);
+		free(this);
+		return NULL;
+	}
+	this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
+	memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+
+	this->job = callback_job_create((callback_job_cb_t)receive_packets,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/network/receiver.h b/src/libcharon/network/receiver.h
new file mode 100644
index 000000000..690d8dbab
--- /dev/null
+++ b/src/libcharon/network/receiver.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup receiver receiver
+ * @{ @ingroup network
+ */
+
+#ifndef RECEIVER_H_
+#define RECEIVER_H_
+
+typedef struct receiver_t receiver_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * Receives packets from the socket and adds them to the job queue.
+ *
+ * The receiver starts a thread, wich reads on the blocking socket. A received
+ * packet is preparsed and a process_message_job is queued in the job queue.
+ *
+ * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
+ * open. The calculation of cookies is slightly different from the proposed
+ * method in RFC4306. We do not include a nonce, because we think the advantage
+ * we gain does not justify the overhead to parse the whole message.
+ * Instead of VersionIdOfSecret, we include a timestamp. This allows us to
+ * find out wich key was used for cookie creation. Further, we can set a
+ * lifetime for the cookie, which allows us to reuse the secret for a longer
+ * time.
+ *		 COOKIE = time | sha1( IPi | SPIi | time | secret )
+ *
+ * The secret is changed after a certain amount of cookies sent. The old
+ * secret is stored to allow a clean migration between secret changes.
+ *
+ * Further, the number of half-initiated IKE_SAs is limited per peer. This
+ * mades it impossible for a peer to flood the server with its real IP address.
+ */
+struct receiver_t {
+
+	/**
+	 * Destroys a receiver_t object.
+	 */
+	void (*destroy) (receiver_t *receiver);
+};
+
+/**
+ * Create a receiver_t object.
+ *
+ * The receiver thread will start working, get data
+ * from the socket and add those packets to the job queue.
+ *
+ * @return	receiver_t object, NULL if initialization fails
+ */
+receiver_t * receiver_create(void);
+
+#endif /** RECEIVER_H_ @}*/
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
new file mode 100644
index 000000000..c18f1138e
--- /dev/null
+++ b/src/libcharon/network/sender.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include "sender.h"
+
+#include <daemon.h>
+#include <network/socket.h>
+#include <processing/jobs/callback_job.h>
+#include <threading/thread.h>
+#include <threading/condvar.h>
+#include <threading/mutex.h>
+
+
+typedef struct private_sender_t private_sender_t;
+
+/**
+ * Private data of a sender_t object.
+ */
+struct private_sender_t {
+	/**
+	 * Public part of a sender_t object.
+	 */
+	sender_t public;
+
+	/**
+	 * Sender threads job.
+	 */
+	callback_job_t *job;
+
+	/**
+	 * The packets are stored in a linked list
+	 */
+	linked_list_t *list;
+
+	/**
+	 * mutex to synchronize access to list
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * condvar to signal for packets added to list
+	 */
+	condvar_t *got;
+
+	/**
+	 * condvar to signal for packets sent
+	 */
+	condvar_t *sent;
+
+	/**
+	 * Delay for sending outgoing packets, to simulate larger RTT
+	 */
+	int send_delay;
+};
+
+METHOD(sender_t, send_, void,
+	private_sender_t *this, packet_t *packet)
+{
+	host_t *src, *dst;
+
+	src = packet->get_source(packet);
+	dst = packet->get_destination(packet);
+	DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+	if (this->send_delay)
+	{
+		usleep(this->send_delay * 1000);
+	}
+
+	this->mutex->lock(this->mutex);
+	this->list->insert_last(this->list, packet);
+	this->got->signal(this->got);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Job callback function to send packets
+ */
+static job_requeue_t send_packets(private_sender_t * this)
+{
+	packet_t *packet;
+	bool oldstate;
+
+	this->mutex->lock(this->mutex);
+	while (this->list->get_count(this->list) == 0)
+	{
+		/* add cleanup handler, wait for packet, remove cleanup handler */
+		thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
+		oldstate = thread_cancelability(TRUE);
+
+		this->got->wait(this->got, this->mutex);
+
+		thread_cancelability(oldstate);
+		thread_cleanup_pop(FALSE);
+	}
+	this->list->remove_first(this->list, (void**)&packet);
+	this->sent->signal(this->sent);
+	this->mutex->unlock(this->mutex);
+
+	charon->socket->send(charon->socket, packet);
+	packet->destroy(packet);
+	return JOB_REQUEUE_DIRECT;
+}
+
+METHOD(sender_t, destroy, void,
+	private_sender_t *this)
+{
+	/* send all packets in the queue */
+	this->mutex->lock(this->mutex);
+	while (this->list->get_count(this->list))
+	{
+		this->sent->wait(this->sent, this->mutex);
+	}
+	this->mutex->unlock(this->mutex);
+	this->job->cancel(this->job);
+	this->list->destroy(this->list);
+	this->got->destroy(this->got);
+	this->sent->destroy(this->sent);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+sender_t * sender_create()
+{
+	private_sender_t *this;
+
+	INIT(this,
+		.public = {
+			.send = _send_,
+			.destroy = _destroy,
+		},
+		.list = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.got = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.sent = condvar_create(CONDVAR_TYPE_DEFAULT),
+		.job = callback_job_create((callback_job_cb_t)send_packets,
+									this, NULL, NULL),
+		.send_delay = lib->settings->get_int(lib->settings,
+											 "charon.send_delay", 0),
+	);
+
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/network/sender.h b/src/libcharon/network/sender.h
new file mode 100644
index 000000000..f77fadab2
--- /dev/null
+++ b/src/libcharon/network/sender.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sender sender
+ * @{ @ingroup network
+ */
+
+#ifndef SENDER_H_
+#define SENDER_H_
+
+typedef struct sender_t sender_t;
+
+#include <library.h>
+#include <network/packet.h>
+
+/**
+ * Thread responsible for sending packets over the socket.
+ */
+struct sender_t {
+
+	/**
+	 * Send a packet over the network.
+	 *
+	 * This function is non blocking and adds the packet to a queue.
+	 * Whenever the sender thread thinks it's good to send the packet,
+	 * it'll do so.
+	 *
+	 * @param packet	packet to send
+	 */
+	void (*send) (sender_t *this, packet_t *packet);
+
+	/**
+	 * Destroys a sender object.
+	 */
+	void (*destroy) (sender_t *this);
+};
+
+/**
+ * Create the sender thread.
+ *
+ * The thread will start to work, getting packets
+ * from its queue and sends them out.
+ *
+ * @return		created sender object
+ */
+sender_t * sender_create(void);
+
+#endif /** SENDER_H_ @}*/
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
new file mode 100644
index 000000000..5c5a4edfb
--- /dev/null
+++ b/src/libcharon/network/socket.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket socket
+ * @{ @ingroup network
+ */
+
+#ifndef SOCKET_H_
+#define SOCKET_H_
+
+typedef struct socket_t socket_t;
+
+#include <library.h>
+#include <network/packet.h>
+#include <utils/enumerator.h>
+
+/**
+ * Socket interface definition.
+ */
+struct socket_t {
+
+	/**
+	 * Receive a packet.
+	 *
+	 * Reads a packet from the socket and sets source/dest
+	 * appropriately.
+	 *
+	 * @param packet		pinter gets address from allocated packet_t
+	 * @return
+	 * 						- SUCCESS when packet successfully received
+	 * 						- FAILED when unable to receive
+	 */
+	status_t (*receive) (socket_t *this, packet_t **packet);
+
+	/**
+	 * Send a packet.
+	 *
+	 * Sends a packet to the net using source and destination addresses of
+	 * the packet.
+	 *
+	 * @param packet		packet_t to send
+	 * @return
+	 * 						- SUCCESS when packet successfully sent
+	 * 						- FAILED when unable to send
+	 */
+	status_t (*send) (socket_t *this, packet_t *packet);
+};
+
+#endif /** SOCKET_H_ @}*/
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
new file mode 100644
index 000000000..0dbce4b1b
--- /dev/null
+++ b/src/libcharon/network/socket_manager.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "socket_manager.h"
+
+#include <daemon.h>
+#include <threading/thread.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+
+typedef struct private_socket_manager_t private_socket_manager_t;
+
+/**
+ * Private data of an socket_manager_t object.
+ */
+struct private_socket_manager_t {
+
+	/**
+	 * Public socket_manager_t interface.
+	 */
+	socket_manager_t public;
+
+	/**
+	 * List of registered socket
+	 */
+	linked_list_t *sockets;
+
+	/**
+	 * Lock for sockets list
+	 */
+	rwlock_t *lock;
+};
+
+METHOD(socket_manager_t, receiver, status_t,
+	private_socket_manager_t *this, packet_t **packet)
+{
+	socket_t *socket;
+	status_t status;
+
+	this->lock->read_lock(this->lock);
+	if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS)
+	{
+		DBG1(DBG_NET, "no socket implementation registered, receiving failed");
+		this->lock->unlock(this->lock);
+		return NOT_SUPPORTED;
+	}
+	/* receive is blocking and the thread can be cancelled */
+	thread_cleanup_push((thread_cleanup_t)this->lock->unlock, this->lock);
+	status = socket->receive(socket, packet);
+	thread_cleanup_pop(TRUE);
+	return status;
+}
+
+METHOD(socket_manager_t, sender, status_t,
+	private_socket_manager_t *this, packet_t *packet)
+{
+	socket_t *socket;
+	status_t status;
+
+	this->lock->read_lock(this->lock);
+	if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS)
+	{
+		DBG1(DBG_NET, "no socket implementation registered, sending failed");
+		this->lock->unlock(this->lock);
+		return NOT_SUPPORTED;
+	}
+	status = socket->send(socket, packet);
+	this->lock->unlock(this->lock);
+	return status;
+}
+
+METHOD(socket_manager_t, add_socket, void,
+	private_socket_manager_t *this, socket_t *socket)
+{
+	this->lock->write_lock(this->lock);
+	this->sockets->insert_last(this->sockets, socket);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(socket_manager_t, remove_socket, void,
+	private_socket_manager_t *this, socket_t *socket)
+{
+	this->lock->write_lock(this->lock);
+	this->sockets->remove(this->sockets, socket, NULL);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(socket_manager_t, destroy, void,
+	private_socket_manager_t *this)
+{
+	this->sockets->destroy(this->sockets);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+socket_manager_t *socket_manager_create()
+{
+	private_socket_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.send = _sender,
+			.receive = _receiver,
+			.add_socket = _add_socket,
+			.remove_socket = _remove_socket,
+			.destroy = _destroy,
+		},
+		.sockets = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h
new file mode 100644
index 000000000..b33d5c71c
--- /dev/null
+++ b/src/libcharon/network/socket_manager.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup socket_manager socket_manager
+ * @{ @ingroup network
+ */
+
+#ifndef SOCKET_MANAGER_H_
+#define SOCKET_MANAGER_H_
+
+#include <network/socket.h>
+
+typedef struct socket_manager_t socket_manager_t;
+
+/**
+ * Handle pluggable socket implementations and send/receive packets through it.
+ */
+struct socket_manager_t {
+
+	/**
+	 * Receive a packet using the registered socket.
+	 *
+	 * @param packet		allocated packet that has been received
+	 * @return
+	 *						- SUCCESS when packet successfully received
+	 *						- FAILED when unable to receive
+	 */
+	status_t (*receive) (socket_manager_t *this, packet_t **packet);
+
+	/**
+	 * Send a packet using the registered socket.
+	 *
+	 * @param packet		packet to send out
+	 * @return
+	 *						- SUCCESS when packet successfully sent
+	 *						- FAILED when unable to send
+	 */
+	status_t (*send) (socket_manager_t *this, packet_t *packet);
+
+	/**
+	 * Register a socket implementation.
+	 */
+	void (*add_socket)(socket_manager_t *this, socket_t *socket);
+
+	/**
+	 * Unregister a registered socket implementation.
+	 */
+	void (*remove_socket)(socket_manager_t *this, socket_t *socket);
+
+	/**
+	 * Destroy a socket_manager_t.
+	 */
+	void (*destroy)(socket_manager_t *this);
+};
+
+/**
+ * Create a socket_manager instance.
+ */
+socket_manager_t *socket_manager_create();
+
+#endif /** SOCKET_MANAGER_H_ @}*/