-rw-r--r--Source/charon/sa/authenticator.c83
-rw-r--r--Source/charon/sa/authenticator.h51
-rw-r--r--Source/charon/sa/child_sa.h6
-rw-r--r--Source/charon/sa/ike_sa.c119
-rw-r--r--Source/charon/sa/ike_sa.h134
-rw-r--r--Source/charon/sa/ike_sa_manager.c86
-rw-r--r--Source/charon/sa/ike_sa_manager.h31
-rw-r--r--Source/charon/utils/logger.c4
8 files changed, 316 insertions, 198 deletions
diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c
index b86cac38e..7d40c78c2 100644
--- a/Source/charon/sa/authenticator.c
+++ b/Source/charon/sa/authenticator.c
@@ -1,7 +1,7 @@
/**
* @file authenticator.c
*
- * @brief Implementation of authenticator.
+ * @brief Implementation of authenticator_t.
*
*/
@@ -35,6 +35,7 @@
*/
#define IKE_V2_KEY_PAD_LEN strlen(IKE_V2_KEY_PAD)
+
typedef struct private_authenticator_t private_authenticator_t;
/**
@@ -65,7 +66,7 @@ struct private_authenticator_t {
logger_t *logger;
/**
- * Creates the octets which are signed (RSA) or MACed (shared secret) as described in section
+ * @brief Creates the octets which are signed (RSA) or MACed (shared secret) as described in section
* 2.15 of draft.
*
* @param this calling object
@@ -77,10 +78,14 @@ struct private_authenticator_t {
* @return octets as described in section 2.15. Memory gets allocated and has to get
* destroyed by caller.
*/
- chunk_t (*allocate_octets) (private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,id_payload_t *my_id, bool initiator);
+ chunk_t (*allocate_octets) (private_authenticator_t *this,
+ chunk_t last_message,
+ chunk_t other_nonce,
+ id_payload_t *my_id,
+ bool initiator);
/**
- * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ * @brief Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
*
* @param this calling object
* @param last_message the last message
@@ -88,17 +93,28 @@ struct private_authenticator_t {
* @param nonce Nonce data to include in auth data compution
* @param id_payload id_payload_t object representing an ID payload
* @param initiator Type of peer. TRUE, if it is original initiator, FALSE otherwise
- * @param shared_secret shared secret as chunk_t. If shared secret is a string, the NULL termination is not included.
- * @return AUTH data as dscribed in section 2.15 for AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ * @param shared_secret shared secret as chunk_t. If shared secret is a string,
+ * the NULL termination is not included.
+ * @return AUTH data as dscribed in section 2.15 for
+ * AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
* Memory gets allocated and has to get destroyed by caller.
*/
- chunk_t (*allocate_auth_data_with_preshared_secret) (private_authenticator_t *this,chunk_t last_message, chunk_t nonce,id_payload_t *id_payload, bool initiator,chunk_t preshared_secret);
+ chunk_t (*allocate_auth_data_with_preshared_secret) (private_authenticator_t *this,
+ chunk_t last_message,
+ chunk_t nonce,
+ id_payload_t *id_payload,
+ bool initiator,
+ chunk_t preshared_secret);
};
/**
* Implementation of private_authenticator_t.allocate_octets.
*/
-static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_message, chunk_t other_nonce,id_payload_t *my_id, bool initiator)
+static chunk_t allocate_octets(private_authenticator_t *this,
+ chunk_t last_message,
+ chunk_t other_nonce,
+ id_payload_t *my_id,
+ bool initiator)
{
chunk_t id_chunk = my_id->get_data(my_id);
u_int8_t id_with_header[4 + id_chunk.len];
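Review bot: `u_int8_t id_with_header[4 + id_chunk.len];` at the end of this hunk sizes a stack array directly from the length of the ID payload data, and the commit reformats the signature above it without bounding that length. On the verify path the ID payload passed down is `other_id_payload`, so the length is presumably chosen by the peer (the call into `allocate_octets` is outside the visible hunks, so confirm). Check `id_chunk.len` against a fixed upper limit before the declaration, or take the buffer from the allocator and free it with the other temporaries. The body of `allocate_octets` continues outside the hunk.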
@@ -148,7 +164,12 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
/**
* Implementation of private_authenticator_t.allocate_auth_data_with_preshared_secret.
*/
-static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t *this,chunk_t last_message, chunk_t nonce,id_payload_t *id_payload, bool initiator,chunk_t preshared_secret)
+static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t *this,
+ chunk_t last_message,
+ chunk_t nonce,
+ id_payload_t *id_payload,
+ bool initiator,
+ chunk_t preshared_secret)
{
chunk_t key_pad = {ptr: IKE_V2_KEY_PAD, len:IKE_V2_KEY_PAD_LEN};
u_int8_t key_buffer[this->prf->get_block_size(this->prf)];
@@ -174,7 +195,12 @@ static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t
/**
* Implementation of authenticator_t.verify_auth_data.
*/
-static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator)
+static status_t verify_auth_data (private_authenticator_t *this,
+ auth_payload_t *auth_payload,
+ chunk_t last_received_packet,
+ chunk_t my_nonce,
+ id_payload_t *other_id_payload,
+ bool initiator)
{
switch(auth_payload->get_auth_method(auth_payload))
{
@@ -185,14 +211,21 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
chunk_t preshared_secret;
status_t status;
- status = charon->configuration_manager->get_shared_secret(charon->configuration_manager,other_id,&preshared_secret);
+ status = charon->configuration_manager->get_shared_secret(charon->configuration_manager,
+ other_id,
+ &preshared_secret);
other_id->destroy(other_id);
if (status != SUCCESS)
{
return status;
}
- chunk_t my_auth_data = this->allocate_auth_data_with_preshared_secret(this,last_received_packet,my_nonce,other_id_payload,initiator,preshared_secret);
+ chunk_t my_auth_data = this->allocate_auth_data_with_preshared_secret(this,
+ last_received_packet,
+ my_nonce,
+ other_id_payload,
+ initiator,
+ preshared_secret);
if (auth_data.len != my_auth_data.len)
{
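Review bot: The length check that closes this hunk begins the comparison of the received AUTH data with the locally computed `my_auth_data`, and the byte comparison itself lies outside the hunk. If that comparison is a plain `memcmp`, it stops at the first differing byte, so the time taken depends on how many leading bytes of the MAC match. A comparison that accumulates the XOR of every byte pair and tests the result once removes that dependency. Whether `my_auth_data` is freed on the length-mismatch branch cannot be checked from here either.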
@@ -219,7 +252,9 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
auth_data = auth_payload->get_data(auth_payload);
- status = charon->configuration_manager->get_rsa_public_key(charon->configuration_manager, other_id, &public_key);
+ status = charon->configuration_manager->get_rsa_public_key(charon->configuration_manager,
+ other_id,
+ &public_key);
other_id->destroy(other_id);
if (status != SUCCESS)
{
@@ -243,7 +278,12 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
/**
* Implementation of authenticator_t.compute_auth_data.
*/
-static status_t compute_auth_data (private_authenticator_t *this,auth_payload_t **auth_payload, chunk_t last_sent_packet,chunk_t other_nonce,id_payload_t *my_id_payload,bool initiator)
+static status_t compute_auth_data (private_authenticator_t *this,
+ auth_payload_t **auth_payload,
+ chunk_t last_sent_packet,
+ chunk_t other_nonce,
+ id_payload_t *my_id_payload,
+ bool initiator)
{
sa_config_t *sa_config = this->ike_sa->get_sa_config(this->ike_sa);
@@ -255,7 +295,9 @@ static status_t compute_auth_data (private_authenticator_t *this,auth_payload_t
chunk_t preshared_secret;
status_t status;
- status = charon->configuration_manager->get_shared_secret(charon->configuration_manager,my_id,&preshared_secret);
+ status = charon->configuration_manager->get_shared_secret(charon->configuration_manager,
+ my_id,
+ &preshared_secret);
my_id->destroy(my_id);
if (status != SUCCESS)
@@ -263,7 +305,12 @@ static status_t compute_auth_data (private_authenticator_t *this,auth_payload_t
return status;
}
- chunk_t auth_data = this->allocate_auth_data_with_preshared_secret(this,last_sent_packet,other_nonce,my_id_payload,initiator,preshared_secret);
+ chunk_t auth_data = this->allocate_auth_data_with_preshared_secret(this,
+ last_sent_packet,
+ other_nonce,
+ my_id_payload,
+ initiator,
+ preshared_secret);
*auth_payload = auth_payload_create();
(*auth_payload)->set_auth_method((*auth_payload),SHARED_KEY_MESSAGE_INTEGRITY_CODE);
@@ -279,7 +326,9 @@ static status_t compute_auth_data (private_authenticator_t *this,auth_payload_t
status_t status;
chunk_t octets, auth_data;
- status = charon->configuration_manager->get_rsa_private_key(charon->configuration_manager, my_id, &private_key);
+ status = charon->configuration_manager->get_rsa_private_key(charon->configuration_manager,
+ my_id,
+ &private_key);
my_id->destroy(my_id);
if (status != SUCCESS)
{
diff --git a/Source/charon/sa/authenticator.h b/Source/charon/sa/authenticator.h
index 64cb1d602..0154652d3 100644
--- a/Source/charon/sa/authenticator.h
+++ b/Source/charon/sa/authenticator.h
@@ -24,16 +24,16 @@
#define _AUTHENTICATOR_H_
#include <types.h>
+#include <sa/ike_sa.h>
+#include <network/packet.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/id_payload.h>
-#include <network/packet.h>
-#include <sa/ike_sa.h>
typedef struct authenticator_t authenticator_t;
/**
- * @brief Class authenticator_t. Used to authenticate a peer.
+ * @brief Class used to authenticate a peer.
*
* Currently the following two AUTH methods are supported:
* - SHARED_KEY_MESSAGE_INTEGRITY_CODE
@@ -41,7 +41,10 @@ typedef struct authenticator_t authenticator_t;
*
* This class retrieves needed data for specific AUTH methods (RSA keys, shared secrets, etc.)
* over an internal stored protected_ike_sa_t object or directly from the configuration_manager_t over
- * the daemon_t object charon.
+ * the daemon_t object "charon".
+ *
+ * @b Constructors:
+ * - authenticator_create()
*
* @ingroup sa
*/
@@ -55,18 +58,21 @@ struct authenticator_t {
* - the nonce value sent to the other peer
* - the ID payload of the other peer
*
- * @param this authenticator_t object
+ * @param this calling object
* @param last_received_packet binary representation of the last received IKEv2-Message
- * @param my_nonce The sent nonce (without payload header)
- * @param other_id_payload The ID payload received from other peer
- * @param initiator Type of other peer. TRUE, if it is original initiator, FALSE otherwise
+ * @param my_nonce the sent nonce (without payload header)
+ * @param other_id_payload the ID payload received from other peer
+ * @param initiator type of other peer. TRUE, if it is original initiator, FALSE otherwise
+ *
+ * @todo Document RSA error status types
*
* @return
- * - SUCCESS if verification could be processed (does not mean the data could be verified)
+ * - SUCCESS if verification could be processed
+ * (does not mean the data could be verified)
* - FAILED if verification failed
* - NOT_SUPPORTED if AUTH method not supported
- * - NOT_FOUND if the data for specific AUTH method could not be found (e.g. shared secret, rsa key)
- * - TODO rsa errors!!
+ * - NOT_FOUND if the data for specific AUTH method could not be found
+ * (e.g. shared secret, rsa key)
*/
status_t (*verify_auth_data) (authenticator_t *this,
auth_payload_t *auth_payload,
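Review bot: The `@return` list for `verify_auth_data` contradicts itself after this rewrap: `SUCCESS` is documented as "verification could be processed (does not mean the data could be verified)" while `FAILED` is "verification failed", and the implementation's signature in authenticator.c has no out-parameter that could carry a separate verdict. A caller reading the first bullet cannot tell whether SUCCESS means the peer is authenticated. State the contract one way, for example `- SUCCESS if the AUTH data was verified` and `- FAILED if the AUTH data did not match`. The `auth_payload` parameter is also missing from the `@param` list.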
@@ -83,18 +89,19 @@ struct authenticator_t {
* - the nonce value received from the other peer
* - the ID payload of myself
*
- * @param this authenticator_t object
+ * @param this calling object
* @param[out] auth_payload The object of typee auth_payload_t will be created at pointing location
* @param last_sent_packet binary representation of the last sent IKEv2-Message
- * @param other_nonce The received nonce (without payload header)
- * @param my_id_payload The ID payload going to send to other peer
- * @param initiator Type of myself. TRUE, if I'm original initiator, FALSE otherwise
-
+ * @param other_nonce the received nonce (without payload header)
+ * @param my_id_payload the ID payload going to send to other peer
+ * @param initiator type of myself. TRUE, if I'm original initiator, FALSE otherwise
+ *
+ * @todo Document RSA error status types
+ *
* @return
* - SUCCESS if authentication data could be computed
* - NOT_SUPPORTED if AUTH method not supported
* - NOT_FOUND if the data for AUTH method could not be found
- * - TODO rsa errors!!
*/
status_t (*compute_auth_data) (authenticator_t *this,
auth_payload_t **auth_payload,
@@ -106,7 +113,7 @@ struct authenticator_t {
/**
* @brief Destroys a authenticator_t object.
*
- * @param this authenticator_t object
+ * @param this calling object
*/
void (*destroy) (authenticator_t *this);
};
@@ -116,13 +123,15 @@ struct authenticator_t {
*
* @warning: The following functions of the assigned protected_ike_sa_t object
* must return a valid value:
- * - protected_ike_sa_t.get_sa_config
- * - protected_ike_sa_t.get_prf
- * - protected_ike_sa_t.get_logger
+ * - protected_ike_sa_t.get_sa_config
+ * - protected_ike_sa_t.get_prf
+ * - protected_ike_sa_t.get_logger
* This preconditions are not given in IKE_SA states INITIATOR_INIT or RESPONDER_INIT!
*
* @param ike_sa object of type protected_ike_sa_t
*
+ * @return authenticator_t object
+ *
* @ingroup sa
*/
authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa);
diff --git a/Source/charon/sa/child_sa.h b/Source/charon/sa/child_sa.h
index 3e8a6fea4..593187d02 100644
--- a/Source/charon/sa/child_sa.h
+++ b/Source/charon/sa/child_sa.h
@@ -21,8 +21,8 @@
*/
-#ifndef CHILD_SA_H_
-#define CHILD_SA_H_
+#ifndef _CHILD_SA_H_
+#define _CHILD_SA_H_
#include <types.h>
#include <transforms/prf_plus.h>
@@ -70,4 +70,4 @@ struct child_sa_t {
*/
child_sa_t * child_sa_create(protocol_id_t protocol_id, prf_plus_t *prf_plus);
-#endif /*CHILD_SA_H_*/
+#endif /*_CHILD_SA_H_*/
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 3a4f831cb..063b1ec4e 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -285,7 +285,8 @@ static status_t process_message (private_ike_sa_t *this, message_t *message)
is_request = message->get_request(message);
exchange_type = message->get_exchange_type(message);
- this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",(is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
+ this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
+ (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
message_id = message->get_message_id(message);
@@ -305,7 +306,9 @@ static status_t process_message (private_ike_sa_t *this, message_t *message)
/* In a request, the message has to be this->message_id_in (other case is already handled) */
if (message_id != this->message_id_in)
{
- this->logger->log(this->logger, ERROR | LEVEL1, "Message request with message id %d received, but %d expected",message_id,this->message_id_in);
+ this->logger->log(this->logger, ERROR | LEVEL1,
+ "Message request with message id %d received, but %d expected",
+ message_id,this->message_id_in);
return FAILED;
}
}
@@ -314,7 +317,9 @@ static status_t process_message (private_ike_sa_t *this, message_t *message)
/* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
if (message_id != (this->message_id_out - 1))
{
- this->logger->log(this->logger, ERROR | LEVEL1, "Message reply with message id %d received, but %d expected",message_id,this->message_id_in);
+ this->logger->log(this->logger, ERROR | LEVEL1,
+ "Message reply with message id %d received, but %d expected",
+ message_id,this->message_id_in);
return FAILED;
}
}
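Review bot: The reply branch logs the wrong expected value: the check is `message_id != (this->message_id_out - 1)`, but the reformatted log call still prints `this->message_id_in` as the expected id. Anyone diagnosing a rejected or replayed reply from the log will be pointed at the wrong counter. Change the argument line to `message_id, this->message_id_out - 1);`. The format uses `%d`; if the ids are unsigned 32-bit values (their declarations are not visible here), `%u` would match better.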
@@ -379,7 +384,10 @@ static ike_sa_id_t* get_id(private_ike_sa_t *this)
/**
* Implementation of protected_ike_sa_t.compute_secrets.
*/
-static void compute_secrets(private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce)
+static void compute_secrets(private_ike_sa_t *this,
+ chunk_t dh_shared_secret,
+ chunk_t initiator_nonce,
+ chunk_t responder_nonce)
{
u_int8_t ei_buffer[this->crypter_initiator->get_block_size(this->crypter_initiator)];
chunk_t ei_key = {ptr: ei_buffer, len: sizeof(ei_buffer)};
@@ -454,10 +462,14 @@ static void compute_secrets(private_ike_sa_t *this,chunk_t dh_shared_secret,chun
this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(er_key));
this->crypter_responder->set_key(this->crypter_responder,er_key);
- prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pi_key));
+ prf_plus->allocate_bytes(prf_plus,
+ this->crypter_responder->get_block_size(this->crypter_responder),
+ &(this->secrets.pi_key));
this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
- prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pr_key));
+ prf_plus->allocate_bytes(prf_plus,
+ this->crypter_responder->get_block_size(this->crypter_responder),
+ &(this->secrets.pr_key));
this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
prf_plus->destroy(prf_plus);
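Review bot: `pi_key` and `pr_key` are sized with `this->crypter_responder->get_block_size(this->crypter_responder)`, the cipher's block size, whereas IKEv2 defines the lengths of SK_d, SK_pi and SK_pr as the key length of the negotiated PRF. Whenever the cipher block size differs from the PRF key length, the AUTH keys derived here will not match those of a conforming peer, and they may be shorter than the PRF expects. Take the length from the PRF instead, for example `this->prf->get_block_size(this->prf)` if that accessor returns the PRF key length in this code base (confirm against prf.h). The same hunk writes each derived key to the log with `log_chunk(..., PRIVATE, ...)`; make sure that level is off in any production logging configuration. `compute_secrets` starts and ends outside the hunk.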
@@ -619,11 +631,17 @@ static chunk_t get_key_pi (private_ike_sa_t *this)
*/
static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal)
{
- this->logger->log(this->logger, CONTROL|LEVEL1, "Going to create transform objects for proposal");
-
- this->logger->log(this->logger, CONTROL|LEVEL1, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,proposal->encryption_algorithm),proposal->encryption_algorithm_key_length);
- this->logger->log(this->logger, CONTROL|LEVEL1, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,proposal->integrity_algorithm),proposal->integrity_algorithm_key_length);
- this->logger->log(this->logger, CONTROL|LEVEL1, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,proposal->pseudo_random_function),proposal->pseudo_random_function_key_length);
+ this->logger->log(this->logger, CONTROL|LEVEL2, "Going to create transform objects for proposal");
+
+ this->logger->log(this->logger, CONTROL|LEVEL2, "Encryption algorithm: %s with keylength %d",
+ mapping_find(encryption_algorithm_m,proposal->encryption_algorithm),
+ proposal->encryption_algorithm_key_length);
+ this->logger->log(this->logger, CONTROL|LEVEL2, "Integrity algorithm: %s with keylength %d",
+ mapping_find(integrity_algorithm_m,proposal->integrity_algorithm),
+ proposal->integrity_algorithm_key_length);
+ this->logger->log(this->logger, CONTROL|LEVEL2, "PRF: %s with keylength %d",
+ mapping_find(pseudo_random_function_m,proposal->pseudo_random_function),
+ proposal->pseudo_random_function_key_length);
if (this->prf != NULL)
{
@@ -632,7 +650,8 @@ static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_prop
this->prf = prf_create(proposal->pseudo_random_function);
if (this->prf == NULL)
{
- this->logger->log(this->logger, ERROR|LEVEL1, "prf not supported!");
+ this->logger->log(this->logger, ERROR|LEVEL1, "PRF %s not supported!",
+ mapping_find(pseudo_random_function_m,proposal->pseudo_random_function));
return FAILED;
}
@@ -640,10 +659,11 @@ static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_prop
{
this->crypter_initiator->destroy(this->crypter_initiator);
}
- this->crypter_initiator = crypter_create(proposal->encryption_algorithm,proposal->encryption_algorithm_key_length);
+ this->crypter_initiator = crypter_create(proposal->encryption_algorithm,
+ proposal->encryption_algorithm_key_length);
if (this->crypter_initiator == NULL)
{
- this->logger->log(this->logger, ERROR|LEVEL1, "encryption algorithm %s not supported!",
+ this->logger->log(this->logger, ERROR|LEVEL1, "Encryption algorithm %s not supported!",
mapping_find(encryption_algorithm_m,proposal->encryption_algorithm));
return FAILED;
}
@@ -652,7 +672,8 @@ static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_prop
{
this->crypter_responder->destroy(this->crypter_responder);
}
- this->crypter_responder = crypter_create(proposal->encryption_algorithm,proposal->encryption_algorithm_key_length);
+ this->crypter_responder = crypter_create(proposal->encryption_algorithm,
+ proposal->encryption_algorithm_key_length);
/* check must not be done again */
if (this->signer_initiator != NULL)
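Review bot: `this->crypter_responder` is assigned from `crypter_create(...)` without the NULL check that `crypter_initiator` gets, and the comment `/* check must not be done again */` reads as a prohibition rather than "need not". The algorithm is known to be supported at this point, but if `crypter_create` can also return NULL for another reason such as allocation failure (not visible here), `compute_secrets` later calls `this->crypter_responder->get_block_size` through a null pointer. Either add `if (this->crypter_responder == NULL) { return FAILED; }` or reword the comment to state why the result cannot be NULL. The function continues outside the hunk.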
@@ -662,7 +683,8 @@ static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_prop
this->signer_initiator = signer_create(proposal->integrity_algorithm);
if (this->signer_initiator == NULL)
{
- this->logger->log(this->logger, ERROR|LEVEL1, "integrity algorithm not supported!");
+ this->logger->log(this->logger, ERROR|LEVEL1, "Integrity algorithm %s not supported!",
+ mapping_find(integrity_algorithm_m,proposal->integrity_algorithm));
return FAILED;
}
@@ -742,7 +764,9 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
return FAILED;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
+ this->logger->log(this->logger, CONTROL|LEVEL3,
+ "Add request packet with message id %d to global send queue",
+ this->message_id_out);
charon->send_queue->add(charon->send_queue, packet);
if (this->last_requested_message != NULL)
@@ -751,12 +775,13 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
this->last_requested_message->destroy(this->last_requested_message);
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "replace last requested message with new one");
+ this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
this->last_requested_message = message;
retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
- status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,retransmit_job->get_retransmit_count(retransmit_job),&timeout);
+ status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,
+ retransmit_job->get_retransmit_count(retransmit_job),&timeout);
if (status != SUCCESS)
{
@@ -770,7 +795,9 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
}
/* message counter can now be increased */
- this->logger->log(this->logger, CONTROL|LEVEL2, "Increase message counter for outgoing messages from %d",this->message_id_out);
+ this->logger->log(this->logger, CONTROL|LEVEL3,
+ "Increase message counter for outgoing messages from %d",
+ this->message_id_out);
this->message_id_out++;
return SUCCESS;
}
@@ -785,7 +812,7 @@ static status_t send_response (private_ike_sa_t *this,message_t * message)
if (message->get_message_id(message) != this->message_id_in)
{
- this->logger->log(this->logger, CONTROL|LEVEL2, "Message could not be sent cause id was not as expected");
+ this->logger->log(this->logger, ERROR, "Message could not be sent cause id was not as expected");
return FAILED;
}
@@ -796,7 +823,9 @@ static status_t send_response (private_ike_sa_t *this,message_t * message)
return FAILED;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
+ this->logger->log(this->logger, CONTROL|LEVEL3,
+ "Add response packet with message id %d to global send queue",
+ this->message_id_in);
charon->send_queue->add(charon->send_queue, packet);
if (this->last_responded_message != NULL)
@@ -805,11 +834,11 @@ static status_t send_response (private_ike_sa_t *this,message_t * message)
this->last_responded_message->destroy(this->last_responded_message);
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "replace last responded message with new one");
+ this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
this->last_responded_message = message;
/* message counter can now be increased */
- this->logger->log(this->logger, CONTROL|LEVEL2, "Increase message counter for incoming messages");
+ this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
this->message_id_in++;
return SUCCESS;
@@ -839,6 +868,9 @@ static message_t * get_last_requested_message (private_ike_sa_t *this)
return this->last_requested_message;
}
+/**
+ * Implementation of protected_ike_sa_t.get_state.
+ */
static ike_sa_state_t get_state (private_ike_sa_t *this)
{
return this->current_state->get_state(this->current_state);
@@ -869,11 +901,16 @@ static void reset_message_buffers (private_ike_sa_t *this)
this->last_replied_message_id = -1;
}
+/**
+ * Implementation of protected_ike_sa_t.create_delete_established_ike_sa_job.
+ */
static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32_t timeout)
{
job_t *delete_job;
- this->logger->log(this->logger, CONTROL | LEVEL1, "Going to create job to delete established IKE_SA in %d ms", timeout);
+ this->logger->log(this->logger, CONTROL | LEVEL1,
+ "Going to create job to delete established IKE_SA in %d ms",
+ timeout);
delete_job = (job_t *) delete_established_ike_sa_job_create(this->ike_sa_id);
charon->event_queue->add_relative(charon->event_queue,delete_job, timeout);
@@ -890,7 +927,7 @@ static void destroy (private_ike_sa_t *this)
this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
/* destroy child sa's */
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy all child_sa's");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy all child_sa's");
while (this->child_sas->get_count(this->child_sas) > 0)
{
void *child_sa;
@@ -902,86 +939,86 @@ static void destroy (private_ike_sa_t *this)
}
this->child_sas->destroy(this->child_sas);
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy secrets");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy secrets");
allocator_free(this->secrets.d_key.ptr);
allocator_free(this->secrets.pi_key.ptr);
allocator_free(this->secrets.pr_key.ptr);
if (this->crypter_initiator != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy initiator crypter_t object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator crypter_t object");
this->crypter_initiator->destroy(this->crypter_initiator);
}
if (this->crypter_responder != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy responder crypter_t object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder crypter_t object");
this->crypter_responder->destroy(this->crypter_responder);
}
if (this->signer_initiator != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy initiator signer_t object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator signer_t object");
this->signer_initiator->destroy(this->signer_initiator);
}
if (this->signer_responder != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy responder signer_t object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder signer_t object");
this->signer_responder->destroy(this->signer_responder);
}
if (this->prf != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy prf_t object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy prf_t object");
this->prf->destroy(this->prf);
}
/* destroy ike_sa_id */
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy ike_sa_id object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy ike_sa_id object");
this->ike_sa_id->destroy(this->ike_sa_id);
/* destroy stored requested message */
if (this->last_requested_message != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy last requested message");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last requested message");
this->last_requested_message->destroy(this->last_requested_message);
}
/* destroy stored responded messages */
if (this->last_responded_message != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy last responded message");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last responded message");
this->last_responded_message->destroy(this->last_responded_message);
}
/* destroy stored host_t objects */
if (this->me.host != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy my host_t object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy my host_t object");
this->me.host->destroy(this->me.host);
}
/* destroy stored host_t objects */
if (this->other.host != NULL)
{
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy other host_t object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy other host_t object");
this->other.host->destroy(this->other.host);
}
this->randomizer->destroy(this->randomizer);
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy current state object");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy current state object");
this->current_state->destroy(this->current_state);
- this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy logger of IKE_SA");
+ this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy logger of IKE_SA");
charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
allocator_free(this);
}
/*
- * Described in Header
+ * Described in header.
*/
ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
{
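Review bot: Under the `"Destroy secrets"` log line, `d_key`, `pi_key` and `pr_key` are handed to `allocator_free` without being overwritten, so the key octets stay readable in freed heap memory after the IKE_SA is destroyed. Clear each chunk over its `len` before freeing it, using a wipe the compiler cannot elide, since a plain `memset` directly before a free may be optimized away. One way is a small helper called as `wipe_chunk(&this->secrets.d_key);` (placeholder name) ahead of each `allocator_free`. The keys installed in the crypter and signer objects would need the same treatment inside their own `destroy` functions, which are not part of this diff.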
@@ -1057,10 +1094,12 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
/* at creation time, IKE_SA is in a initiator state */
if (ike_sa_id->is_initiator(ike_sa_id))
{
+ this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
this->current_state = (state_t *) initiator_init_create(&(this->protected));
}
else
{
+ this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
this->current_state = (state_t *) responder_init_create(&(this->protected));
}
return &(this->protected.public);
diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h
index 5aecb216d..3c5d0faf4 100644
--- a/Source/charon/sa/ike_sa.h
+++ b/Source/charon/sa/ike_sa.h
@@ -1,7 +1,7 @@
/**
* @file ike_sa.h
*
- * @brief Interface of ike_sa_id_t.
+ * @brief Interface of ike_sa_t.
*
*/
@@ -36,19 +36,23 @@
#include <transforms/signers/signer.h>
/**
- * Nonce size in bytes of all sent nonces
+ * Nonce size in bytes for nonces sending to other peer.
+ *
+ * @warning Nonce size MUST be between 16 and 256 bytes.
*
* @ingroup sa
*/
#define NONCE_SIZE 16
+
typedef struct ike_sa_t ike_sa_t;
/**
- * @brief Class ike_sa_t. An object of this type is managed by an
- * ike_sa_manager_t object and represents an IKE_SA. Message processing
- * is split up in different states. They will handle all related things
- * for their state.
+ * @brief Class ike_sa_t representing an IKE_SA.
+ *
+ * An object of this type is managed by an ike_sa_manager_t object
+ * and represents an IKE_SA. Message processing is split up in different states.
+ * They will handle all related things for the state they represent.
*
* @b Constructors:
* - ike_sa_create()
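Review bot: The new `@warning` on `NONCE_SIZE` gives only the 16 to 256 byte range, but IKEv2 also requires a nonce to be at least half the key size of the negotiated PRF. With the fixed value `16`, that holds only for PRFs whose key is at most 256 bits, and nothing in the comment tells a maintainer adding a larger PRF to revisit it. Extend the comment, for example `* @warning Nonce size MUST be between 16 and 256 bytes and at least half the key size of the negotiated PRF.`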
@@ -58,11 +62,14 @@ typedef struct ike_sa_t ike_sa_t;
struct ike_sa_t {
/**
- * @brief Processes a incoming IKEv2-Message of type message_t
+ * @brief Processes a incoming IKEv2-Message of type message_t.
*
* @param this ike_sa_t object object
* @param[in] message message_t object to process
- * @return SUCCESSFUL if succeeded, FAILED otherwise
+ * @return
+ * - SUCCESS
+ * - FAILED
+ * - DELETE_ME if this IKE_SA MUST be deleted
*/
status_t (*process_message) (ike_sa_t *this,message_t *message);
@@ -74,7 +81,7 @@ struct ike_sa_t {
* @return
* - SUCCESS if initialization started
* - FAILED if in wrong state
- * - DELETE_ME if initialization faild and SA should be deleted
+ * - DELETE_ME if initialization failed and IKE_SA MUST be deleted
*/
status_t (*initialize_connection) (ike_sa_t *this, char *name);
@@ -91,8 +98,10 @@ struct ike_sa_t {
/**
* @brief Get the id of the SA.
+ *
+ * Returned ike_sa_id_t object is not getting cloned!
*
- * @param this ike_sa_t object object
+ * @param this calling object
* @return ike_sa's ike_sa_id_t
*/
ike_sa_id_t* (*get_id) (ike_sa_t *this);
@@ -100,7 +109,7 @@ struct ike_sa_t {
/**
* @brief Get the state of type of associated state object.
*
- * @param this ike_sa_t object object
+ * @param this calling object
* @return state of IKE_SA
*/
ike_sa_state_t (*get_state) (ike_sa_t *this);
@@ -108,7 +117,7 @@ struct ike_sa_t {
/**
* @brief Destroys a ike_sa_t object.
*
- * @param this ike_sa_t object
+ * @param this calling object
*/
void (*destroy) (ike_sa_t *this);
};
@@ -117,27 +126,27 @@ struct ike_sa_t {
typedef struct protected_ike_sa_t protected_ike_sa_t;
/**
- * @brief Protected data of an ike_sa_t object.
+ * @brief Protected functions of an ike_sa_t object.
*
- * This members should only be accessed from
- * the varius state classes.
+ * This members are only accessed out from
+ * the various state_t implementations.
*
* @ingroup sa
*/
struct protected_ike_sa_t {
/**
- * Public part of a ike_sa_t object
+ * Public interface of an ike_sa_t object.
*/
ike_sa_t public;
/**
- * Builds an empty IKEv2-Message and fills in default informations.
+ * @brief Build an empty IKEv2-Message and fills in default informations.
*
* Depending on the type of message (request or response), the message id is
* either message_id_out or message_id_in.
*
- * Used in every state.
+ * Used in state_t Implementation to build an empty IKEv2-Message.
*
* @param this calling object
* @param type exchange type of new message
@@ -147,17 +156,25 @@ struct protected_ike_sa_t {
void (*build_message) (protected_ike_sa_t *this, exchange_type_t type, bool request, message_t **message);
/**
- * Initiate a new connection with given configuration name
+ * @brief Compute the shared secrets needed for encryption, signing, etc.
+ *
+ * Preconditions:
+ * - Call of function protected_ike_sa_t.create_transforms_from_proposal
*
* @param this calling object
* @param dh_shared_secret shared secret of diffie hellman exchange
* @param initiator_nonce nonce of initiator
* @param responder_nonce nonce of responder
*/
- void (*compute_secrets) (protected_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce);
+ void (*compute_secrets) (protected_ike_sa_t *this,
+ chunk_t dh_shared_secret,
+ chunk_t initiator_nonce,
+ chunk_t responder_nonce);
/**
- * Gets the internal stored logger_t object for given ike_sa_t object.
+ * @brief Get the internal stored logger_t object for given ike_sa_t object.
+ *
+ * @warning Returned logger_t object is original one and managed by this object.
*
* @param this calling object
* @return pointer to the internal stored logger_t object
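Review bot: The rewritten compute_secrets comment does not say who owns the `dh_shared_secret` chunk and the two nonce chunks after the call, or whether the callee copies them. For key material this matters, because the caller has to know when it may free and wipe the Diffie-Hellman secret. If it matches the implementation, which is not visible in this hunk, I would add a line such as `* Passed chunks are only read; the caller remains responsible for freeing and wiping dh_shared_secret.`.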
@@ -165,9 +182,7 @@ struct protected_ike_sa_t {
logger_t *(*get_logger) (protected_ike_sa_t *this);
/**
- * Gets the internal stored init_config_t object.
- *
- * Returned value has to get checked for NULL value!
+ * @brief Get the internal stored init_config_t object.
*
* @param this calling object
* @return pointer to the internal stored init_config_t object
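Review bot: Removing `Returned value has to get checked for NULL value!` from get_init_config drops the only hint that this getter may return NULL, and the get_sa_config hunk further down removes the same sentence. Nothing visible in this commit shows that either pointer is now always set, so a state implementation written against the new comment could dereference an unset config. If NULL is still possible before set_init_config or set_sa_config has been called, keep the caveat in the return text, e.g. `@return pointer to the internal stored init_config_t object, NULL if none is set`.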
@@ -175,7 +190,7 @@ struct protected_ike_sa_t {
init_config_t *(*get_init_config) (protected_ike_sa_t *this);
/**
- * Sets the internal init_config_t object.
+ * @brief Set the internal init_config_t object.
*
* @param this calling object
* @param init_config object of type init_config_t
@@ -183,9 +198,7 @@ struct protected_ike_sa_t {
void (*set_init_config) (protected_ike_sa_t *this,init_config_t *init_config);
/**
- * Gets the internal stored sa_config_t object.
- *
- * Returned value has to get checked for NULL value!
+ * @brief Get the internal stored sa_config_t object.
*
* @param this calling object
* @return pointer to the internal stored sa_config_t object
@@ -193,7 +206,7 @@ struct protected_ike_sa_t {
sa_config_t *(*get_sa_config) (protected_ike_sa_t *this);
/**
- * Sets the internal sa_config_t object.
+ * @brief Set the internal sa_config_t object.
*
* @param this calling object
* @param sa_config object of type sa_config_t
@@ -201,7 +214,7 @@ struct protected_ike_sa_t {
void (*set_sa_config) (protected_ike_sa_t *this,sa_config_t *sa_config);
/**
- * Gets the internal stored host_t object for my host.
+ * @brief Get the internal stored host_t object for my host.
*
* @param this calling object
* @return pointer to the internal stored host_t object
@@ -209,7 +222,7 @@ struct protected_ike_sa_t {
host_t *(*get_my_host) (protected_ike_sa_t *this);
/**
- * Gets the internal stored host_t object for other host.
+ * @brief Get the internal stored host_t object for other host.
*
* @param this calling object
* @return pointer to the internal stored host_t object
@@ -217,7 +230,7 @@ struct protected_ike_sa_t {
host_t *(*get_other_host) (protected_ike_sa_t *this);
/**
- * Sets the internal stored host_t object for my host.
+ * @brief Set the internal stored host_t object for my host.
*
* Allready existing object gets destroyed. object gets not cloned!
*
@@ -227,7 +240,7 @@ struct protected_ike_sa_t {
void (*set_my_host) (protected_ike_sa_t *this,host_t * my_host);
/**
- * Sets the internal stored host_t object for other host.
+ * @brief Set the internal stored host_t object for other host.
*
* Allready existing object gets destroyed. object gets not cloned!
*
@@ -237,8 +250,8 @@ struct protected_ike_sa_t {
void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host);
/**
- * Creates all needed transform objects for given ike_sa_t using
- * the informations stored in a ike_proposal_t object
+ * @brief Create all needed transform objects for this IKE_SA using
+ * the informations stored in a ike_proposal_t object.
*
* Allready existing objects get destroyed.
*
@@ -249,11 +262,11 @@ struct protected_ike_sa_t {
status_t (*create_transforms_from_proposal) (protected_ike_sa_t *this,ike_proposal_t * proposal);
/**
- * Sends the next request message.
+ * @brief Send the next request message.
*
* Also the first retransmit job is created.
*
- * Stored requested message gets destroyed. object gets not cloned!
+ * Last stored requested message gets destroyed. Object gets not cloned!
*
* @param this calling object
* @param message pointer to the message which should be sent
@@ -264,9 +277,9 @@ struct protected_ike_sa_t {
status_t (*send_request) (protected_ike_sa_t *this,message_t * message);
/**
- * Sends the next response message.
+ * @brief Send the next response message.
*
- * Stored responded message gets destroyed. object gets not cloned!
+ * Last stored responded message gets destroyed. Object gets not cloned!
*
* @param this calling object
* @param message pointer to the message which should be sent
@@ -277,7 +290,7 @@ struct protected_ike_sa_t {
status_t (*send_response) (protected_ike_sa_t *this,message_t * message);
/**
- * Gets the internal stored randomizer_t object.
+ * @brief Get the internal stored randomizer_t object.
*
* @param this calling object
* @return pointer to the internal randomizer_t object
@@ -285,10 +298,10 @@ struct protected_ike_sa_t {
randomizer_t *(*get_randomizer) (protected_ike_sa_t *this);
/**
- * Sets the new state_t object of the IKE_SA object.
+ * @brief Set the new state_t object of the IKE_SA object.
*
* The old state_t object gets not destroyed. It's the callers duty to
- * make sure old state is destroyed (Normally the old state is the caller ).
+ * make sure old state is destroyed (Normally the old state is the caller).
*
* @param this calling object
* @param state pointer to the new state_t object
@@ -296,7 +309,7 @@ struct protected_ike_sa_t {
void (*set_new_state) (protected_ike_sa_t *this,state_t *state);
/**
- * Sets the last replied message id.
+ * @brief Set the last replied message id.
*
* @param this calling object
* @param message_id message id
@@ -304,7 +317,7 @@ struct protected_ike_sa_t {
void (*set_last_replied_message_id) (protected_ike_sa_t *this,u_int32_t message_id);
/**
- * Gets the internal stored initiator crypter_t object.
+ * @brief Get the internal stored initiator crypter_t object.
*
* @param this calling object
* @return pointer to crypter_t object
@@ -312,7 +325,7 @@ struct protected_ike_sa_t {
crypter_t *(*get_crypter_initiator) (protected_ike_sa_t *this);
/**
- * Gets the internal stored initiator signer object.
+ * @brief Get the internal stored initiator signer_t object.
*
* @param this calling object
* @return pointer to signer_t object
@@ -320,7 +333,7 @@ struct protected_ike_sa_t {
signer_t *(*get_signer_initiator) (protected_ike_sa_t *this);
/**
- * Gets the internal stored responder crypter_t object.
+ * @brief Get the internal stored responder crypter_t object.
*
* @param this calling object
* @return pointer to crypter_t object
@@ -328,7 +341,7 @@ struct protected_ike_sa_t {
crypter_t *(*get_crypter_responder) (protected_ike_sa_t *this);
/**
- * Gets the internal stored responder signer object.
+ * @brief Get the internal stored responder signer object.
*
* @param this calling object
* @return pointer to signer_t object
@@ -336,7 +349,7 @@ struct protected_ike_sa_t {
signer_t *(*get_signer_responder) (protected_ike_sa_t *this);
/**
- * Gets the internal stored prf_t object.
+ * @brief Get the internal stored prf_t object.
*
* @param this calling object
* @return pointer to prf_t object
@@ -344,7 +357,7 @@ struct protected_ike_sa_t {
prf_t *(*get_prf) (protected_ike_sa_t *this);
/**
- * Gets the last responded message.
+ * @brief Get the last responded message.
*
* @param this calling object
* @return
@@ -354,7 +367,7 @@ struct protected_ike_sa_t {
message_t *(*get_last_responded_message) (protected_ike_sa_t *this);
/**
- * Gets the last requested message.
+ * @brief Get the last requested message.
*
* @param this calling object
* @return
@@ -364,7 +377,7 @@ struct protected_ike_sa_t {
message_t *(*get_last_requested_message) (protected_ike_sa_t *this);
/**
- * Gets the Shared key SK_pr.
+ * @brief Get the Shared key SK_pr.
*
* Returned value is not cloned!
*
@@ -374,25 +387,24 @@ struct protected_ike_sa_t {
chunk_t (*get_key_pr) (protected_ike_sa_t *this);
/**
- * Gets the Shared key SK_pi.
+ * @brief Get the Shared key SK_pi.
*
* Returned value is not cloned!
*
* @param this calling object
- * @return SK_pr key
+ * @return SK_pi key
*/
chunk_t (*get_key_pi) (protected_ike_sa_t *this);
/**
- * Resets message id counters and does destroy stored received and sent messages.
+ * @brief Resets message counters and does destroy stored received and sent messages.
*
* @param this calling object
*/
void (*reset_message_buffers) (protected_ike_sa_t *this);
/**
- * Creates a job of type DELETE_ESTABLISHED_IKE_SA for the current IKE_SA.
- *
+ * @brief Creates a job of type DELETE_ESTABLISHED_IKE_SA for the current IKE_SA.
*
* @param this calling object
* @param timeout timeout after the IKE_SA gets deleted
@@ -402,17 +414,15 @@ struct protected_ike_sa_t {
};
-
/**
- * Creates an ike_sa_t object with a specific ike_sa_id_t object
+ * @brief Creates an ike_sa_t object with a specific ID.
+ *
+ * @warning the Content of internal ike_sa_id_t object can change over time
+ * e.g. when a IKE_SA_INIT has been finished.
*
* @param[in] ike_sa_id ike_sa_id_t object to associate with new IKE_SA.
* The object is internal getting cloned
* and so has to be destroyed by the caller.
- *
- * @warning the Content of internal ike_sa_id_t object can change over time
- * e.g. when a IKE_SA_INIT has been finished.
- *
* @return ike_sa_t object
*
* @ingroup sa
diff --git a/Source/charon/sa/ike_sa_manager.c b/Source/charon/sa/ike_sa_manager.c
index 78a467d8e..0eec8ea5d 100644
--- a/Source/charon/sa/ike_sa_manager.c
+++ b/Source/charon/sa/ike_sa_manager.c
@@ -39,41 +39,48 @@ typedef struct ike_sa_entry_t ike_sa_entry_t;
*/
struct ike_sa_entry_t {
/**
- * destructor, also destroys ike_sa
+ * Destructor, also destroys associated ike_sa_t object.
*/
status_t (*destroy) (ike_sa_entry_t *this);
+
/**
- * Number of threads waiting for this ike_sa
+ * Number of threads waiting for this ike_sa_t object.
*/
int waiting_threads;
+
/**
- * condvar where threads can wait until it's free again
+ * Condvar where threads can wait until ike_sa_t object is free for use again.
*/
pthread_cond_t condvar;
+
/**
- * is this ike_sa currently checked out?
+ * Is this ike_sa currently checked out?
*/
bool checked_out;
+
/**
* Does this SA drives out new threads?
*/
bool driveout_new_threads;
+
/**
* Does this SA drives out waiting threads?
*/
bool driveout_waiting_threads;
+
/**
- * identifiaction of ike_sa (SPIs)
+ * Identifiaction of an IKE_SA (SPIs).
*/
ike_sa_id_t *ike_sa_id;
+
/**
- * the contained ike_sa
+ * The contained ike_sa_t object.
*/
ike_sa_t *ike_sa;
};
/**
- * Implements ike_sa_entry_t.destroy.
+ * Implementation of ike_sa_entry_t.destroy.
*/
static status_t ike_sa_entry_destroy(ike_sa_entry_t *this)
{
@@ -85,12 +92,12 @@ static status_t ike_sa_entry_destroy(ike_sa_entry_t *this)
}
/**
- * @brief creates a new entry for the ike_sa list
+ * @brief Creates a new entry for the ike_sa_t list.
*
* This constructor additionaly creates a new and empty SA.
*
- * @param ike_sa_id the associated ike_sa_id_t, will be cloned
- * @return created entry, with ike_sa and ike_sa_id
+ * @param ike_sa_id The associated ike_sa_id_t, will be cloned
+ * @return ike_sa_entry_t object
*/
static ike_sa_entry_t *ike_sa_entry_create(ike_sa_id_t *ike_sa_id)
{
@@ -116,36 +123,37 @@ static ike_sa_entry_t *ike_sa_entry_create(ike_sa_id_t *ike_sa_id)
return this;
}
+
typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
/**
- * Additional private members to ike_sa_manager_t
+ * Additional private members of ike_sa_manager_t.
*/
struct private_ike_sa_manager_t {
/**
- * Public members
+ * Public interface of ike_sa_manager_t.
*/
ike_sa_manager_t public;
/**
- * @brief get next spi
- *
- * we give out SPIs incremental.
+ * @brief Get next spi.
*
+ * We give out SPIs incremental starting at 1.
+ *
* @param this the ike_sa_manager
* @return the next spi
*/
u_int64_t (*get_next_spi) (private_ike_sa_manager_t *this);
/**
- * @brief find the ike_sa_entry in the list by SPIs.
+ * @brief Find the ike_sa_entry_t object in the list by SPIs.
*
* This function simply iterates over the linked list. A hash-table
* would be more efficient when storing a lot of IKE_SAs...
*
- * @param this the ike_sa_manager containing the list
+ * @param this calling object
* @param ike_sa_id id of the ike_sa, containing SPIs
- * @param entry[out] pointer to set to the found entry
+ * @param[out] entry pointer to set to the found entry
* @return
* - SUCCESS when found,
* - NOT_FOUND when no such ike_sa_id in list
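Review bot: The get_next_spi comment now documents that SPIs are handed out sequentially starting at 1, which makes every SPI this manager assigns predictable to a sender that never saw the exchange. The SPIs are the lookup key of get_entry_by_id, so guessable values make it easier to direct forged packets at an existing IKE_SA. Since this commit is a documentation pass, I would at least record the limitation next to the description, e.g. `@todo Draw SPIs from a randomizer_t instead of a counter.`. The implementation of get_next_spi is outside this hunk.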
@@ -153,14 +161,14 @@ struct private_ike_sa_manager_t {
status_t (*get_entry_by_id) (private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id, ike_sa_entry_t **entry);
/**
- * @brief find the ike_sa_entry in the list by pointer to SA.
+ * @brief Find the ike_sa_entry_t in the list by pointer to SA.
*
* This function simply iterates over the linked list. A hash-table
* would be more efficient when storing a lot of IKE_SAs...
*
- * @param this the ike_sa_manager containing the list
- * @param ike_sa pointer to the ike_sa
- * @param entry[out] pointer to set to the found entry
+ * @param this calling object
+ * @param ike_sa pointer to the ike_sa
+ * @param[out] entry pointer to set to the found entry
* @return
* - SUCCESS when found,
* - NOT_FOUND when no such ike_sa_id in list
@@ -168,9 +176,9 @@ struct private_ike_sa_manager_t {
status_t (*get_entry_by_sa) (private_ike_sa_manager_t *this, ike_sa_t *ike_sa, ike_sa_entry_t **entry);
/**
- * @brief delete an entry from the linked list
+ * @brief Felete an entry from the linked list.
*
- * @param this the ike_sa_manager containing the list
+ * @param this calling object
* @param entry entry to delete
* @return
* - SUCCESS when found,
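Review bot: The rewritten brief for delete_entry introduces a typo, `Felete`. The line should read `@brief Delete an entry from the linked list.`. The struct declaration continues outside this hunk.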
@@ -179,28 +187,28 @@ struct private_ike_sa_manager_t {
status_t (*delete_entry) (private_ike_sa_manager_t *this, ike_sa_entry_t *entry);
/**
- * lock for exclusivly accessing the manager
+ * Lock for exclusivly accessing the manager.
*/
pthread_mutex_t mutex;
/**
- * Logger used for this IKE SA Manager
+ * Logger used for this IKE SA Manager.
*/
logger_t *logger;
/**
- * Linked list with entries for the ike_sa
+ * Linked list with entries for the ike_sa_t objects.
*/
linked_list_t *ike_sa_list;
/**
- * Next SPI, needed for incremental creation of SPIs
+ * Next SPI, needed for incremental creation of SPIs.
*/
u_int64_t next_spi;
};
/**
- * Implements private_ike_sa_manager_t.get_entry_by_id.
+ * Implementation of private_ike_sa_manager_t.get_entry_by_id.
*/
static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id, ike_sa_entry_t **entry)
{
@@ -256,7 +264,7 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
}
/**
- * Implements private_ike_sa_manager_t.get_entry_by_sa.
+ * Implementation of private_ike_sa_manager_t.get_entry_by_sa.
*/
static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa, ike_sa_entry_t **entry)
{
@@ -288,7 +296,7 @@ static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
}
/**
- * Implements private_ike_sa_manager_s.delete_entry.
+ * Implementation of private_ike_sa_manager_s.delete_entry.
*/
static status_t delete_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *entry)
{
@@ -319,7 +327,7 @@ static status_t delete_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *ent
/**
- * Implements private_ike_sa_manager_t.get_next_spi.
+ * Implementation of private_ike_sa_manager_t.get_next_spi.
*/
static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
{
@@ -333,7 +341,7 @@ static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
}
/**
- * Implementation of ike_sa_manager.create_and_checkout.
+ * Implementation of of ike_sa_manager.create_and_checkout.
*/
static void create_and_checkout(private_ike_sa_manager_t *this,ike_sa_t **ike_sa)
{
@@ -363,7 +371,7 @@ static void create_and_checkout(private_ike_sa_manager_t *this,ike_sa_t **ike_sa
}
/**
- * Implementation of ike_sa_manager.checkout.
+ * Implementation of of ike_sa_manager.checkout.
*/
static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id, ike_sa_t **ike_sa)
{
@@ -482,7 +490,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
}
/**
- * Implements ike_sa_manager_t.checkin.
+ * Implementation of ike_sa_manager_t.checkin.
*/
static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
{
@@ -519,7 +527,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
/**
- * Implements ike_sa_manager_t.checkin_and_delete.
+ * Implementation of ike_sa_manager_t.checkin_and_delete.
*/
static status_t checkin_and_delete(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
{
@@ -564,7 +572,7 @@ static status_t checkin_and_delete(private_ike_sa_manager_t *this, ike_sa_t *ike
}
/**
- * Implements ike_sa_manager_t.delete.
+ * Implementation of ike_sa_manager_t.delete.
*/
static status_t delete(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
{
@@ -607,7 +615,7 @@ static status_t delete(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
}
/**
- * Implements ike_sa_manager_t.destroy.
+ * Implementation of ike_sa_manager_t.destroy.
*/
static void destroy(private_ike_sa_manager_t *this)
{
@@ -666,7 +674,7 @@ static void destroy(private_ike_sa_manager_t *this)
}
/*
- * Described in header
+ * Described in header.
*/
ike_sa_manager_t *ike_sa_manager_create()
{
diff --git a/Source/charon/sa/ike_sa_manager.h b/Source/charon/sa/ike_sa_manager.h
index 0d991554e..292271bd3 100644
--- a/Source/charon/sa/ike_sa_manager.h
+++ b/Source/charon/sa/ike_sa_manager.h
@@ -20,8 +20,8 @@
* for more details.
*/
-#ifndef IKE_SA_MANAGER_H_
-#define IKE_SA_MANAGER_H_
+#ifndef _IKE_SA_MANAGER_H_
+#define _IKE_SA_MANAGER_H_
#include <types.h>
#include <sa/ike_sa.h>
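Review bot: The renamed include guard `_IKE_SA_MANAGER_H_` begins with an underscore followed by an upper-case letter, a form of identifier that C reserves for the implementation. The previous name `IKE_SA_MANAGER_H_` was outside that namespace and should be kept, or a project prefix used if the guards are being unified. The matching `#endif` comment is changed in the last hunk of this file and would need the same correction.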
@@ -30,7 +30,7 @@
typedef struct ike_sa_manager_t ike_sa_manager_t;
/**
- * @brief The IKE_SA-Manager manages the IKE_SAs ;-).
+ * @brief The IKE_SA-Manager is responsible for managing all initiated and responded IKE_SA's.
*
* To avoid access from multiple threads, IKE_SAs must be checked out from
* the manager, and checked in after usage.
@@ -39,6 +39,8 @@ typedef struct ike_sa_manager_t ike_sa_manager_t;
* @todo checking of double-checkouts from the same threads would be nice.
* This could be done by comparing thread-ids via pthread_self()...
*
+ * @todo Managing of ike_sa_t objects in a hash table instead of linked list.
+ *
* @b Constructors:
* - ike_sa_manager_create()
*
@@ -46,7 +48,7 @@ typedef struct ike_sa_manager_t ike_sa_manager_t;
*/
struct ike_sa_manager_t {
/**
- * @brief Checkout an IKE_SA, create it when necesarry
+ * @brief Checkout an IKE_SA, create it when necesarry.
*
* Checks out a SA by its ID. An SA will be created, when:
* - Responder SPI is not set (when received an IKE_SA_INIT from initiator)
@@ -69,19 +71,16 @@ struct ike_sa_manager_t {
/**
* @brief Create and checkout an IKE_SA as original initator.
*
- * Creates and checks out a SA as initiator. An SA will be created, when:
+ * Creates and checks out a SA as initiator.
* Management of SPIs is the managers job, he will set it.
*
- * @warning checking out two times without checking in will
- * result in a deadlock!
- *
* @param ike_sa_manager the manager object
* @param ike_sa[out] checked out SA
*/
void (*create_and_checkout) (ike_sa_manager_t* ike_sa_manager,ike_sa_t **ike_sa);
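Review bot: `@param ike_sa[out]` on create_and_checkout still uses the form this commit replaces in ike_sa_manager.c, where `entry[out]` became `@param[out] entry`. Doxygen reads the direction only from the `@param[out] name` form, so the line should be `@param[out] ike_sa checked out SA`. While the comment is being touched, `Management of SPIs is the managers job, he will set it.` could be shortened to `The manager assigns the SPIs.`.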
/**
- * @brief Checkin the SA after usage
+ * @brief Checkin the SA after usage.
*
* @warning the SA pointer MUST NOT be used after checkin!
* The SA must be checked out again!
@@ -95,7 +94,7 @@ struct ike_sa_manager_t {
*/
status_t (*checkin) (ike_sa_manager_t* ike_sa_manager, ike_sa_t *ike_sa);
/**
- * @brief delete a SA, wich was not checked out
+ * @brief Delete a SA, which was not checked out.
*
* @warning do not use this when the SA is already checked out, this will
* deadlock!
@@ -109,7 +108,7 @@ struct ike_sa_manager_t {
status_t (*delete) (ike_sa_manager_t* ike_sa_manager, ike_sa_id_t *ike_sa_id);
/**
- * @brief delete a checked out SA
+ * @brief Delete a checked out SA.
*
* @param ike_sa_manager the manager object
* @param ike_sa SA to delete
@@ -120,9 +119,9 @@ struct ike_sa_manager_t {
status_t (*checkin_and_delete) (ike_sa_manager_t* ike_sa_manager, ike_sa_t *ike_sa);
/**
- * @brief Destroys the manager with all associated SAs
+ * @brief Destroys the manager with all associated SAs.
*
- * Threads will be driven out, so all SAs can be deleted cleanly
+ * Threads will be driven out, so all SAs can be deleted cleanly.
*
* @param ike_sa_manager the manager object
*/
@@ -130,12 +129,12 @@ struct ike_sa_manager_t {
};
/**
- * @brief Create a manager
+ * @brief Create a manager.
*
- * @returns ike_sa_manager_t object
+ * @returns ike_sa_manager_t object
*
* @ingroup sa
*/
ike_sa_manager_t *ike_sa_manager_create();
-#endif /*IKE_SA_MANAGER_H_*/
+#endif /*_IKE_SA_MANAGER_H_*/
diff --git a/Source/charon/utils/logger.c b/Source/charon/utils/logger.c
index b05d4b0ba..748a76568 100644
--- a/Source/charon/utils/logger.c
+++ b/Source/charon/utils/logger.c
@@ -97,6 +97,10 @@ static void prepend_prefix(private_logger_t *this, logger_level_t loglevel, char
{
log_type = '?';
}
+ else if (loglevel & AUDIT)
+ {
+ log_type = '>';
+ }
else
{
log_type = '-';
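Review bot: The AUDIT test is added near the end of the else-if chain, so a loglevel that carries AUDIT together with a bit tested in an earlier branch keeps that branch's marker and never gets `'>'`. If audit records are meant to be picked out of the log by their marker, either test AUDIT first or state the precedence, e.g. `/* AUDIT is only marked when no earlier level bit matched */`. The start of the chain and of prepend_prefix lies outside this hunk, so which bits are tested before AUDIT is inferred from the visible `'?'` branch.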