Diffstat (limited to 'src/charon')
95 files changed, 1104 insertions, 1003 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 85e6264a6..913556fc9 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -21,8 +21,11 @@ sa/transactions/delete_child_sa.h sa/transactions/delete_child_sa.c \
 sa/transactions/dead_peer_detection.h sa/transactions/dead_peer_detection.c \
 sa/transactions/delete_ike_sa.h sa/transactions/delete_ike_sa.c \
 sa/transactions/rekey_ike_sa.h sa/transactions/rekey_ike_sa.c \
+sa/authenticators/authenticator.h sa/authenticators/authenticator.c \
+sa/authenticators/rsa_authenticator.h sa/authenticators/rsa_authenticator.c \
+sa/authenticators/psk_authenticator.h sa/authenticators/psk_authenticator.c \
 sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \
+sa/ike_sa_id.c sa/ike_sa_id.h encoding/payloads/encryption_payload.c \
 encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
 encoding/payloads/configuration_attribute.h encoding/payloads/proposal_substructure.h \
 encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index 0aff0f303..183263f06 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -161,10 +161,10 @@ static int get_thread_number(private_bus_t *this)
 {
 	static int current_num = 0, stored_num;
 
-	stored_num = (int)pthread_getspecific(this->thread_id);
+	stored_num = (int)(intptr_t)pthread_getspecific(this->thread_id);
 	if (stored_num == 0)
 	{	/* first call of current thread */
-		pthread_setspecific(this->thread_id, (void*)++current_num);
+		pthread_setspecific(this->thread_id, (void*)(intptr_t)++current_num);
 		return current_num;
 	}
 	else
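Review bot: `++current_num` in the first-call branch is a read-modify-write on a file-static counter shared by every thread, and nothing in the hunk serialises it; unless each caller already holds `this->mutex`, two threads making their first call at the same time can be handed the same number. The new `(intptr_t)` casts fix the pointer/int width problem but leave that untouched. A short comment would also help a reader, e.g. `/* numbering starts at 1 so that a 0 in the key slot means "not assigned yet" */` above the `if`. The `else` branch of get_thread_number continues outside the hunk.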
@@ -237,7 +237,8 @@ static signal_t listen_(private_bus_t *this, level_t *level, int *thread,
 	*thread = listener->thread;
 	*ike_sa = listener->ike_sa;
 	*format = listener->format;
-	*args = listener->args;
+	va_copy(*args, listener->args);
+	va_end(listener->args);
 	return listener->signal;
 }
 
@@ -285,7 +286,7 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level,
 	bus_listener_t *listener;
 	active_listener_t *active_listener;
 	ike_sa_t *ike_sa;
-	int thread;
+	long thread;
 
 	ike_sa = pthread_getspecific(this->thread_sa);
 	thread = get_thread_number(this);
@@ -336,7 +337,6 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level,
 		{
 			pthread_cond_wait(&active_listener->cond, &this->mutex);
 		}
-		va_end(active_listener->args);
 	}
 	iterator->destroy(iterator);
 
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index e1b4f5546..cd5ca37c2 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -23,14 +23,17 @@
 #ifndef BUS_H_
 #define BUS_H_
+typedef enum signal_t signal_t;
+typedef enum level_t level_t;
+typedef struct bus_listener_t bus_listener_t;
+typedef struct bus_t bus_t;
+
 #include <stdarg.h>
 #include <sa/ike_sa.h>
 #include <sa/child_sa.h>
-typedef enum signal_t signal_t;
-
 /**
  * @brief signals emitted by the daemon.
  *
@@ -123,8 +126,6 @@ enum signal_t {
  */
 extern enum_name_t *signal_names;
-typedef enum level_t level_t;
-
 /**
  * Signal levels used to control output verbosity.
  */
@@ -179,8 +180,6 @@ enum level_t {
 #define SIG_TYPE(sig) (sig > DBG_MAX ? SIG_ANY : sig)
-typedef struct bus_listener_t bus_listener_t;
-
 /**
  * @brief Interface for registering at the signal bus.
  *
@@ -213,9 +212,6 @@ struct bus_listener_t {
 	int thread, ike_sa_t *ike_sa, char* format, va_list args);
 };
-
-typedef struct bus_t bus_t;
-
 /**
  * @brief Signal bus which sends signals to registered listeners.
  *
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index 919c8f0de..d67daba25 100644
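Review bot: `va_copy(*args, listener->args)` hands the caller of listen_ an initialised va_list that it must now `va_end` itself, and nothing in the hunk documents that; the old plain assignment carried no such obligation, so an unchanged caller leaks the copy on every signal it collects. The same lifetime question applies to the third bus.c hunk, where `va_end(active_listener->args)` is dropped from vsignal: the list copied into the listener is now only ended when a listener actually reaches listen_, so any path on which the waiting listener leaves without calling it (outside these hunks, if it exists) never ends it. Suggested comment on listen_ above the assignments: `/* *args is a va_copy owned by the caller from here on; it must va_end() it */`. listen_ starts outside the hunk.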
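Review bot: Widening `thread` to `long` in vsignal is inconsistent with the rest of the interface visible in this commit: get_thread_number() in the first bus.c hunk still returns `int`, listen_ still writes through an `int *thread`, and the listener callback in the last bus.h hunk still declares `int thread`. The assignment shown is a harmless widening, but wherever vsignal passes `thread` on (outside the hunk) it is narrowed back, so the change buys nothing and invites a later `%d`/`%ld` format mismatch; either keep `int thread;` here or change the whole chain in one go. The body of vsignal continues outside the hunk.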
--- a/src/charon/bus/listeners/file_logger.h +++ b/src/charon/bus/listeners/file_logger.h @@ -23,17 +23,16 @@ #ifndef FILE_LOGGER_H_ #define FILE_LOGGER_H_ -#include <bus/bus.h> - - typedef struct file_logger_t file_logger_t; +#include <bus/bus.h> + /** * @brief Logger to files which implements bus_listener_t. - * + * * @b Constructors: * - file_logger_create() - * + * * @ingroup listeners */ struct file_logger_t { diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h index ff0b9ba2c..091217313 100644 --- a/src/charon/bus/listeners/sys_logger.h +++ b/src/charon/bus/listeners/sys_logger.h @@ -23,19 +23,18 @@ #ifndef SYS_LOGGER_H_ #define SYS_LOGGER_H_ +typedef struct sys_logger_t sys_logger_t; + #include <syslog.h> #include <bus/bus.h> - -typedef struct sys_logger_t sys_logger_t; - /** * @brief Logger for syslog which implements bus_listener_t. - * + * * @b Constructors: * - sys_logger_create() - * + * * @ingroup listeners */ struct sys_logger_t { diff --git a/src/charon/config/configuration.h b/src/charon/config/configuration.h index ee25872fc..57e4885eb 100755 --- a/src/charon/config/configuration.h +++ b/src/charon/config/configuration.h @@ -23,11 +23,10 @@ #ifndef CONFIGURATION_H_ #define CONFIGURATION_H_ -#include <types.h> - - typedef struct configuration_t configuration_t; +#include <types.h> + /** * @brief The interface for various daemon related configs. * diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h index 760513069..3f552d914 100644 --- a/src/charon/config/connections/connection.h +++ b/src/charon/config/connections/connection.h @@ -24,6 +24,9 @@ #ifndef CONNECTION_H_ #define CONNECTION_H_ +typedef enum cert_policy_t cert_policy_t; +typedef struct connection_t connection_t; + #include <types.h> #include <utils/host.h> #include <utils/linked_list.h> 
@@ -31,7 +34,6 @@ #include <config/proposal.h> #include <crypto/diffie_hellman.h> -typedef enum cert_policy_t cert_policy_t; /** * Certificate sending policy. This is also used for certificate @@ -60,16 +62,12 @@ enum cert_policy_t { */ extern enum_name_t *cert_policy_names; - -typedef struct connection_t connection_t; - /** * @brief A connection_t defines the rules to set up an IKE_SA. * - * * @b Constructors: * - connection_create() - * + * * @ingroup config */ struct connection_t { diff --git a/src/charon/config/connections/connection_store.h b/src/charon/config/connections/connection_store.h index 9e6c0efe2..1e73bd01f 100755 --- a/src/charon/config/connections/connection_store.h +++ b/src/charon/config/connections/connection_store.h @@ -23,13 +23,12 @@ #ifndef CONNECTION_STORE_H_ #define CONNECTION_STORE_H_ +typedef struct connection_store_t connection_store_t; + #include <types.h> #include <config/connections/connection.h> #include <utils/iterator.h> - -typedef struct connection_store_t connection_store_t; - /** * @brief The interface for a store of connection_t's. * diff --git a/src/charon/config/connections/local_connection_store.h b/src/charon/config/connections/local_connection_store.h index 6e73ef945..e36a66c93 100644 --- a/src/charon/config/connections/local_connection_store.h +++ b/src/charon/config/connections/local_connection_store.h @@ -23,12 +23,11 @@ #ifndef LOCAL_CONNECTION_H_ #define LOCAL_CONNECTION_H_ +typedef struct local_connection_store_t local_connection_store_t; + #include <types.h> #include <config/connections/connection_store.h> - -typedef struct local_connection_store_t local_connection_store_t; - /** * @brief A connection_store_t implementation using a simple connection list. * diff --git a/src/charon/config/credentials/credential_store.h b/src/charon/config/credentials/credential_store.h index 2394a0f0b..e991ce3d2 100755 --- a/src/charon/config/credentials/credential_store.h +++ b/src/charon/config/credentials/credential_store.h 
@@ -24,6 +24,8 @@
 #ifndef CREDENTIAL_STORE_H_
 #define CREDENTIAL_STORE_H_
 
+typedef struct credential_store_t credential_store_t;
+
 #include <types.h>
 #include <crypto/x509.h>
 #include <crypto/rsa/rsa_private_key.h>
@@ -31,14 +33,12 @@
 #include <utils/identification.h>
-typedef struct credential_store_t credential_store_t;
-
 /**
  * @brief The interface for a credential_store backend.
- * 
+ *
  * @b Constructors:
- * - stroke_create() 
- * 
+ * - stroke_create()
+ *
  * @ingroup config
  */
 struct credential_store_t {
diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
index f98408283..3f4267aea 100644
--- a/src/charon/config/credentials/local_credential_store.c
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -1125,7 +1125,7 @@ local_credential_store_t * local_credential_store_create(bool strict)
 	this->public.credential_store.get_trusted_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_trusted_public_key;
 	this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate;
 	this->public.credential_store.get_ca_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_ca_certificate;
-	this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,identification_t*))get_ca_certificate_by_keyid;
+	this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,chunk_t))get_ca_certificate_by_keyid;
 	this->public.credential_store.get_issuer_certificate = (x509_t* (*) (credential_store_t*,const x509_t*))get_issuer_certificate;
 	this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify;
 	this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate;
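Review bot: The corrected cast now names `chunk_t` as the second parameter of get_ca_certificate_by_keyid, which per the cast is passed by value, but the pattern that let the wrong cast compile is unchanged: every method in this run is force-cast to the public signature, so a mismatch like the one fixed here — calling a function through a pointer of a different type — is undefined behaviour the compiler cannot report. Where the private implementation can accept `credential_store_t*` and downcast inside, assigning without the cast lets the prototype be checked; otherwise a comment such as `/* casts adapt private_*_t* to credential_store_t*; keep the parameter lists in sync with credential_store.h */` at the top of the assignment run at least flags the hazard. local_credential_store_create continues outside the hunk.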
diff --git a/src/charon/config/credentials/local_credential_store.h b/src/charon/config/credentials/local_credential_store.h index f27fe0c2a..05ad5f540 100644 --- a/src/charon/config/credentials/local_credential_store.h +++ b/src/charon/config/credentials/local_credential_store.h @@ -23,13 +23,13 @@ #ifndef LOCAL_CREDENTIAL_H_ #define LOCAL_CREDENTIAL_H_ +typedef struct local_credential_store_t local_credential_store_t; + #include <types.h> #include <daemon.h> #include <config/credentials/credential_store.h> -typedef struct local_credential_store_t local_credential_store_t; - /** * @brief A credential_store_t implementation using simple credentail lists. * diff --git a/src/charon/config/policies/local_policy_store.h b/src/charon/config/policies/local_policy_store.h index ce9b33d71..5834b8e3e 100644 --- a/src/charon/config/policies/local_policy_store.h +++ b/src/charon/config/policies/local_policy_store.h @@ -23,12 +23,12 @@ #ifndef LOCAL_POLICY_STORE_H_ #define LOCAL_POLICY_STORE_H_ +typedef struct local_policy_store_t local_policy_store_t; + #include <types.h> #include <config/policies/policy_store.h> -typedef struct local_policy_store_t local_policy_store_t; - /** * @brief A policy_store_t implementation using a simple policy lists. * diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c index 70beb1c17..b52ae33ac 100644 --- a/src/charon/config/policies/policy.c +++ b/src/charon/config/policies/policy.c @@ -31,13 +31,6 @@ #include <utils/linked_list.h> #include <utils/identification.h> -ENUM(auth_method_names, RSA_DIGITAL_SIGNATURE, DSS_DIGITAL_SIGNATURE, - "RSA signature", - "pre-shared key", - "DSS signature" -); - - ENUM(dpd_action_names, DPD_NONE, DPD_RESTART, "DPD_NONE", "DPD_CLEAR", diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h index 3980d1d85..279ce93aa 100644 --- a/src/charon/config/policies/policy.h +++ b/src/charon/config/policies/policy.h 
@@ -24,48 +24,15 @@ #ifndef POLICY_H_ #define POLICY_H_ +typedef enum dpd_action_t dpd_action_t; +typedef struct policy_t policy_t; + #include <types.h> #include <utils/identification.h> #include <config/traffic_selector.h> #include <config/proposal.h> +#include <sa/authenticators/authenticator.h> -typedef enum auth_method_t auth_method_t; - -/** - * AUTH Method to use. - * - * @ingroup config - */ -enum auth_method_t { - /** - * Computed as specified in section 2.15 of RFC using - * an RSA private key over a PKCS#1 padded hash. - */ - RSA_DIGITAL_SIGNATURE = 1, - - /** - * Computed as specified in section 2.15 of RFC using the - * shared key associated with the identity in the ID payload - * and the negotiated prf function - */ - SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2, - - /** - * Computed as specified in section 2.15 of RFC using a - * DSS private key over a SHA-1 hash. - */ - DSS_DIGITAL_SIGNATURE = 3, -}; - -/** - * enum names for auth_method_t. - * - * @ingroup config - */ -extern enum_name_t *auth_method_names; - - -typedef enum dpd_action_t dpd_action_t; /** * @brief Actions to take when a peer does not respond (dead peer detected). @@ -90,18 +57,15 @@ enum dpd_action_t { */ extern enum_name_t *dpd_action_names; - -typedef struct policy_t policy_t; - /** * @brief A policy_t defines the policies to apply to CHILD_SAs. - * + * * The given two IDs identify a policy. These rules define how * child SAs may be set up and which traffic may be IPsec'ed. - * + * * @b Constructors: * - policy_create() - * + * * @ingroup config */ struct policy_t { diff --git a/src/charon/config/policies/policy_store.h b/src/charon/config/policies/policy_store.h index a09263b13..47969087e 100755 --- a/src/charon/config/policies/policy_store.h +++ b/src/charon/config/policies/policy_store.h 
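Review bot: Adding `#include <sa/authenticators/authenticator.h>` to config/policies/policy.h makes the config layer depend on the sa layer, and the auth_payload.h hunk later in this commit adds the same include to encoding/payloads; since the sa headers presumably include config and encoding headers in turn, this is an include cycle, which is likely why every header in this commit now hoists its typedefs above its includes. If policy.h only needs the `auth_method_t` name for a field or accessor, a forward `typedef enum auth_method_t auth_method_t;` here (matching the style the commit uses elsewhere, though it relies on the compiler accepting incomplete enums) with the include moved into policy.c keeps config free of sa. The remainder of the header outside the hunk is not visible, so there may be a use that needs the full definition.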
@@ -23,13 +23,13 @@ #ifndef POLICY_STORE_H_ #define POLICY_STORE_H_ +typedef struct policy_store_t policy_store_t; + #include <types.h> #include <config/policies/policy.h> #include <utils/linked_list.h> -typedef struct policy_store_t policy_store_t; - /** * @brief The interface for a store of policy_t's. * diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h index 5ce19e9da..6099eca30 100644 --- a/src/charon/config/proposal.h +++ b/src/charon/config/proposal.h @@ -23,6 +23,12 @@ #ifndef PROPOSAL_H_ #define PROPOSAL_H_ +typedef enum protocol_id_t protocol_id_t; +typedef enum transform_type_t transform_type_t; +typedef enum extended_sequence_numbers_t extended_sequence_numbers_t; +typedef struct algorithm_t algorithm_t; +typedef struct proposal_t proposal_t; + #include <types.h> #include <utils/identification.h> #include <utils/linked_list.h> @@ -32,12 +38,9 @@ #include <crypto/diffie_hellman.h> #include <config/traffic_selector.h> - -typedef enum protocol_id_t protocol_id_t; - /** * Protocol ID of a proposal. - * + * * @ingroup config */ enum protocol_id_t { @@ -55,11 +58,9 @@ enum protocol_id_t { extern enum_name_t *protocol_id_names; -typedef enum transform_type_t transform_type_t; - /** * Type of a transform, as in IKEv2 RFC 3.3.2. - * + * * @ingroup config */ enum transform_type_t { @@ -79,11 +80,9 @@ enum transform_type_t { extern enum_name_t *transform_type_names; -typedef enum extended_sequence_numbers_t extended_sequence_numbers_t; - -/** +/** * Extended sequence numbers, as in IKEv2 RFC 3.3.2. - * + * * @ingroup config */ enum extended_sequence_numbers_t { @@ -99,7 +98,6 @@ enum extended_sequence_numbers_t { extern enum_name_t *extended_sequence_numbers_names; -typedef struct algorithm_t algorithm_t; /** * Struct used to store different kinds of algorithms. The internal @@ -117,8 +115,6 @@ struct algorithm_t { u_int16_t key_size; }; -typedef struct proposal_t proposal_t; - /** * @brief Stores a set of algorithms used for an SA. * 
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h index ef1b83275..09fdaf6ae 100644 --- a/src/charon/config/traffic_selector.h +++ b/src/charon/config/traffic_selector.h @@ -24,6 +24,9 @@ #ifndef TRAFFIC_SELECTOR_H_ #define TRAFFIC_SELECTOR_H_ +typedef enum ts_type_t ts_type_t; +typedef struct traffic_selector_t traffic_selector_t; + #include <types.h> #include <utils/host.h> @@ -32,8 +35,6 @@ */ #define TRAFFIC_SELECTOR_PRINTF_SPEC 'R' -typedef enum ts_type_t ts_type_t; - /** * Traffic selector types. * @@ -65,21 +66,18 @@ enum ts_type_t { */ extern enum_name_t *ts_type_name; - -typedef struct traffic_selector_t traffic_selector_t; - /** * @brief Object representing a traffic selector entry. - * + * * A traffic selector defines an range of addresses * and a range of ports. IPv6 is not fully supported yet. - * + * * @b Constructors: * - traffic_selector_create_from_bytes() * - traffic_selector_create_from_string() - * + * * @todo Add IPv6 support - * + * * @ingroup config */ struct traffic_selector_t { diff --git a/src/charon/daemon.h b/src/charon/daemon.h index 295f21061..5b3349829 100644 --- a/src/charon/daemon.h +++ b/src/charon/daemon.h @@ -25,6 +25,8 @@ #ifndef DAEMON_H_ #define DAEMON_H_ +typedef struct daemon_t daemon_t; + #include <threads/sender.h> #include <threads/receiver.h> #include <threads/scheduler.h> @@ -272,14 +274,11 @@ */ #define SECRETS_FILE CONFIG_DIR "/ipsec.secrets" - -typedef struct daemon_t daemon_t; - /** * @brief Main class of daemon, contains some globals. - * + * * @ingroup charon - */ + */ struct daemon_t { /** * A socket_t instance. diff --git a/src/charon/encoding/generator.h b/src/charon/encoding/generator.h index f0c31d65e..924e1e666 100644 --- a/src/charon/encoding/generator.h +++ b/src/charon/encoding/generator.h 
@@ -24,6 +24,8 @@ #ifndef GENERATOR_H_ #define GENERATOR_H_ +typedef struct generator_t generator_t; + #include <types.h> #include <encoding/payloads/encodings.h> #include <encoding/payloads/payload.h> @@ -31,24 +33,22 @@ /** * Generating is done in a data buffer. * This is thehe start size of this buffer in bytes. - * + * * @ingroup enconding */ #define GENERATOR_DATA_BUFFER_SIZE 500 /** * Number of bytes to increase the buffer, if it is to small. - * + * * @ingroup enconding */ #define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500 -typedef struct generator_t generator_t; - /** * @brief A generator_t class used to generate IKEv2 payloads. - * + * * After creation, multiple payloads can be generated with the generate_payload * method. The generated bytes are appended. After all payloads are added, * the write_to_chunk method writes out all generated data since diff --git a/src/charon/encoding/message.h b/src/charon/encoding/message.h index 3b91e8e94..8b7e3c7cd 100644 --- a/src/charon/encoding/message.h +++ b/src/charon/encoding/message.h @@ -25,6 +25,8 @@ #ifndef MESSAGE_H_ #define MESSAGE_H_ +typedef struct message_t message_t; + #include <types.h> #include <sa/ike_sa_id.h> #include <network/packet.h> @@ -39,9 +41,6 @@ */ #define MESSAGE_PRINTF_SPEC 'M' - -typedef struct message_t message_t; - /** * @brief This class is used to represent an IKEv2-Message. * diff --git a/src/charon/encoding/parser.h b/src/charon/encoding/parser.h index a78789bd9..bff3b50f6 100644 --- a/src/charon/encoding/parser.h +++ b/src/charon/encoding/parser.h 
@@ -24,23 +24,22 @@ #ifndef PARSER_H_ #define PARSER_H_ +typedef struct parser_t parser_t; + #include <types.h> #include <encoding/payloads/encodings.h> #include <encoding/payloads/payload.h> - -typedef struct parser_t parser_t; - /** * @brief A parser_t class to parse IKEv2 payloads. - * + * * A parser is used for parsing one chunk of data. Multiple * payloads can be parsed out of the chunk using parse_payload. * The parser remains the state until destroyed. - * + * * @b Constructors: * - parser_create() - * + * * @ingroup encoding */ struct parser_t { diff --git a/src/charon/encoding/payloads/auth_payload.c b/src/charon/encoding/payloads/auth_payload.c index 55de405fb..5e3569750 100644 --- a/src/charon/encoding/payloads/auth_payload.c +++ b/src/charon/encoding/payloads/auth_payload.c @@ -70,7 +70,6 @@ struct private_auth_payload_t { * * The defined offsets are the positions in a object of type * private_auth_payload_t. - * */ encoding_rule_t auth_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ 
@@ -78,23 +77,23 @@ encoding_rule_t auth_payload_encodings[] = {
 	/* the critical bit */
 	{ FLAG, offsetof(private_auth_payload_t, critical) },
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT, 0 }, 
-	{ RESERVED_BIT, 0 }, 
-	{ RESERVED_BIT, 0 }, 
-	{ RESERVED_BIT, 0 }, 
-	{ RESERVED_BIT, 0 }, 
-	{ RESERVED_BIT, 0 }, 
-	{ RESERVED_BIT, 0 }, 
+	{ RESERVED_BIT, 0 },
+	{ RESERVED_BIT, 0 },
+	{ RESERVED_BIT, 0 },
+	{ RESERVED_BIT, 0 },
+	{ RESERVED_BIT, 0 },
+	{ RESERVED_BIT, 0 },
+	{ RESERVED_BIT, 0 },
 	/* Length of the whole payload*/
 	{ PAYLOAD_LENGTH, offsetof(private_auth_payload_t, payload_length)},
 	/* 1 Byte AUTH type*/
 	{ U_INT_8, offsetof(private_auth_payload_t, auth_method) },
 	/* 3 reserved bytes */
-	{ RESERVED_BYTE, 0 }, 
-	{ RESERVED_BYTE, 0 }, 
-	{ RESERVED_BYTE, 0 }, 
+	{ RESERVED_BYTE, 0 },
+	{ RESERVED_BYTE, 0 },
+	{ RESERVED_BYTE, 0 },
 	/* some auth data bytes, length is defined in PAYLOAD_LENGTH */
-	{ AUTH_DATA, offsetof(private_auth_payload_t, auth_data) } 
+	{ AUTH_DATA, offsetof(private_auth_payload_t, auth_data) }
 };
 
 /*
@@ -116,8 +115,8 @@ encoding_rule_t auth_payload_encodings[] = {
  */
 static status_t verify(private_auth_payload_t *this)
 {
-	if ((this->auth_method == 0) ||
-		((this->auth_method >= 4) && (this->auth_method <= 200)))
+	if (this->auth_method == 0 ||
+		(this->auth_method >= 4 && this->auth_method <= 200))
 	{
 		/* reserved IDs */
 		return FAILED;
diff --git a/src/charon/encoding/payloads/auth_payload.h b/src/charon/encoding/payloads/auth_payload.h
index 76fe53467..7616a6ed2 100644
--- a/src/charon/encoding/payloads/auth_payload.h
+++ b/src/charon/encoding/payloads/auth_payload.h
@@ -21,13 +21,14 @@
  * for more details.
  */
-
 #ifndef AUTH_PAYLOAD_H_
 #define AUTH_PAYLOAD_H_
+typedef struct auth_payload_t auth_payload_t;
+
 #include <types.h>
 #include <encoding/payloads/payload.h>
-#include <config/policies/policy.h>
+#include <sa/authenticators/authenticator.h>
 /**
  * Length of a auth payload without the auth data in bytes.
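Review bot: The restyled condition in verify() still rejects method 0 and 4–200 while letting 201–255 through, and the comment `/* reserved IDs */` does not explain that asymmetry; a reader will wonder why 201 passes. That split matches the IKEv2 AUTH method registry (1–3 defined, 4–200 reserved to IANA, 201–255 private use), so the intent is presumably that private-use values are parsed here and rejected later by whichever authenticator is selected. Suggest `/* 0 and 4..200 are reserved; 1..3 are defined, 201..255 are private use and are left for the authenticator to reject */`, assuming nothing downstream relies on verify() alone to filter them. verify continues outside the hunk.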
@@ -36,17 +37,14 @@ */ #define AUTH_PAYLOAD_HEADER_LENGTH 8 - -typedef struct auth_payload_t auth_payload_t; - /** * @brief Class representing an IKEv2 AUTH payload. - * + * * The AUTH payload format is described in RFC section 3.8. - * + * * @b Constructors: * - auth_payload_create() - * + * * @ingroup payloads */ struct auth_payload_t { diff --git a/src/charon/encoding/payloads/cert_payload.h b/src/charon/encoding/payloads/cert_payload.h index aaf0b8566..c1ba0bdc0 100644 --- a/src/charon/encoding/payloads/cert_payload.h +++ b/src/charon/encoding/payloads/cert_payload.h @@ -24,6 +24,9 @@ #ifndef CERT_PAYLOAD_H_ #define CERT_PAYLOAD_H_ +typedef enum cert_encoding_t cert_encoding_t; +typedef struct cert_payload_t cert_payload_t; + #include <types.h> #include <crypto/x509.h> #include <encoding/payloads/payload.h> @@ -35,12 +38,9 @@ */ #define CERT_PAYLOAD_HEADER_LENGTH 5 - -typedef enum cert_encoding_t cert_encoding_t; - /** * @brief Certificate encoding, as described in IKEv2 RFC section 3.6 - * + * * @ingroup payloads */ enum cert_encoding_t { @@ -66,11 +66,9 @@ enum cert_encoding_t { */ extern enum_name_t *cert_encoding_names; -typedef struct cert_payload_t cert_payload_t; - /** * @brief Class representing an IKEv2 CERT payload. - * + * * The CERT payload format is described in RFC section 3.6. * This is just a dummy implementation to fullfill the standards * requirements. A full implementation would offer setters/getters @@ -78,9 +76,9 @@ typedef struct cert_payload_t cert_payload_t; * * @b Constructors: * - cert_payload_create() - * + * * @todo Implement setters/getters for the different certificate encodings. - * + * * @ingroup payloads */ struct cert_payload_t { diff --git a/src/charon/encoding/payloads/certreq_payload.h b/src/charon/encoding/payloads/certreq_payload.h index db3976aad..e00d673e7 100644 --- a/src/charon/encoding/payloads/certreq_payload.h +++ b/src/charon/encoding/payloads/certreq_payload.h 
@@ -24,6 +24,8 @@ #ifndef CERTREQ_PAYLOAD_H_ #define CERTREQ_PAYLOAD_H_ +typedef struct certreq_payload_t certreq_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/cert_payload.h> @@ -36,21 +38,19 @@ #define CERTREQ_PAYLOAD_HEADER_LENGTH 5 -typedef struct certreq_payload_t certreq_payload_t; - /** * @brief Class representing an IKEv2 CERTREQ payload. - * + * * The CERTREQ payload format is described in RFC section 3.7. * This is just a dummy implementation to fullfill the standards * requirements. A full implementation would offer setters/getters * for the different encoding types. - * + * * @b Constructors: * - certreq_payload_create() - * + * * @todo Implement payload functionality. - * + * * @ingroup payloads */ struct certreq_payload_t { diff --git a/src/charon/encoding/payloads/configuration_attribute.h b/src/charon/encoding/payloads/configuration_attribute.h index 5cd7b2263..51abab61e 100644 --- a/src/charon/encoding/payloads/configuration_attribute.h +++ b/src/charon/encoding/payloads/configuration_attribute.h @@ -24,11 +24,13 @@ #ifndef CONFIGURATION_ATTRIBUTE_H_ #define CONFIGURATION_ATTRIBUTE_H_ +typedef enum configuration_attribute_type_t configuration_attribute_type_t; +typedef struct configuration_attribute_t configuration_attribute_t; + #include <types.h> #include <encoding/payloads/payload.h> - /** * Configuration attribute header length in bytes. * @@ -36,9 +38,6 @@ */ #define CONFIGURATION_ATTRIBUTE_HEADER_LENGTH 4 - -typedef enum configuration_attribute_type_t configuration_attribute_type_t; - /** * Type of the attribute, as in IKEv2 RFC 3.15.1. * @@ -68,8 +67,6 @@ enum configuration_attribute_type_t { */ extern enum_name_t *configuration_attribute_type_names; -typedef struct configuration_attribute_t configuration_attribute_t; - /** * @brief Class representing an IKEv2-CONFIGURATION Attribute. * 
diff --git a/src/charon/encoding/payloads/cp_payload.h b/src/charon/encoding/payloads/cp_payload.h index 3391881eb..1978b69cf 100644 --- a/src/charon/encoding/payloads/cp_payload.h +++ b/src/charon/encoding/payloads/cp_payload.h @@ -24,6 +24,9 @@ #ifndef CP_PAYLOAD_H_ #define CP_PAYLOAD_H_ +typedef enum config_type_t config_type_t; +typedef struct cp_payload_t cp_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/configuration_attribute.h> @@ -36,12 +39,9 @@ */ #define CP_PAYLOAD_HEADER_LENGTH 8 - -typedef enum config_type_t config_type_t; - /** * Config Type of an Configuration Payload. - * + * * @ingroup payloads */ enum config_type_t { @@ -58,9 +58,6 @@ enum config_type_t { */ extern enum_name_t *config_type_names; - -typedef struct cp_payload_t cp_payload_t; - /** * @brief Class representing an IKEv2-CP Payload. * diff --git a/src/charon/encoding/payloads/delete_payload.h b/src/charon/encoding/payloads/delete_payload.h index 4a5af2668..3484f0235 100644 --- a/src/charon/encoding/payloads/delete_payload.h +++ b/src/charon/encoding/payloads/delete_payload.h @@ -24,31 +24,29 @@ #ifndef DELETE_PAYLOAD_H_ #define DELETE_PAYLOAD_H_ +typedef struct delete_payload_t delete_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/proposal_substructure.h> /** * Length of a delete payload without the SPI in bytes. - * + * * @ingroup payloads */ #define DELETE_PAYLOAD_HEADER_LENGTH 8 - - -typedef struct delete_payload_t delete_payload_t; - /** * @brief Class representing an IKEv2 DELETE payload. - * + * * The DELETE payload format is described in RFC section 3.11. - * + * * @b Constructors: * - delete_payload_create() - * + * * @todo Implement better setter/getters - * + * * @ingroup payloads */ struct delete_payload_t { diff --git a/src/charon/encoding/payloads/eap_payload.h b/src/charon/encoding/payloads/eap_payload.h index 6b9322789..17af03d40 100644 
--- a/src/charon/encoding/payloads/eap_payload.h +++ b/src/charon/encoding/payloads/eap_payload.h @@ -24,6 +24,8 @@ #ifndef EAP_PAYLOAD_H_ #define EAP_PAYLOAD_H_ +typedef struct eap_payload_t eap_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> @@ -34,19 +36,16 @@ */ #define EAP_PAYLOAD_HEADER_LENGTH 4 - -typedef struct eap_payload_t eap_payload_t; - /** * @brief Class representing an IKEv2 EAP payload. - * + * * The EAP payload format is described in RFC section 3.16. * * @b Constructors: * - eap_payload_create() - * + * * @todo Implement functionality for this payload - * + * * @ingroup payloads */ struct eap_payload_t { diff --git a/src/charon/encoding/payloads/encodings.h b/src/charon/encoding/payloads/encodings.h index 24dc16fa7..d69de4f1d 100644 --- a/src/charon/encoding/payloads/encodings.h +++ b/src/charon/encoding/payloads/encodings.h @@ -24,11 +24,12 @@ #ifndef ENCODINGS_H_ #define ENCODINGS_H_ -#include <types.h> -#include <definitions.h> +typedef enum encoding_type_t encoding_type_t; +typedef struct encoding_rule_t encoding_rule_t; -typedef enum encoding_type_t encoding_type_t; +#include <types.h> +#include <definitions.h> /** * @brief All different kinds of encoding types. @@ -36,12 +37,12 @@ typedef enum encoding_type_t encoding_type_t; * Each field of an IKEv2-Message (in header or payload) * which has to be parsed or generated differently has its own * type defined here. - * + * * Header is parsed like a payload and gets its one payload_id * from PRIVATE USE space. Also the substructures * of specific payload types get their own payload_id * from PRIVATE_USE space. See IKEv2-Draft for more informations. - * + * * @ingroup payloads */ enum encoding_type_t { @@ -505,9 +506,6 @@ enum encoding_type_t { */ extern enum_name_t *encoding_type_names; - -typedef struct encoding_rule_t encoding_rule_t; - /** * An encoding rule is a mapping of a specific encoding type to * a location in the data struct where the current field is stored to 
diff --git a/src/charon/encoding/payloads/encryption_payload.h b/src/charon/encoding/payloads/encryption_payload.h index 116d6f209..c0b476b73 100644 --- a/src/charon/encoding/payloads/encryption_payload.h +++ b/src/charon/encoding/payloads/encryption_payload.h @@ -23,6 +23,8 @@ #ifndef ENCRYPTION_PAYLOAD_H_ #define ENCRYPTION_PAYLOAD_H_ +typedef struct encryption_payload_t encryption_payload_t; + #include <types.h> #include <crypto/crypters/crypter.h> #include <crypto/signers/signer.h> @@ -37,11 +39,9 @@ #define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4 -typedef struct encryption_payload_t encryption_payload_t; - -/** +/** * @brief The encryption payload as described in RFC section 3.14. - * + * * Before any crypt/decrypt/sign/verify operation can occur, * the transforms must be set. After that, a parsed encryption payload * can be decrypted, which also will parse the contained payloads. @@ -51,10 +51,10 @@ typedef struct encryption_payload_t encryption_payload_t; * must be builded after generation of all payloads and the encryption * of the encryption payload. * Signature verificatin is done before decryption. - * + * * @b Constructors: * - encryption_payload_create() - * + * * @ingroup payloads */ struct encryption_payload_t { diff --git a/src/charon/encoding/payloads/id_payload.h b/src/charon/encoding/payloads/id_payload.h index 1840c1a4c..01c6a4e1d 100644 --- a/src/charon/encoding/payloads/id_payload.h +++ b/src/charon/encoding/payloads/id_payload.h @@ -25,6 +25,8 @@ #ifndef ID_PAYLOAD_H_ #define ID_PAYLOAD_H_ +typedef struct id_payload_t id_payload_t; + #include <types.h> #include <utils/identification.h> #include <encoding/payloads/payload.h> 
@@ -36,18 +38,15 @@ */ #define ID_PAYLOAD_HEADER_LENGTH 8 - -typedef struct id_payload_t id_payload_t; - /** * Object representing an IKEv2 ID payload. - * + * * The ID payload format is described in RFC section 3.5. - * + * * @b Constructors: * - id_payload_create_from_identification() * - id_payload_create() - * + * * @ingroup payloads */ struct id_payload_t { diff --git a/src/charon/encoding/payloads/ike_header.h b/src/charon/encoding/payloads/ike_header.h index 7bb380d43..4cf253f80 100644 --- a/src/charon/encoding/payloads/ike_header.h +++ b/src/charon/encoding/payloads/ike_header.h @@ -24,6 +24,9 @@ #ifndef IKE_HEADER_H_ #define IKE_HEADER_H_ +typedef enum exchange_type_t exchange_type_t; +typedef struct ike_header_t ike_header_t; + #include <types.h> #include <encoding/payloads/payload.h> @@ -55,8 +58,6 @@ */ #define IKE_HEADER_LENGTH 28 -typedef enum exchange_type_t exchange_type_t; - /** * @brief Different types of IKE-Exchanges. * @@ -99,9 +100,6 @@ enum exchange_type_t{ */ extern enum_name_t *exchange_type_names; - -typedef struct ike_header_t ike_header_t; - /** * @brief An object of this type represents an IKEv2 header and is used to * generate and parse IKEv2 headers. diff --git a/src/charon/encoding/payloads/ke_payload.h b/src/charon/encoding/payloads/ke_payload.h index 3af3cce47..18f9dece7 100644 --- a/src/charon/encoding/payloads/ke_payload.h +++ b/src/charon/encoding/payloads/ke_payload.h @@ -24,6 +24,8 @@ #ifndef KE_PAYLOAD_H_ #define KE_PAYLOAD_H_ +typedef struct ke_payload_t ke_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/transform_substructure.h> @@ -37,17 +39,14 @@ */ #define KE_PAYLOAD_HEADER_LENGTH 8 - -typedef struct ke_payload_t ke_payload_t; - /** * @brief Class representing an IKEv2-KE Payload. - * + * * The KE Payload format is described in RFC section 3.4. - * + * * @b Constructors: * - ke_payload_create() - * + * * @ingroup payloads */ struct ke_payload_t { 
diff --git a/src/charon/encoding/payloads/nonce_payload.h b/src/charon/encoding/payloads/nonce_payload.h index db3eec3a0..444110a99 100644 --- a/src/charon/encoding/payloads/nonce_payload.h +++ b/src/charon/encoding/payloads/nonce_payload.h @@ -24,6 +24,8 @@ #ifndef NONCE_PAYLOAD_H_ #define NONCE_PAYLOAD_H_ +typedef struct nonce_payload_t nonce_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> @@ -43,8 +45,6 @@ */ #define NONCE_PAYLOAD_HEADER_LENGTH 4 -typedef struct nonce_payload_t nonce_payload_t; - /** * Object representing an IKEv2 Nonce payload. * diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h index ec6536cdf..df956334b 100644 --- a/src/charon/encoding/payloads/notify_payload.h +++ b/src/charon/encoding/payloads/notify_payload.h @@ -26,6 +26,9 @@ #ifndef NOTIFY_PAYLOAD_H_ #define NOTIFY_PAYLOAD_H_ +typedef enum notify_type_t notify_type_t; +typedef struct notify_payload_t notify_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/proposal_substructure.h> @@ -38,14 +41,11 @@ */ #define NOTIFY_PAYLOAD_HEADER_LENGTH 8 -typedef enum notify_type_t notify_type_t; - - -/** +/** * @brief Notify message types. - * + * * See IKEv2 RFC 3.10.1. - * + * * @ingroup payloads */ enum notify_type_t { @@ -98,8 +98,6 @@ enum notify_type_t { extern enum_name_t *notify_type_names; -typedef struct notify_payload_t notify_payload_t; - /** * @brief Class representing an IKEv2-Notify Payload. * diff --git a/src/charon/encoding/payloads/payload.h b/src/charon/encoding/payloads/payload.h index 30f2cbfda..dfc30542f 100644 --- a/src/charon/encoding/payloads/payload.h +++ b/src/charon/encoding/payloads/payload.h 
@@ -24,19 +24,20 @@ #ifndef PAYLOAD_H_ #define PAYLOAD_H_ +typedef enum payload_type_t payload_type_t; +typedef struct payload_t payload_t; + #include <types.h> #include <definitions.h> #include <encoding/payloads/encodings.h> -typedef enum payload_type_t payload_type_t; - /** * @brief Payload-Types of a IKEv2-Message. - * + * * Header and substructures are also defined as * payload types with values from PRIVATE USE space. - * + * * @ingroup payloads */ enum payload_type_t{ @@ -194,9 +195,6 @@ extern enum_name_t *payload_type_names; */ extern enum_name_t *payload_type_short_names; - -typedef struct payload_t payload_t; - /** * @brief Generic interface for all payload types (incl.header and substructures). * diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h index b9bd0a8b3..f1ce5bc47 100644 --- a/src/charon/encoding/payloads/proposal_substructure.h +++ b/src/charon/encoding/payloads/proposal_substructure.h @@ -24,6 +24,8 @@ #ifndef PROPOSAL_SUBSTRUCTURE_H_ #define PROPOSAL_SUBSTRUCTURE_H_ +typedef struct proposal_substructure_t proposal_substructure_t; + #include <types.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/transform_substructure.h> @@ -38,9 +40,6 @@ */ #define PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH 8 - -typedef struct proposal_substructure_t proposal_substructure_t; - /** * @brief Class representing an IKEv2-PROPOSAL SUBSTRUCTURE. * diff --git a/src/charon/encoding/payloads/sa_payload.h b/src/charon/encoding/payloads/sa_payload.h index ce85dbe85..90ded9a0f 100644 --- a/src/charon/encoding/payloads/sa_payload.h +++ b/src/charon/encoding/payloads/sa_payload.h @@ -24,6 +24,8 @@ #ifndef SA_PAYLOAD_H_ #define SA_PAYLOAD_H_ +typedef struct sa_payload_t sa_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/proposal_substructure.h> 
@@ -36,20 +38,18 @@ */ #define SA_PAYLOAD_HEADER_LENGTH 4 -typedef struct sa_payload_t sa_payload_t; - /** * @brief Class representing an IKEv2-SA Payload. - * + * * The SA Payload format is described in RFC section 3.3. - * + * * @b Constructors: * - sa_payload_create() * - sa_payload_create_from_ike_proposals() * - sa_payload_create_from_proposal() - * + * * @todo Add support of algorithms without specified keylength in get_proposals and get_ike_proposals. - * + * * @ingroup payloads */ struct sa_payload_t { diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.h b/src/charon/encoding/payloads/traffic_selector_substructure.h index 5c19c6cb0..5fc7dced6 100644 --- a/src/charon/encoding/payloads/traffic_selector_substructure.h +++ b/src/charon/encoding/payloads/traffic_selector_substructure.h @@ -25,6 +25,8 @@ #ifndef TRAFFIC_SELECTOR_SUBSTRUCTURE_H_ #define TRAFFIC_SELECTOR_SUBSTRUCTURE_H_ +typedef struct traffic_selector_substructure_t traffic_selector_substructure_t; + #include <types.h> #include <encoding/payloads/payload.h> #include <utils/host.h> @@ -37,8 +39,6 @@ */ #define TRAFFIC_SELECTOR_HEADER_LENGTH 8 -typedef struct traffic_selector_substructure_t traffic_selector_substructure_t; - /** * @brief Class representing an IKEv2 TRAFFIC SELECTOR. * diff --git a/src/charon/encoding/payloads/transform_attribute.h b/src/charon/encoding/payloads/transform_attribute.h index ffc06503c..1588b8f57 100644 --- a/src/charon/encoding/payloads/transform_attribute.h +++ b/src/charon/encoding/payloads/transform_attribute.h @@ -24,12 +24,13 @@ #ifndef TRANSFORM_ATTRIBUTE_H_ #define TRANSFORM_ATTRIBUTE_H_ +typedef enum transform_attribute_type_t transform_attribute_type_t; +typedef struct transform_attribute_t transform_attribute_t; + #include <types.h> #include <encoding/payloads/payload.h> -typedef enum transform_attribute_type_t transform_attribute_type_t; - /** * Type of the attribute, as in IKEv2 RFC 3.3.5. * 
@@ -47,8 +48,6 @@ enum transform_attribute_type_t { */ extern enum_name_t *transform_attribute_type_names; -typedef struct transform_attribute_t transform_attribute_t; - /** * @brief Class representing an IKEv2- TRANSFORM Attribute. * diff --git a/src/charon/encoding/payloads/transform_substructure.h b/src/charon/encoding/payloads/transform_substructure.h index 2811fb960..ee297f826 100644 --- a/src/charon/encoding/payloads/transform_substructure.h +++ b/src/charon/encoding/payloads/transform_substructure.h @@ -24,6 +24,8 @@ #ifndef TRANSFORM_SUBSTRUCTURE_H_ #define TRANSFORM_SUBSTRUCTURE_H_ +typedef struct transform_substructure_t transform_substructure_t; + #include <types.h> #include <definitions.h> #include <encoding/payloads/payload.h> @@ -51,8 +53,6 @@ #define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8 -typedef struct transform_substructure_t transform_substructure_t; - /** * @brief Class representing an IKEv2- TRANSFORM SUBSTRUCTURE. * diff --git a/src/charon/encoding/payloads/ts_payload.h b/src/charon/encoding/payloads/ts_payload.h index a8c5a38a3..a5595c98a 100644 --- a/src/charon/encoding/payloads/ts_payload.h +++ b/src/charon/encoding/payloads/ts_payload.h @@ -25,6 +25,8 @@ #ifndef TS_PAYLOAD_H_ #define TS_PAYLOAD_H_ +typedef struct ts_payload_t ts_payload_t; + #include <types.h> #include <utils/linked_list.h> #include <config/traffic_selector.h> @@ -39,17 +41,15 @@ #define TS_PAYLOAD_HEADER_LENGTH 8 -typedef struct ts_payload_t ts_payload_t; - /** * @brief Class representing an IKEv2 TS payload. - * + * * The TS payload format is described in RFC section 3.13. - * + * * @b Constructors: * - ts_payload_create() * - ts_payload_create_from_traffic_selectors() - * + * * @ingroup payloads */ struct ts_payload_t { diff --git a/src/charon/encoding/payloads/unknown_payload.h b/src/charon/encoding/payloads/unknown_payload.h index 5279773c5..23cf421a6 100644 --- a/src/charon/encoding/payloads/unknown_payload.h +++ b/src/charon/encoding/payloads/unknown_payload.h 
@@ -24,6 +24,8 @@ #ifndef UNKNOWN_PAYLOAD_H_ #define UNKNOWN_PAYLOAD_H_ +typedef struct unknown_payload_t unknown_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> @@ -34,19 +36,16 @@ */ #define UNKNOWN_PAYLOAD_HEADER_LENGTH 4 - -typedef struct unknown_payload_t unknown_payload_t; - /** * @brief Payload which can't be processed further. - * + * * When the parser finds an unknown payload, he builds an instance of * this class. This allows further processing of this payload, such as * a check for the critical bit in the header. - * + * * @b Constructors: * - unknown_payload_create() - * + * * @ingroup payloads */ struct unknown_payload_t { diff --git a/src/charon/encoding/payloads/vendor_id_payload.h b/src/charon/encoding/payloads/vendor_id_payload.h index 415313c90..8972eaa03 100644 --- a/src/charon/encoding/payloads/vendor_id_payload.h +++ b/src/charon/encoding/payloads/vendor_id_payload.h @@ -24,6 +24,8 @@ #ifndef VENDOR_ID_PAYLOAD_H_ #define VENDOR_ID_PAYLOAD_H_ +typedef struct vendor_id_payload_t vendor_id_payload_t; + #include <types.h> #include <encoding/payloads/payload.h> @@ -35,16 +37,14 @@ #define VENDOR_ID_PAYLOAD_HEADER_LENGTH 4 -typedef struct vendor_id_payload_t vendor_id_payload_t; - /** * @brief Class representing an IKEv2 VENDOR ID payload. - * + * * The VENDOR ID payload format is described in RFC section 3.12. - * + * * @b Constructors: * - vendor_id_payload_create() - * + * * @ingroup payloads */ struct vendor_id_payload_t { diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h index 790233cf2..0736e8562 100644 --- a/src/charon/network/packet.h +++ b/src/charon/network/packet.h 
@@ -20,23 +20,21 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ - + #ifndef PACKET_H_ #define PACKET_H_ +typedef struct packet_t packet_t; #include <types.h> #include <utils/host.h> - -typedef struct packet_t packet_t; - /** * @brief Abstraction of an UDP-Packet, contains data, sender and receiver. - * + * * @b Constructors: * - packet_create() - * + * * @ingroup network */ struct packet_t { diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h index 431d9f2eb..a6437c86e 100644 --- a/src/charon/network/socket.h +++ b/src/charon/network/socket.h @@ -25,25 +25,22 @@ #ifndef SOCKET_H_ #define SOCKET_H_ +typedef struct socket_t socket_t; #include <types.h> #include <network/packet.h> #include <utils/host.h> #include <utils/linked_list.h> - /** * @brief Maximum size of a packet. - * + * * 3000 Bytes should be sufficient, see IKEv2 RFC. - * + * * @ingroup network */ #define MAX_PACKET 3000 - -typedef struct socket_t socket_t; - /** * @brief Abstraction of all sockets (IPv6/IPv6 send/receive). * diff --git a/src/charon/queues/event_queue.h b/src/charon/queues/event_queue.h index 9c7c30254..583fb2f1f 100644 --- a/src/charon/queues/event_queue.h +++ b/src/charon/queues/event_queue.h @@ -24,13 +24,13 @@ #ifndef EVENT_QUEUE_H_ #define EVENT_QUEUE_H_ +typedef struct event_queue_t event_queue_t; + #include <sys/time.h> #include <types.h> #include <queues/jobs/job.h> -typedef struct event_queue_t event_queue_t; - /** * @brief Event-Queue used to store timed events. * diff --git a/src/charon/queues/job_queue.h b/src/charon/queues/job_queue.h index 48e6bdc1c..8dd542e95 100644 --- a/src/charon/queues/job_queue.h +++ b/src/charon/queues/job_queue.h 
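Review bot: In packet.h and socket.h the added `typedef struct packet_t packet_t;` and `typedef struct socket_t socket_t;` are immediately followed by `#include <types.h>` with no separating blank line, whereas every other header touched by this diff sets the forward typedef block off with a blank line before the includes. Keeping the two files consistent with the rest is a one-line change in each: `typedef struct packet_t packet_t;`, an empty line, then `#include <types.h>` (and likewise for socket_t). This is purely a layout point; the declarations themselves are fine.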
@@ -24,11 +24,11 @@ #ifndef JOB_QUEUE_H_ #define JOB_QUEUE_H_ +typedef struct job_queue_t job_queue_t; + #include <types.h> #include <queues/jobs/job.h> -typedef struct job_queue_t job_queue_t; - /** * @brief The job queue stores jobs, which will be processed by the thread_pool_t. * diff --git a/src/charon/queues/jobs/acquire_job.h b/src/charon/queues/jobs/acquire_job.h index d607c91f8..5a59c38a2 100644 --- a/src/charon/queues/jobs/acquire_job.h +++ b/src/charon/queues/jobs/acquire_job.h @@ -23,12 +23,11 @@ #ifndef ACQUIRE_JOB_H_ #define ACQUIRE_JOB_H_ +typedef struct acquire_job_t acquire_job_t; + #include <types.h> #include <queues/jobs/job.h> - -typedef struct acquire_job_t acquire_job_t; - /** * @brief Class representing an ACQUIRE Job. * diff --git a/src/charon/queues/jobs/delete_child_sa_job.h b/src/charon/queues/jobs/delete_child_sa_job.h index fb87440c4..99e042f7a 100644 --- a/src/charon/queues/jobs/delete_child_sa_job.h +++ b/src/charon/queues/jobs/delete_child_sa_job.h @@ -19,18 +19,18 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ - + #ifndef DELETE_CHILD_SA_JOB_H_ #define DELETE_CHILD_SA_JOB_H_ +typedef struct delete_child_sa_job_t delete_child_sa_job_t; + #include <types.h> #include <sa/ike_sa_id.h> #include <queues/jobs/job.h> #include <config/proposal.h> -typedef struct delete_child_sa_job_t delete_child_sa_job_t; - /** * @brief Class representing an DELETE_CHILD_SA Job. * diff --git a/src/charon/queues/jobs/delete_ike_sa_job.h b/src/charon/queues/jobs/delete_ike_sa_job.h index 8ef68b1c6..5857e9937 100644 --- a/src/charon/queues/jobs/delete_ike_sa_job.h +++ b/src/charon/queues/jobs/delete_ike_sa_job.h 
@@ -24,23 +24,23 @@ #ifndef DELETE_IKE_SA_JOB_H_ #define DELETE_IKE_SA_JOB_H_ +typedef struct delete_ike_sa_job_t delete_ike_sa_job_t; + #include <types.h> #include <sa/ike_sa_id.h> #include <queues/jobs/job.h> -typedef struct delete_ike_sa_job_t delete_ike_sa_job_t; - /** * @brief Class representing an DELETE_IKE_SA Job. - * + * * This job is responsible for deleting established or half open IKE_SAs. * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED * state. - * + * * @b Constructors: * - delete_ike_sa_job_create() - * + * * @ingroup jobs */ struct delete_ike_sa_job_t { diff --git a/src/charon/queues/jobs/incoming_packet_job.h b/src/charon/queues/jobs/incoming_packet_job.h index 2ed0e50cf..9228d2e7d 100644 --- a/src/charon/queues/jobs/incoming_packet_job.h +++ b/src/charon/queues/jobs/incoming_packet_job.h @@ -24,22 +24,21 @@ #ifndef INCOMING_PACKET_JOB_H_ #define INCOMING_PACKET_JOB_H_ +typedef struct incoming_packet_job_t incoming_packet_job_t; + #include <types.h> #include <network/packet.h> #include <queues/jobs/job.h> - -typedef struct incoming_packet_job_t incoming_packet_job_t; - /** * @brief Class representing an INCOMING_PACKET Job. - * + * * An incoming pack job is created from the receiver, which has * read a packet to process from the socket. - * + * * @b Constructors: * - incoming_packet_job_create() - * + * * @ingroup jobs */ struct incoming_packet_job_t { diff --git a/src/charon/queues/jobs/initiate_job.h b/src/charon/queues/jobs/initiate_job.h index cb6acf39d..677150508 100644 --- a/src/charon/queues/jobs/initiate_job.h +++ b/src/charon/queues/jobs/initiate_job.h @@ -23,14 +23,13 @@ #ifndef INITIATE_IKE_SA_JOB_H_ #define INITIATE_IKE_SA_JOB_H_ +typedef struct initiate_job_t initiate_job_t; + #include <types.h> #include <queues/jobs/job.h> #include <config/connections/connection.h> #include <config/policies/policy.h> - -typedef struct initiate_job_t initiate_job_t; - /** * @brief Class representing an INITIATE_IKE_SA Job. * 
diff --git a/src/charon/queues/jobs/job.h b/src/charon/queues/jobs/job.h index 523c416ec..aa29797c0 100644 --- a/src/charon/queues/jobs/job.h +++ b/src/charon/queues/jobs/job.h @@ -24,15 +24,15 @@ #ifndef JOB_H_ #define JOB_H_ +typedef enum job_type_t job_type_t; +typedef struct job_t job_t; + #include <types.h> #include <definitions.h> - -typedef enum job_type_t job_type_t; - /** * @brief Definition of the various job types. - * + * * @ingroup jobs */ enum job_type_t { @@ -122,8 +122,6 @@ enum job_type_t { extern enum_name_t *job_type_names; -typedef struct job_t job_t; - /** * @brief Job-Interface as it is stored in the job queue. * diff --git a/src/charon/queues/jobs/rekey_child_sa_job.h b/src/charon/queues/jobs/rekey_child_sa_job.h index 72d75d1e7..4aacf57c1 100644 --- a/src/charon/queues/jobs/rekey_child_sa_job.h +++ b/src/charon/queues/jobs/rekey_child_sa_job.h @@ -23,22 +23,21 @@ #ifndef REKEY_CHILD_SA_JOB_H_ #define REKEY_CHILD_SA_JOB_H_ +typedef struct rekey_child_sa_job_t rekey_child_sa_job_t; + #include <types.h> #include <sa/ike_sa_id.h> #include <queues/jobs/job.h> #include <config/proposal.h> - -typedef struct rekey_child_sa_job_t rekey_child_sa_job_t; - /** * @brief Class representing an REKEY_CHILD_SA Job. - * + * * This job initiates the rekeying of a CHILD SA. - * + * * @b Constructors: * - rekey_child_sa_job_create() - * + * * @ingroup jobs */ struct rekey_child_sa_job_t { diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.h b/src/charon/queues/jobs/rekey_ike_sa_job.h index 1fb3fb691..b1fdb3303 100644 --- a/src/charon/queues/jobs/rekey_ike_sa_job.h +++ b/src/charon/queues/jobs/rekey_ike_sa_job.h @@ -23,13 +23,12 @@ #ifndef REKEY_IKE_SA_JOB_H_ #define REKEY_IKE_SA_JOB_H_ +typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t; + #include <types.h> #include <sa/ike_sa_id.h> #include <queues/jobs/job.h> - -typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t; - /** * @brief Class representing an REKEY_IKE_SA Job. * 
diff --git a/src/charon/queues/jobs/retransmit_request_job.h b/src/charon/queues/jobs/retransmit_request_job.h index eb119ba96..c57a870ab 100644 --- a/src/charon/queues/jobs/retransmit_request_job.h +++ b/src/charon/queues/jobs/retransmit_request_job.h @@ -24,23 +24,22 @@ #ifndef RESEND_MESSAGE_JOB_H_ #define RESEND_MESSAGE_JOB_H_ +typedef struct retransmit_request_job_t retransmit_request_job_t; + #include <types.h> #include <queues/jobs/job.h> #include <sa/ike_sa_id.h> - -typedef struct retransmit_request_job_t retransmit_request_job_t; - /** * @brief Class representing an RETRANSMIT_REQUEST Job. - * + * * This job is scheduled every time a request is sent over the * wire. If the response to the request is not received at schedule * time, the retransmission will be initiated. - * + * * @b Constructors: * - retransmit_request_job_create() - * + * * @ingroup jobs */ struct retransmit_request_job_t { diff --git a/src/charon/queues/jobs/route_job.h b/src/charon/queues/jobs/route_job.h index df2648ae2..ad7b48b95 100644 --- a/src/charon/queues/jobs/route_job.h +++ b/src/charon/queues/jobs/route_job.h @@ -22,20 +22,19 @@ #ifndef ROUTE_JOB_H_ #define ROUTE_JOB_H_ +typedef struct route_job_t route_job_t; + #include <types.h> #include <queues/jobs/job.h> #include <config/policies/policy.h> #include <config/connections/connection.h> - -typedef struct route_job_t route_job_t; - /** * @brief Class representing an ROUTE Job. - * + * * @b Constructors: * - route_job_create() - * + * * @ingroup jobs */ struct route_job_t { diff --git a/src/charon/queues/jobs/send_dpd_job.h b/src/charon/queues/jobs/send_dpd_job.h index 31758b05e..fb1757471 100644 --- a/src/charon/queues/jobs/send_dpd_job.h +++ b/src/charon/queues/jobs/send_dpd_job.h 
@@ -22,14 +22,13 @@ #ifndef SEND_DPD_JOB_H_ #define SEND_DPD_JOB_H_ +typedef struct send_dpd_job_t send_dpd_job_t; + #include <types.h> #include <queues/jobs/job.h> #include <config/connections/connection.h> #include <sa/ike_sa_id.h> - -typedef struct send_dpd_job_t send_dpd_job_t; - /** * @brief Class representing a SEND_DPD Job. * diff --git a/src/charon/queues/jobs/send_keepalive_job.h b/src/charon/queues/jobs/send_keepalive_job.h index 4c217309f..1bb7afd7a 100644 --- a/src/charon/queues/jobs/send_keepalive_job.h +++ b/src/charon/queues/jobs/send_keepalive_job.h @@ -22,14 +22,13 @@ #ifndef SEND_KEEPALIVE_JOB_H_ #define SEND_KEEPALIVE_JOB_H_ +typedef struct send_keepalive_job_t send_keepalive_job_t; + #include <types.h> #include <queues/jobs/job.h> #include <config/connections/connection.h> #include <sa/ike_sa_id.h> - -typedef struct send_keepalive_job_t send_keepalive_job_t; - /** * @brief Class representing a SEND_KEEPALIVE Job. * diff --git a/src/charon/queues/send_queue.h b/src/charon/queues/send_queue.h index 5b8a02e3c..8043f1758 100644 --- a/src/charon/queues/send_queue.h +++ b/src/charon/queues/send_queue.h @@ -24,12 +24,11 @@ #ifndef SEND_QUEUE_H_ #define SEND_QUEUE_H_ +typedef struct send_queue_t send_queue_t; + #include <types.h> #include <network/packet.h> - -typedef struct send_queue_t send_queue_t; - /** * @brief The send queue stores packet for the sender_t instance. * diff --git a/src/charon/sa/authenticator.c b/src/charon/sa/authenticator.c deleted file mode 100644 index b9b9d0057..000000000 --- a/src/charon/sa/authenticator.c +++ /dev/null 
@@ -1,356 +0,0 @@ -/** - * @file authenticator.c - * - * @brief Implementation of authenticator_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <string.h> - -#include "authenticator.h" - -#include <config/policies/policy.h> -#include <daemon.h> - -/** - * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE. - */ -#define IKEV2_KEY_PAD "Key Pad for IKEv2" - - -typedef struct private_authenticator_t private_authenticator_t; - -/** - * Private data of an authenticator_t object. - */ -struct private_authenticator_t { - - /** - * Public authenticator_t interface. - */ - authenticator_t public; - - /** - * Assigned IKE_SA - */ - ike_sa_t *ike_sa; - - /** - * auth_method to create own signature/mac/whatever.. - */ - auth_method_t auth_method; - - /** - * PRF taken from the IKE_SA. 
- */ - prf_t *prf; -}; - -/** - * Builds the octets to be signed (RSA or PSK) as described in section 2.15 of RFC 4306 - */ -static chunk_t build_tbs_octets(private_authenticator_t *this, - chunk_t last_message, - chunk_t other_nonce, - identification_t *id, - bool initiator) -{ - prf_t *prf; - - chunk_t id_encoding = id->get_encoding(id); - u_int8_t id_with_header[4 + id_encoding.len]; - chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header)}; - - u_int8_t *current_pos; - chunk_t octets; - - id_with_header[0] = id->get_type(id); - id_with_header[1] = 0x00; - id_with_header[2] = 0x00; - id_with_header[3] = 0x00; - memcpy(id_with_header + 4, id_encoding.ptr, id_encoding.len); - - if (initiator) - { - prf = this->ike_sa->get_prf_auth_i(this->ike_sa); - } - else - { - prf = this->ike_sa->get_prf_auth_r(this->ike_sa); - } - - /* 4 bytes are id type and reserved fields of id payload */ - octets.len = last_message.len + other_nonce.len + prf->get_block_size(prf); - octets.ptr = malloc(octets.len); - current_pos = octets.ptr; - memcpy(current_pos, last_message.ptr, last_message.len); - current_pos += last_message.len; - memcpy(current_pos, other_nonce.ptr, other_nonce.len); - current_pos += other_nonce.len; - prf->get_bytes(prf, id_with_header_chunk, current_pos); - - return octets; -} - -/** - * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE. 
- */ -static chunk_t build_shared_key_signature(private_authenticator_t *this, - chunk_t last_message, - chunk_t nonce, - identification_t *id, - bool initiator, - chunk_t secret) -{ - chunk_t key_pad = {ptr: IKEV2_KEY_PAD, len:strlen(IKEV2_KEY_PAD)}; - u_int8_t key_buffer[this->prf->get_block_size(this->prf)]; - chunk_t key = {ptr: key_buffer, len: sizeof(key_buffer)}; - chunk_t auth_data; - - chunk_t octets = build_tbs_octets(this, last_message, nonce, id, initiator); - - /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */ - this->prf->set_key(this->prf, secret); - this->prf->get_bytes(this->prf, key_pad, key_buffer); - this->prf->set_key(this->prf, key); - this->prf->allocate_bytes(this->prf, octets, &auth_data); - DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets); - DBG3(DBG_IKE, "secret %B", &secret); - DBG3(DBG_IKE, "keypad %B", &key_pad); - DBG3(DBG_IKE, "prf(secret, keypad) %B", &key); - DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data); - chunk_free(&octets); - - return auth_data; -} - -/** - * Implementation of authenticator_t.verify_auth_data. 
- */ -static status_t verify_auth_data (private_authenticator_t *this, - auth_payload_t *auth_payload, - chunk_t last_received_packet, - chunk_t my_nonce, - identification_t *my_id, - identification_t *other_id, - bool initiator) -{ - status_t status; - chunk_t auth_data = auth_payload->get_data(auth_payload); - auth_method_t auth_method = auth_payload->get_auth_method(auth_payload); - - switch (auth_method) - { - case SHARED_KEY_MESSAGE_INTEGRITY_CODE: - { - chunk_t shared_key; - chunk_t my_auth_data; - - status = charon->credentials->get_shared_key(charon->credentials, - my_id, - other_id, - &shared_key); - if (status != SUCCESS) - { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", - my_id, other_id); - chunk_free(&shared_key); - break; - } - - my_auth_data = build_shared_key_signature(this, last_received_packet, - my_nonce, other_id, - initiator, shared_key); - chunk_free(&shared_key); - - - status = (auth_data.len == my_auth_data.len && - memeq(auth_data.ptr, my_auth_data.ptr, my_auth_data.len)) - ? SUCCESS : FAILED; - chunk_free(&my_auth_data); - break; - } - case RSA_DIGITAL_SIGNATURE: - { - chunk_t octets; - - rsa_public_key_t *public_key = - charon->credentials->get_trusted_public_key(charon->credentials, other_id); - - if (public_key == NULL) - { - DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id); - status = NOT_FOUND; - break; - } - - octets = build_tbs_octets(this, last_received_packet, my_nonce, - other_id, initiator); - status = public_key->verify_emsa_pkcs1_signature(public_key, octets, - auth_data); - chunk_free(&octets); - break; - } - default: - { - return NOT_SUPPORTED; - } - } - - if (status == SUCCESS) - { - DBG1(DBG_IKE, "authentication of '%D' with %N successful", - other_id, auth_method_names, auth_method); - } - - return status; -} - -/** - * Implementation of authenticator_t.compute_auth_data. 
- */ -static status_t compute_auth_data (private_authenticator_t *this, - auth_payload_t **auth_payload, - chunk_t last_sent_packet, - chunk_t other_nonce, - identification_t *my_id, - identification_t *other_id, - bool initiator) -{ - DBG1(DBG_IKE, "authentication of '%D' with %N (myself)", - my_id, auth_method_names, this->auth_method); - - switch (this->auth_method) - { - case SHARED_KEY_MESSAGE_INTEGRITY_CODE: - { - chunk_t shared_key; - chunk_t auth_data; - - status_t status = charon->credentials->get_shared_key(charon->credentials, - my_id, - other_id, - &shared_key); - - if (status != SUCCESS) - { - DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", - my_id, other_id); - return status; - } - - auth_data = build_shared_key_signature(this, last_sent_packet, - other_nonce, my_id, - initiator, shared_key); - chunk_free(&shared_key); - *auth_payload = auth_payload_create(); - (*auth_payload)->set_auth_method(*auth_payload, - SHARED_KEY_MESSAGE_INTEGRITY_CODE); - (*auth_payload)->set_data(*auth_payload, auth_data); - - chunk_free(&auth_data); - return SUCCESS; - } - case RSA_DIGITAL_SIGNATURE: - { - chunk_t chunk; - chunk_t octets; - chunk_t auth_data; - status_t status; - rsa_public_key_t *my_pubkey; - rsa_private_key_t *my_key; - - DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'", - my_id); - - my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id); - if (my_pubkey == NULL) - { - DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id); - return NOT_FOUND; - } - DBG2(DBG_IKE, "matching RSA public key found"); - - chunk = my_pubkey->get_keyid(my_pubkey); - DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk); - - my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey); - if (my_key == NULL) - { - DBG1(DBG_IKE, "no RSA private key found with for %D with keyid %#B", - my_id, &chunk); - return NOT_FOUND; - } - DBG2(DBG_IKE, "matching RSA private key found"); - - octets = 
build_tbs_octets(this, last_sent_packet, other_nonce, - my_id, initiator); - status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, - octets, &auth_data); - chunk_free(&octets); - - if (status != SUCCESS) - { - my_key->destroy(my_key); - return status; - } - DBG2(DBG_IKE, "successfully signed with RSA private key"); - - *auth_payload = auth_payload_create(); - (*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE); - (*auth_payload)->set_data(*auth_payload, auth_data); - - my_key->destroy(my_key); - chunk_free(&auth_data); - return SUCCESS; - } - default: - { - return NOT_SUPPORTED; - } - } -} - -/** - * Implementation of authenticator_t.destroy. - */ -static void destroy (private_authenticator_t *this) -{ - free(this); -} - -/* - * Described in header. - */ -authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method) -{ - private_authenticator_t *this = malloc_thing(private_authenticator_t); - - /* Public functions */ - this->public.destroy = (void(*)(authenticator_t*))destroy; - this->public.verify_auth_data = (status_t (*) (authenticator_t*,auth_payload_t*,chunk_t,chunk_t,identification_t*,identification_t*,bool)) verify_auth_data; - this->public.compute_auth_data = (status_t (*) (authenticator_t*,auth_payload_t**,chunk_t,chunk_t,identification_t*,identification_t*,bool)) compute_auth_data; - - /* private data */ - this->ike_sa = ike_sa; - this->auth_method = auth_method; - this->prf = this->ike_sa->get_prf(this->ike_sa); - - return &(this->public); -} diff --git a/src/charon/sa/authenticator.h b/src/charon/sa/authenticator.h deleted file mode 100644 index 4fb776619..000000000 --- a/src/charon/sa/authenticator.h +++ /dev/null 
@@ -1,137 +0,0 @@ -/** - * @file authenticator.h - * - * @brief Interface of authenticator_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef AUTHENTICATOR_H_ -#define AUTHENTICATOR_H_ - -#include <types.h> -#include <sa/ike_sa.h> -#include <network/packet.h> -#include <encoding/payloads/auth_payload.h> -#include <encoding/payloads/id_payload.h> - - -typedef struct authenticator_t authenticator_t; - -/** - * @brief Class used to authenticate a peer. - * - * Currently the following two AUTH methods are supported: - * - SHARED_KEY_MESSAGE_INTEGRITY_CODE - * - RSA_DIGITAL_SIGNATURE - * - * This class retrieves needed data for specific AUTH methods (RSA keys, shared secrets, etc.) - * over an internal stored protected_ike_sa_t object or directly from the configuration_t over - * the daemon_t object "charon". - * - * @b Constructors: - * - authenticator_create() - * - * @ingroup sa - */ -struct authenticator_t { - - /** - * @brief Verify's given authentication data. 
- * - * To verify a received AUTH payload the following data must be provided: - * - the last received IKEv2 Message from the other peer in binary form - * - the nonce value sent to the other peer - * - the ID payload of the other peer - * - * @param this calling object - * @param last_received_packet binary representation of the last received IKEv2-Message - * @param my_nonce the sent nonce (without payload header) - * @param my_id my ID - * @param other_id peer ID - * @param initiator type of peer. TRUE, if it is original initiator, FALSE otherwise - * - * @todo Document RSA error status types - * - * @return - * - SUCCESS if verification successful - * - FAILED if verification failed - * - NOT_SUPPORTED if AUTH method not supported - * - NOT_FOUND if the data for specific AUTH method could not be found - * (e.g. shared secret, rsa key) - */ - status_t (*verify_auth_data) (authenticator_t *this, - auth_payload_t *auth_payload, - chunk_t last_received_packet, - chunk_t my_nonce, - identification_t *my_id, - identification_t *other_id, - bool initiator); - - /** - * @brief Computes authentication data and creates specific AUTH payload. - * - * To create an AUTH payload, the following data must be provided: - * - the last sent IKEv2 Message in binary form - * - the nonce value received from the other peer - * - the ID payload of myself - * - * @param this calling object - * @param[out] auth_payload The object of typee auth_payload_t will be created at pointing location - * @param last_sent_packet binary representation of the last sent IKEv2-Message - * @param other_nonce the received nonce (without payload header) - * @param my_id my ID - * @param other_id peer ID - * @param initiator type of myself. 
TRUE, if I'm original initiator, FALSE otherwise - * - * @todo Document RSA error status types - * - * @return - * - SUCCESS if authentication data could be computed - * - NOT_SUPPORTED if AUTH method not supported - * - NOT_FOUND if the data for AUTH method could not be found - */ - status_t (*compute_auth_data) (authenticator_t *this, - auth_payload_t **auth_payload, - chunk_t last_sent_packet, - chunk_t other_nonce, - identification_t *my_id, - identification_t *other_id, - bool initiator); - - /** - * @brief Destroys a authenticator_t object. - * - * @param this calling object - */ - void (*destroy) (authenticator_t *this); -}; - -/** - * @brief Creates an authenticator object. - * - * @param ike_sa associated ike_sa - * @param auth_method authentication method to use for own signature/mac - * - * @return authenticator_t object - * - * @ingroup sa - */ -authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method); - -#endif /* AUTHENTICATOR_H_ */ diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c new file mode 100644 index 000000000..2460181f9 --- /dev/null +++ b/src/charon/sa/authenticators/authenticator.c 
@@ -0,0 +1,53 @@
+/**
+ * @file authenticator.c
+ *
+ * @brief Generic constructor for authenticators.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "authenticator.h"
+
+#include <sa/authenticators/rsa_authenticator.h>
+#include <sa/authenticators/psk_authenticator.h>
+
+
+ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
+ "RSA signature",
+ "pre-shared key",
+ "DSS signature");
+ENUM_NEXT(auth_method_names, AUTH_EAP, AUTH_EAP, AUTH_DSS,
+ "EAP");
+ENUM_END(auth_method_names, AUTH_EAP);
+
+/*
+ * Described in header.
+ */
+authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method)
+{
+ switch (auth_method)
+ {
+ case AUTH_RSA:
+ return (authenticator_t*)rsa_authenticator_create(ike_sa);
+ case AUTH_PSK:
+ return (authenticator_t*)psk_authenticator_create(ike_sa);
+ default:
+ return NULL;
+ }
+}
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
new file mode 100644
index 000000000..b1645c21c
--- /dev/null
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -0,0 +1,139 @@ +/** + * @file authenticator.h + * + * @brief Interface of authenticator_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef AUTHENTICATOR_H_ +#define AUTHENTICATOR_H_ + +typedef enum auth_method_t auth_method_t; +typedef struct authenticator_t authenticator_t; + +#include <types.h> +#include <sa/ike_sa.h> +#include <encoding/payloads/auth_payload.h> + +/** + * Method to use for authentication. + * + * @ingroup authenticator + */ +enum auth_method_t { + /** + * Computed as specified in section 2.15 of RFC using + * an RSA private key over a PKCS#1 padded hash. + */ + AUTH_RSA = 1, + + /** + * Computed as specified in section 2.15 of RFC using the + * shared key associated with the identity in the ID payload + * and the negotiated prf function + */ + AUTH_PSK = 2, + + /** + * Computed as specified in section 2.15 of RFC using a + * DSS private key over a SHA-1 hash. + */ + AUTH_DSS = 3, + + /** + * EAP authentication. This value is never negotiated and therefore + * a value from private use. + */ + AUTH_EAP = 201, +}; + +/** + * enum names for auth_method_t. + * + * @ingroup authenticator + */ +extern enum_name_t *auth_method_names; + +/** + * @brief Authenticator interface implemented by the various authenticators. 
+ * + * Currently the following two AUTH methods are supported: + * - shared key message integrity code (AUTH_PSK) + * - RSA digital signature (AUTH_RSA) + * + * @b Constructors: + * - authenticator_create() + * + * @ingroup authenticator + */ +struct authenticator_t { + + /** + * @brief Verify a received authentication payload. + * + * @param this calling object + * @param ike_sa_init binary representation of received ike_sa_init + * @param my_nonce the sent nonce + * @param auth_payload authentication payload to verify + * + * @return + * - SUCCESS, + * - FAILED if verification failed + * - INVALID_ARG if auth_method does not match + * - NOT_FOUND if credentials not found + */ + status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init, + chunk_t my_nonce, auth_payload_t *auth_payload); + + /** + * @brief Build an authentication payload to send to the other peer. + * + * @param this calling object + * @param ike_sa_init binary representation of sent ike_sa_init + * @param other_nonce the received nonce + * @param[out] auth_payload the resulting authentication payload + * + * @return + * - SUCCESS, + * - NOT_FOUND if the data for AUTH method could not be found + */ + status_t (*build) (authenticator_t *this, chunk_t ike_sa_init, + chunk_t other_nonce, auth_payload_t **auth_payload); + + /** + * @brief Destroys a authenticator_t object. + * + * @param this calling object + */ + void (*destroy) (authenticator_t *this); +}; + +/** + * @brief Creates an authenticator for the specified auth method. + * + * @param ike_sa associated ike_sa + * @param auth_method authentication method to use for build()/verify() + * + * @return authenticator_t object + * + * @ingroup sa + */ +authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method); + +#endif /* AUTHENTICATOR_H_ */ diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c new file mode 100644 index 000000000..b3f49eff1 --- /dev/null 
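Review bot: The documentation of `authenticator_create()` at the end of this header promises an `authenticator_t object`, but the implementation in authenticator.c returns NULL for AUTH_DSS, AUTH_EAP and any unknown method, so a caller that trusts the comment will dereference NULL. I would change the tag to `@return authenticator_t object, NULL if auth_method is not supported` and add a sentence to the `AUTH_DSS` enumerator noting that it is named in `auth_method_names` but has no authenticator behind it. The same function is tagged `@ingroup sa` while everything else in the file is `@ingroup authenticator`; using `@ingroup authenticator` keeps the Doxygen grouping consistent.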
+++ b/src/charon/sa/authenticators/psk_authenticator.c 
@@ -0,0 +1,193 @@ +/** + * @file authenticator.c + * + * @brief Implementation of authenticator_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <string.h> + +#include "psk_authenticator.h" + +#include <config/policies/policy.h> +#include <daemon.h> + +/** + * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE. + */ +#define IKEV2_KEY_PAD "Key Pad for IKEv2" +#define IKEV2_KEY_PAD_LENGTH 17 + + +typedef struct private_psk_authenticator_t private_psk_authenticator_t; + +/** + * Private data of an psk_authenticator_t object. + */ +struct private_psk_authenticator_t { + + /** + * Public authenticator_t interface. + */ + psk_authenticator_t public; + + /** + * Assigned IKE_SA + */ + ike_sa_t *ike_sa; +}; + +/** + * Function implemented in rsa_authenticator.c + */ +extern chunk_t build_tbs_octets(private_psk_authenticator_t *this, chunk_t ike_sa_init, + chunk_t nonce, identification_t *id, prf_t *prf); + +/** + * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE. 
+ */ +static chunk_t build_shared_key_signature(private_psk_authenticator_t *this, + chunk_t ike_sa_init, + chunk_t nonce, + chunk_t secret, + identification_t *id, + prf_t *prf) +{ + chunk_t key_pad, key, auth_data, octets; + + octets = build_tbs_octets(this, ike_sa_init, nonce, id, prf); + /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */ + key_pad.ptr = IKEV2_KEY_PAD; + key_pad.len = IKEV2_KEY_PAD_LENGTH; + prf->set_key(prf, secret); + prf->allocate_bytes(prf, key_pad, &key); + prf->set_key(prf, key); + prf->allocate_bytes(prf, octets, &auth_data); + DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets); + DBG3(DBG_IKE, "secret %B", &secret); + DBG3(DBG_IKE, "keypad %B", &key_pad); + DBG3(DBG_IKE, "prf(secret, keypad) %B", &key); + DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data); + chunk_free(&octets); + chunk_free(&key); + + return auth_data; +} + +/** + * Implementation of authenticator_t.verify. + */ +static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init, + chunk_t my_nonce, auth_payload_t *auth_payload) +{ + status_t status; + chunk_t auth_data, recv_auth_data, shared_key; + identification_t *my_id, *other_id; + + my_id = this->ike_sa->get_my_id(this->ike_sa); + other_id = this->ike_sa->get_other_id(this->ike_sa); + status = charon->credentials->get_shared_key(charon->credentials, my_id, + other_id, &shared_key); + if (status != SUCCESS) + { + DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); + return status; + } + + auth_data = build_shared_key_signature(this, ike_sa_init, my_nonce, + shared_key, other_id, + this->ike_sa->get_auth_verify(this->ike_sa)); + chunk_free(&shared_key); + + recv_auth_data = auth_payload->get_data(auth_payload); + if (auth_data.len != recv_auth_data.len || + !memeq(auth_data.ptr, recv_auth_data.ptr, auth_data.len)) + { + DBG1(DBG_IKE, "PSK MAC verification failed"); + chunk_free(&auth_data); + return FAILED; + } + 
chunk_free(&auth_data); + + DBG1(DBG_IKE, "authentication of '%D' with %N successful", + other_id, auth_method_names, AUTH_PSK); + return SUCCESS; +} + +/** + * Implementation of authenticator_t.build. + */ +static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init, + chunk_t other_nonce, auth_payload_t **auth_payload) +{ + chunk_t shared_key; + chunk_t auth_data; + status_t status; + identification_t *my_id, *other_id; + + my_id = this->ike_sa->get_my_id(this->ike_sa); + other_id = this->ike_sa->get_other_id(this->ike_sa); + DBG1(DBG_IKE, "authentication of '%D' (myself) with %N", + my_id, auth_method_names, AUTH_PSK); + status = charon->credentials->get_shared_key(charon->credentials, my_id, + other_id, &shared_key); + if (status != SUCCESS) + { + DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); + return status; + } + + auth_data = build_shared_key_signature(this, ike_sa_init, + other_nonce, shared_key, my_id, + this->ike_sa->get_auth_build(this->ike_sa)); + DBG2(DBG_IKE, "successfully created shared key MAC"); + chunk_free(&shared_key); + *auth_payload = auth_payload_create(); + (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK); + (*auth_payload)->set_data(*auth_payload, auth_data); + + chunk_free(&auth_data); + return SUCCESS; +} + +/** + * Implementation of authenticator_t.destroy. + */ +static void destroy(private_psk_authenticator_t *this) +{ + free(this); +} + +/* + * Described in header. 
+ */ +psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa) +{ + private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); + + /* public functions */ + this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify; + this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build; + this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy; + + /* private data */ + this->ike_sa = ike_sa; + + return &this->public; +} diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h new file mode 100644 index 000000000..cfe6ebdaa --- /dev/null +++ b/src/charon/sa/authenticators/psk_authenticator.h 
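Review bot: `verify()` never checks which AUTH method the received payload carries, so an AUTH payload of any method is verified as a PSK MAC; the header's contract lists INVALID_ARG for a mismatch and rsa_authenticator.c performs exactly that check, so add `if (auth_payload->get_auth_method(auth_payload) != AUTH_PSK) return INVALID_ARG;` before `get_data()` is called. The MAC comparison goes through `memeq`; if that is a plain memcmp wrapper (its definition is not in this diff) the compare returns on the first differing byte, and a constant-time comparison would be the conservative choice for authentication data. Separately, `build_tbs_octets` is declared here with a `private_psk_authenticator_t *this` parameter while rsa_authenticator.c defines it with `private_rsa_authenticator_t *this`; two incompatible prototypes for one function across translation units are undefined behaviour even though `this` is never used, so a single prototype without the `this` parameter in authenticator.h would be cleaner. The `@file authenticator.c` header line is also a leftover from the file this was copied from.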
@@ -0,0 +1,57 @@
+/**
+ * @file psk_authenticator.h
+ *
+ * @brief Interface of psk_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PSK_AUTHENTICATOR_H_
+#define PSK_AUTHENTICATOR_H_
+
+typedef struct psk_authenticator_t psk_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * @brief Implementation of the authenticator_t interface using AUTH_PSK.
+ *
+ * @b Constructors:
+ * - psk_authenticator_create()
+ * - authenticator_create() using auth_method AUTH_PSK
+ *
+ * @ingroup authenticator
+ */
+struct psk_authenticator_t {
+
+ /**
+ * Implemented authenticator_t interface.
+ */
+ authenticator_t authenticator_interface;
+};
+
+/**
+ * @brief Creates an authenticator for AUTH_PSK.
+ *
+ * @param ike_sa associated ike_sa
+ * @return psk_authenticator_t object
+ *
+ * @ingroup authenticator
+ */
+psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa);
+
+#endif /* PSK_AUTHENTICATOR_H_ */
diff --git a/src/charon/sa/authenticators/rsa_authenticator.c b/src/charon/sa/authenticators/rsa_authenticator.c
new file mode 100644
index 000000000..8632c2314
--- /dev/null
+++ b/src/charon/sa/authenticators/rsa_authenticator.c
@@ -0,0 +1,194 @@ +/** + * @file authenticator.c + * + * @brief Implementation of authenticator_t. + * + */ + +/* + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <string.h> + +#include "rsa_authenticator.h" + +#include <config/policies/policy.h> +#include <daemon.h> + + +typedef struct private_rsa_authenticator_t private_rsa_authenticator_t; + +/** + * Private data of an rsa_authenticator_t object. + */ +struct private_rsa_authenticator_t { + + /** + * Public authenticator_t interface. + */ + rsa_authenticator_t public; + + /** + * Assigned IKE_SA + */ + ike_sa_t *ike_sa; +}; + +/** + * Builds the octets to be signed as described in section 2.15 of RFC 4306 + */ +chunk_t build_tbs_octets(private_rsa_authenticator_t *this, chunk_t ike_sa_init, + chunk_t nonce, identification_t *id, prf_t *prf) +{ + u_int8_t id_header_buf[] = {0x00, 0x00, 0x00, 0x00}; + chunk_t id_header = chunk_from_buf(id_header_buf); + chunk_t id_with_header, id_prfd, id_encoding; + + id_header_buf[0] = id->get_type(id); + id_encoding = id->get_encoding(id); + + id_with_header = chunk_cat("cc", id_header, id_encoding); + prf->allocate_bytes(prf, id_with_header, &id_prfd); + chunk_free(&id_with_header); + + return chunk_cat("ccm", ike_sa_init, nonce, id_prfd); +} + +/** + * Implementation of authenticator_t.verify. 
+ */ +static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init, + chunk_t my_nonce, auth_payload_t *auth_payload) +{ + status_t status; + chunk_t auth_data, octets; + rsa_public_key_t *public_key; + identification_t *other_id; + + other_id = this->ike_sa->get_other_id(this->ike_sa); + + if (auth_payload->get_auth_method(auth_payload) != AUTH_RSA) + { + return INVALID_ARG; + } + auth_data = auth_payload->get_data(auth_payload); + public_key = charon->credentials->get_trusted_public_key(charon->credentials, + other_id); + if (public_key == NULL) + { + DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id); + return NOT_FOUND; + } + octets = build_tbs_octets(this, ike_sa_init, my_nonce, other_id, + this->ike_sa->get_auth_verify(this->ike_sa)); + status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data); + chunk_free(&octets); + + if (status != SUCCESS) + { + DBG1(DBG_IKE, "RSA signature verification failed"); + return status; + } + + DBG1(DBG_IKE, "authentication of '%D' with %N successful", + other_id, auth_method_names, AUTH_RSA); + return SUCCESS; +} + +/** + * Implementation of authenticator_t.build. 
+ */ +static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init, + chunk_t other_nonce, auth_payload_t **auth_payload) +{ + chunk_t chunk; + chunk_t octets; + chunk_t auth_data; + status_t status; + rsa_public_key_t *my_pubkey; + rsa_private_key_t *my_key; + identification_t *my_id; + + my_id = this->ike_sa->get_my_id(this->ike_sa); + DBG1(DBG_IKE, "authentication of '%D' with %N (myself)", + my_id, auth_method_names, AUTH_RSA); + DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'", my_id); + + my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id); + if (my_pubkey == NULL) + { + DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id); + return NOT_FOUND; + } + DBG2(DBG_IKE, "matching RSA public key found"); + chunk = my_pubkey->get_keyid(my_pubkey); + DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk); + my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey); + if (my_key == NULL) + { + DBG1(DBG_IKE, "no RSA private key found with for %D with keyid %#B", + my_id, &chunk); + return NOT_FOUND; + } + DBG2(DBG_IKE, "matching RSA private key found"); + + octets = build_tbs_octets(this, ike_sa_init, other_nonce, my_id, + this->ike_sa->get_auth_build(this->ike_sa)); + status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data); + chunk_free(&octets); + + if (status != SUCCESS) + { + my_key->destroy(my_key); + DBG1(DBG_IKE, "build signature of SHA1 hash failed"); + return status; + } + DBG2(DBG_IKE, "successfully signed with RSA private key"); + + *auth_payload = auth_payload_create(); + (*auth_payload)->set_auth_method(*auth_payload, AUTH_RSA); + (*auth_payload)->set_data(*auth_payload, auth_data); + + my_key->destroy(my_key); + chunk_free(&auth_data); + return SUCCESS; +} + +/** + * Implementation of authenticator_t.destroy. + */ +static void destroy(private_rsa_authenticator_t *this) +{ + free(this); +} + +/* + * Described in header. 
+ */ +rsa_authenticator_t *rsa_authenticator_create(ike_sa_t *ike_sa) +{ + private_rsa_authenticator_t *this = malloc_thing(private_rsa_authenticator_t); + + /* public functions */ + this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify; + this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build; + this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy; + + /* private data */ + this->ike_sa = ike_sa; + + return &this->public; +} diff --git a/src/charon/sa/authenticators/rsa_authenticator.h b/src/charon/sa/authenticators/rsa_authenticator.h new file mode 100644 index 000000000..58b400292 --- /dev/null +++ b/src/charon/sa/authenticators/rsa_authenticator.h 
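Review bot: The key-object ownership in `build()` is undocumented and looks asymmetric: `my_key` from `get_rsa_private_key()` is destroyed on every path, whereas `my_pubkey` from `get_rsa_public_key()` and, in `verify()`, `public_key` from `get_trusted_public_key()` are never released. If the credential store hands out references to keys it owns, a comment such as `/* public keys are owned by the credential store; the private key is a copy we must destroy */` above the lookups would spare the next reader the same question; if it hands out copies, both public keys leak on every authentication. The deleted sa/authenticator.c followed the same pattern, so this is inherited rather than introduced, but the new file is the place to settle it. The `@file authenticator.c` / `@brief Implementation of authenticator_t.` header is also copied from the old file and should name rsa_authenticator.c.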
@@ -0,0 +1,57 @@ +/** + * @file rsa_authenticator.h + * + * @brief Interface of rsa_authenticator_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef RSA_AUTHENTICATOR_H_ +#define RSA_AUTHENTICATOR_H_ + +typedef struct rsa_authenticator_t rsa_authenticator_t; + +#include <sa/authenticators/authenticator.h> + +/** + * @brief Implementation of the authenticator_t interface using AUTH_RSA. + * + * @b Constructors: + * - rsa_authenticator_create() + * - authenticator_create() using auth_method AUTH_RSA + * + * @ingroup authenticator + */ +struct rsa_authenticator_t { + + /** + * Implemented authenticator_t interface. + */ + authenticator_t authenticator_interface; +}; + +/** + * @brief Creates an authenticator for AUTH_RSA. + * + * @param ike_sa associated ike_sa + * @return rsa_authenticator_t object + * + * @ingroup authenticator + */ +rsa_authenticator_t *rsa_authenticator_create(ike_sa_t *ike_sa); + +#endif /* RSA_AUTHENTICATOR_H_ */ diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index 1caed2143..2f73e49d8 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -151,7 +151,7 @@ struct private_child_sa_t { /** * transaction which is rekeying this CHILD_SA */ - void *rekeying_transaction; + transaction_t *rekeying_transaction; /** * Updown script 
@@ -696,7 +696,7 @@ static linked_list_t *get_other_traffic_selectors(private_child_sa_t *this) /** * Implementation of child_sa_t.set_rekeying_transaction. */ -static void set_rekeying_transaction(private_child_sa_t *this, void *transaction) +static void set_rekeying_transaction(private_child_sa_t *this, transaction_t *transaction) { this->rekeying_transaction = transaction; } @@ -704,7 +704,7 @@ static void set_rekeying_transaction(private_child_sa_t *this, void *transaction /** * Implementation of child_sa_t.get_rekeying_transaction. */ -static void* get_rekeying_transaction(private_child_sa_t *this) +static transaction_t* get_rekeying_transaction(private_child_sa_t *this) { return this->rekeying_transaction; } @@ -1104,8 +1104,8 @@ child_sa_t * child_sa_create(u_int32_t rekey, host_t *me, host_t* other, this->public.get_my_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_my_traffic_selectors; this->public.get_other_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_other_traffic_selectors; this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time; - this->public.set_rekeying_transaction = (void (*)(child_sa_t*,void*))set_rekeying_transaction; - this->public.get_rekeying_transaction = (void* (*)(child_sa_t*))get_rekeying_transaction; + this->public.set_rekeying_transaction = (void (*)(child_sa_t*,transaction_t*))set_rekeying_transaction; + this->public.get_rekeying_transaction = (transaction_t* (*)(child_sa_t*))get_rekeying_transaction; this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state; this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state; this->public.destroy = (void(*)(child_sa_t*))destroy; diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h index d2c9ba1ca..881c50000 100644 --- a/src/charon/sa/child_sa.h +++ b/src/charon/sa/child_sa.h 
@@ -25,10 +25,14 @@ #ifndef CHILD_SA_H_ #define CHILD_SA_H_ +typedef enum child_sa_state_t child_sa_state_t; +typedef struct child_sa_t child_sa_t; + #include <types.h> #include <crypto/prf_plus.h> #include <encoding/payloads/proposal_substructure.h> #include <config/proposal.h> +#include <sa/transactions/transaction.h> /** * Where we should start with reqid enumeration @@ -40,8 +44,6 @@ */ #define CHILD_SA_PRINTF_SPEC 'P' -typedef enum child_sa_state_t child_sa_state_t; - /** * @brief States of a CHILD_SA */ @@ -78,8 +80,6 @@ enum child_sa_state_t { */ extern enum_name_t *child_sa_state_names; -typedef struct child_sa_t child_sa_t; - /** * @brief Represents an IPsec SAs between two hosts. * @@ -266,22 +266,17 @@ struct child_sa_t { * such situations to handle them cleanly. A rekeying transaction * registers itself to the CHILD_SA, and checks later if another * transaction is in progress of a rekey. - * - * @todo Fix include problematics to allow inclusion of - * the create_child_sa_t transaction. * * @param this calling object */ - void (*set_rekeying_transaction) (child_sa_t *this, void *transaction); + void (*set_rekeying_transaction) (child_sa_t *this, transaction_t *transaction); /** * @brief Get the transaction which rekeys this CHILD_SA. * - * @see set_rekeying_transactoin(). - * * @param this calling object */ - void* (*get_rekeying_transaction) (child_sa_t *this); + transaction_t* (*get_rekeying_transaction) (child_sa_t *this); /** * @brief Destroys a child_sa. diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 0446c9d6f..def5ecb3f 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c 
@@ -149,14 +149,14 @@ struct private_ike_sa_t { prf_t *child_prf; /** - * PRF, with key set to pi_key, used for authentication + * PRF to build outging authentication data */ - prf_t *prf_auth_i; + prf_t *auth_build; /** - * PRF, with key set to pr_key, used for authentication + * PRF to verify incoming authentication data */ - prf_t *prf_auth_r; + prf_t *auth_verify; /** * NAT hasher. @@ -231,7 +231,7 @@ struct private_ike_sa_t { /** * Transaction which rekeys this IKE_SA, used do detect simultaneus rekeying */ - rekey_ike_sa_t *rekeying_transaction; + transaction_t *rekeying_transaction; }; /** @@ -1357,19 +1357,19 @@ static prf_t *get_child_prf(private_ike_sa_t *this) } /** - * Implementation of ike_sa_t.get_prf_auth_i. + * Implementation of ike_sa_t.get_auth_bild */ -static prf_t *get_prf_auth_i(private_ike_sa_t *this) +static prf_t *get_auth_build(private_ike_sa_t *this) { - return this->prf_auth_i; + return this->auth_build; } /** - * Implementation of ike_sa_t.get_prf_auth_r. + * Implementation of ike_sa_t.get_auth_verify */ -static prf_t *get_prf_auth_r(private_ike_sa_t *this) +static prf_t *get_auth_verify(private_ike_sa_t *this) { - return this->prf_auth_r; + return this->auth_verify; } /** @@ -1428,6 +1428,7 @@ static status_t derive_keys(private_ike_sa_t *this, size_t key_size; crypter_t *crypter_i, *crypter_r; signer_t *signer_i, *signer_r; + prf_t *prf_i, *prf_r; u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)]; chunk_t spi_i = chunk_from_buf(spi_i_buf); chunk_t spi_r = chunk_from_buf(spi_r_buf); 
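Review bot: The comment on the renamed getter reads `Implementation of ike_sa_t.get_auth_bild` and, like the `get_auth_verify` one below it, has dropped the trailing period used by every sibling comment in this file; it should read `Implementation of ike_sa_t.get_auth_build.`. A misnamed function in a comment is what a grep for the getter will miss later.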
@@ -1571,20 +1572,31 @@ static status_t derive_keys(private_ike_sa_t *this, /* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */ proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo); - this->prf_auth_i = prf_create(algo->algorithm); - this->prf_auth_r = prf_create(algo->algorithm); + prf_i = prf_create(algo->algorithm); + prf_r = prf_create(algo->algorithm); - key_size = this->prf_auth_i->get_key_size(this->prf_auth_i); + key_size = prf_i->get_key_size(prf_i); prf_plus->allocate_bytes(prf_plus, key_size, &key); DBG4(DBG_IKE, "Sk_pi secret %B", &key); - this->prf_auth_i->set_key(this->prf_auth_i, key); + prf_i->set_key(prf_i, key); chunk_free(&key); prf_plus->allocate_bytes(prf_plus, key_size, &key); DBG4(DBG_IKE, "Sk_pr secret %B", &key); - this->prf_auth_r->set_key(this->prf_auth_r, key); + prf_r->set_key(prf_r, key); chunk_free(&key); + if (initiator) + { + this->auth_verify = prf_r; + this->auth_build = prf_i; + } + else + { + this->auth_verify = prf_i; + this->auth_build = prf_r; + } + /* all done, prf_plus not needed anymore */ prf_plus->destroy(prf_plus); @@ -1764,7 +1776,7 @@ static status_t rekey(private_ike_sa_t *this) /** * Implementation of ike_sa_t.get_rekeying_transaction. */ -static rekey_ike_sa_t* get_rekeying_transaction(private_ike_sa_t *this) +static transaction_t* get_rekeying_transaction(private_ike_sa_t *this) { return this->rekeying_transaction; } @@ -1772,7 +1784,7 @@ static rekey_ike_sa_t* get_rekeying_transaction(private_ike_sa_t *this) /** * Implementation of ike_sa_t.set_rekeying_transaction. */ -static void set_rekeying_transaction(private_ike_sa_t *this, rekey_ike_sa_t *rekey) +static void set_rekeying_transaction(private_ike_sa_t *this, transaction_t *rekey) { this->rekeying_transaction = rekey; } 
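Review bot: The new initiator/responder assignment in `derive_keys()` carries no comment explaining the direction of the swap, and the comment above it still speaks of `prf_auth_i, prf_auth_r`, fields that no longer exist after this commit. I would put `/* RFC 4306 2.15: the initiator builds its AUTH data with SK_pi and verifies with SK_pr, the responder the other way round */` above `if (initiator)` and update the older comment to `/* SK_pi/SK_pr used for authentication => auth_build, auth_verify */`. The body of derive_keys() starts and ends outside this hunk; whether `prf_create()` can return NULL for an unsupported algorithm is not visible here, but if it can, the `prf_i->get_key_size(prf_i)` call a few lines later dereferences it unchecked, as the replaced code did.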
@@ -1920,8 +1932,8 @@ static void destroy(private_ike_sa_t *this) DESTROY_IF(this->signer_out); DESTROY_IF(this->prf); DESTROY_IF(this->child_prf); - DESTROY_IF(this->prf_auth_i); - DESTROY_IF(this->prf_auth_r); + DESTROY_IF(this->auth_verify); + DESTROY_IF(this->auth_build); DESTROY_IF(this->my_host); DESTROY_IF(this->other_host); @@ -1967,8 +1979,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive; this->public.get_prf = (prf_t *(*) (ike_sa_t *)) get_prf; this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf; - this->public.get_prf_auth_i = (prf_t *(*) (ike_sa_t *)) get_prf_auth_i; - this->public.get_prf_auth_r = (prf_t *(*) (ike_sa_t *)) get_prf_auth_r; + this->public.get_auth_verify = (prf_t *(*) (ike_sa_t *)) get_auth_verify; + this->public.get_auth_build = (prf_t *(*) (ike_sa_t *)) get_auth_build; this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys; this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa; this->public.has_child_sa = (bool(*)(ike_sa_t*,u_int32_t)) has_child_sa; @@ -1982,8 +1994,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->public.set_lifetimes = (void(*)(ike_sa_t*,u_int32_t,u_int32_t))set_lifetimes; this->public.apply_connection = (void(*)(ike_sa_t*,connection_t*))apply_connection; this->public.rekey = (status_t(*)(ike_sa_t*))rekey; - this->public.get_rekeying_transaction = (void*(*)(ike_sa_t*))get_rekeying_transaction; - this->public.set_rekeying_transaction = (void(*)(ike_sa_t*,void*))set_rekeying_transaction; + this->public.get_rekeying_transaction = (transaction_t*(*)(ike_sa_t*))get_rekeying_transaction; + this->public.set_rekeying_transaction = (void(*)(ike_sa_t*,transaction_t*))set_rekeying_transaction; this->public.adopt_children = (void(*)(ike_sa_t*,ike_sa_t*))adopt_children; /* initialize private fields */ 
@@ -1999,8 +2011,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->signer_in = NULL; this->signer_out = NULL; this->prf = NULL; - this->prf_auth_i = NULL; - this->prf_auth_r = NULL; + this->auth_verify = NULL; + this->auth_build = NULL; this->child_prf = NULL; this->nat_here = FALSE; this->nat_there = FALSE; diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index f09625a84..f4710b1d2 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -25,11 +25,15 @@ #ifndef IKE_SA_H_ #define IKE_SA_H_ +typedef enum ike_sa_state_t ike_sa_state_t; +typedef struct ike_sa_t ike_sa_t; + #include <types.h> #include <encoding/message.h> #include <encoding/payloads/proposal_substructure.h> #include <sa/ike_sa_id.h> #include <sa/child_sa.h> +#include <sa/transactions/transaction.h> #include <config/configuration.h> #include <utils/randomizer.h> #include <crypto/prfs/prf.h> @@ -39,11 +43,8 @@ #include <config/policies/policy.h> #include <config/proposal.h> - #define IKE_SA_PRINTF_SPEC 'K' -typedef enum ike_sa_state_t ike_sa_state_t; - /** * @brief State of an IKE_SA. * @@ -116,9 +117,6 @@ enum ike_sa_state_t { */ extern enum_name_t *ike_sa_state_names; - -typedef struct ike_sa_t ike_sa_t; - /** * @brief Class ike_sa_t representing an IKE_SA. * @@ -444,20 +442,20 @@ struct ike_sa_t { prf_t *(*get_child_prf) (ike_sa_t *this); /** - * @brief Get the prf used for authentication of initiator. + * @brief Get the prf to build outgoing authentication data. * * @param this calling object * @return pointer to prf_t object */ - prf_t *(*get_prf_auth_i) (ike_sa_t *this); + prf_t *(*get_auth_build) (ike_sa_t *this); /** - * @brief Get the prf used for authentication of responder. + * @brief Get the prf to verify incoming authentication data. * * @param this calling object * @return pointer to prf_t object */ - prf_t *(*get_prf_auth_r) (ike_sa_t *this); + prf_t *(*get_auth_verify) (ike_sa_t *this); /** * @brief Associates a child SA to this IKE SA 
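Review bot: The new `#include <sa/transactions/transaction.h>` in ike_sa.h creates an include cycle, since transaction.h includes `<sa/ike_sa.h>` (visible as context in its hunk further down), and it compiles only because `typedef struct ike_sa_t ike_sa_t;` now precedes the include block; nothing records that, so a later tidy-up moving the typedef back below the includes would break the build. A comment above the typedefs, `/* forward typedefs before includes: transaction.h includes this header and the two types reference each other */`, would pin the constraint. The same typedef-before-includes ordering is applied to the other headers in this commit (ike_sa_id.h, ike_sa_manager.h, the transaction headers), so a one-line note in transaction.h naming the convention would cover them as well.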
@@ -567,13 +565,11 @@ struct ike_sa_t { /** * @brief Get the transaction which rekeys this IKE_SA. - * - * @todo Fix include for rekey_ike_sa.h * * @param this calling object * @return rekey_ike_sa_t transaction or NULL */ - void* (*get_rekeying_transaction) (ike_sa_t *this); + transaction_t* (*get_rekeying_transaction) (ike_sa_t *this); /** * @brief Set the transaction which rekeys this IKE_SA. @@ -581,7 +577,7 @@ struct ike_sa_t { * @param this calling object * @param rekey rekey_ike_sa_t transaction or NULL */ - void (*set_rekeying_transaction) (ike_sa_t *this, void *rekey); + void (*set_rekeying_transaction) (ike_sa_t *this, transaction_t *rekey); /** * @brief Move all children from other IKE_SA to this IKE_SA. diff --git a/src/charon/sa/ike_sa_id.h b/src/charon/sa/ike_sa_id.h index a4ff889e4..8462d655b 100644 --- a/src/charon/sa/ike_sa_id.h +++ b/src/charon/sa/ike_sa_id.h @@ -25,6 +25,8 @@ #ifndef IKE_SA_ID_H_ #define IKE_SA_ID_H_ +typedef struct ike_sa_id_t ike_sa_id_t; + #include <types.h> /** @@ -32,8 +34,6 @@ */ #define IKE_SA_ID_PRINTF_SPEC 'J' -typedef struct ike_sa_id_t ike_sa_id_t; - /** * @brief An object of type ike_sa_id_t is used to identify an IKE_SA. * diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h index d99c6bf52..c14d04af6 100644 --- a/src/charon/sa/ike_sa_manager.h +++ b/src/charon/sa/ike_sa_manager.h @@ -24,11 +24,11 @@ #ifndef IKE_SA_MANAGER_H_ #define IKE_SA_MANAGER_H_ +typedef struct ike_sa_manager_t ike_sa_manager_t; + #include <types.h> #include <sa/ike_sa.h> -typedef struct ike_sa_manager_t ike_sa_manager_t; - /** * @brief The IKE_SA-Manager is responsible for managing all initiated and responded IKE_SA's. * diff --git a/src/charon/sa/transactions/create_child_sa.c b/src/charon/sa/transactions/create_child_sa.c index 64984cbad..c04fd1102 100644 --- a/src/charon/sa/transactions/create_child_sa.c +++ b/src/charon/sa/transactions/create_child_sa.c 
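Review bot: The doc comments on get_rekeying_transaction and set_rekeying_transaction still say `@return rekey_ike_sa_t transaction or NULL` and `@param rekey rekey_ike_sa_t transaction or NULL` although both signatures now use `transaction_t*`. Because rekey_ike_sa.c stores `&this->public.transaction` and downcasts the returned pointer back to its private struct, the contract should state the allowed concrete type: `@return transaction_t of the rekey_ike_sa_t rekeying this SA, or NULL` and `@param rekey transaction_t member of the rekeying rekey_ike_sa_t, or NULL`. The removed `@todo Fix include for rekey_ike_sa.h` is resolved by the type change, so nothing else is needed there.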
@@ -337,7 +337,8 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result) request->add_payload(request, (payload_t*)notify); /* register us as rekeying to detect multiple rekeying */ - this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, &this->public); + this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, + &this->public.transaction); } this->message_id = this->ike_sa->get_next_message_id(this->ike_sa); @@ -718,7 +719,8 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request { private_create_child_sa_t *other; - other = this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa); + other = (private_create_child_sa_t*) + this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa); if (other) { /* store our lower nonce in the simultaneus transaction, it diff --git a/src/charon/sa/transactions/create_child_sa.h b/src/charon/sa/transactions/create_child_sa.h index f35b25246..8ce72e11d 100644 --- a/src/charon/sa/transactions/create_child_sa.h +++ b/src/charon/sa/transactions/create_child_sa.h @@ -23,12 +23,11 @@ #ifndef CREATE_CHILD_SA_H_ #define CREATE_CHILD_SA_H_ +typedef struct create_child_sa_t create_child_sa_t; + +#include <sa/transactions/transaction.h> #include <sa/ike_sa.h> #include <sa/child_sa.h> -#include <sa/transactions/transaction.h> - - -typedef struct create_child_sa_t create_child_sa_t; /** * @brief A transaction to create a new or rekey an existing CHILD_SA. diff --git a/src/charon/sa/transactions/dead_peer_detection.h b/src/charon/sa/transactions/dead_peer_detection.h index a1aeb24fd..78d7b9b4f 100644 --- a/src/charon/sa/transactions/dead_peer_detection.h +++ b/src/charon/sa/transactions/dead_peer_detection.h 
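Review bot: The cast `other = (private_create_child_sa_t*) this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa);` in get_response turns the `&this->public.transaction` pointer stored by get_request back into the private object, which is only correct if `transaction` is the first member of create_child_sa_t and `public` the first member of private_create_child_sa_t; neither struct is visible here and nothing asserts the layout. A comment at the cast, `/* transaction is the first member of public, public the first of this struct: pointer is identical */`, or a compile-time check like `offsetof(create_child_sa_t, transaction) == 0` where the toolchain permits, would pin the assumption. The same downcast appears in delete_child_sa.c process_delete (`(create_child_sa_t*)child_sa->get_rekeying_transaction(child_sa)`) and in rekey_ike_sa.c get_response and conclude (`(private_rekey_ike_sa_t*)`), so one note near the transaction_t definition could cover all of them. If a different transaction type were ever registered through set_rekeying_transaction the casts would silently misinterpret memory, so the setters' contracts should name the single concrete type they accept. get_response starts and ends outside the hunk.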
@@ -24,12 +24,11 @@ #ifndef DEAD_PEER_DETECTION_H_ #define DEAD_PEER_DETECTION_H_ +typedef struct dead_peer_detection_t dead_peer_detection_t; + #include <sa/ike_sa.h> #include <sa/transactions/transaction.h> - -typedef struct dead_peer_detection_t dead_peer_detection_t; - /** * @brief A transaction used to detect dead peers. * diff --git a/src/charon/sa/transactions/delete_child_sa.c b/src/charon/sa/transactions/delete_child_sa.c index 6fb367d00..7ec332004 100644 --- a/src/charon/sa/transactions/delete_child_sa.c +++ b/src/charon/sa/transactions/delete_child_sa.c @@ -180,7 +180,7 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, deleting", protocol_id_names, protocol, ntohl(spi)); - rekey = child_sa->get_rekeying_transaction(child_sa); + rekey = (create_child_sa_t*)child_sa->get_rekeying_transaction(child_sa); if (rekey) { /* we have received a delete for an SA which we are still rekeying. diff --git a/src/charon/sa/transactions/delete_child_sa.h b/src/charon/sa/transactions/delete_child_sa.h index da222f0e0..b4cd8ea7a 100644 --- a/src/charon/sa/transactions/delete_child_sa.h +++ b/src/charon/sa/transactions/delete_child_sa.h @@ -24,12 +24,12 @@ #ifndef DELETE_CHILD_SA_H_ #define DELETE_CHILD_SA_H_ +typedef struct delete_child_sa_t delete_child_sa_t; + #include <sa/ike_sa.h> #include <sa/transactions/transaction.h> -typedef struct delete_child_sa_t delete_child_sa_t; - /** * @brief A transaction used to delete a CHILD_SA. * diff --git a/src/charon/sa/transactions/delete_ike_sa.h b/src/charon/sa/transactions/delete_ike_sa.h index 74f427500..139e65ebb 100644 --- a/src/charon/sa/transactions/delete_ike_sa.h +++ b/src/charon/sa/transactions/delete_ike_sa.h 
@@ -24,12 +24,11 @@ #ifndef DELETE_IKE_SA_H_ #define DELETE_IKE_SA_H_ +typedef struct delete_ike_sa_t delete_ike_sa_t; + #include <sa/ike_sa.h> #include <sa/transactions/transaction.h> - -typedef struct delete_ike_sa_t delete_ike_sa_t; - /** * @brief A transaction used to delete the IKE_SA. * diff --git a/src/charon/sa/transactions/ike_auth.c b/src/charon/sa/transactions/ike_auth.c index a229d4da4..b09b7038d 100644 --- a/src/charon/sa/transactions/ike_auth.c +++ b/src/charon/sa/transactions/ike_auth.c @@ -33,7 +33,7 @@ #include <encoding/payloads/certreq_payload.h> #include <encoding/payloads/auth_payload.h> #include <encoding/payloads/ts_payload.h> -#include <sa/authenticator.h> +#include <sa/authenticators/authenticator.h> #include <sa/child_sa.h> @@ -238,7 +238,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result) } /* build certificate payload. TODO: Handle certreq from init_ike_sa. */ - if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE + if (this->policy->get_auth_method(this->policy) == AUTH_RSA && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND) { cert_payload_t *cert_payload; @@ -273,13 +273,15 @@ static status_t get_request(private_ike_auth_t *this, message_t **result) auth_method = this->policy->get_auth_method(this->policy); authenticator = authenticator_create(this->ike_sa, auth_method); - status = authenticator->compute_auth_data(authenticator, - &auth_payload, - this->init_request, - this->nonce_r, - my_id, - other_id, - TRUE); + if (authenticator == NULL) + { + SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA", + auth_method_names, auth_method); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); + return DESTROY_ME; + } + status = authenticator->build(authenticator, this->init_request, + this->nonce_r, &auth_payload); authenticator->destroy(authenticator); if (status != SUCCESS) { 
@@ -718,7 +720,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, response->add_payload(response, (payload_t*)idr_response); } - if (this->policy->get_auth_method(this->policy) == RSA_DIGITAL_SIGNATURE + if (this->policy->get_auth_method(this->policy) == AUTH_RSA && this->connection->get_cert_policy(this->connection) != CERT_NEVER_SEND) { /* build certificate payload */ x509_t *cert; 
@@ -747,28 +749,37 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, auth_method_t auth_method; status_t status; - auth_method = this->policy->get_auth_method(this->policy); + auth_method = auth_request->get_auth_method(auth_request); authenticator = authenticator_create(this->ike_sa, auth_method); - status = authenticator->verify_auth_data(authenticator, auth_request, - this->init_request, - this->nonce_r, - my_id, - other_id, - TRUE); + if (authenticator == NULL) + { + SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA", + auth_method_names, auth_method); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); + return DESTROY_ME; + } + status = authenticator->verify(authenticator, this->init_request, + this->nonce_r, auth_request); + authenticator->destroy(authenticator); if (status != SUCCESS) { SIG(IKE_UP_FAILED, "authentication failed, deleting IKE_SA"); SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); build_notify(AUTHENTICATION_FAILED, response, TRUE); - authenticator->destroy(authenticator); return DESTROY_ME; } - status = authenticator->compute_auth_data(authenticator, &auth_response, - this->init_response, - this->nonce_i, - my_id, - other_id, - FALSE); + + auth_method = this->policy->get_auth_method(this->policy); + authenticator = authenticator_create(this->ike_sa, auth_method); + if (authenticator == NULL) + { + SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA", + auth_method_names, auth_method); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); + return DESTROY_ME; + } + status = authenticator->build(authenticator, this->init_response, + this->nonce_i, &auth_response); authenticator->destroy(authenticator); if (status != SUCCESS) { 
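Review bot: The responder now selects the authenticator from the peer's payload, `auth_method = auth_request->get_auth_method(auth_request);`, instead of from the local policy, so the peer decides which method its AUTH data is verified with and nothing in the hunk compares that method with what the policy expects from the peer. If the policy's auth method is meant to bind the peer as well, a check before authenticator_create such as `if (auth_method != this->policy->get_auth_method(this->policy))` taking the existing AUTHENTICATION_FAILED path closes the gap; if asymmetric methods are intended, the acceptable peer method should still come from configuration rather than from the wire, and a comment at this line should say so. The new unsupported-method branch returns DESTROY_ME without `build_notify(AUTHENTICATION_FAILED, response, TRUE)`, unlike the verify-failure branch a few lines below, so the peer gets no notify in that case; the branch is also repeated three times in this file (twice here and once in conclude), which a small static helper would avoid. The same payload-driven selection occurs in conclude (`auth_method = auth_payload->get_auth_method(auth_payload);`) and deserves the same treatment. get_response starts and ends outside the hunk.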
@@ -968,17 +979,18 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, auth_method_t auth_method; status_t status; - auth_method = this->policy->get_auth_method(this->policy); - authenticator = authenticator_create(this->ike_sa, auth_method); my_id = this->policy->get_my_id(this->policy); - - status = authenticator->verify_auth_data(authenticator, - auth_payload, - this->init_response, - this->nonce_i, - my_id, - other_id, - FALSE); + auth_method = auth_payload->get_auth_method(auth_payload); + authenticator = authenticator_create(this->ike_sa, auth_method); + if (authenticator == NULL) + { + SIG(IKE_UP_FAILED, "auth method %N not supported, deleting IKE_SA", + auth_method_names, auth_method); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); + return DESTROY_ME; + } + status = authenticator->verify(authenticator, this->init_response, + this->nonce_i, auth_payload); authenticator->destroy(authenticator); if (status != SUCCESS) { diff --git a/src/charon/sa/transactions/ike_auth.h b/src/charon/sa/transactions/ike_auth.h index 4c6fd822c..490359eda 100644 --- a/src/charon/sa/transactions/ike_auth.h +++ b/src/charon/sa/transactions/ike_auth.h @@ -24,12 +24,11 @@ #ifndef IKE_AUTH_H_ #define IKE_AUTH_H_ +typedef struct ike_auth_t ike_auth_t; + #include <sa/ike_sa.h> #include <sa/transactions/transaction.h> - -typedef struct ike_auth_t ike_auth_t; - /** * @brief A transaction for the second message exchange to authenticate an IKE_SA. * diff --git a/src/charon/sa/transactions/ike_sa_init.h b/src/charon/sa/transactions/ike_sa_init.h index c7a493ccf..ab820fea5 100644 --- a/src/charon/sa/transactions/ike_sa_init.h +++ b/src/charon/sa/transactions/ike_sa_init.h 
@@ -24,12 +24,11 @@ #ifndef IKE_SA_INIT_H_ #define IKE_SA_INIT_H_ +typedef struct ike_sa_init_t ike_sa_init_t; + #include <sa/ike_sa.h> #include <sa/transactions/transaction.h> - -typedef struct ike_sa_init_t ike_sa_init_t; - /** * @brief A transaction for the first message exchange to set up an IKE_SA. * diff --git a/src/charon/sa/transactions/rekey_ike_sa.c b/src/charon/sa/transactions/rekey_ike_sa.c index 59fc6f84b..06c8707ec 100644 --- a/src/charon/sa/transactions/rekey_ike_sa.c +++ b/src/charon/sa/transactions/rekey_ike_sa.c @@ -270,7 +270,7 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result) /* register us as rekeying to detect multiple rekeying */ this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); - this->ike_sa->set_rekeying_transaction(this->ike_sa, &this->public); + this->ike_sa->set_rekeying_transaction(this->ike_sa, &this->public.transaction); return SUCCESS; } @@ -623,7 +623,8 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, { private_rekey_ike_sa_t *other; - other = this->ike_sa->get_rekeying_transaction(this->ike_sa); + other = (private_rekey_ike_sa_t*) + this->ike_sa->get_rekeying_transaction(this->ike_sa); if (other) { /* store our lower nonce in the simultaneus transaction, we @@ -641,7 +642,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, other->nonce_s = chunk_clone(this->nonce_r); } /* overwrite "other" in IKE_SA, allows "other" to access "this" */ - this->ike_sa->set_rekeying_transaction(this->ike_sa, &this->public); + this->ike_sa->set_rekeying_transaction(this->ike_sa, &this->public.transaction); } else { 
@@ -768,7 +769,8 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response, * of the SA. If it changed, we are not alone. Then we must compare the nonces. * If no simultaneous rekeying is going on, we just initiate the delete of * the superseded SA. */ - other_trans = this->ike_sa->get_rekeying_transaction(this->ike_sa); + other_trans = (private_rekey_ike_sa_t*) + this->ike_sa->get_rekeying_transaction(this->ike_sa); this->ike_sa->set_rekeying_transaction(this->ike_sa, NULL); if (this->nonce_s.ptr) diff --git a/src/charon/sa/transactions/rekey_ike_sa.h b/src/charon/sa/transactions/rekey_ike_sa.h index f9b4491e3..dbb65237e 100644 --- a/src/charon/sa/transactions/rekey_ike_sa.h +++ b/src/charon/sa/transactions/rekey_ike_sa.h @@ -23,13 +23,13 @@ #ifndef REKEY_IKE_SA_H #define REKEY_IKE_SA_H +typedef struct rekey_ike_sa_t rekey_ike_sa_t; + #include <sa/ike_sa.h> #include <sa/transactions/transaction.h> #include <crypto/diffie_hellman.h> -typedef struct rekey_ike_sa_t rekey_ike_sa_t; - /** * @brief A transaction to rekey an established IKE_SA * diff --git a/src/charon/sa/transactions/transaction.h b/src/charon/sa/transactions/transaction.h index bf910ea78..a22cf7154 100644 --- a/src/charon/sa/transactions/transaction.h +++ b/src/charon/sa/transactions/transaction.h @@ -23,15 +23,12 @@ #ifndef TRANSACTION_H_ #define TRANSACTION_H_ - typedef struct transaction_t transaction_t; #include <types.h> #include <encoding/message.h> #include <sa/ike_sa.h> - - /** * @brief This interface represents a transaction an established IKE_SA can do. * diff --git a/src/charon/threads/kernel_interface.h b/src/charon/threads/kernel_interface.h index 4370e8253..2655745a8 100644 --- a/src/charon/threads/kernel_interface.h +++ b/src/charon/threads/kernel_interface.h 
@@ -25,12 +25,14 @@ #ifndef KERNEL_INTERFACE_H_ #define KERNEL_INTERFACE_H_ +typedef struct natt_conf_t natt_conf_t; +typedef enum policy_dir_t policy_dir_t; +typedef struct kernel_interface_t kernel_interface_t; + #include <utils/host.h> #include <crypto/prf_plus.h> #include <encoding/payloads/proposal_substructure.h> -typedef struct natt_conf_t natt_conf_t; - /** * Configuration for NAT-T */ @@ -41,8 +43,6 @@ struct natt_conf_t { u_int16_t dport; }; -typedef enum policy_dir_t policy_dir_t; - /** * Direction of a policy. These are equal to those * defined in xfrm.h, but we want to stay implementation @@ -57,8 +57,6 @@ enum policy_dir_t { POLICY_FWD = 2, }; -typedef struct kernel_interface_t kernel_interface_t; - /** * @brief Interface to the kernel. * diff --git a/src/charon/threads/receiver.h b/src/charon/threads/receiver.h index dada9b1f4..19c0a05f4 100644 --- a/src/charon/threads/receiver.h +++ b/src/charon/threads/receiver.h @@ -24,11 +24,10 @@ #ifndef RECEIVER_H_ #define RECEIVER_H_ -#include <types.h> - - typedef struct receiver_t receiver_t; +#include <types.h> + /** * @brief Receives packets from the socket and adds them to the job queue. * diff --git a/src/charon/threads/scheduler.h b/src/charon/threads/scheduler.h index 943a18c58..e794cceeb 100644 --- a/src/charon/threads/scheduler.h +++ b/src/charon/threads/scheduler.h @@ -24,21 +24,21 @@ #ifndef SCHEDULER_H_ #define SCHEDULER_H_ -#include <types.h> - typedef struct scheduler_t scheduler_t; +#include <types.h> + /** * @brief The scheduler thread is responsible for timed events. - * + * * The scheduler thread takes out jobs from the event-queue and adds them * to the job-queue. - * + * * Starts a thread which does the work, since event-queue is blocking. - * + * * @b Constructors: * - scheduler_create() - * + * * @ingroup threads */ struct scheduler_t { diff --git a/src/charon/threads/sender.h b/src/charon/threads/sender.h index a36245933..6ec83a745 100644 --- a/src/charon/threads/sender.h 
+++ b/src/charon/threads/sender.h @@ -24,10 +24,10 @@ #ifndef SENDER_H_ #define SENDER_H_ -#include <types.h> - typedef struct sender_t sender_t; +#include <types.h> + /** * @brief Thread responsible for sending packets over the socket. * diff --git a/src/charon/threads/stroke_interface.h b/src/charon/threads/stroke_interface.h index 941841d14..0def5167e 100644 --- a/src/charon/threads/stroke_interface.h +++ b/src/charon/threads/stroke_interface.h @@ -23,8 +23,6 @@ #ifndef STROKE_INTERFACE_H_ #define STROKE_INTERFACE_H_ - - typedef struct stroke_t stroke_t; /** diff --git a/src/charon/threads/thread_pool.h b/src/charon/threads/thread_pool.h index e4a04e8cb..2d8fd4f4d 100644 --- a/src/charon/threads/thread_pool.h +++ b/src/charon/threads/thread_pool.h @@ -24,22 +24,21 @@ #ifndef THREAD_POOL_H_ #define THREAD_POOL_H_ +typedef struct thread_pool_t thread_pool_t; + #include <stdlib.h> #include <types.h> - -typedef struct thread_pool_t thread_pool_t; - /** * @brief A thread_pool consists of a pool of threads processing jobs from the job queue. - * + * * Current implementation uses as many threads as specified in constructor. * A more improved version would dynamically increase thread count if necessary. - * + * * @b Constructors: * - thread_pool_create() - * + * * @todo Add support for dynamic thread handling * * @ingroup threads |