Diffstat (limited to 'src/charon/network')
-rw-r--r-- | src/charon/network/packet.c | 11 | ||||
-rw-r--r-- | src/charon/network/packet.h | 55 | ||||
-rw-r--r-- | src/charon/network/receiver.c | 31 | ||||
-rw-r--r-- | src/charon/network/receiver.h | 33 | ||||
-rw-r--r-- | src/charon/network/sender.c | 9 | ||||
-rw-r--r-- | src/charon/network/sender.h | 34 | ||||
-rw-r--r-- | src/charon/network/socket-raw.c | 9 | ||||
-rw-r--r-- | src/charon/network/socket.c | 9 | ||||
-rw-r--r-- | src/charon/network/socket.h | 66 |
9 files changed, 96 insertions, 161 deletions
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c index f2fa91569..fb5f9920f 100644 --- a/src/charon/network/packet.c +++ b/src/charon/network/packet.c @@ -1,10 +1,3 @@ -/** - * @file packet.c - * - * @brief Implementation of packet_t. - * - */ - /* * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,12 +12,12 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ - #include "packet.h" - typedef struct private_packet_t private_packet_t; /** diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h index acf953032..c9818be6f 100644 --- a/src/charon/network/packet.h +++ b/src/charon/network/packet.h @@ -1,10 +1,3 @@ -/** - * @file packet.h - * - * @brief Interface of packet_t. - * - */ - /* * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup packet packet + * @{ @ingroup network */ #ifndef PACKET_H_ 
@@ -30,105 +30,88 @@ typedef struct packet_t packet_t; #include <utils/host.h> /** - * @brief Abstraction of an UDP-Packet, contains data, sender and receiver. - * - * @b Constructors: - * - packet_create() - * - * @ingroup network + * Abstraction of an UDP-Packet, contains data, sender and receiver. */ struct packet_t { /** - * @brief Set the source address. + * Set the source address. * * Set host_t is now owned by packet_t, it will destroy * it if necessary. * - * @param this calling object * @param source address to set as source */ void (*set_source) (packet_t *packet, host_t *source); /** - * @brief Set the destination address. + * Set the destination address. * * Set host_t is now owned by packet_t, it will destroy * it if necessary. * - * @param this calling object * @param source address to set as destination */ void (*set_destination) (packet_t *packet, host_t *destination); /** - * @brief Get the source address. + * Get the source address. * * Set host_t is still owned by packet_t, clone it * if needed. * - * @param this calling object * @return source address */ host_t *(*get_source) (packet_t *packet); /** - * @brief Get the destination address. + * Get the destination address. * * Set host_t is still owned by packet_t, clone it * if needed. * - * @param this calling object * @return destination address */ host_t *(*get_destination) (packet_t *packet); /** - * @brief Get the data from the packet. + * Get the data from the packet. * * The data pointed by the chunk is still owned * by the packet. Clone it if needed. * - * @param this calling object * @return chunk containing the data */ chunk_t (*get_data) (packet_t *packet); /** - * @brief Set the data in the packet. + * Set the data in the packet. * * Supplied chunk data is now owned by the * packet. It will free it. * - * @param this calling object * @param data chunk with data to set */ void (*set_data) (packet_t *packet, chunk_t data); /** - * @brief Clones a packet_t object. 
+ * Clones a packet_t object. * - * @param packet calling object - * @param clone pointer to a packet_t object pointer where the new object is stored + * @param clone clone of the packet */ packet_t* (*clone) (packet_t *packet); /** - * @brief Destroy the packet, freeing contained data. - * - * @param packet packet to destroy + * Destroy the packet, freeing contained data. */ void (*destroy) (packet_t *packet); }; /** - * @brief create an empty packet + * create an empty packet * * @return packet_t object - * - * @ingroup network */ packet_t *packet_create(void); - -#endif /*PACKET_H_*/ +#endif /*PACKET_H_ @} */ diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c index 1de1dd3d2..2f3bf6cb2 100644 --- a/src/charon/network/receiver.c +++ b/src/charon/network/receiver.c @@ -1,10 +1,3 @@ -/** - * @file receiver.c - * - * @brief Implementation of receiver_t. - * - */ - /* * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include <stdlib.h> @@ -33,9 +28,8 @@ #include <processing/jobs/job.h> #include <processing/jobs/process_message_job.h> #include <processing/jobs/callback_job.h> +#include <crypto/hashers/hasher.h> -/** length of the full cookie, including time (u_int32_t + SHA1()) */ -#define COOKIE_LENGTH 24 /** lifetime of a cookie, in seconds */ #define COOKIE_LIFETIME 10 /** how many times to reuse the secret */ 
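Review bot: The rewritten documentation for `clone` in packet.h is wrong on the new side: `+ * @param clone clone of the packet` describes a parameter that does not exist, since `packet_t* (*clone) (packet_t *packet);` takes only `packet` and returns the copy, so the line should read ` * @return clone of the packet`. In the same hunk `set_destination` still carries ` * @param source address to set as destination` although its parameter is named `destination`; ` * @param destination address to set as destination` matches the prototype. Doxygen will most likely warn about both mismatches, and a reader of the generated docs sees a parameter the function does not take.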
@@ -145,11 +139,12 @@ static chunk_t cookie_build(private_receiver_t *this, message_t *message, { u_int64_t spi = message->get_initiator_spi(message); host_t *ip = message->get_source(message); - chunk_t input, hash = chunk_alloca(this->hasher->get_hash_size(this->hasher)); + chunk_t input, hash; /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */ input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi), chunk_from_thing(t), secret); + hash = chunk_alloca(this->hasher->get_hash_size(this->hasher)); this->hasher->get_hash(this->hasher, input, hash.ptr); return chunk_cat("cc", chunk_from_thing(t), hash); } @@ -167,7 +162,8 @@ static bool cookie_verify(private_receiver_t *this, message_t *message, now = time(NULL); t = *(u_int32_t*)cookie.ptr; - if (cookie.len != COOKIE_LENGTH || + if (cookie.len != sizeof(u_int32_t) + + this->hasher->get_hash_size(this->hasher) || t < now - this->secret_offset - COOKIE_LIFETIME) { DBG2(DBG_NET, "received cookie lifetime expired, rejecting"); @@ -212,7 +208,8 @@ static bool cookie_required(private_receiver_t *this, message_t *message) packet_t *packet = message->get_packet(message); chunk_t data = packet->get_data(packet); if (data.len < - IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + COOKIE_LENGTH || + IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + + sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) || *(data.ptr + 16) != NOTIFY || *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE)) { @@ -222,7 +219,7 @@ static bool cookie_required(private_receiver_t *this, message_t *message) else { data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH; - data.len = COOKIE_LENGTH; + data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher); if (!cookie_verify(this, message, data)) { DBG2(DBG_NET, "found cookie, but content invalid"); 
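Review bot: In cookie_verify the cookie length is still validated only after the timestamp has been read from it: the context line `t = *(u_int32_t*)cookie.ptr;` precedes the new `if (cookie.len != sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) || ...` check, so the function itself does not guard the four-byte read; the only visible caller, cookie_required, checks `data.len` first, so the read is safe today but only because of that caller. Moving the length comparison ahead of the dereference, or adding ` /* caller guarantees cookie.len >= sizeof(u_int32_t) */` above the read, would make the contract explicit. The expression `sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher)` now replaces COOKIE_LENGTH in three places across the hunks for cookie_verify and cookie_required; a helper such as `static size_t cookie_length(private_receiver_t *this)` or a value computed once in receiver_create would keep the three from drifting apart. cookie_build, cookie_verify and cookie_required all begin before their hunks.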
@@ -351,8 +348,14 @@ receiver_t *receiver_create() this->public.destroy = (void(*)(receiver_t*)) destroy; + this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); + if (this->hasher == NULL) + { + DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported"); + free(this); + return NULL; + } this->randomizer = randomizer_create(); - this->hasher = hasher_create(HASH_SHA1); this->secret_switch = now; this->secret_offset = random() % now; this->secret_used = 0; diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h index 1bfa7b764..00315490a 100644 --- a/src/charon/network/receiver.h +++ b/src/charon/network/receiver.h @@ -1,10 +1,3 @@ -/** - * @file receiver.h - * - * @brief Interface of receiver_t. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup receiver receiver + * @{ @ingroup network */ #ifndef RECEIVER_H_ @@ -30,7 +30,7 @@ typedef struct receiver_t receiver_t; #include <utils/host.h> /** - * @brief Receives packets from the socket and adds them to the job queue. + * Receives packets from the socket and adds them to the job queue. * * The receiver starts a thread, wich reads on the blocking socket. A received * packet is preparsed and a process_message_job is queued in the job queue. 
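Review bot: The new failure path `free(this); return NULL;` releases only the receiver struct; receiver_create starts before this hunk, so if any member was already set up there (anything initialised alongside `this->public.destroy`) it leaks on this path. Creating the hasher first, before any other resource, or routing the failure through the existing `destroy` cleanup rather than a bare `free`, would avoid that; which one applies depends on the lines above the hunk. Since receiver_create can now return NULL, every caller has to check the result before dereferencing it — receiver.h documents this in the same commit, but no caller is touched here, so that should be confirmed.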
@@ -50,32 +50,23 @@ typedef struct receiver_t receiver_t; * * Further, the number of half-initiated IKE_SAs is limited per peer. This * mades it impossible for a peer to flood the server with its real IP address. - * - * @b Constructors: - * - receiver_create() - * - * @ingroup network */ struct receiver_t { /** - * @brief Destroys a receiver_t object. - * - * @param receiver receiver object + * Destroys a receiver_t object. */ void (*destroy) (receiver_t *receiver); }; /** - * @brief Create a receiver_t object. + * Create a receiver_t object. * * The receiver thread will start working, get data * from the socket and add those packets to the job queue. * - * @return receiver_t object - * - * @ingroup network + * @return receiver_t object, NULL if initialization fails */ receiver_t * receiver_create(void); -#endif /*RECEIVER_H_*/ +#endif /*RECEIVER_H_ @} */ diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c index f934dc509..942401a82 100644 --- a/src/charon/network/sender.c +++ b/src/charon/network/sender.c @@ -1,10 +1,3 @@ -/** - * @file sender.c - * - * @brief Implementation of sender_t. - * - */ - /* * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include <stdlib.h> diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h index 8d611cc90..6b62dcc97 100644 --- a/src/charon/network/sender.h +++ b/src/charon/network/sender.h @@ -1,10 +1,3 @@ -/** - * @file sender.h - * - * @brief Interface of sender_t. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter 
@@ -19,6 +12,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup sender sender + * @{ @ingroup network */ #ifndef SENDER_H_ @@ -30,45 +30,35 @@ typedef struct sender_t sender_t; #include <network/packet.h> /** - * @brief Thread responsible for sending packets over the socket. - * - * @b Constructors: - * - sender_create() - * - * @ingroup network + * Thread responsible for sending packets over the socket. */ struct sender_t { /** - * @brief Send a packet over the network. + * Send a packet over the network. * * This function is non blocking and adds the packet to a queue. * Whenever the sender thread thinks it's good to send the packet, * it'll do so. * - * @param this calling object * @param packet packet to send */ void (*send) (sender_t *this, packet_t *packet); /** - * @brief Destroys a sender object. - * - * @param this calling object + * Destroys a sender object. */ void (*destroy) (sender_t *this); }; /** - * @brief Create the sender thread. + * Create the sender thread. * * The thread will start to work, getting packets * from its queue and sends them out. * * @return created sender object - * - * @ingroup network */ sender_t * sender_create(void); -#endif /*SENDER_H_*/ +#endif /*SENDER_H_ @} */ diff --git a/src/charon/network/socket-raw.c b/src/charon/network/socket-raw.c index 3b76ae570..72ee6bbca 100644 --- a/src/charon/network/socket-raw.c +++ b/src/charon/network/socket-raw.c @@ -1,10 +1,3 @@ -/** - * @file socket.c - * - * @brief Implementation of socket_t. - * - */ - /* * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi @@ -20,6 +13,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include <pthread.h> 
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c index a4c407579..cedfc0890 100644 --- a/src/charon/network/socket.c +++ b/src/charon/network/socket.c @@ -1,10 +1,3 @@ -/** - * @file socket.c - * - * @brief Implementation of socket_t. - * - */ - /* * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger * Copyright (C) 2005-2007 Martin Willi @@ -20,6 +13,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include <pthread.h> diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h index 4d8251325..7ddde6190 100644 --- a/src/charon/network/socket.h +++ b/src/charon/network/socket.h @@ -1,10 +1,3 @@ -/** - * @file socket.h - * - * @brief Interface for socket_t. - * - */ - /* * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger * Copyright (C) 2005-2006 Martin Willi @@ -20,6 +13,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup socket socket + * @{ @ingroup network */ #ifndef SOCKET_H_ 
@@ -33,38 +33,36 @@ typedef struct socket_t socket_t; #include <utils/linked_list.h> /** - * @brief Maximum size of a packet. - * - * 3000 Bytes should be sufficient, see IKEv2 RFC. + * Maximum size of a packet. * - * @ingroup network + * 3000 Bytes should be sufficient, see IKEv2 RFC. However, we currently + * do not support HASH_AND_URL certificates, so we require to transmit + * the full certificates. To run our multi-CA test with 2 intermediate CAs, + * 5000 bytes is sufficient. */ -#define MAX_PACKET 3000 +#define MAX_PACKET 5000 /** - * @brief Abstraction of all sockets (IPv6/IPv6 send/receive). + * Abstraction of all sockets (IPv4/IPv6 send/receive). * * All available sockets are bound and the receive function - * reads from them. To allow binding of other daemons (pluto) to - * UDP/500, this implementation uses RAW sockets. An installed - * "Linux socket filter" filters out all non-IKEv2 traffic and handles - * just IKEv2 messages. An other daemon (pluto) must handle all traffic - * seperatly, e.g. ignore IKEv2 traffic, since charon handles that. - * - * @b Constructors: - * - socket_create() - * - * @ingroup network + * reads from them. There are actually two implementations: + * The first uses raw sockets to allow binding of other daemons (pluto) to + * UDP/500. An installed "Linux socket filter" filters out all non-IKEv2 + * traffic and handles just IKEv2 messages. An other daemon (pluto) must + * handle all traffic seperatly, e.g. ignore IKEv2 traffic, since charon + * handles that. + * The other implementation uses normal sockets and is built if + * --disable-pluto is given to the configure script. */ struct socket_t { /** - * @brief Receive a packet. + * Receive a packet. * * Reads a packet from the socket and sets source/dest * appropriately. * - * @param this socket_t object to work on * @param packet pinter gets address from allocated packet_t * @return * - SUCCESS when packet successfully received 
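Review bot: Raising `MAX_PACKET` from 3000 to 5000 presumably grows the receive buffer in both socket implementations, but the new comment does not record what larger datagrams cost: RFC 4306 only requires implementations to handle 1280-byte messages and recommends 3000, and UDP datagrams above the path MTU are IP-fragmented, which many NAT devices and firewalls drop, so exchanges carrying large certificate chains may fail silently on such paths. A line in the comment such as ` * Note: messages above the path MTU are IP-fragmented, which some NATs/firewalls drop.` would keep that trade-off next to the number. It is also worth confirming that neither socket.c nor socket-raw.c (both touched in this commit) sizes a receive buffer independently of this constant, since a smaller one would truncate a 5000-byte read. The kept comment lines still spell `seperatly` and `pinter`, and `wich` appears in the socket_create comment in the next hunk.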
@@ -73,14 +71,13 @@ struct socket_t { status_t (*receive) (socket_t *this, packet_t **packet); /** - * @brief Send a packet. + * Send a packet. * * Sends a packet to the net using destination from the packet. * Packet is sent using default routing mechanisms, thus the * source address in packet is ignored. * - * @param this socket_t object to work on - * @param packet[out] packet_t to send + * @param packet packet_t to send * @return * - SUCCESS when packet successfully sent * - FAILED when unable to send @@ -88,23 +85,16 @@ struct socket_t { status_t (*send) (socket_t *this, packet_t *packet); /** - * @brief Destroy sockets. - * - * close sockets and destroy socket_t object - * - * @param this socket_t to destroy + * Destroy socket. */ void (*destroy) (socket_t *this); }; /** - * @brief Create a socket_t, wich binds multiple sockets. + * Create a socket_t, wich binds multiple sockets. * * @return socket_t object - * - * @ingroup network */ socket_t *socket_create(); - -#endif /*SOCKET_H_*/ +#endif /*SOCKET_H_ @} */ |
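Review bot: `socket_t *socket_create();` is kept with an empty parameter list while the other constructors in this commit are declared `packet_create(void)`, `receiver_create(void)` and `sender_create(void)`; in C an empty `()` declares a function with unspecified arguments, so a call passing arguments is not diagnosed. `socket_t *socket_create(void);` would match the sibling headers. The removed line ` * close sockets and destroy socket_t object` was the only text stating that destroy closes the descriptors; the new ` * Destroy socket.` drops that, and ` * Close all bound sockets and free the socket_t object.` would preserve it.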