Diffstat (limited to 'Source/charon/sa')
-rw-r--r-- | Source/charon/sa/authenticator.c | 110 | ||||
-rw-r--r-- | Source/charon/sa/authenticator.h | 8 | ||||
-rw-r--r-- | Source/charon/sa/child_sa.c | 14 | ||||
-rw-r--r-- | Source/charon/sa/child_sa.h | 6 | ||||
-rw-r--r-- | Source/charon/sa/ike_sa.c | 162 | ||||
-rw-r--r-- | Source/charon/sa/ike_sa.h | 80 | ||||
-rw-r--r-- | Source/charon/sa/ike_sa_id.h | 6 | ||||
-rw-r--r-- | Source/charon/sa/ike_sa_manager.h | 6 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_auth_requested.c | 18 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_sa_init_requested.c | 46 | ||||
-rw-r--r-- | Source/charon/sa/states/ike_sa_init_responded.c | 42 | ||||
-rw-r--r-- | Source/charon/sa/states/initiator_init.c | 57 | ||||
-rw-r--r-- | Source/charon/sa/states/initiator_init.h | 8 | ||||
-rw-r--r-- | Source/charon/sa/states/responder_init.c | 21 | ||||
-rw-r--r-- | Source/charon/sa/states/responder_init.h | 2 |
15 files changed, 227 insertions, 359 deletions
diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c index f6f09c268..d735b633e 100644 --- a/Source/charon/sa/authenticator.c +++ b/Source/charon/sa/authenticator.c @@ -28,12 +28,7 @@ /** * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE. */ -#define IKE_V2_KEY_PAD "Key Pad for IKEv2" - -/** - * Length of key pad in bytes. - */ -#define IKE_V2_KEY_PAD_LEN strlen(IKE_V2_KEY_PAD) +#define IKEV2_KEY_PAD "Key Pad for IKEv2" typedef struct private_authenticator_t private_authenticator_t; @@ -49,7 +44,7 @@ struct private_authenticator_t { authenticator_t public; /** - * Assigned IKE_SA. Needed to get objects of type prf_t, sa_config_t and logger_t. + * Assigned IKE_SA. Needed to get objects of type prf_t and logger_t. */ protected_ike_sa_t *ike_sa; @@ -99,12 +94,12 @@ struct private_authenticator_t { * AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE. * Memory gets allocated and has to get destroyed by caller. */ - chunk_t (*allocate_auth_data_with_preshared_secret) (private_authenticator_t *this, - chunk_t last_message, - chunk_t nonce, - id_payload_t *id_payload, - bool initiator, - chunk_t preshared_secret); + chunk_t (*build_preshared_secret_signature) (private_authenticator_t *this, + chunk_t last_message, + chunk_t nonce, + id_payload_t *id_payload, + bool initiator, + chunk_t preshared_secret); }; /** 
@@ -157,37 +152,34 @@ static chunk_t allocate_octets(private_authenticator_t *this, current_pos += other_nonce.len; prf->get_bytes(prf, id_with_header_chunk, current_pos); - this->logger->log_chunk(this->logger,RAW | LEVEL2, "Octets (Mesage + Nonce + prf(Sk_px,Idx)",&octets); + this->logger->log_chunk(this->logger,RAW | LEVEL2, "Octets (Mesage + Nonce + prf(Sk_px,Idx)",octets); return octets; } /** - * Implementation of private_authenticator_t.allocate_auth_data_with_preshared_secret. + * Implementation of private_authenticator_t.build_preshared_secret_signature. */ -static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t *this, +static chunk_t build_preshared_secret_signature(private_authenticator_t *this, chunk_t last_message, chunk_t nonce, id_payload_t *id_payload, bool initiator, chunk_t preshared_secret) { - chunk_t key_pad = {ptr: IKE_V2_KEY_PAD, len:IKE_V2_KEY_PAD_LEN}; + chunk_t key_pad = {ptr: IKEV2_KEY_PAD, len:strlen(IKEV2_KEY_PAD)}; u_int8_t key_buffer[this->prf->get_block_size(this->prf)]; chunk_t key = {ptr: key_buffer, len: sizeof(key_buffer)}; chunk_t auth_data; chunk_t octets = this->allocate_octets(this,last_message,nonce,id_payload,initiator); - /* - * AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) - */ - - this->prf->set_key(this->prf,preshared_secret); - this->prf->get_bytes(this->prf,key_pad,key_buffer); - this->prf->set_key(this->prf,key); - this->prf->allocate_bytes(this->prf,octets,&auth_data); + /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */ + this->prf->set_key(this->prf, preshared_secret); + this->prf->get_bytes(this->prf, key_pad, key_buffer); + this->prf->set_key(this->prf, key); + this->prf->allocate_bytes(this->prf, octets, &auth_data); allocator_free_chunk(&octets); - this->logger->log_chunk(this->logger,RAW | LEVEL2, "Authenticated data",&auth_data); + this->logger->log_chunk(this->logger,RAW | LEVEL2, "Authenticated data",auth_data); return auth_data; } 
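Review bot: `key_buffer` in build_preshared_secret_signature holds prf(Shared Secret, "Key Pad for IKEv2"), the key from which every AUTH value for that PSK is derived, and it is left on the stack untouched when the function returns; clearing it before `return auth_data;` would bound how long that material survives in memory, e.g. `memset(key_buffer, 0, sizeof(key_buffer));` (a plain memset at the end of a function can be optimized away, so a wipe helper that the compiler cannot elide is preferable if the project has one). The hunk also shows `this->prf->set_key(this->prf, key)` being called with a chunk that points into that VLA; if prf_t keeps the pointer instead of copying the key, it dangles once the function returns, which is worth confirming against the prf implementation. A smaller point: `len: strlen(IKEV2_KEY_PAD)` computes at run time what `sizeof(IKEV2_KEY_PAD) - 1` yields as a constant.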
@@ -211,28 +203,28 @@ static status_t verify_auth_data (private_authenticator_t *this, chunk_t preshared_secret; status_t status; - status = charon->configuration->get_shared_secret(charon->configuration, - other_id, - &preshared_secret); + status = charon->credentials->get_shared_secret(charon->credentials, + other_id, + &preshared_secret); other_id->destroy(other_id); if (status != SUCCESS) { return status; } - chunk_t my_auth_data = this->allocate_auth_data_with_preshared_secret(this, - last_received_packet, - my_nonce, - other_id_payload, - initiator, - preshared_secret); + chunk_t my_auth_data = this->build_preshared_secret_signature(this, + last_received_packet, + my_nonce, + other_id_payload, + initiator, + preshared_secret); if (auth_data.len != my_auth_data.len) { allocator_free_chunk(&my_auth_data); return FAILED; } - if (memcmp(auth_data.ptr,my_auth_data.ptr,my_auth_data.len) == 0) + if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0) { status = SUCCESS; } @@ -252,16 +244,16 @@ static status_t verify_auth_data (private_authenticator_t *this, auth_data = auth_payload->get_data(auth_payload); - status = charon->configuration->get_rsa_public_key(charon->configuration, - other_id, - &public_key); + status = charon->credentials->get_rsa_public_key(charon->credentials, + other_id, + &public_key); other_id->destroy(other_id); if (status != SUCCESS) { return status; } - octets = this->allocate_octets(this,last_received_packet,my_nonce,other_id_payload,initiator); + octets = this->allocate_octets(this,last_received_packet, my_nonce,other_id_payload, initiator); status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data); 
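Review bot: The `memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0` check in verify_auth_data compares the peer's AUTH value with the locally computed one using a comparison that stops at the first differing byte, so its duration depends on how many leading bytes matched; since this value is a MAC-style proof of the shared secret, a constant-time comparison is the usual defensive choice, e.g. `u_int8_t diff = 0; for (size_t i = 0; i < my_auth_data.len; i++) { diff |= auth_data.ptr[i] ^ my_auth_data.ptr[i]; } if (diff == 0)`. The length-mismatch early return above it is fine, as the length is not secret. verify_auth_data continues outside the hunk, so the FAILED path after the comparison could not be checked here.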
@@ -285,19 +277,20 @@ static status_t compute_auth_data (private_authenticator_t *this, id_payload_t *my_id_payload, bool initiator) { - sa_config_t *sa_config = this->ike_sa->get_sa_config(this->ike_sa); + connection_t *connection = this->ike_sa->get_connection(this->ike_sa); - switch(sa_config->get_auth_method(sa_config)) + switch(connection->get_auth_method(connection)) { case SHARED_KEY_MESSAGE_INTEGRITY_CODE: { - identification_t *my_id =my_id_payload->get_identification(my_id_payload); + identification_t *my_id = my_id_payload->get_identification(my_id_payload); chunk_t preshared_secret; - status_t status; + status_t status; + chunk_t auth_data; - status = charon->configuration->get_shared_secret(charon->configuration, - my_id, - &preshared_secret); + status = charon->credentials->get_shared_secret(charon->credentials, + my_id, + &preshared_secret); my_id->destroy(my_id); if (status != SUCCESS) @@ -305,16 +298,11 @@ static status_t compute_auth_data (private_authenticator_t *this, return status; } - chunk_t auth_data = this->allocate_auth_data_with_preshared_secret(this, - last_sent_packet, - other_nonce, - my_id_payload, - initiator, - preshared_secret); - + auth_data = this->build_preshared_secret_signature(this, last_sent_packet, other_nonce, + my_id_payload, initiator, preshared_secret); *auth_payload = auth_payload_create(); - (*auth_payload)->set_auth_method((*auth_payload),SHARED_KEY_MESSAGE_INTEGRITY_CODE); - (*auth_payload)->set_data((*auth_payload),auth_data); + (*auth_payload)->set_auth_method(*auth_payload, SHARED_KEY_MESSAGE_INTEGRITY_CODE); + (*auth_payload)->set_data(*auth_payload, auth_data); allocator_free_chunk(&auth_data); return SUCCESS; 
@@ -326,9 +314,7 @@ static status_t compute_auth_data (private_authenticator_t *this, status_t status; chunk_t octets, auth_data; - status = charon->configuration->get_rsa_private_key(charon->configuration, - my_id, - &private_key); + status = charon->credentials->get_rsa_private_key(charon->credentials, my_id, &private_key); my_id->destroy(my_id); if (status != SUCCESS) { @@ -345,8 +331,8 @@ static status_t compute_auth_data (private_authenticator_t *this, } *auth_payload = auth_payload_create(); - (*auth_payload)->set_auth_method((*auth_payload), RSA_DIGITAL_SIGNATURE); - (*auth_payload)->set_data((*auth_payload),auth_data); + (*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE); + (*auth_payload)->set_data(*auth_payload, auth_data); allocator_free_chunk(&auth_data); return SUCCESS; @@ -380,7 +366,7 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa) /* private functions */ this->allocate_octets = allocate_octets; - this->allocate_auth_data_with_preshared_secret = allocate_auth_data_with_preshared_secret; + this->build_preshared_secret_signature = build_preshared_secret_signature; /* private data */ this->ike_sa = ike_sa; diff --git a/Source/charon/sa/authenticator.h b/Source/charon/sa/authenticator.h index c50ac4f32..b6bc317ac 100644 --- a/Source/charon/sa/authenticator.h +++ b/Source/charon/sa/authenticator.h @@ -20,8 +20,8 @@ * for more details. */ -#ifndef _AUTHENTICATOR_H_ -#define _AUTHENTICATOR_H_ +#ifndef AUTHENTICATOR_H_ +#define AUTHENTICATOR_H_ #include <types.h> #include <sa/ike_sa.h> @@ -122,7 +122,7 @@ struct authenticator_t { * * @warning: The following functions of the assigned protected_ike_sa_t object * must return a valid value: - * - protected_ike_sa_t.get_sa_config + * - protected_ike_sa_t.get_policy * - protected_ike_sa_t.get_prf * - protected_ike_sa_t.get_logger * This preconditions are not given in IKE_SA states INITIATOR_INIT or RESPONDER_INIT! 
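Review bot: The @warning list in authenticator.h (hunk @@ -122) now names `protected_ike_sa_t.get_policy` as the accessor that must return a valid value, but compute_auth_data in authenticator.c (hunk @@ -285) reads the AUTH method through `this->ike_sa->get_connection(this->ike_sa)` and none of the visible authenticator hunks call get_policy, so the documented precondition does not match the code. I would list `- protected_ike_sa_t.get_connection` there, keeping get_policy only if some part of the authenticator outside these hunks actually uses it. Renaming the guard away from the reserved `_AUTHENTICATOR_H_` identifier is a good fix.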
@@ -135,4 +135,4 @@ struct authenticator_t { */ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa); -#endif //_AUTHENTICATOR_H_ +#endif /* AUTHENTICATOR_H_ */ diff --git a/Source/charon/sa/child_sa.c b/Source/charon/sa/child_sa.c index 455a5d318..64257b34b 100644 --- a/Source/charon/sa/child_sa.c +++ b/Source/charon/sa/child_sa.c @@ -27,14 +27,14 @@ #include <daemon.h> -typedef struct policy_t policy_t; +typedef struct sa_policy_t sa_policy_t; /** * Struct used to store information for a policy. This * is needed since we must provide all this information * for deleting a policy... */ -struct policy_t { +struct sa_policy_t { /** * Network on local side @@ -264,7 +264,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus key_size = crypter->get_key_size(crypter); crypter->destroy(crypter); prf_plus->allocate_bytes(prf_plus, key_size, &enc_key); - this->logger->log_chunk(this->logger, PRIVATE, "key:", &enc_key); + this->logger->log_chunk(this->logger, PRIVATE, "key:", enc_key); } else { @@ -285,7 +285,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus key_size = signer->get_key_size(signer); signer->destroy(signer); prf_plus->allocate_bytes(prf_plus, key_size, &int_key); - this->logger->log_chunk(this->logger, PRIVATE, "key:", &int_key); + this->logger->log_chunk(this->logger, PRIVATE, "key:", int_key); } else { @@ -386,7 +386,7 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list int family; chunk_t from_addr; u_int16_t from_port, to_port; - policy_t *policy; + sa_policy_t *policy; status_t status; other_iter->current(other_iter, (void**)&other_ts); @@ -396,7 +396,7 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list { continue; } - policy = allocator_alloc_thing(policy_t); + policy = allocator_alloc_thing(sa_policy_t); policy->upper_proto = my_ts->get_protocol(my_ts); /* calculate net and ports for local side */ 
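Review bot: The rename to `sa_policy_t` in child_sa.c has no comment explaining it, and the reason is not obvious from this file alone: `policy_t` now names the configuration-level policy type pulled in through sa/ike_sa.h (`#include <config/policy.h>` in the ike_sa.h hunk), so the kernel-policy record needed a distinct tag. I would extend the struct comment with `* Named sa_policy_t to avoid clashing with config's policy_t; it describes an installed kernel policy.`. Separately, `policy = allocator_alloc_thing(sa_policy_t);` is dereferenced on the next line without a NULL check, which is only safe if allocator_alloc_thing aborts on failure; that is not visible here.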
@@ -468,7 +468,7 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list static void destroy(private_child_sa_t *this) { /* delete all policys in the kernel */ - policy_t *policy; + sa_policy_t *policy; while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS) { charon->kernel_interface->del_policy(charon->kernel_interface, diff --git a/Source/charon/sa/child_sa.h b/Source/charon/sa/child_sa.h index a43ed0674..34542274c 100644 --- a/Source/charon/sa/child_sa.h +++ b/Source/charon/sa/child_sa.h @@ -21,8 +21,8 @@ */ -#ifndef _CHILD_SA_H_ -#define _CHILD_SA_H_ +#ifndef CHILD_SA_H_ +#define CHILD_SA_H_ #include <types.h> #include <transforms/prf_plus.h> @@ -130,4 +130,4 @@ struct child_sa_t { */ child_sa_t * child_sa_create(host_t *me, host_t *other); -#endif /*_CHILD_SA_H_*/ +#endif /*CHILD_SA_H_*/ diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c index 2f226c227..6517c388c 100644 --- a/Source/charon/sa/ike_sa.c +++ b/Source/charon/sa/ike_sa.c @@ -95,7 +95,7 @@ struct private_ike_sa_t { * - IKE_AUTH_REQUESTED * -IKE_SA_ESTABLISHED */ - init_config_t *init_config; + connection_t *connection; /** * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange. @@ -108,7 +108,7 @@ struct private_ike_sa_t { * - IKE_AUTH_REQUESTED * -IKE_SA_ESTABLISHED */ - sa_config_t *sa_config; + policy_t *policy; /** * This SA's source for random data. @@ -128,20 +128,6 @@ struct private_ike_sa_t { message_t *last_requested_message; /** - * Informations of this host. - */ - struct { - host_t *host; - } me; - - /** - * Informations of the other host. - */ - struct { - host_t *host; - } other; - - /** * Crypter object for initiator. */ crypter_t *crypter_initiator; 
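Review bot: The field comment above the new `policy_t *policy;` member of private_ike_sa_t still opens with `* SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.`, wording written for the removed sa_config_t; now that the member is a policy_t the comment should say so, e.g. `* Policy selected for this IKE_SA, needed for all exchanges after IKE_SA_INIT.`. The comment above `connection_t *connection;` begins outside the hunk and may likewise still describe init_config_t. Since the `me`/`other` host members are removed here, the local and remote host_t objects now live only in the connection, so the `connection` field comment is also the natural place to state that the IKE_SA owns that object, as ike_sa.h now says.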
@@ -276,12 +262,16 @@ static status_t process_message (private_ike_sa_t *this, message_t *message) */ static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message) { - message_t *new_message; + message_t *new_message; + host_t *me, *other; + + me = this->connection->get_my_host(this->connection); + other = this->connection->get_other_host(this->connection); this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message"); new_message = message_create(); - new_message->set_source(new_message, this->me.host->clone(this->me.host)); - new_message->set_destination(new_message, this->other.host->clone(this->other.host)); + new_message->set_source(new_message, me->clone(me)); + new_message->set_destination(new_message, other->clone(other)); new_message->set_exchange_type(new_message, type); new_message->set_request(new_message, request); new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in); @@ -291,12 +281,11 @@ static void build_message(private_ike_sa_t *this, exchange_type_t type, bool req } /** - * Implementation of protected_ike_sa_t.process_configuration. + * Implementation of protected_ike_sa_t.initiate_connection. */ -static status_t initialize_connection(private_ike_sa_t *this, char *name) +static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection) { initiator_init_t *current_state; - status_t status; /* Work is done in state object of type INITIATOR_INIT. All other states are not * initial states and so don't have a initialize_connection function */ @@ -308,8 +297,7 @@ static status_t initialize_connection(private_ike_sa_t *this, char *name) current_state = (initiator_init_t *) this->current_state; - status = current_state->initiate_connection(current_state,name); - return status; + return current_state->initiate_connection(current_state, connection); } /** 
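Review bot: build_message now dereferences `this->connection` through `this->connection->get_my_host(this->connection)` without a check, and ike_sa_create sets `this->connection = NULL` (hunk @@ -1169), so a call before set_connection is a NULL dereference; the old `this->me.host` carried the same hazard, so this is not a regression, but the precondition deserves a comment such as `/* requires a connection set via set_connection(); it is NULL until then */` above the two assignments. In initiate_connection the retained comment still says `don't have a initialize_connection function` although the method has just been renamed to initiate_connection. The part of initiate_connection between that comment and `current_state = ...` is outside the hunk.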
@@ -432,75 +420,35 @@ static logger_t *get_logger (private_ike_sa_t *this) } /** - * Implementation of protected_ike_sa_t.get_my_host. - */ -static host_t *get_my_host (private_ike_sa_t *this) -{ - return this->me.host; -} - -/** - * Implementation of protected_ike_sa_t.get_other_host. - */ -static host_t *get_other_host (private_ike_sa_t *this) -{ - return this->other.host; -} - -/** - * Implementation of protected_ike_sa_t.get_init_config. - */ -static init_config_t *get_init_config (private_ike_sa_t *this) -{ - return this->init_config; -} - -/** - * Implementation of protected_ike_sa_t.set_init_config. + * Implementation of protected_ike_sa_t.get_connection. */ -static void set_init_config (private_ike_sa_t *this,init_config_t * init_config) +static connection_t *get_connection (private_ike_sa_t *this) { - this->init_config = init_config; + return this->connection; } /** - * Implementation of protected_ike_sa_t.get_sa_config. + * Implementation of protected_ike_sa_t.set_connection. */ -static sa_config_t *get_sa_config (private_ike_sa_t *this) +static void set_connection (private_ike_sa_t *this,connection_t * connection) { - return this->sa_config; + this->connection = connection; } /** - * Implementation of protected_ike_sa_t.set_sa_config. + * Implementation of protected_ike_sa_t.get_policy. */ -static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config) +static policy_t *get_policy (private_ike_sa_t *this) { - this->sa_config = sa_config; + return this->policy; } /** - * Implementation of protected_ike_sa_t.set_my_host. + * Implementation of protected_ike_sa_t.set_policy. */ -static void set_my_host (private_ike_sa_t *this, host_t *my_host) +static void set_policy (private_ike_sa_t *this,policy_t * policy) { - if (this->me.host) - { - this->me.host->destroy(this->me.host); - } - this->me.host = my_host; -} - -/** - * Implementation of protected_ike_sa_t.set_other_host. 
- */ -static void set_other_host (private_ike_sa_t *this, host_t *other_host) -{ - if (this->other.host) - { - this->other.host->destroy(this->other.host); - } - this->other.host = other_host; + this->policy = policy; } /** @@ -584,10 +532,10 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d /* SKEYSEED = prf(Ni | Nr, g^ir) */ dh->get_shared_secret(dh, &secret); - this->logger->log_chunk(this->logger, PRIVATE, "Shared Diffie Hellman secret", &secret); + this->logger->log_chunk(this->logger, PRIVATE, "Shared Diffie Hellman secret", secret); this->prf->set_key(this->prf, nonces); this->prf->allocate_bytes(this->prf, secret, &skeyseed); - this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "SKEYSEED", &skeyseed); + this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "SKEYSEED", skeyseed); allocator_free_chunk(&secret); /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr ) @@ -614,7 +562,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d this->child_prf = prf_create(algo->algorithm); key_size = this->child_prf->get_key_size(this->child_prf); prf_plus->allocate_bytes(prf_plus, key_size, &key); - this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &key); + this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", key); this->child_prf->set_key(this->child_prf, key); allocator_free_chunk(&key); 
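Review bot: set_connection and set_policy (hunk @@ -432) store the new pointer with `this->connection = connection;` / `this->policy = policy;` and silently drop the previous one, whereas the set_my_host/set_other_host they replace destroyed the existing object first; with ike_sa.h now stating that the IKE_SA owns the connection after initiate_connection, a second set_connection on the same SA would leak the first one unless callers guarantee a single assignment. Either release the previous object here (if connection_t has a destroy method, which this diff does not show) or document the contract on each setter, e.g. `/* takes ownership of the pointer; callers must set it only once per IKE_SA */`. Minor style: `connection_t * connection` and `policy_t * policy` put the `*` apart from both type and name, while the rest of the file binds it to the name.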
@@ -647,12 +595,12 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d key_size = this->signer_initiator->get_key_size(this->signer_initiator); prf_plus->allocate_bytes(prf_plus, key_size, &key); - this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &key); + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", key); this->signer_initiator->set_key(this->signer_initiator, key); allocator_free_chunk(&key); prf_plus->allocate_bytes(prf_plus, key_size, &key); - this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &key); + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", key); this->signer_responder->set_key(this->signer_responder, key); allocator_free_chunk(&key); @@ -686,12 +634,12 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d key_size = this->crypter_initiator->get_key_size(this->crypter_initiator); prf_plus->allocate_bytes(prf_plus, key_size, &key); - this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &key); + this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", key); this->crypter_initiator->set_key(this->crypter_initiator, key); allocator_free_chunk(&key); prf_plus->allocate_bytes(prf_plus, key_size, &key); - this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &key); + this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", key); this->crypter_responder->set_key(this->crypter_responder, key); allocator_free_chunk(&key); 
@@ -711,12 +659,12 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d key_size = this->prf_auth_i->get_key_size(this->prf_auth_i); prf_plus->allocate_bytes(prf_plus, key_size, &key); - this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &key); + this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", key); this->prf_auth_i->set_key(this->prf_auth_i, key); allocator_free_chunk(&key); prf_plus->allocate_bytes(prf_plus, key_size, &key); - this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &key); + this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", key); this->prf_auth_r->set_key(this->prf_auth_r, key); allocator_free_chunk(&key); @@ -1005,21 +953,6 @@ static void reset_message_buffers (private_ike_sa_t *this) } /** - * Implementation of protected_ike_sa_t.create_delete_established_ike_sa_job. - */ -static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32_t timeout) -{ - job_t *delete_job; - - this->logger->log(this->logger, CONTROL | LEVEL1, - "Going to create job to delete established IKE_SA in %d ms", - timeout); - - delete_job = (job_t *) delete_established_ike_sa_job_create(this->ike_sa_id); - charon->event_queue->add_relative(charon->event_queue,delete_job, timeout); -} - -/** * Implementation of protected_ike_sa_t.destroy. */ static void destroy (private_ike_sa_t *this) @@ -1080,14 +1013,6 @@ static void destroy (private_ike_sa_t *this) { this->last_responded_message->destroy(this->last_responded_message); } - if (this->me.host != NULL) - { - this->me.host->destroy(this->me.host); - } - if (this->other.host != NULL) - { - this->other.host->destroy(this->other.host); - } this->randomizer->destroy(this->randomizer); this->current_state->destroy(this->current_state); charon->logger_manager->destroy_logger(charon->logger_manager, this->logger); 
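Review bot: destroy() (hunk @@ -1080) drops the me.host/other.host cleanup but adds nothing that releases `this->connection` or `this->policy`, although the ike_sa.h hunk states that the connection_t object is owned by the IKE_SA after initiate_connection; if the rest of destroy(), which is outside this hunk, does not destroy them either, every torn-down SA leaks its connection together with the host_t objects that used to be freed here. I would add the release next to the other owned members, e.g. `if (this->connection) { this->connection->destroy(this->connection); }`, assuming connection_t follows the destroy-method convention used by host_t, with a matching line for policy if it is owned as well. destroy() starts outside the hunk.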
@@ -1104,7 +1029,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) /* Public functions */ this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message; - this->protected.public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection; + this->protected.public.initiate_connection = (status_t(*)(ike_sa_t*,connection_t*)) initiate_connection; this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id; this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request; this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state; 
@@ -1119,14 +1044,10 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.get_prf_auth_r = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_r; this->protected.add_child_sa = (void (*) (protected_ike_sa_t*,child_sa_t*)) add_child_sa; this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger; - this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config; - this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config; - this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config; - this->protected.get_sa_config = (sa_config_t *(*) (protected_ike_sa_t *)) get_sa_config; - this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host; - this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host; - this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host; - this->protected.set_other_host = (void(*) (protected_ike_sa_t *, host_t *)) set_other_host; + this->protected.set_connection = (void (*) (protected_ike_sa_t *,connection_t *)) set_connection; + this->protected.get_connection = (connection_t *(*) (protected_ike_sa_t *)) get_connection; + this->protected.set_policy = (void (*) (protected_ike_sa_t *,policy_t *)) set_policy; + this->protected.get_policy = (policy_t *(*) (protected_ike_sa_t *)) get_policy; this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer; this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request; this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response; 
@@ -1140,7 +1061,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers; this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_responded_message; this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_requested_message; - this->protected.create_delete_established_ike_sa_job = (void (*) (protected_ike_sa_t *this,u_int32_t)) create_delete_established_ike_sa_job; this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id; @@ -1154,8 +1074,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->child_sas = linked_list_create(); this->randomizer = randomizer_create(); - this->me.host = NULL; - this->other.host = NULL; this->last_requested_message = NULL; this->last_responded_message = NULL; this->message_id_out = 0; @@ -1169,8 +1087,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->prf_auth_i = NULL; this->prf_auth_r = NULL; this->child_prf = NULL; - this->init_config = NULL; - this->sa_config = NULL; + this->connection = NULL; + this->policy = NULL; /* at creation time, IKE_SA is in a initiator state */ if (ike_sa_id->is_initiator(ike_sa_id)) diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h index e1d27e25d..2bf697889 100644 --- a/Source/charon/sa/ike_sa.h +++ b/Source/charon/sa/ike_sa.h @@ -35,6 +35,8 @@ #include <transforms/prfs/prf.h> #include <transforms/crypters/crypter.h> #include <transforms/signers/signer.h> +#include <config/connection.h> +#include <config/policy.h> /** * Nonce size in bytes for nonces sending to other peer. 
@@ -75,16 +77,19 @@ struct ike_sa_t { status_t (*process_message) (ike_sa_t *this,message_t *message); /** - * @brief Initiate a new connection with given configuration name. + * @brief Initiate a new connection with given connection_t object. + * + * The connection_t object is owned by the IKE_SA after the call, so + * do not modify or destroy it. * * @param this calling object - * @param name name of the configuration + * @param connection connection to initiate * @return * - SUCCESS if initialization started * - FAILED if in wrong state * - DELETE_ME if initialization failed and IKE_SA MUST be deleted */ - status_t (*initialize_connection) (ike_sa_t *this, char *name); + status_t (*initiate_connection) (ike_sa_t *this, connection_t *connection); /** * @brief Retransmits a request. 
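Review bot: The new initiate_connection doc says `The connection_t object is owned by the IKE_SA after the call`, yet the method also returns FAILED (wrong state) and DELETE_ME, and the text does not say whether ownership transfers on those paths; the comment in ike_sa.c says the work is only done in state INITIATOR_INIT, so on the FAILED path the connection may never reach the state object and a caller cannot tell whether it must destroy it. One sentence would settle this, e.g. `Ownership transfers on every return value, including FAILED and DELETE_ME; the caller must never destroy the connection afterwards.`, or the opposite, whichever the implementation actually does.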
@@ -176,72 +181,36 @@ struct protected_ike_sa_t { logger_t *(*get_logger) (protected_ike_sa_t *this); /** - * @brief Get the internal stored init_config_t object. + * @brief Get the internal stored connection_t object. * * @param this calling object - * @return pointer to the internal stored init_config_t object + * @return pointer to the internal stored connection_t object */ - init_config_t *(*get_init_config) (protected_ike_sa_t *this); + connection_t *(*get_connection) (protected_ike_sa_t *this); /** - * @brief Set the internal init_config_t object. + * @brief Set the internal connection object. * * @param this calling object - * @param init_config object of type init_config_t + * @param connection object of type connection_t */ - void (*set_init_config) (protected_ike_sa_t *this,init_config_t *init_config); + void (*set_connection) (protected_ike_sa_t *this, connection_t *connection); /** - * @brief Get the internal stored sa_config_t object. + * @brief Get the internal stored policy object. * * @param this calling object - * @return pointer to the internal stored sa_config_t object + * @return pointer to the internal stored policy_t object */ - sa_config_t *(*get_sa_config) (protected_ike_sa_t *this); + policy_t *(*get_policy) (protected_ike_sa_t *this); /** - * @brief Set the internal sa_config_t object. - * - * @param this calling object - * @param sa_config object of type sa_config_t - */ - void (*set_sa_config) (protected_ike_sa_t *this,sa_config_t *sa_config); - - /** - * @brief Get the internal stored host_t object for my host. + * @brief Set the internal policy_t object. * * @param this calling object - * @return pointer to the internal stored host_t object + * @param policy object of type policy_t */ - host_t *(*get_my_host) (protected_ike_sa_t *this); - - /** - * @brief Get the internal stored host_t object for other host. 
- * - * @param this calling object - * @return pointer to the internal stored host_t object - */ - host_t *(*get_other_host) (protected_ike_sa_t *this); - - /** - * @brief Set the internal stored host_t object for my host. - * - * Allready existing object gets destroyed. object gets not cloned! - * - * @param this calling object - * @param my_host pointer to the new host_t object - */ - void (*set_my_host) (protected_ike_sa_t *this,host_t * my_host); - - /** - * @brief Set the internal stored host_t object for other host. - * - * Allready existing object gets destroyed. object gets not cloned! - * - * @param this calling object - * @param other_host pointer to the new host_t object - */ - void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host); + void (*set_policy) (protected_ike_sa_t *this,policy_t *policy); /** * @brief Derive all keys and create the transforms for IKE communication. @@ -422,15 +391,6 @@ struct protected_ike_sa_t { * @param this calling object */ void (*reset_message_buffers) (protected_ike_sa_t *this); - - /** - * @brief Creates a job of type DELETE_ESTABLISHED_IKE_SA for the current IKE_SA. - * - * @param this calling object - * @param timeout timeout after the IKE_SA gets deleted - * - */ - void (*create_delete_established_ike_sa_job) (protected_ike_sa_t *this,u_int32_t timeout); }; diff --git a/Source/charon/sa/ike_sa_id.h b/Source/charon/sa/ike_sa_id.h index aff710cc8..0f16f7637 100644 --- a/Source/charon/sa/ike_sa_id.h +++ b/Source/charon/sa/ike_sa_id.h @@ -21,8 +21,8 @@ */ -#ifndef _IKE_SA_ID_H_ -#define _IKE_SA_ID_H_ +#ifndef IKE_SA_ID_H_ +#define IKE_SA_ID_H_ #include <types.h> @@ -143,4 +143,4 @@ struct ike_sa_id_t { */ ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi, bool is_initiaor); -#endif /*_IKE_SA_ID_H_*/ +#endif /*IKE_SA_ID_H_*/ diff --git a/Source/charon/sa/ike_sa_manager.h b/Source/charon/sa/ike_sa_manager.h index 292271bd3..5ba9e87d5 100644 --- a/Source/charon/sa/ike_sa_manager.h 
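Review bot: The new set_connection / set_policy descriptions in protected_ike_sa_t (`@brief Set the internal connection object.`, `@brief Set the internal policy_t object.`) no longer say what happens to an already stored object or who owns the pointer, while the removed set_my_host/set_other_host text spelled out `Allready existing object gets destroyed. object gets not cloned!`; the implementation in ike_sa.c now just overwrites the pointer, so that contract should be written down, e.g. `* The object is not cloned and a previously set object is not destroyed.` under each @brief. The guard renames in ike_sa_id.h and ike_sa_manager.h away from underscore-prefixed identifiers are fine as they are.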
+++ b/Source/charon/sa/ike_sa_manager.h @@ -20,8 +20,8 @@ * for more details. */ -#ifndef _IKE_SA_MANAGER_H_ -#define _IKE_SA_MANAGER_H_ +#ifndef IKE_SA_MANAGER_H_ +#define IKE_SA_MANAGER_H_ #include <types.h> #include <sa/ike_sa.h> @@ -137,4 +137,4 @@ struct ike_sa_manager_t { */ ike_sa_manager_t *ike_sa_manager_create(); -#endif /*_IKE_SA_MANAGER_H_*/ +#endif /*IKE_SA_MANAGER_H_*/ diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c index ed5360dfe..c80b7f72a 100644 --- a/Source/charon/sa/states/ike_auth_requested.c +++ b/Source/charon/sa/states/ike_auth_requested.c @@ -55,7 +55,7 @@ struct private_ike_auth_requested_t { /** * SA config, just a copy of the one stored in the ike_sa. */ - sa_config_t *sa_config; + policy_t *policy; /** * Received nonce from responder. @@ -185,6 +185,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i host_t *my_host, *other_host; chunk_t seed; prf_plus_t *prf_plus; + connection_t *connection; if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH) { @@ -211,7 +212,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i return status; } - this->sa_config = this->ike_sa->get_sa_config(this->ike_sa); + this->policy = this->ike_sa->get_policy(this->ike_sa); /* we collect all payloads, which are processed later. Notify's are processed * in place, since we don't know how may are there. 
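Review bot: In ike_auth_requested.c the comment above the renamed member still reads `* SA config, just a copy of the one stored in the ike_sa.`, and `copy` was already inaccurate: the @@ -211 hunk assigns `this->policy = this->ike_sa->get_policy(this->ike_sa);`, i.e. the same pointer, not a copy. I would write `* Policy, the same pointer the ike_sa holds (presumably not owned by this state).`, with the ownership part to be confirmed against the state's destroy function, which is outside these hunks.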
@@ -352,8 +353,9 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply)); /* create new state */ - my_host = this->ike_sa->get_my_host(this->ike_sa); - other_host = this->ike_sa->get_other_host(this->ike_sa); + connection = this->ike_sa->get_connection(this->ike_sa); + my_host = connection->get_my_host(connection); + other_host = connection->get_other_host(connection); this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s", my_host->get_address(my_host), other_host->get_address(other_host), mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload))); @@ -372,7 +374,7 @@ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_paylo other_id = idr_payload->get_identification(idr_payload); - configured_other_id = this->sa_config->get_other_id(this->sa_config); + configured_other_id = this->policy->get_other_id(this->policy); if (configured_other_id) { this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s", @@ -424,7 +426,7 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa } /* we have to re-check here if other's selection is valid */ - proposal = this->sa_config->select_proposal(this->sa_config, proposal_list); + proposal = this->policy->select_proposal(this->policy, proposal_list); /* list not needed anymore */ while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS) { 
@@ -478,12 +480,12 @@ static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_i /* select ts depending on payload type */ if (ts_initiator) { - ts_selected = this->sa_config->select_my_traffic_selectors(this->sa_config, ts_received); + ts_selected = this->policy->select_my_traffic_selectors(this->policy, ts_received); this->my_ts = ts_selected; } else { - ts_selected = this->sa_config->select_other_traffic_selectors(this->sa_config, ts_received); + ts_selected = this->policy->select_other_traffic_selectors(this->policy, ts_received); this->other_ts = ts_selected; } /* check if the responder selected valid proposals */ diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c index 06ff238b9..5e641f9b3 100644 --- a/Source/charon/sa/states/ike_sa_init_requested.c +++ b/Source/charon/sa/states/ike_sa_init_requested.c @@ -214,6 +214,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t ike_sa_id_t *ike_sa_id; iterator_t *payloads; host_t *me; + connection_t *connection; message_t *request; status_t status; @@ -340,8 +341,9 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t } /* apply the address on wich we really received the packet */ + connection = this->ike_sa->get_connection(this->ike_sa); me = ike_sa_init_reply->get_destination(ike_sa_init_reply); - this->ike_sa->set_my_host(this->ike_sa, me->clone(me)); + connection->update_my_host(connection, me->clone(me)); /* build empty message */ this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request); 
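Review bot: `connection->update_my_host(connection, me->clone(me));` now writes the address taken from the received reply into the connection_t object instead of into the IKE_SA, where the removed `set_my_host` put it. If `get_connection` hands back the shared object from the connection store (responder_init.c obtains connections from `charon->connections`), a reply's destination address would overwrite configuration that other IKE_SAs read; whether the IKE_SA holds a private copy is not visible here. The clone's ownership (does `update_my_host` free the previous host and keep the new one?) is likewise undocumented at this call. Suggest a comment such as `/* connection is private to this IKE_SA; update_my_host takes ownership of the clone -- confirm */` or the equivalent fact once checked; process_message starts and ends outside this hunk.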
@@ -418,9 +420,9 @@ status_t process_sa_payload (private_ike_sa_init_requested_t *this, sa_payload_t { proposal_t *proposal; linked_list_t *proposal_list; - init_config_t *init_config; + connection_t *connection; - init_config = this->ike_sa->get_init_config(this->ike_sa); + connection = this->ike_sa->get_connection(this->ike_sa); /* get the list of selected proposals, the peer has to select only one proposal */ proposal_list = sa_payload->get_proposals (sa_payload); @@ -436,7 +438,7 @@ status_t process_sa_payload (private_ike_sa_init_requested_t *this, sa_payload_t } /* we have to re-check if the others selection is valid */ - this->proposal = init_config->select_proposal(init_config, proposal_list); + this->proposal = connection->select_proposal(connection, proposal_list); while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) { proposal->destroy(proposal); @@ -467,13 +469,13 @@ status_t process_ke_payload (private_ike_sa_init_requested_t *this, ke_payload_t */ static status_t build_id_payload (private_ike_sa_init_requested_t *this,id_payload_t **id_payload, message_t *request) { - sa_config_t *sa_config; + policy_t *policy; id_payload_t *new_id_payload; identification_t *identification; - sa_config = this->ike_sa->get_sa_config(this->ike_sa); + policy = this->ike_sa->get_policy(this->ike_sa); /* identification_t object gets NOT cloned here */ - identification = sa_config->get_my_id(sa_config); + identification = policy->get_my_id(policy); new_id_payload = id_payload_create_from_identification(TRUE,identification); this->logger->log(this->logger, CONTROL|LEVEL2, "Add ID payload to message"); 
@@ -516,14 +518,16 @@ static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message { linked_list_t *proposal_list; sa_payload_t *sa_payload; - sa_config_t *sa_config; + policy_t *policy; + connection_t *connection; /* get proposals form config, add to payload */ - sa_config = this->ike_sa->get_sa_config(this->ike_sa); - proposal_list = sa_config->get_proposals(sa_config); + policy = this->ike_sa->get_policy(this->ike_sa); + proposal_list = policy->get_proposals(policy); /* build child sa */ - this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + connection = this->ike_sa->get_connection(this->ike_sa); + this->child_sa = child_sa_create(connection->get_my_host(connection), + connection->get_other_host(connection)); if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS) { this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA"); @@ -550,10 +554,10 @@ static status_t build_tsi_payload (private_ike_sa_init_requested_t *this, messag { linked_list_t *ts_list; ts_payload_t *ts_payload; - sa_config_t *sa_config; + policy_t *policy; - sa_config = this->ike_sa->get_sa_config(this->ike_sa); - ts_list = sa_config->get_my_traffic_selectors(sa_config); + policy = this->ike_sa->get_policy(this->ike_sa); + ts_list = policy->get_my_traffic_selectors(policy); ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list); this->logger->log(this->logger, CONTROL|LEVEL2, "Add TSi payload to message"); 
@@ -569,10 +573,10 @@ static status_t build_tsr_payload (private_ike_sa_init_requested_t *this, messag { linked_list_t *ts_list; ts_payload_t *ts_payload; - sa_config_t *sa_config; + policy_t *policy; - sa_config = this->ike_sa->get_sa_config(this->ike_sa); - ts_list = sa_config->get_other_traffic_selectors(sa_config); + policy = this->ike_sa->get_policy(this->ike_sa); + ts_list = policy->get_other_traffic_selectors(policy); ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list); this->logger->log(this->logger, CONTROL|LEVEL2, "Add TSr payload to message"); @@ -614,7 +618,7 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no initiator_init_t *initiator_init_state; chunk_t notify_data; diffie_hellman_group_t dh_group; - init_config_t *init_config; + connection_t *connection; notify_data = notify_payload->get_notification_data(notify_payload); dh_group = ntohs(*((u_int16_t*)notify_data.ptr)); @@ -622,8 +626,8 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no this->logger->log(this->logger, ERROR|LEVEL1, "Peer wouldn't accept DH group, it requested %s!", mapping_find(diffie_hellman_group_m, dh_group)); /* check if we can accept this dh group */ - init_config = this->ike_sa->get_init_config(this->ike_sa); - if (!init_config->check_dh_group(init_config, dh_group)) + connection = this->ike_sa->get_connection(this->ike_sa); + if (!connection->check_dh_group(connection, dh_group)) { this->logger->log(this->logger, AUDIT, "Peer does only accept DH group %s, which we do not accept! Aborting", diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c index 54e70041a..8c93e3275 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.c +++ b/Source/charon/sa/states/ike_sa_init_responded.c @@ -76,7 +76,7 @@ struct private_ike_sa_init_responded_t { /** * SA config to use. */ - sa_config_t *sa_config; + policy_t *policy; /** * CHILD_SA, if set up 
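Review bot: `dh_group = ntohs(*((u_int16_t*)notify_data.ptr));` reads two bytes of peer-supplied notification data without checking `notify_data.len`, so a notify carrying a shorter data field makes this read past the chunk, and the cast also assumes `ptr` is 2-byte aligned. The hunk only swaps `init_config` for `connection`, so the check stays missing; add before the read `if (notify_data.len < sizeof(u_int16_t)) { return DELETE_ME; }` (or whatever failure status this function uses) and fetch the value with `memcpy` into a `u_int16_t` rather than a pointer cast. The `@@ -622` hunk on this line continues the same function; process_notify_payload starts outside the hunk.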
@@ -182,7 +182,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t signer_t *signer; status_t status; host_t *my_host, *other_host; - + connection_t *connection; if (request->get_exchange_type(request) != IKE_AUTH) { @@ -361,8 +361,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t } /* create new state */ - my_host = this->ike_sa->get_my_host(this->ike_sa); - other_host = this->ike_sa->get_other_host(this->ike_sa); + connection = this->ike_sa->get_connection(this->ike_sa); + my_host = connection->get_my_host(connection); + other_host = connection->get_other_host(connection); this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s", my_host->get_address(my_host), other_host->get_address(other_host), mapping_find(auth_method_m, auth_request->get_auth_method(auth_request))); @@ -379,8 +380,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payload_t *request_idi, id_payload_t *request_idr, message_t *response,id_payload_t **response_idr) { identification_t *other_id, *my_id = NULL; - init_config_t *init_config; - status_t status; + connection_t *connection; id_payload_t *idr_response; other_id = request_idi->get_identification(request_idi); 
@@ -390,19 +390,19 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl } /* build new sa config */ - init_config = this->ike_sa->get_init_config(this->ike_sa); - status = charon->configuration->get_sa_config_for_init_config_and_id(charon->configuration,init_config, other_id,my_id, &(this->sa_config)); - if (status != SUCCESS) + connection = this->ike_sa->get_connection(this->ike_sa); + this->policy = charon->policies->get_policy(charon->policies, my_id, other_id); + if (this->policy == NULL) { if (my_id) { - this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no config for", + this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no policy for", other_id->get_string(other_id),my_id->get_string(my_id)); my_id->destroy(my_id); } else { - this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no config for", + this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no policy for", other_id->get_string(other_id)); } other_id->destroy(other_id); @@ -416,10 +416,10 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl other_id->destroy(other_id); /* get my id, if not requested */ - my_id = this->sa_config->get_my_id(this->sa_config); + my_id = this->policy->get_my_id(this->policy); - /* set sa_config in ike_sa for other states */ - this->ike_sa->set_sa_config(this->ike_sa, this->sa_config); + /* set policy in ike_sa for other states */ + this->ike_sa->set_policy(this->ike_sa, this->policy); /* build response */ idr_response = id_payload_create_from_identification(FALSE, my_id); @@ -440,6 +440,7 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo chunk_t seed; prf_plus_t *prf_plus; status_t status; + connection_t *connection; /* get proposals from request */ proposal_list = request->get_proposals(request); 
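Review bot: `connection = this->ike_sa->get_connection(this->ike_sa);` in build_idr_payload is assigned but, in the visible hunks of this function, never read — the `get_policy` call that replaced the old `get_sa_config_for_init_config_and_id` lookup takes only the two identities. If nothing outside the hunks uses it, drop the assignment and the `connection_t *connection;` declaration added in the `@@ -379` hunk on the previous line; a build with `-Wunused-but-set-variable` will otherwise flag it. The `if (my_id)` branch below shows `my_id` can be NULL at the `get_policy` call, which is worth stating there: `/* my_id is NULL when the initiator requested no IDr */`. build_idr_payload starts outside this hunk.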
@@ -455,7 +456,7 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo /* now select a proposal */ this->logger->log(this->logger, CONTROL|LEVEL1, "Selecting proposals:"); - proposal = this->sa_config->select_proposal(this->sa_config, proposal_list); + proposal = this->policy->select_proposal(this->policy, proposal_list); /* list is not needed anymore */ while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS) { @@ -476,9 +477,10 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo memcpy(seed.ptr + this->received_nonce.len, this->sent_nonce.ptr, this->sent_nonce.len); prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed); allocator_free_chunk(&seed); - - this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa), - this->ike_sa->get_other_host(this->ike_sa)); + + connection = this->ike_sa->get_connection(this->ike_sa); + this->child_sa = child_sa_create(connection->get_my_host(connection), + connection->get_other_host(connection)); status = this->child_sa->add(this->child_sa, proposal, prf_plus); prf_plus->destroy(prf_plus); @@ -543,12 +545,12 @@ static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_ /* select ts depending on payload type */ if (ts_initiator) { - ts_selected = this->sa_config->select_other_traffic_selectors(this->sa_config, ts_received); + ts_selected = this->policy->select_other_traffic_selectors(this->policy, ts_received); this->other_ts = ts_selected; } else { - ts_selected = this->sa_config->select_my_traffic_selectors(this->sa_config, ts_received); + ts_selected = this->policy->select_my_traffic_selectors(this->policy, ts_received); this->my_ts = ts_selected; } diff --git a/Source/charon/sa/states/initiator_init.c b/Source/charon/sa/states/initiator_init.c index 2e5843e5c..e23cd7a44 100644 --- a/Source/charon/sa/states/initiator_init.c +++ b/Source/charon/sa/states/initiator_init.c 
@@ -108,40 +108,39 @@ struct private_initiator_init_t { /** * Implementation of initiator_init_t.initiate_connection. */ -static status_t initiate_connection (private_initiator_init_t *this, char *name) +static status_t initiate_connection (private_initiator_init_t *this, connection_t *connection) { - init_config_t *init_config; - sa_config_t *sa_config; - status_t status; + policy_t *policy; diffie_hellman_group_t dh_group; + host_t *my_host, *other_host; + identification_t *my_id, *other_id; - this->logger->log(this->logger, CONTROL, "Initializing connection %s",name); + my_host = connection->get_my_host(connection); + other_host = connection->get_other_host(connection); + my_id = connection->get_my_id(connection); + other_id = connection->get_other_id(connection); - /* get configs */ - status = charon->configuration->get_init_config_for_name(charon->configuration,name,&init_config); - if (status != SUCCESS) - { - this->logger->log(this->logger, ERROR | LEVEL1, "Could not retrieve INIT configuration informations for %s",name); - return DELETE_ME; - } - this->ike_sa->set_init_config(this->ike_sa,init_config); - status = charon->configuration->get_sa_config_for_name(charon->configuration,name,&sa_config); - if (status != SUCCESS) + this->logger->log(this->logger, CONTROL, "Initiating connection between %s (%s) - %s (%s)", + my_id->get_string(my_id), my_host->get_address(my_host), + other_id->get_string(other_id), other_host->get_address(other_host)); + + this->ike_sa->set_connection(this->ike_sa, connection); + + /* get policy */ + policy = charon->policies->get_policy(charon->policies, my_id, other_id); + if (policy == NULL) { - this->logger->log(this->logger, ERROR | LEVEL1, "Could not retrieve SA configuration informations for %s",name); + this->logger->log(this->logger, ERROR | LEVEL1, "Could not get a policy for '%s - %s', aborting", + my_id->get_string(my_id), other_id->get_string(other_id)); return DELETE_ME; } - 
this->ike_sa->set_sa_config(this->ike_sa,sa_config); - - /* host informations are read from configuration */ - this->ike_sa->set_other_host(this->ike_sa,init_config->get_other_host_clone(init_config)); - this->ike_sa->set_my_host(this->ike_sa,init_config->get_my_host_clone(init_config)); + this->ike_sa->set_policy(this->ike_sa,policy); /* we must guess now a DH group. For that we choose our most preferred group */ - dh_group = init_config->get_dh_group(init_config); + dh_group = connection->get_dh_group(connection); /* next step is done in retry_initiate_connection */ - return this->public.retry_initiate_connection(&(this->public), dh_group); + return this->public.retry_initiate_connection(&this->public, dh_group); } /** @@ -151,7 +150,7 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm { ike_sa_init_requested_t *next_state; chunk_t ike_sa_init_request_data; - init_config_t *init_config; + connection_t *connection; ike_sa_id_t *ike_sa_id; message_t *message; status_t status; @@ -162,7 +161,7 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm return DELETE_ME; } - init_config = this->ike_sa->get_init_config(this->ike_sa); + connection = this->ike_sa->get_connection(this->ike_sa); this->diffie_hellman = diffie_hellman_create(dh_group); ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public)); ike_sa_id->set_responder_spi(ike_sa_id,0); 
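Review bot: `this->ike_sa->set_connection(this->ike_sa, connection);` hands the caller's connection_t to the IKE_SA before the policy lookup, and neither this function nor the updated contract in initiator_init.h (`@@ -46` hunk) says who owns it afterwards — whether the IKE_SA destroys it, and whether the caller may still use it when `DELETE_ME` is returned. The removed code cloned the hosts out of the config (`get_other_host_clone`); the new code shares the object, so the header should say e.g. `@param connection connection to initiate; ownership passes to the IKE_SA` (or whichever rule holds). `my_id`, `other_id`, `my_host` and `other_host` are also dereferenced in the log call before any check, so if connection_t's getters can return NULL for an unset field this crashes before the policy check; a NULL guard, or a comment stating the getters never return NULL, would settle that. initiate_connection is fully visible; the `@@ -151` hunk on this line belongs to retry_initiate_connection.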
@@ -211,13 +210,13 @@ static void build_sa_payload(private_initiator_init_t *this, message_t *request) { sa_payload_t* sa_payload; linked_list_t *proposal_list; - init_config_t *init_config; + connection_t *connection; this->logger->log(this->logger, CONTROL|LEVEL1, "Building SA payload"); - init_config = this->ike_sa->get_init_config(this->ike_sa); + connection = this->ike_sa->get_connection(this->ike_sa); - proposal_list = init_config->get_proposals(init_config); + proposal_list = connection->get_proposals(connection); sa_payload = sa_payload_create_from_proposal_list(proposal_list); @@ -332,7 +331,7 @@ initiator_init_t *initiator_init_create(protected_ike_sa_t *ike_sa) this->public.state_interface.destroy = (void (*) (state_t *)) destroy; /* public functions */ - this->public.initiate_connection = (status_t (*)(initiator_init_t *, char *)) initiate_connection; + this->public.initiate_connection = (status_t (*)(initiator_init_t *, connection_t*)) initiate_connection; this->public.retry_initiate_connection = (status_t (*)(initiator_init_t *, int )) retry_initiate_connection; /* private functions */ diff --git a/Source/charon/sa/states/initiator_init.h b/Source/charon/sa/states/initiator_init.h index 9ce499f92..6b4940a73 100644 --- a/Source/charon/sa/states/initiator_init.h +++ b/Source/charon/sa/states/initiator_init.h 
@@ -46,15 +46,15 @@ struct initiator_init_t {
 state_t state_interface;
 
 /**
- * Initiate a new connection with given configuration name.
+ * Initiate a new connection with given connection_t object.
 *
 * @param this calling object
- * @param name name of the configuration
+ * @param connection connection to initiate
 * @return
 * - SUCCESS
- * - DELETE_ME if something failed (see log for error)
+ * - DELETE_ME if something failed
 */
- status_t (*initiate_connection) (initiator_init_t *this, char *name);
+ status_t (*initiate_connection) (initiator_init_t *this, connection_t *connection);
 
 /**
 * Retry to initiate a new connection with a specific dh_group_priority.
diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c
index f67e2833c..6db0a662c 100644
--- a/Source/charon/sa/states/responder_init.c
+++ b/Source/charon/sa/states/responder_init.c
@@ -157,7 +157,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 ke_payload_t *ke_request = NULL;
 nonce_payload_t *nonce_request = NULL;
 host_t *source, *destination;
- init_config_t *init_config;
+ connection_t *connection;
 iterator_t *payloads;
 message_t *response;
 status_t status;
@@ -177,18 +177,15 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 source = message->get_source(message);
 destination = message->get_destination(message);
 
- status = charon->configuration->get_init_config_for_host(charon->configuration,destination,source,&init_config);
- if (status != SUCCESS)
+ connection = charon->connections->get_connection_by_hosts(charon->connections, destination, source);
+ if (connection == NULL)
 {
- /* no configuration matches given host */
- this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request does not match any available configuration. Deleting IKE_SA");
+ /* no configuration matches given hosts */
+ this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request does not match any available connection. Deleting IKE_SA");
 /* TODO: inform requestor */
 return DELETE_ME;
 }
- this->ike_sa->set_init_config(this->ike_sa,init_config);
-
- this->ike_sa->set_my_host(this->ike_sa, destination->clone(destination));
- this->ike_sa->set_other_host(this->ike_sa, source->clone(source));
+ this->ike_sa->set_connection(this->ike_sa,connection);
 
 /* parse incoming message */
 status = message->parse_body(message, NULL, NULL);
@@ -322,11 +319,11 @@ static status_t build_sa_payload(private_responder_init_t *this,sa_payload_t *sa
 {
 proposal_t *proposal;
 linked_list_t *proposal_list;
- init_config_t *init_config;
+ connection_t *connection;
 sa_payload_t* sa_payload;
 algorithm_t *algo;
 
- init_config = this->ike_sa->get_init_config(this->ike_sa);
+ connection = this->ike_sa->get_connection(this->ike_sa);
 
 this->logger->log(this->logger, CONTROL | LEVEL2, "Process received SA payload");
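Review bot: The removed `set_my_host(..., destination->clone(destination))` and `set_other_host(..., source->clone(source))` lines recorded the addresses the IKE_SA_INIT request was actually received on; after the change the IKE_SA's hosts come from whatever `get_connection_by_hosts` returns, and nothing in this hunk writes the concrete `source`/`destination` back. Unless that lookup already returns a per-SA copy with the concrete addresses filled in, a connection matched through a wildcard address would leave the IKE_SA with the configured rather than the observed peer address — the initiator side calls `update_my_host` for exactly this in ike_sa_init_requested.c. Suggest `connection->update_my_host(connection, destination->clone(destination));` after `set_connection` (plus the other-host counterpart if connection_t offers one), or a comment explaining why it is unnecessary. process_message starts and ends outside this hunk.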
@@ -334,7 +331,7 @@ static status_t build_sa_payload(private_responder_init_t *this,sa_payload_t *sa
 proposal_list = sa_request->get_proposals (sa_request);
 
 /* select proposal */
- this->proposal = init_config->select_proposal(init_config, proposal_list);
+ this->proposal = connection->select_proposal(connection, proposal_list);
 while(proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
 {
 proposal->destroy(proposal);
diff --git a/Source/charon/sa/states/responder_init.h b/Source/charon/sa/states/responder_init.h
index 5c7829b5e..c8ba73ea3 100644
--- a/Source/charon/sa/states/responder_init.h
+++ b/Source/charon/sa/states/responder_init.h
@@ -51,7 +51,7 @@ struct responder_init_t {
 * The following functions of the assigned protected_ike_sa_t object are being called with
 * valid values after successfully processing a received message and before changing
 * to next state IKE_SA_INIT_RESPONDED:
- * - protected_ike_sa_t.set_init_config()
+ * - protected_ike_sa_t.set_connection()
 * - protected_ike_sa_t.set_my_host()
 * - protected_ike_sa_t.set_other_host()
 * - protected_ike_sa_t.compute_secrets() |
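Review bot: The contract comment in responder_init.h now lists `protected_ike_sa_t.set_connection()` but still lists `protected_ike_sa_t.set_my_host()` and `protected_ike_sa_t.set_other_host()`, which this commit removes from protected_ike_sa_t (ike_sa.h hunk) and which responder_init.c no longer calls. Drop those two bullets so the documented sequence matches what process_message actually does before moving to IKE_SA_INIT_RESPONDED. The comment block starts outside this hunk.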