diff options
43 files changed, 1289 insertions, 225 deletions
diff --git a/Source/charon/config/Makefile.config b/Source/charon/config/Makefile.config index 7189d404b..f4786be10 100644 --- a/Source/charon/config/Makefile.config +++ b/Source/charon/config/Makefile.config @@ -15,9 +15,6 @@ CONFIG_DIR= $(MAIN_DIR)config/ -OBJS+= $(BUILD_DIR)configuration_manager.o -$(BUILD_DIR)configuration_manager.o : $(CONFIG_DIR)configuration_manager.c $(CONFIG_DIR)configuration_manager.h - $(CC) $(CFLAGS) -c -o $@ $< OBJS+= $(BUILD_DIR)init_config.o $(BUILD_DIR)init_config.o : $(CONFIG_DIR)init_config.c $(CONFIG_DIR)init_config.h @@ -34,3 +31,11 @@ $(BUILD_DIR)traffic_selector.o : $(CONFIG_DIR)traffic_selector.c $(CONFIG_DIR) OBJS+= $(BUILD_DIR)proposal.o $(BUILD_DIR)proposal.o : $(CONFIG_DIR)proposal.c $(CONFIG_DIR)proposal.h $(CC) $(CFLAGS) -c -o $@ $< + +OBJS+= $(BUILD_DIR)static_configuration.o +$(BUILD_DIR)static_configuration.o : $(CONFIG_DIR)static_configuration.c $(CONFIG_DIR)static_configuration.h + $(CC) $(CFLAGS) -c -o $@ $< + +OBJS+= $(BUILD_DIR)starter_configuration.o +$(BUILD_DIR)starter_configuration.o : $(CONFIG_DIR)starter_configuration.c $(CONFIG_DIR)starter_configuration.h + $(CC) $(CFLAGS) -c -o $@ $<
\ No newline at end of file diff --git a/Source/charon/config/configuration_manager.h b/Source/charon/config/configuration.h index f47189980..8aa85bb78 100644..100755 --- a/Source/charon/config/configuration_manager.h +++ b/Source/charon/config/configuration.h @@ -1,7 +1,7 @@ /** - * @file configuration_manager.h + * @file configuration.h * - * @brief Interface of configuration_manager_t. + * @brief Interface configuration_t. * */ @@ -20,8 +20,8 @@ * for more details. */ -#ifndef CONFIGURATION_MANAGER_H_ -#define CONFIGURATION_MANAGER_H_ +#ifndef CONFIGURATION_H_ +#define CONFIGURATION_H_ #include <types.h> #include <config/init_config.h> @@ -30,26 +30,30 @@ #include <transforms/rsa/rsa_public_key.h> -typedef struct configuration_manager_t configuration_manager_t; +typedef struct configuration_t configuration_t; /** - * @brief Manages all configuration aspects of the daemon. + * @brief The interface for a configuration backend. * - * @b Constructors: - * - configuration_manager_create() + * Multiple backends for the configuration are conceivable: + * - ipsec starter from pluto + * - own file backend + * - multiple database backends + * - LDAP backend? * - * @todo Build a (file) backend for the configuration manager. + * @b Constructors: + * - configuration_create() * * @ingroup config */ -struct configuration_manager_t { +struct configuration_t { /** * @brief Returns the configuration information needed for IKE_SA_INIT exchange * for a specific configuration name. * * The returned init_config_t object MUST NOT be destroyed cause it's managed by - * this configuration_manager_t object. + * this configuration_t object. * * @param this calling object * @param name name of the configuration @@ -59,14 +63,14 @@ struct configuration_manager_t { * - NOT_FOUND * - SUCCESS */ - status_t (*get_init_config_for_name) (configuration_manager_t *this, char *name, init_config_t **init_config); + status_t (*get_init_config_for_name) (configuration_t *this, char *name, init_config_t **init_config); /** * @brief Returns the configuration information needed for IKE_SA_INIT exchange * for specific host informations. * * The returned init_config_t object MUST NOT be destroyed cause it's managed by - * this configuration_manager_t object. + * this configuration_t object. * * @param this calling object * @param my_host my host informations @@ -77,14 +81,14 @@ struct configuration_manager_t { * - NOT_FOUND * - SUCCESS */ - status_t (*get_init_config_for_host) (configuration_manager_t *this, host_t *my_host, host_t *other_host,init_config_t **init_config); + status_t (*get_init_config_for_host) (configuration_t *this, host_t *my_host, host_t *other_host,init_config_t **init_config); /** * @brief Returns the configuration information needed after IKE_SA_INIT exchange * for a specific configuration name. * * The returned sa_config_t object MUST NOT be destroyed cause it's managed by - * this configuration_manager_t object. + * this configuration_t object. * * @param this calling object * @param name name of the configuration @@ -94,14 +98,14 @@ struct configuration_manager_t { * - NOT_FOUND * - SUCCESS */ - status_t (*get_sa_config_for_name) (configuration_manager_t *this, char *name, sa_config_t **sa_config); + status_t (*get_sa_config_for_name) (configuration_t *this, char *name, sa_config_t **sa_config); /** * @brief Returns the configuration information needed after IKE_SA_INIT exchange * for specific init_config_t and ID data. * * The returned sa_config_t object MUST NOT be destroyed cause it's managed by - * this configuration_manager_t object. + * this configuration_t object. * * @param this calling object * @param init_config init_config_t object @@ -113,12 +117,12 @@ struct configuration_manager_t { * - NOT_FOUND * - SUCCESS */ - status_t (*get_sa_config_for_init_config_and_id) (configuration_manager_t *this, init_config_t *init_config, identification_t *other_id, identification_t *my_id,sa_config_t **sa_config); + status_t (*get_sa_config_for_init_config_and_id) (configuration_t *this, init_config_t *init_config, identification_t *other_id, identification_t *my_id,sa_config_t **sa_config); /** * @brief Returns the retransmit timeout. * - * The timeout values are managed by the configuration manager. + * The timeout values are managed by the configuration. * * @param this calling object * @param retransmit_count number of times a message was retransmitted so far @@ -128,7 +132,7 @@ struct configuration_manager_t { * - FAILED, if the message should not be retransmitted * - SUCCESS */ - status_t (*get_retransmit_timeout) (configuration_manager_t *this, u_int32_t retransmit_count, u_int32_t *timeout); + status_t (*get_retransmit_timeout) (configuration_t *this, u_int32_t retransmit_count, u_int32_t *timeout); /** * @brief Returns the timeout for an half open IKE_SA in ms. @@ -143,13 +147,13 @@ struct configuration_manager_t { * @param this calling object * @return timeout in milliseconds (ms) */ - u_int32_t (*get_half_open_ike_sa_timeout) (configuration_manager_t *this); + u_int32_t (*get_half_open_ike_sa_timeout) (configuration_t *this); /** * @brief Returns the preshared secret of a specific ID. * * The returned preshared secret MUST NOT be destroyed cause it's managed by - * this configuration_manager_t object. + * this configuration_t object. * * @param this calling object * @param identification identification_t object identifiying the ID. @@ -159,13 +163,13 @@ struct configuration_manager_t { * - NOT_FOUND if no preshared secrets for specific ID could be found * - SUCCESS */ - status_t (*get_shared_secret) (configuration_manager_t *this, identification_t *identification, chunk_t *preshared_secret); + status_t (*get_shared_secret) (configuration_t *this, identification_t *identification, chunk_t *preshared_secret); /** * @brief Returns the RSA public key of a specific ID. * * The returned rsa_public_key_t object MUST NOT be destroyed cause it's managed by - * this configuration_manager_t object. + * this configuration_t object. * * @param this calling object * @param identification identification_t object identifiying the ID. @@ -175,13 +179,13 @@ struct configuration_manager_t { * - NOT_FOUND if no key is configured for specific id * - SUCCESS */ - status_t (*get_rsa_public_key) (configuration_manager_t *this, identification_t *identification, rsa_public_key_t **public_key); + status_t (*get_rsa_public_key) (configuration_t *this, identification_t *identification, rsa_public_key_t **public_key); /** * @brief Returns the RSA private key of a specific ID. * * The returned rsa_private_key_t object MUST NOT be destroyed cause it's managed by - * this configuration_manager_t object. + * this configuration_t object. * * @param this calling object * @param identification identification_t object identifiying the ID. @@ -191,26 +195,14 @@ struct configuration_manager_t { * - NOT_FOUND if no key is configured for specific id * - SUCCESS */ - status_t (*get_rsa_private_key) (configuration_manager_t *this, identification_t *identification, rsa_private_key_t **private_key); + status_t (*get_rsa_private_key) (configuration_t *this, identification_t *identification, rsa_private_key_t **private_key); /** - * @brief Destroys a configuration_manager_t object. + * @brief Destroys a configuration_t object. * * @param this calling object */ - void (*destroy) (configuration_manager_t *this); + void (*destroy) (configuration_t *this); }; -/** - * @brief Creates the mighty configuration manager. - * - * @param first_retransmit_timeout first retransmit timeout in milliseconds - * @param max_retransmit_count max number of tries to retransmitted a requests (0 for infinite) - * @param half_open_ike_sa_timeout timeout after that a half open IKE_SA gets deleted - * @return configuration_manager_t object - * - * @ingroup config - */ -configuration_manager_t *configuration_manager_create(u_int32_t first_retransmit_timeout,u_int32_t max_retransmit_count, u_int32_t half_open_ike_sa_timeout); - -#endif /*CONFIGURATION_MANAGER_H_*/ +#endif /*CONFIGURATION_H_*/ diff --git a/Source/charon/config/proposal.h b/Source/charon/config/proposal.h index 047d653d3..e25d43512 100644 --- a/Source/charon/config/proposal.h +++ b/Source/charon/config/proposal.h @@ -58,7 +58,7 @@ extern mapping_t protocol_id_m[]; typedef enum transform_type_t transform_type_t; /** - * Type of a transform, as in IKEv2 draft 3.3.2. + * Type of a transform, as in IKEv2 RFC 3.3.2. * * @ingroup payloads */ @@ -82,7 +82,7 @@ extern mapping_t transform_type_m[]; typedef enum extended_sequence_numbers_t extended_sequence_numbers_t; /** - * Extended sequence numbers, as in IKEv2 draft 3.3.2. + * Extended sequence numbers, as in IKEv2 RFC 3.3.2. * * @ingroup payloads */ diff --git a/Source/charon/config/sa_config.h b/Source/charon/config/sa_config.h index 6ecf71d32..783e2f568 100644 --- a/Source/charon/config/sa_config.h +++ b/Source/charon/config/sa_config.h @@ -99,7 +99,6 @@ struct sa_config_t { */ linked_list_t *(*get_my_traffic_selectors) (sa_config_t *this); - /** * @brief Get configured traffic selectors for others site. * diff --git a/Source/charon/config/starter_configuration.c b/Source/charon/config/starter_configuration.c new file mode 100755 index 000000000..938a2b7f1 --- /dev/null +++ b/Source/charon/config/starter_configuration.c @@ -0,0 +1,882 @@ +/** + * @file starter_configuration.c + * + * @brief Implementation of starter_configuration_t. + * + */ + +/* + * Copyright (C) 2005 Jan Hutter, Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdlib.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/socket.h> +#include <sys/un.h> +#include <sys/fcntl.h> +#include <unistd.h> +#include <errno.h> +#include <pthread.h> + +#include "starter_configuration.h" + +#include <types.h> +#include <daemon.h> +#include <utils/allocator.h> + + +/** + * First retransmit timeout in milliseconds. + * + * Timeout value is increasing in each retransmit round. + */ +#define RETRANSMIT_TIMEOUT 3000 + +/** + * Timeout in milliseconds after that a half open IKE_SA gets deleted. + */ +#define HALF_OPEN_IKE_SA_TIMEOUT 30000 + +/** + * Max retransmit count. + * 0 for infinite. The max time a half open IKE_SA is alive is set by + * RETRANSMIT_TIMEOUT. + */ +#define MAX_RETRANSMIT_COUNT 0 + + +struct sockaddr_un socket_addr = { AF_UNIX, "/var/run/pluto.ctl"}; + + +typedef struct preshared_secret_entry_t preshared_secret_entry_t; + +/** + * A preshared secret entry combines an identifier and a + * preshared secret. + */ +struct preshared_secret_entry_t { + + /** + * Identification. + */ + identification_t *identification; + + /** + * Preshared secret as chunk_t. The NULL termination is not included. + */ + chunk_t preshared_secret; +}; + + +typedef struct rsa_private_key_entry_t rsa_private_key_entry_t; + +/** + * Entry for a rsa private key. + */ +struct rsa_private_key_entry_t { + + /** + * Identification. + */ + identification_t *identification; + + /** + * Private key. + */ + rsa_private_key_t* private_key; +}; + +typedef struct rsa_public_key_entry_t rsa_public_key_entry_t; + +/** + * Entry for a rsa private key. + */ +struct rsa_public_key_entry_t { + + /** + * Identification. + */ + identification_t *identification; + + /** + * Private key. + */ + rsa_public_key_t* public_key; +}; + +typedef struct configuration_entry_t configuration_entry_t; + +/** + * A configuration entry combines a configuration name with a init and sa + * configuration represented as init_config_t and sa_config_t objects. + * + * @b Constructors: + * - configuration_entry_create() + */ +struct configuration_entry_t { + + /** + * Configuration name. + * + */ + char *name; + + /** + * Configuration for IKE_SA_INIT exchange. + */ + init_config_t *init_config; + + /** + * Configuration for all phases after IKE_SA_INIT exchange. + */ + sa_config_t *sa_config; + + /** + * Destroys a configuration_entry_t + * + * @param this calling object + */ + void (*destroy) (configuration_entry_t *this); +}; + +/** + * Implementation of configuration_entry_t.destroy. + */ +static void configuration_entry_destroy (configuration_entry_t *this) +{ + allocator_free(this->name); + allocator_free(this); +} + +/** + * @brief Creates a configuration_entry_t object. + * + * @param name name of the configuration entry (gets copied) + * @param init_config object of type init_config_t + * @param sa_config object of type sa_config_t + */ +static configuration_entry_t * configuration_entry_create(char * name, init_config_t * init_config, sa_config_t * sa_config) +{ + configuration_entry_t *entry = allocator_alloc_thing(configuration_entry_t); + + /* functions */ + entry->destroy = configuration_entry_destroy; + + /* private data */ + entry->init_config = init_config; + entry->sa_config = sa_config; + entry->name = allocator_alloc(strlen(name) + 1); + strcpy(entry->name,name); + return entry; +} + +typedef struct private_starter_configuration_t private_starter_configuration_t; + +/** + * Private data of an starter_configuration_t object. + */ +struct private_starter_configuration_t { + + /** + * Public part of starter_configuration_t object. + */ + starter_configuration_t public; + + /** + * Holding all configurations. + */ + linked_list_t *configurations; + + /** + * Holding all managed init_configs. + */ + linked_list_t *init_configs; + + /** + * Holding all managed init_configs. + */ + linked_list_t *sa_configs; + + /** + * Holding all managed preshared secrets. + */ + linked_list_t *preshared_secrets; + + /** + * Holding all managed private secrets. + */ + linked_list_t *rsa_private_keys; + + /** + * Holding all managed public secrets. + */ + linked_list_t *rsa_public_keys; + + /** + * Assigned logger_t object. + */ + logger_t *logger; + + /** + * Max number of requests to be retransmitted. + * 0 for infinite. + */ + u_int32_t max_retransmit_count; + + /** + * First retransmit timeout in ms. + */ + u_int32_t first_retransmit_timeout; + + /** + * Timeout in ms after that time a IKE_SA gets deleted. + */ + u_int32_t half_open_ike_sa_timeout; + + int socket; + + pthread_t assigned_thread; + + /** + * Adds a new IKE_SA configuration. + * + * @param this calling object + * @param name name for the configuration + * @param init_config init_config_t object + * @param sa_config sa_config_t object + */ + void (*add_new_configuration) (private_starter_configuration_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config); + + /** + * Adds a new preshared secret. + * + * @param this calling object + * @param type type of identification + * @param id_string identification as string + * @param preshared_secret preshared secret as string + */ + void (*add_new_preshared_secret) (private_starter_configuration_t *this,id_type_t type, char *id_string, char *preshared_secret); + + /** + * Adds a new rsa private key. + * + * @param this calling object + * @param type type of identification + * @param id_string identification as string + * @param key_pos location of key + * @param key_len length of key + */ + void (*add_new_rsa_private_key) (private_starter_configuration_t *this,id_type_t type, char *id_string, u_int8_t *key_pos, size_t key_len); + + /** + * Adds a new rsa public key. + * + * @param this calling object + * @param type type of identification + * @param id_string identification as string + * @param key_pos location of key + * @param key_len length of key + */ + void (*add_new_rsa_public_key) (private_starter_configuration_t *this,id_type_t type, char *id_string, u_int8_t *key_pos, size_t key_len); + + void (*whack_receive) (private_starter_configuration_t *this); +}; + +/** + * Implementation of private_starter_configuration_t.listen. + */ +static void whack_receive(private_starter_configuration_t *this) +{ + u_int8_t buffer[5000]; + struct sockaddr_un whackaddr; + int whackaddrlen = sizeof(whackaddr); + ssize_t n; + int whackfd; + + while (1) + { + whackfd = accept(this->socket, (struct sockaddr *)&whackaddr, &whackaddrlen); + + if (whackfd < 0) + { + this->logger->log(this->logger, ERROR, "accept() failed in whack_handle()"); + continue; + } + if (fcntl(whackfd, F_SETFD, FD_CLOEXEC) < 0) + { + this->logger->log(this->logger, ERROR, "failed to set CLOEXEC in whack_handle()"); + close(whackfd); + continue; + } + + n = read(whackfd, &buffer, sizeof(buffer)); + + if (n == -1) + { + this->logger->log(this->logger, ERROR, "read() failed in whack_handle()"); + close(whackfd); + continue; + } + this->logger->log_bytes(this->logger, CONTROL, "Whackinput", buffer, n); + } +} + + +/** + * Implementation of starter_configuration_t.get_init_config_for_host. + */ +static status_t get_init_config_for_host (private_starter_configuration_t *this, host_t *my_host, host_t *other_host,init_config_t **init_config) +{ + iterator_t *iterator; + status_t status = NOT_FOUND; + + iterator = this->configurations->create_iterator(this->configurations,TRUE); + + this->logger->log(this->logger, CONTROL|LEVEL1, "getting config for hosts %s - %s", + my_host->get_address(my_host), other_host->get_address(other_host)); + + while (iterator->has_next(iterator)) + { + configuration_entry_t *entry; + host_t *config_my_host; + host_t *config_other_host; + + iterator->current(iterator,(void **) &entry); + + config_my_host = entry->init_config->get_my_host(entry->init_config); + config_other_host = entry->init_config->get_other_host(entry->init_config); + + /* first check if ip is equal */ + if(config_other_host->ip_is_equal(config_other_host,other_host)) + { + this->logger->log(this->logger, CONTROL|LEVEL2, "config entry with remote host %s", + config_other_host->get_address(config_other_host)); + /* could be right one, check my_host for default route*/ + if (config_my_host->is_default_route(config_my_host)) + { + *init_config = entry->init_config; + status = SUCCESS; + break; + } + /* check now if host informations are the same */ + else if (config_my_host->ip_is_equal(config_my_host,my_host)) + { + *init_config = entry->init_config; + status = SUCCESS; + break; + } + + } + /* Then check for wildcard hosts! + * TODO + * actually its only checked if other host with default route can be found! */ + else if (config_other_host->is_default_route(config_other_host)) + { + /* could be right one, check my_host for default route*/ + if (config_my_host->is_default_route(config_my_host)) + { + *init_config = entry->init_config; + status = SUCCESS; + break; + } + /* check now if host informations are the same */ + else if (config_my_host->ip_is_equal(config_my_host,my_host)) + { + *init_config = entry->init_config; + status = SUCCESS; + break; + } + } + } + + iterator->destroy(iterator); + + return status; +} + +/** + * Implementation of starter_configuration_t.get_init_config_for_name. + */ +static status_t get_init_config_for_name (private_starter_configuration_t *this, char *name, init_config_t **init_config) +{ + iterator_t *iterator; + status_t status = NOT_FOUND; + + iterator = this->configurations->create_iterator(this->configurations,TRUE); + + while (iterator->has_next(iterator)) + { + configuration_entry_t *entry; + iterator->current(iterator,(void **) &entry); + + if (strcmp(entry->name,name) == 0) + { + + /* found configuration */ + *init_config = entry->init_config; + status = SUCCESS; + break; + } + } + + iterator->destroy(iterator); + + return status; +} + +/** + * Implementation of starter_configuration_t.get_sa_config_for_name. + */ +static status_t get_sa_config_for_name (private_starter_configuration_t *this, char *name, sa_config_t **sa_config) +{ + iterator_t *iterator; + status_t status = NOT_FOUND; + + iterator = this->configurations->create_iterator(this->configurations,TRUE); + + while (iterator->has_next(iterator)) + { + configuration_entry_t *entry; + iterator->current(iterator,(void **) &entry); + + if (strcmp(entry->name,name) == 0) + { + /* found configuration */ + *sa_config = entry->sa_config; + status = SUCCESS; + break; + } + } + + iterator->destroy(iterator); + + return status; +} + +/** + * Implementation of starter_configuration_t.get_sa_config_for_init_config_and_id. + */ +static status_t get_sa_config_for_init_config_and_id (private_starter_configuration_t *this, init_config_t *init_config, identification_t *other_id, identification_t *my_id,sa_config_t **sa_config) +{ + iterator_t *iterator; + status_t status = NOT_FOUND; + + iterator = this->configurations->create_iterator(this->configurations,TRUE); + + while (iterator->has_next(iterator)) + { + configuration_entry_t *entry; + iterator->current(iterator,(void **) &entry); + + if (entry->init_config == init_config) + { + identification_t *config_my_id = entry->sa_config->get_my_id(entry->sa_config); + identification_t *config_other_id = entry->sa_config->get_other_id(entry->sa_config); + + /* host informations seem to be the same */ + if (config_other_id->equals(config_other_id,other_id)) + { + /* other ids seems to match */ + + if (my_id == NULL) + { + /* first matching one is selected */ + + /* TODO priorize found entries */ + *sa_config = entry->sa_config; + status = SUCCESS; + break; + } + + if (config_my_id->equals(config_my_id,my_id)) + { + *sa_config = entry->sa_config; + status = SUCCESS; + break; + } + + } + } + } + + iterator->destroy(iterator); + + return status; +} + +/** + * Implementation of private_starter_configuration_t.add_new_configuration. + */ +static void add_new_configuration (private_starter_configuration_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config) +{ + iterator_t *iterator; + bool found; + + iterator = this->init_configs->create_iterator(this->init_configs,TRUE); + found = FALSE; + while (iterator->has_next(iterator)) + { + init_config_t *found_init_config; + iterator->current(iterator,(void **) &found_init_config); + if (init_config == found_init_config) + { + found = TRUE; + break; + } + } + iterator->destroy(iterator); + if (!found) + { + this->init_configs->insert_first(this->init_configs,init_config); + } + + iterator = this->sa_configs->create_iterator(this->sa_configs,TRUE); + found = FALSE; + while (iterator->has_next(iterator)) + { + sa_config_t *found_sa_config; + iterator->current(iterator,(void **) &found_sa_config); + if (sa_config == found_sa_config) + { + found = TRUE; + break; + } + } + iterator->destroy(iterator); + if (!found) + { + this->sa_configs->insert_first(this->sa_configs,sa_config); + } + + this->configurations->insert_last(this->configurations,configuration_entry_create(name,init_config,sa_config)); +} + +/** + * Implementation of private_starter_configuration_t.add_new_preshared_secret. + */ +static void add_new_preshared_secret (private_starter_configuration_t *this,id_type_t type, char *id_string, char *preshared_secret) +{ + preshared_secret_entry_t *entry = allocator_alloc_thing(preshared_secret_entry_t); + + entry->identification = identification_create_from_string(type,id_string); + entry->preshared_secret.len = strlen(preshared_secret) + 1; + entry->preshared_secret.ptr = allocator_alloc(entry->preshared_secret.len); + memcpy(entry->preshared_secret.ptr,preshared_secret,entry->preshared_secret.len); + + this->preshared_secrets->insert_last(this->preshared_secrets,entry); +} + +/** + * Implementation of private_starter_configuration_t.add_new_preshared_secret. + */ +static void add_new_rsa_public_key (private_starter_configuration_t *this, id_type_t type, char *id_string, u_int8_t* key_pos, size_t key_len) +{ + chunk_t key; + key.ptr = key_pos; + key.len = key_len; + + rsa_public_key_entry_t *entry = allocator_alloc_thing(rsa_public_key_entry_t); + + entry->identification = identification_create_from_string(type,id_string); + entry->public_key = rsa_public_key_create(); + entry->public_key->set_key(entry->public_key, key); + + this->rsa_public_keys->insert_last(this->rsa_public_keys, entry); +} + +/** + * Implementation of private_starter_configuration_t.add_new_preshared_secret. + */ +static void add_new_rsa_private_key (private_starter_configuration_t *this, id_type_t type, char *id_string, u_int8_t* key_pos, size_t key_len) +{ + chunk_t key; + key.ptr = key_pos; + key.len = key_len; + + rsa_private_key_entry_t *entry = allocator_alloc_thing(rsa_private_key_entry_t); + + entry->identification = identification_create_from_string(type,id_string); + entry->private_key = rsa_private_key_create(); + entry->private_key->set_key(entry->private_key, key); + + this->rsa_private_keys->insert_last(this->rsa_private_keys, entry); +} + +/** + * Implementation of starter_configuration_t.get_shared_secret. + */ +static status_t get_shared_secret(private_starter_configuration_t *this, identification_t *identification, chunk_t *preshared_secret) +{ + iterator_t *iterator; + + iterator = this->preshared_secrets->create_iterator(this->preshared_secrets,TRUE); + while (iterator->has_next(iterator)) + { + preshared_secret_entry_t *entry; + iterator->current(iterator,(void **) &entry); + if (entry->identification->equals(entry->identification,identification)) + { + *preshared_secret = entry->preshared_secret; + iterator->destroy(iterator); + return SUCCESS; + } + } + iterator->destroy(iterator); + return NOT_FOUND; +} + +/** + * Implementation of starter_configuration_t.get_shared_secret. + */ +static status_t get_rsa_public_key(private_starter_configuration_t *this, identification_t *identification, rsa_public_key_t **public_key) +{ + iterator_t *iterator; + + iterator = this->rsa_public_keys->create_iterator(this->rsa_public_keys,TRUE); + while (iterator->has_next(iterator)) + { + rsa_public_key_entry_t *entry; + iterator->current(iterator,(void **) &entry); + if (entry->identification->equals(entry->identification,identification)) + { + *public_key = entry->public_key; + iterator->destroy(iterator); + return SUCCESS; + } + } + iterator->destroy(iterator); + return NOT_FOUND; +} + +/** + * Implementation of starter_configuration_t.get_shared_secret. + */ +static status_t get_rsa_private_key(private_starter_configuration_t *this, identification_t *identification, rsa_private_key_t **private_key) +{ + iterator_t *iterator; + + iterator = this->rsa_private_keys->create_iterator(this->rsa_private_keys,TRUE); + while (iterator->has_next(iterator)) + { + rsa_private_key_entry_t *entry; + iterator->current(iterator,(void **) &entry); + if (entry->identification->equals(entry->identification,identification)) + { + *private_key = entry->private_key; + iterator->destroy(iterator); + return SUCCESS; + } + } + iterator->destroy(iterator); + return NOT_FOUND; +} + +/** + * Implementation of starter_configuration_t.get_retransmit_timeout. + */ +static status_t get_retransmit_timeout (private_starter_configuration_t *this, u_int32_t retransmit_count, u_int32_t *timeout) +{ + int new_timeout = this->first_retransmit_timeout, i; + if ((retransmit_count > this->max_retransmit_count) && (this->max_retransmit_count != 0)) + { + return FAILED; + } + + + for (i = 0; i < retransmit_count; i++) + { + new_timeout *= 2; + } + + *timeout = new_timeout; + + return SUCCESS; +} + +/** + * Implementation of starter_configuration_t.get_half_open_ike_sa_timeout. + */ +static u_int32_t get_half_open_ike_sa_timeout (private_starter_configuration_t *this) +{ + return this->half_open_ike_sa_timeout; +} + +/** + * Implementation of starter_configuration_t.destroy. + */ +static void destroy(private_starter_configuration_t *this) +{ + this->logger->log(this->logger,CONTROL | LEVEL1, "Going to destroy configuration backend "); + + this->logger->log(this->logger,CONTROL | LEVEL2, "Destroy configuration entries"); + while (this->configurations->get_count(this->configurations) > 0) + { + configuration_entry_t *entry; + this->configurations->remove_first(this->configurations,(void **) &entry); + entry->destroy(entry); + } + this->configurations->destroy(this->configurations); + + this->logger->log(this->logger,CONTROL | LEVEL2, "Destroy sa_config_t objects"); + while (this->sa_configs->get_count(this->sa_configs) > 0) + { + sa_config_t *sa_config; + this->sa_configs->remove_first(this->sa_configs,(void **) &sa_config); + sa_config->destroy(sa_config); + } + + this->sa_configs->destroy(this->sa_configs); + + this->logger->log(this->logger,CONTROL | LEVEL2, "Destroy init_config_t objects"); + while (this->init_configs->get_count(this->init_configs) > 0) + { + init_config_t *init_config; + this->init_configs->remove_first(this->init_configs,(void **) &init_config); + init_config->destroy(init_config); + } + this->init_configs->destroy(this->init_configs); + + while (this->preshared_secrets->get_count(this->preshared_secrets) > 0) + { + preshared_secret_entry_t *entry; + this->preshared_secrets->remove_first(this->preshared_secrets,(void **) &entry); + entry->identification->destroy(entry->identification); + allocator_free_chunk(&(entry->preshared_secret)); + allocator_free(entry); + } + this->preshared_secrets->destroy(this->preshared_secrets); + + this->logger->log(this->logger,CONTROL | LEVEL2, "Destroy rsa private keys"); + while (this->rsa_private_keys->get_count(this->rsa_private_keys) > 0) + { + rsa_private_key_entry_t *entry; + this->rsa_private_keys->remove_first(this->rsa_private_keys,(void **) &entry); + entry->identification->destroy(entry->identification); + entry->private_key->destroy(entry->private_key); + allocator_free(entry); + } + this->rsa_private_keys->destroy(this->rsa_private_keys); + + this->logger->log(this->logger,CONTROL | LEVEL2, "Destroy rsa public keys"); + while (this->rsa_public_keys->get_count(this->rsa_public_keys) > 0) + { + rsa_public_key_entry_t *entry; + this->rsa_public_keys->remove_first(this->rsa_public_keys,(void **) &entry); + entry->identification->destroy(entry->identification); + entry->public_key->destroy(entry->public_key); + allocator_free(entry); + } + this->rsa_public_keys->destroy(this->rsa_public_keys); + + this->logger->log(this->logger,CONTROL | LEVEL2, "Destroy assigned logger"); + charon->logger_manager->destroy_logger(charon->logger_manager,this->logger); + close(this->socket); + unlink(socket_addr.sun_path); + allocator_free(this); +} + +/* + * Described in header-file + */ +starter_configuration_t *starter_configuration_create() +{ + private_starter_configuration_t *this = allocator_alloc_thing(private_starter_configuration_t); + mode_t old; + bool on = TRUE; + + /* public functions */ + this->public.configuration_interface.destroy = (void(*)(configuration_t*))destroy; + this->public.configuration_interface.get_init_config_for_name = (status_t (*) (configuration_t *, char *, init_config_t **)) get_init_config_for_name; + this->public.configuration_interface.get_init_config_for_host = (status_t (*) (configuration_t *, host_t *, host_t *,init_config_t **)) get_init_config_for_host; + this->public.configuration_interface.get_sa_config_for_name =(status_t (*) (configuration_t *, char *, sa_config_t **)) get_sa_config_for_name; + this->public.configuration_interface.get_sa_config_for_init_config_and_id =(status_t (*) (configuration_t *, init_config_t *, identification_t *, identification_t *,sa_config_t **)) get_sa_config_for_init_config_and_id; + this->public.configuration_interface.get_retransmit_timeout = (status_t (*) (configuration_t *, u_int32_t retransmit_count, u_int32_t *timeout))get_retransmit_timeout; + this->public.configuration_interface.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t *)) get_half_open_ike_sa_timeout; + this->public.configuration_interface.get_shared_secret = (status_t (*) (configuration_t *, identification_t *, chunk_t *))get_shared_secret; + this->public.configuration_interface.get_rsa_private_key = (status_t (*) (configuration_t *, identification_t *, rsa_private_key_t**))get_rsa_private_key; + this->public.configuration_interface.get_rsa_public_key = (status_t (*) (configuration_t *, identification_t *, rsa_public_key_t**))get_rsa_public_key; + + /* private functions */ + this->add_new_configuration = add_new_configuration; + this->add_new_preshared_secret = add_new_preshared_secret; + this->add_new_rsa_public_key = add_new_rsa_public_key; + this->add_new_rsa_private_key = add_new_rsa_private_key; + this->whack_receive = whack_receive; + + this->logger = charon->logger_manager->create_logger(charon->logger_manager,CONFIG,NULL); + + /* set up unix socket */ + this->socket = socket(AF_UNIX, SOCK_STREAM, 0); + if (this->socket == -1) + { + this->logger->log(this->logger, ERROR, "could not create whack socket"); + charon->logger_manager->destroy_logger(charon->logger_manager,this->logger); + allocator_free(this); + return NULL; + } + if (fcntl(this->socket, F_SETFD, FD_CLOEXEC) < 0) + { + this->logger->log(this->logger, ERROR, "could not FD_CLOEXEC on whack socket"); + charon->logger_manager->destroy_logger(charon->logger_manager,this->logger); + close(this->socket); + allocator_free(this); + return NULL; + } + if (setsockopt(this->socket, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0) + + old = umask(~S_IRWXU); + if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0) + { + this->logger->log(this->logger, ERROR, "could not bind whack socket: %s", strerror(errno)); + charon->logger_manager->destroy_logger(charon->logger_manager,this->logger); + close(this->socket); + allocator_free(this); + return NULL; + } + umask(old); + + if (listen(this->socket, 0) < 0) + { + this->logger->log(this->logger, ERROR, "could not listen on whack socket: %s", strerror(errno)); + charon->logger_manager->destroy_logger(charon->logger_manager,this->logger); + close(this->socket); + unlink(socket_addr.sun_path); + allocator_free(this); + return NULL; + } + + /* start a thread reading from the socket */ + if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))this->whack_receive, this) != 0) + { + this->logger->log(this->logger, ERROR, "Could not spawn whack thread"); + charon->logger_manager->destroy_logger(charon->logger_manager, this->logger); + close(this->socket); + unlink(socket_addr.sun_path); + allocator_free(this); + } + + /* private variables */ + this->configurations = linked_list_create(); + this->sa_configs = linked_list_create(); + this->init_configs = linked_list_create(); + this->preshared_secrets = linked_list_create(); + this->rsa_private_keys = linked_list_create(); + this->rsa_public_keys = linked_list_create(); + this->max_retransmit_count = MAX_RETRANSMIT_COUNT; + this->first_retransmit_timeout = RETRANSMIT_TIMEOUT; + this->half_open_ike_sa_timeout = HALF_OPEN_IKE_SA_TIMEOUT; + + return (&this->public); +} diff --git a/Source/charon/config/starter_configuration.h b/Source/charon/config/starter_configuration.h new file mode 100644 index 000000000..408b84e56 --- /dev/null +++ b/Source/charon/config/starter_configuration.h @@ -0,0 +1,60 @@ +/** + * @file starter_configuration_t.h + * + * @brief Interface of starter_configuration_t. + * + */ + +/* + * Copyright (C) 2005 Jan Hutter, Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef STARTER_CONFIGURATION_H_ +#define STARTER_CONFIGURATION_H_ + +#include <config/configuration.h> + + +typedef struct starter_configuration_t starter_configuration_t; + +/** + * @brief A config backend which uses the ipsec starter + * from pluto, wich parses config files. + * + * This configuration implementation opens a Whack-Socket + * and waits for input from ipsec starter. + * + * @b Constructors: + * - starter_configuration_create() + * + * @ingroup config + */ +struct starter_configuration_t { + + /** + * Implements configuration_t interface + */ + configuration_t configuration_interface; +}; + +/** + * @brief Creates an configuration using ipsec starter as input. + * + * @return starter_configuration_t object + * + * @ingroup config + */ +starter_configuration_t *starter_configuration_create(); + +#endif /*STARTER_CONFIGURATION_H_*/ diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/static_configuration.c index d7191b89f..0cec6e195 100644..100755 --- a/Source/charon/config/configuration_manager.c +++ b/Source/charon/config/static_configuration.c @@ -1,7 +1,7 @@ /** - * @file configuration_manager.c + * @file static_configuration.c * - * @brief Implementation of configuration_manager_t. + * @brief Implementation of static_configuration_t. * */ @@ -22,12 +22,31 @@ #include <stdlib.h> -#include "configuration_manager.h" +#include "static_configuration.h" #include <types.h> #include <daemon.h> #include <utils/allocator.h> +/** + * First retransmit timeout in milliseconds. + * + * Timeout value is increasing in each retransmit round. + */ +#define RETRANSMIT_TIMEOUT 3000 + +/** + * Timeout in milliseconds after that a half open IKE_SA gets deleted. + */ +#define HALF_OPEN_IKE_SA_TIMEOUT 30000 + +/** + * Max retransmit count. + * 0 for infinite. The max time a half open IKE_SA is alive is set by + * RETRANSMIT_TIMEOUT. + */ +#define MAX_RETRANSMIT_COUNT 0 + typedef struct preshared_secret_entry_t preshared_secret_entry_t; @@ -150,17 +169,17 @@ configuration_entry_t * configuration_entry_create(char * name, init_config_t * return entry; } -typedef struct private_configuration_manager_t private_configuration_manager_t; +typedef struct private_static_configuration_t private_static_configuration_t; /** - * Private data of an configuration_manager_t object. + * Private data of an static_configuration_t object. */ -struct private_configuration_manager_t { +struct private_static_configuration_t { /** - * Public part of configuration_manager_t object. + * Public part of static_configuration_t object. */ - configuration_manager_t public; + static_configuration_t public; /** * Holding all configurations. @@ -221,7 +240,7 @@ struct private_configuration_manager_t { * @param init_config init_config_t object * @param sa_config sa_config_t object */ - void (*add_new_configuration) (private_configuration_manager_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config); + void (*add_new_configuration) (private_static_configuration_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config); /** * Adds a new preshared secret. @@ -231,7 +250,7 @@ struct private_configuration_manager_t { * @param id_string identification as string * @param preshared_secret preshared secret as string */ - void (*add_new_preshared_secret) (private_configuration_manager_t *this,id_type_t type, char *id_string, char *preshared_secret); + void (*add_new_preshared_secret) (private_static_configuration_t *this,id_type_t type, char *id_string, char *preshared_secret); /** * Adds a new rsa private key. @@ -242,7 +261,7 @@ struct private_configuration_manager_t { * @param key_pos location of key * @param key_len length of key */ - void (*add_new_rsa_private_key) (private_configuration_manager_t *this,id_type_t type, char *id_string, u_int8_t *key_pos, size_t key_len); + void (*add_new_rsa_private_key) (private_static_configuration_t *this,id_type_t type, char *id_string, u_int8_t *key_pos, size_t key_len); /** * Adds a new rsa public key. @@ -253,14 +272,14 @@ struct private_configuration_manager_t { * @param key_pos location of key * @param key_len length of key */ - void (*add_new_rsa_public_key) (private_configuration_manager_t *this,id_type_t type, char *id_string, u_int8_t *key_pos, size_t key_len); + void (*add_new_rsa_public_key) (private_static_configuration_t *this,id_type_t type, char *id_string, u_int8_t *key_pos, size_t key_len); /** * Load default configuration. * * @param this calling object */ - void (*load_default_config) (private_configuration_manager_t *this); + void (*load_default_config) (private_static_configuration_t *this); }; @@ -270,17 +289,17 @@ u_int8_t public_key_2[]; u_int8_t private_key_2[]; /** - * Implementation of private_configuration_manager_t.load_default_config. + * Implementation of private_static_configuration_t.load_default_config. */ -static void load_default_config (private_configuration_manager_t *this) +static void load_default_config (private_static_configuration_t *this) { init_config_t *init_config_a, *init_config_b; proposal_t *proposal; sa_config_t *sa_config_a, *sa_config_b; traffic_selector_t *ts; - init_config_a = init_config_create("192.168.0.1","192.168.0.2",IKEV2_UDP_PORT,IKEV2_UDP_PORT); - init_config_b = init_config_create("192.168.0.2","192.168.0.1",IKEV2_UDP_PORT,IKEV2_UDP_PORT); + init_config_a = init_config_create("0.0.0.0","192.168.0.2",IKEV2_UDP_PORT,IKEV2_UDP_PORT); + init_config_b = init_config_create("0.0.0.0","192.168.0.1",IKEV2_UDP_PORT,IKEV2_UDP_PORT); /* IKE proposals for alice */ proposal = proposal_create(1); @@ -358,15 +377,10 @@ static void load_default_config (private_configuration_manager_t *this) sa_config_b->add_proposal(sa_config_b, proposal); - - - this->add_new_configuration(this,"sun",init_config_a,sa_config_a); this->add_new_configuration(this,"moon",init_config_b,sa_config_b); - //this->add_new_preshared_secret(this,ID_IPV4_ADDR, "192.168.1.2","verschluesselt"); - this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "192.168.0.1", public_key_1, 256); this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "192.168.0.2", public_key_2, 256); this->add_new_rsa_private_key(this,ID_IPV4_ADDR, "192.168.0.1", private_key_1, 1024); @@ -374,9 +388,9 @@ static void load_default_config (private_configuration_manager_t *this) } /** - * Implementation of configuration_manager_t.get_init_config_for_host. + * Implementation of static_configuration_t.get_init_config_for_host. */ -static status_t get_init_config_for_host (private_configuration_manager_t *this, host_t *my_host, host_t *other_host,init_config_t **init_config) +static status_t get_init_config_for_host (private_static_configuration_t *this, host_t *my_host, host_t *other_host,init_config_t **init_config) { iterator_t *iterator; status_t status = NOT_FOUND; @@ -446,9 +460,9 @@ static status_t get_init_config_for_host (private_configuration_manager_t *this, } /** - * Implementation of configuration_manager_t.get_init_config_for_name. + * Implementation of static_configuration_t.get_init_config_for_name. */ -static status_t get_init_config_for_name (private_configuration_manager_t *this, char *name, init_config_t **init_config) +static status_t get_init_config_for_name (private_static_configuration_t *this, char *name, init_config_t **init_config) { iterator_t *iterator; status_t status = NOT_FOUND; @@ -476,9 +490,9 @@ static status_t get_init_config_for_name (private_configuration_manager_t *this, } /** - * Implementation of configuration_manager_t.get_sa_config_for_name. + * Implementation of static_configuration_t.get_sa_config_for_name. */ -static status_t get_sa_config_for_name (private_configuration_manager_t *this, char *name, sa_config_t **sa_config) +static status_t get_sa_config_for_name (private_static_configuration_t *this, char *name, sa_config_t **sa_config) { iterator_t *iterator; status_t status = NOT_FOUND; @@ -505,9 +519,9 @@ static status_t get_sa_config_for_name (private_configuration_manager_t *this, c } /** - * Implementation of configuration_manager_t.get_sa_config_for_init_config_and_id. + * Implementation of static_configuration_t.get_sa_config_for_init_config_and_id. */ -static status_t get_sa_config_for_init_config_and_id (private_configuration_manager_t *this, init_config_t *init_config, identification_t *other_id, identification_t *my_id,sa_config_t **sa_config) +static status_t get_sa_config_for_init_config_and_id (private_static_configuration_t *this, init_config_t *init_config, identification_t *other_id, identification_t *my_id,sa_config_t **sa_config) { iterator_t *iterator; status_t status = NOT_FOUND; @@ -556,9 +570,9 @@ static status_t get_sa_config_for_init_config_and_id (private_configuration_mana } /** - * Implementation of private_configuration_manager_t.add_new_configuration. + * Implementation of private_static_configuration_t.add_new_configuration. */ -static void add_new_configuration (private_configuration_manager_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config) +static void add_new_configuration (private_static_configuration_t *this, char *name, init_config_t *init_config, sa_config_t *sa_config) { iterator_t *iterator; bool found; @@ -603,9 +617,9 @@ static void add_new_configuration (private_configuration_manager_t *this, char * } /** - * Implementation of private_configuration_manager_t.add_new_preshared_secret. + * Implementation of private_static_configuration_t.add_new_preshared_secret. */ -static void add_new_preshared_secret (private_configuration_manager_t *this,id_type_t type, char *id_string, char *preshared_secret) +static void add_new_preshared_secret (private_static_configuration_t *this,id_type_t type, char *id_string, char *preshared_secret) { preshared_secret_entry_t *entry = allocator_alloc_thing(preshared_secret_entry_t); @@ -618,9 +632,9 @@ static void add_new_preshared_secret (private_configuration_manager_t *this,id_t } /** - * Implementation of private_configuration_manager_t.add_new_preshared_secret. + * Implementation of private_static_configuration_t.add_new_preshared_secret. */ -static void add_new_rsa_public_key (private_configuration_manager_t *this, id_type_t type, char *id_string, u_int8_t* key_pos, size_t key_len) +static void add_new_rsa_public_key (private_static_configuration_t *this, id_type_t type, char *id_string, u_int8_t* key_pos, size_t key_len) { chunk_t key; key.ptr = key_pos; @@ -636,9 +650,9 @@ static void add_new_rsa_public_key (private_configuration_manager_t *this, id_ty } /** - * Implementation of private_configuration_manager_t.add_new_preshared_secret. + * Implementation of private_static_configuration_t.add_new_preshared_secret. */ -static void add_new_rsa_private_key (private_configuration_manager_t *this, id_type_t type, char *id_string, u_int8_t* key_pos, size_t key_len) +static void add_new_rsa_private_key (private_static_configuration_t *this, id_type_t type, char *id_string, u_int8_t* key_pos, size_t key_len) { chunk_t key; key.ptr = key_pos; @@ -654,9 +668,9 @@ static void add_new_rsa_private_key (private_configuration_manager_t *this, id_t } /** - * Implementation of configuration_manager_t.get_shared_secret. + * Implementation of static_configuration_t.get_shared_secret. */ -static status_t get_shared_secret(private_configuration_manager_t *this, identification_t *identification, chunk_t *preshared_secret) +static status_t get_shared_secret(private_static_configuration_t *this, identification_t *identification, chunk_t *preshared_secret) { iterator_t *iterator; @@ -677,9 +691,9 @@ static status_t get_shared_secret(private_configuration_manager_t *this, identif } /** - * Implementation of configuration_manager_t.get_shared_secret. + * Implementation of static_configuration_t.get_shared_secret. */ -static status_t get_rsa_public_key(private_configuration_manager_t *this, identification_t *identification, rsa_public_key_t **public_key) +static status_t get_rsa_public_key(private_static_configuration_t *this, identification_t *identification, rsa_public_key_t **public_key) { iterator_t *iterator; @@ -700,9 +714,9 @@ static status_t get_rsa_public_key(private_configuration_manager_t *this, identi } /** - * Implementation of configuration_manager_t.get_shared_secret. + * Implementation of static_configuration_t.get_shared_secret. */ -static status_t get_rsa_private_key(private_configuration_manager_t *this, identification_t *identification, rsa_private_key_t **private_key) +static status_t get_rsa_private_key(private_static_configuration_t *this, identification_t *identification, rsa_private_key_t **private_key) { iterator_t *iterator; @@ -723,9 +737,9 @@ static status_t get_rsa_private_key(private_configuration_manager_t *this, ident } /** - * Implementation of configuration_manager_t.get_retransmit_timeout. + * Implementation of static_configuration_t.get_retransmit_timeout. */ -static status_t get_retransmit_timeout (private_configuration_manager_t *this, u_int32_t retransmit_count, u_int32_t *timeout) +static status_t get_retransmit_timeout (private_static_configuration_t *this, u_int32_t retransmit_count, u_int32_t *timeout) { int new_timeout = this->first_retransmit_timeout, i; if ((retransmit_count > this->max_retransmit_count) && (this->max_retransmit_count != 0)) @@ -745,19 +759,19 @@ static status_t get_retransmit_timeout (private_configuration_manager_t *this, u } /** - * Implementation of configuration_manager_t.get_half_open_ike_sa_timeout. + * Implementation of static_configuration_t.get_half_open_ike_sa_timeout. */ -static u_int32_t get_half_open_ike_sa_timeout (private_configuration_manager_t *this) +static u_int32_t get_half_open_ike_sa_timeout (private_static_configuration_t *this) { return this->half_open_ike_sa_timeout; } /** - * Implementation of configuration_manager_t.destroy. + * Implementation of static_configuration_t.destroy. */ -static void destroy(private_configuration_manager_t *this) +static void destroy(private_static_configuration_t *this) { - this->logger->log(this->logger,CONTROL | LEVEL1, "Going to destroy configuration manager "); + this->logger->log(this->logger,CONTROL | LEVEL1, "Going to destroy configuration backend "); this->logger->log(this->logger,CONTROL | LEVEL2, "Destroy configuration entries"); while (this->configurations->get_count(this->configurations) > 0) @@ -827,21 +841,21 @@ static void destroy(private_configuration_manager_t *this) /* * Described in header-file */ -configuration_manager_t *configuration_manager_create(u_int32_t first_retransmit_timeout,u_int32_t max_retransmit_count, u_int32_t half_open_ike_sa_timeout) +static_configuration_t *static_configuration_create() { - private_configuration_manager_t *this = allocator_alloc_thing(private_configuration_manager_t); + private_static_configuration_t *this = allocator_alloc_thing(private_static_configuration_t); /* public functions */ - this->public.destroy = (void(*)(configuration_manager_t*))destroy; - this->public.get_init_config_for_name = (status_t (*) (configuration_manager_t *, char *, init_config_t **)) get_init_config_for_name; - this->public.get_init_config_for_host = (status_t (*) (configuration_manager_t *, host_t *, host_t *,init_config_t **)) get_init_config_for_host; - this->public.get_sa_config_for_name =(status_t (*) (configuration_manager_t *, char *, sa_config_t **)) get_sa_config_for_name; - this->public.get_sa_config_for_init_config_and_id =(status_t (*) (configuration_manager_t *, init_config_t *, identification_t *, identification_t *,sa_config_t **)) get_sa_config_for_init_config_and_id; - this->public.get_retransmit_timeout = (status_t (*) (configuration_manager_t *, u_int32_t retransmit_count, u_int32_t *timeout))get_retransmit_timeout; - this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_manager_t *)) get_half_open_ike_sa_timeout; - this->public.get_shared_secret = (status_t (*) (configuration_manager_t *, identification_t *, chunk_t *))get_shared_secret; - this->public.get_rsa_private_key = (status_t (*) (configuration_manager_t *, identification_t *, rsa_private_key_t**))get_rsa_private_key; - this->public.get_rsa_public_key = (status_t (*) (configuration_manager_t *, identification_t *, rsa_public_key_t**))get_rsa_public_key; + this->public.configuration_interface.destroy = (void(*)(configuration_t*))destroy; + this->public.configuration_interface.get_init_config_for_name = (status_t (*) (configuration_t *, char *, init_config_t **)) get_init_config_for_name; + this->public.configuration_interface.get_init_config_for_host = (status_t (*) (configuration_t *, host_t *, host_t *,init_config_t **)) get_init_config_for_host; + this->public.configuration_interface.get_sa_config_for_name =(status_t (*) (configuration_t *, char *, sa_config_t **)) get_sa_config_for_name; + this->public.configuration_interface.get_sa_config_for_init_config_and_id =(status_t (*) (configuration_t *, init_config_t *, identification_t *, identification_t *,sa_config_t **)) get_sa_config_for_init_config_and_id; + this->public.configuration_interface.get_retransmit_timeout = (status_t (*) (configuration_t *, u_int32_t retransmit_count, u_int32_t *timeout))get_retransmit_timeout; + this->public.configuration_interface.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t *)) get_half_open_ike_sa_timeout; + this->public.configuration_interface.get_shared_secret = (status_t (*) (configuration_t *, identification_t *, chunk_t *))get_shared_secret; + this->public.configuration_interface.get_rsa_private_key = (status_t (*) (configuration_t *, identification_t *, rsa_private_key_t**))get_rsa_private_key; + this->public.configuration_interface.get_rsa_public_key = (status_t (*) (configuration_t *, identification_t *, rsa_public_key_t**))get_rsa_public_key; /* private functions */ this->load_default_config = load_default_config; @@ -851,16 +865,16 @@ configuration_manager_t *configuration_manager_create(u_int32_t first_retransmit this->add_new_rsa_private_key = add_new_rsa_private_key; /* private variables */ - this->logger = charon->logger_manager->create_logger(charon->logger_manager,CONFIGURATION_MANAGER,NULL); + this->logger = charon->logger_manager->create_logger(charon->logger_manager,CONFIG,NULL); this->configurations = linked_list_create(); this->sa_configs = linked_list_create(); this->init_configs = linked_list_create(); this->preshared_secrets = linked_list_create(); this->rsa_private_keys = linked_list_create(); this->rsa_public_keys = linked_list_create(); - this->max_retransmit_count = max_retransmit_count; - this->first_retransmit_timeout = first_retransmit_timeout; - this->half_open_ike_sa_timeout = half_open_ike_sa_timeout; + this->max_retransmit_count = MAX_RETRANSMIT_COUNT; + this->first_retransmit_timeout = RETRANSMIT_TIMEOUT; + this->half_open_ike_sa_timeout = HALF_OPEN_IKE_SA_TIMEOUT; this->load_default_config(this); diff --git a/Source/charon/config/static_configuration.h b/Source/charon/config/static_configuration.h new file mode 100644 index 000000000..b63fffe0b --- /dev/null +++ b/Source/charon/config/static_configuration.h @@ -0,0 +1,56 @@ +/** + * @file static_configuration_t.h + * + * @brief Interface of static_configuration_t. + * + */ + +/* + * Copyright (C) 2005 Jan Hutter, Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef STATIC_CONFIGURATION_H_ +#define STATIC_CONFIGURATION_H_ + +#include <config/configuration.h> + + +typedef struct static_configuration_t static_configuration_t; + +/** + * @brief A static hardcoded config for testing purposes. + * + * @b Constructors: + * - static_configuration_create() + * + * @ingroup config + */ +struct static_configuration_t { + + /** + * Implements configuration_t interface + */ + configuration_t configuration_interface; +}; + +/** + * @brief Creates an static configuration + * + * @return static_configuration_t object + * + * @ingroup config + */ +static_configuration_t *static_configuration_create(); + +#endif /*STATIC_CONFIGURATION_H_*/ diff --git a/Source/charon/daemon.c b/Source/charon/daemon.c index 21ed44ef8..db75809d2 100644 --- a/Source/charon/daemon.c +++ b/Source/charon/daemon.c @@ -29,6 +29,8 @@ #include <types.h> #include <utils/allocator.h> #include <queues/jobs/initiate_ike_sa_job.h> +#include <config/static_configuration.h> +#include <config/starter_configuration.h> typedef struct private_daemon_t private_daemon_t; @@ -182,7 +184,7 @@ static void initialize(private_daemon_t *this) this->public.job_queue = job_queue_create(); this->public.event_queue = event_queue_create(); this->public.send_queue = send_queue_create(); - this->public.configuration_manager = configuration_manager_create(RETRANSMIT_TIMEOUT,MAX_RETRANSMIT_COUNT, HALF_OPEN_IKE_SA_TIMEOUT); + this->public.configuration = (configuration_t*)static_configuration_create(); this->public.sender = sender_create(); this->public.receiver = receiver_create(); @@ -236,9 +238,9 @@ static void destroy(private_daemon_t *this) { this->public.socket->destroy(this->public.socket); } - if (this->public.configuration_manager != NULL) + if (this->public.configuration != NULL) { - this->public.configuration_manager->destroy(this->public.configuration_manager); + this->public.configuration->destroy(this->public.configuration); } this->public.logger_manager->destroy(this->public.logger_manager); @@ -273,7 +275,7 @@ private_daemon_t *daemon_create() this->public.job_queue = NULL; this->public.event_queue = NULL; this->public.send_queue = NULL; - this->public.configuration_manager = NULL; + this->public.configuration = NULL; this->public.sender= NULL; this->public.receiver = NULL; this->public.scheduler = NULL; diff --git a/Source/charon/daemon.h b/Source/charon/daemon.h index 343aecb25..3291743e0 100644 --- a/Source/charon/daemon.h +++ b/Source/charon/daemon.h @@ -34,7 +34,7 @@ #include <queues/job_queue.h> #include <queues/event_queue.h> #include <utils/logger_manager.h> -#include <config/configuration_manager.h> +#include <config/configuration.h> /** * Name of the daemon. @@ -55,26 +55,6 @@ #define IKEV2_UDP_PORT 500 /** - * @brief First retransmit timeout in milliseconds. - * - * Timeout value is increasing in each retransmit round. - */ -#define RETRANSMIT_TIMEOUT 3000 - -/** - * Timeout in milliseconds after that a half open IKE_SA gets deleted. - */ -#define HALF_OPEN_IKE_SA_TIMEOUT 30000 - -/** - * @brief Max retransmit count. - * - * 0 for infinite. The max time a half open IKE_SA is alive is set by - * RETRANSMIT_TIMEOUT. - */ -#define MAX_RETRANSMIT_COUNT 0 - -/** * @brief Default loglevel for every logger context. * * This is the maximum allowed level for ever context, the definiton @@ -120,9 +100,9 @@ struct daemon_t { ike_sa_manager_t *ike_sa_manager; /** - * A configuration_manager_t instance. + * A configuration_t instance. */ - configuration_manager_t *configuration_manager; + configuration_t *configuration; /** * The Sender-Thread. diff --git a/Source/charon/encoding/payloads/auth_payload.h b/Source/charon/encoding/payloads/auth_payload.h index 7be3859aa..1df867356 100644 --- a/Source/charon/encoding/payloads/auth_payload.h +++ b/Source/charon/encoding/payloads/auth_payload.h @@ -44,19 +44,19 @@ typedef enum auth_method_t auth_method_t; */ enum auth_method_t { /** - * Computed as specified in section 2.15 of draft using + * Computed as specified in section 2.15 of RFC using * an RSA private key over a PKCS#1 padded hash. */ RSA_DIGITAL_SIGNATURE = 1, /* Computed as specified in - * section 2.15 of draft using the shared key associated with the identity + * section 2.15 of RFC using the shared key associated with the identity * in the ID payload and the negotiated prf function */ SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2, /* Computed as specified in section - * 2.15 of draft using a DSS private key over a SHA-1 hash. + * 2.15 of RFC using a DSS private key over a SHA-1 hash. */ DSS_DIGITAL_SIGNATURE = 3, }; @@ -74,7 +74,7 @@ typedef struct auth_payload_t auth_payload_t; /** * @brief Class representing an IKEv2 AUTH payload. * - * The AUTH payload format is described in draft section 3.8. + * The AUTH payload format is described in RFC section 3.8. * * @b Constructors: * - auth_payload_create() diff --git a/Source/charon/encoding/payloads/cert_payload.h b/Source/charon/encoding/payloads/cert_payload.h index 8553e1a1d..05b210462 100644 --- a/Source/charon/encoding/payloads/cert_payload.h +++ b/Source/charon/encoding/payloads/cert_payload.h @@ -37,7 +37,7 @@ typedef enum cert_encoding_t cert_encoding_t; /** - * @brief Certificate encoding, as described in IKEv2 draft section 3.6 + * @brief Certificate encoding, as described in IKEv2 RFC section 3.6 * * @ingroup payloads */ @@ -69,7 +69,7 @@ typedef struct cert_payload_t cert_payload_t; /** * @brief Class representing an IKEv2 CERT payload. * - * The CERT payload format is described in draft section 3.6. + * The CERT payload format is described in RFC section 3.6. * This is just a dummy implementation to fullfill the standards * requirements. A full implementation would offer setters/getters * for the different encoding types. diff --git a/Source/charon/encoding/payloads/certreq_payload.h b/Source/charon/encoding/payloads/certreq_payload.h index 055bfc79d..c5947ae72 100644 --- a/Source/charon/encoding/payloads/certreq_payload.h +++ b/Source/charon/encoding/payloads/certreq_payload.h @@ -40,7 +40,7 @@ typedef struct certreq_payload_t certreq_payload_t; /** * @brief Class representing an IKEv2 CERTREQ payload. * - * The CERTREQ payload format is described in draft section 3.7. + * The CERTREQ payload format is described in RFC section 3.7. * This is just a dummy implementation to fullfill the standards * requirements. A full implementation would offer setters/getters * for the different encoding types. diff --git a/Source/charon/encoding/payloads/configuration_attribute.h b/Source/charon/encoding/payloads/configuration_attribute.h index ad7d39a61..9de6ac9ea 100644 --- a/Source/charon/encoding/payloads/configuration_attribute.h +++ b/Source/charon/encoding/payloads/configuration_attribute.h @@ -39,7 +39,7 @@ typedef enum configuration_attribute_type_t configuration_attribute_type_t; /** - * Type of the attribute, as in IKEv2 draft 3.15.1. + * Type of the attribute, as in IKEv2 RFC 3.15.1. * * @ingroup payloads */ diff --git a/Source/charon/encoding/payloads/delete_payload.h b/Source/charon/encoding/payloads/delete_payload.h index 522754c95..d4417b59f 100644 --- a/Source/charon/encoding/payloads/delete_payload.h +++ b/Source/charon/encoding/payloads/delete_payload.h @@ -41,7 +41,7 @@ typedef struct delete_payload_t delete_payload_t; /** * @brief Class representing an IKEv2 DELETE payload. * - * The DELETE payload format is described in draft section 3.11. + * The DELETE payload format is described in RFC section 3.11. * * @b Constructors: * - delete_payload_create() diff --git a/Source/charon/encoding/payloads/eap_payload.h b/Source/charon/encoding/payloads/eap_payload.h index a934a1860..4c324c6da 100644 --- a/Source/charon/encoding/payloads/eap_payload.h +++ b/Source/charon/encoding/payloads/eap_payload.h @@ -39,7 +39,7 @@ typedef struct eap_payload_t eap_payload_t; /** * @brief Class representing an IKEv2 EAP payload. * - * The EAP payload format is described in draft section 3.16. + * The EAP payload format is described in RFC section 3.16. * * @b Constructors: * - eap_payload_create() diff --git a/Source/charon/encoding/payloads/id_payload.h b/Source/charon/encoding/payloads/id_payload.h index 137f0ea33..f453ee994 100644 --- a/Source/charon/encoding/payloads/id_payload.h +++ b/Source/charon/encoding/payloads/id_payload.h @@ -41,7 +41,7 @@ typedef struct id_payload_t id_payload_t; /** * Object representing an IKEv2 ID payload. * - * The ID payload format is described in draft section 3.5. + * The ID payload format is described in RFC section 3.5. * * @b Constructors: * - id_payload_create_from_identification() diff --git a/Source/charon/encoding/payloads/nonce_payload.h b/Source/charon/encoding/payloads/nonce_payload.h index 0ddc14186..366dfec15 100644 --- a/Source/charon/encoding/payloads/nonce_payload.h +++ b/Source/charon/encoding/payloads/nonce_payload.h @@ -38,7 +38,7 @@ typedef struct nonce_payload_t nonce_payload_t; /** * Object representing an IKEv2 Nonce payload. * - * The Nonce payload format is described in draft section 3.3. + * The Nonce payload format is described in RFC section 3.3. * * @b Constructors: * - nonce_payload_create() diff --git a/Source/charon/encoding/payloads/notify_payload.h b/Source/charon/encoding/payloads/notify_payload.h index 40995c402..148a8833f 100644 --- a/Source/charon/encoding/payloads/notify_payload.h +++ b/Source/charon/encoding/payloads/notify_payload.h @@ -49,7 +49,7 @@ typedef enum notify_message_type_t notify_message_type_t; /** * @brief Notify message types. * - * See IKEv2 draft 3.10.1. + * See IKEv2 RFC 3.10.1. * * @ingroup payloads */ diff --git a/Source/charon/encoding/payloads/traffic_selector_substructure.h b/Source/charon/encoding/payloads/traffic_selector_substructure.h index 35ef0181a..841877c15 100644 --- a/Source/charon/encoding/payloads/traffic_selector_substructure.h +++ b/Source/charon/encoding/payloads/traffic_selector_substructure.h @@ -41,7 +41,7 @@ typedef struct traffic_selector_substructure_t traffic_selector_substructure_t; /** * @brief Class representing an IKEv2 TRAFFIC SELECTOR. * - * The TRAFFIC SELECTOR format is described in draft section 3.13.1. + * The TRAFFIC SELECTOR format is described in RFC section 3.13.1. * * @b Constructors: * - traffic_selector_substructure_create() diff --git a/Source/charon/encoding/payloads/transform_attribute.h b/Source/charon/encoding/payloads/transform_attribute.h index 732edd023..547699915 100644 --- a/Source/charon/encoding/payloads/transform_attribute.h +++ b/Source/charon/encoding/payloads/transform_attribute.h @@ -30,7 +30,7 @@ typedef enum transform_attribute_type_t transform_attribute_type_t; /** - * Type of the attribute, as in IKEv2 draft 3.3.5. + * Type of the attribute, as in IKEv2 RFC 3.3.5. * * @ingroup payloads */ diff --git a/Source/charon/encoding/payloads/ts_payload.h b/Source/charon/encoding/payloads/ts_payload.h index b7e3b80fb..7e8c2f0a3 100644 --- a/Source/charon/encoding/payloads/ts_payload.h +++ b/Source/charon/encoding/payloads/ts_payload.h @@ -43,7 +43,7 @@ typedef struct ts_payload_t ts_payload_t; /** * @brief Class representing an IKEv2 TS payload. * - * The TS payload format is described in draft section 3.13. + * The TS payload format is described in RFC section 3.13. * * @b Constructors: * - ts_payload_create() diff --git a/Source/charon/encoding/payloads/vendor_id_payload.h b/Source/charon/encoding/payloads/vendor_id_payload.h index 4b047ac14..4733ba243 100644 --- a/Source/charon/encoding/payloads/vendor_id_payload.h +++ b/Source/charon/encoding/payloads/vendor_id_payload.h @@ -39,7 +39,7 @@ typedef struct vendor_id_payload_t vendor_id_payload_t; /** * @brief Class representing an IKEv2 VENDOR ID payload. * - * The VENDOR ID payload format is described in draft section 3.12. + * The VENDOR ID payload format is described in RFC section 3.12. * * @b Constructors: * - vendor_id_payload_create() diff --git a/Source/charon/network/socket.c b/Source/charon/network/socket.c index d02e21476..f8d45ddd1 100644 --- a/Source/charon/network/socket.c +++ b/Source/charon/network/socket.c @@ -34,6 +34,8 @@ #include <fcntl.h> #include <net/if.h> #include <sys/ioctl.h> +#include <netinet/in.h> +#include <linux/filter.h> #include "socket.h" @@ -42,6 +44,43 @@ #include <utils/logger_manager.h> +#define IP_HEADER_LENGTH 20 +#define UDP_HEADER_LENGTH 8 + + +/** + * This filter code filters out all non-IKEv2 traffic on + * a SOCK_RAW IP_PROTP_UDP socket. Handling of other + * IKE versions is done in pluto. + */ +struct sock_filter ikev2_filter_code[] = +{ + /* Protocol must be UDP */ + BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 9), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IPPROTO_UDP, 0, 7), + /* Destination Port must be 500 */ + BPF_STMT(BPF_LD+BPF_H+BPF_ABS, 22), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 500, 0, 5), + /* IKE version must be 2.0 */ + BPF_STMT(BPF_LD+BPF_B+BPF_ABS, 45), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3), + /* packet length is length in IKEv2 header + ip header + udp header */ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 52), + BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, IP_HEADER_LENGTH + UDP_HEADER_LENGTH), + BPF_STMT(BPF_RET+BPF_A, 0), + /* packet doesn't match IKEv2, ignore */ + BPF_STMT(BPF_RET+BPF_K, 0), +}; + +/** + * Filter struct to use with setsockopt + */ +struct sock_fprog ikev2_filter = { + sizeof(ikev2_filter_code) / sizeof(struct sock_filter), + ikev2_filter_code +}; + + typedef struct interface_t interface_t; /** @@ -52,7 +91,7 @@ struct interface_t { /** * Name of the interface */ - char name[IFNAMSIZ+1]; + char name[IFNAMSIZ]; /** * Associated socket @@ -98,10 +137,6 @@ status_t receiver(private_socket_t *this, packet_t **packet) host_t *source, *dest; int bytes_read = 0; - source = host_create(AF_INET, "0.0.0.0", 0); - dest = host_create(AF_INET, "0.0.0.0", 0); - pkt->set_source(pkt, source); - pkt->set_destination(pkt, dest); while (bytes_read >= 0) { @@ -124,7 +159,7 @@ status_t receiver(private_socket_t *this, packet_t **packet) } } iterator->destroy(iterator); - + /* add packet destroy handler for cancellation, enable cancellation */ pthread_cleanup_push((void(*)(void*))pkt->destroy, (void*)pkt); pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); @@ -136,12 +171,6 @@ status_t receiver(private_socket_t *this, packet_t **packet) pthread_setcancelstate(oldstate, NULL); pthread_cleanup_pop(0); - if (bytes_read < 0) - { - this->logger->log(this->logger, ERROR, "error reading from socket: %s", strerror(errno)); - continue; - } - /* read on the first nonblocking socket */ bytes_read = 0; iterator = this->interfaces->create_iterator(this->interfaces, TRUE); @@ -151,28 +180,41 @@ status_t receiver(private_socket_t *this, packet_t **packet) if (FD_ISSET(interface->socket_fd, &readfds)) { /* do the read */ - bytes_read = recvfrom(interface->socket_fd, buffer, MAX_PACKET, 0, - source->get_sockaddr(source), - source->get_sockaddr_len(source)); - getsockname(interface->socket_fd, dest->get_sockaddr(dest), dest->get_sockaddr_len(dest)); + bytes_read = recv(interface->socket_fd, buffer, MAX_PACKET, 0); break; } } iterator->destroy(iterator); - if (bytes_read > 0) + + if (bytes_read < 0) { + this->logger->log(this->logger, ERROR, "error reading from socket: %s", strerror(errno)); + continue; + } + if (bytes_read > IP_HEADER_LENGTH + UDP_HEADER_LENGTH) + { + /* read source/dest from raw IP/UDP header */ + chunk_t source_chunk = {buffer + 12, 4}; + chunk_t dest_chunk = {buffer + 16, 4}; + u_int16_t source_port = ntohs(*(u_int16_t*)(buffer + 20)); + u_int16_t dest_port = ntohs(*(u_int16_t*)(buffer + 22)); + source = host_create_from_chunk(AF_INET, source_chunk, source_port); + dest = host_create_from_chunk(AF_INET, dest_chunk, dest_port); + pkt->set_source(pkt, source); + pkt->set_destination(pkt, dest); break; } + this->logger->log(this->logger, ERROR|LEVEL1, "too short packet received"); } - this->logger->log(this->logger, CONTROL, "received packet from %s:%d", - source->get_address(source), - source->get_port(source)); + this->logger->log(this->logger, CONTROL, "received packet: from %s:%d to %s:%d", + source->get_address(source), source->get_port(source), + dest->get_address(dest), dest->get_port(dest)); /* fill in packet */ - data.len = bytes_read; + data.len = bytes_read - IP_HEADER_LENGTH - UDP_HEADER_LENGTH; data.ptr = allocator_alloc(data.len); - memcpy(data.ptr, buffer, data.len); + memcpy(data.ptr, buffer + IP_HEADER_LENGTH + UDP_HEADER_LENGTH, data.len); pkt->set_data(pkt, data); /* return packet */ @@ -291,7 +333,7 @@ static status_t build_interface_list(private_socket_t *this, u_int16_t port) } /* set up interface socket */ - skt = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + skt = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); if (socket < 0) { this->logger->log(this->logger, ERROR, "unable to open interface socket!"); @@ -311,12 +353,21 @@ static status_t build_interface_list(private_socket_t *this, u_int16_t port) close(skt); continue; } + + if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER, &ikev2_filter, sizeof(ikev2_filter)) < 0) + { + this->logger->log(this->logger, ERROR, "unable to attack IKEv2 filter to interface socket!"); + close(skt); + continue; + } /* add socket with interface name to list */ interface = allocator_alloc_thing(interface_t); memcpy(interface->name, buf[i].ifr_name, IFNAMSIZ); - interface->name[IFNAMSIZ] = '\0'; + interface->name[IFNAMSIZ-1] = '\0'; interface->socket_fd = skt; + this->logger->log(this->logger, CONTROL, "listening on %s (%s)", + interface->name, inet_ntoa(current->sin_addr)); this->interfaces->insert_last(this->interfaces, (void*)interface); } diff --git a/Source/charon/network/socket.h b/Source/charon/network/socket.h index 8a00e88b0..7e43ffab5 100644 --- a/Source/charon/network/socket.h +++ b/Source/charon/network/socket.h @@ -31,7 +31,7 @@ /** * @brief Maximum size of a packet. * - * 3000 Bytes should be sufficient, see IKEv2 draft. + * 3000 Bytes should be sufficient, see IKEv2 RFC. * * @ingroup network */ @@ -41,16 +41,24 @@ typedef struct socket_t socket_t; /** - * @brief Abstraction of one (ipv4), or in future, of multiple sockets. + * @brief Abstraction all sockets (currently IPv4 only). * - * Receiver reads from here, sender writes to here. + * All available IPv4 sockets are bound and the receive function + * reads from them. To allow binding of other daemons (pluto) to + * UDP/500, this implementation uses RAW sockets. An installed + * "Linux socket filter" filters out all non-IKEv2 traffic and handles + * just IKEv2 messages. An other daemon (pluto) must handle all traffic + * seperatly, e.g. ignore IKEv2 traffic, since charon handles that. * * @b Constructors: * - socket_create() * * @todo add IPv6 support * - * @todo allow listening/sending to multiple sockets, depending on address + * @todo We currently use multiple sockets for historic reasons. With the + * new RAW socket mechanism, we could use just one socket and filter + * addresses in userspace (or via linux socket filter). This would allow + * realtime interface/address management in a easy way... * * @ingroup network */ @@ -58,9 +66,8 @@ struct socket_t { /** * @brief Receive a packet. * - * reads a packet from one of the sockets. - * source will be set, dest not implemented - * + * Reads a packet from the socket and sets source/dest + * appropriately. * * @param sock socket_t object to work on * @param packet pinter gets address from allocated packet_t @@ -73,8 +80,9 @@ struct socket_t { /** * @brief Send a packet. * - * sends a packet via desired socket. - * uses source and dest in packet. + * Sends a packet to the net using destination from the packet. + * Packet is sent using default routing mechanisms, thus the + * source address in packet is ignored. * * @param sock socket_t object to work on * @param packet[out] packet_t to send @@ -95,10 +103,10 @@ struct socket_t { }; /** - * @brief socket_t constructor. + * @brief Create a socket_t, wich binds multiple sockets. * * currently creates one socket, listening on all addresses - * on port. + * on "port". * * @param port port to bind socket to * @return socket_t object diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c index 5aaa2d983..f6f09c268 100644 --- a/Source/charon/sa/authenticator.c +++ b/Source/charon/sa/authenticator.c @@ -67,7 +67,7 @@ struct private_authenticator_t { /** * @brief Creates the octets which are signed (RSA) or MACed (shared secret) as described in section - * 2.15 of draft. + * 2.15 of RFC. * * @param this calling object * @param last_message the last message to include in created octets @@ -211,7 +211,7 @@ static status_t verify_auth_data (private_authenticator_t *this, chunk_t preshared_secret; status_t status; - status = charon->configuration_manager->get_shared_secret(charon->configuration_manager, + status = charon->configuration->get_shared_secret(charon->configuration, other_id, &preshared_secret); other_id->destroy(other_id); @@ -252,7 +252,7 @@ static status_t verify_auth_data (private_authenticator_t *this, auth_data = auth_payload->get_data(auth_payload); - status = charon->configuration_manager->get_rsa_public_key(charon->configuration_manager, + status = charon->configuration->get_rsa_public_key(charon->configuration, other_id, &public_key); other_id->destroy(other_id); @@ -295,7 +295,7 @@ static status_t compute_auth_data (private_authenticator_t *this, chunk_t preshared_secret; status_t status; - status = charon->configuration_manager->get_shared_secret(charon->configuration_manager, + status = charon->configuration->get_shared_secret(charon->configuration, my_id, &preshared_secret); @@ -326,7 +326,7 @@ static status_t compute_auth_data (private_authenticator_t *this, status_t status; chunk_t octets, auth_data; - status = charon->configuration_manager->get_rsa_private_key(charon->configuration_manager, + status = charon->configuration->get_rsa_private_key(charon->configuration, my_id, &private_key); my_id->destroy(my_id); diff --git a/Source/charon/sa/authenticator.h b/Source/charon/sa/authenticator.h index 2160eaec5..c50ac4f32 100644 --- a/Source/charon/sa/authenticator.h +++ b/Source/charon/sa/authenticator.h @@ -40,7 +40,7 @@ typedef struct authenticator_t authenticator_t; * - RSA_DIGITAL_SIGNATURE * * This class retrieves needed data for specific AUTH methods (RSA keys, shared secrets, etc.) - * over an internal stored protected_ike_sa_t object or directly from the configuration_manager_t over + * over an internal stored protected_ike_sa_t object or directly from the configuration_t over * the daemon_t object "charon". * * @b Constructors: diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c index 55c03ef92..7e4f7c772 100644 --- a/Source/charon/sa/ike_sa.c +++ b/Source/charon/sa/ike_sa.c @@ -484,6 +484,10 @@ static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config) */ static void set_my_host (private_ike_sa_t *this, host_t *my_host) { + if (this->me.host) + { + this->me.host->destroy(this->me.host); + } this->me.host = my_host; } @@ -492,6 +496,10 @@ static void set_my_host (private_ike_sa_t *this, host_t *my_host) */ static void set_other_host (private_ike_sa_t *this, host_t *other_host) { + if (this->other.host) + { + this->other.host->destroy(this->other.host); + } this->other.host = other_host; } @@ -814,7 +822,7 @@ static status_t send_request (private_ike_sa_t *this,message_t * message) retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id); - status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager, + status = charon->configuration->get_retransmit_timeout (charon->configuration, retransmit_job->get_retransmit_count(retransmit_job),&timeout); if (status != SUCCESS) diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h index b15a8eaab..e1d27e25d 100644 --- a/Source/charon/sa/ike_sa.h +++ b/Source/charon/sa/ike_sa.h @@ -29,7 +29,7 @@ #include <sa/ike_sa_id.h> #include <sa/child_sa.h> #include <sa/states/state.h> -#include <config/configuration_manager.h> +#include <config/configuration.h> #include <utils/logger.h> #include <utils/randomizer.h> #include <transforms/prfs/prf.h> diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c index 7f80c3477..06ff238b9 100644 --- a/Source/charon/sa/states/ike_sa_init_requested.c +++ b/Source/charon/sa/states/ike_sa_init_requested.c @@ -213,6 +213,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t u_int64_t responder_spi; ike_sa_id_t *ike_sa_id; iterator_t *payloads; + host_t *me; message_t *request; status_t status; @@ -338,6 +339,10 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t return DELETE_ME; } + /* apply the address on wich we really received the packet */ + me = ike_sa_init_reply->get_destination(ike_sa_init_reply); + this->ike_sa->set_my_host(this->ike_sa, me->clone(me)); + /* build empty message */ this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request); diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c index 379eaebe1..54e70041a 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.c +++ b/Source/charon/sa/states/ike_sa_init_responded.c @@ -391,7 +391,7 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl /* build new sa config */ init_config = this->ike_sa->get_init_config(this->ike_sa); - status = charon->configuration_manager->get_sa_config_for_init_config_and_id(charon->configuration_manager,init_config, other_id,my_id, &(this->sa_config)); + status = charon->configuration->get_sa_config_for_init_config_and_id(charon->configuration,init_config, other_id,my_id, &(this->sa_config)); if (status != SUCCESS) { if (my_id) diff --git a/Source/charon/sa/states/initiator_init.c b/Source/charon/sa/states/initiator_init.c index f27dcb559..46cbbcdbe 100644 --- a/Source/charon/sa/states/initiator_init.c +++ b/Source/charon/sa/states/initiator_init.c @@ -118,14 +118,14 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name) this->logger->log(this->logger, CONTROL, "Initializing connection %s",name); /* get configs */ - status = charon->configuration_manager->get_init_config_for_name(charon->configuration_manager,name,&init_config); + status = charon->configuration->get_init_config_for_name(charon->configuration,name,&init_config); if (status != SUCCESS) { this->logger->log(this->logger, ERROR | LEVEL1, "Could not retrieve INIT configuration informations for %s",name); return DELETE_ME; } this->ike_sa->set_init_config(this->ike_sa,init_config); - status = charon->configuration_manager->get_sa_config_for_name(charon->configuration_manager,name,&sa_config); + status = charon->configuration->get_sa_config_for_name(charon->configuration,name,&sa_config); if (status != SUCCESS) { this->logger->log(this->logger, ERROR | LEVEL1, "Could not retrieve SA configuration informations for %s",name); diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c index c85f12efc..f67e2833c 100644 --- a/Source/charon/sa/states/responder_init.c +++ b/Source/charon/sa/states/responder_init.c @@ -177,7 +177,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa source = message->get_source(message); destination = message->get_destination(message); - status = charon->configuration_manager->get_init_config_for_host(charon->configuration_manager,destination,source,&init_config); + status = charon->configuration->get_init_config_for_host(charon->configuration,destination,source,&init_config); if (status != SUCCESS) { /* no configuration matches given host */ diff --git a/Source/charon/testcases/testcases.c b/Source/charon/testcases/testcases.c index b4eadef91..8b3bfa9b9 100644 --- a/Source/charon/testcases/testcases.c +++ b/Source/charon/testcases/testcases.c @@ -28,7 +28,7 @@ #include <queues/job_queue.h> #include <queues/event_queue.h> #include <queues/send_queue.h> -#include <config/configuration_manager.h> +#include <config/configuration.h> #include <sa/ike_sa_manager.h> #include <network/socket.h> #include <utils/logger_manager.h> @@ -141,7 +141,7 @@ static void daemon_kill(daemon_t *this, char* none) this->event_queue->destroy(this->event_queue); this->send_queue->destroy(this->send_queue); this->kernel_interface->destroy(this->kernel_interface); - //this->configuration_manager->destroy(this->configuration_manager); + //this->configuration->destroy(this->configuration); allocator_free(charon); } @@ -164,7 +164,7 @@ daemon_t *daemon_create() charon->event_queue = event_queue_create(); charon->send_queue = send_queue_create(); charon->kernel_interface = kernel_interface_create(); - //charon->configuration_manager = configuration_manager_create(RETRANSMIT_TIMEOUT,MAX_RETRANSMIT_COUNT,HALF_OPEN_IKE_SA_TIMEOUT); + //charon->configuration = configuration_create(RETRANSMIT_TIMEOUT,MAX_RETRANSMIT_COUNT,HALF_OPEN_IKE_SA_TIMEOUT); charon->sender = NULL; charon->receiver = NULL; charon->scheduler = NULL; diff --git a/Source/charon/threads/kernel_interface.c b/Source/charon/threads/kernel_interface.c index 7b0c163ce..c42a09129 100644 --- a/Source/charon/threads/kernel_interface.c +++ b/Source/charon/threads/kernel_interface.c @@ -273,7 +273,7 @@ static status_t add_sa( private_kernel_interface_t *this, request.sa.id.proto = (protocol == ESP) ? KERNEL_ESP : KERNEL_AH; request.sa.family = me->get_family(me); request.sa.mode = TRUE; /* tunnel mode */ - request.sa.replay_window = 0; //sa->replay_window; ??? + request.sa.replay_window = 32; request.sa.reqid = reqid; request.sa.lft.soft_byte_limit = XFRM_INF; request.sa.lft.soft_packet_limit = XFRM_INF; diff --git a/Source/charon/threads/thread_pool.c b/Source/charon/threads/thread_pool.c index ac926a30b..e4c94d9ad 100644 --- a/Source/charon/threads/thread_pool.c +++ b/Source/charon/threads/thread_pool.c @@ -298,7 +298,7 @@ static void process_incoming_packet_job(private_thread_pool_t *this, incoming_pa if (status == CREATED) { this->worker_logger->log(this->worker_logger, CONTROL|LEVEL3, "Create Job to delete half open IKE_SA."); - this->create_delete_half_open_ike_sa_job(this,ike_sa_id,charon->configuration_manager->get_half_open_ike_sa_timeout(charon->configuration_manager)); + this->create_delete_half_open_ike_sa_job(this,ike_sa_id,charon->configuration->get_half_open_ike_sa_timeout(charon->configuration)); } status = ike_sa->process_message(ike_sa, message); @@ -349,25 +349,25 @@ static void process_initiate_ike_sa_job(private_thread_pool_t *this, initiate_ik charon->ike_sa_manager->create_and_checkout(charon->ike_sa_manager, &ike_sa); - this->worker_logger->log(this->worker_logger, CONTROL, "Initializing connection \"%s\"", + this->worker_logger->log(this->worker_logger, CONTROL, "Initiating connection \"%s\"", job->get_configuration_name(job)); status = ike_sa->initialize_connection(ike_sa, job->get_configuration_name(job)); if (status != SUCCESS) { - this->worker_logger->log(this->worker_logger, ERROR, "%s: By initialize_conection, going to delete IKE_SA.", + this->worker_logger->log(this->worker_logger, ERROR, "Initiation returned %s, going to delete IKE_SA.", mapping_find(status_m, status)); charon->ike_sa_manager->checkin_and_delete(charon->ike_sa_manager, ike_sa); return; } this->worker_logger->log(this->worker_logger, CONTROL|LEVEL3, "Create Job to delete half open IKE_SA."); - this->create_delete_half_open_ike_sa_job(this,ike_sa->get_id(ike_sa),charon->configuration_manager->get_half_open_ike_sa_timeout(charon->configuration_manager)); + this->create_delete_half_open_ike_sa_job(this,ike_sa->get_id(ike_sa),charon->configuration->get_half_open_ike_sa_timeout(charon->configuration)); this->worker_logger->log(this->worker_logger, CONTROL|LEVEL2, "Checking in IKE SA"); status = charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); if (status != SUCCESS) { - this->worker_logger->log(this->worker_logger, ERROR, "%s: Could not checkin IKE_SA.", + this->worker_logger->log(this->worker_logger, ERROR, "Could not checkin IKE_SA (%s)", mapping_find(status_m, status)); } } @@ -510,7 +510,7 @@ static void process_retransmit_request_job(private_thread_pool_t *this, retransm } job->increase_retransmit_count(job); - status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,job->get_retransmit_count(job),&timeout); + status = charon->configuration->get_retransmit_timeout (charon->configuration,job->get_retransmit_count(job),&timeout); if (status != SUCCESS) { this->worker_logger->log(this->worker_logger, CONTROL | LEVEL2, "Message will not be anymore retransmitted"); diff --git a/Source/charon/transforms/crypters/crypter.h b/Source/charon/transforms/crypters/crypter.h index 7f371de8a..9c219f5cc 100644 --- a/Source/charon/transforms/crypters/crypter.h +++ b/Source/charon/transforms/crypters/crypter.h @@ -28,7 +28,7 @@ typedef enum encryption_algorithm_t encryption_algorithm_t; /** - * @brief Encryption algorithm, as in IKEv2 draft 3.3.2. + * @brief Encryption algorithm, as in IKEv2 RFC 3.3.2. * * Currently only the following algorithms are implemented and therefore supported: * - ENCR_AES_CBC diff --git a/Source/charon/transforms/diffie_hellman.h b/Source/charon/transforms/diffie_hellman.h index d4f956325..9a3608aea 100644 --- a/Source/charon/transforms/diffie_hellman.h +++ b/Source/charon/transforms/diffie_hellman.h @@ -33,7 +33,7 @@ typedef enum diffie_hellman_group_t diffie_hellman_group_t; * * The modulus (or group) to use for a Diffie-Hellman calculation. * - * See IKEv2 draft 3.3.2 and RFC 3526. + * See IKEv2 RFC 3.3.2 and RFC 3526. * * @warning Use of big modulus sizes can be cpu consuming. * diff --git a/Source/charon/transforms/prf_plus.h b/Source/charon/transforms/prf_plus.h index 538724c48..829191786 100644 --- a/Source/charon/transforms/prf_plus.h +++ b/Source/charon/transforms/prf_plus.h @@ -30,12 +30,12 @@ typedef struct prf_plus_t prf_plus_t; /** - * @brief Implementation of the prf+ function described in IKEv2 draft. + * @brief Implementation of the prf+ function described in IKEv2 RFC. * * This class implements the prf+ algorithm. Internally it uses a pseudo random * function, which implements the prf_t interface. * - * See IKEv2 draft 2.13. + * See IKEv2 RFC 2.13. * * @b Constructors: * - prf_plus_create() diff --git a/Source/charon/transforms/prfs/prf.h b/Source/charon/transforms/prfs/prf.h index 17b1110b2..b1c1e6a66 100644 --- a/Source/charon/transforms/prfs/prf.h +++ b/Source/charon/transforms/prfs/prf.h @@ -28,7 +28,7 @@ typedef enum pseudo_random_function_t pseudo_random_function_t; /** - * @brief Pseudo random function, as in IKEv2 draft 3.3.2. + * @brief Pseudo random function, as in IKEv2 RFC 3.3.2. * * Currently only the following algorithms are implemented and therefore supported: * - PRF_HMAC_MD5 diff --git a/Source/charon/transforms/signers/signer.h b/Source/charon/transforms/signers/signer.h index 1c339178c..9625af813 100644 --- a/Source/charon/transforms/signers/signer.h +++ b/Source/charon/transforms/signers/signer.h @@ -29,7 +29,7 @@ typedef enum integrity_algorithm_t integrity_algorithm_t; /** - * @brief Integrity algorithm, as in IKEv2 draft 3.3.2. + * @brief Integrity algorithm, as in IKEv2 RFC 3.3.2. * * Currently only the following algorithms are implemented and therefore supported: * - AUTH_HMAC_MD5_96 diff --git a/Source/charon/utils/logger_manager.c b/Source/charon/utils/logger_manager.c index 1a2da19bc..bdc8aae0a 100644 --- a/Source/charon/utils/logger_manager.c +++ b/Source/charon/utils/logger_manager.c @@ -45,7 +45,7 @@ mapping_t logger_context_t_mappings[] = { {SOCKET, "SOCKET"}, {TESTER, "TESTER"}, {DAEMON, "DAEMON"}, - {CONFIGURATION_MANAGER, "CONFIG"}, + {CONFIG, "CONFIG"}, {ENCRYPTION_PAYLOAD, "ENCPLD"}, {MAPPING_END, NULL}, }; @@ -175,13 +175,15 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t log_thread_ids = TRUE; break; case IKE_SA: + logger_level |= LEVEL1; log_thread_ids = TRUE; break; case CHILD_SA: logger_level |= LEVEL1; log_thread_ids = TRUE; break; - case CONFIGURATION_MANAGER: + case CONFIG: + logger_level |= FULL; log_thread_ids = TRUE; break; case MESSAGE: diff --git a/Source/charon/utils/logger_manager.h b/Source/charon/utils/logger_manager.h index 41466b2a9..e934435aa 100644 --- a/Source/charon/utils/logger_manager.h +++ b/Source/charon/utils/logger_manager.h @@ -50,7 +50,7 @@ enum logger_context_t { SOCKET, TESTER, DAEMON, - CONFIGURATION_MANAGER, + CONFIG, ENCRYPTION_PAYLOAD, }; |