diff options
Diffstat (limited to 'src/libcharon/network')
| -rw-r--r-- | src/libcharon/network/packet.c | 138 | ||||
| -rw-r--r-- | src/libcharon/network/packet.h | 115 | ||||
| -rw-r--r-- | src/libcharon/network/receiver.c | 297 | ||||
| -rw-r--r-- | src/libcharon/network/receiver.h | 42 | ||||
| -rw-r--r-- | src/libcharon/network/sender.c | 60 | ||||
| -rw-r--r-- | src/libcharon/network/sender.h | 19 | ||||
| -rw-r--r-- | src/libcharon/network/socket.h | 12 | ||||
| -rw-r--r-- | src/libcharon/network/socket_manager.c | 16 | ||||
| -rw-r--r-- | src/libcharon/network/socket_manager.h | 10 |
9 files changed, 354 insertions, 355 deletions
diff --git a/src/libcharon/network/packet.c b/src/libcharon/network/packet.c deleted file mode 100644 index 19db362f7..000000000 --- a/src/libcharon/network/packet.c +++ /dev/null @@ -1,138 +0,0 @@ -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "packet.h" - -typedef struct private_packet_t private_packet_t; - -/** - * Private data of an packet_t object. - */ -struct private_packet_t { - - /** - * Public part of a packet_t object. - */ - packet_t public; - - /** - * source address - */ - host_t *source; - - /** - * destination address - */ - host_t *destination; - - /** - * message data - */ - chunk_t data; -}; - -METHOD(packet_t, set_source, void, - private_packet_t *this, host_t *source) -{ - DESTROY_IF(this->source); - this->source = source; -} - -METHOD(packet_t, set_destination, void, - private_packet_t *this, host_t *destination) -{ - DESTROY_IF(this->destination); - this->destination = destination; -} - -METHOD(packet_t, get_source, host_t*, - private_packet_t *this) -{ - return this->source; -} - -METHOD(packet_t, get_destination, host_t*, - private_packet_t *this) -{ - return this->destination; -} - -METHOD(packet_t, get_data, chunk_t, - private_packet_t *this) -{ - return this->data; -} - -METHOD(packet_t, set_data, void, - private_packet_t *this, chunk_t data) -{ - free(this->data.ptr); - this->data = data; -} - -METHOD(packet_t, destroy, void, - private_packet_t *this) -{ - DESTROY_IF(this->source); - DESTROY_IF(this->destination); - free(this->data.ptr); - free(this); -} - -METHOD(packet_t, clone_, packet_t*, - private_packet_t *this) -{ - packet_t *other; - - other = packet_create(); - if (this->destination != NULL) - { - other->set_destination(other, this->destination->clone(this->destination)); - } - if (this->source != NULL) - { - other->set_source(other, this->source->clone(this->source)); - } - if (this->data.ptr != NULL) - { - other->set_data(other, chunk_clone(this->data)); - } - return other; -} - -/* - * Documented in header - */ -packet_t *packet_create(void) -{ - private_packet_t *this; - - INIT(this, - .public = { - .set_data = _set_data, - .get_data = _get_data, - .set_source = _set_source, - .get_source = _get_source, - .set_destination = _set_destination, - .get_destination = _get_destination, - .clone = _clone_, - .destroy = _destroy, - }, - ); - - return &this->public; -} - diff --git a/src/libcharon/network/packet.h b/src/libcharon/network/packet.h deleted file mode 100644 index 18d82c6fc..000000000 --- a/src/libcharon/network/packet.h +++ /dev/null @@ -1,115 +0,0 @@ -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup packet packet - * @{ @ingroup network - */ - -#ifndef PACKET_H_ -#define PACKET_H_ - -typedef struct packet_t packet_t; - -#include <library.h> -#include <utils/host.h> - -/** - * Abstraction of an UDP-Packet, contains data, sender and receiver. - */ -struct packet_t { - - /** - * Set the source address. - * - * Set host_t is now owned by packet_t, it will destroy - * it if necessary. - * - * @param source address to set as source - */ - void (*set_source) (packet_t *packet, host_t *source); - - /** - * Set the destination address. - * - * Set host_t is now owned by packet_t, it will destroy - * it if necessary. - * - * @param source address to set as destination - */ - void (*set_destination) (packet_t *packet, host_t *destination); - - /** - * Get the source address. - * - * Set host_t is still owned by packet_t, clone it - * if needed. - * - * @return source address - */ - host_t *(*get_source) (packet_t *packet); - - /** - * Get the destination address. - * - * Set host_t is still owned by packet_t, clone it - * if needed. - * - * @return destination address - */ - host_t *(*get_destination) (packet_t *packet); - - /** - * Get the data from the packet. - * - * The data pointed by the chunk is still owned - * by the packet. Clone it if needed. - * - * @return chunk containing the data - */ - chunk_t (*get_data) (packet_t *packet); - - /** - * Set the data in the packet. - * - * Supplied chunk data is now owned by the - * packet. It will free it. - * - * @param data chunk with data to set - */ - void (*set_data) (packet_t *packet, chunk_t data); - - /** - * Clones a packet_t object. - * - * @param clone clone of the packet - */ - packet_t* (*clone) (packet_t *packet); - - /** - * Destroy the packet, freeing contained data. - */ - void (*destroy) (packet_t *packet); -}; - -/** - * create an empty packet - * - * @return packet_t object - */ -packet_t *packet_create(void); - -#endif /** PACKET_H_ @}*/ diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c index cfb1408ef..2f87a5ecb 100644 --- a/src/libcharon/network/receiver.c +++ b/src/libcharon/network/receiver.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2012 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -20,13 +20,15 @@ #include "receiver.h" +#include <hydra.h> #include <daemon.h> #include <network/socket.h> -#include <network/packet.h> #include <processing/jobs/job.h> #include <processing/jobs/process_message_job.h> #include <processing/jobs/callback_job.h> #include <crypto/hashers/hasher.h> +#include <threading/mutex.h> +#include <utils/packet.h> /** lifetime of a cookie, in seconds */ #define COOKIE_LIFETIME 10 @@ -40,6 +42,8 @@ #define BLOCK_THRESHOLD_DEFAULT 5 /** length of the secret to use for cookie calculation */ #define SECRET_LENGTH 16 +/** Length of a notify payload header */ +#define NOTIFY_PAYLOAD_HEADER_LENGTH 8 typedef struct private_receiver_t private_receiver_t; @@ -53,9 +57,17 @@ struct private_receiver_t { receiver_t public; /** - * Threads job receiving packets + * Registered callback for ESP packets */ - callback_job_t *job; + struct { + receiver_esp_cb_t cb; + void *data; + } esp_cb; + + /** + * Mutex for ESP callback + */ + mutex_t *esp_cb_mutex; /** * current secret to use for cookie calculation @@ -141,41 +153,41 @@ struct private_receiver_t { /** * send a notify back to the sender */ -static void send_notify(message_t *request, notify_type_t type, chunk_t data) +static void send_notify(message_t *request, int major, exchange_type_t exchange, + notify_type_t type, chunk_t data) { - if (request->get_request(request) && - request->get_exchange_type(request) == IKE_SA_INIT) + ike_sa_id_t *ike_sa_id; + message_t *response; + host_t *src, *dst; + packet_t *packet; + + response = message_create(major, 0); + response->set_exchange_type(response, exchange); + response->add_notify(response, FALSE, type, data); + dst = request->get_source(request); + src = request->get_destination(request); + response->set_source(response, src->clone(src)); + response->set_destination(response, dst->clone(dst)); + if (major == IKEV2_MAJOR_VERSION) { - message_t *response; - host_t *src, *dst; - packet_t *packet; - ike_sa_id_t *ike_sa_id; - - response = message_create(); - dst = request->get_source(request); - src = request->get_destination(request); - response->set_source(response, src->clone(src)); - response->set_destination(response, dst->clone(dst)); - response->set_exchange_type(response, request->get_exchange_type(request)); response->set_request(response, FALSE); - response->set_message_id(response, 0); - ike_sa_id = request->get_ike_sa_id(request); - ike_sa_id->switch_initiator(ike_sa_id); - response->set_ike_sa_id(response, ike_sa_id); - response->add_notify(response, FALSE, type, data); - if (response->generate(response, NULL, &packet) == SUCCESS) - { - charon->sender->send(charon->sender, packet); - response->destroy(response); - } } + response->set_message_id(response, 0); + ike_sa_id = request->get_ike_sa_id(request); + ike_sa_id->switch_initiator(ike_sa_id); + response->set_ike_sa_id(response, ike_sa_id); + if (response->generate(response, NULL, &packet) == SUCCESS) + { + charon->sender->send(charon->sender, packet); + } + response->destroy(response); } /** * build a cookie */ -static chunk_t cookie_build(private_receiver_t *this, message_t *message, - u_int32_t t, chunk_t secret) +static bool cookie_build(private_receiver_t *this, message_t *message, + u_int32_t t, chunk_t secret, chunk_t *cookie) { u_int64_t spi = message->get_initiator_spi(message); host_t *ip = message->get_source(message); @@ -185,8 +197,12 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message, input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi), chunk_from_thing(t), secret); hash = chunk_alloca(this->hasher->get_hash_size(this->hasher)); - this->hasher->get_hash(this->hasher, input, hash.ptr); - return chunk_cat("cc", chunk_from_thing(t), hash); + if (!this->hasher->get_hash(this->hasher, input, hash.ptr)) + { + return FALSE; + } + *cookie = chunk_cat("cc", chunk_from_thing(t), hash); + return TRUE; } /** @@ -221,7 +237,10 @@ static bool cookie_verify(private_receiver_t *this, message_t *message, } /* compare own calculation against received */ - reference = cookie_build(this, message, t, secret); + if (!cookie_build(this, message, t, secret, &reference)) + { + return FALSE; + } if (chunk_equals(reference, cookie)) { chunk_free(&reference); @@ -308,29 +327,42 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message) half_open = charon->ike_sa_manager->get_half_open_count( charon->ike_sa_manager, NULL); - /* check for cookies */ - if (cookie_required(this, half_open, now) && !check_cookie(this, message)) + /* check for cookies in IKEv2 */ + if (message->get_major_version(message) == IKEV2_MAJOR_VERSION && + cookie_required(this, half_open, now) && !check_cookie(this, message)) { chunk_t cookie; - cookie = cookie_build(this, message, now - this->secret_offset, - chunk_from_thing(this->secret)); DBG2(DBG_NET, "received packet from: %#H to %#H", message->get_source(message), message->get_destination(message)); + if (!cookie_build(this, message, now - this->secret_offset, + chunk_from_thing(this->secret), &cookie)) + { + return TRUE; + } DBG2(DBG_NET, "sending COOKIE notify to %H", message->get_source(message)); - send_notify(message, COOKIE, cookie); + send_notify(message, IKEV2_MAJOR_VERSION, IKE_SA_INIT, COOKIE, cookie); chunk_free(&cookie); if (++this->secret_used > COOKIE_REUSE) { - /* create new cookie */ + char secret[SECRET_LENGTH]; + DBG1(DBG_NET, "generating new cookie secret after %d uses", this->secret_used); - memcpy(this->secret_old, this->secret, SECRET_LENGTH); - this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret); - this->secret_switch = now; - this->secret_used = 0; + if (this->rng->get_bytes(this->rng, SECRET_LENGTH, secret)) + { + memcpy(this->secret_old, this->secret, SECRET_LENGTH); + memcpy(this->secret, secret, SECRET_LENGTH); + memwipe(secret, SECRET_LENGTH); + this->secret_switch = now; + this->secret_used = 0; + } + else + { + DBG1(DBG_NET, "failed to allocated cookie secret, keeping old"); + } } return TRUE; } @@ -380,16 +412,18 @@ static bool drop_ike_sa_init(private_receiver_t *this, message_t *message) */ static job_requeue_t receive_packets(private_receiver_t *this) { + ike_sa_id_t *id; packet_t *packet; message_t *message; + host_t *src, *dst; status_t status; + bool supported = TRUE; + chunk_t data, marker = chunk_from_chars(0x00, 0x00, 0x00, 0x00); /* read in a packet */ status = charon->socket->receive(charon->socket, &packet); if (status == NOT_SUPPORTED) { - /* the processor destroys this job */ - this->job = NULL; return JOB_REQUEUE_NONE; } else if (status != SUCCESS) @@ -398,6 +432,56 @@ static job_requeue_t receive_packets(private_receiver_t *this) return JOB_REQUEUE_FAIR; } + data = packet->get_data(packet); + if (data.len == 1 && data.ptr[0] == 0xFF) + { /* silently drop NAT-T keepalives */ + packet->destroy(packet); + return JOB_REQUEUE_DIRECT; + } + else if (data.len < marker.len) + { /* drop packets that are too small */ + DBG3(DBG_NET, "received packet is too short (%d bytes)", data.len); + packet->destroy(packet); + return JOB_REQUEUE_DIRECT; + } + + dst = packet->get_destination(packet); + src = packet->get_source(packet); + if (!hydra->kernel_interface->all_interfaces_usable(hydra->kernel_interface) + && !hydra->kernel_interface->get_interface(hydra->kernel_interface, + dst, NULL)) + { + DBG3(DBG_NET, "received packet from %#H to %#H on ignored interface", + src, dst); + packet->destroy(packet); + return JOB_REQUEUE_DIRECT; + } + + /* if neither source nor destination port is 500 we assume an IKE packet + * with Non-ESP marker or an ESP packet */ + if (dst->get_port(dst) != IKEV2_UDP_PORT && + src->get_port(src) != IKEV2_UDP_PORT) + { + if (memeq(data.ptr, marker.ptr, marker.len)) + { /* remove Non-ESP marker */ + packet->skip_bytes(packet, marker.len); + } + else + { /* this seems to be an ESP packet */ + this->esp_cb_mutex->lock(this->esp_cb_mutex); + if (this->esp_cb.cb) + { + this->esp_cb.cb(this->esp_cb.data, packet); + } + else + { + packet->destroy(packet); + } + this->esp_cb_mutex->unlock(this->esp_cb_mutex); + return JOB_REQUEUE_DIRECT; + } + } + /* parse message header */ message = message_create_from_packet(packet); if (message->parse_header(message) != SUCCESS) @@ -409,16 +493,50 @@ static job_requeue_t receive_packets(private_receiver_t *this) } /* check IKE major version */ - if (message->get_major_version(message) != IKE_MAJOR_VERSION) + switch (message->get_major_version(message)) { - DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, " - "sending INVALID_MAJOR_VERSION", message->get_major_version(message), + case IKEV2_MAJOR_VERSION: +#ifndef USE_IKEV2 + if (message->get_exchange_type(message) == IKE_SA_INIT && + message->get_request(message)) + { + send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1, + INVALID_MAJOR_VERSION, chunk_empty); + supported = FALSE; + } +#endif /* USE_IKEV2 */ + break; + case IKEV1_MAJOR_VERSION: +#ifndef USE_IKEV1 + if (message->get_exchange_type(message) == ID_PROT || + message->get_exchange_type(message) == AGGRESSIVE) + { + send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL, + INVALID_MAJOR_VERSION, chunk_empty); + supported = FALSE; + } +#endif /* USE_IKEV1 */ + break; + default: +#ifdef USE_IKEV2 + send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL, + INVALID_MAJOR_VERSION, chunk_empty); +#endif /* USE_IKEV2 */ +#ifdef USE_IKEV1 + send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1, + INVALID_MAJOR_VERSION, chunk_empty); +#endif /* USE_IKEV1 */ + supported = FALSE; + break; + } + if (!supported) + { + DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, sending " + "INVALID_MAJOR_VERSION", message->get_major_version(message), message->get_minor_version(message), packet->get_source(packet)); - send_notify(message, INVALID_MAJOR_VERSION, chunk_empty); message->destroy(message); return JOB_REQUEUE_DIRECT; } - if (message->get_request(message) && message->get_exchange_type(message) == IKE_SA_INIT) { @@ -428,6 +546,18 @@ static job_requeue_t receive_packets(private_receiver_t *this) return JOB_REQUEUE_DIRECT; } } + if (message->get_exchange_type(message) == ID_PROT || + message->get_exchange_type(message) == AGGRESSIVE) + { + id = message->get_ike_sa_id(message); + if (id->get_responder_spi(id) == 0 && + drop_ike_sa_init(this, message)) + { + message->destroy(message); + return JOB_REQUEUE_DIRECT; + } + } + if (this->receive_delay) { if (this->receive_delay_type == 0 || @@ -450,15 +580,33 @@ static job_requeue_t receive_packets(private_receiver_t *this) return JOB_REQUEUE_DIRECT; } -METHOD(receiver_t, destroy, void, - private_receiver_t *this) +METHOD(receiver_t, add_esp_cb, void, + private_receiver_t *this, receiver_esp_cb_t callback, void *data) +{ + this->esp_cb_mutex->lock(this->esp_cb_mutex); + this->esp_cb.cb = callback; + this->esp_cb.data = data; + this->esp_cb_mutex->unlock(this->esp_cb_mutex); +} + +METHOD(receiver_t, del_esp_cb, void, + private_receiver_t *this, receiver_esp_cb_t callback) { - if (this->job) + this->esp_cb_mutex->lock(this->esp_cb_mutex); + if (this->esp_cb.cb == callback) { - this->job->cancel(this->job); + this->esp_cb.cb = NULL; + this->esp_cb.data = NULL; } + this->esp_cb_mutex->unlock(this->esp_cb_mutex); +} + +METHOD(receiver_t, destroy, void, + private_receiver_t *this) +{ this->rng->destroy(this->rng); this->hasher->destroy(this->hasher); + this->esp_cb_mutex->destroy(this->esp_cb_mutex); free(this); } @@ -472,53 +620,62 @@ receiver_t *receiver_create() INIT(this, .public = { + .add_esp_cb = _add_esp_cb, + .del_esp_cb = _del_esp_cb, .destroy = _destroy, }, + .esp_cb_mutex = mutex_create(MUTEX_TYPE_DEFAULT), .secret_switch = now, .secret_offset = random() % now, ); - if (lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE)) + if (lib->settings->get_bool(lib->settings, + "%s.dos_protection", TRUE, charon->name)) { this->cookie_threshold = lib->settings->get_int(lib->settings, - "charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT); + "%s.cookie_threshold", COOKIE_THRESHOLD_DEFAULT, charon->name); this->block_threshold = lib->settings->get_int(lib->settings, - "charon.block_threshold", BLOCK_THRESHOLD_DEFAULT); + "%s.block_threshold", BLOCK_THRESHOLD_DEFAULT, charon->name); } this->init_limit_job_load = lib->settings->get_int(lib->settings, - "charon.init_limit_job_load", 0); + "%s.init_limit_job_load", 0, charon->name); this->init_limit_half_open = lib->settings->get_int(lib->settings, - "charon.init_limit_half_open", 0); + "%s.init_limit_half_open", 0, charon->name); this->receive_delay = lib->settings->get_int(lib->settings, - "charon.receive_delay", 0); + "%s.receive_delay", 0, charon->name); this->receive_delay_type = lib->settings->get_int(lib->settings, - "charon.receive_delay_type", 0), + "%s.receive_delay_type", 0, charon->name), this->receive_delay_request = lib->settings->get_bool(lib->settings, - "charon.receive_delay_request", TRUE), - this->receive_delay_response = lib->settings->get_int(lib->settings, - "charon.receive_delay_response", TRUE), + "%s.receive_delay_request", TRUE, charon->name), + this->receive_delay_response = lib->settings->get_bool(lib->settings, + "%s.receive_delay_response", TRUE, charon->name), this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); - if (this->hasher == NULL) + if (!this->hasher) { DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported"); free(this); return NULL; } this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); - if (this->rng == NULL) + if (!this->rng) { DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported"); this->hasher->destroy(this->hasher); free(this); return NULL; } - this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret); + if (!this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret)) + { + DBG1(DBG_NET, "creating cookie secret failed"); + destroy(this); + return NULL; + } memcpy(this->secret_old, this->secret, SECRET_LENGTH); - this->job = callback_job_create_with_prio((callback_job_cb_t)receive_packets, - this, NULL, NULL, JOB_PRIO_CRITICAL); - lib->processor->queue_job(lib->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets, + this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); return &this->public; } diff --git a/src/libcharon/network/receiver.h b/src/libcharon/network/receiver.h index 1d9d4871e..9e8edee45 100644 --- a/src/libcharon/network/receiver.h +++ b/src/libcharon/network/receiver.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -26,14 +27,27 @@ typedef struct receiver_t receiver_t; #include <library.h> #include <utils/host.h> +#include <utils/packet.h> + +/** + * Callback called for any received UDP encapsulated ESP packet. + * + * Implementation should be quick as the receiver doesn't receive any packets + * while calling this function. + * + * @param data data supplied during registration of the callback + * @param packet decapsulated ESP packet + */ +typedef void (*receiver_esp_cb_t)(void *data, packet_t *packet); /** * Receives packets from the socket and adds them to the job queue. * - * The receiver starts a thread, which reads on the blocking socket. A received - * packet is preparsed and a process_message_job is queued in the job queue. + * The receiver uses a callback job, which reads on the blocking socket. + * A received packet is preparsed and a process_message_job is queued in the + * job queue. * - * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half + * To endure DoS attacks, cookies are enabled when too many IKE_SAs are half * open. The calculation of cookies is slightly different from the proposed * method in RFC4306. We do not include a nonce, because we think the advantage * we gain does not justify the overhead to parse the whole message. @@ -47,14 +61,32 @@ typedef struct receiver_t receiver_t; * secret is stored to allow a clean migration between secret changes. * * Further, the number of half-initiated IKE_SAs is limited per peer. This - * mades it impossible for a peer to flood the server with its real IP address. + * makes it impossible for a peer to flood the server with its real IP address. */ struct receiver_t { /** + * Register a callback which is called for any incoming ESP packets. + * + * @note Only the last callback registered will receive any packets. + * + * @param callback callback to register + * @param data data provided to callback + */ + void (*add_esp_cb)(receiver_t *this, receiver_esp_cb_t callback, + void *data); + + /** + * Unregister a previously registered callback for ESP packets. + * + * @param callback previously registered callback + */ + void (*del_esp_cb)(receiver_t *this, receiver_esp_cb_t callback); + + /** * Destroys a receiver_t object. */ - void (*destroy) (receiver_t *receiver); + void (*destroy)(receiver_t *this); }; /** diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c index 4df930b15..059f24b39 100644 --- a/src/libcharon/network/sender.c +++ b/src/libcharon/network/sender.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -39,11 +40,6 @@ struct private_sender_t { sender_t public; /** - * Sender threads job. - */ - callback_job_t *job; - - /** * The packets are stored in a linked list */ linked_list_t *list; @@ -84,11 +80,21 @@ struct private_sender_t { bool send_delay_response; }; +METHOD(sender_t, send_no_marker, void, + private_sender_t *this, packet_t *packet) +{ + this->mutex->lock(this->mutex); + this->list->insert_last(this->list, packet); + this->got->signal(this->got); + this->mutex->unlock(this->mutex); +} + METHOD(sender_t, send_, void, private_sender_t *this, packet_t *packet) { host_t *src, *dst; + /* if neither source nor destination port is 500 we add a Non-ESP marker */ src = packet->get_source(packet); dst = packet->get_destination(packet); DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst); @@ -114,16 +120,22 @@ METHOD(sender_t, send_, void, message->destroy(message); } - this->mutex->lock(this->mutex); - this->list->insert_last(this->list, packet); - this->got->signal(this->got); - this->mutex->unlock(this->mutex); + if (dst->get_port(dst) != IKEV2_UDP_PORT && + src->get_port(src) != IKEV2_UDP_PORT) + { + chunk_t data, marker = chunk_from_chars(0x00, 0x00, 0x00, 0x00); + + data = chunk_cat("cc", marker, packet->get_data(packet)); + packet->set_data(packet, data); + } + + send_no_marker(this, packet); } /** * Job callback function to send packets */ -static job_requeue_t send_packets(private_sender_t * this) +static job_requeue_t send_packets(private_sender_t *this) { packet_t *packet; bool oldstate; @@ -149,7 +161,7 @@ static job_requeue_t send_packets(private_sender_t * this) return JOB_REQUEUE_DIRECT; } -METHOD(sender_t, destroy, void, +METHOD(sender_t, flush, void, private_sender_t *this) { /* send all packets in the queue */ @@ -159,8 +171,12 @@ METHOD(sender_t, destroy, void, this->sent->wait(this->sent, this->mutex); } this->mutex->unlock(this->mutex); - this->job->cancel(this->job); - this->list->destroy(this->list); +} + +METHOD(sender_t, destroy, void, + private_sender_t *this) +{ + this->list->destroy_offset(this->list, offsetof(packet_t, destroy)); this->got->destroy(this->got); this->sent->destroy(this->sent); this->mutex->destroy(this->mutex); @@ -177,25 +193,27 @@ sender_t * sender_create() INIT(this, .public = { .send = _send_, + .send_no_marker = _send_no_marker, + .flush = _flush, .destroy = _destroy, }, .list = linked_list_create(), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .got = condvar_create(CONDVAR_TYPE_DEFAULT), .sent = condvar_create(CONDVAR_TYPE_DEFAULT), - .job = callback_job_create_with_prio((callback_job_cb_t)send_packets, - this, NULL, NULL, JOB_PRIO_CRITICAL), .send_delay = lib->settings->get_int(lib->settings, - "charon.send_delay", 0), + "%s.send_delay", 0, charon->name), .send_delay_type = lib->settings->get_int(lib->settings, - "charon.send_delay_type", 0), + "%s.send_delay_type", 0, charon->name), .send_delay_request = lib->settings->get_bool(lib->settings, - "charon.send_delay_request", TRUE), - .send_delay_response = lib->settings->get_int(lib->settings, - "charon.send_delay_response", TRUE), + "%s.send_delay_request", TRUE, charon->name), + .send_delay_response = lib->settings->get_bool(lib->settings, + "%s.send_delay_response", TRUE, charon->name), ); - lib->processor->queue_job(lib->processor, (job_t*)this->job); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets, + this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); return &this->public; } diff --git a/src/libcharon/network/sender.h b/src/libcharon/network/sender.h index f77fadab2..9b5c325cc 100644 --- a/src/libcharon/network/sender.h +++ b/src/libcharon/network/sender.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -25,10 +26,10 @@ typedef struct sender_t sender_t; #include <library.h> -#include <network/packet.h> +#include <utils/packet.h> /** - * Thread responsible for sending packets over the socket. + * Callback job responsible for sending IKE packets over the socket. */ struct sender_t { @@ -44,6 +45,20 @@ struct sender_t { void (*send) (sender_t *this, packet_t *packet); /** + * The same as send() but does not add Non-ESP markers automatically. + * + * @param packet packet to send + */ + void (*send_no_marker) (sender_t *this, packet_t *packet); + + /** + * Enforce a flush of the send queue. + * + * This function blocks until all queued packets have been sent. + */ + void (*flush)(sender_t *this); + + /** * Destroys a sender object. */ void (*destroy) (sender_t *this); diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h index be875035b..b8850c6ed 100644 --- a/src/libcharon/network/socket.h +++ b/src/libcharon/network/socket.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2010 Tobias Brunner + * Copyright (C) 2006-2012 Tobias Brunner * Copyright (C) 2005-2010 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger * Copyright (C) 2005 Jan Hutter @@ -27,7 +27,7 @@ typedef struct socket_t socket_t; #include <library.h> -#include <network/packet.h> +#include <utils/packet.h> #include <utils/enumerator.h> #include <plugins/plugin.h> @@ -68,6 +68,14 @@ struct socket_t { status_t (*send) (socket_t *this, packet_t *packet); /** + * Get the port this socket is listening on. + * + * @param nat_t TRUE to get the port used to float in case of NAT-T + * @return the port + */ + u_int16_t (*get_port) (socket_t *this, bool nat_t); + + /** * Destroy a socket implementation. */ void (*destroy) (socket_t *this); diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c index 72a454301..d2736de8e 100644 --- a/src/libcharon/network/socket_manager.c +++ b/src/libcharon/network/socket_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2010-2012 Tobias Brunner * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG @@ -89,6 +89,19 @@ METHOD(socket_manager_t, sender, status_t, return status; } +METHOD(socket_manager_t, get_port, u_int16_t, + private_socket_manager_t *this, bool nat_t) +{ + u_int16_t port = 0; + this->lock->read_lock(this->lock); + if (this->socket) + { + port = this->socket->get_port(this->socket, nat_t); + } + this->lock->unlock(this->lock); + return port; +} + static void create_socket(private_socket_manager_t *this) { socket_constructor_t create; @@ -153,6 +166,7 @@ socket_manager_t *socket_manager_create() .public = { .send = _sender, .receive = _receiver, + .get_port = _get_port, .add_socket = _add_socket, .remove_socket = _remove_socket, .destroy = _destroy, diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h index 94185d21c..1909d1f25 100644 --- a/src/libcharon/network/socket_manager.h +++ b/src/libcharon/network/socket_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Tobias Brunner + * Copyright (C) 2010-2012 Tobias Brunner * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG @@ -53,6 +53,14 @@ struct socket_manager_t { status_t (*send) (socket_manager_t *this, packet_t *packet); /** + * Get the port the registered socket is listening on. + * + * @param nat_t TRUE to get the port used to float in case of NAT-T + * @return the port, or 0, if no socket is registered + */ + u_int16_t (*get_port) (socket_manager_t *this, bool nat_t); + + /** * Register a socket constructor. * * @param create constructor for the socket |