diff options
| author | Jan Hutter <jhutter@hsr.ch> | 2005-12-01 17:16:10 +0000 |
|---|---|---|
| committer | Jan Hutter <jhutter@hsr.ch> | 2005-12-01 17:16:10 +0000 |
| commit | a9428251cd1e6fc579204199ca09cbe55a8f2865 (patch) | |
| tree | ea8ad014e885a4ae26a852a8c9f1100a82e58413 /Source/charon | |
| parent | bae00c63f719c06c74d393c65bef0e5ebe25b24c (diff) | |
| download | strongswan-a9428251cd1e6fc579204199ca09cbe55a8f2865.tar.bz2 strongswan-a9428251cd1e6fc579204199ca09cbe55a8f2865.tar.xz | |
- new configuration support added to ike_sa and states
Diffstat (limited to 'Source/charon')
| -rw-r--r-- | Source/charon/config/configuration_manager.c | 542 | ||||
| -rw-r--r-- | Source/charon/config/configuration_manager.h | 143 | ||||
| -rw-r--r-- | Source/charon/config/init_config.c | 38 | ||||
| -rw-r--r-- | Source/charon/config/init_config.h | 24 | ||||
| -rw-r--r-- | Source/charon/daemon.h | 2 | ||||
| -rw-r--r-- | Source/charon/network/host.c | 74 | ||||
| -rw-r--r-- | Source/charon/network/host.h | 20 | ||||
| -rw-r--r-- | Source/charon/sa/ike_sa.c | 134 | ||||
| -rw-r--r-- | Source/charon/sa/ike_sa.h | 40 | ||||
| -rw-r--r-- | Source/charon/sa/states/ike_sa_init_requested.c | 51 | ||||
| -rw-r--r-- | Source/charon/sa/states/ike_sa_init_responded.c | 3 | ||||
| -rw-r--r-- | Source/charon/sa/states/initiator_init.c | 98 | ||||
| -rw-r--r-- | Source/charon/sa/states/responder_init.c | 101 | ||||
| -rw-r--r-- | Source/charon/utils/identification.c | 20 | ||||
| -rw-r--r-- | Source/charon/utils/identification.h | 10 | ||||
| -rw-r--r-- | Source/charon/utils/logger_manager.c | 1 |
16 files changed, 738 insertions, 563 deletions
diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/configuration_manager.c index 0ab8129b4..2d380059a 100644 --- a/Source/charon/config/configuration_manager.c +++ b/Source/charon/config/configuration_manager.c @@ -29,257 +29,423 @@ #include <types.h> #include <daemon.h> #include <utils/allocator.h> -#include <encoding/payloads/nonce_payload.h> -#include <encoding/payloads/proposal_substructure.h> -#include <encoding/payloads/ke_payload.h> -#include <encoding/payloads/transform_attribute.h> -typedef struct private_configuration_manager_t private_configuration_manager_t; +typedef struct configuration_entry_t configuration_entry_t; -/** - * Private data of an configuration_t object +/* A configuration entry combines a configuration name with a init and sa + * configuration represented as init_config_t and sa_config_t objects. */ -struct private_configuration_manager_t { - +struct configuration_entry_t { + /** - * Public part + * Configuration name. + * */ - configuration_manager_t public; + char *name; + + /** + * Configuration for IKE_SA_INIT exchange. + */ + init_config_t *init_config; /** - * Assigned logger object + * Configuration for all phases after IKE_SA_INIT exchange. */ - logger_t *logger; + sa_config_t *sa_config; + + /** + * Destroys a configuration_entry_t + * + * + * @param this calling object + */ + void (*destroy) (configuration_entry_t *this); }; +static void configuration_entry_destroy (configuration_entry_t *this) +{ + allocator_free(this->name); + allocator_free(this); +} + /** - * Implements function configuration_manager_t.get_remote_host. + * Creates a configuration_entry_t object + * + * @param name name of the configuration entry (gets copied) + * @param init_config object of type init_config_t + * @param sa_config object of type sa_config_t */ -static status_t get_remote_host(private_configuration_manager_t *this, char *name, host_t **host) +configuration_entry_t * configuration_entry_create(char * name, init_config_t * init_config, sa_config_t * sa_config) { - /* - * For testing purposes, hard coded host informations for two configurations are returned. - * - * Further improvements could store them in a linked list or hash table. - */ + configuration_entry_t *entry = allocator_alloc_thing(configuration_entry_t); - host_t *remote; - status_t status = SUCCESS; - - if (strcmp(name, "pinflb30") == 0) - { - remote = host_create(AF_INET, "152.96.193.130", 500); - } - else if (strcmp(name, "pinflb31") == 0) - { - remote = host_create(AF_INET, "152.96.193.131", 500); - } - else if (strcmp(name, "localhost") == 0) - { - remote = host_create(AF_INET, "127.0.0.1", 500); - } - else - { - status = NOT_FOUND; - } + /* functions */ + entry->destroy = configuration_entry_destroy; - *host = remote; - return status; + /* private data */ + entry->init_config = init_config; + entry->sa_config = sa_config; + entry->name = allocator_alloc(strlen(name) + 1); + strcpy(entry->name,name); + return entry; } + +typedef struct private_configuration_manager_t private_configuration_manager_t; + /** - * Implements function configuration_manager_t.get_local_host. + * Private data of an configuration_t object */ -static status_t get_local_host(private_configuration_manager_t *this, char *name, host_t **host) -{ - /* - * For testing purposes, only the default route is returned for each configuration. +struct private_configuration_manager_t { + + /** + * Public part of configuration manager. + */ + configuration_manager_t public; + + /** + * Holding all configurations. + */ + linked_list_t *configurations; + + /** + * Holding all init_configs. + */ + linked_list_t *init_configs; + + /** + * Holding all init_configs. + */ + linked_list_t *sa_configs; + + + /** + * Assigned logger object. + */ + logger_t *logger; + + /** + * Load default configuration * - * Further improvements could store different local host informations in a linked list or hash table. + * + * @param this calling object + * @param name name for the configuration + * @param init_config init_config_t object + * @param sa_config sa_config_t object */ - *host = host_create(AF_INET, "0.0.0.0", 0); - return SUCCESS; -} + void (*add_new_configuration) (private_configuration_manager_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config); + + /** + * Load default configuration + * + * + * @param this calling object + */ + void (*load_default_config) (private_configuration_manager_t *this); +}; /** - * Implements function configuration_manager_t.get_dh_group_number. + * Implementation of private_configuration_manager_t.load_default_config. */ -static status_t get_dh_group_number(private_configuration_manager_t *this,char *name, u_int16_t *dh_group_number, u_int16_t priority) +static void load_default_config (private_configuration_manager_t *this) { - /* Currently only two dh_group_numbers are supported for each configuration*/ + init_config_t *init_config1, *init_config2, *init_config3; + ike_proposal_t proposals[2]; + sa_config_t *sa_config; - if (priority == 1) - { - *dh_group_number = MODP_1024_BIT; - } - else - { - *dh_group_number = MODP_768_BIT; - } - return SUCCESS; + init_config1 = init_config_create("152.96.193.130","152.96.193.131",IKEV2_UDP_PORT,IKEV2_UDP_PORT); + init_config2 = init_config_create("152.96.193.131","152.96.193.130",IKEV2_UDP_PORT,IKEV2_UDP_PORT); + init_config3 = init_config_create("0.0.0.0","127.0.0.1",IKEV2_UDP_PORT,IKEV2_UDP_PORT); + + + proposals[0].encryption_algorithm = ENCR_AES_CBC; + proposals[0].encryption_algorithm_key_length = 20; + proposals[0].integrity_algorithm = AUTH_HMAC_SHA1_96; + proposals[0].integrity_algorithm_key_length = 20; + proposals[0].pseudo_random_function = PRF_HMAC_SHA1; + proposals[0].pseudo_random_function_key_length = 20; + proposals[0].diffie_hellman_group = MODP_768_BIT; + + proposals[1] = proposals[0]; + proposals[1].integrity_algorithm = AUTH_HMAC_MD5_96; + proposals[1].integrity_algorithm_key_length = 16; + proposals[1].pseudo_random_function = PRF_HMAC_MD5; + proposals[1].pseudo_random_function_key_length = 16; + + init_config1->add_proposal(init_config1,1,proposals[0]); + init_config1->add_proposal(init_config1,1,proposals[1]); + init_config2->add_proposal(init_config2,1,proposals[0]); + init_config2->add_proposal(init_config2,1,proposals[1]); + init_config3->add_proposal(init_config3,1,proposals[0]); + init_config3->add_proposal(init_config3,1,proposals[1]); + + this->add_new_configuration(this,"pinflb31",init_config1,sa_config); + this->add_new_configuration(this,"pinflb30",init_config2,sa_config); + this->add_new_configuration(this,"localhost",init_config3,sa_config); + } /** - * Implements function configuration_manager_t.get_proposals_for_host. + * Implementation of configuration_manager_t.get_init_config_for_host. */ -static status_t get_proposals_for_host(private_configuration_manager_t *this, host_t *host, iterator_t *iterator) +static status_t get_init_config_for_host (private_configuration_manager_t *this, host_t *my_host, host_t *other_host,init_config_t **init_config) { - /* - * Currently the following hard coded proposal is created and returned for all hosts: - * - ENCR_AES_CBC 128Bit - * - PRF_HMAC_MD5 128Bit - * - AUTH_HMAC_MD5_96 128Bit - * - MODP_1024_BIT - */ - proposal_substructure_t *proposal; - transform_substructure_t *transform; - transform_attribute_t *attribute; - - proposal = proposal_substructure_create(); + iterator_t *iterator; + status_t status = NOT_FOUND; - proposal->set_proposal_number(proposal, 1); - proposal->set_protocol_id(proposal, 1); + iterator = this->configurations->create_iterator(this->configurations,TRUE); - /* - * Encryption Algorithm - */ - transform = transform_substructure_create(); - - proposal->add_transform_substructure(proposal, transform); - - transform->set_transform_type(transform, ENCRYPTION_ALGORITHM); - transform->set_transform_id(transform, ENCR_AES_CBC); + while (iterator->has_next(iterator)) + { + configuration_entry_t *entry; + host_t *config_my_host; + host_t *config_other_host; + + iterator->current(iterator,(void **) &entry); + + config_my_host = entry->init_config->get_my_host(entry->init_config); + config_other_host = entry->init_config->get_other_host(entry->init_config); + + /* first check if ip is equal */ + if(config_other_host->ip_is_equal(config_other_host,other_host)) + { + /* could be right one, check my_host for default route*/ + if (config_my_host->is_default_route(config_my_host)) + { + *init_config = entry->init_config; + status = SUCCESS; + break; + } + /* check now if host informations are the same */ + else if (config_my_host->ip_is_equal(config_my_host,my_host)) + { + *init_config = entry->init_config; + status = SUCCESS; + break; + } + + } + /* Then check for wildcard hosts! + * TODO + * actually its only checked if other host with default route can be found! */ + else if (config_other_host->is_default_route(config_other_host)) + { + /* could be right one, check my_host for default route*/ + if (config_my_host->is_default_route(config_my_host)) + { + *init_config = entry->init_config; + status = SUCCESS; + break; + } + /* check now if host informations are the same */ + else if (config_my_host->ip_is_equal(config_my_host,my_host)) + { + *init_config = entry->init_config; + status = SUCCESS; + break; + } + } + } - attribute = transform_attribute_create(); - - transform->add_transform_attribute(transform, attribute); - - attribute->set_attribute_type(attribute, KEY_LENGTH); - attribute->set_value(attribute, 16); + iterator->destroy(iterator); - /* - * Pseudo-random Function - */ - transform = transform_substructure_create(); - - proposal->add_transform_substructure(proposal, transform); + return status; +} - transform->set_transform_type(transform, PSEUDO_RANDOM_FUNCTION); - transform->set_transform_id(transform, PRF_HMAC_MD5); +/** + * Implementation of configuration_manager_t.get_init_config_for_name. + */ +static status_t get_init_config_for_name (private_configuration_manager_t *this, char *name, init_config_t **init_config) +{ + iterator_t *iterator; + status_t status = NOT_FOUND; - attribute = transform_attribute_create(); - - transform->add_transform_attribute(transform, attribute); - - attribute->set_attribute_type(attribute, KEY_LENGTH); - attribute->set_value(attribute, 16); - - - /* - * Integrity Algorithm - */ - transform = transform_substructure_create(); - - proposal->add_transform_substructure(proposal, transform); - - transform->set_transform_type(transform, INTEGRITY_ALGORITHM); - transform->set_transform_id(transform, AUTH_HMAC_MD5_96); + iterator = this->configurations->create_iterator(this->configurations,TRUE); - attribute = transform_attribute_create(); - - transform->add_transform_attribute(transform, attribute); - - attribute->set_attribute_type(attribute, KEY_LENGTH); - attribute->set_value(attribute, 16); - - - /* - * Diffie-Hellman Group - */ - transform = transform_substructure_create(); + while (iterator->has_next(iterator)) + { + configuration_entry_t *entry; + iterator->current(iterator,(void **) &entry); - proposal->add_transform_substructure(proposal, transform); + if (strcmp(entry->name,name) == 0) + { - transform->set_transform_type(transform, DIFFIE_HELLMAN_GROUP); - transform->set_transform_id(transform, MODP_1024_BIT); + /* found configuration */ + *init_config = entry->init_config; + status = SUCCESS; + break; + } + } - iterator->insert_after(iterator, (void*)proposal); + iterator->destroy(iterator); - return SUCCESS; + return status; } /** - * Implements function configuration_manager_t.select_proposals_for_host. + * Implementation of configuration_manager_t.get_sa_config_for_name. */ -static status_t select_proposals_for_host(private_configuration_manager_t *this, host_t *host, iterator_t *in, iterator_t *out) +static status_t get_sa_config_for_name (private_configuration_manager_t *this, char *name, sa_config_t **sa_config) { - /* Currently the first suggested proposal is selected, cloned and then returned*/ - proposal_substructure_t *first_suggested_proposal; - proposal_substructure_t *selected_proposal; + iterator_t *iterator; + status_t status = NOT_FOUND; + + iterator = this->configurations->create_iterator(this->configurations,TRUE); - this->logger->log(this->logger,CONTROL | MORE, "Going to select first suggested proposal"); - if (!in->has_next(in)) + while (iterator->has_next(iterator)) { - this->logger->log(this->logger,ERROR | MORE, "No proposal suggested"); - /* no suggested proposal! */ - return FAILED; + configuration_entry_t *entry; + iterator->current(iterator,(void **) &entry); + + if (strcmp(entry->name,name) == 0) + { + /* found configuration */ + *sa_config = entry->sa_config; + status = SUCCESS; + break; + } } - in->current(in,(void **) &first_suggested_proposal); - - selected_proposal = first_suggested_proposal->clone(first_suggested_proposal); + iterator->destroy(iterator); - out->insert_after(out,selected_proposal); - return SUCCESS; + return status; } /** - * Implements function configuration_manager_t.check_selected_proposals_for_host. + * Implementation of configuration_manager_t.get_sa_config_for_init_config_and_id. */ -static status_t check_selected_proposals_for_host (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,bool *valid) -{ - /* - * Currently the given proposals are not checked if they are valid for specific host! - * - * The first proposal is taken - */ - - this->logger->log(this->logger,CONTROL|MORE, "Going to check selected proposals"); - return SUCCESS; +static status_t get_sa_config_for_init_config_and_id (private_configuration_manager_t *this, init_config_t *init_config, identification_t *other_id, identification_t *my_id,sa_config_t **sa_config) +{ + iterator_t *iterator; + status_t status = NOT_FOUND; + + iterator = this->configurations->create_iterator(this->configurations,TRUE); + + while (iterator->has_next(iterator)) + { + configuration_entry_t *entry; + iterator->current(iterator,(void **) &entry); + + if (entry->init_config == init_config) + { + identification_t *config_my_id = entry->sa_config->get_my_id(entry->sa_config); + identification_t *config_other_id = entry->sa_config->get_other_id(entry->sa_config); + + /* host informations seem to be the same */ + if (config_other_id->equals(config_other_id,other_id)) + { + /* other ids seems to match */ + + if (my_id == NULL) + { + /* first matching one is selected */ + + /* TODO priorize found entries */ + *sa_config = entry->sa_config; + status = SUCCESS; + break; + } + + if (config_my_id->equals(config_my_id,my_id)) + { + *sa_config = entry->sa_config; + status = SUCCESS; + break; + } + + } + } + } + + iterator->destroy(iterator); + + return status; } /** - * Implements function configuration_manager_t.is_dh_group_allowed_for_host. + * Implementation of private_configuration_manager_t.add_new_configuration. */ -static status_t is_dh_group_allowed_for_host(private_configuration_manager_t *this, host_t *host, diffie_hellman_group_t group, bool *allowed) +static void add_new_configuration (private_configuration_manager_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config) { - /* - * Only the two DH groups 768 and 1024 are supported for each configuration - */ + iterator_t *iterator; + bool found; - if (group == MODP_768_BIT || group == MODP_1024_BIT) + iterator = this->init_configs->create_iterator(this->init_configs,TRUE); + found = FALSE; + while (iterator->has_next(iterator)) + { + init_config_t *found_init_config; + iterator->current(iterator,(void **) &found_init_config); + if (init_config == found_init_config) + { + found = TRUE; + break; + } + } + iterator->destroy(iterator); + if (!found) { - *allowed = TRUE; + this->init_configs->insert_first(this->init_configs,init_config); } - *allowed = FALSE; - this->logger->log(this->logger,CONTROL | MORE, "DH group %s is %s",mapping_find(diffie_hellman_group_m, group),(allowed)? "allowed" : "not allowed"); - return SUCCESS; -} + iterator = this->sa_configs->create_iterator(this->sa_configs,TRUE); + found = FALSE; + while (iterator->has_next(iterator)) + { + sa_config_t *found_sa_config; + iterator->current(iterator,(void **) &found_sa_config); + if (sa_config == found_sa_config) + { + found = TRUE; + break; + } + } + iterator->destroy(iterator); + if (!found) + { + this->sa_configs->insert_first(this->sa_configs,sa_config); + } + this->configurations->insert_first(this->configurations,configuration_entry_create(name,init_config,sa_config)); +} /** - * Implements function destroy of configuration_t. - * See #configuration_s.destroy for description. + * Implementation of configuration_manager_t.destroy. */ -static status_t destroy(private_configuration_manager_t *this) +static void destroy(private_configuration_manager_t *this) { this->logger->log(this->logger,CONTROL | MORE, "Going to destroy configuration manager "); + + while (this->configurations->get_count(this->configurations) > 0) + { + configuration_entry_t *entry; + this->configurations->remove_first(this->configurations,(void **) &entry); + entry->destroy(entry); + } + /* todo delete all config objects */ + + this->configurations->destroy(this->configurations); + + while (this->sa_configs->get_count(this->sa_configs) > 0) + { + sa_config_t *sa_config; + this->sa_configs->remove_first(this->sa_configs,(void **) &sa_config); +// sa_config->destroy(sa_config); + } + + this->sa_configs->destroy(this->sa_configs); + + while (this->init_configs->get_count(this->init_configs) > 0) + { + init_config_t *init_config; + this->init_configs->remove_first(this->init_configs,(void **) &init_config); + init_config->destroy(init_config); + } + this->init_configs->destroy(this->init_configs); this->logger->log(this->logger,CONTROL | MOST, "Destroy assigned logger"); charon->logger_manager->destroy_logger(charon->logger_manager,this->logger); allocator_free(this); - return SUCCESS; } /* @@ -290,17 +456,23 @@ configuration_manager_t *configuration_manager_create() private_configuration_manager_t *this = allocator_alloc_thing(private_configuration_manager_t); /* public functions */ - this->public.destroy = (status_t(*)(configuration_manager_t*))destroy; - this->public.get_remote_host = (status_t(*)(configuration_manager_t*,char*,host_t**))get_remote_host; - this->public.get_local_host = (status_t(*)(configuration_manager_t*,char*,host_t**))get_local_host; - this->public.get_dh_group_number = (status_t(*)(configuration_manager_t*,char*,u_int16_t *, u_int16_t))get_dh_group_number; - this->public.get_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*))get_proposals_for_host; - this->public.select_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*,iterator_t*))select_proposals_for_host; - this->public.check_selected_proposals_for_host = (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,bool *)) check_selected_proposals_for_host; - this->public.is_dh_group_allowed_for_host = (status_t(*)(configuration_manager_t*,host_t*,diffie_hellman_group_t,bool*)) is_dh_group_allowed_for_host; - + this->public.destroy = (void(*)(configuration_manager_t*))destroy; + this->public.get_init_config_for_name = (status_t (*) (configuration_manager_t *, char *, init_config_t **)) get_init_config_for_name; + this->public.get_init_config_for_host = (status_t (*) (configuration_manager_t *, host_t *, host_t *,init_config_t **)) get_init_config_for_host; + this->public.get_sa_config_for_name =(status_t (*) (configuration_manager_t *, char *, sa_config_t **)) get_sa_config_for_name; + this->public.get_sa_config_for_init_config_and_id =(status_t (*) (configuration_manager_t *, init_config_t *, identification_t *, identification_t *,sa_config_t **)) get_sa_config_for_init_config_and_id; + + /* private functions */ + this->load_default_config = load_default_config; + this->add_new_configuration = add_new_configuration; + /* private variables */ this->logger = charon->logger_manager->create_logger(charon->logger_manager,CONFIGURATION_MANAGER,NULL); + this->configurations = linked_list_create(); + this->sa_configs = linked_list_create(); + this->init_configs = linked_list_create(); + + this->load_default_config(this); return (&this->public); } diff --git a/Source/charon/config/configuration_manager.h b/Source/charon/config/configuration_manager.h index 787286a1d..9cc6a313b 100644 --- a/Source/charon/config/configuration_manager.h +++ b/Source/charon/config/configuration_manager.h @@ -24,12 +24,8 @@ #define CONFIGURATION_MANAGER_H_ #include <types.h> -#include <utils/linked_list.h> -#include <network/host.h> -#include <encoding/payloads/transform_substructure.h> -#include <transforms/prfs/prf.h> -#include <transforms/signers/signer.h> -#include <transforms/crypters/crypter.h> +#include <config/init_config.h> +#include <config/sa_config.h> typedef struct configuration_manager_t configuration_manager_t; @@ -37,138 +33,77 @@ typedef struct configuration_manager_t configuration_manager_t; /** * @brief Manages all configuration aspects of the daemon. * - * Currently the configuration manager class does not store specific configurations. - * It is expected, that in future different configurations are stored in a linked list - * or a hash map and are managed by this class. - * * @ingroup config * */ struct configuration_manager_t { - + /** - * Gets the remote host information for a specific configuration name. + * Gets the configuration information needed for IKE_SA_INIT exchange + * for a specific configuration name. * - * A host information consist of IP address and UDP port. + * The returned init_config_t object MUST NOT be destroyed cause it's the original one. * - * @param this calling object - * @param name name of the configuration - * @param host remote host information gets stored at this location + * @param this calling object + * @param name name of the configuration + * @param[out] init_config the configuration is stored at this place * * @return * - NOT_FOUND * - SUCCESS */ - status_t (*get_remote_host) (configuration_manager_t *this, char *name, host_t **host); + status_t (*get_init_config_for_name) (configuration_manager_t *this, char *name, init_config_t **init_config); /** - * Gets the local host information for a specific configuration name + * Gets the configuration information needed for IKE_SA_INIT exchange + * for specific host informations. * - * A host information consist of IP address and UDP port. + * The returned init_config_t object MUST NOT be destroyed cause it's the original one. * - * @param this calling object - * @param name name of the configuration - * @param host local host information gets stored at this location + * @param this calling object + * @param my_host my host informations + * @param other_host other host informations + * @param[out] init_config the configuration is stored at this place * * @return - * - NOT_FOUND (not yet implemented) + * - NOT_FOUND * - SUCCESS - */ - status_t (*get_local_host) (configuration_manager_t *this, char *name, host_t **host); + */ + status_t (*get_init_config_for_host) (configuration_manager_t *this, host_t *my_host, host_t *other_host,init_config_t **init_config); /** - * Returns the DH group number to use when initiating a connection. - * - * To make sure that different group numbers are supported in case - * a group number is not supported by other peer, a priority has to get defined. + * Gets the configuration information needed after IKE_SA_INIT exchange. * + * The returned sa_config_t object MUST not be destroyed cause it's the original one. * * @param this calling object * @param name name of the configuration - * @param dh_group_number the DH group number gets stored at this location - * @param priority priority to use for selection of DH group number. - * Highest priority is 1. All higher values have lower - * priority. + * @param[out] sa_config the configuration is stored at this place * * @return - * - FAILED (not yet implemented) - * - NOT_FOUND (not yet implemented) - * - SUCCESS - */ - status_t (*get_dh_group_number) (configuration_manager_t *this, char *name, u_int16_t *dh_group_number, u_int16_t priority); - - /** - * Returns the proposals which should be used to initiate a connection with a specific - * host. - * - * The proposals of type proposal_substructure_t * are returned over the given iterator - * and have to be destroyed by the caller. - * - * - * @param this calling object - * @param host host information used to find the correct proposals - * @param list iterator where the proposals are written to - * - * @return - * - NOT_FOUND (not yet implemented) - * - SUCCESS - */ - status_t (*get_proposals_for_host) (configuration_manager_t *this, host_t *host, iterator_t *list); - - /** - * Checks the suggested proposals passed as iterator in and selects one proposal to be sent as selection - * of this proposals. - * - * Currently there is no check implemented. The first suggested proposal is cloned and then as selected returned. - * - * - * @param this calling object - * @param host host information used to find the correct proposals - * @param in iterator with suggested proposals of type proposal_substructure_t * - * @param out The selected proposals of type proposal_substructure_t * are written to this iterator - * - * @return - * - FAILED - * - NOT_FOUND (not yet implemented) - * - SUCCESS - */ - status_t (*select_proposals_for_host) (configuration_manager_t *this, host_t *host, iterator_t *in, iterator_t *out); - - /** - * Checks if the selected proposals of a remote hosts are valid. - * - * - * @param this calling object - * @param host host information - * @param proposals iterator with selected proposals - * @param[out] valid TRUE if selected proposals are accepted - * - * @return - * - FAILED - * - NOT_FOUND (not yet implemented) - * - SUCCESS + * - NOT_FOUND + * - SUCCESS */ - status_t (*check_selected_proposals_for_host) (configuration_manager_t *this, - host_t *host, - iterator_t *proposals, - bool *valid); + status_t (*get_sa_config_for_name) (configuration_manager_t *this, char *name, sa_config_t **sa_config); /** - * Checks if a given dh_group number is allowed for a specific host + * Gets the configuration information needed after IKE_SA_INIT exchange + * for specific init_config_t and ID data. * + * The returned sa_config_t object MUST NOT be destroyed cause it's the original one. * * @param this calling object - * @param host host information - * @param group DH group number to check if allowed - * @param[out] allowed will be set to TRUE if group number is allowed, FALSE otherwise + * @param init_config init_config_t object + * @param other_id identification of other one + * @param my_id my identification (can be NULL) + * @param[out] sa_config the configuration is stored at this place * * @return - * - FAILED - * - NOT_FOUND (not yet implemented) - * - SUCCESS - */ - status_t (*is_dh_group_allowed_for_host) (configuration_manager_t *this, host_t *host, diffie_hellman_group_t group, bool *allowed); - + * - NOT_FOUND + * - SUCCESS + */ + status_t (*get_sa_config_for_init_config_and_id) (configuration_manager_t *this, init_config_t *init_config, identification_t *other_id, identification_t *my_id,sa_config_t **sa_config); + /** * Destroys configuration manager * @@ -177,7 +112,7 @@ struct configuration_manager_t { * @return * - SUCCESS */ - status_t (*destroy) (configuration_manager_t *this); + void (*destroy) (configuration_manager_t *this); }; /** diff --git a/Source/charon/config/init_config.c b/Source/charon/config/init_config.c index 495feb7ab..27f669b9d 100644 --- a/Source/charon/config/init_config.c +++ b/Source/charon/config/init_config.c @@ -24,6 +24,7 @@ #include <utils/allocator.h> #include <utils/linked_list.h> +#include <utils/logger.h> typedef struct private_init_config_t private_init_config_t; @@ -58,7 +59,7 @@ struct private_init_config_t { */ static host_t * get_my_host (private_init_config_t *this) { - return this->my_host->clone(this->my_host); + return this->my_host; } /** @@ -66,6 +67,22 @@ static host_t * get_my_host (private_init_config_t *this) */ static host_t * get_other_host (private_init_config_t *this) { + return this->other_host; +} + +/** + * Implementation of init_config_t.get_my_host_clone. + */ +static host_t * get_my_host_clone (private_init_config_t *this) +{ + return this->my_host->clone(this->my_host); +} + +/** + * Implementation of init_config_t.get_other_host_clone. + */ +static host_t * get_other_host_clone (private_init_config_t *this) +{ return this->other_host->clone(this->other_host); } @@ -131,13 +148,21 @@ static status_t select_proposal (private_init_config_t *this, ike_proposal_t *pr { my_iterator->current(my_iterator,(void **) &my_current_proposal); - if (memcmp(my_current_proposal,&proposals[i],sizeof(ike_proposal_t)) == 0) + /* memcmp doesn't work here */ + if ((proposals[i].encryption_algorithm == my_current_proposal->encryption_algorithm) && + (proposals[i].encryption_algorithm_key_length == my_current_proposal->encryption_algorithm_key_length) && + (proposals[i].integrity_algorithm == my_current_proposal->integrity_algorithm) && + (proposals[i].integrity_algorithm_key_length == my_current_proposal->integrity_algorithm_key_length) && + (proposals[i].pseudo_random_function == my_current_proposal->pseudo_random_function) && + (proposals[i].pseudo_random_function_key_length == my_current_proposal->pseudo_random_function_key_length) && + (proposals[i].diffie_hellman_group == my_current_proposal->diffie_hellman_group)) { /* found a matching proposal */ *selected_proposal = *my_current_proposal; my_iterator->destroy(my_iterator); return SUCCESS; } + } } @@ -151,6 +176,7 @@ static status_t select_proposal (private_init_config_t *this, ike_proposal_t *pr static void add_proposal (private_init_config_t *this,size_t priority, ike_proposal_t proposal) { ike_proposal_t * new_proposal = allocator_alloc(sizeof(ike_proposal_t)); + status_t status; *new_proposal = proposal; @@ -161,7 +187,8 @@ static void add_proposal (private_init_config_t *this,size_t priority, ike_propo return; } - this->proposals->insert_at_position(this->proposals,(priority - 1),new_proposal); + status = this->proposals->insert_at_position(this->proposals,(priority - 1),new_proposal); + } /** @@ -180,7 +207,6 @@ static void destroy (private_init_config_t *this) this->my_host->destroy(this->my_host); this->other_host->destroy(this->other_host); - allocator_free(this); } @@ -194,6 +220,8 @@ init_config_t * init_config_create(char * my_ip, char *other_ip, u_int16_t my_po /* public functions */ this->public.get_my_host = (host_t*(*)(init_config_t*))get_my_host; this->public.get_other_host = (host_t*(*)(init_config_t*))get_other_host; + this->public.get_my_host_clone = (host_t*(*)(init_config_t*))get_my_host_clone; + this->public.get_other_host_clone = (host_t*(*)(init_config_t*))get_other_host_clone; this->public.get_dh_group_number = (diffie_hellman_group_t (*)(init_config_t*,size_t))get_dh_group_number; this->public.get_proposals = (size_t(*)(init_config_t*,ike_proposal_t**))get_proposals; this->public.select_proposal = (status_t(*)(init_config_t*,ike_proposal_t*,size_t,ike_proposal_t*))select_proposal; @@ -203,7 +231,7 @@ init_config_t * init_config_create(char * my_ip, char *other_ip, u_int16_t my_po /* private variables */ this->my_host = host_create(AF_INET,my_ip, my_port); this->other_host = host_create(AF_INET,other_ip, other_port); - + this->proposals = linked_list_create(); return (&this->public); diff --git a/Source/charon/config/init_config.h b/Source/charon/config/init_config.h index 7ff46cc54..5e189f9bd 100644 --- a/Source/charon/config/init_config.h +++ b/Source/charon/config/init_config.h @@ -87,7 +87,7 @@ struct init_config_t { /** * Get my host information as host_t object. * - * @warning Object is getting cloned and has to get destroyed by caller. + * @warning Object is NOT getting cloned. * * @param this calling object * @return host information as host_t object @@ -97,7 +97,7 @@ struct init_config_t { /** * Get other host information as host_t object. * - * @warning Object is getting cloned and has to get destroyed by caller. + * @warning Object is NOT getting cloned. * * @param this calling object * @return host information as host_t object @@ -105,6 +105,26 @@ struct init_config_t { host_t * (*get_other_host) (init_config_t *this); /** + * Get my host information as host_t object. + * + * @warning Object is not getting cloned and has to get destroyed by caller. + * + * @param this calling object + * @return host information as host_t object + */ + host_t * (*get_my_host_clone) (init_config_t *this); + + /** + * Get other host information as host_t object. + * + * @warning Object is not getting cloned and has to get destroyed by caller. + * + * @param this calling object + * @return host information as host_t object + */ + host_t * (*get_other_host_clone) (init_config_t *this); + + /** * Get the diffie hellman group to use as initiator with given priority. * * diff --git a/Source/charon/daemon.h b/Source/charon/daemon.h index 651ed0370..8da5eb5eb 100644 --- a/Source/charon/daemon.h +++ b/Source/charon/daemon.h @@ -54,7 +54,7 @@ * Port on which the daemon will * listen for incoming traffic */ -#define IKEV2_UDP_PORT 500 +#define IKEV2_UDP_PORT 4500 /** * Default loglevel to use. This is the diff --git a/Source/charon/network/host.c b/Source/charon/network/host.c index f78e7b810..95a4537c6 100644 --- a/Source/charon/network/host.c +++ b/Source/charon/network/host.c @@ -70,6 +70,34 @@ static socklen_t *get_sockaddr_len(private_host_t *this) } /** + * Implementation of host_t.is_default_route. + */ +static bool is_default_route (private_host_t *this) +{ + switch (this->family) + { + case AF_INET: + { + int i; + for (i = 0; i < 4;i++) + { + struct sockaddr_in *sin = (struct sockaddr_in*)&(this->address); + if (*((&sin->sin_addr.s_addr) + i) != 0) + { + return FALSE; + } + } + return TRUE; + } + default: + { + /* empty chunk is returned */ + return FALSE; + } + } +} + +/** * implements host_t.get_address */ static char *get_address(private_host_t *this) @@ -156,7 +184,7 @@ static private_host_t *clone(private_host_t *this) /** * Impelements host_t.equals */ -static bool equals(private_host_t *this, private_host_t *other) +static bool ip_is_equal(private_host_t *this, private_host_t *other) { switch (this->family) { @@ -166,7 +194,6 @@ static bool equals(private_host_t *this, private_host_t *other) struct sockaddr_in *sin1 = (struct sockaddr_in*)&(this->address); struct sockaddr_in *sin2 = (struct sockaddr_in*)&(other->address); if ((sin1->sin_family == sin2->sin_family) && - (sin1->sin_port == sin2->sin_port) && (sin1->sin_addr.s_addr == sin2->sin_addr.s_addr)) { return TRUE; @@ -177,10 +204,10 @@ static bool equals(private_host_t *this, private_host_t *other) } -/* - * Described in header. +/** + * Creates an empty host_t object */ -host_t *host_create(int family, char *address, u_int16_t port) +static private_host_t *host_create_empty() { private_host_t *this = allocator_alloc_thing(private_host_t); @@ -190,8 +217,20 @@ host_t *host_create(int family, char *address, u_int16_t port) this->public.get_address = (char* (*) (host_t *))get_address; this->public.get_address_as_chunk = (chunk_t (*) (host_t *)) get_address_as_chunk; this->public.get_port = (u_int16_t (*) (host_t *))get_port; + this->public.ip_is_equal = (bool (*) (host_t *,host_t *)) ip_is_equal; + this->public.is_default_route = (bool (*) (host_t *)) is_default_route; this->public.destroy = (void (*) (host_t*))destroy; + return this; +} + +/* + * Described in header. + */ +host_t *host_create(int family, char *address, u_int16_t port) +{ + private_host_t *this = host_create_empty(); + this->family = family; switch (family) @@ -204,11 +243,16 @@ host_t *host_create(int family, char *address, u_int16_t port) sin->sin_addr.s_addr = inet_addr(address); sin->sin_port = htons(port); this->socklen = sizeof(struct sockaddr_in); - return (host_t*)this; + return &(this->public); + } + default: + { + allocator_free(this); + return NULL; + } } - allocator_free(this); - return NULL; + } /* @@ -216,16 +260,7 @@ host_t *host_create(int family, char *address, u_int16_t port) */ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) { - private_host_t *this = allocator_alloc_thing(private_host_t); - - this->public.get_sockaddr = (sockaddr_t* (*) (host_t*))get_sockaddr; - this->public.get_sockaddr_len = (socklen_t*(*) (host_t*))get_sockaddr_len; - this->public.clone = (host_t* (*) (host_t*))clone; - this->public.get_address = (char* (*) (host_t *))get_address; - this->public.get_address_as_chunk = (chunk_t (*) (host_t *)) get_address_as_chunk; - this->public.get_port = (u_int16_t (*) (host_t *))get_port; - this->public.equals = (bool (*) (host_t *,host_t *))equals; - this->public.destroy = (void (*) (host_t*))destroy; + private_host_t *this = host_create_empty(); this->family = family; @@ -241,8 +276,9 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) memcpy(&(sin->sin_addr.s_addr),address.ptr,4); sin->sin_port = htons(port); this->socklen = sizeof(struct sockaddr_in); - return (host_t*)this; + return &(this->public); } + } } allocator_free(this); diff --git a/Source/charon/network/host.h b/Source/charon/network/host.h index 379eab02e..b5223ef4c 100644 --- a/Source/charon/network/host.h +++ b/Source/charon/network/host.h @@ -81,17 +81,27 @@ struct host_t { * Mostly used for debugging purposes. * @warning string must NOT be freed * - * @param this object to clone + * @param this object * @return address string, */ char* (*get_address) (host_t *this); /** + * @brief Checks if the ip address of host is set to default route. + * + * @param this calling object + * @return + * - TRUE if host has IP 0.0.0.0 for default route + * - FALSE otherwise + */ + bool (*is_default_route) (host_t *this); + + /** * @brief get the address of this host as chunk_t * * @warning returned chunk has to get destroyed by caller. * - * @param this object to clone + * @param this object * @return address string, */ chunk_t (*get_address_as_chunk) (host_t *this); @@ -107,13 +117,13 @@ struct host_t { u_int16_t (*get_port) (host_t *this); /** - * @brief Compare two hosts. + * @brief Compare the ips of two hosts hosts. * * @param this object to compare * @param other the other to compare - * @return TRUE if port and address are equal + * @return TRUE if addresses are equal. */ - bool (*equals) (host_t *this, host_t *other); + bool (*ip_is_equal) (host_t *this, host_t *other); /** * @brief Destroy this host object diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c index 60e608678..1ab5d2fe0 100644 --- a/Source/charon/sa/ike_sa.c +++ b/Source/charon/sa/ike_sa.c @@ -81,6 +81,16 @@ struct private_ike_sa_t { * Linked List containing the child sa's of the current IKE_SA */ linked_list_t *child_sas; + + /** + * TODO + */ + init_config_t *init_config; + + /** + * TODO + */ + sa_config_t *sa_config; /** * Current state of the IKE_SA @@ -297,11 +307,7 @@ static status_t initialize_connection(private_ike_sa_t *this, char *name) current_state = (initiator_init_t *) this->current_state; status = current_state->initiate_connection(current_state,name); - - if (status != SUCCESS) - { - this->create_delete_job(this); - } + return status; } @@ -468,15 +474,42 @@ static host_t *get_other_host (private_ike_sa_t *this) } /** + * Implementation of protected_ike_sa_t.get_init_config. + */ +static init_config_t *get_init_config (private_ike_sa_t *this) +{ + return this->init_config; +} + +/** + * Implementation of protected_ike_sa_t.set_init_config. + */ +static void set_init_config (private_ike_sa_t *this,init_config_t * init_config) +{ + this->init_config = init_config; +} + +/** + * Implementation of protected_ike_sa_t.get_sa_config. + */ +static sa_config_t *get_sa_config (private_ike_sa_t *this) +{ + return this->sa_config; +} + +/** + * Implementation of protected_ike_sa_t.set_sa_config. + */ +static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config) +{ + this->sa_config = sa_config; +} + +/** * Implementation of protected_ike_sa_t.set_my_host. */ static void set_my_host (private_ike_sa_t *this, host_t *my_host) { - if (this->me.host != NULL) - { - this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing my host object"); - this->me.host->destroy(this->me.host); - } this->me.host = my_host; } @@ -485,61 +518,25 @@ static void set_my_host (private_ike_sa_t *this, host_t *my_host) */ static void set_other_host (private_ike_sa_t *this, host_t *other_host) { - if (this->other.host != NULL) - { - this ->logger->log(this->logger, CONTROL|MOST, "Destroy existing other host object"); - this->other.host->destroy(this->other.host); - } this->other.host = other_host; } /** * Implementation of protected_ike_sa_t.set_prf. */ -static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal_substructure_t *proposal) +static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal) { - status_t status; - u_int16_t encryption_algorithm; - u_int16_t encryption_algorithm_key_length; - u_int16_t integrity_algorithm; - u_int16_t integrity_algorithm_key_length; - u_int16_t pseudo_random_function; - u_int16_t pseudo_random_function_key_length; - this->logger->log(this->logger, CONTROL|MORE, "Going to create transform objects for proposal"); - this->logger->log(this->logger, CONTROL|MOST, "Get encryption transform type"); - status = proposal->get_info_for_transform_type(proposal,ENCRYPTION_ALGORITHM,&(encryption_algorithm),&(encryption_algorithm_key_length)); - if (status != SUCCESS) - { - this->logger->log(this->logger, ERROR|MORE, "Could not get encryption transform type"); - return status; - } - this->logger->log(this->logger, CONTROL|MORE, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,encryption_algorithm),encryption_algorithm_key_length); - - this->logger->log(this->logger, CONTROL|MOST, "Get integrity transform type"); - status = proposal->get_info_for_transform_type(proposal,INTEGRITY_ALGORITHM,&(integrity_algorithm),&(integrity_algorithm_key_length)); - if (status != SUCCESS) - { - this->logger->log(this->logger, ERROR|MORE, "Could not get integrity transform type"); - return status; - } - this->logger->log(this->logger, CONTROL|MORE, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,integrity_algorithm),integrity_algorithm_key_length); - - this->logger->log(this->logger, CONTROL|MOST, "Get prf transform type"); - status = proposal->get_info_for_transform_type(proposal,PSEUDO_RANDOM_FUNCTION,&(pseudo_random_function),&(pseudo_random_function_key_length)); - if (status != SUCCESS) - { - this->logger->log(this->logger, ERROR|MORE, "Could not prf transform type"); - return status; - } - this->logger->log(this->logger, CONTROL|MORE, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,pseudo_random_function),pseudo_random_function_key_length); + this->logger->log(this->logger, CONTROL|MORE, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,proposal->encryption_algorithm),proposal->encryption_algorithm_key_length); + this->logger->log(this->logger, CONTROL|MORE, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,proposal->integrity_algorithm),proposal->integrity_algorithm_key_length); + this->logger->log(this->logger, CONTROL|MORE, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,proposal->pseudo_random_function),proposal->pseudo_random_function_key_length); if (this->prf != NULL) { this->prf->destroy(this->prf); } - this->prf = prf_create(pseudo_random_function); + this->prf = prf_create(proposal->pseudo_random_function); if (this->prf == NULL) { this->logger->log(this->logger, ERROR|MORE, "prf not supported!"); @@ -550,7 +547,7 @@ static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal { this->crypter_initiator->destroy(this->crypter_initiator); } - this->crypter_initiator = crypter_create(encryption_algorithm,encryption_algorithm_key_length); + this->crypter_initiator = crypter_create(proposal->encryption_algorithm,proposal->encryption_algorithm_key_length); if (this->crypter_initiator == NULL) { this->logger->log(this->logger, ERROR|MORE, "encryption algorithm not supported!"); @@ -561,7 +558,7 @@ static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal { this->crypter_responder->destroy(this->crypter_responder); } - this->crypter_responder = crypter_create(encryption_algorithm,encryption_algorithm_key_length); + this->crypter_responder = crypter_create(proposal->encryption_algorithm,proposal->encryption_algorithm_key_length); if (this->crypter_responder == NULL) { this->logger->log(this->logger, ERROR|MORE, "encryption algorithm not supported!"); @@ -572,7 +569,7 @@ static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal { this->signer_initiator->destroy(this->signer_initiator); } - this->signer_initiator = signer_create(integrity_algorithm); + this->signer_initiator = signer_create(proposal->integrity_algorithm); if (this->signer_initiator == NULL) { this->logger->log(this->logger, ERROR|MORE, "integrity algorithm not supported!"); @@ -583,7 +580,7 @@ static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal { this->signer_responder->destroy(this->signer_responder); } - this->signer_responder = signer_create(integrity_algorithm); + this->signer_responder = signer_create(proposal->integrity_algorithm); if (this->signer_responder == NULL) { this->logger->log(this->logger, ERROR|MORE, "integrity algorithm not supported!"); @@ -733,24 +730,27 @@ static void destroy (private_ike_sa_t *this) this->last_requested_message->destroy(this->last_requested_message); } - /* destroy stored responded messages */ - if (this->last_responded_message != NULL) - { - this->last_responded_message->destroy(this->last_responded_message); - } - - this->randomizer->destroy(this->randomizer); - + /* destroy stored host_t objects */ if (this->me.host != NULL) { this->me.host->destroy(this->me.host); } + /* destroy stored host_t objects */ if (this->other.host != NULL) { this->other.host->destroy(this->other.host); } + + /* destroy stored responded messages */ + if (this->last_responded_message != NULL) + { + this->last_responded_message->destroy(this->last_responded_message); + } + + this->randomizer->destroy(this->randomizer); + this->logger->log(this->logger, CONTROL | MOST, "Destroy current state object"); this->current_state->destroy(this->current_state); @@ -777,6 +777,10 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message; this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets; this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger; + this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config; + this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config; + this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config; + this->protected.get_sa_config = (sa_config_t *(*) (protected_ike_sa_t *)) get_sa_config; this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host; this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host; this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host; @@ -784,7 +788,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer; this->protected.set_last_requested_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_requested_message; this->protected.set_last_responded_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_responded_message; - this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,proposal_substructure_t *)) create_transforms_from_proposal; + this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,ike_proposal_t *)) create_transforms_from_proposal; this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state; this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator; this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator; @@ -821,6 +825,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->signer_initiator = NULL; this->signer_responder = NULL; this->prf = NULL; + this->init_config = NULL; + this->sa_config = NULL; /* at creation time, IKE_SA is in a initiator state */ if (ike_sa_id->is_initiator(ike_sa_id)) diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h index 51d8be4e0..a5cf637d7 100644 --- a/Source/charon/sa/ike_sa.h +++ b/Source/charon/sa/ike_sa.h @@ -27,6 +27,7 @@ #include <encoding/message.h> #include <encoding/payloads/proposal_substructure.h> #include <sa/ike_sa_id.h> +#include <config/configuration_manager.h> #include <utils/logger.h> #include <utils/randomizer.h> #include <sa/states/state.h> @@ -137,6 +138,41 @@ struct protected_ike_sa_t { */ logger_t *(*get_logger) (protected_ike_sa_t *this); + /** + * Gets the internal stored init_config_t object. + * + * Returned value has to get checked for NULL value! + * + * @param this calling object + * @return pointer to the internal stored init_config_t object + */ + init_config_t *(*get_init_config) (protected_ike_sa_t *this); + + /** + * Sets the internal init_config_t object. + * + * @param this calling object + * @param init_config object of type init_config_t + */ + void (*set_init_config) (protected_ike_sa_t *this,init_config_t *init_config); + + /** + * Gets the internal stored sa_config_t object. + * + * Returned value has to get checked for NULL value! + * + * @param this calling object + * @return pointer to the internal stored sa_config_t object + */ + sa_config_t *(*get_sa_config) (protected_ike_sa_t *this); + + /** + * Sets the internal sa_config_t object. + * + * @param this calling object + * @param sa_config object of type sa_config_t + */ + void (*set_sa_config) (protected_ike_sa_t *this,sa_config_t *sa_config); /** * Gets the internal stored host_t object for my host. @@ -176,7 +212,7 @@ struct protected_ike_sa_t { /** * Creates all needed transform objects for given ike_sa_t using - * the informations stored in a proposal_substructure_t object + * the informations stored in a ike_proposal_t object * * Allready existing objects get destroyed. * @@ -184,7 +220,7 @@ struct protected_ike_sa_t { * @param proposal proposal used to get informations for transform * objects (algorithms, key lengths, etc.) */ - status_t (*create_transforms_from_proposal) (protected_ike_sa_t *this,proposal_substructure_t *proposal); + status_t (*create_transforms_from_proposal) (protected_ike_sa_t *this,ike_proposal_t * proposal); /** * Sets the last requested message. diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c index 5f6679f63..29d6c284a 100644 --- a/Source/charon/sa/states/ike_sa_init_requested.c +++ b/Source/charon/sa/states/ike_sa_init_requested.c @@ -173,57 +173,48 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t case SECURITY_ASSOCIATION: { sa_payload_t *sa_payload = (sa_payload_t*)payload; - iterator_t *suggested_proposals; - proposal_substructure_t *suggested_proposal; - bool valid; - + ike_proposal_t *ike_proposals; + ike_proposal_t selected_proposal; + size_t proposal_count; + init_config_t *init_config; /* get the list of suggested proposals */ - suggested_proposals = sa_payload->create_proposal_substructure_iterator(sa_payload, TRUE); - - - /* now let the configuration-manager check the selected proposals*/ - this->logger->log(this->logger, CONTROL | MOST, "Check suggested proposals"); - status = charon->configuration_manager->check_selected_proposals_for_host(charon->configuration_manager, - this->ike_sa->get_other_host(this->ike_sa), suggested_proposals,&valid); + status = sa_payload->get_ike_proposals (sa_payload, &ike_proposals,&proposal_count); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "Could not check suggested proposals!"); - suggested_proposals->destroy(suggested_proposals); + this->logger->log(this->logger, ERROR | MORE, "SA payload does not contain IKE proposals"); payloads->destroy(payloads); - return status; + return status; } - - if (!valid) + + if (proposal_count != 1) { - this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not accepted!"); + this->logger->log(this->logger, ERROR | MORE, "More then one proposal selected!"); + allocator_free(ike_proposals); payloads->destroy(payloads); - return status; + return status; } + + /* now let the configuration-manager check the selected proposals*/ + this->logger->log(this->logger, CONTROL | MOST, "Check suggested proposals"); + init_config = this->ike_sa->get_init_config(this->ike_sa); - - /* let the ike_sa create their own transforms from proposal informations */ - suggested_proposals->reset(suggested_proposals); - /* TODO check for true*/ - suggested_proposals->has_next(suggested_proposals); - status = suggested_proposals->current(suggested_proposals,(void **)&suggested_proposal); - suggested_proposals->destroy(suggested_proposals); + status = init_config->select_proposal (init_config,ike_proposals,1,&selected_proposal); + allocator_free(ike_proposals); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "Could not get first proposal"); + this->logger->log(this->logger, ERROR | MORE, "Selected proposal not a suggested one!"); payloads->destroy(payloads); return status; } - - status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,suggested_proposal); + + status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,&selected_proposal); if (status != SUCCESS) { this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal"); payloads->destroy(payloads); return status; } - - /* ok, we have what we need for sa_payload */ break; } diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c index cd44fafca..7aa1fd044 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.c +++ b/Source/charon/sa/states/ike_sa_init_responded.c @@ -83,7 +83,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t status_t status; signer_t *signer; crypter_t *crypter; - iterator_t *payloads, *iterator; + iterator_t *payloads; exchange_type_t exchange_type; id_payload_t *idi_payload, *idr_payload; auth_payload_t *auth_payload; @@ -234,7 +234,6 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t static status_t build_id_payload(private_ike_sa_init_responded_t *this, id_payload_t *id_payload) { - return SUCCESS; } diff --git a/Source/charon/sa/states/initiator_init.c b/Source/charon/sa/states/initiator_init.c index 7ade885d4..2c653ee2f 100644 --- a/Source/charon/sa/states/initiator_init.c +++ b/Source/charon/sa/states/initiator_init.c @@ -72,12 +72,6 @@ struct private_initiator_init_t { * This nonce is passed to the next state of type ike_sa_init_requested_t. */ chunk_t sent_nonce; - - /** - * Proposals used to initiate connection. - * - */ - linked_list_t *proposals; /** * Logger used to log :-) @@ -136,66 +130,43 @@ struct private_initiator_init_t { */ static status_t initiate_connection (private_initiator_init_t *this, char *name) { - iterator_t *proposal_iterator; ike_sa_init_requested_t *next_state; message_t *message; packet_t *packet; status_t status; - host_t *my_host; - host_t *other_host; randomizer_t *randomizer; + init_config_t *init_config; this->logger->log(this->logger, CONTROL, "Initializing connection %s",name); - /* get local host */ - status = charon->configuration_manager->get_local_host(charon->configuration_manager, name, &my_host); - if (status != SUCCESS) - { - this->logger->log(this->logger, ERROR | MORE, "Could not retrieve local host configuration information for %s",name); - return INVALID_ARG; - } - this->ike_sa->set_my_host(this->ike_sa,my_host); + /* get init_config_t object */ + status = charon->configuration_manager->get_init_config_for_name(charon->configuration_manager,name,&init_config); - /* get remote host */ - status = charon->configuration_manager->get_remote_host(charon->configuration_manager, name, &other_host); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "Could not retrieve remote host configuration information for %s",name); + this->logger->log(this->logger, ERROR | MORE, "Could not retrieve INIT configuration informations for %s",name); return INVALID_ARG; } - this->ike_sa->set_other_host(this->ike_sa,other_host); - /* get dh group */ - status = charon->configuration_manager->get_dh_group_number(charon->configuration_manager, name, &(this->dh_group_number), this->dh_group_priority); - if (status != SUCCESS) + /* configuration can be set */ + this->ike_sa->set_init_config(this->ike_sa,init_config); + + this->ike_sa->set_other_host(this->ike_sa,init_config->get_other_host_clone(init_config)); + this->ike_sa->set_my_host(this->ike_sa,init_config->get_my_host_clone(init_config)); + + this->dh_group_number = init_config->get_dh_group_number(init_config,this->dh_group_priority); + if (this->dh_group_number == MODP_UNDEFINED) { - this->logger->log(this->logger, ERROR | MORE, "Could not retrieve DH group number configuration for %s",name); + this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority); return INVALID_ARG; } - - /* get proposals */ - proposal_iterator = this->proposals->create_iterator(this->proposals, FALSE); - status = charon->configuration_manager->get_proposals_for_host(charon->configuration_manager, this->ike_sa->get_other_host(this->ike_sa), proposal_iterator); - proposal_iterator->destroy(proposal_iterator); - if (status != SUCCESS) - { - this->logger->log(this->logger, ERROR | MORE, "Could not retrieve Proposals for %s",name); - return status; - } - /* a diffie hellman object could allready exist caused by an failed initiate_connection call */ if (this->diffie_hellman == NULL) { this->diffie_hellman = diffie_hellman_create(this->dh_group_number); } - if (this->diffie_hellman == NULL) - { - this->logger->log(this->logger, ERROR, "Object of type diffie_hellman_t could not be created!"); - return FAILED; - } - if (this->sent_nonce.ptr != NULL) { allocator_free(this->sent_nonce.ptr); @@ -286,29 +257,19 @@ static void build_ike_sa_init_request (private_initiator_init_t *this, message_t static void build_sa_payload(private_initiator_init_t *this, payload_t **payload) { sa_payload_t* sa_payload; - iterator_t *proposal_iterator; + size_t proposal_count; + ike_proposal_t *proposals; + init_config_t *init_config; - /* SA payload takes proposals from this->ike_sa_init_data.proposals - * and writes them to the created sa_payload - */ - this->logger->log(this->logger, CONTROL|MORE, "building sa payload"); - proposal_iterator = this->proposals->create_iterator(this->proposals, FALSE); - sa_payload = sa_payload_create(); - - while (proposal_iterator->has_next(proposal_iterator)) - { - proposal_substructure_t *current_proposal; - proposal_substructure_t *current_proposal_clone; - proposal_iterator->current(proposal_iterator,(void **) ¤t_proposal); + init_config = this->ike_sa->get_init_config(this->ike_sa); - current_proposal_clone = current_proposal->clone(current_proposal); - - sa_payload->add_proposal_substructure(sa_payload,current_proposal_clone); - } - proposal_iterator->destroy(proposal_iterator); + proposal_count = init_config->get_proposals(init_config,&proposals); + sa_payload = sa_payload_create_from_ike_proposals(proposals,proposal_count); + + allocator_free(proposals); *payload = (payload_t *) sa_payload; } @@ -375,14 +336,7 @@ static void destroy(private_initiator_init_t *this) /* destroy stored proposal */ this->logger->log(this->logger, CONTROL | MOST, "Destroy stored proposals"); - while (this->proposals->get_count(this->proposals) > 0) - { - proposal_substructure_t *current_proposal; - this->proposals->remove_first(this->proposals,(void **)¤t_proposal); - current_proposal->destroy(current_proposal); - } - this->proposals->destroy(this->proposals); - + /* destroy diffie hellman object */ if (this->diffie_hellman != NULL) { @@ -406,13 +360,6 @@ static void destroy_after_state_change (private_initiator_init_t *this) /* destroy stored proposal */ this->logger->log(this->logger, CONTROL | MOST, "Destroy stored proposals"); - while (this->proposals->get_count(this->proposals) > 0) - { - proposal_substructure_t *current_proposal; - this->proposals->remove_first(this->proposals,(void **)¤t_proposal); - current_proposal->destroy(current_proposal); - } - this->proposals->destroy(this->proposals); allocator_free(this); } @@ -442,7 +389,6 @@ initiator_init_t *initiator_init_create(protected_ike_sa_t *ike_sa) this->ike_sa = ike_sa; this->dh_group_priority = 1; this->logger = this->ike_sa->get_logger(this->ike_sa); - this->proposals = linked_list_create(); this->sent_nonce = CHUNK_INITIALIZER; return &(this->public); diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c index 35d85fddc..fd730db86 100644 --- a/Source/charon/sa/states/responder_init.c +++ b/Source/charon/sa/states/responder_init.c @@ -89,10 +89,10 @@ struct private_responder_init_t { logger_t *logger; /** - * Proposals used to initiate connection + * Selected proposal from suggested ones. */ - linked_list_t *proposals; - + ike_proposal_t selected_proposal; + /** * Builds the SA payload for this state. * @@ -147,6 +147,8 @@ static status_t process_message(private_responder_init_t *this, message_t *messa host_t *my_host; host_t *other_host; randomizer_t *randomizer; + init_config_t *init_config; + diffie_hellman_group_t dh_group = MODP_UNDEFINED; exchange_type = message->get_exchange_type(message); if (exchange_type != IKE_SA_INIT) @@ -154,16 +156,26 @@ static status_t process_message(private_responder_init_t *this, message_t *messa this->logger->log(this->logger, ERROR | MORE, "Message of type %s not supported in state responder_init",mapping_find(exchange_type_m,exchange_type)); return FAILED; } - if (!message->get_request(message)) { this->logger->log(this->logger, ERROR | MORE, "Only requests of type IKE_SA_INIT supported in state responder_init"); return FAILED; } - /* this is the first message we process, so copy host infos */ source = message->get_source(message); destination = message->get_destination(message); + + status = charon->configuration_manager->get_init_config_for_host(charon->configuration_manager,destination,source,&init_config); + + if (status != SUCCESS) + { + /* no configuration matches given host */ + this->logger->log(this->logger, ERROR | MORE, "No INIT configuration found for given remote and local hosts"); + return FAILED; + } + + this->ike_sa->set_init_config(this->ike_sa,init_config); + /* we need to clone them, since we destroy the message later */ my_host = destination->clone(destination); @@ -195,44 +207,30 @@ static status_t process_message(private_responder_init_t *this, message_t *messa case SECURITY_ASSOCIATION: { sa_payload_t *sa_payload = (sa_payload_t*)payload; - iterator_t *suggested_proposals, *accepted_proposals; - proposal_substructure_t *accepted_proposal; - - accepted_proposals = this->proposals->create_iterator(this->proposals, FALSE); - + ike_proposal_t *ike_proposals; + size_t proposal_count; + /* get the list of suggested proposals */ - suggested_proposals = sa_payload->create_proposal_substructure_iterator(sa_payload, TRUE); - - /* now let the configuration-manager select a subset of the proposals */ - status = charon->configuration_manager->select_proposals_for_host(charon->configuration_manager, - this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, accepted_proposals); + status = sa_payload->get_ike_proposals (sa_payload, &ike_proposals,&proposal_count); if (status != SUCCESS) { - this->logger->log(this->logger, CONTROL | MORE, "No proposal of suggested proposals selected"); - suggested_proposals->destroy(suggested_proposals); - accepted_proposals->destroy(accepted_proposals); + this->logger->log(this->logger, ERROR | MORE, "SA payload does not contain IKE proposals"); payloads->destroy(payloads); - return status; + return status; } - - /* iterators are not needed anymore */ - suggested_proposals->destroy(suggested_proposals); - - /* let the ike_sa create their own transforms from proposal informations */ - accepted_proposals->reset(accepted_proposals); - /* TODO check for true*/ - accepted_proposals->has_next(accepted_proposals); - status = accepted_proposals->current(accepted_proposals,(void **)&accepted_proposal); + + status = init_config->select_proposal(init_config, ike_proposals,proposal_count,&(this->selected_proposal)); + allocator_free(ike_proposals); if (status != SUCCESS) { - this->logger->log(this->logger, ERROR | MORE, "Accepted proposals not supported?!"); - accepted_proposals->destroy(accepted_proposals); + this->logger->log(this->logger, ERROR | MORE, "No proposal of suggested proposals selected"); payloads->destroy(payloads); return status; } - status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,accepted_proposal); - accepted_proposals->destroy(accepted_proposals); + dh_group = this->selected_proposal.diffie_hellman_group; + + status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,&(this->selected_proposal)); if (status != SUCCESS) { this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal"); @@ -253,12 +251,9 @@ static status_t process_message(private_responder_init_t *this, message_t *messa group = ke_payload->get_dh_group_number(ke_payload); - status = charon->configuration_manager->is_dh_group_allowed_for_host(charon->configuration_manager, - this->ike_sa->get_other_host(this->ike_sa), group, &allowed_group); - - if (status != SUCCESS) + if (dh_group == MODP_UNDEFINED) { - this->logger->log(this->logger, ERROR | MORE, "Could not get informations about DH group"); + this->logger->log(this->logger, ERROR | MORE, "Could not get informations about DH group. SA payload before KE payload?"); payloads->destroy(payloads); return status; } @@ -387,27 +382,12 @@ static status_t process_message(private_responder_init_t *this, message_t *messa static void build_sa_payload(private_responder_init_t *this, payload_t **payload) { sa_payload_t* sa_payload; - iterator_t *proposal_iterator; /* SA payload takes proposals from this->ike_sa_init_data.proposals and writes them to the created sa_payload */ this->logger->log(this->logger, CONTROL|MORE, "building sa payload"); - proposal_iterator = this->proposals->create_iterator(this->proposals, FALSE); - - sa_payload = sa_payload_create(); - - while (proposal_iterator->has_next(proposal_iterator)) - { - proposal_substructure_t *current_proposal; - proposal_substructure_t *current_proposal_clone; - - proposal_iterator->current(proposal_iterator,(void **) ¤t_proposal); - current_proposal_clone = current_proposal->clone(current_proposal); - sa_payload->add_proposal_substructure(sa_payload,current_proposal_clone); - } - - proposal_iterator->destroy(proposal_iterator); + sa_payload = sa_payload_create_from_ike_proposals(&(this->selected_proposal),1); *payload = (payload_t *) sa_payload; } @@ -466,13 +446,6 @@ static void destroy(private_responder_init_t *this) /* destroy stored proposal */ this->logger->log(this->logger, CONTROL | MOST, "Destroy stored proposals"); - while (this->proposals->get_count(this->proposals) > 0) - { - proposal_substructure_t *current_proposal; - this->proposals->remove_first(this->proposals,(void **)¤t_proposal); - current_proposal->destroy(current_proposal); - } - this->proposals->destroy(this->proposals); allocator_free(this->sent_nonce.ptr); allocator_free(this->received_nonce.ptr); @@ -493,13 +466,6 @@ static void destroy_after_state_change (private_responder_init_t *this) /* destroy stored proposal */ this->logger->log(this->logger, CONTROL | MOST, "Destroy stored proposals"); - while (this->proposals->get_count(this->proposals) > 0) - { - proposal_substructure_t *current_proposal; - this->proposals->remove_first(this->proposals,(void **)¤t_proposal); - current_proposal->destroy(current_proposal); - } - this->proposals->destroy(this->proposals); /* destroy diffie hellman object */ if (this->diffie_hellman != NULL) @@ -534,7 +500,6 @@ responder_init_t *responder_init_create(protected_ike_sa_t *ike_sa) this->logger = this->ike_sa->get_logger(this->ike_sa); this->sent_nonce = CHUNK_INITIALIZER; this->received_nonce = CHUNK_INITIALIZER; - this->proposals = linked_list_create(); return &(this->public); } diff --git a/Source/charon/utils/identification.c b/Source/charon/utils/identification.c index 270d96232..124ae46fb 100644 --- a/Source/charon/utils/identification.c +++ b/Source/charon/utils/identification.c @@ -81,6 +81,25 @@ static char *get_string(private_identification_t *this) } /** + * Implementation of identification_t.equals. + */ +static bool equals (private_identification_t *this,private_identification_t *other) +{ + if (this->type == other->type) + { + if (this->encoded.len != other->encoded.len) + { + return FALSE; + } + if (memcmp(this->encoded.ptr,other->encoded.ptr,this->encoded.len) == 0) + { + return TRUE; + } + } + return FALSE; +} + +/** * implements identification_t.destroy */ static void destroy(private_identification_t *this) @@ -99,6 +118,7 @@ static private_identification_t *identification_create() private_identification_t *this = allocator_alloc_thing(private_identification_t); /* assign methods */ + this->public.equals = (bool (*) (identification_t*,identification_t*))equals; this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding; this->public.get_type = (id_type_t (*) (identification_t*))get_type; this->public.get_string = (char* (*) (identification_t*))get_string; diff --git a/Source/charon/utils/identification.h b/Source/charon/utils/identification.h index 54e4e02da..0231721a5 100644 --- a/Source/charon/utils/identification.h +++ b/Source/charon/utils/identification.h @@ -76,6 +76,16 @@ struct identification_t { * @return string */ char *(*get_string) (identification_t *this); + + /** + * @brief Check if two identification_t objects are equal. + * + * @param this the identification_t_object + * @param other other identification_t_object + * @return string + */ + bool (*equals) (identification_t *this,identification_t *other); + /** * @brief Destroys a identification_t object. diff --git a/Source/charon/utils/logger_manager.c b/Source/charon/utils/logger_manager.c index d030d5cbe..cd73e8ac9 100644 --- a/Source/charon/utils/logger_manager.c +++ b/Source/charon/utils/logger_manager.c @@ -150,6 +150,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t case MESSAGE: case WORKER: logger_level |= ALL; + break; case PARSER: case GENERATOR: case THREAD_POOL: |