Diffstat (limited to 'src/charon/network')
-rw-r--r--src/charon/network/packet.c11
-rw-r--r--src/charon/network/packet.h55
-rw-r--r--src/charon/network/receiver.c54
-rw-r--r--src/charon/network/receiver.h33
-rw-r--r--src/charon/network/sender.c31
-rw-r--r--src/charon/network/sender.h34
-rw-r--r--src/charon/network/socket-raw.c12
-rw-r--r--src/charon/network/socket.c12
-rw-r--r--src/charon/network/socket.h66
9 files changed, 132 insertions, 176 deletions
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c
index f2fa91569..b47e6322f 100644
--- a/src/charon/network/packet.c
+++ b/src/charon/network/packet.c
@@ -1,10 +1,3 @@
-/**
- * @file packet.c
- *
- * @brief Implementation of packet_t.
- *
- */
-
/*
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -19,12 +12,12 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: packet.c 3589 2008-03-13 14:14:44Z martin $
*/
-
#include "packet.h"
-
typedef struct private_packet_t private_packet_t;
/**
diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h
index acf953032..2f126d465 100644
--- a/src/charon/network/packet.h
+++ b/src/charon/network/packet.h
@@ -1,10 +1,3 @@
-/**
- * @file packet.h
- *
- * @brief Interface of packet_t.
- *
- */
-
/*
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -19,6 +12,13 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: packet.h 3589 2008-03-13 14:14:44Z martin $
+ */
+
+/**
+ * @defgroup packet packet
+ * @{ @ingroup network
*/
#ifndef PACKET_H_
@@ -30,105 +30,88 @@ typedef struct packet_t packet_t;
#include <utils/host.h>
/**
- * @brief Abstraction of an UDP-Packet, contains data, sender and receiver.
- *
- * @b Constructors:
- * - packet_create()
- *
- * @ingroup network
+ * Abstraction of an UDP-Packet, contains data, sender and receiver.
*/
struct packet_t {
/**
- * @brief Set the source address.
+ * Set the source address.
*
* Set host_t is now owned by packet_t, it will destroy
* it if necessary.
*
- * @param this calling object
* @param source address to set as source
*/
void (*set_source) (packet_t *packet, host_t *source);
/**
- * @brief Set the destination address.
+ * Set the destination address.
*
* Set host_t is now owned by packet_t, it will destroy
* it if necessary.
*
- * @param this calling object
* @param source address to set as destination
*/
void (*set_destination) (packet_t *packet, host_t *destination);
/**
- * @brief Get the source address.
+ * Get the source address.
*
* Set host_t is still owned by packet_t, clone it
* if needed.
*
- * @param this calling object
* @return source address
*/
host_t *(*get_source) (packet_t *packet);
/**
- * @brief Get the destination address.
+ * Get the destination address.
*
* Set host_t is still owned by packet_t, clone it
* if needed.
*
- * @param this calling object
* @return destination address
*/
host_t *(*get_destination) (packet_t *packet);
/**
- * @brief Get the data from the packet.
+ * Get the data from the packet.
*
* The data pointed by the chunk is still owned
* by the packet. Clone it if needed.
*
- * @param this calling object
* @return chunk containing the data
*/
chunk_t (*get_data) (packet_t *packet);
/**
- * @brief Set the data in the packet.
+ * Set the data in the packet.
*
* Supplied chunk data is now owned by the
* packet. It will free it.
*
- * @param this calling object
* @param data chunk with data to set
*/
void (*set_data) (packet_t *packet, chunk_t data);
/**
- * @brief Clones a packet_t object.
+ * Clones a packet_t object.
*
- * @param packet calling object
- * @param clone pointer to a packet_t object pointer where the new object is stored
+ * @param clone clone of the packet
*/
packet_t* (*clone) (packet_t *packet);
/**
- * @brief Destroy the packet, freeing contained data.
- *
- * @param packet packet to destroy
+ * Destroy the packet, freeing contained data.
*/
void (*destroy) (packet_t *packet);
};
/**
- * @brief create an empty packet
+ * create an empty packet
*
* @return packet_t object
- *
- * @ingroup network
*/
packet_t *packet_create(void);
-
-#endif /*PACKET_H_*/
+#endif /*PACKET_H_ @} */
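Review bot: The rewritten doc for `clone` at the `@param clone clone of the packet` line documents a parameter that does not exist; the prototype `packet_t* (*clone) (packet_t *packet)` takes only the packet and returns the copy, so the tag should read `@return clone of the packet`. The same pass removed the `@param this` lines from the other members, so what remains should describe only what each prototype actually has.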
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
index 1de1dd3d2..885280a62 100644
--- a/src/charon/network/receiver.c
+++ b/src/charon/network/receiver.c
@@ -1,10 +1,3 @@
-/**
- * @file receiver.c
- *
- * @brief Implementation of receiver_t.
- *
- */
-
/*
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -19,6 +12,8 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: receiver.c 3994 2008-05-21 21:52:59Z andreas $
*/
#include <stdlib.h>
@@ -33,9 +28,8 @@
#include <processing/jobs/job.h>
#include <processing/jobs/process_message_job.h>
#include <processing/jobs/callback_job.h>
+#include <crypto/hashers/hasher.h>
-/** length of the full cookie, including time (u_int32_t + SHA1()) */
-#define COOKIE_LENGTH 24
/** lifetime of a cookie, in seconds */
#define COOKIE_LIFETIME 10
/** how many times to reuse the secret */
@@ -94,9 +88,9 @@ struct private_receiver_t {
u_int32_t secret_offset;
/**
- * the randomizer to use for secret generation
+ * the RNG to use for secret generation
*/
- randomizer_t *randomizer;
+ rng_t *rng;
/**
* hasher to use for cookie calculation
@@ -145,11 +139,12 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message,
{
u_int64_t spi = message->get_initiator_spi(message);
host_t *ip = message->get_source(message);
- chunk_t input, hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
+ chunk_t input, hash;
/* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
chunk_from_thing(t), secret);
+ hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
this->hasher->get_hash(this->hasher, input, hash.ptr);
return chunk_cat("cc", chunk_from_thing(t), hash);
}
@@ -167,7 +162,8 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
now = time(NULL);
t = *(u_int32_t*)cookie.ptr;
- if (cookie.len != COOKIE_LENGTH ||
+ if (cookie.len != sizeof(u_int32_t) +
+ this->hasher->get_hash_size(this->hasher) ||
t < now - this->secret_offset - COOKIE_LIFETIME)
{
DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
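Review bot: The cookie length `sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher)` is now spelled out three times (here and in the two cookie_required hunks below), which is exactly the repetition the removed COOKIE_LENGTH define avoided; a small `static size_t cookie_length(private_receiver_t *this)` helper, or caching the hash size in the struct when the hasher is created, would keep the three sites from drifting apart. Note also that `t = *(u_int32_t*)cookie.ptr;` is read on the line before the length check, so the check relies on the caller guaranteeing at least four bytes; cookie_required does derive `data.len` from the same expression, but a short comment on the read, e.g. `/* caller guarantees cookie.len >= sizeof(u_int32_t) */`, would make that precondition explicit. cookie_verify's signature and the tail of its body lie outside the hunk.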
@@ -212,7 +208,8 @@ static bool cookie_required(private_receiver_t *this, message_t *message)
packet_t *packet = message->get_packet(message);
chunk_t data = packet->get_data(packet);
if (data.len <
- IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + COOKIE_LENGTH ||
+ IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
+ sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
*(data.ptr + 16) != NOTIFY ||
*(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
{
@@ -222,7 +219,7 @@ static bool cookie_required(private_receiver_t *this, message_t *message)
else
{
data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
- data.len = COOKIE_LENGTH;
+ data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
if (!cookie_verify(this, message, data))
{
DBG2(DBG_NET, "found cookie, but content invalid");
@@ -307,8 +304,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
DBG1(DBG_NET, "generating new cookie secret after %d uses",
this->secret_used);
memcpy(this->secret_old, this->secret, SECRET_LENGTH);
- this->randomizer->get_pseudo_random_bytes(this->randomizer,
- SECRET_LENGTH, this->secret);
+ this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
this->secret_switch = now;
this->secret_used = 0;
}
@@ -320,7 +316,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
if (peer_to_aggressive(this, message))
{
DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
- "peer to aggressive", message->get_source(message));
+ "peer too aggressive", message->get_source(message));
message->destroy(message);
return JOB_REQUEUE_DIRECT;
}
@@ -336,7 +332,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
static void destroy(private_receiver_t *this)
{
this->job->cancel(this->job);
- this->randomizer->destroy(this->randomizer);
+ this->rng->destroy(this->rng);
this->hasher->destroy(this->hasher);
free(this);
}
@@ -351,13 +347,25 @@ receiver_t *receiver_create()
this->public.destroy = (void(*)(receiver_t*)) destroy;
- this->randomizer = randomizer_create();
- this->hasher = hasher_create(HASH_SHA1);
+ this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
+ if (this->hasher == NULL)
+ {
+ DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
+ free(this);
+ return NULL;
+ }
+ this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+ if (this->rng == NULL)
+ {
+ DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
+ this->hasher->destroy(this->hasher);
+ free(this);
+ return NULL;
+ }
this->secret_switch = now;
this->secret_offset = random() % now;
this->secret_used = 0;
- this->randomizer->get_pseudo_random_bytes(this->randomizer, SECRET_LENGTH,
- this->secret);
+ this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
memcpy(this->secret_old, this->secret, SECRET_LENGTH);
this->job = callback_job_create((callback_job_cb_t)receive_packets,
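Review bot: receiver_create() can now return NULL on the two new failure paths, and every caller is outside this diff; the daemon initialization that calls it (presumably) must now check the result, otherwise the first use of the returned pointer dereferences NULL. The header change `@return receiver_t object, NULL if initialization fails` documents the contract, so the remaining work is at the call site. With HASH_PREFERRED the cookie length now depends on which hasher the loaded plugins provide, which deserves a one-line comment next to the create_hasher call, e.g. `/* cookie size follows the hash size of the preferred hasher */`. receiver_create's opening and its remaining body lie outside the hunk.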
diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h
index 1bfa7b764..810a51849 100644
--- a/src/charon/network/receiver.h
+++ b/src/charon/network/receiver.h
@@ -1,10 +1,3 @@
-/**
- * @file receiver.h
- *
- * @brief Interface of receiver_t.
- *
- */
-
/*
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -19,6 +12,13 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: receiver.h 3589 2008-03-13 14:14:44Z martin $
+ */
+
+/**
+ * @defgroup receiver receiver
+ * @{ @ingroup network
*/
#ifndef RECEIVER_H_
@@ -30,7 +30,7 @@ typedef struct receiver_t receiver_t;
#include <utils/host.h>
/**
- * @brief Receives packets from the socket and adds them to the job queue.
+ * Receives packets from the socket and adds them to the job queue.
*
* The receiver starts a thread, wich reads on the blocking socket. A received
* packet is preparsed and a process_message_job is queued in the job queue.
@@ -50,32 +50,23 @@ typedef struct receiver_t receiver_t;
*
* Further, the number of half-initiated IKE_SAs is limited per peer. This
* mades it impossible for a peer to flood the server with its real IP address.
- *
- * @b Constructors:
- * - receiver_create()
- *
- * @ingroup network
*/
struct receiver_t {
/**
- * @brief Destroys a receiver_t object.
- *
- * @param receiver receiver object
+ * Destroys a receiver_t object.
*/
void (*destroy) (receiver_t *receiver);
};
/**
- * @brief Create a receiver_t object.
+ * Create a receiver_t object.
*
* The receiver thread will start working, get data
* from the socket and add those packets to the job queue.
*
- * @return receiver_t object
- *
- * @ingroup network
+ * @return receiver_t object, NULL if initialization fails
*/
receiver_t * receiver_create(void);
-#endif /*RECEIVER_H_*/
+#endif /*RECEIVER_H_ @} */
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index f934dc509..60a08d0c3 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -1,10 +1,3 @@
-/**
- * @file sender.c
- *
- * @brief Implementation of sender_t.
- *
- */
-
/*
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -19,6 +12,8 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: sender.c 3742 2008-04-03 09:19:12Z tobias $
*/
#include <stdlib.h>
@@ -58,9 +53,14 @@ struct private_sender_t {
pthread_mutex_t mutex;
/**
- * condvar to signal for packets in list
+ * condvar to signal for packets added to list
*/
- pthread_cond_t condvar;
+ pthread_cond_t gotone;
+
+ /**
+ * condvar to signal for packets sent
+ */
+ pthread_cond_t sentone;
};
/**
@@ -76,8 +76,8 @@ static void send_(private_sender_t *this, packet_t *packet)
pthread_mutex_lock(&this->mutex);
this->list->insert_last(this->list, packet);
+ pthread_cond_signal(&this->gotone);
pthread_mutex_unlock(&this->mutex);
- pthread_cond_signal(&this->condvar);
}
/**
@@ -95,12 +95,13 @@ static job_requeue_t send_packets(private_sender_t * this)
pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex);
pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
- pthread_cond_wait(&this->condvar, &this->mutex);
+ pthread_cond_wait(&this->gotone, &this->mutex);
pthread_setcancelstate(oldstate, NULL);
pthread_cleanup_pop(0);
}
this->list->remove_first(this->list, (void**)&packet);
+ pthread_cond_signal(&this->sentone);
pthread_mutex_unlock(&this->mutex);
charon->socket->send(charon->socket, packet);
@@ -114,10 +115,13 @@ static job_requeue_t send_packets(private_sender_t * this)
static void destroy(private_sender_t *this)
{
/* send all packets in the queue */
+ pthread_mutex_lock(&this->mutex);
while (this->list->get_count(this->list))
{
- sched_yield();
+ pthread_cond_wait(&this->sentone, &this->mutex);
}
+ pthread_mutex_unlock(&this->mutex);
+ pthread_mutex_destroy(&this->mutex);
this->job->cancel(this->job);
this->list->destroy(this->list);
free(this);
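Review bot: `pthread_mutex_destroy(&this->mutex)` runs before `this->job->cancel(this->job)`, so the sender thread, which re-locks the mutex at the top of each send_packets iteration after its unlocked socket send, can contend for an already destroyed mutex — undefined behaviour under POSIX. Move `pthread_mutex_destroy(&this->mutex);` below the cancel and follow it with `pthread_cond_destroy(&this->gotone);` and `pthread_cond_destroy(&this->sentone);`, since the create hunk now initializes both condvars and nothing releases them. Note too that `sentone` is signalled in send_packets right after remove_first, before the socket send, so the drain loop here only guarantees the queue is empty, not that the last packet has left the socket; whether cancel interrupts that in-flight send is not visible in this diff. destroy's remaining lines and the callback_job cancel semantics lie outside the hunk.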
@@ -135,7 +139,8 @@ sender_t * sender_create()
this->list = linked_list_create();
pthread_mutex_init(&this->mutex, NULL);
- pthread_cond_init(&this->condvar, NULL);
+ pthread_cond_init(&this->gotone, NULL);
+ pthread_cond_init(&this->sentone, NULL);
this->job = callback_job_create((callback_job_cb_t)send_packets,
this, NULL, NULL);
diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h
index 8d611cc90..4a67c7e72 100644
--- a/src/charon/network/sender.h
+++ b/src/charon/network/sender.h
@@ -1,10 +1,3 @@
-/**
- * @file sender.h
- *
- * @brief Interface of sender_t.
- *
- */
-
/*
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -19,6 +12,13 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: sender.h 3589 2008-03-13 14:14:44Z martin $
+ */
+
+/**
+ * @defgroup sender sender
+ * @{ @ingroup network
*/
#ifndef SENDER_H_
@@ -30,45 +30,35 @@ typedef struct sender_t sender_t;
#include <network/packet.h>
/**
- * @brief Thread responsible for sending packets over the socket.
- *
- * @b Constructors:
- * - sender_create()
- *
- * @ingroup network
+ * Thread responsible for sending packets over the socket.
*/
struct sender_t {
/**
- * @brief Send a packet over the network.
+ * Send a packet over the network.
*
* This function is non blocking and adds the packet to a queue.
* Whenever the sender thread thinks it's good to send the packet,
* it'll do so.
*
- * @param this calling object
* @param packet packet to send
*/
void (*send) (sender_t *this, packet_t *packet);
/**
- * @brief Destroys a sender object.
- *
- * @param this calling object
+ * Destroys a sender object.
*/
void (*destroy) (sender_t *this);
};
/**
- * @brief Create the sender thread.
+ * Create the sender thread.
*
* The thread will start to work, getting packets
* from its queue and sends them out.
*
* @return created sender object
- *
- * @ingroup network
*/
sender_t * sender_create(void);
-#endif /*SENDER_H_*/
+#endif /*SENDER_H_ @} */
diff --git a/src/charon/network/socket-raw.c b/src/charon/network/socket-raw.c
index 3b76ae570..5d1623ffd 100644
--- a/src/charon/network/socket-raw.c
+++ b/src/charon/network/socket-raw.c
@@ -1,10 +1,3 @@
-/**
- * @file socket.c
- *
- * @brief Implementation of socket_t.
- *
- */
-
/*
* Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
* Copyright (C) 2005-2006 Martin Willi
@@ -20,8 +13,13 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: socket-raw.c 3870 2008-04-24 13:49:20Z martin $
*/
+/* for struct in6_pktinfo */
+#define _GNU_SOURCE
+
#include <pthread.h>
#include <sys/types.h>
#include <sys/socket.h>
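Review bot: `#define _GNU_SOURCE` is unconditional, so a build that also passes `-D_GNU_SOURCE` on the command line gets a redefinition warning; guard it as `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`. It does precede the first visible `#include <pthread.h>`, which is what a feature-test macro needs, but that only holds if nothing is included above this hunk in the file. The identical hunk in socket.c has the same issue.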
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index a4c407579..60ea5f7c8 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -1,10 +1,3 @@
-/**
- * @file socket.c
- *
- * @brief Implementation of socket_t.
- *
- */
-
/*
* Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
* Copyright (C) 2005-2007 Martin Willi
@@ -20,8 +13,13 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: socket.c 3870 2008-04-24 13:49:20Z martin $
*/
+/* for struct in6_pktinfo */
+#define _GNU_SOURCE
+
#include <pthread.h>
#include <sys/types.h>
#include <sys/socket.h>
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
index 4d8251325..077da4bba 100644
--- a/src/charon/network/socket.h
+++ b/src/charon/network/socket.h
@@ -1,10 +1,3 @@
-/**
- * @file socket.h
- *
- * @brief Interface for socket_t.
- *
- */
-
/*
* Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
* Copyright (C) 2005-2006 Martin Willi
@@ -20,6 +13,13 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
+ *
+ * $Id: socket.h 3589 2008-03-13 14:14:44Z martin $
+ */
+
+/**
+ * @defgroup socket socket
+ * @{ @ingroup network
*/
#ifndef SOCKET_H_
@@ -33,38 +33,36 @@ typedef struct socket_t socket_t;
#include <utils/linked_list.h>
/**
- * @brief Maximum size of a packet.
- *
- * 3000 Bytes should be sufficient, see IKEv2 RFC.
+ * Maximum size of a packet.
*
- * @ingroup network
+ * 3000 Bytes should be sufficient, see IKEv2 RFC. However, we currently
+ * do not support HASH_AND_URL certificates, so we require to transmit
+ * the full certificates. To run our multi-CA test with 2 intermediate CAs,
+ * 5000 bytes is sufficient.
*/
-#define MAX_PACKET 3000
+#define MAX_PACKET 5000
/**
- * @brief Abstraction of all sockets (IPv6/IPv6 send/receive).
+ * Abstraction of all sockets (IPv4/IPv6 send/receive).
*
* All available sockets are bound and the receive function
- * reads from them. To allow binding of other daemons (pluto) to
- * UDP/500, this implementation uses RAW sockets. An installed
- * "Linux socket filter" filters out all non-IKEv2 traffic and handles
- * just IKEv2 messages. An other daemon (pluto) must handle all traffic
- * seperatly, e.g. ignore IKEv2 traffic, since charon handles that.
- *
- * @b Constructors:
- * - socket_create()
- *
- * @ingroup network
+ * reads from them. There are actually two implementations:
+ * The first uses raw sockets to allow binding of other daemons (pluto) to
+ * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2
+ * traffic and handles just IKEv2 messages. An other daemon (pluto) must
+ * handle all traffic seperatly, e.g. ignore IKEv2 traffic, since charon
+ * handles that.
+ * The other implementation uses normal sockets and is built if
+ * --disable-pluto is given to the configure script.
*/
struct socket_t {
/**
- * @brief Receive a packet.
+ * Receive a packet.
*
* Reads a packet from the socket and sets source/dest
* appropriately.
*
- * @param this socket_t object to work on
* @param packet pinter gets address from allocated packet_t
* @return
* - SUCCESS when packet successfully received
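Review bot: The new MAX_PACKET comment justifies 5000 bytes by one multi-CA test rather than by a protocol bound, and says nothing about what happens to a received IKE message larger than that; since MAX_PACKET presumably sizes the receive buffer in socket.c, a sentence stating whether oversized packets are truncated or dropped would make the limit reviewable. Two typos survive into the rewritten text: `seperatly` should be `separately` and `An other daemon` should be `Another daemon`; the last hunk's `Create a socket_t, wich binds multiple sockets.` should read `which`.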
@@ -73,14 +71,13 @@ struct socket_t {
status_t (*receive) (socket_t *this, packet_t **packet);
/**
- * @brief Send a packet.
+ * Send a packet.
*
* Sends a packet to the net using destination from the packet.
* Packet is sent using default routing mechanisms, thus the
* source address in packet is ignored.
*
- * @param this socket_t object to work on
- * @param packet[out] packet_t to send
+ * @param packet packet_t to send
* @return
* - SUCCESS when packet successfully sent
* - FAILED when unable to send
@@ -88,23 +85,16 @@ struct socket_t {
status_t (*send) (socket_t *this, packet_t *packet);
/**
- * @brief Destroy sockets.
- *
- * close sockets and destroy socket_t object
- *
- * @param this socket_t to destroy
+ * Destroy socket.
*/
void (*destroy) (socket_t *this);
};
/**
- * @brief Create a socket_t, wich binds multiple sockets.
+ * Create a socket_t, wich binds multiple sockets.
*
* @return socket_t object
- *
- * @ingroup network
*/
socket_t *socket_create();
-
-#endif /*SOCKET_H_*/
+#endif /*SOCKET_H_ @} */