Diffstat (limited to 'src/charon/sa/tasks')
35 files changed, 875 insertions, 788 deletions
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c index 3947a84d1..d933d6267 100644 --- a/src/charon/sa/tasks/child_create.c +++ b/src/charon/sa/tasks/child_create.c @@ -1,10 +1,3 @@ -/** - * @file child_create.c - * - * @brief Implementation of the child_create task. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "child_create.h" @@ -450,7 +445,7 @@ static void process_payloads(private_child_create_t *this, message_t *message) if (!this->initiator) { this->dh_group = ke_payload->get_dh_group_number(ke_payload); - this->dh = diffie_hellman_create(this->dh_group); + this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group); } if (this->dh) { @@ -580,7 +575,7 @@ static status_t build_i(private_child_create_t *this, message_t *message) if (this->dh_group != MODP_NONE) { - this->dh = diffie_hellman_create(this->dh_group); + this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group); } build_payloads(this, message); diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h index 9f4815215..1a14cd5f9 100644 --- a/src/charon/sa/tasks/child_create.h +++ b/src/charon/sa/tasks/child_create.h @@ -1,10 +1,3 @@ -/** - * @file child_create.h - * - * @brief Interface child_create_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup child_create child_create + * @{ @ingroup tasks */ #ifndef CHILD_CREATE_H_ 
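Review bot: In the build_i hunk of child_create.c the result of `lib->crypto->create_dh(lib->crypto, this->dh_group)` is passed straight on to `build_payloads()` without a NULL check, while the process_payloads hunk just above guards the very same call with `if (this->dh)`. If no loaded plugin supports the configured group, `this->dh` stays NULL and whatever build_payloads does with it happens outside this hunk, so the failure mode is not visible here. An explicit early exit keeps both call sites consistent: `if (!this->dh) { DBG1(DBG_IKE, "configured DH group not supported"); return FAILED; }` placed before `build_payloads(this, message);`. The body of build_i continues beyond the hunk.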
@@ -31,15 +31,10 @@ typedef struct child_create_t child_create_t; #include <config/child_cfg.h> /** - * @brief Task of type CHILD_CREATE, established a new CHILD_SA. + * Task of type CHILD_CREATE, established a new CHILD_SA. * * This task may be included in the IKE_AUTH message or in a separate * CREATE_CHILD_SA exchange. - * - * @b Constructors: - * - child_create_create() - * - * @ingroup tasks */ struct child_create_t { @@ -49,35 +44,32 @@ struct child_create_t { task_t task; /** - * @brief Use a specific reqid for the CHILD_SA. + * Use a specific reqid for the CHILD_SA. * * When this task is used for rekeying, the same reqid is used * for the new CHILD_SA. * - * @param this calling object * @param reqid reqid to use */ void (*use_reqid) (child_create_t *this, u_int32_t reqid); /** - * @brief Get the lower of the two nonces, used for rekey collisions. + * Get the lower of the two nonces, used for rekey collisions. * - * @param this calling object * @return lower nonce */ chunk_t (*get_lower_nonce) (child_create_t *this); /** - * @brief Get the CHILD_SA established/establishing by this task. + * Get the CHILD_SA established/establishing by this task. * - * @param this calling object * @return child_sa */ child_sa_t* (*get_child) (child_create_t *this); }; /** - * @brief Create a new child_create task. + * Create a new child_create task. * * @param ike_sa IKE_SA this task works for * @param config child_cfg if task initiator, NULL if responder @@ -85,4 +77,4 @@ struct child_create_t { */ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config); -#endif /* CHILD_CREATE_H_ */ +#endif /* CHILD_CREATE_H_ @} */ diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c index d0b34a276..2c1db2ad0 100644 --- a/src/charon/sa/tasks/child_delete.c +++ b/src/charon/sa/tasks/child_delete.c 
@@ -1,10 +1,3 @@ -/** - * @file child_delete.c - * - * @brief Implementation of the child_delete task. - * - */ - /* * Copyright (C) 2006-2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "child_delete.h" diff --git a/src/charon/sa/tasks/child_delete.h b/src/charon/sa/tasks/child_delete.h index a7e676a50..1aa60993e 100644 --- a/src/charon/sa/tasks/child_delete.h +++ b/src/charon/sa/tasks/child_delete.h @@ -1,10 +1,3 @@ -/** - * @file child_delete.h - * - * @brief Interface child_delete_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup child_delete child_delete + * @{ @ingroup tasks */ #ifndef CHILD_DELETE_H_ @@ -31,12 +31,7 @@ typedef struct child_delete_t child_delete_t; #include <sa/child_sa.h> /** - * @brief Task of type child_delete, delete a CHILD_SA. - * - * @b Constructors: - * - child_delete_create() - * - * @ingroup tasks + * Task of type child_delete, delete a CHILD_SA. */ struct child_delete_t { @@ -46,16 +41,15 @@ struct child_delete_t { task_t task; /** - * @brief Get the CHILD_SA to delete by this task. + * Get the CHILD_SA to delete by this task. * - * @param this calling object * @return child_sa */ child_sa_t* (*get_child) (child_delete_t *this); }; /** - * @brief Create a new child_delete task. + * Create a new child_delete task. * * @param ike_sa IKE_SA this task works for * @param child_sa CHILD_SA to delete, or NULL as responder 
@@ -63,4 +57,4 @@ struct child_delete_t { */ child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa); -#endif /* CHILD_DELETE_H_ */ +#endif /* CHILD_DELETE_H_ @} */ diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c index 3667d8fad..6d741b760 100644 --- a/src/charon/sa/tasks/child_rekey.c +++ b/src/charon/sa/tasks/child_rekey.c @@ -1,10 +1,3 @@ -/** - * @file child_rekey.c - * - * @brief Implementation of the child_rekey task. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "child_rekey.h" diff --git a/src/charon/sa/tasks/child_rekey.h b/src/charon/sa/tasks/child_rekey.h index 3515f0c3f..382cf4a31 100644 --- a/src/charon/sa/tasks/child_rekey.h +++ b/src/charon/sa/tasks/child_rekey.h @@ -1,10 +1,3 @@ -/** - * @file child_rekey.h - * - * @brief Interface child_rekey_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup child_rekey child_rekey + * @{ @ingroup tasks */ #ifndef CHILD_REKEY_H_ @@ -31,12 +31,7 @@ typedef struct child_rekey_t child_rekey_t; #include <sa/tasks/task.h> /** - * @brief Task of type CHILD_REKEY, rekey an established CHILD_SA. - * - * @b Constructors: - * - child_rekey_create() - * - * @ingroup tasks + * Task of type CHILD_REKEY, rekey an established CHILD_SA. */ struct child_rekey_t { 
@@ -46,20 +41,19 @@ struct child_rekey_t { task_t task; /** - * @brief Register a rekeying task which collides with this one + * Register a rekeying task which collides with this one * * If two peers initiate rekeying at the same time, the collision must * be handled gracefully. The task manager is aware of what exchanges * are going on and notifies the outgoing task by passing the incoming. * - * @param this task initated by us * @param other incoming task */ void (*collide)(child_rekey_t* this, task_t *other); }; /** - * @brief Create a new CHILD_REKEY task. + * Create a new CHILD_REKEY task. * * @param ike_sa IKE_SA this task works for * @param child_sa child_sa to rekey, NULL if responder @@ -67,4 +61,4 @@ struct child_rekey_t { */ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa); -#endif /* CHILD_REKEY_H_ */ +#endif /* CHILD_REKEY_H_ @} */ diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index de88a0abe..11382047a 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -1,10 +1,3 @@ -/** - * @file ike_auth.c - * - * @brief Implementation of the ike_auth task. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -18,7 +11,9 @@ * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. + * for more details + * + * $Id$ */ #include "ike_auth.h" @@ -231,7 +226,7 @@ static status_t process_id(private_ike_auth_t *this, message_t *message) { id = idr->get_identification(idr); req = this->ike_sa->get_other_id(this->ike_sa); - if (!id->matches(id, req, NULL)) + if (!id->matches(id, req)) { SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req); id->destroy(id); 
@@ -525,13 +520,13 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) this->eap_auth = eap_authenticator_create(this->ike_sa); break; default: - break; + return NEED_MORE; } config = charon->backends->get_peer_cfg(charon->backends, this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa), - this->ike_sa->get_other_ca(this->ike_sa)); + this->ike_sa->get_other_auth(this->ike_sa)); if (config) { this->ike_sa->set_peer_cfg(this->ike_sa, config); @@ -557,6 +552,13 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return collect_my_init_data(this, message); } + if (!this->peer_authenticated && this->eap_auth == NULL) + { + /* peer not authenticated, nor does it want to use EAP */ + message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); + return FAILED; + } + config = this->ike_sa->get_peer_cfg(this->ike_sa); if (config == NULL) { @@ -587,13 +589,6 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return SUCCESS; } - if (this->eap_auth == NULL) - { - /* peer not authenticated, nor does it want to use EAP */ - message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); - return FAILED; - } - /* initiate EAP authenitcation */ eap_type = config->get_eap_type(config, &eap_vendor); status = this->eap_auth->initiate(this->eap_auth, eap_type, @@ -618,6 +613,8 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) { iterator_t *iterator; payload_t *payload; + peer_cfg_t *config; + auth_info_t *auth; if (message->get_exchange_type(message) == IKE_SA_INIT) { 
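Review bot: The new `default: return NEED_MORE;` in process_r leaves the handler for an unrecognised authentication method with no diagnostic at all; the only observable outcome is the AUTHENTICATION_FAILED notify that build_r now sends when neither `peer_authenticated` nor `eap_auth` is set, which gives an operator no hint about why the peer was rejected. A `DBG1(DBG_IKE, ...)` naming the method the switch dispatches on, emitted before the `return NEED_MORE;`, would make that case distinguishable from a genuine authentication failure. The switch head, and the variable it dispatches on, start before this hunk.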
@@ -687,10 +684,18 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return process_eap_i(this, message); } + config = this->ike_sa->get_peer_cfg(this->ike_sa); + auth = this->ike_sa->get_other_auth(this->ike_sa); + if (!auth->complies(auth, config->get_auth(config))) + { + SIG(IKE_UP_FAILED, "authorization of %D for config %s failed", + this->ike_sa->get_other_id(this->ike_sa), config->get_name(config)); + return FAILED; + } this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED); SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %D[%H]...[%H]%D", this->ike_sa->get_name(this->ike_sa), - this->ike_sa->get_my_id(this->ike_sa), + this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); diff --git a/src/charon/sa/tasks/ike_auth.h b/src/charon/sa/tasks/ike_auth.h index d7326c988..f44aa7ce6 100644 --- a/src/charon/sa/tasks/ike_auth.h +++ b/src/charon/sa/tasks/ike_auth.h @@ -1,10 +1,3 @@ -/** - * @file ike_auth.h - * - * @brief Interface ike_auth_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_auth ike_auth + * @{ @ingroup tasks */ #ifndef IKE_AUTH_H_ @@ -30,7 +30,7 @@ typedef struct ike_auth_t ike_auth_t; #include <sa/tasks/task.h> /** - * @brief Task of type ike_auth, authenticates an IKE_SA using authenticators. + * Task of type ike_auth, authenticates an IKE_SA using authenticators. * * The ike_auth task authenticates the IKE_SA using the IKE_AUTH * exchange. It processes and build IDi and IDr payloads and also 
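Review bot: The added authorization check in process_i dereferences `config` from `this->ike_sa->get_peer_cfg(this->ike_sa)` without testing it for NULL, whereas build_r in the same file follows the same call with an explicit `if (config == NULL)` branch. If the initiator can reach IKE_ESTABLISHED without a peer_cfg attached (not visible from this hunk), both `config->get_auth(config)` and the `config->get_name(config)` argument of the SIG line fault. Mirroring build_r with `if (config == NULL) { return FAILED; }` before the `auth->complies()` call closes that gap cheaply. The `auth->complies()` gate itself is a welcome addition, since it is what ties the peer's presented credentials to the policy the configuration demands before the SA is reported as established.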
@@ -38,11 +38,6 @@ typedef struct ike_auth_t ike_auth_t; * which do the actual authentication process. If the ike_auth task is used * with EAP authentication, it stays alive over multiple exchanges until * EAP has completed. - * - * @b Constructors: - * - ike_auth_create() - * - * @ingroup tasks */ struct ike_auth_t { @@ -53,7 +48,7 @@ struct ike_auth_t { }; /** - * @brief Create a new task of type IKE_AUTHENTICATE. + * Create a new task of type IKE_AUTHENTICATE. * * @param ike_sa IKE_SA this task works for * @param initiator TRUE if thask is the initator of an exchange @@ -61,4 +56,4 @@ struct ike_auth_t { */ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator); -#endif /* IKE_AUTH_H_ */ +#endif /* IKE_AUTH_H_ @} */ diff --git a/src/charon/sa/tasks/ike_auth_lifetime.c b/src/charon/sa/tasks/ike_auth_lifetime.c index 9d37ec608..969e21c2b 100644 --- a/src/charon/sa/tasks/ike_auth_lifetime.c +++ b/src/charon/sa/tasks/ike_auth_lifetime.c @@ -1,10 +1,3 @@ -/** - * @file ike_auth_lifetime.c - * - * @brief Implementation of the ike_auth_lifetime task. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_auth_lifetime.h" diff --git a/src/charon/sa/tasks/ike_auth_lifetime.h b/src/charon/sa/tasks/ike_auth_lifetime.h index 500b89d39..df69ce29c 100644 --- a/src/charon/sa/tasks/ike_auth_lifetime.h +++ b/src/charon/sa/tasks/ike_auth_lifetime.h @@ -1,10 +1,3 @@ -/** - * @file ike_auth_lifetime.h - * - * @brief Interface ike_auth_lifetime_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil 
@@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_auth_lifetime ike_auth_lifetime + * @{ @ingroup tasks */ #ifndef IKE_AUTH_LIFETIME_H_ @@ -30,15 +30,10 @@ typedef struct ike_auth_lifetime_t ike_auth_lifetime_t; #include <sa/tasks/task.h> /** - * @brief Task of type IKE_AUTH_LIFETIME, implements RFC4478. + * Task of type IKE_AUTH_LIFETIME, implements RFC4478. * * This task exchanges lifetimes for IKE_AUTH to force a client to * reauthenticate before the responders lifetime reaches the limit. - * - * @b Constructors: - * - ike_auth_lifetime_create() - * - * @ingroup tasks */ struct ike_auth_lifetime_t { @@ -49,7 +44,7 @@ struct ike_auth_lifetime_t { }; /** - * @brief Create a new IKE_AUTH_LIFETIME task. + * Create a new IKE_AUTH_LIFETIME task. * * @param ike_sa IKE_SA this task works for * @param initiator TRUE if taks is initiated by us @@ -57,5 +52,4 @@ struct ike_auth_lifetime_t { */ ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator); -#endif /* IKE_MOBIKE_H_ */ - +#endif /* IKE_MOBIKE_H_ @} */ diff --git a/src/charon/sa/tasks/ike_cert.c b/src/charon/sa/tasks/ike_cert.c deleted file mode 100644 index 880ed9c42..000000000 --- a/src/charon/sa/tasks/ike_cert.c +++ /dev/null 
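Review bot: The rewritten closing guard comment in ike_auth_lifetime.h still reads `#endif /* IKE_MOBIKE_H_ @} */`, but the guard opened earlier in the same file is `#ifndef IKE_AUTH_LIFETIME_H_`, so the comment names the wrong header. Since this line is being touched anyway to append the Doxygen `@}`, it should become `#endif /* IKE_AUTH_LIFETIME_H_ @} */` to match the other headers in this diff.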
@@ -1,366 +0,0 @@ -/** - * @file ike_cert.c - * - * @brief Implementation of the ike_cert task. - * - */ - -/* - * Copyright (C) 2006-2007 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "ike_cert.h" - -#include <daemon.h> -#include <sa/ike_sa.h> -#include <crypto/hashers/hasher.h> -#include <encoding/payloads/cert_payload.h> -#include <encoding/payloads/certreq_payload.h> - - -typedef struct private_ike_cert_t private_ike_cert_t; - -/** - * Private members of a ike_cert_t task. - */ -struct private_ike_cert_t { - - /** - * Public methods and task_t interface. - */ - ike_cert_t public; - - /** - * Assigned IKE_SA. - */ - ike_sa_t *ike_sa; - - /** - * Are we the initiator? - */ - bool initiator; - - /** - * list of CA cert hashes requested, items point to 20 byte chunk - */ - linked_list_t *cas; - - /** - * have we seen a certificate request? 
- */ - bool certreq_seen; -}; - -/** - * read certificate requests - */ -static void process_certreqs(private_ike_cert_t *this, message_t *message) -{ - iterator_t *iterator; - payload_t *payload; - - iterator = message->get_payload_iterator(message); - while (iterator->iterate(iterator, (void**)&payload)) - { - if (payload->get_type(payload) == CERTIFICATE_REQUEST) - { - certreq_payload_t *certreq = (certreq_payload_t*)payload; - cert_encoding_t encoding; - chunk_t keyids, keyid; - - this->certreq_seen = TRUE; - - encoding = certreq->get_cert_encoding(certreq); - if (encoding != CERT_X509_SIGNATURE) - { - DBG1(DBG_IKE, "certreq payload %N not supported - ignored", - cert_encoding_names, encoding); - continue; - } - - keyids = certreq->get_data(certreq); - - while (keyids.len >= HASH_SIZE_SHA1) - { - keyid = chunk_create(keyids.ptr, HASH_SIZE_SHA1); - keyid = chunk_clone(keyid); - this->cas->insert_last(this->cas, keyid.ptr); - keyids = chunk_skip(keyids, HASH_SIZE_SHA1); - } - } - } - iterator->destroy(iterator); -} - -/** - * import certificates - */ -static void process_certs(private_ike_cert_t *this, message_t *message) -{ - iterator_t *iterator; - payload_t *payload; - - iterator = message->get_payload_iterator(message); - while (iterator->iterate(iterator, (void**)&payload)) - { - if (payload->get_type(payload) == CERTIFICATE) - { - cert_encoding_t encoding; - x509_t *cert; - chunk_t cert_data; - bool found; - cert_payload_t *cert_payload = (cert_payload_t*)payload; - - encoding = cert_payload->get_cert_encoding(cert_payload); - if (encoding != CERT_X509_SIGNATURE) - { - DBG1(DBG_IKE, "certificate payload %N not supported - ignored", - cert_encoding_names, encoding); - continue; - } - - cert_data = cert_payload->get_data_clone(cert_payload); - cert = x509_create_from_chunk(cert_data, 0); - if (cert) - { - if (charon->credentials->verify(charon->credentials, cert, &found)) - { - DBG2(DBG_IKE, "received end entity certificate is trusted - " - "added to store"); 
- if (found) - { - cert->destroy(cert); - } - else - { - charon->credentials->add_end_certificate(charon->credentials, cert); - } - } - else - { - DBG1(DBG_IKE, "received end entity certificate is not trusted - " - "discarded"); - cert->destroy(cert); - } - } - else - { - DBG1(DBG_IKE, "parsing of received certificate failed - discarded"); - chunk_free(&cert_data); - } - } - } - iterator->destroy(iterator); -} - -/** - * build certificate requests - */ -static void build_certreqs(private_ike_cert_t *this, message_t *message) -{ - ike_cfg_t *ike_cfg; - peer_cfg_t *peer_cfg; - identification_t *ca; - certreq_payload_t *certreq; - - ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); - - if (ike_cfg->send_certreq(ike_cfg) != CERT_NEVER_SEND) - { - peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - - if (peer_cfg) - { - ca = peer_cfg->get_other_ca(peer_cfg); - - if (ca && ca->get_type(ca) != ID_ANY) - { - certreq = certreq_payload_create_from_cacert(ca); - } - else - { - certreq = certreq_payload_create_from_cacerts(); - } - } - else - { - certreq = certreq_payload_create_from_cacerts(); - } - - if (certreq) - { - message->add_payload(message, (payload_t*)certreq); - } - } -} - -/** - * add certificates to message - */ -static void build_certs(private_ike_cert_t *this, message_t *message) -{ - peer_cfg_t *peer_cfg; - x509_t *cert; - cert_payload_t *payload; - - peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - - if (peer_cfg && peer_cfg->get_auth_method(peer_cfg) == AUTH_RSA) - { - switch (peer_cfg->get_cert_policy(peer_cfg)) - { - case CERT_NEVER_SEND: - break; - case CERT_SEND_IF_ASKED: - if (!this->certreq_seen) - { - break; - } - /* FALL */ - case CERT_ALWAYS_SEND: - { - /* TODO: respect CA cert request */ - cert = charon->credentials->get_certificate(charon->credentials, - peer_cfg->get_my_id(peer_cfg)); - if (cert) - { - payload = cert_payload_create_from_x509(cert); - message->add_payload(message, (payload_t*)payload); - } - } - } - } -} - -/** - * 
Implementation of task_t.process for initiator - */ -static status_t build_i(private_ike_cert_t *this, message_t *message) -{ - if (message->get_exchange_type(message) == IKE_SA_INIT) - { - return NEED_MORE; - } - - build_certreqs(this, message); - build_certs(this, message); - - return NEED_MORE; -} - -/** - * Implementation of task_t.process for responder - */ -static status_t process_r(private_ike_cert_t *this, message_t *message) -{ - if (message->get_exchange_type(message) == IKE_SA_INIT) - { - return NEED_MORE; - } - - process_certreqs(this, message); - process_certs(this, message); - - return NEED_MORE; -} - -/** - * Implementation of task_t.build for responder - */ -static status_t build_r(private_ike_cert_t *this, message_t *message) -{ - if (message->get_exchange_type(message) == IKE_SA_INIT) - { - build_certreqs(this, message); - return NEED_MORE; - } - - build_certs(this, message); - - return SUCCESS; -} - -/** - * Implementation of task_t.process for initiator - */ -static status_t process_i(private_ike_cert_t *this, message_t *message) -{ - if (message->get_exchange_type(message) == IKE_SA_INIT) - { - process_certreqs(this, message); - return NEED_MORE; - } - - process_certs(this, message); - return SUCCESS; -} - -/** - * Implementation of task_t.get_type - */ -static task_type_t get_type(private_ike_cert_t *this) -{ - return IKE_CERT; -} - -/** - * Implementation of task_t.migrate - */ -static void migrate(private_ike_cert_t *this, ike_sa_t *ike_sa) -{ - this->ike_sa = ike_sa; - - this->cas->destroy_function(this->cas, free); - this->cas = linked_list_create(); - this->certreq_seen = FALSE; -} - -/** - * Implementation of task_t.destroy - */ -static void destroy(private_ike_cert_t *this) -{ - this->cas->destroy_function(this->cas, free); - free(this); -} - -/* - * Described in header. 
- */ -ike_cert_t *ike_cert_create(ike_sa_t *ike_sa, bool initiator) -{ - private_ike_cert_t *this = malloc_thing(private_ike_cert_t); - - this->public.task.get_type = (task_type_t(*)(task_t*))get_type; - this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; - this->public.task.destroy = (void(*)(task_t*))destroy; - - if (initiator) - { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; - } - else - { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; - } - - this->ike_sa = ike_sa; - this->initiator = initiator; - this->cas = linked_list_create(); - this->certreq_seen = FALSE; - - return &this->public; -} diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c new file mode 100644 index 000000000..a3cad0b40 --- /dev/null +++ b/src/charon/sa/tasks/ike_cert_post.c 
@@ -0,0 +1,210 @@ +/* + * Copyright (C) 2006-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "ike_cert_post.h" + +#include <daemon.h> +#include <sa/ike_sa.h> +#include <encoding/payloads/cert_payload.h> +#include <encoding/payloads/certreq_payload.h> +#include <credentials/certificates/x509.h> + + +typedef struct private_ike_cert_post_t private_ike_cert_post_t; + +/** + * Private members of a ike_cert_post_t task. + */ +struct private_ike_cert_post_t { + + /** + * Public methods and task_t interface. + */ + ike_cert_post_t public; + + /** + * Assigned IKE_SA. + */ + ike_sa_t *ike_sa; + + /** + * Are we the initiator? 
+ */ + bool initiator; +}; + +/** + * add certificates to message + */ +static void build_certs(private_ike_cert_post_t *this, message_t *message) +{ + peer_cfg_t *peer_cfg; + + peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + if (peer_cfg && peer_cfg->get_auth_method(peer_cfg) == AUTH_RSA) + { + switch (peer_cfg->get_cert_policy(peer_cfg)) + { + case CERT_NEVER_SEND: + break; + case CERT_SEND_IF_ASKED: + if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN)) + { + break; + } + /* FALL */ + case CERT_ALWAYS_SEND: + { + cert_payload_t *payload; + enumerator_t *enumerator; + certificate_t *cert; + auth_info_t *auth; + auth_item_t item; + + auth = this->ike_sa->get_my_auth(this->ike_sa); + /* get subject cert first, then issuing certificates */ + if (!auth->get_item(auth, AUTHZ_SUBJECT_CERT, (void**)&cert)) + { + break; + } + payload = cert_payload_create_from_cert(cert); + if (!payload) + { + break; + } + DBG1(DBG_IKE, "sending end entity cert %D", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + + enumerator = auth->create_item_enumerator(auth); + while (enumerator->enumerate(enumerator, &item, &cert)) + { + if (item == AUTHZ_IM_CERT) + { + payload = cert_payload_create_from_cert(cert); + if (payload) + { + DBG1(DBG_IKE, "sending issuer cert %D", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + } + enumerator->destroy(enumerator); + } + } + } +} + +/** + * Implementation of task_t.process for initiator + */ +static status_t build_i(private_ike_cert_post_t *this, message_t *message) +{ + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + return NEED_MORE; + } + build_certs(this, message); + return SUCCESS; +} + +/** + * Implementation of task_t.process for responder + */ +static status_t process_r(private_ike_cert_post_t *this, message_t *message) +{ + return NEED_MORE; +} + +/** + * Implementation of task_t.build for responder + */ +static status_t 
build_r(private_ike_cert_post_t *this, message_t *message) +{ + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + return NEED_MORE; + } + build_certs(this, message); + return SUCCESS; +} + +/** + * Implementation of task_t.process for initiator + */ +static status_t process_i(private_ike_cert_post_t *this, message_t *message) +{ + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + return NEED_MORE; + } + return SUCCESS; +} + +/** + * Implementation of task_t.get_type + */ +static task_type_t get_type(private_ike_cert_post_t *this) +{ + return IKE_CERT_POST; +} + +/** + * Implementation of task_t.migrate + */ +static void migrate(private_ike_cert_post_t *this, ike_sa_t *ike_sa) +{ + this->ike_sa = ike_sa; +} + +/** + * Implementation of task_t.destroy + */ +static void destroy(private_ike_cert_post_t *this) +{ + free(this); +} + +/* + * Described in header. + */ +ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator) +{ + private_ike_cert_post_t *this = malloc_thing(private_ike_cert_post_t); + + this->public.task.get_type = (task_type_t(*)(task_t*))get_type; + this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; + this->public.task.destroy = (void(*)(task_t*))destroy; + + if (initiator) + { + this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; + this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; + } + else + { + this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; + this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + } + + this->ike_sa = ike_sa; + this->initiator = initiator; + + return &this->public; +} + diff --git a/src/charon/sa/tasks/ike_cert.h b/src/charon/sa/tasks/ike_cert_post.h index ba0283953..3291d9ab3 100644 --- a/src/charon/sa/tasks/ike_cert.h +++ b/src/charon/sa/tasks/ike_cert_post.h 
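Review bot: In build_certs of the new ike_cert_post.c, a NULL return from `cert_payload_create_from_cert(cert)` for the AUTHZ_SUBJECT_CERT case just hits `break;`, so under CERT_ALWAYS_SEND the peer gets no certificate and the log shows nothing; the issuer-cert loop skips failed encodings silently in the same way. A `DBG1(DBG_IKE, "encoding end entity cert %D failed", cert->get_subject(cert));` before that `break;`, and an equivalent line in the `AUTHZ_IM_CERT` branch, would make a misconfigured or unencodable certificate diagnosable. The `switch` on `peer_cfg->get_cert_policy(peer_cfg)` also carries no `default:` label; an explicit `default: break;` documents that any other policy value is intentionally treated as "send nothing".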
@@ -1,12 +1,5 @@ -/** - * @file ike_cert.h - * - * @brief Interface ike_cert_t. - * - */ - /* - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2007-2008 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -18,27 +11,28 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ -#ifndef IKE_CERT_H_ -#define IKE_CERT_H_ +/** + * @defgroup ike_cert_post ike_cert_post + * @{ @ingroup tasks + */ -typedef struct ike_cert_t ike_cert_t; +#ifndef IKE_CERT_POST_H_ +#define IKE_CERT_POST_H_ + +typedef struct ike_cert_post_t ike_cert_post_t; #include <library.h> #include <sa/ike_sa.h> #include <sa/tasks/task.h> /** - * @brief Task of type ike_cert, exchanges certificates and - * certificate requests. - * - * @b Constructors: - * - ike_cert_create() - * - * @ingroup tasks + * Task of type ike_cert_post, certificate processing after authentication. */ -struct ike_cert_t { +struct ike_cert_post_t { /** * Implements the task_t interface @@ -47,15 +41,15 @@ struct ike_cert_t { }; /** - * @brief Create a new ike_cert task. + * Create a new ike_cert_post task. * * The initiator parameter means the original initiator, not the initiator * of the certificate request. * * @param ike_sa IKE_SA this task works for * @param initiator TRUE if thask is the original initator - * @return ike_cert task to handle by the task_manager + * @return ike_cert_post task to handle by the task_manager */ -ike_cert_t *ike_cert_create(ike_sa_t *ike_sa, bool initiator); +ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator); -#endif /* IKE_CERT_H_ */ +#endif /* IKE_CERT_POST_H_ @} */ diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c new file mode 100644 index 000000000..aa1cfb18a --- /dev/null +++ b/src/charon/sa/tasks/ike_cert_pre.c 
@@ -0,0 +1,346 @@ +/* + * Copyright (C) 2006-2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "ike_cert_pre.h" + +#include <daemon.h> +#include <sa/ike_sa.h> +#include <encoding/payloads/cert_payload.h> +#include <encoding/payloads/certreq_payload.h> +#include <credentials/certificates/x509.h> + + +typedef struct private_ike_cert_pre_t private_ike_cert_pre_t; + +/** + * Private members of a ike_cert_pre_t task. + */ +struct private_ike_cert_pre_t { + + /** + * Public methods and task_t interface. + */ + ike_cert_pre_t public; + + /** + * Assigned IKE_SA. + */ + ike_sa_t *ike_sa; + + /** + * Are we the initiator? 
+ */ + bool initiator; +}; + +/** + * read certificate requests + */ +static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) +{ + iterator_t *iterator; + payload_t *payload; + auth_info_t *auth; + bool ca_found = FALSE; + + auth = this->ike_sa->get_my_auth(this->ike_sa); + + iterator = message->get_payload_iterator(message); + while (iterator->iterate(iterator, (void**)&payload)) + { + if (payload->get_type(payload) == CERTIFICATE_REQUEST) + { + certreq_payload_t *certreq = (certreq_payload_t*)payload; + chunk_t keyid; + enumerator_t *enumerator; + + this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE); + + if (certreq->get_cert_type(certreq) != CERT_X509) + { + DBG1(DBG_IKE, "cert payload %N not supported - ignored", + certificate_type_names, certreq->get_cert_type(certreq)); + continue; + } + enumerator = certreq->create_keyid_enumerator(certreq); + while (enumerator->enumerate(enumerator, &keyid)) + { + identification_t *id; + certificate_t *cert; + + id = identification_create_from_encoding( + ID_PUBKEY_INFO_SHA1, keyid); + cert = charon->credentials->get_cert(charon->credentials, + CERT_X509, KEY_ANY, id, TRUE); + if (cert) + { + DBG1(DBG_IKE, "received cert request for %D", + cert->get_subject(cert)); + auth->add_item(auth, AUTHN_CA_CERT, cert); + cert->destroy(cert); + ca_found = TRUE; + } + id->destroy(id); + } + enumerator->destroy(enumerator); + } + } + iterator->destroy(iterator); + + if (this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN) && !ca_found) + { + DBG1(DBG_IKE, "received cert request, but no such CA cert found"); + } +} + +/** + * import certificates + */ +static void process_certs(private_ike_cert_pre_t *this, message_t *message) +{ + iterator_t *iterator; + payload_t *payload; + auth_info_t *auth; + bool first = TRUE; + + auth = this->ike_sa->get_other_auth(this->ike_sa); + + iterator = message->get_payload_iterator(message); + while (iterator->iterate(iterator, (void**)&payload)) + { + if 
(payload->get_type(payload) == CERTIFICATE) + { + certificate_t *cert; + cert_payload_t *cert_payload = (cert_payload_t*)payload; + + cert = cert_payload->get_cert(cert_payload); + if (cert) + { + if (first) + { /* the first certificate MUST be an end entity one */ + + DBG1(DBG_IKE, "received end entity cert %D", + cert->get_subject(cert)); + auth->add_item(auth, AUTHN_SUBJECT_CERT, cert); + first = FALSE; + } + else + { + DBG1(DBG_IKE, "received issuer cert %D", + cert->get_subject(cert)); + auth->add_item(auth, AUTHN_IM_CERT, cert); + } + } + cert->destroy(cert); + } + } + iterator->destroy(iterator); +} + +/** + * add a certificate request to the message, building request payload if required. + */ +static void add_certreq_payload(message_t *message, certreq_payload_t **reqp, + certificate_t *cert) +{ + public_key_t *public; + certreq_payload_t *req; + + public = cert->get_public_key(cert); + if (!public) + { + return; + } + switch (cert->get_type(cert)) + { + case CERT_X509: + { + identification_t *keyid; + x509_t *x509 = (x509_t*)cert; + + if (!(x509->get_flags(x509) & X509_CA)) + { /* no CA cert, skip */ + break; + } + if (*reqp == NULL) + { + *reqp = certreq_payload_create_type(CERT_X509); + message->add_payload(message, (payload_t*)*reqp); + } + req = *reqp; + keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1); + req->add_keyid(req, keyid->get_encoding(keyid)); + DBG1(DBG_IKE, "sending cert request for %D", + cert->get_subject(cert)); + break; + } + default: + break; + } + public->destroy(public); +} + +/** + * build certificate requests + */ +static void build_certreqs(private_ike_cert_pre_t *this, message_t *message) +{ + ike_cfg_t *ike_cfg; + enumerator_t *enumerator; + certificate_t *cert; + auth_info_t *auth; + bool restricted = FALSE; + auth_item_t item; + certreq_payload_t *x509_req = NULL; + + ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); + if (ike_cfg->send_certreq(ike_cfg) == CERT_NEVER_SEND) + { + return; + } + auth = 
this->ike_sa->get_other_auth(this->ike_sa); + + /* check if we require a specific CA for that peer */ + enumerator = auth->create_item_enumerator(auth); + while (enumerator->enumerate(enumerator, &item, &cert)) + { + if (item == AUTHN_CA_CERT) + { + restricted = TRUE; + add_certreq_payload(message, &x509_req, cert); + } + } + enumerator->destroy(enumerator); + + if (!restricted) + { + /* otherwise include all trusted CA certificates */ + enumerator = charon->credentials->create_cert_enumerator( + charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE); + while (enumerator->enumerate(enumerator, &cert, TRUE)) + { + add_certreq_payload(message, &x509_req, cert); + } + enumerator->destroy(enumerator); + } +} + +/** + * Implementation of task_t.process for initiator + */ +static status_t build_i(private_ike_cert_pre_t *this, message_t *message) +{ + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + return NEED_MORE; + } + build_certreqs(this, message); + return NEED_MORE; +} + +/** + * Implementation of task_t.process for responder + */ +static status_t process_r(private_ike_cert_pre_t *this, message_t *message) +{ + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + return NEED_MORE; + } + process_certreqs(this, message); + process_certs(this, message); + return NEED_MORE; +} + +/** + * Implementation of task_t.build for responder + */ +static status_t build_r(private_ike_cert_pre_t *this, message_t *message) +{ + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + build_certreqs(this, message); + return NEED_MORE; + } + return SUCCESS; +} + +/** + * Implementation of task_t.process for initiator + */ +static status_t process_i(private_ike_cert_pre_t *this, message_t *message) +{ + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + process_certreqs(this, message); + return NEED_MORE; + } + process_certs(this, message); + return SUCCESS; +} + +/** + * Implementation of task_t.get_type + */ +static task_type_t 
get_type(private_ike_cert_pre_t *this) +{ + return IKE_CERT_PRE; +} + +/** + * Implementation of task_t.migrate + */ +static void migrate(private_ike_cert_pre_t *this, ike_sa_t *ike_sa) +{ + this->ike_sa = ike_sa; +} + +/** + * Implementation of task_t.destroy + */ +static void destroy(private_ike_cert_pre_t *this) +{ + free(this); +} + +/* + * Described in header. + */ +ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator) +{ + private_ike_cert_pre_t *this = malloc_thing(private_ike_cert_pre_t); + + this->public.task.get_type = (task_type_t(*)(task_t*))get_type; + this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; + this->public.task.destroy = (void(*)(task_t*))destroy; + + if (initiator) + { + this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; + this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; + } + else + { + this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; + this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + } + + this->ike_sa = ike_sa; + this->initiator = initiator; + + return &this->public; +} diff --git a/src/charon/sa/tasks/ike_cert_pre.h b/src/charon/sa/tasks/ike_cert_pre.h new file mode 100644 index 000000000..c7422e629 --- /dev/null +++ b/src/charon/sa/tasks/ike_cert_pre.h 
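Review bot: In process_certs, `cert->destroy(cert);` is placed after the `if (cert)` block instead of inside it, so when cert_payload->get_cert() returns NULL for a CERT payload it cannot parse — the very case the guard anticipates — the function dereferences a null pointer; this runs from process_r on the IKE_AUTH request, before the peer has proven anything, so one malformed CERT payload from any peer that completed IKE_SA_INIT takes the daemon down. Move the call inside the guard so the block reads `if (cert) { /* add_item branches as now */ cert->destroy(cert); }`. Since every CERT payload is parsed on this pre-authentication path, it is also worth confirming (not visible here) that the number and size of payloads per message are bounded by the parser, so a burst of large certificate payloads cannot consume unbounded CPU and memory before authentication. Separately, the header comment on build_i says `Implementation of task_t.process for initiator` but the function is the build hook and should read `Implementation of task_t.build for initiator`.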
@@ -0,0 +1,55 @@ +/* + * Copyright (C) 2007-2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_cert_pre ike_cert_pre + * @{ @ingroup tasks + */ + +#ifndef IKE_CERT_PRE_H_ +#define IKE_CERT_PRE_H_ + +typedef struct ike_cert_pre_t ike_cert_pre_t; + +#include <library.h> +#include <sa/ike_sa.h> +#include <sa/tasks/task.h> + +/** + * Task of type ike_cert_post, certificate processing before authentication. + */ +struct ike_cert_pre_t { + + /** + * Implements the task_t interface + */ + task_t task; +}; + +/** + * Create a new ike_cert_pre task. + * + * The initiator parameter means the original initiator, not the initiator + * of the certificate request. + * + * @param ike_sa IKE_SA this task works for + * @param initiator TRUE if thask is the original initator + * @return ike_cert_pre task to handle by the task_manager + */ +ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator); + +#endif /* IKE_CERT_PRE_H_ @} */ diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c index 3c73395a5..2af0aed96 100644 --- a/src/charon/sa/tasks/ike_config.c +++ b/src/charon/sa/tasks/ike_config.c @@ -1,10 +1,3 @@ -/** - * @file ike_config.c - * - * @brief Implementation of the ike_config task. - * - */ - /* * Copyright (C) 2007 Martin Willi * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser 
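Review bot: The struct comment for ike_cert_pre_t reads `Task of type ike_cert_post, certificate processing before authentication.` — the type name was carried over from ike_cert_post.h and should be `Task of type ike_cert_pre, certificate processing before authentication.`. The @param line for initiator also inherits the `thask`/`initator` typos from the copied template; `TRUE if task is the original initiator` reads cleanly.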
@@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_config.h" diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h index a7cfddff0..9ee2f59be 100644 --- a/src/charon/sa/tasks/ike_config.h +++ b/src/charon/sa/tasks/ike_config.h @@ -1,10 +1,3 @@ -/** - * @file ike_config.h - * - * @brief Interface ike_config_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_config ike_config + * @{ @ingroup tasks */ #ifndef IKE_CONFIG_H_ @@ -30,13 +30,8 @@ typedef struct ike_config_t ike_config_t; #include <sa/tasks/task.h> /** - * @brief Task of type IKE_CONFIG, sets up a virtual IP and other + * Task of type IKE_CONFIG, sets up a virtual IP and other * configurations for an IKE_SA. - * - * @b Constructors: - * - ike_config_create() - * - * @ingroup tasks */ struct ike_config_t { @@ -47,7 +42,7 @@ struct ike_config_t { }; /** - * @brief Create a new ike_config task. + * Create a new ike_config task. * * @param ike_sa IKE_SA this task works for * @param initiator TRUE for initiator @@ -55,4 +50,4 @@ struct ike_config_t { */ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator); -#endif /* IKE_CONFIG_H_ */ +#endif /* IKE_CONFIG_H_ @} */ diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c index 1a3656ca6..6e1ee8b10 100644 --- a/src/charon/sa/tasks/ike_delete.c +++ b/src/charon/sa/tasks/ike_delete.c @@ -1,10 +1,3 @@ -/** - * @file ike_delete.c - * - * @brief Implementation of the ike_delete task. - * - */ - /* * Copyright (C) 2006-2007 Martin Willi * Hochschule fuer Technik Rapperswil 
@@ -18,6 +11,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_delete.h" diff --git a/src/charon/sa/tasks/ike_delete.h b/src/charon/sa/tasks/ike_delete.h index e8ec5ebbe..f9cb4dc64 100644 --- a/src/charon/sa/tasks/ike_delete.h +++ b/src/charon/sa/tasks/ike_delete.h @@ -1,10 +1,3 @@ -/** - * @file ike_delete.h - * - * @brief Interface ike_delete_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_delete ike_delete + * @{ @ingroup tasks */ #ifndef IKE_DELETE_H_ @@ -30,12 +30,7 @@ typedef struct ike_delete_t ike_delete_t; #include <sa/tasks/task.h> /** - * @brief Task of type ike_delete, delete an IKE_SA. - * - * @b Constructors: - * - ike_delete_create() - * - * @ingroup tasks + * Task of type ike_delete, delete an IKE_SA. */ struct ike_delete_t { @@ -46,7 +41,7 @@ struct ike_delete_t { }; /** - * @brief Create a new ike_delete task. + * Create a new ike_delete task. * * @param ike_sa IKE_SA this task works for * @param initiator TRUE if we initiate the delete @@ -54,4 +49,4 @@ struct ike_delete_t { */ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator); -#endif /* IKE_DELETE_H_ */ +#endif /* IKE_DELETE_H_ @} */ diff --git a/src/charon/sa/tasks/ike_dpd.c b/src/charon/sa/tasks/ike_dpd.c index be751766e..04c5a66d1 100644 --- a/src/charon/sa/tasks/ike_dpd.c +++ b/src/charon/sa/tasks/ike_dpd.c @@ -1,10 +1,3 @@ -/** - * @file ike_dpd.c - * - * @brief Implementation of the ike_dpd task. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil 
@@ -18,6 +11,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_dpd.h" diff --git a/src/charon/sa/tasks/ike_dpd.h b/src/charon/sa/tasks/ike_dpd.h index 531b0502d..56bbee399 100644 --- a/src/charon/sa/tasks/ike_dpd.h +++ b/src/charon/sa/tasks/ike_dpd.h @@ -1,10 +1,3 @@ -/** - * @file ike_dpd.h - * - * @brief Interface ike_dpd_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_dpd ike_dpd + * @{ @ingroup tasks */ #ifndef IKE_DPD_H_ @@ -30,14 +30,9 @@ typedef struct ike_dpd_t ike_dpd_t; #include <sa/tasks/task.h> /** - * @brief Task of type ike_dpd, detects dead peers. + * Task of type ike_dpd, detects dead peers. * * The DPD task actually does nothing, as a DPD has no associated payloads. - * - * @b Constructors: - * - ike_dpd_create() - * - * @ingroup tasks */ struct ike_dpd_t { @@ -48,11 +43,11 @@ struct ike_dpd_t { }; /** - * @brief Create a new ike_dpd task. + * Create a new ike_dpd task. * * @param initiator TRUE if thask is the original initator * @return ike_dpd task to handle by the task_manager */ ike_dpd_t *ike_dpd_create(bool initiator); -#endif /* IKE_DPD_H_ */ +#endif /* IKE_DPD_H_ @} */ diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c index 42b47a82f..6bb3688ea 100644 --- a/src/charon/sa/tasks/ike_init.c +++ b/src/charon/sa/tasks/ike_init.c @@ -1,10 +1,3 @@ -/** - * @file ike_init.c - * - * @brief Implementation of the ike_init task. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter 
@@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_init.h" @@ -195,7 +190,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message) this->dh_group = ke_payload->get_dh_group_number(ke_payload); if (!this->initiator) { - this->dh = diffie_hellman_create(this->dh_group); + this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group); } if (this->dh) { @@ -241,7 +236,7 @@ static status_t build_i(private_ike_init_t *this, message_t *message) if (!this->dh) { this->dh_group = this->config->get_dh_group(this->config); - this->dh = diffie_hellman_create(this->dh_group); + this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group); if (this->dh == NULL) { SIG(IKE_UP_FAILED, "configured DH group %N not supported", @@ -532,7 +527,7 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa) this->ike_sa = ike_sa; this->proposal = NULL; - this->dh = diffie_hellman_create(this->dh_group); + this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group); } /** diff --git a/src/charon/sa/tasks/ike_init.h b/src/charon/sa/tasks/ike_init.h index f60c096e8..67afd2b8d 100644 --- a/src/charon/sa/tasks/ike_init.h +++ b/src/charon/sa/tasks/ike_init.h @@ -1,10 +1,3 @@ -/** - * @file ike_init.h - * - * @brief Interface ike_init_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_init ike_init + * @{ @ingroup tasks */ #ifndef IKE_INIT_H_ 
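Review bot: In migrate, the result of `this->dh = lib->crypto->create_dh(lib->crypto, this->dh_group);` is assigned without a NULL check, whereas the same call in build_i (earlier hunk) is followed by `if (this->dh == NULL)` and an IKE_UP_FAILED signal. If the crypto factory cannot provide the group currently held in this->dh_group, dh stays NULL and the next build_i takes its `if (!this->dh)` branch, which re-reads the group from config instead of reusing the one this task had — that may be acceptable, but it is a silent change of behaviour, so a `DBG1` in migrate when the call returns NULL, or a comment noting that build_i re-selects the group in that case, would make it explicit. migrate's opening lines are outside the hunk.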
@@ -30,14 +30,9 @@ typedef struct ike_init_t ike_init_t; #include <sa/tasks/task.h> /** - * @brief Task of type IKE_INIT, creates an IKE_SA without authentication. + * Task of type IKE_INIT, creates an IKE_SA without authentication. * * The authentication of is handle in the ike_auth task. - * - * @b Constructors: - * - ike_init_create() - * - * @ingroup tasks */ struct ike_init_t { @@ -47,16 +42,15 @@ struct ike_init_t { task_t task; /** - * @brief Get the lower of the two nonces, used for rekey collisions. + * Get the lower of the two nonces, used for rekey collisions. * - * @param this calling object * @return lower nonce */ chunk_t (*get_lower_nonce) (ike_init_t *this); }; /** - * @brief Create a new IKE_INIT task. + * Create a new IKE_INIT task. * * @param ike_sa IKE_SA this task works for (new one when rekeying) * @param initiator TRUE if thask is the original initator @@ -65,4 +59,4 @@ struct ike_init_t { */ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa); -#endif /* IKE_INIT_H_ */ +#endif /* IKE_INIT_H_ @} */ diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c index a53c243f0..62a1ad3cd 100644 --- a/src/charon/sa/tasks/ike_mobike.c +++ b/src/charon/sa/tasks/ike_mobike.c @@ -1,10 +1,3 @@ -/** - * @file ike_mobike.c - * - * @brief Implementation of the ike_mobike task. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_mobike.h" diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h index bb5150723..7325f5a6f 100644 --- a/src/charon/sa/tasks/ike_mobike.h +++ b/src/charon/sa/tasks/ike_mobike.h 
@@ -1,10 +1,3 @@ -/** - * @file ike_mobike.h - * - * @brief Interface ike_mobike_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_mobike ike_mobike + * @{ @ingroup tasks */ #ifndef IKE_MOBIKE_H_ @@ -31,7 +31,7 @@ typedef struct ike_mobike_t ike_mobike_t; #include <network/packet.h> /** - * @brief Task of type ike_mobike, detects and handles MOBIKE extension. + * Task of type ike_mobike, detects and handles MOBIKE extension. * * The MOBIKE extension is defined in RFC4555. It allows to update IKE * and IPsec tunnel addresses. @@ -39,11 +39,6 @@ typedef struct ike_mobike_t ike_mobike_t; * support, allows the exchange of ADDITIONAL_*_ADDRESS to exchange additional * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update * endpoints. - * - * @b Constructors: - * - ike_mobike_create() - * - * @ingroup tasks */ struct ike_mobike_t { 
@@ -53,36 +48,33 @@ struct ike_mobike_t { task_t task; /** - * @brief Use the task to roam to other addresses. + * Use the task to roam to other addresses. * - * @param this calling object * @param address TRUE to include address list update */ void (*roam)(ike_mobike_t *this, bool address); /** - * @brief Transmision hook, called by task manager. + * Transmision hook, called by task manager. * * The task manager calls this hook whenever it transmits a packet. It * allows the mobike task to send the packet on multiple paths to do path * probing. * - * @param this calling object * @param packet the packet to transmit */ void (*transmit)(ike_mobike_t *this, packet_t *packet); /** - * @brief Check if this task is probing for routability. + * Check if this task is probing for routability. * - * @param this calling object * @return TRUE if task is probing */ bool (*is_probing)(ike_mobike_t *this); }; /** - * @brief Create a new ike_mobike task. + * Create a new ike_mobike task. * * @param ike_sa IKE_SA this task works for * @param initiator TRUE if taks is initiated by us @@ -90,5 +82,4 @@ struct ike_mobike_t { */ ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator); -#endif /* IKE_MOBIKE_H_ */ - +#endif /* IKE_MOBIKE_H_ @} */ diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c index 4c64ff8ba..1662a3268 100644 --- a/src/charon/sa/tasks/ike_natd.c +++ b/src/charon/sa/tasks/ike_natd.c @@ -1,10 +1,3 @@ -/** - * @file ike_natd.c - * - * @brief Implementation of the ike_natd task. - * - */ - /* * Copyright (C) 2006-2007 Martin Willi * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger @@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_natd.h" 
@@ -308,6 +303,12 @@ static status_t build_i(private_ike_natd_t *this, message_t *message) iterator_t *iterator; host_t *host; + if (this->hasher == NULL) + { + DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported"); + return NEED_MORE; + } + /* destination is always set */ host = message->get_destination(message); notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host); @@ -368,6 +369,12 @@ static status_t build_r(private_ike_natd_t *this, message_t *message) if (this->src_seen && this->dst_seen) { + if (this->hasher == NULL) + { + DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported"); + return SUCCESS; + } + /* initiator seems to support NAT detection, add response */ me = message->get_source(message); notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me); @@ -415,7 +422,7 @@ static void migrate(private_ike_natd_t *this, ike_sa_t *ike_sa) */ static void destroy(private_ike_natd_t *this) { - this->hasher->destroy(this->hasher); + DESTROY_IF(this->hasher); free(this); } @@ -443,7 +450,7 @@ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator) this->ike_sa = ike_sa; this->initiator = initiator; - this->hasher = hasher_create(HASH_SHA1); + this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); this->src_seen = FALSE; this->dst_seen = FALSE; this->src_matched = FALSE; diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h index 8d0cb58b4..793408797 100644 --- a/src/charon/sa/tasks/ike_natd.h +++ b/src/charon/sa/tasks/ike_natd.h @@ -1,10 +1,3 @@ -/** - * @file ike_natd.h - * - * @brief Interface ike_natd_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_natd ike_natd + * @{ @ingroup tasks */ #ifndef IKE_NATD_H_ 
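Review bot: The NULL-hasher guards are added only on the two build paths; build_r's guard sits inside `if (this->src_seen && this->dst_seen)`, and those flags are set by process_r, which — if it computes the local NAT_DETECTION hashes for comparison the way build_natd_payload does — would already have dereferenced a NULL this->hasher on the peer's IKE_SA_INIT before build_r is ever reached. process_i and process_r are outside these hunks, so please confirm they carry the same check or return early when the hasher is missing. The two guards also return different statuses (`NEED_MORE` in build_i, `SUCCESS` in build_r); a one-line comment stating why the initiator's task stays queued without NATD payloads while the responder's completes would make the asymmetry read as deliberate.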
@@ -30,12 +30,7 @@ typedef struct ike_natd_t ike_natd_t; #include <sa/tasks/task.h> /** - * @brief Task of type ike_natd, detects NAT situation in IKE_SA_INIT exchange. - * - * @b Constructors: - * - ike_natd_create() - * - * @ingroup tasks + * Task of type ike_natd, detects NAT situation in IKE_SA_INIT exchange. */ struct ike_natd_t { @@ -46,7 +41,7 @@ struct ike_natd_t { }; /** - * @brief Create a new ike_natd task. + * Create a new ike_natd task. * * @param ike_sa IKE_SA this task works for * @param initiator TRUE if thask is the original initator @@ -54,4 +49,4 @@ struct ike_natd_t { */ ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator); -#endif /* IKE_NATD_H_ */ +#endif /* IKE_NATD_H_ @} */ diff --git a/src/charon/sa/tasks/ike_p2p.c b/src/charon/sa/tasks/ike_p2p.c index 6f632733a..ce3a3fd00 100644 --- a/src/charon/sa/tasks/ike_p2p.c +++ b/src/charon/sa/tasks/ike_p2p.c @@ -1,10 +1,3 @@ -/** - * @file ike_p2p.c - * - * @brief Implementation of the ike_p2p task. - * - */ - /* * Copyright (C) 2007 Tobias Brunner * Hochschule fuer Technik Rapperswil @@ -18,8 +11,10 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ - + #include "ike_p2p.h" #include <string.h> diff --git a/src/charon/sa/tasks/ike_p2p.h b/src/charon/sa/tasks/ike_p2p.h index 327ac49d8..fe6bbd1a2 100644 --- a/src/charon/sa/tasks/ike_p2p.h +++ b/src/charon/sa/tasks/ike_p2p.h @@ -1,10 +1,3 @@ -/** - * @file ike_p2p.h - * - * @brief Interface ike_p2p_t. - * - */ - /* * Copyright (C) 2007 Tobias Brunner * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_p2p ike_p2p + * @{ @ingroup tasks */ #ifndef IKE_P2P_H_ 
@@ -30,7 +30,7 @@ typedef struct ike_p2p_t ike_p2p_t; #include <sa/tasks/task.h> /** - * @brief Task of type IKE_P2P, detects and handles P2P-NAT-T extensions. + * Task of type IKE_P2P, detects and handles P2P-NAT-T extensions. * * This tasks handles the P2P_MEDIATION notify exchange to setup a mediation * connection, allows to initiate mediated connections using P2P_CONNECT @@ -40,11 +40,6 @@ typedef struct ike_p2p_t ike_p2p_t; * @note This task has to be activated before the IKE_AUTH task, because that * task generates the IKE_SA_INIT message so that no more payloads can be added * to it afterwards. - * - * @b Constructors: - * - ike_p2p_create() - * - * @ingroup tasks */ struct ike_p2p_t { 
@@ -54,38 +49,34 @@ struct ike_p2p_t { task_t task; /** - * @brief Initiates a connection with another peer (i.e. sends a P2P_CONNECT + * Initiates a connection with another peer (i.e. sends a P2P_CONNECT * to the mediation server) * - * @param this object * @param peer_id ID of the other peer (gets cloned) */ void (*connect)(ike_p2p_t *this, identification_t *peer_id); /** - * @brief Responds to a P2P_CONNECT from another peer (i.e. sends a P2P_CONNECT + * Responds to a P2P_CONNECT from another peer (i.e. sends a P2P_CONNECT * to the mediation server) * - * @param this object * @param peer_id ID of the other peer (gets cloned) * @param session_id the session ID as provided by the initiator (gets cloned) */ void (*respond)(ike_p2p_t *this, identification_t *peer_id, chunk_t session_id); /** - * @brief Sends a P2P_CALLBACK to a peer that previously requested another peer. + * Sends a P2P_CALLBACK to a peer that previously requested another peer. * - * @param this object * @param peer_id ID of the other peer (gets cloned) */ void (*callback)(ike_p2p_t *this, identification_t *peer_id); /** - * @brief Relays data to another peer (i.e. sends a P2P_CONNECT to the peer) + * Relays data to another peer (i.e. sends a P2P_CONNECT to the peer) * * Data gets cloned. * - * @param this object * @param requester ID of the requesting peer * @param session_id content of the P2P_SESSIONID notify * @param session_key content of the P2P_SESSIONKEY notify @@ -98,7 +89,7 @@ struct ike_p2p_t { }; /** - * @brief Create a new ike_p2p task. + * Create a new ike_p2p task. * * @param ike_sa IKE_SA this task works for * @param initiator TRUE if taks is initiated by us @@ -106,5 +97,4 @@ struct ike_p2p_t { */ ike_p2p_t *ike_p2p_create(ike_sa_t *ike_sa, bool initiator); - -#endif /*IKE_P2P_H_*/ +#endif /*IKE_P2P_H_ @} */ diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c index 0e98382a8..7b69a938f 100644 --- a/src/charon/sa/tasks/ike_reauth.c 
+++ b/src/charon/sa/tasks/ike_reauth.c @@ -1,10 +1,3 @@ -/** - * @file ike_reauth.c - * - * @brief Implementation of the ike_reauth task. - * - */ - /* * Copyright (C) 2006-2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_reauth.h" diff --git a/src/charon/sa/tasks/ike_reauth.h b/src/charon/sa/tasks/ike_reauth.h index 3c872e1e1..f5599fd76 100644 --- a/src/charon/sa/tasks/ike_reauth.h +++ b/src/charon/sa/tasks/ike_reauth.h @@ -1,10 +1,3 @@ -/** - * @file ike_reauth.h - * - * @brief Interface ike_reauth_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_reauth ike_reauth + * @{ @ingroup tasks */ #ifndef IKE_REAUTH_H_ @@ -30,12 +30,7 @@ typedef struct ike_reauth_t ike_reauth_t; #include <sa/tasks/task.h> /** - * @brief Task of type ike_reauth, reestablishes an IKE_SA. - * - * @b Constructors: - * - ike_reauth_create() - * - * @ingroup tasks + * Task of type ike_reauth, reestablishes an IKE_SA. */ struct ike_reauth_t { @@ -46,7 +41,7 @@ struct ike_reauth_t { }; /** - * @brief Create a new ike_reauth task. + * Create a new ike_reauth task. * * This task is initiator only. * @@ -55,5 +50,4 @@ struct ike_reauth_t { */ ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa); -#endif /* IKE_REAUTH_H_ */ - +#endif /* IKE_REAUTH_H_ @} */ diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c index 827f95156..1428d5699 100644 --- a/src/charon/sa/tasks/ike_rekey.c +++ b/src/charon/sa/tasks/ike_rekey.c 
@@ -1,10 +1,3 @@ -/** - * @file ike_rekey.c - * - * @brief Implementation of the ike_rekey task. - * - */ - /* * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter @@ -19,6 +12,8 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ */ #include "ike_rekey.h" diff --git a/src/charon/sa/tasks/ike_rekey.h b/src/charon/sa/tasks/ike_rekey.h index 125422efd..06889cb39 100644 --- a/src/charon/sa/tasks/ike_rekey.h +++ b/src/charon/sa/tasks/ike_rekey.h @@ -1,10 +1,3 @@ -/** - * @file ike_rekey.h - * - * @brief Interface ike_rekey_t. - * - */ - /* * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil @@ -18,6 +11,13 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id$ + */ + +/** + * @defgroup ike_rekey ike_rekey + * @{ @ingroup tasks */ #ifndef IKE_REKEY_H_ @@ -30,12 +30,7 @@ typedef struct ike_rekey_t ike_rekey_t; #include <sa/tasks/task.h> /** - * @brief Task of type IKE_REKEY, rekey an established IKE_SA. - * - * @b Constructors: - * - ike_rekey_create() - * - * @ingroup tasks + * Task of type IKE_REKEY, rekey an established IKE_SA. */ struct ike_rekey_t { 
@@ -45,20 +40,19 @@ struct ike_rekey_t {
 	task_t task;
 
 	/**
-	 * @brief Register a rekeying task which collides with this one.
+	 * Register a rekeying task which collides with this one.
 	 *
 	 * If two peers initiate rekeying at the same time, the collision must
 	 * be handled gracefully. The task manager is aware of what exchanges
 	 * are going on and notifies the outgoing task by passing the incoming.
 	 *
-	 * @param this task initated by us
 	 * @param other incoming task
 	 */
 	void (*collide)(ike_rekey_t* this, task_t *other);
 };
 
 /**
- * @brief Create a new IKE_REKEY task.
+ * Create a new IKE_REKEY task.
  *
  * @param ike_sa IKE_SA this task works for
  * @param initiator TRUE for initiator, FALSE for responder
@@ -66,4 +60,4 @@ struct ike_rekey_t {
  */
 ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator);
 
-#endif /* IKE_REKEY_H_ */
+#endif /* IKE_REKEY_H_ @} */
diff --git a/src/charon/sa/tasks/task.c b/src/charon/sa/tasks/task.c
index cc20a8861..0ff2afd77 100644
--- a/src/charon/sa/tasks/task.c
+++ b/src/charon/sa/tasks/task.c
@@ -1,10 +1,3 @@
-/**
- * @file task.c
- *
- * @brief Enum values for task types
- *
- */
-
 /*
  * Copyright (C) 2007 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
@@ -19,6 +12,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
+ *
+ * $Id$
  */
 
 #include "task.h"
@@ -29,7 +24,8 @@ ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
 	"IKE_MOBIKE",
 	"IKE_AUTHENTICATE",
 	"IKE_AUTH_LIFETIME",
-	"IKE_CERT",
+	"IKE_CERT_PRE",
+	"IKE_CERT_POST",
 	"IKE_CONFIG",
 	"IKE_REKEY",
 	"IKE_REAUTH",
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
index a59207711..773bc60c6 100644
--- a/src/charon/sa/tasks/task.h
+++ b/src/charon/sa/tasks/task.h
@@ -1,10 +1,3 @@
-/**
- * @file task.h
- *
- * @brief Interface task_t.
- *
- */
-
 /*
  * Copyright (C) 2007 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
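Review bot: The string table in `ENUM(task_type_names, IKE_INIT, CHILD_REKEY, …)` is only correct while its entry order matches `enum task_type_t` in task.h; the new `"IKE_CERT_PRE"` / `"IKE_CERT_POST"` entries keep that order, but nothing in task.c says so, and unless the ENUM macro verifies the entry count, a later insertion in one file without the other would silently mislabel every task type after it in log output. A comment above the table, `/* must stay in the same order as task_type_t in task.h */`, would make the coupling explicit. The same pairing applies to the task_type_t hunk in task.h (-47,8 +45,10).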
@@ -19,6 +12,13 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup task task
+ * @{ @ingroup tasks
  */
 
 #ifndef TASK_H_
@@ -32,9 +32,7 @@ typedef struct task_t task_t;
 #include <encoding/message.h>
 
 /**
- * @brief Different kinds of tasks.
- *
- * @ingroup tasks
+ * Different kinds of tasks.
  */
 enum task_type_t {
 	/** establish an unauthenticated IKE_SA */
@@ -47,8 +45,10 @@ enum task_type_t {
 	IKE_AUTHENTICATE,
 	/** AUTH_LIFETIME negotiation, RFC4478 */
 	IKE_AUTH_LIFETIME,
-	/** exchange certificates and requests */
-	IKE_CERT,
+	/** certificate processing before authentication (certreqs, cert parsing) */
+	IKE_CERT_PRE,
+	/** certificate processing after authentication (certs payload generation) */
+	IKE_CERT_POST,
 	/** Configuration payloads, virtual IP and such */
 	IKE_CONFIG,
 	/** rekey an IKE_SA */
@@ -77,7 +77,7 @@ enum task_type_t {
 extern enum_name_t *task_type_names;
 
 /**
- * @brief Interface for a task, an operation handled within exchanges.
+ * Interface for a task, an operation handled within exchanges.
  *
  * A task is an elemantary operation. It may be handled by a single or by
  * multiple exchanges. An exchange may even complete multiple tasks.
@@ -94,18 +94,12 @@ extern enum_name_t *task_type_names;
  * the task needs further build()/process() calls to complete, the manager
  * leaves the taks in the queue. A returned FAILED indicates a critical failure.
  * The manager closes the IKE_SA whenever a task returns FAILED.
- *
- * @b Constructors:
- * - None, use implementations specific constructors
- *
- * @ingroup tasks
  */
 struct task_t {
 
 	/**
-	 * @brief Build a request or response message for this task.
+	 * Build a request or response message for this task.
 	 *
-	 * @param this calling object
 	 * @param message message to add payloads to
 	 * @return
 	 * - FAILED if a critical error occured
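Review bot: Inserting IKE_CERT_PRE and IKE_CERT_POST ahead of IKE_CONFIG renumbers IKE_CONFIG and every enumerator after it; that is harmless for the in-process use visible here (task.c updates the task_type_names table in the same order), but it becomes a trap if task_type_t values are ever logged as numbers, persisted, or compared across separately built components. A one-line note on the enum, `/* numeric values are not stable across releases; do not persist or transmit them */`, would record that. The enum body continues outside the hunk in both directions.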
@@ -115,9 +109,8 @@ struct task_t {
 	status_t (*build) (task_t *this, message_t *message);
 
 	/**
-	 * @brief Process a request or response message for this task.
+	 * Process a request or response message for this task.
 	 *
-	 * @param this calling object
 	 * @param message message to read payloads from
 	 * @return
 	 * - FAILED if a critical error occured
@@ -127,14 +120,12 @@ struct task_t {
 	status_t (*process) (task_t *this, message_t *message);
 
 	/**
-	 * @brief Get the type of the task implementation.
-	 *
-	 * @param this calling object
+	 * Get the type of the task implementation.
 	 */
 	task_type_t (*get_type) (task_t *this);
 
 	/**
-	 * @brief Migrate a task to a new IKE_SA.
+	 * Migrate a task to a new IKE_SA.
 	 *
 	 * After migrating a task, it goes back to a state where it can be
 	 * used again to initate an exchange. This is useful when a task
@@ -144,17 +135,14 @@ struct task_t {
 	 * try.
 	 * The ike_sa is the new IKE_SA this task belongs to and operates on.
 	 *
-	 * @param this calling object
 	 * @param ike_sa new IKE_SA this task works for
 	 */
 	void (*migrate) (task_t *this, ike_sa_t *ike_sa);
 
 	/**
-	 * @brief Destroys a task_t object.
-	 *
-	 * @param this calling object
+	 * Destroys a task_t object.
 	 */
 	void (*destroy) (task_t *this);
 };
 
-#endif /* TASK_H_ */
+#endif /* TASK_H_ @} */ |