diff options
Diffstat (limited to 'src/charon/network')
-rw-r--r-- | src/charon/network/packet.c | 11 | ||||
-rw-r--r-- | src/charon/network/packet.h | 55 | ||||
-rw-r--r-- | src/charon/network/receiver.c | 54 | ||||
-rw-r--r-- | src/charon/network/receiver.h | 33 | ||||
-rw-r--r-- | src/charon/network/sender.c | 31 | ||||
-rw-r--r-- | src/charon/network/sender.h | 34 | ||||
-rw-r--r-- | src/charon/network/socket-raw.c | 12 | ||||
-rw-r--r-- | src/charon/network/socket.c | 12 | ||||
-rw-r--r-- | src/charon/network/socket.h | 66 |
9 files changed, 132 insertions, 176 deletions
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c index f2fa91569..b47e6322f 100644 --- a/src/charon/network/packet.c +++ b/src/charon/network/packet.c @@ -1,10 +1,3 @@ -/** - * @file packet.c - * - * @brief Implementation of packet_t. - * - */ - /* * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,12 +12,12 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: packet.c 3589 2008-03-13 14:14:44Z martin $ */ - #include "packet.h" - typedef struct private_packet_t private_packet_t; /** diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h index acf953032..2f126d465 100644 --- a/src/charon/network/packet.h +++ b/src/charon/network/packet.h @@ -1,10 +1,3 @@ -/** - * @file packet.h - * - * @brief Interface of packet_t. - * - */ - /* * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: packet.h 3589 2008-03-13 14:14:44Z martin $ + */ + +/** + * @defgroup packet packet + * @{ @ingroup network */ #ifndef PACKET_H_ @@ -30,105 +30,88 @@ typedef struct packet_t packet_t; #include <utils/host.h> /** - * @brief Abstraction of an UDP-Packet, contains data, sender and receiver. - * - * @b Constructors: - * - packet_create() - * - * @ingroup network + * Abstraction of an UDP-Packet, contains data, sender and receiver. */ struct packet_t { /** - * @brief Set the source address. + * Set the source address. * * Set host_t is now owned by packet_t, it will destroy * it if necessary. * - * @param this calling object * @param source address to set as source */ void (*set_source) (packet_t *packet, host_t *source); /** - * @brief Set the destination address. + * Set the destination address. * * Set host_t is now owned by packet_t, it will destroy * it if necessary. * - * @param this calling object * @param source address to set as destination */ void (*set_destination) (packet_t *packet, host_t *destination); /** - * @brief Get the source address. + * Get the source address. * * Set host_t is still owned by packet_t, clone it * if needed. * - * @param this calling object * @return source address */ host_t *(*get_source) (packet_t *packet); /** - * @brief Get the destination address. + * Get the destination address. * * Set host_t is still owned by packet_t, clone it * if needed. * - * @param this calling object * @return destination address */ host_t *(*get_destination) (packet_t *packet); /** - * @brief Get the data from the packet. + * Get the data from the packet. * * The data pointed by the chunk is still owned * by the packet. Clone it if needed. * - * @param this calling object * @return chunk containing the data */ chunk_t (*get_data) (packet_t *packet); /** - * @brief Set the data in the packet. + * Set the data in the packet. * * Supplied chunk data is now owned by the * packet. It will free it. * - * @param this calling object * @param data chunk with data to set */ void (*set_data) (packet_t *packet, chunk_t data); /** - * @brief Clones a packet_t object. + * Clones a packet_t object. * - * @param packet calling object - * @param clone pointer to a packet_t object pointer where the new object is stored + * @param clone clone of the packet */ packet_t* (*clone) (packet_t *packet); /** - * @brief Destroy the packet, freeing contained data. - * - * @param packet packet to destroy + * Destroy the packet, freeing contained data. */ void (*destroy) (packet_t *packet); }; /** - * @brief create an empty packet + * create an empty packet * * @return packet_t object - * - * @ingroup network */ packet_t *packet_create(void); - -#endif /*PACKET_H_*/ +#endif /*PACKET_H_ @} */ diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c index 1de1dd3d2..885280a62 100644 --- a/src/charon/network/receiver.c +++ b/src/charon/network/receiver.c @@ -1,10 +1,3 @@ -/** - * @file receiver.c - * - * @brief Implementation of receiver_t. - * - */ - /* * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: receiver.c 3994 2008-05-21 21:52:59Z andreas $ */ #include <stdlib.h> @@ -33,9 +28,8 @@ #include <processing/jobs/job.h> #include <processing/jobs/process_message_job.h> #include <processing/jobs/callback_job.h> +#include <crypto/hashers/hasher.h> -/** length of the full cookie, including time (u_int32_t + SHA1()) */ -#define COOKIE_LENGTH 24 /** lifetime of a cookie, in seconds */ #define COOKIE_LIFETIME 10 /** how many times to reuse the secret */ @@ -94,9 +88,9 @@ struct private_receiver_t { u_int32_t secret_offset; /** - * the randomizer to use for secret generation + * the RNG to use for secret generation */ - randomizer_t *randomizer; + rng_t *rng; /** * hasher to use for cookie calculation @@ -145,11 +139,12 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message, { u_int64_t spi = message->get_initiator_spi(message); host_t *ip = message->get_source(message); - chunk_t input, hash = chunk_alloca(this->hasher->get_hash_size(this->hasher)); + chunk_t input, hash; /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */ input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi), chunk_from_thing(t), secret); + hash = chunk_alloca(this->hasher->get_hash_size(this->hasher)); this->hasher->get_hash(this->hasher, input, hash.ptr); return chunk_cat("cc", chunk_from_thing(t), hash); } @@ -167,7 +162,8 @@ static bool cookie_verify(private_receiver_t *this, message_t *message, now = time(NULL); t = *(u_int32_t*)cookie.ptr; - if (cookie.len != COOKIE_LENGTH || + if (cookie.len != sizeof(u_int32_t) + + this->hasher->get_hash_size(this->hasher) || t < now - this->secret_offset - COOKIE_LIFETIME) { DBG2(DBG_NET, "received cookie lifetime expired, rejecting"); @@ -212,7 +208,8 @@ static bool cookie_required(private_receiver_t *this, message_t *message) packet_t *packet = message->get_packet(message); chunk_t data = packet->get_data(packet); if (data.len < - IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + COOKIE_LENGTH || + IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + + sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) || *(data.ptr + 16) != NOTIFY || *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE)) { @@ -222,7 +219,7 @@ static bool cookie_required(private_receiver_t *this, message_t *message) else { data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH; - data.len = COOKIE_LENGTH; + data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher); if (!cookie_verify(this, message, data)) { DBG2(DBG_NET, "found cookie, but content invalid"); @@ -307,8 +304,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) DBG1(DBG_NET, "generating new cookie secret after %d uses", this->secret_used); memcpy(this->secret_old, this->secret, SECRET_LENGTH); - this->randomizer->get_pseudo_random_bytes(this->randomizer, - SECRET_LENGTH, this->secret); + this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret); this->secret_switch = now; this->secret_used = 0; } @@ -320,7 +316,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) if (peer_to_aggressive(this, message)) { DBG1(DBG_NET, "ignoring IKE_SA setup from %H, " - "peer to aggressive", message->get_source(message)); + "peer too aggressive", message->get_source(message)); message->destroy(message); return JOB_REQUEUE_DIRECT; } @@ -336,7 +332,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) static void destroy(private_receiver_t *this) { this->job->cancel(this->job); - this->randomizer->destroy(this->randomizer); + this->rng->destroy(this->rng); this->hasher->destroy(this->hasher); free(this); } @@ -351,13 +347,25 @@ receiver_t *receiver_create() this->public.destroy = (void(*)(receiver_t*)) destroy; - this->randomizer = randomizer_create(); - this->hasher = hasher_create(HASH_SHA1); + this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); + if (this->hasher == NULL) + { + DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported"); + free(this); + return NULL; + } + this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + if (this->rng == NULL) + { + DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported"); + this->hasher->destroy(this->hasher); + free(this); + return NULL; + } this->secret_switch = now; this->secret_offset = random() % now; this->secret_used = 0; - this->randomizer->get_pseudo_random_bytes(this->randomizer, SECRET_LENGTH, - this->secret); + this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret); memcpy(this->secret_old, this->secret, SECRET_LENGTH); this->job = callback_job_create((callback_job_cb_t)receive_packets, diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h index 1bfa7b764..810a51849 100644 --- a/src/charon/network/receiver.h +++ b/src/charon/network/receiver.h @@ -1,10 +1,3 @@ -/** - * @file receiver.h - * - * @brief Interface of receiver_t. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: receiver.h 3589 2008-03-13 14:14:44Z martin $ + */ + +/** + * @defgroup receiver receiver + * @{ @ingroup network */ #ifndef RECEIVER_H_ @@ -30,7 +30,7 @@ typedef struct receiver_t receiver_t; #include <utils/host.h> /** - * @brief Receives packets from the socket and adds them to the job queue. + * Receives packets from the socket and adds them to the job queue. * * The receiver starts a thread, wich reads on the blocking socket. A received * packet is preparsed and a process_message_job is queued in the job queue. @@ -50,32 +50,23 @@ typedef struct receiver_t receiver_t; * * Further, the number of half-initiated IKE_SAs is limited per peer. This * mades it impossible for a peer to flood the server with its real IP address. - * - * @b Constructors: - * - receiver_create() - * - * @ingroup network */ struct receiver_t { /** - * @brief Destroys a receiver_t object. - * - * @param receiver receiver object + * Destroys a receiver_t object. */ void (*destroy) (receiver_t *receiver); }; /** - * @brief Create a receiver_t object. + * Create a receiver_t object. * * The receiver thread will start working, get data * from the socket and add those packets to the job queue. * - * @return receiver_t object - * - * @ingroup network + * @return receiver_t object, NULL if initialization fails */ receiver_t * receiver_create(void); -#endif /*RECEIVER_H_*/ +#endif /*RECEIVER_H_ @} */ diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c index f934dc509..60a08d0c3 100644 --- a/src/charon/network/sender.c +++ b/src/charon/network/sender.c @@ -1,10 +1,3 @@ -/** - * @file sender.c - * - * @brief Implementation of sender_t. - * - */ - /* * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: sender.c 3742 2008-04-03 09:19:12Z tobias $ */ #include <stdlib.h> @@ -58,9 +53,14 @@ struct private_sender_t { pthread_mutex_t mutex; /** - * condvar to signal for packets in list + * condvar to signal for packets added to list */ - pthread_cond_t condvar; + pthread_cond_t gotone; + + /** + * condvar to signal for packets sent + */ + pthread_cond_t sentone; }; /** @@ -76,8 +76,8 @@ static void send_(private_sender_t *this, packet_t *packet) pthread_mutex_lock(&this->mutex); this->list->insert_last(this->list, packet); + pthread_cond_signal(&this->gotone); pthread_mutex_unlock(&this->mutex); - pthread_cond_signal(&this->condvar); } /** @@ -95,12 +95,13 @@ static job_requeue_t send_packets(private_sender_t * this) pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex); pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - pthread_cond_wait(&this->condvar, &this->mutex); + pthread_cond_wait(&this->gotone, &this->mutex); pthread_setcancelstate(oldstate, NULL); pthread_cleanup_pop(0); } this->list->remove_first(this->list, (void**)&packet); + pthread_cond_signal(&this->sentone); pthread_mutex_unlock(&this->mutex); charon->socket->send(charon->socket, packet); @@ -114,10 +115,13 @@ static job_requeue_t send_packets(private_sender_t * this) static void destroy(private_sender_t *this) { /* send all packets in the queue */ + pthread_mutex_lock(&this->mutex); while (this->list->get_count(this->list)) { - sched_yield(); + pthread_cond_wait(&this->sentone, &this->mutex); } + pthread_mutex_unlock(&this->mutex); + pthread_mutex_destroy(&this->mutex); this->job->cancel(this->job); this->list->destroy(this->list); free(this); @@ -135,7 +139,8 @@ sender_t * sender_create() this->list = linked_list_create(); pthread_mutex_init(&this->mutex, NULL); - pthread_cond_init(&this->condvar, NULL); + pthread_cond_init(&this->gotone, NULL); + pthread_cond_init(&this->sentone, NULL); this->job = callback_job_create((callback_job_cb_t)send_packets, this, NULL, NULL); diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h index 8d611cc90..4a67c7e72 100644 --- a/src/charon/network/sender.h +++ b/src/charon/network/sender.h @@ -1,10 +1,3 @@ -/** - * @file sender.h - * - * @brief Interface of sender_t. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: sender.h 3589 2008-03-13 14:14:44Z martin $ + */ + +/** + * @defgroup sender sender + * @{ @ingroup network */ #ifndef SENDER_H_ @@ -30,45 +30,35 @@ typedef struct sender_t sender_t; #include <network/packet.h> /** - * @brief Thread responsible for sending packets over the socket. - * - * @b Constructors: - * - sender_create() - * - * @ingroup network + * Thread responsible for sending packets over the socket. */ struct sender_t { /** - * @brief Send a packet over the network. + * Send a packet over the network. * * This function is non blocking and adds the packet to a queue. * Whenever the sender thread thinks it's good to send the packet, * it'll do so. * - * @param this calling object * @param packet packet to send */ void (*send) (sender_t *this, packet_t *packet); /** - * @brief Destroys a sender object. - * - * @param this calling object + * Destroys a sender object. */ void (*destroy) (sender_t *this); }; /** - * @brief Create the sender thread. + * Create the sender thread. * * The thread will start to work, getting packets * from its queue and sends them out. * * @return created sender object - * - * @ingroup network */ sender_t * sender_create(void); -#endif /*SENDER_H_*/ +#endif /*SENDER_H_ @} */ diff --git a/src/charon/network/socket-raw.c b/src/charon/network/socket-raw.c index 3b76ae570..5d1623ffd 100644 --- a/src/charon/network/socket-raw.c +++ b/src/charon/network/socket-raw.c @@ -1,10 +1,3 @@ -/** - * @file socket.c - * - * @brief Implementation of socket_t. - * - */ - /* * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi @@ -20,8 +13,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: socket-raw.c 3870 2008-04-24 13:49:20Z martin $ */ +/* for struct in6_pktinfo */ +#define _GNU_SOURCE + #include <pthread.h> #include <sys/types.h> #include <sys/socket.h> diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c index a4c407579..60ea5f7c8 100644 --- a/src/charon/network/socket.c +++ b/src/charon/network/socket.c @@ -1,10 +1,3 @@ -/** - * @file socket.c - * - * @brief Implementation of socket_t. - * - */ - /* * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger * Copyright (C) 2005-2007 Martin Willi @@ -20,8 +13,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: socket.c 3870 2008-04-24 13:49:20Z martin $ */ +/* for struct in6_pktinfo */ +#define _GNU_SOURCE + #include <pthread.h> #include <sys/types.h> #include <sys/socket.h> diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h index 4d8251325..077da4bba 100644 --- a/src/charon/network/socket.h +++ b/src/charon/network/socket.h @@ -1,10 +1,3 @@ -/** - * @file socket.h - * - * @brief Interface for socket_t. - * - */ - /* * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi @@ -20,6 +13,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: socket.h 3589 2008-03-13 14:14:44Z martin $ + */ + +/** + * @defgroup socket socket + * @{ @ingroup network */ #ifndef SOCKET_H_ @@ -33,38 +33,36 @@ typedef struct socket_t socket_t; #include <utils/linked_list.h> /** - * @brief Maximum size of a packet. - * - * 3000 Bytes should be sufficient, see IKEv2 RFC. + * Maximum size of a packet. * - * @ingroup network + * 3000 Bytes should be sufficient, see IKEv2 RFC. However, we currently + * do not support HASH_AND_URL certificates, so we require to transmit + * the full certificates. To run our multi-CA test with 2 intermediate CAs, + * 5000 bytes is sufficient. */ -#define MAX_PACKET 3000 +#define MAX_PACKET 5000 /** - * @brief Abstraction of all sockets (IPv6/IPv6 send/receive). + * Abstraction of all sockets (IPv4/IPv6 send/receive). * * All available sockets are bound and the receive function - * reads from them. To allow binding of other daemons (pluto) to - * UDP/500, this implementation uses RAW sockets. An installed - * "Linux socket filter" filters out all non-IKEv2 traffic and handles - * just IKEv2 messages. An other daemon (pluto) must handle all traffic - * seperatly, e.g. ignore IKEv2 traffic, since charon handles that. - * - * @b Constructors: - * - socket_create() - * - * @ingroup network + * reads from them. There are actually two implementations: + * The first uses raw sockets to allow binding of other daemons (pluto) to + * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2 + * traffic and handles just IKEv2 messages. An other daemon (pluto) must + * handle all traffic seperatly, e.g. ignore IKEv2 traffic, since charon + * handles that. + * The other implementation uses normal sockets and is built if + * --disable-pluto is given to the configure script. */ struct socket_t { /** - * @brief Receive a packet. + * Receive a packet. * * Reads a packet from the socket and sets source/dest * appropriately. * - * @param this socket_t object to work on * @param packet pinter gets address from allocated packet_t * @return * - SUCCESS when packet successfully received @@ -73,14 +71,13 @@ struct socket_t { status_t (*receive) (socket_t *this, packet_t **packet); /** - * @brief Send a packet. + * Send a packet. * * Sends a packet to the net using destination from the packet. * Packet is sent using default routing mechanisms, thus the * source address in packet is ignored. * - * @param this socket_t object to work on - * @param packet[out] packet_t to send + * @param packet packet_t to send * @return * - SUCCESS when packet successfully sent * - FAILED when unable to send @@ -88,23 +85,16 @@ struct socket_t { status_t (*send) (socket_t *this, packet_t *packet); /** - * @brief Destroy sockets. - * - * close sockets and destroy socket_t object - * - * @param this socket_t to destroy + * Destroy socket. */ void (*destroy) (socket_t *this); }; /** - * @brief Create a socket_t, wich binds multiple sockets. + * Create a socket_t, wich binds multiple sockets. * * @return socket_t object - * - * @ingroup network */ socket_t *socket_create(); - -#endif /*SOCKET_H_*/ +#endif /*SOCKET_H_ @} */ |