diff options
Diffstat (limited to 'src/charon/network/receiver.c')
| -rw-r--r-- | src/charon/network/receiver.c | 84 |
1 files changed, 39 insertions, 45 deletions
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c index ab4d6d592..6cd99439b 100644 --- a/src/charon/network/receiver.c +++ b/src/charon/network/receiver.c @@ -17,7 +17,6 @@ #include <stdlib.h> #include <unistd.h> -#include <pthread.h> #include "receiver.h" @@ -50,57 +49,52 @@ struct private_receiver_t { * Public part of a receiver_t object. */ receiver_t public; - + /** * Threads job receiving packets */ callback_job_t *job; - - /** - * Assigned thread. - */ - pthread_t assigned_thread; - + /** * current secret to use for cookie calculation */ char secret[SECRET_LENGTH]; - + /** * previous secret used to verify older cookies */ char secret_old[SECRET_LENGTH]; - + /** * how many times we have used "secret" so far */ u_int32_t secret_used; - + /** * time we did the cookie switch */ u_int32_t secret_switch; - + /** * time offset to use, hides our system time */ u_int32_t secret_offset; - + /** * the RNG to use for secret generation */ rng_t *rng; - + /** * hasher to use for cookie calculation */ hasher_t *hasher; - + /** * require cookies after this many half open IKE_SAs */ u_int32_t cookie_threshold; - + /** * how many half open IKE_SAs per peer before blocking */ @@ -119,7 +113,7 @@ static void send_notify(message_t *request, notify_type_t type, chunk_t data) host_t *src, *dst; packet_t *packet; ike_sa_id_t *ike_sa_id; - + response = message_create(); dst = request->get_source(request); src = request->get_destination(request); @@ -149,7 +143,7 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message, u_int64_t spi = message->get_initiator_spi(message); host_t *ip = message->get_source(message); chunk_t input, hash; - + /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */ input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi), chunk_from_thing(t), secret); @@ -167,18 +161,18 @@ static bool cookie_verify(private_receiver_t *this, message_t *message, u_int32_t t, now; chunk_t reference; chunk_t secret; - - now = time(NULL); + + now = time_monotonic(NULL); t = *(u_int32_t*)cookie.ptr; - + if (cookie.len != sizeof(u_int32_t) + - this->hasher->get_hash_size(this->hasher) || + this->hasher->get_hash_size(this->hasher) || t < now - this->secret_offset - COOKIE_LIFETIME) { DBG2(DBG_NET, "received cookie lifetime expired, rejecting"); - return FALSE; + return FALSE; } - + /* check if cookie is derived from old_secret */ if (t + this->secret_offset > this->secret_switch) { @@ -188,7 +182,7 @@ static bool cookie_verify(private_receiver_t *this, message_t *message, { secret = chunk_from_thing(this->secret_old); } - + /* compare own calculation against received */ reference = cookie_build(this, message, t, secret); if (chunk_equals(reference, cookie)) @@ -206,20 +200,20 @@ static bool cookie_verify(private_receiver_t *this, message_t *message, static bool cookie_required(private_receiver_t *this, message_t *message) { bool failed = FALSE; - + if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, NULL) >= this->cookie_threshold) { /* check for a cookie. We don't use our parser here and do it - * quick and dirty for performance reasons. - * we assume the cookie is the first payload (which is a MUST), and + * quick and dirty for performance reasons. + * we assume the cookie is the first payload (which is a MUST), and * the cookie's SPI length is zero. */ packet_t *packet = message->get_packet(message); chunk_t data = packet->get_data(packet); - if (data.len < + if (data.len < IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) || - *(data.ptr + 16) != NOTIFY || + *(data.ptr + 16) != NOTIFY || *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE)) { /* no cookie found */ @@ -261,14 +255,14 @@ static job_requeue_t receive_packets(private_receiver_t *this) packet_t *packet; message_t *message; job_t *job; - + /* read in a packet */ if (charon->socket->receive(charon->socket, &packet) != SUCCESS) { DBG2(DBG_NET, "receiving from socket failed!"); return JOB_REQUEUE_FAIR; } - + /* parse message header */ message = message_create_from_packet(packet); if (message->parse_header(message) != SUCCESS) @@ -278,28 +272,28 @@ static job_requeue_t receive_packets(private_receiver_t *this) message->destroy(message); return JOB_REQUEUE_DIRECT; } - + /* check IKE major version */ if (message->get_major_version(message) != IKE_MAJOR_VERSION) { DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, " - "sending INVALID_MAJOR_VERSION", message->get_major_version(message), + "sending INVALID_MAJOR_VERSION", message->get_major_version(message), message->get_minor_version(message), packet->get_source(packet)); send_notify(message, INVALID_MAJOR_VERSION, chunk_empty); message->destroy(message); return JOB_REQUEUE_DIRECT; } - + if (message->get_request(message) && message->get_exchange_type(message) == IKE_SA_INIT) { /* check for cookies */ if (this->cookie_threshold && cookie_required(this, message)) { - u_int32_t now = time(NULL); + u_int32_t now = time_monotonic(NULL); chunk_t cookie = cookie_build(this, message, now - this->secret_offset, - chunk_from_thing(this->secret)); - + chunk_from_thing(this->secret)); + DBG2(DBG_NET, "received packet from: %#H to %#H", message->get_source(message), message->get_destination(message)); @@ -312,7 +306,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) /* create new cookie */ DBG1(DBG_NET, "generating new cookie secret after %d uses", this->secret_used); - memcpy(this->secret_old, this->secret, SECRET_LENGTH); + memcpy(this->secret_old, this->secret, SECRET_LENGTH); this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret); this->secret_switch = now; this->secret_used = 0; @@ -320,7 +314,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) message->destroy(message); return JOB_REQUEUE_DIRECT; } - + /* check if peer has not too many IKE_SAs half open */ if (this->block_threshold && peer_to_aggressive(this, message)) { @@ -352,10 +346,10 @@ static void destroy(private_receiver_t *this) receiver_t *receiver_create() { private_receiver_t *this = malloc_thing(private_receiver_t); - u_int32_t now = time(NULL); - + u_int32_t now = time_monotonic(NULL); + this->public.destroy = (void(*)(receiver_t*)) destroy; - + this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); if (this->hasher == NULL) { @@ -385,11 +379,11 @@ receiver_t *receiver_create() this->cookie_threshold = 0; this->block_threshold = 0; } - + this->job = callback_job_create((callback_job_cb_t)receive_packets, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); - + return &this->public; } |