Merge tag 'v5.1.0-1' into sid

tag strongSwan 5.1.0-1

9 files changed, 431 insertions, 371 deletions

diff --git a/src/libcharon/network/packet.c b/src/libcharon/network/packet.c
deleted file mode 100644
index 19db362f7..000000000
--- a/src/libcharon/network/packet.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "packet.h"
-
-typedef struct private_packet_t private_packet_t;
-
-/**
- * Private data of an packet_t object.
- */
-struct private_packet_t {
-
-	/**
-	 * Public part of a packet_t object.
-	 */
-	packet_t public;
-
-	/**
-	 * source address
-	 */
-	host_t *source;
-
-	/**
-	 * destination address
-	 */
-	host_t *destination;
-
-	 /**
-	  * message data
-	  */
-	chunk_t data;
-};
-
-METHOD(packet_t, set_source, void,
-	private_packet_t *this, host_t *source)
-{
-	DESTROY_IF(this->source);
-	this->source = source;
-}
-
-METHOD(packet_t, set_destination, void,
-	private_packet_t *this, host_t *destination)
-{
-	DESTROY_IF(this->destination);
-	this->destination = destination;
-}
-
-METHOD(packet_t, get_source, host_t*,
-	private_packet_t *this)
-{
-	return this->source;
-}
-
-METHOD(packet_t, get_destination, host_t*,
-	private_packet_t *this)
-{
-	return this->destination;
-}
-
-METHOD(packet_t, get_data, chunk_t,
-	private_packet_t *this)
-{
-	return this->data;
-}
-
-METHOD(packet_t, set_data, void,
-	private_packet_t *this, chunk_t data)
-{
-	free(this->data.ptr);
-	this->data = data;
-}
-
-METHOD(packet_t, destroy, void,
-	private_packet_t *this)
-{
-	DESTROY_IF(this->source);
-	DESTROY_IF(this->destination);
-	free(this->data.ptr);
-	free(this);
-}
-
-METHOD(packet_t, clone_, packet_t*,
-	private_packet_t *this)
-{
-	packet_t *other;
-
-	other = packet_create();
-	if (this->destination != NULL)
-	{
-		other->set_destination(other, this->destination->clone(this->destination));
-	}
-	if (this->source != NULL)
-	{
-		other->set_source(other, this->source->clone(this->source));
-	}
-	if (this->data.ptr != NULL)
-	{
-		other->set_data(other, chunk_clone(this->data));
-	}
-	return other;
-}
-
-/*
- * Documented in header
- */
-packet_t *packet_create(void)
-{
-	private_packet_t *this;
-
-	INIT(this,
-		.public = {
-			.set_data = _set_data,
-			.get_data = _get_data,
-			.set_source = _set_source,
-			.get_source = _get_source,
-			.set_destination = _set_destination,
-			.get_destination = _get_destination,
-			.clone = _clone_,
-			.destroy = _destroy,
-		},
-	);
-
-	return &this->public;
-}
-
diff --git a/src/libcharon/network/packet.h b/src/libcharon/network/packet.h
deleted file mode 100644
index 18d82c6fc..000000000
--- a/src/libcharon/network/packet.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup packet packet
- * @{ @ingroup network
- */
-
-#ifndef PACKET_H_
-#define PACKET_H_
-
-typedef struct packet_t packet_t;
-
-#include <library.h>
-#include <utils/host.h>
-
-/**
- * Abstraction of an UDP-Packet, contains data, sender and receiver.
- */
-struct packet_t {
-
-	/**
-	 * Set the source address.
-	 *
-	 * Set host_t is now owned by packet_t, it will destroy
-	 * it if necessary.
-	 *
-	 * @param source	address to set as source
-	 */
-	void (*set_source) (packet_t *packet, host_t *source);
-
-	/**
-	 * Set the destination address.
-	 *
-	 * Set host_t is now owned by packet_t, it will destroy
-	 * it if necessary.
-	 *
-	 * @param source	address to set as destination
-	 */
-	void (*set_destination) (packet_t *packet, host_t *destination);
-
-	/**
-	 * Get the source address.
-	 *
-	 * Set host_t is still owned by packet_t, clone it
-	 * if needed.
-	 *
-	 * @return			source address
-	 */
-	host_t *(*get_source) (packet_t *packet);
-
-	/**
-	 * Get the destination address.
-	 *
-	 * Set host_t is still owned by packet_t, clone it
-	 * if needed.
-	 *
-	 * @return			destination address
-	 */
-	host_t *(*get_destination) (packet_t *packet);
-
-	/**
-	 * Get the data from the packet.
-	 *
-	 * The data pointed by the chunk is still owned
-	 * by the packet. Clone it if needed.
-	 *
-	 * @return			chunk containing the data
-	 */
-	chunk_t (*get_data) (packet_t *packet);
-
-	/**
-	 * Set the data in the packet.
-	 *
-	 * Supplied chunk data is now owned by the
-	 * packet. It will free it.
-	 *
-	 * @param data		chunk with data to set
-	 */
-	void (*set_data) (packet_t *packet, chunk_t data);
-
-	/**
-	 * Clones a packet_t object.
-	 *
-	 * @param clone		clone of the packet
-	 */
-	packet_t* (*clone) (packet_t *packet);
-
-	/**
-	 * Destroy the packet, freeing contained data.
-	 */
-	void (*destroy) (packet_t *packet);
-};
-
-/**
- * create an empty packet
- *
- * @return packet_t object
- */
-packet_t *packet_create(void);
-
-#endif /** PACKET_H_ @}*/
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index cfb1408ef..b8eb8419d 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -20,13 +20,15 @@
 
 #include "receiver.h"
 
+#include <hydra.h>
 #include <daemon.h>
 #include <network/socket.h>
-#include <network/packet.h>
 #include <processing/jobs/job.h>
 #include <processing/jobs/process_message_job.h>
 #include <processing/jobs/callback_job.h>
 #include <crypto/hashers/hasher.h>
+#include <threading/mutex.h>
+#include <networking/packet.h>
 
 /** lifetime of a cookie, in seconds */
 #define COOKIE_LIFETIME 10
@@ -40,6 +42,8 @@
 #define BLOCK_THRESHOLD_DEFAULT 5
 /** length of the secret to use for cookie calculation */
 #define SECRET_LENGTH 16
+/** Length of a notify payload header */
+#define NOTIFY_PAYLOAD_HEADER_LENGTH 8
 
 typedef struct private_receiver_t private_receiver_t;
 
@@ -53,9 +57,17 @@ struct private_receiver_t {
 	receiver_t public;
 
 	/**
-	 * Threads job receiving packets
+	 * Registered callback for ESP packets
 	 */
-	callback_job_t *job;
+	struct {
+		receiver_esp_cb_t cb;
+		void *data;
+	} esp_cb;
+
+	/**
+	 * Mutex for ESP callback
+	 */
+	mutex_t *esp_cb_mutex;
 
 	/**
 	 * current secret to use for cookie calculation
@@ -136,46 +148,52 @@ struct private_receiver_t {
 	 * Delay response messages?
 	 */
 	bool receive_delay_response;
+
+	/**
+	 * Endpoint is allowed to act as an initiator only
+	 */
+	bool initiator_only;
+
 };
 
 /**
  * send a notify back to the sender
  */
-static void send_notify(message_t *request, notify_type_t type, chunk_t data)
+static void send_notify(message_t *request, int major, exchange_type_t exchange,
+						notify_type_t type, chunk_t data)
 {
-	if (request->get_request(request) &&
-		request->get_exchange_type(request) == IKE_SA_INIT)
+	ike_sa_id_t *ike_sa_id;
+	message_t *response;
+	host_t *src, *dst;
+	packet_t *packet;
+
+	response = message_create(major, 0);
+	response->set_exchange_type(response, exchange);
+	response->add_notify(response, FALSE, type, data);
+	dst = request->get_source(request);
+	src = request->get_destination(request);
+	response->set_source(response, src->clone(src));
+	response->set_destination(response, dst->clone(dst));
+	if (major == IKEV2_MAJOR_VERSION)
 	{
-		message_t *response;
-		host_t *src, *dst;
-		packet_t *packet;
-		ike_sa_id_t *ike_sa_id;
-
-		response = message_create();
-		dst = request->get_source(request);
-		src = request->get_destination(request);
-		response->set_source(response, src->clone(src));
-		response->set_destination(response, dst->clone(dst));
-		response->set_exchange_type(response, request->get_exchange_type(request));
 		response->set_request(response, FALSE);
-		response->set_message_id(response, 0);
-		ike_sa_id = request->get_ike_sa_id(request);
-		ike_sa_id->switch_initiator(ike_sa_id);
-		response->set_ike_sa_id(response, ike_sa_id);
-		response->add_notify(response, FALSE, type, data);
-		if (response->generate(response, NULL, &packet) == SUCCESS)
-		{
-			charon->sender->send(charon->sender, packet);
-			response->destroy(response);
-		}
 	}
+	response->set_message_id(response, 0);
+	ike_sa_id = request->get_ike_sa_id(request);
+	ike_sa_id->switch_initiator(ike_sa_id);
+	response->set_ike_sa_id(response, ike_sa_id);
+	if (response->generate(response, NULL, &packet) == SUCCESS)
+	{
+		charon->sender->send(charon->sender, packet);
+	}
+	response->destroy(response);
 }
 
 /**
  * build a cookie
  */
-static chunk_t cookie_build(private_receiver_t *this, message_t *message,
-							u_int32_t t, chunk_t secret)
+static bool cookie_build(private_receiver_t *this, message_t *message,
+						 u_int32_t t, chunk_t secret, chunk_t *cookie)
 {
 	u_int64_t spi = message->get_initiator_spi(message);
 	host_t *ip = message->get_source(message);
@@ -185,8 +203,12 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message,
 	input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
 					  chunk_from_thing(t), secret);
 	hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
-	this->hasher->get_hash(this->hasher, input, hash.ptr);
-	return chunk_cat("cc", chunk_from_thing(t), hash);
+	if (!this->hasher->get_hash(this->hasher, input, hash.ptr))
+	{
+		return FALSE;
+	}
+	*cookie = chunk_cat("cc", chunk_from_thing(t), hash);
+	return TRUE;
 }
 
 /**
@@ -221,7 +243,10 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
 	}
 
 	/* compare own calculation against received */
-	reference = cookie_build(this, message, t, secret);
+	if (!cookie_build(this, message, t, secret, &reference))
+	{
+		return FALSE;
+	}
 	if (chunk_equals(reference, cookie))
 	{
 		chunk_free(&reference);
@@ -236,15 +261,13 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
  */
 static bool check_cookie(private_receiver_t *this, message_t *message)
 {
-	packet_t *packet;
 	chunk_t data;
 
 	/* check for a cookie. We don't use our parser here and do it
 	 * quick and dirty for performance reasons.
 	 * we assume the cookie is the first payload (which is a MUST), and
 	 * the cookie's SPI length is zero. */
-	packet = message->get_packet(message);
-	data = packet->get_data(packet);
+	data = message->get_packet_data(message);
 	if (data.len <
 		 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
 		 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
@@ -252,7 +275,6 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 		*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
 	{
 		/* no cookie found */
-		packet->destroy(packet);
 		return FALSE;
 	}
 	data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
@@ -260,7 +282,6 @@ static bool check_cookie(private_receiver_t *this, message_t *message)
 	if (!cookie_verify(this, message, data))
 	{
 		DBG2(DBG_NET, "found cookie, but content invalid");
-		packet->destroy(packet);
 		return FALSE;
 	}
 	return TRUE;
@@ -277,7 +298,7 @@ static bool cookie_required(private_receiver_t *this,
 		this->last_cookie = now;
 		return TRUE;
 	}
-	if (now < this->last_cookie + COOKIE_CALMDOWN_DELAY)
+	if (this->last_cookie && now < this->last_cookie + COOKIE_CALMDOWN_DELAY)
 	{
 		/* We don't disable cookies unless we haven't seen IKE_SA_INITs
 		 * for COOKIE_CALMDOWN_DELAY seconds. This avoids jittering between
@@ -308,29 +329,42 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
 	half_open = charon->ike_sa_manager->get_half_open_count(
 										charon->ike_sa_manager, NULL);
 
-	/* check for cookies */
-	if (cookie_required(this, half_open, now) && !check_cookie(this, message))
+	/* check for cookies in IKEv2 */
+	if (message->get_major_version(message) == IKEV2_MAJOR_VERSION &&
+		cookie_required(this, half_open, now) && !check_cookie(this, message))
 	{
 		chunk_t cookie;
 
-		cookie = cookie_build(this, message, now - this->secret_offset,
-							  chunk_from_thing(this->secret));
 		DBG2(DBG_NET, "received packet from: %#H to %#H",
 			 message->get_source(message),
 			 message->get_destination(message));
+		if (!cookie_build(this, message, now - this->secret_offset,
+						  chunk_from_thing(this->secret), &cookie))
+		{
+			return TRUE;
+		}
 		DBG2(DBG_NET, "sending COOKIE notify to %H",
 			 message->get_source(message));
-		send_notify(message, COOKIE, cookie);
+		send_notify(message, IKEV2_MAJOR_VERSION, IKE_SA_INIT, COOKIE, cookie);
 		chunk_free(&cookie);
 		if (++this->secret_used > COOKIE_REUSE)
 		{
-			/* create new cookie */
+			char secret[SECRET_LENGTH];
+
 			DBG1(DBG_NET, "generating new cookie secret after %d uses",
 				 this->secret_used);
-			memcpy(this->secret_old, this->secret, SECRET_LENGTH);
-			this->rng->get_bytes(this->rng,	SECRET_LENGTH, this->secret);
-			this->secret_switch = now;
-			this->secret_used = 0;
+			if (this->rng->get_bytes(this->rng, SECRET_LENGTH, secret))
+			{
+				memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+				memcpy(this->secret, secret, SECRET_LENGTH);
+				memwipe(secret, SECRET_LENGTH);
+				this->secret_switch = now;
+				this->secret_used = 0;
+			}
+			else
+			{
+				DBG1(DBG_NET, "failed to allocated cookie secret, keeping old");
+			}
 		}
 		return TRUE;
 	}
@@ -380,16 +414,18 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
  */
 static job_requeue_t receive_packets(private_receiver_t *this)
 {
+	ike_sa_id_t *id;
 	packet_t *packet;
 	message_t *message;
+	host_t *src, *dst;
 	status_t status;
+	bool supported = TRUE;
+	chunk_t data, marker = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
 
 	/* read in a packet */
 	status = charon->socket->receive(charon->socket, &packet);
 	if (status == NOT_SUPPORTED)
 	{
-		/* the processor destroys this job  */
-		this->job = NULL;
 		return JOB_REQUEUE_NONE;
 	}
 	else if (status != SUCCESS)
@@ -398,36 +434,133 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 		return JOB_REQUEUE_FAIR;
 	}
 
+	data = packet->get_data(packet);
+	if (data.len == 1 && data.ptr[0] == 0xFF)
+	{	/* silently drop NAT-T keepalives */
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+	else if (data.len < marker.len)
+	{	/* drop packets that are too small */
+		DBG3(DBG_NET, "received packet is too short (%d bytes)", data.len);
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	dst = packet->get_destination(packet);
+	src = packet->get_source(packet);
+	if (!hydra->kernel_interface->all_interfaces_usable(hydra->kernel_interface)
+		&& !hydra->kernel_interface->get_interface(hydra->kernel_interface,
+												   dst, NULL))
+	{
+		DBG3(DBG_NET, "received packet from %#H to %#H on ignored interface",
+			 src, dst);
+		packet->destroy(packet);
+		return JOB_REQUEUE_DIRECT;
+	}
+
+	/* if neither source nor destination port is 500 we assume an IKE packet
+	 * with Non-ESP marker or an ESP packet */
+	if (dst->get_port(dst) != IKEV2_UDP_PORT &&
+		src->get_port(src) != IKEV2_UDP_PORT)
+	{
+		if (memeq(data.ptr, marker.ptr, marker.len))
+		{	/* remove Non-ESP marker */
+			packet->skip_bytes(packet, marker.len);
+		}
+		else
+		{	/* this seems to be an ESP packet */
+			this->esp_cb_mutex->lock(this->esp_cb_mutex);
+			if (this->esp_cb.cb)
+			{
+				this->esp_cb.cb(this->esp_cb.data, packet);
+			}
+			else
+			{
+				packet->destroy(packet);
+			}
+			this->esp_cb_mutex->unlock(this->esp_cb_mutex);
+			return JOB_REQUEUE_DIRECT;
+		}
+	}
+
 	/* parse message header */
 	message = message_create_from_packet(packet);
 	if (message->parse_header(message) != SUCCESS)
 	{
 		DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
 			 packet->get_source(packet));
+		charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_HEADER, message);
 		message->destroy(message);
 		return JOB_REQUEUE_DIRECT;
 	}
 
 	/* check IKE major version */
-	if (message->get_major_version(message) != IKE_MAJOR_VERSION)
+	switch (message->get_major_version(message))
+	{
+		case IKEV2_MAJOR_VERSION:
+#ifndef USE_IKEV2
+			if (message->get_exchange_type(message) == IKE_SA_INIT &&
+				message->get_request(message))
+			{
+				send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
+							INVALID_MAJOR_VERSION, chunk_empty);
+				supported = FALSE;
+			}
+#endif /* USE_IKEV2 */
+			break;
+		case IKEV1_MAJOR_VERSION:
+#ifndef USE_IKEV1
+			if (message->get_exchange_type(message) == ID_PROT ||
+				message->get_exchange_type(message) == AGGRESSIVE)
+			{
+				send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
+							INVALID_MAJOR_VERSION, chunk_empty);
+				supported = FALSE;
+			}
+#endif /* USE_IKEV1 */
+			break;
+		default:
+#ifdef USE_IKEV2
+			send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
+						INVALID_MAJOR_VERSION, chunk_empty);
+#endif /* USE_IKEV2 */
+#ifdef USE_IKEV1
+			send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
+						INVALID_MAJOR_VERSION, chunk_empty);
+#endif /* USE_IKEV1 */
+			supported = FALSE;
+			break;
+	}
+	if (!supported)
 	{
-		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
-			 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
+		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, sending "
+			 "INVALID_MAJOR_VERSION", message->get_major_version(message),
 			 message->get_minor_version(message), packet->get_source(packet));
-		send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
 		message->destroy(message);
 		return JOB_REQUEUE_DIRECT;
 	}
-
 	if (message->get_request(message) &&
 		message->get_exchange_type(message) == IKE_SA_INIT)
 	{
-		if (drop_ike_sa_init(this, message))
+		if (this->initiator_only || drop_ike_sa_init(this, message))
 		{
 			message->destroy(message);
 			return JOB_REQUEUE_DIRECT;
 		}
 	}
+	if (message->get_exchange_type(message) == ID_PROT ||
+		message->get_exchange_type(message) == AGGRESSIVE)
+	{
+		id = message->get_ike_sa_id(message);
+		if (id->get_responder_spi(id) == 0 &&
+		   (this->initiator_only || drop_ike_sa_init(this, message)))
+		{
+			message->destroy(message);
+			return JOB_REQUEUE_DIRECT;
+		}
+	}
+
 	if (this->receive_delay)
 	{
 		if (this->receive_delay_type == 0 ||
@@ -450,15 +583,33 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 	return JOB_REQUEUE_DIRECT;
 }
 
-METHOD(receiver_t, destroy, void,
-	private_receiver_t *this)
+METHOD(receiver_t, add_esp_cb, void,
+	private_receiver_t *this, receiver_esp_cb_t callback, void *data)
+{
+	this->esp_cb_mutex->lock(this->esp_cb_mutex);
+	this->esp_cb.cb = callback;
+	this->esp_cb.data = data;
+	this->esp_cb_mutex->unlock(this->esp_cb_mutex);
+}
+
+METHOD(receiver_t, del_esp_cb, void,
+	private_receiver_t *this, receiver_esp_cb_t callback)
 {
-	if (this->job)
+	this->esp_cb_mutex->lock(this->esp_cb_mutex);
+	if (this->esp_cb.cb == callback)
 	{
-		this->job->cancel(this->job);
+		this->esp_cb.cb = NULL;
+		this->esp_cb.data = NULL;
 	}
+	this->esp_cb_mutex->unlock(this->esp_cb_mutex);
+}
+
+METHOD(receiver_t, destroy, void,
+	private_receiver_t *this)
+{
 	this->rng->destroy(this->rng);
 	this->hasher->destroy(this->hasher);
+	this->esp_cb_mutex->destroy(this->esp_cb_mutex);
 	free(this);
 }
 
@@ -472,53 +623,64 @@ receiver_t *receiver_create()
 
 	INIT(this,
 		.public = {
+			.add_esp_cb = _add_esp_cb,
+			.del_esp_cb = _del_esp_cb,
 			.destroy = _destroy,
 		},
+		.esp_cb_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.secret_switch = now,
 		.secret_offset = random() % now,
 	);
 
-	if (lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE))
+	if (lib->settings->get_bool(lib->settings,
+				"%s.dos_protection", TRUE, charon->name))
 	{
 		this->cookie_threshold = lib->settings->get_int(lib->settings,
-						"charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT);
+				"%s.cookie_threshold", COOKIE_THRESHOLD_DEFAULT, charon->name);
 		this->block_threshold = lib->settings->get_int(lib->settings,
-						"charon.block_threshold", BLOCK_THRESHOLD_DEFAULT);
+				"%s.block_threshold", BLOCK_THRESHOLD_DEFAULT, charon->name);
 	}
 	this->init_limit_job_load = lib->settings->get_int(lib->settings,
-						"charon.init_limit_job_load", 0);
+				"%s.init_limit_job_load", 0, charon->name);
 	this->init_limit_half_open = lib->settings->get_int(lib->settings,
-						"charon.init_limit_half_open", 0);
+				"%s.init_limit_half_open", 0, charon->name);
 	this->receive_delay = lib->settings->get_int(lib->settings,
-						"charon.receive_delay", 0);
+				"%s.receive_delay", 0, charon->name);
 	this->receive_delay_type = lib->settings->get_int(lib->settings,
-						"charon.receive_delay_type", 0),
+				"%s.receive_delay_type", 0, charon->name),
 	this->receive_delay_request = lib->settings->get_bool(lib->settings,
-						"charon.receive_delay_request", TRUE),
-	this->receive_delay_response = lib->settings->get_int(lib->settings,
-						"charon.receive_delay_response", TRUE),
+				"%s.receive_delay_request", TRUE, charon->name),
+	this->receive_delay_response = lib->settings->get_bool(lib->settings,
+				"%s.receive_delay_response", TRUE, charon->name),
+	this->initiator_only = lib->settings->get_bool(lib->settings,
+				"%s.initiator_only", FALSE, charon->name),
 
 	this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
-	if (this->hasher == NULL)
+	if (!this->hasher)
 	{
 		DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
 		free(this);
 		return NULL;
 	}
 	this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
-	if (this->rng == NULL)
+	if (!this->rng)
 	{
 		DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
 		this->hasher->destroy(this->hasher);
 		free(this);
 		return NULL;
 	}
-	this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
+	if (!this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret))
+	{
+		DBG1(DBG_NET, "creating cookie secret failed");
+		destroy(this);
+		return NULL;
+	}
 	memcpy(this->secret_old, this->secret, SECRET_LENGTH);
 
-	this->job = callback_job_create_with_prio((callback_job_cb_t)receive_packets,
-										this, NULL, NULL, JOB_PRIO_CRITICAL);
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 
 	return &this->public;
 }
diff --git a/src/libcharon/network/receiver.h b/src/libcharon/network/receiver.h
index 1d9d4871e..58bfe4a96 100644
--- a/src/libcharon/network/receiver.h
+++ b/src/libcharon/network/receiver.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,15 +26,28 @@
 typedef struct receiver_t receiver_t;
 
 #include <library.h>
-#include <utils/host.h>
+#include <networking/host.h>
+#include <networking/packet.h>
+
+/**
+ * Callback called for any received UDP encapsulated ESP packet.
+ *
+ * Implementation should be quick as the receiver doesn't receive any packets
+ * while calling this function.
+ *
+ * @param data			data supplied during registration of the callback
+ * @param packet		decapsulated ESP packet
+ */
+typedef void (*receiver_esp_cb_t)(void *data, packet_t *packet);
 
 /**
  * Receives packets from the socket and adds them to the job queue.
  *
- * The receiver starts a thread, which reads on the blocking socket. A received
- * packet is preparsed and a process_message_job is queued in the job queue.
+ * The receiver uses a callback job, which reads on the blocking socket.
+ * A received packet is preparsed and a process_message_job is queued in the
+ * job queue.
  *
- * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
+ * To endure DoS attacks, cookies are enabled when too many IKE_SAs are half
  * open. The calculation of cookies is slightly different from the proposed
  * method in RFC4306. We do not include a nonce, because we think the advantage
  * we gain does not justify the overhead to parse the whole message.
@@ -47,14 +61,32 @@ typedef struct receiver_t receiver_t;
  * secret is stored to allow a clean migration between secret changes.
  *
  * Further, the number of half-initiated IKE_SAs is limited per peer. This
- * mades it impossible for a peer to flood the server with its real IP address.
+ * makes it impossible for a peer to flood the server with its real IP address.
  */
 struct receiver_t {
 
 	/**
+	 * Register a callback which is called for any incoming ESP packets.
+	 *
+	 * @note Only the last callback registered will receive any packets.
+	 *
+	 * @param callback		callback to register
+	 * @param data			data provided to callback
+	 */
+	void (*add_esp_cb)(receiver_t *this, receiver_esp_cb_t callback,
+					   void *data);
+
+	/**
+	 * Unregister a previously registered callback for ESP packets.
+	 *
+	 * @param callback		previously registered callback
+	 */
+	void (*del_esp_cb)(receiver_t *this, receiver_esp_cb_t callback);
+
+	/**
 	 * Destroys a receiver_t object.
 	 */
-	void (*destroy) (receiver_t *receiver);
+	void (*destroy)(receiver_t *this);
 };
 
 /**
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index 4df930b15..dd8efc1ec 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -39,11 +40,6 @@ struct private_sender_t {
 	sender_t public;
 
 	/**
-	 * Sender threads job.
-	 */
-	callback_job_t *job;
-
-	/**
 	 * The packets are stored in a linked list
 	 */
 	linked_list_t *list;
@@ -84,6 +80,15 @@ struct private_sender_t {
 	bool send_delay_response;
 };
 
+METHOD(sender_t, send_no_marker, void,
+	private_sender_t *this, packet_t *packet)
+{
+	this->mutex->lock(this->mutex);
+	this->list->insert_last(this->list, packet);
+	this->got->signal(this->got);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(sender_t, send_, void,
 	private_sender_t *this, packet_t *packet)
 {
@@ -91,7 +96,9 @@ METHOD(sender_t, send_, void,
 
 	src = packet->get_source(packet);
 	dst = packet->get_destination(packet);
-	DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+	DBG1(DBG_NET, "sending packet: from %#H to %#H (%zu bytes)", src, dst,
+		 packet->get_data(packet).len);
 
 	if (this->send_delay)
 	{
@@ -114,16 +121,23 @@ METHOD(sender_t, send_, void,
 		message->destroy(message);
 	}
 
-	this->mutex->lock(this->mutex);
-	this->list->insert_last(this->list, packet);
-	this->got->signal(this->got);
-	this->mutex->unlock(this->mutex);
+	/* if neither source nor destination port is 500 we add a Non-ESP marker */
+	if (dst->get_port(dst) != IKEV2_UDP_PORT &&
+		src->get_port(src) != IKEV2_UDP_PORT)
+	{
+		chunk_t data, marker = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
+
+		data = chunk_cat("cc", marker, packet->get_data(packet));
+		packet->set_data(packet, data);
+	}
+
+	send_no_marker(this, packet);
 }
 
 /**
  * Job callback function to send packets
  */
-static job_requeue_t send_packets(private_sender_t * this)
+static job_requeue_t send_packets(private_sender_t *this)
 {
 	packet_t *packet;
 	bool oldstate;
@@ -149,7 +163,7 @@ static job_requeue_t send_packets(private_sender_t * this)
 	return JOB_REQUEUE_DIRECT;
 }
 
-METHOD(sender_t, destroy, void,
+METHOD(sender_t, flush, void,
 	private_sender_t *this)
 {
 	/* send all packets in the queue */
@@ -159,8 +173,12 @@ METHOD(sender_t, destroy, void,
 		this->sent->wait(this->sent, this->mutex);
 	}
 	this->mutex->unlock(this->mutex);
-	this->job->cancel(this->job);
-	this->list->destroy(this->list);
+}
+
+METHOD(sender_t, destroy, void,
+	private_sender_t *this)
+{
+	this->list->destroy_offset(this->list, offsetof(packet_t, destroy));
 	this->got->destroy(this->got);
 	this->sent->destroy(this->sent);
 	this->mutex->destroy(this->mutex);
@@ -177,25 +195,27 @@ sender_t * sender_create()
 	INIT(this,
 		.public = {
 			.send = _send_,
+			.send_no_marker = _send_no_marker,
+			.flush = _flush,
 			.destroy = _destroy,
 		},
 		.list = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.got = condvar_create(CONDVAR_TYPE_DEFAULT),
 		.sent = condvar_create(CONDVAR_TYPE_DEFAULT),
-		.job = callback_job_create_with_prio((callback_job_cb_t)send_packets,
-										this, NULL, NULL, JOB_PRIO_CRITICAL),
 		.send_delay = lib->settings->get_int(lib->settings,
-											"charon.send_delay", 0),
+								"%s.send_delay", 0, charon->name),
 		.send_delay_type = lib->settings->get_int(lib->settings,
-											"charon.send_delay_type", 0),
+								"%s.send_delay_type", 0, charon->name),
 		.send_delay_request = lib->settings->get_bool(lib->settings,
-											"charon.send_delay_request", TRUE),
-		.send_delay_response = lib->settings->get_int(lib->settings,
-											"charon.send_delay_response", TRUE),
+								"%s.send_delay_request", TRUE, charon->name),
+		.send_delay_response = lib->settings->get_bool(lib->settings,
+								"%s.send_delay_response", TRUE, charon->name),
 	);
 
-	lib->processor->queue_job(lib->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets,
+			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 
 	return &this->public;
 }
diff --git a/src/libcharon/network/sender.h b/src/libcharon/network/sender.h
index f77fadab2..080559b89 100644
--- a/src/libcharon/network/sender.h
+++ b/src/libcharon/network/sender.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,10 +26,10 @@
 typedef struct sender_t sender_t;
 
 #include <library.h>
-#include <network/packet.h>
+#include <networking/packet.h>
 
 /**
- * Thread responsible for sending packets over the socket.
+ * Callback job responsible for sending IKE packets over the socket.
  */
 struct sender_t {
 
@@ -44,6 +45,20 @@ struct sender_t {
 	void (*send) (sender_t *this, packet_t *packet);
 
 	/**
+	 * The same as send() but does not add Non-ESP markers automatically.
+	 *
+	 * @param packet	packet to send
+	 */
+	void (*send_no_marker) (sender_t *this, packet_t *packet);
+
+	/**
+	 * Enforce a flush of the send queue.
+	 *
+	 * This function blocks until all queued packets have been sent.
+	 */
+	void (*flush)(sender_t *this);
+
+	/**
 	 * Destroys a sender object.
 	 */
 	void (*destroy) (sender_t *this);
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
index be875035b..e3cda3bea 100644
--- a/src/libcharon/network/socket.h
+++ b/src/libcharon/network/socket.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 Tobias Brunner
+ * Copyright (C) 2006-2013 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -25,10 +25,11 @@
 #define SOCKET_H_
 
 typedef struct socket_t socket_t;
+typedef enum socket_family_t socket_family_t;
 
 #include <library.h>
-#include <network/packet.h>
-#include <utils/enumerator.h>
+#include <networking/packet.h>
+#include <collections/enumerator.h>
 #include <plugins/plugin.h>
 
 /**
@@ -37,6 +38,31 @@ typedef struct socket_t socket_t;
 typedef socket_t *(*socket_constructor_t)();
 
 /**
+ * Address families supported by socket implementations.
+ */
+enum socket_family_t {
+	/**
+	 * No address families supported
+	 */
+	SOCKET_FAMILY_NONE = 0,
+
+	/**
+	 * IPv4
+	 */
+	SOCKET_FAMILY_IPV4 = (1 << 0),
+
+	/**
+	 * IPv6
+	 */
+	SOCKET_FAMILY_IPV6 = (1 << 1),
+
+	/**
+	 * Both address families supported
+	 */
+	SOCKET_FAMILY_BOTH = (1 << 2) - 1,
+};
+
+/**
  * Socket interface definition.
  */
 struct socket_t {
@@ -52,7 +78,7 @@ struct socket_t {
 	 *						- SUCCESS when packet successfully received
 	 *						- FAILED when unable to receive
 	 */
-	status_t (*receive) (socket_t *this, packet_t **packet);
+	status_t (*receive)(socket_t *this, packet_t **packet);
 
 	/**
 	 * Send a packet.
@@ -65,12 +91,27 @@ struct socket_t {
 	 *						- SUCCESS when packet successfully sent
 	 *						- FAILED when unable to send
 	 */
-	status_t (*send) (socket_t *this, packet_t *packet);
+	status_t (*send)(socket_t *this, packet_t *packet);
+
+	/**
+	 * Get the port this socket is listening on.
+	 *
+	 * @param nat_t			TRUE to get the port used to float in case of NAT-T
+	 * @return				the port
+	 */
+	u_int16_t (*get_port)(socket_t *this, bool nat_t);
+
+	/**
+	 * Get the address families this socket is listening on.
+	 *
+	 * @return				supported families
+	 */
+	socket_family_t (*supported_families)(socket_t *this);
 
 	/**
 	 * Destroy a socket implementation.
 	 */
-	void (*destroy) (socket_t *this);
+	void (*destroy)(socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
index 72a454301..2a07e503c 100644
--- a/src/libcharon/network/socket_manager.c
+++ b/src/libcharon/network/socket_manager.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2012 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -20,7 +20,7 @@
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
-#include <utils/linked_list.h>
+#include <collections/linked_list.h>
 
 typedef struct private_socket_manager_t private_socket_manager_t;
 
@@ -89,6 +89,32 @@ METHOD(socket_manager_t, sender, status_t,
 	return status;
 }
 
+METHOD(socket_manager_t, get_port, u_int16_t,
+	private_socket_manager_t *this, bool nat_t)
+{
+	u_int16_t port = 0;
+	this->lock->read_lock(this->lock);
+	if (this->socket)
+	{
+		port = this->socket->get_port(this->socket, nat_t);
+	}
+	this->lock->unlock(this->lock);
+	return port;
+}
+
+METHOD(socket_manager_t, supported_families, socket_family_t,
+	private_socket_manager_t *this)
+{
+	socket_family_t families = SOCKET_FAMILY_NONE;
+	this->lock->read_lock(this->lock);
+	if (this->socket)
+	{
+		families = this->socket->supported_families(this->socket);
+	}
+	this->lock->unlock(this->lock);
+	return families;
+}
+
 static void create_socket(private_socket_manager_t *this)
 {
 	socket_constructor_t create;
@@ -153,6 +179,8 @@ socket_manager_t *socket_manager_create()
 		.public = {
 			.send = _sender,
 			.receive = _receiver,
+			.get_port = _get_port,
+			.supported_families = _supported_families,
 			.add_socket = _add_socket,
 			.remove_socket = _remove_socket,
 			.destroy = _destroy,
diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h
index 94185d21c..a07d0804c 100644
--- a/src/libcharon/network/socket_manager.h
+++ b/src/libcharon/network/socket_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2010-2013 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -40,7 +40,7 @@ struct socket_manager_t {
 	 *						- SUCCESS when packet successfully received
 	 *						- FAILED when unable to receive
 	 */
-	status_t (*receive) (socket_manager_t *this, packet_t **packet);
+	status_t (*receive)(socket_manager_t *this, packet_t **packet);
 
 	/**
 	 * Send a packet using the registered socket.
@@ -50,7 +50,22 @@ struct socket_manager_t {
 	 *						- SUCCESS when packet successfully sent
 	 *						- FAILED when unable to send
 	 */
-	status_t (*send) (socket_manager_t *this, packet_t *packet);
+	status_t (*send)(socket_manager_t *this, packet_t *packet);
+
+	/**
+	 * Get the port the registered socket is listening on.
+	 *
+	 * @param nat_t			TRUE to get the port used to float in case of NAT-T
+	 * @return				the port, or 0, if no socket is registered
+	 */
+	u_int16_t (*get_port)(socket_manager_t *this, bool nat_t);
+
+	/**
+	 * Get the address families the registered socket is listening on.
+	 *
+	 * @return				address families
+	 */
+	socket_family_t (*supported_families)(socket_manager_t *this);
 
 	/**
 	 * Register a socket constructor.