Separated libcharon/sa directory with ikev1 and ikev2 subfolders
authorMartin Willi <martin@revosec.ch>
Mon, 19 Dec 2011 12:10:29 +0000 (13:10 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:26 +0000 (17:31 +0100)
219 files changed:
src/conftest/hooks/pretend_auth.c
src/conftest/hooks/rebuild_auth.c
src/libcharon/Makefile.am
src/libcharon/config/peer_cfg.h
src/libcharon/daemon.h
src/libcharon/encoding/message.c
src/libcharon/encoding/payloads/auth_payload.h
src/libcharon/encoding/payloads/eap_payload.c
src/libcharon/encoding/payloads/eap_payload.h
src/libcharon/encoding/payloads/proposal_substructure.h
src/libcharon/encoding/payloads/sa_payload.h
src/libcharon/plugins/eap_aka/eap_aka_peer.h
src/libcharon/plugins/eap_aka/eap_aka_server.h
src/libcharon/plugins/eap_gtc/eap_gtc.h
src/libcharon/plugins/eap_identity/eap_identity.h
src/libcharon/plugins/eap_md5/eap_md5.h
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.h
src/libcharon/plugins/eap_peap/eap_peap.h
src/libcharon/plugins/eap_peap/eap_peap_peer.h
src/libcharon/plugins/eap_peap/eap_peap_server.h
src/libcharon/plugins/eap_radius/eap_radius.h
src/libcharon/plugins/eap_sim/eap_sim_peer.h
src/libcharon/plugins/eap_sim/eap_sim_server.h
src/libcharon/plugins/eap_tls/eap_tls.h
src/libcharon/plugins/eap_tnc/eap_tnc.h
src/libcharon/plugins/eap_ttls/eap_ttls.h
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_ttls/eap_ttls_server.c
src/libcharon/plugins/xauth_generic/xauth_generic.h
src/libcharon/sa/authenticator.c [new file with mode: 0644]
src/libcharon/sa/authenticator.h [new file with mode: 0644]
src/libcharon/sa/authenticators/authenticator.c [deleted file]
src/libcharon/sa/authenticators/authenticator.h [deleted file]
src/libcharon/sa/authenticators/eap/eap_manager.c [deleted file]
src/libcharon/sa/authenticators/eap/eap_manager.h [deleted file]
src/libcharon/sa/authenticators/eap/eap_method.c [deleted file]
src/libcharon/sa/authenticators/eap/eap_method.h [deleted file]
src/libcharon/sa/authenticators/eap_authenticator.c [deleted file]
src/libcharon/sa/authenticators/eap_authenticator.h [deleted file]
src/libcharon/sa/authenticators/hybrid_authenticator.c [deleted file]
src/libcharon/sa/authenticators/hybrid_authenticator.h [deleted file]
src/libcharon/sa/authenticators/psk_authenticator.c [deleted file]
src/libcharon/sa/authenticators/psk_authenticator.h [deleted file]
src/libcharon/sa/authenticators/psk_v1_authenticator.c [deleted file]
src/libcharon/sa/authenticators/psk_v1_authenticator.h [deleted file]
src/libcharon/sa/authenticators/pubkey_authenticator.c [deleted file]
src/libcharon/sa/authenticators/pubkey_authenticator.h [deleted file]
src/libcharon/sa/authenticators/pubkey_v1_authenticator.c [deleted file]
src/libcharon/sa/authenticators/pubkey_v1_authenticator.h [deleted file]
src/libcharon/sa/authenticators/xauth/xauth_manager.c [deleted file]
src/libcharon/sa/authenticators/xauth/xauth_manager.h [deleted file]
src/libcharon/sa/authenticators/xauth/xauth_method.c [deleted file]
src/libcharon/sa/authenticators/xauth/xauth_method.h [deleted file]
src/libcharon/sa/connect_manager.c [deleted file]
src/libcharon/sa/connect_manager.h [deleted file]
src/libcharon/sa/ike_sa.c
src/libcharon/sa/ike_sa.h
src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.h [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.h [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/xauth/xauth_manager.c [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/xauth/xauth_manager.h [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/xauth/xauth_method.c [new file with mode: 0644]
src/libcharon/sa/ikev1/authenticators/xauth/xauth_method.h [new file with mode: 0644]
src/libcharon/sa/ikev1/keymat_v1.c [new file with mode: 0644]
src/libcharon/sa/ikev1/keymat_v1.h [new file with mode: 0644]
src/libcharon/sa/ikev1/task_manager_v1.c [new file with mode: 0644]
src/libcharon/sa/ikev1/task_manager_v1.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/informational.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/informational.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_cert_post.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_cert_post.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_cert_pre.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_delete.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_delete.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_natd.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_natd.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_vendor.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/isakmp_vendor.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/main_mode.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/main_mode.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/mode_config.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/mode_config.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/quick_delete.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/quick_delete.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/quick_mode.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/quick_mode.h [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/xauth.c [new file with mode: 0644]
src/libcharon/sa/ikev1/tasks/xauth.h [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/eap/eap_manager.c [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/eap/eap_manager.h [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/eap/eap_method.c [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/eap/eap_method.h [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/eap_authenticator.h [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/psk_authenticator.c [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/psk_authenticator.h [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c [new file with mode: 0644]
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.h [new file with mode: 0644]
src/libcharon/sa/ikev2/connect_manager.c [new file with mode: 0644]
src/libcharon/sa/ikev2/connect_manager.h [new file with mode: 0644]
src/libcharon/sa/ikev2/keymat_v2.c [new file with mode: 0644]
src/libcharon/sa/ikev2/keymat_v2.h [new file with mode: 0644]
src/libcharon/sa/ikev2/mediation_manager.c [new file with mode: 0644]
src/libcharon/sa/ikev2/mediation_manager.h [new file with mode: 0644]
src/libcharon/sa/ikev2/task_manager_v2.c [new file with mode: 0644]
src/libcharon/sa/ikev2/task_manager_v2.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/child_create.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/child_create.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/child_delete.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/child_delete.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/child_rekey.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/child_rekey.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_auth.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_auth.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_cert_post.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_cert_post.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_cert_pre.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_cert_pre.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_config.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_config.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_delete.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_delete.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_dpd.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_dpd.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_init.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_init.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_me.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_me.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_mobike.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_mobike.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_natd.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_natd.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_reauth.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_reauth.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_rekey.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_rekey.h [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_vendor.c [new file with mode: 0644]
src/libcharon/sa/ikev2/tasks/ike_vendor.h [new file with mode: 0644]
src/libcharon/sa/keymat.c
src/libcharon/sa/keymat.h
src/libcharon/sa/keymat_v1.c [deleted file]
src/libcharon/sa/keymat_v1.h [deleted file]
src/libcharon/sa/keymat_v2.c [deleted file]
src/libcharon/sa/keymat_v2.h [deleted file]
src/libcharon/sa/mediation_manager.c [deleted file]
src/libcharon/sa/mediation_manager.h [deleted file]
src/libcharon/sa/task.c [new file with mode: 0644]
src/libcharon/sa/task.h [new file with mode: 0644]
src/libcharon/sa/task_manager.c
src/libcharon/sa/task_manager.h
src/libcharon/sa/task_manager_v1.c [deleted file]
src/libcharon/sa/task_manager_v1.h [deleted file]
src/libcharon/sa/task_manager_v2.c [deleted file]
src/libcharon/sa/task_manager_v2.h [deleted file]
src/libcharon/sa/tasks/child_create.c [deleted file]
src/libcharon/sa/tasks/child_create.h [deleted file]
src/libcharon/sa/tasks/child_delete.c [deleted file]
src/libcharon/sa/tasks/child_delete.h [deleted file]
src/libcharon/sa/tasks/child_rekey.c [deleted file]
src/libcharon/sa/tasks/child_rekey.h [deleted file]
src/libcharon/sa/tasks/ike_auth.c [deleted file]
src/libcharon/sa/tasks/ike_auth.h [deleted file]
src/libcharon/sa/tasks/ike_auth_lifetime.c [deleted file]
src/libcharon/sa/tasks/ike_auth_lifetime.h [deleted file]
src/libcharon/sa/tasks/ike_cert_post.c [deleted file]
src/libcharon/sa/tasks/ike_cert_post.h [deleted file]
src/libcharon/sa/tasks/ike_cert_pre.c [deleted file]
src/libcharon/sa/tasks/ike_cert_pre.h [deleted file]
src/libcharon/sa/tasks/ike_config.c [deleted file]
src/libcharon/sa/tasks/ike_config.h [deleted file]
src/libcharon/sa/tasks/ike_delete.c [deleted file]
src/libcharon/sa/tasks/ike_delete.h [deleted file]
src/libcharon/sa/tasks/ike_dpd.c [deleted file]
src/libcharon/sa/tasks/ike_dpd.h [deleted file]
src/libcharon/sa/tasks/ike_init.c [deleted file]
src/libcharon/sa/tasks/ike_init.h [deleted file]
src/libcharon/sa/tasks/ike_me.c [deleted file]
src/libcharon/sa/tasks/ike_me.h [deleted file]
src/libcharon/sa/tasks/ike_mobike.c [deleted file]
src/libcharon/sa/tasks/ike_mobike.h [deleted file]
src/libcharon/sa/tasks/ike_natd.c [deleted file]
src/libcharon/sa/tasks/ike_natd.h [deleted file]
src/libcharon/sa/tasks/ike_reauth.c [deleted file]
src/libcharon/sa/tasks/ike_reauth.h [deleted file]
src/libcharon/sa/tasks/ike_rekey.c [deleted file]
src/libcharon/sa/tasks/ike_rekey.h [deleted file]
src/libcharon/sa/tasks/ike_vendor.c [deleted file]
src/libcharon/sa/tasks/ike_vendor.h [deleted file]
src/libcharon/sa/tasks/informational.c [deleted file]
src/libcharon/sa/tasks/informational.h [deleted file]
src/libcharon/sa/tasks/isakmp_cert_post.c [deleted file]
src/libcharon/sa/tasks/isakmp_cert_post.h [deleted file]
src/libcharon/sa/tasks/isakmp_cert_pre.c [deleted file]
src/libcharon/sa/tasks/isakmp_cert_pre.h [deleted file]
src/libcharon/sa/tasks/isakmp_delete.c [deleted file]
src/libcharon/sa/tasks/isakmp_delete.h [deleted file]
src/libcharon/sa/tasks/isakmp_natd.c [deleted file]
src/libcharon/sa/tasks/isakmp_natd.h [deleted file]
src/libcharon/sa/tasks/isakmp_vendor.c [deleted file]
src/libcharon/sa/tasks/isakmp_vendor.h [deleted file]
src/libcharon/sa/tasks/main_mode.c [deleted file]
src/libcharon/sa/tasks/main_mode.h [deleted file]
src/libcharon/sa/tasks/mode_config.c [deleted file]
src/libcharon/sa/tasks/mode_config.h [deleted file]
src/libcharon/sa/tasks/quick_delete.c [deleted file]
src/libcharon/sa/tasks/quick_delete.h [deleted file]
src/libcharon/sa/tasks/quick_mode.c [deleted file]
src/libcharon/sa/tasks/quick_mode.h [deleted file]
src/libcharon/sa/tasks/task.c [deleted file]
src/libcharon/sa/tasks/task.h [deleted file]
src/libcharon/sa/tasks/xauth.c [deleted file]
src/libcharon/sa/tasks/xauth.h [deleted file]

index 10b13c6..3a7bb4f 100644 (file)
@@ -15,7 +15,7 @@
 
 #include "hook.h"
 
-#include <sa/keymat_v2.h>
+#include <sa/ikev2/keymat_v2.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/auth_payload.h>
index cf9b113..1197eb2 100644 (file)
@@ -15,7 +15,7 @@
 
 #include "hook.h"
 
-#include <sa/keymat_v2.h>
+#include <sa/ikev2/keymat_v2.h>
 #include <encoding/generator.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/auth_payload.h>
index 95bec09..474b205 100644 (file)
@@ -57,55 +57,57 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
-sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
-sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
-sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
-sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
-sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
-sa/authenticators/psk_v1_authenticator.c sa/authenticators/psk_v1_authenticator.h \
-sa/authenticators/pubkey_v1_authenticator.c sa/authenticators/pubkey_v1_authenticator.h \
-sa/authenticators/hybrid_authenticator.c sa/authenticators/hybrid_authenticator.h \
-sa/authenticators/xauth/xauth_method.c sa/authenticators/xauth/xauth_method.h \
-sa/authenticators/xauth/xauth_manager.c sa/authenticators/xauth/xauth_manager.h \
+sa/authenticator.c sa/authenticator.h \
 sa/child_sa.c sa/child_sa.h \
 sa/ike_sa.c sa/ike_sa.h \
 sa/ike_sa_id.c sa/ike_sa_id.h \
+sa/keymat.h sa/keymat.c \
 sa/ike_sa_manager.c sa/ike_sa_manager.h \
-sa/task_manager.h sa/task_manager.c sa/task_manager_v2.c sa/task_manager_v2.h \
-sa/task_manager_v1.c sa/task_manager_v1.h \
-sa/keymat.h sa/keymat.c sa/keymat_v2.c sa/keymat_v2.h \
-sa/keymat_v1.c sa/keymat_v1.h \
+sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
-sa/tasks/child_create.c sa/tasks/child_create.h \
-sa/tasks/child_delete.c sa/tasks/child_delete.h \
-sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
-sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
-sa/tasks/ike_config.c sa/tasks/ike_config.h \
-sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
-sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
-sa/tasks/ike_init.c sa/tasks/ike_init.h \
-sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
-sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
-sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
-sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
-sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
-sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/main_mode.c sa/tasks/main_mode.h \
-sa/tasks/informational.c sa/tasks/informational.h \
-sa/tasks/isakmp_cert_pre.c sa/tasks/isakmp_cert_pre.h \
-sa/tasks/isakmp_cert_post.c sa/tasks/isakmp_cert_post.h \
-sa/tasks/isakmp_natd.c sa/tasks/isakmp_natd.h \
-sa/tasks/isakmp_vendor.c sa/tasks/isakmp_vendor.h \
-sa/tasks/isakmp_delete.c sa/tasks/isakmp_delete.h \
-sa/tasks/xauth.c sa/tasks/xauth.h \
-sa/tasks/quick_mode.c sa/tasks/quick_mode.h \
-sa/tasks/quick_delete.c sa/tasks/quick_delete.h \
-sa/tasks/mode_config.c sa/tasks/mode_config.h \
-sa/tasks/task.c sa/tasks/task.h
+sa/task.c sa/task.h \
+sa/ikev2/keymat_v2.c sa/ikev2/keymat_v2.h \
+sa/ikev2/task_manager_v2.c sa/ikev2/task_manager_v2.h \
+sa/ikev2/authenticators/eap_authenticator.c sa/ikev2/authenticators/eap_authenticator.h \
+sa/ikev2/authenticators/eap/eap_method.c sa/ikev2/authenticators/eap/eap_method.h \
+sa/ikev2/authenticators/eap/eap_manager.c sa/ikev2/authenticators/eap/eap_manager.h \
+sa/ikev2/authenticators/psk_authenticator.c sa/ikev2/authenticators/psk_authenticator.h \
+sa/ikev2/authenticators/pubkey_authenticator.c sa/ikev2/authenticators/pubkey_authenticator.h \
+sa/ikev2/tasks/child_create.c sa/ikev2/tasks/child_create.h \
+sa/ikev2/tasks/child_delete.c sa/ikev2/tasks/child_delete.h \
+sa/ikev2/tasks/child_rekey.c sa/ikev2/tasks/child_rekey.h \
+sa/ikev2/tasks/ike_auth.c sa/ikev2/tasks/ike_auth.h \
+sa/ikev2/tasks/ike_cert_pre.c sa/ikev2/tasks/ike_cert_pre.h \
+sa/ikev2/tasks/ike_cert_post.c sa/ikev2/tasks/ike_cert_post.h \
+sa/ikev2/tasks/ike_config.c sa/ikev2/tasks/ike_config.h \
+sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
+sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
+sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
+sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
+sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
+sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
+sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h \
+sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
+sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
+sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
+sa/ikev1/authenticators/hybrid_authenticator.c sa/ikev1/authenticators/hybrid_authenticator.h \
+sa/ikev1/authenticators/xauth/xauth_method.c sa/ikev1/authenticators/xauth/xauth_method.h \
+sa/ikev1/authenticators/xauth/xauth_manager.c sa/ikev1/authenticators/xauth/xauth_manager.h \
+sa/ikev1/tasks/main_mode.c sa/ikev1/tasks/main_mode.h \
+sa/ikev1/tasks/informational.c sa/ikev1/tasks/informational.h \
+sa/ikev1/tasks/isakmp_cert_pre.c sa/ikev1/tasks/isakmp_cert_pre.h \
+sa/ikev1/tasks/isakmp_cert_post.c sa/ikev1/tasks/isakmp_cert_post.h \
+sa/ikev1/tasks/isakmp_natd.c sa/ikev1/tasks/isakmp_natd.h \
+sa/ikev1/tasks/isakmp_vendor.c sa/ikev1/tasks/isakmp_vendor.h \
+sa/ikev1/tasks/isakmp_delete.c sa/ikev1/tasks/isakmp_delete.h \
+sa/ikev1/tasks/xauth.c sa/ikev1/tasks/xauth.h \
+sa/ikev1/tasks/quick_mode.c sa/ikev1/tasks/quick_mode.h \
+sa/ikev1/tasks/quick_delete.c sa/ikev1/tasks/quick_delete.h \
+sa/ikev1/tasks/mode_config.c sa/ikev1/tasks/mode_config.h
 
 
 daemon.lo :            $(top_builddir)/config.status
@@ -132,9 +134,9 @@ if USE_ME
   libcharon_la_SOURCES += encoding/payloads/endpoint_notify.c encoding/payloads/endpoint_notify.h \
     processing/jobs/initiate_mediation_job.c processing/jobs/initiate_mediation_job.h \
     processing/jobs/mediation_job.c processing/jobs/mediation_job.h \
-    sa/connect_manager.c sa/connect_manager.h \
-    sa/mediation_manager.c sa/mediation_manager.h \
-    sa/tasks/ike_me.c sa/tasks/ike_me.h
+    sa/ikev2/connect_manager.c sa/ikev2/connect_manager.h \
+    sa/ikev2/mediation_manager.c sa/ikev2/mediation_manager.h \
+    sa/ikev2/tasks/ike_me.c sa/ikev2/tasks/ike_me.h
 endif
 
 if USE_LIBCAP
index f191561..dcbe6aa 100644 (file)
@@ -35,8 +35,6 @@ typedef struct peer_cfg_t peer_cfg_t;
 #include <config/proposal.h>
 #include <config/ike_cfg.h>
 #include <config/child_cfg.h>
-#include <sa/authenticators/authenticator.h>
-#include <sa/authenticators/eap/eap_method.h>
 #include <credentials/auth_cfg.h>
 
 /**
index a887eab..785ad23 100644 (file)
@@ -148,12 +148,12 @@ typedef struct daemon_t daemon_t;
 #include <sa/trap_manager.h>
 #include <sa/shunt_manager.h>
 #include <config/backend_manager.h>
-#include <sa/authenticators/eap/eap_manager.h>
-#include <sa/authenticators/xauth/xauth_manager.h>
+#include <sa/ikev2/authenticators/eap/eap_manager.h>
+#include <sa/ikev1/authenticators/xauth/xauth_manager.h>
 
 #ifdef ME
-#include <sa/connect_manager.h>
-#include <sa/mediation_manager.h>
+#include <sa/ikev2/connect_manager.h>
+#include <sa/ikev2/mediation_manager.h>
 #endif /* ME */
 
 /**
index 708e3fb..cf2a66e 100644 (file)
@@ -24,7 +24,7 @@
 
 #include <library.h>
 #include <daemon.h>
-#include <sa/keymat_v1.h>
+#include <sa/ikev1/keymat_v1.h>
 #include <encoding/generator.h>
 #include <encoding/parser.h>
 #include <encoding/payloads/encodings.h>
index 521fe1d..b922d12 100644 (file)
@@ -26,7 +26,7 @@ typedef struct auth_payload_t auth_payload_t;
 
 #include <library.h>
 #include <encoding/payloads/payload.h>
-#include <sa/authenticators/authenticator.h>
+#include <sa/authenticator.h>
 
 /**
  * Class representing an IKEv2 AUTH payload.
index 9982f05..1b9a5c8 100644 (file)
@@ -19,6 +19,7 @@
 #include "eap_payload.h"
 
 #include <daemon.h>
+#include <eap/eap.h>
 
 typedef struct private_eap_payload_t private_eap_payload_t;
 
index e63db7d..52bc7ac 100644 (file)
@@ -25,8 +25,8 @@
 typedef struct eap_payload_t eap_payload_t;
 
 #include <library.h>
+#include <eap/eap.h>
 #include <encoding/payloads/payload.h>
-#include <sa/authenticators/eap/eap_method.h>
 
 /**
  * Class representing an IKEv2 EAP payload.
index 03b26e1..aefdf2f 100644 (file)
@@ -30,7 +30,7 @@ typedef struct proposal_substructure_t proposal_substructure_t;
 #include <config/proposal.h>
 #include <utils/linked_list.h>
 #include <kernel/kernel_ipsec.h>
-#include <sa/authenticators/authenticator.h>
+#include <sa/authenticator.h>
 
 /**
  * Class representing an IKEv1/IKEv2 proposal substructure.
index dfba477..6dfbd51 100644 (file)
@@ -29,7 +29,7 @@ typedef struct sa_payload_t sa_payload_t;
 #include <encoding/payloads/proposal_substructure.h>
 #include <utils/linked_list.h>
 #include <kernel/kernel_ipsec.h>
-#include <sa/authenticators/authenticator.h>
+#include <sa/authenticator.h>
 
 /**
  * Class representing an IKEv1 or IKEv2 SA Payload.
index 974ba27..4fc1821 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_aka_peer_t eap_aka_peer_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * EAP-AKA peer implementation.
index 5ab1c4d..4819021 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_aka_server_t eap_aka_server_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * EAP-AKA server implementation.
index 2eb8482..0ce46b3 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_gtc_t eap_gtc_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-GTC.
index 9a7f285..811b19b 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_identity_t eap_identity_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP Identity.
index c668714..302abc4 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_md5_t eap_md5_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-MD5 (CHAP).
index 34cc114..44050d0 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_mschapv2_t eap_mschapv2_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-MS-CHAPv2.
index f47bad5..7bf7b1d 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_peap_t eap_peap_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of eap_method_t using EAP-PEAP.
index a875442..61586b1 100644 (file)
@@ -26,7 +26,7 @@ typedef struct eap_peap_peer_t eap_peap_peer_t;
 #include "tls_application.h"
 
 #include <library.h>
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * TLS application data handler as peer.
index 93141d6..cc03d4b 100644 (file)
@@ -26,7 +26,7 @@ typedef struct eap_peap_server_t eap_peap_server_t;
 #include "tls_application.h"
 
 #include <library.h>
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * TLS application data handler as server.
index e98cb06..9cfdbb9 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_radius_t eap_radius_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using a RADIUS server.
index ba72ce4..c32cb31 100644 (file)
@@ -21,7 +21,7 @@
 #ifndef EAP_SIM_PEER_H_
 #define EAP_SIM_PEER_H_
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 typedef struct eap_sim_peer_t eap_sim_peer_t;
 
index c0ed64f..a4a0eea 100644 (file)
@@ -21,7 +21,7 @@
 #ifndef EAP_SIM_SERVER_H_
 #define EAP_SIM_SERVER_H_
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 typedef struct eap_sim_server_t eap_sim_server_t;
 
index 7e08023..4227c9d 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_tls_t eap_tls_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of eap_method_t using EAP-TLS.
index 7e166fb..1c7e1b6 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_tnc_t eap_tnc_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-TNC.
index 6e3bf2c..ca2b824 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct eap_ttls_t eap_ttls_t;
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 /**
  * Implementation of eap_method_t using EAP-TTLS.
index d2feb77..aa10c7d 100644 (file)
@@ -19,7 +19,7 @@
 #include <debug.h>
 #include <daemon.h>
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
 
index 3c46993..2a2aee1 100644 (file)
@@ -19,7 +19,7 @@
 #include <debug.h>
 #include <daemon.h>
 
-#include <sa/authenticators/eap/eap_method.h>
+#include <sa/ikev2/authenticators/eap/eap_method.h>
 
 typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
 
index dfb759b..04e3d47 100644 (file)
@@ -23,7 +23,7 @@
 
 typedef struct xauth_generic_t xauth_generic_t;
 
-#include <sa/authenticators/xauth/xauth_method.h>
+#include <sa/ikev1/authenticators/xauth/xauth_method.h>
 
 /**
  * Implementation of the xauth_method_t interface using cleartext secrets
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
new file mode 100644 (file)
index 0000000..d7a4b3e
--- /dev/null
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2006-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "authenticator.h"
+
+#include <sa/ikev2/authenticators/pubkey_authenticator.h>
+#include <sa/ikev2/authenticators/psk_authenticator.h>
+#include <sa/ikev2/authenticators/eap_authenticator.h>
+#include <sa/ikev1/authenticators/psk_v1_authenticator.h>
+#include <sa/ikev1/authenticators/pubkey_v1_authenticator.h>
+#include <sa/ikev1/authenticators/hybrid_authenticator.h>
+#include <encoding/payloads/auth_payload.h>
+
+
+ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
+       "RSA signature",
+       "pre-shared key",
+       "DSS signature");
+ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
+       "ECDSA-256 signature",
+       "ECDSA-384 signature",
+       "ECDSA-521 signature");
+ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_ECDSA_521,
+       "XAuthInitPSK",
+       "XAuthRespPSK",
+       "XAuthInitRSA",
+       "XauthRespRSA",
+       "HybridInitRSA",
+       "HybridRespRSA",
+);
+ENUM_END(auth_method_names, AUTH_HYBRID_RESP_RSA);
+
+/**
+ * Described in header.
+ */
+authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init,
+                                                                       char reserved[3])
+{
+       switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
+       {
+               case AUTH_CLASS_ANY:
+                       /* defaults to PUBKEY */
+               case AUTH_CLASS_PUBKEY:
+                       return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
+                                                                               received_nonce, sent_init, reserved);
+               case AUTH_CLASS_PSK:
+                       return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
+                                                                               received_nonce, sent_init, reserved);
+               case AUTH_CLASS_EAP:
+                       return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
+                                                                               received_nonce, sent_nonce,
+                                                                               received_init, sent_init, reserved);
+               default:
+                       return NULL;
+       }
+}
+
+/**
+ * Described in header.
+ */
+authenticator_t *authenticator_create_verifier(
+                                                                       ike_sa_t *ike_sa, message_t *message,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init,
+                                                                       char reserved[3])
+{
+       auth_payload_t *auth_payload;
+
+       auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+       if (auth_payload == NULL)
+       {
+               return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
+                                                                               received_nonce, sent_nonce,
+                                                                               received_init, sent_init, reserved);
+       }
+       switch (auth_payload->get_auth_method(auth_payload))
+       {
+               case AUTH_RSA:
+               case AUTH_ECDSA_256:
+               case AUTH_ECDSA_384:
+               case AUTH_ECDSA_521:
+                       return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
+                                                                               sent_nonce, received_init, reserved);
+               case AUTH_PSK:
+                       return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
+                                                                               sent_nonce, received_init, reserved);
+               default:
+                       return NULL;
+       }
+}
+
+/**
+ * Described in header.
+ */
+authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
+                                                               auth_method_t auth_method, diffie_hellman_t *dh,
+                                                               chunk_t dh_value, chunk_t sa_payload,
+                                                               chunk_t id_payload)
+{
+       switch (auth_method)
+       {
+               case AUTH_PSK:
+               case AUTH_XAUTH_INIT_PSK:
+               case AUTH_XAUTH_RESP_PSK:
+                       return (authenticator_t*)psk_v1_authenticator_create(ike_sa,
+                                                                               initiator, dh, dh_value, sa_payload,
+                                                                               id_payload);
+               case AUTH_RSA:
+               case AUTH_XAUTH_INIT_RSA:
+               case AUTH_XAUTH_RESP_RSA:
+                       return (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
+                                                                               initiator, dh, dh_value, sa_payload,
+                                                                               id_payload);
+               case AUTH_HYBRID_INIT_RSA:
+               case AUTH_HYBRID_RESP_RSA:
+                       return (authenticator_t*)hybrid_authenticator_create(ike_sa,
+                                                                               initiator, dh, dh_value, sa_payload,
+                                                                               id_payload);
+               default:
+                       return NULL;
+       }
+}
diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h
new file mode 100644 (file)
index 0000000..3af9391
--- /dev/null
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup authenticator authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef AUTHENTICATOR_H_
+#define AUTHENTICATOR_H_
+
+typedef enum auth_method_t auth_method_t;
+typedef struct authenticator_t authenticator_t;
+
+#include <library.h>
+#include <credentials/auth_cfg.h>
+#include <sa/ike_sa.h>
+
+/**
+ * Method to use for authentication, as defined in IKEv2.
+ */
+enum auth_method_t {
+
+       /**
+        * No authentication used.
+        */
+       AUTH_NONE = 0,
+
+       /**
+        * Computed as specified in section 2.15 of RFC using
+        * an RSA private key over a PKCS#1 padded hash.
+        */
+       AUTH_RSA = 1,
+
+       /**
+        * Computed as specified in section 2.15 of RFC using the
+        * shared key associated with the identity in the ID payload
+        * and the negotiated prf function
+        */
+       AUTH_PSK = 2,
+
+       /**
+        * Computed as specified in section 2.15 of RFC using a
+        * DSS private key over a SHA-1 hash.
+        */
+       AUTH_DSS = 3,
+
+       /**
+        * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
+        */
+       AUTH_ECDSA_256 = 9,
+
+       /**
+        * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
+        */
+       AUTH_ECDSA_384 = 10,
+
+       /**
+        * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
+        */
+       AUTH_ECDSA_521 = 11,
+
+       /**
+        * IKEv1 initiator XAUTH with PSK, outside of IANA range
+        */
+       AUTH_XAUTH_INIT_PSK = 256,
+
+       /**
+        * IKEv1 responder XAUTH with PSK, outside of IANA range
+        */
+       AUTH_XAUTH_RESP_PSK,
+
+       /**
+        * IKEv1 initiator XAUTH with RSA, outside of IANA range
+        */
+       AUTH_XAUTH_INIT_RSA,
+
+       /**
+        * IKEv1 responder XAUTH with RSA, outside of IANA range
+        */
+       AUTH_XAUTH_RESP_RSA,
+
+       /**
+        * IKEv1 initiator XAUTH, responder RSA, outside of IANA range
+        */
+       AUTH_HYBRID_INIT_RSA,
+
+       /**
+        * IKEv1 responder XAUTH, initiator RSA, outside of IANA range
+        */
+       AUTH_HYBRID_RESP_RSA,
+};
+
+/**
+ * enum names for auth_method_t.
+ */
+extern enum_name_t *auth_method_names;
+
+/**
+ * Authenticator interface implemented by the various authenticators.
+ *
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
+ */
+struct authenticator_t {
+
+       /**
+        * Process an incoming message using the authenticator.
+        *
+        * @param message               message containing authentication payloads
+        * @return
+        *                                              - SUCCESS if authentication successful
+        *                                              - FAILED if authentication failed
+        *                                              - NEED_MORE if another exchange required
+        */
+       status_t (*process)(authenticator_t *this, message_t *message);
+
+       /**
+        * Attach authentication data to an outgoing message.
+        *
+        * @param message               message to add authentication data to
+        * @return
+        *                                              - SUCCESS if authentication successful
+        *                                              - FAILED if authentication failed
+        *                                              - NEED_MORE if another exchange required
+        */
+       status_t (*build)(authenticator_t *this, message_t *message);
+
+       /**
+        * Check if the authenticator is capable of mutual authentication.
+        *
+        * Some authenticator authenticate both peers, e.g. EAP. To support
+        * mutual authentication with only a single authenticator (EAP-only
+        * authentication), it must be mutual. This method is invoked in ike_auth
+        * to check if the given authenticator is capable of doing so.
+        */
+       bool (*is_mutual)(authenticator_t *this);
+
+       /**
+        * Destroy authenticator instance.
+        */
+       void (*destroy) (authenticator_t *this);
+};
+
+/**
+ * Create an IKEv2 authenticator to build signatures.
+ *
+ * @param ike_sa                       associated ike_sa
+ * @param cfg                          authentication configuration
+ * @param received_nonce       nonce received in IKE_SA_INIT
+ * @param sent_nonce           nonce sent in IKE_SA_INIT
+ * @param received_init                received IKE_SA_INIT message data
+ * @param sent_init                    sent IKE_SA_INIT message data
+ * @param reserved                     reserved bytes of the ID payload
+ * @return                                     authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_builder(
+                                                                       ike_sa_t *ike_sa, auth_cfg_t *cfg,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init,
+                                                                       char reserved[3]);
+
+/**
+ * Create an IKEv2 authenticator to verify signatures.
+ *
+ * @param ike_sa                       associated ike_sa
+ * @param message                      message containing authentication data
+ * @param received_nonce       nonce received in IKE_SA_INIT
+ * @param sent_nonce           nonce sent in IKE_SA_INIT
+ * @param received_init                received IKE_SA_INIT message data
+ * @param sent_init                    sent IKE_SA_INIT message data
+ * @param reserved                     reserved bytes of the ID payload
+ * @return                                     authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_verifier(
+                                                                       ike_sa_t *ike_sa, message_t *message,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init,
+                                                                       char reserved[3]);
+
+/**
+ * Create an IKEv1 authenticator to build and verify signatures or hash
+ * payloads.
+ *
+ * @note Due to the fixed ID, these authenticators can only be used in one
+ * direction at a time.
+ *
+ * @param ike_sa                       associated IKE_SA
+ * @param initiator                    TRUE if we are the IKE_SA initiator
+ * @param auth_method          negotiated authentication method to use
+ * @param dh                           diffie hellman key exchange
+ * @param dh_value                     others public diffie hellman value
+ * @param sa_payload           generated SA payload data, without payload header
+ * @param id_payload           encoded ID payload of peer to authenticate or verify
+ *                                                     without payload header (gets owned)
+ * @return                                     authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
+                                                               auth_method_t auth_method, diffie_hellman_t *dh,
+                                                               chunk_t dh_value, chunk_t sa_payload,
+                                                               chunk_t id_payload);
+
+#endif /** AUTHENTICATOR_H_ @}*/
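Review bot: The Doxygen header `@{ @ingroup authenticators` near the top of the new sa/authenticator.h still names the group of the sa/authenticators/ directory this header is being moved out of, and that directory's files are deleted in this same commit; with the header now living in sa/, the group line should follow the move, e.g. `@{ @ingroup sa`, so the authenticator documentation does not end up attached to a dangling group. The enum comment `Method to use for authentication, as defined in IKEv2.` is likewise only half true after the move, since the constants from AUTH_XAUTH_INIT_PSK onward are documented in their own comments as IKEv1-only values outside the IANA range; a wording such as `Method to use for authentication. Values up to AUTH_ECDSA_521 are the IKEv2 AUTH payload methods, values from 256 on are private IKEv1 extensions outside of the IANA range.` would make that visible at the enum rather than only per member. The content is otherwise byte-identical to the deleted copy (same blob index), so no functional review applies.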
diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c
deleted file mode 100644 (file)
index 73029b9..0000000
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "authenticator.h"
-
-#include <sa/authenticators/pubkey_authenticator.h>
-#include <sa/authenticators/psk_authenticator.h>
-#include <sa/authenticators/eap_authenticator.h>
-#include <sa/authenticators/psk_v1_authenticator.h>
-#include <sa/authenticators/pubkey_v1_authenticator.h>
-#include <sa/authenticators/hybrid_authenticator.h>
-#include <encoding/payloads/auth_payload.h>
-
-
-ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
-       "RSA signature",
-       "pre-shared key",
-       "DSS signature");
-ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
-       "ECDSA-256 signature",
-       "ECDSA-384 signature",
-       "ECDSA-521 signature");
-ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_ECDSA_521,
-       "XAuthInitPSK",
-       "XAuthRespPSK",
-       "XAuthInitRSA",
-       "XauthRespRSA",
-       "HybridInitRSA",
-       "HybridRespRSA",
-);
-ENUM_END(auth_method_names, AUTH_HYBRID_RESP_RSA);
-
-/**
- * Described in header.
- */
-authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
-                                                                       chunk_t received_nonce, chunk_t sent_nonce,
-                                                                       chunk_t received_init, chunk_t sent_init,
-                                                                       char reserved[3])
-{
-       switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
-       {
-               case AUTH_CLASS_ANY:
-                       /* defaults to PUBKEY */
-               case AUTH_CLASS_PUBKEY:
-                       return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
-                                                                               received_nonce, sent_init, reserved);
-               case AUTH_CLASS_PSK:
-                       return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
-                                                                               received_nonce, sent_init, reserved);
-               case AUTH_CLASS_EAP:
-                       return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
-                                                                               received_nonce, sent_nonce,
-                                                                               received_init, sent_init, reserved);
-               default:
-                       return NULL;
-       }
-}
-
-/**
- * Described in header.
- */
-authenticator_t *authenticator_create_verifier(
-                                                                       ike_sa_t *ike_sa, message_t *message,
-                                                                       chunk_t received_nonce, chunk_t sent_nonce,
-                                                                       chunk_t received_init, chunk_t sent_init,
-                                                                       char reserved[3])
-{
-       auth_payload_t *auth_payload;
-
-       auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-       if (auth_payload == NULL)
-       {
-               return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
-                                                                               received_nonce, sent_nonce,
-                                                                               received_init, sent_init, reserved);
-       }
-       switch (auth_payload->get_auth_method(auth_payload))
-       {
-               case AUTH_RSA:
-               case AUTH_ECDSA_256:
-               case AUTH_ECDSA_384:
-               case AUTH_ECDSA_521:
-                       return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
-                                                                               sent_nonce, received_init, reserved);
-               case AUTH_PSK:
-                       return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
-                                                                               sent_nonce, received_init, reserved);
-               default:
-                       return NULL;
-       }
-}
-
-/**
- * Described in header.
- */
-authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
-                                                               auth_method_t auth_method, diffie_hellman_t *dh,
-                                                               chunk_t dh_value, chunk_t sa_payload,
-                                                               chunk_t id_payload)
-{
-       switch (auth_method)
-       {
-               case AUTH_PSK:
-               case AUTH_XAUTH_INIT_PSK:
-               case AUTH_XAUTH_RESP_PSK:
-                       return (authenticator_t*)psk_v1_authenticator_create(ike_sa,
-                                                                               initiator, dh, dh_value, sa_payload,
-                                                                               id_payload);
-               case AUTH_RSA:
-               case AUTH_XAUTH_INIT_RSA:
-               case AUTH_XAUTH_RESP_RSA:
-                       return (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
-                                                                               initiator, dh, dh_value, sa_payload,
-                                                                               id_payload);
-               case AUTH_HYBRID_INIT_RSA:
-               case AUTH_HYBRID_RESP_RSA:
-                       return (authenticator_t*)hybrid_authenticator_create(ike_sa,
-                                                                               initiator, dh, dh_value, sa_payload,
-                                                                               id_payload);
-               default:
-                       return NULL;
-       }
-}
diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h
deleted file mode 100644 (file)
index 3af9391..0000000
+++ /dev/null
@@ -1,218 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup authenticator authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef AUTHENTICATOR_H_
-#define AUTHENTICATOR_H_
-
-typedef enum auth_method_t auth_method_t;
-typedef struct authenticator_t authenticator_t;
-
-#include <library.h>
-#include <credentials/auth_cfg.h>
-#include <sa/ike_sa.h>
-
-/**
- * Method to use for authentication, as defined in IKEv2.
- */
-enum auth_method_t {
-
-       /**
-        * No authentication used.
-        */
-       AUTH_NONE = 0,
-
-       /**
-        * Computed as specified in section 2.15 of RFC using
-        * an RSA private key over a PKCS#1 padded hash.
-        */
-       AUTH_RSA = 1,
-
-       /**
-        * Computed as specified in section 2.15 of RFC using the
-        * shared key associated with the identity in the ID payload
-        * and the negotiated prf function
-        */
-       AUTH_PSK = 2,
-
-       /**
-        * Computed as specified in section 2.15 of RFC using a
-        * DSS private key over a SHA-1 hash.
-        */
-       AUTH_DSS = 3,
-
-       /**
-        * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
-        */
-       AUTH_ECDSA_256 = 9,
-
-       /**
-        * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
-        */
-       AUTH_ECDSA_384 = 10,
-
-       /**
-        * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
-        */
-       AUTH_ECDSA_521 = 11,
-
-       /**
-        * IKEv1 initiator XAUTH with PSK, outside of IANA range
-        */
-       AUTH_XAUTH_INIT_PSK = 256,
-
-       /**
-        * IKEv1 responder XAUTH with PSK, outside of IANA range
-        */
-       AUTH_XAUTH_RESP_PSK,
-
-       /**
-        * IKEv1 initiator XAUTH with RSA, outside of IANA range
-        */
-       AUTH_XAUTH_INIT_RSA,
-
-       /**
-        * IKEv1 responder XAUTH with RSA, outside of IANA range
-        */
-       AUTH_XAUTH_RESP_RSA,
-
-       /**
-        * IKEv1 initiator XAUTH, responder RSA, outside of IANA range
-        */
-       AUTH_HYBRID_INIT_RSA,
-
-       /**
-        * IKEv1 responder XAUTH, initiator RSA, outside of IANA range
-        */
-       AUTH_HYBRID_RESP_RSA,
-};
-
-/**
- * enum names for auth_method_t.
- */
-extern enum_name_t *auth_method_names;
-
-/**
- * Authenticator interface implemented by the various authenticators.
- *
- * An authenticator implementation handles AUTH and EAP payloads. Received
- * messages are passed to the process() method, to send authentication data
- * the message is passed to the build() method.
- */
-struct authenticator_t {
-
-       /**
-        * Process an incoming message using the authenticator.
-        *
-        * @param message               message containing authentication payloads
-        * @return
-        *                                              - SUCCESS if authentication successful
-        *                                              - FAILED if authentication failed
-        *                                              - NEED_MORE if another exchange required
-        */
-       status_t (*process)(authenticator_t *this, message_t *message);
-
-       /**
-        * Attach authentication data to an outgoing message.
-        *
-        * @param message               message to add authentication data to
-        * @return
-        *                                              - SUCCESS if authentication successful
-        *                                              - FAILED if authentication failed
-        *                                              - NEED_MORE if another exchange required
-        */
-       status_t (*build)(authenticator_t *this, message_t *message);
-
-       /**
-        * Check if the authenticator is capable of mutual authentication.
-        *
-        * Some authenticator authenticate both peers, e.g. EAP. To support
-        * mutual authentication with only a single authenticator (EAP-only
-        * authentication), it must be mutual. This method is invoked in ike_auth
-        * to check if the given authenticator is capable of doing so.
-        */
-       bool (*is_mutual)(authenticator_t *this);
-
-       /**
-        * Destroy authenticator instance.
-        */
-       void (*destroy) (authenticator_t *this);
-};
-
-/**
- * Create an IKEv2 authenticator to build signatures.
- *
- * @param ike_sa                       associated ike_sa
- * @param cfg                          authentication configuration
- * @param received_nonce       nonce received in IKE_SA_INIT
- * @param sent_nonce           nonce sent in IKE_SA_INIT
- * @param received_init                received IKE_SA_INIT message data
- * @param sent_init                    sent IKE_SA_INIT message data
- * @param reserved                     reserved bytes of the ID payload
- * @return                                     authenticator, NULL if not supported
- */
-authenticator_t *authenticator_create_builder(
-                                                                       ike_sa_t *ike_sa, auth_cfg_t *cfg,
-                                                                       chunk_t received_nonce, chunk_t sent_nonce,
-                                                                       chunk_t received_init, chunk_t sent_init,
-                                                                       char reserved[3]);
-
-/**
- * Create an IKEv2 authenticator to verify signatures.
- *
- * @param ike_sa                       associated ike_sa
- * @param message                      message containing authentication data
- * @param received_nonce       nonce received in IKE_SA_INIT
- * @param sent_nonce           nonce sent in IKE_SA_INIT
- * @param received_init                received IKE_SA_INIT message data
- * @param sent_init                    sent IKE_SA_INIT message data
- * @param reserved                     reserved bytes of the ID payload
- * @return                                     authenticator, NULL if not supported
- */
-authenticator_t *authenticator_create_verifier(
-                                                                       ike_sa_t *ike_sa, message_t *message,
-                                                                       chunk_t received_nonce, chunk_t sent_nonce,
-                                                                       chunk_t received_init, chunk_t sent_init,
-                                                                       char reserved[3]);
-
-/**
- * Create an IKEv1 authenticator to build and verify signatures or hash
- * payloads.
- *
- * @note Due to the fixed ID, these authenticators can only be used in one
- * direction at a time.
- *
- * @param ike_sa                       associated IKE_SA
- * @param initiator                    TRUE if we are the IKE_SA initiator
- * @param auth_method          negotiated authentication method to use
- * @param dh                           diffie hellman key exchange
- * @param dh_value                     others public diffie hellman value
- * @param sa_payload           generated SA payload data, without payload header
- * @param id_payload           encoded ID payload of peer to authenticate or verify
- *                                                     without payload header (gets owned)
- * @return                                     authenticator, NULL if not supported
- */
-authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
-                                                               auth_method_t auth_method, diffie_hellman_t *dh,
-                                                               chunk_t dh_value, chunk_t sa_payload,
-                                                               chunk_t id_payload);
-
-#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.c b/src/libcharon/sa/authenticators/eap/eap_manager.c
deleted file mode 100644 (file)
index bc2c4a6..0000000
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_manager.h"
-
-#include <utils/linked_list.h>
-#include <threading/rwlock.h>
-
-typedef struct private_eap_manager_t private_eap_manager_t;
-typedef struct eap_entry_t eap_entry_t;
-
-/**
- * EAP constructor entry
- */
-struct eap_entry_t {
-
-       /**
-        * EAP method type, vendor specific if vendor is set
-        */
-       eap_type_t type;
-
-       /**
-        * vendor ID, 0 for default EAP methods
-        */
-       u_int32_t vendor;
-
-       /**
-        * Role of the method returned by the constructor, EAP_SERVER or EAP_PEER
-        */
-       eap_role_t role;
-
-       /**
-        * constructor function to create instance
-        */
-       eap_constructor_t constructor;
-};
-
-/**
- * private data of eap_manager
- */
-struct private_eap_manager_t {
-
-       /**
-        * public functions
-        */
-       eap_manager_t public;
-
-       /**
-        * list of eap_entry_t's
-        */
-       linked_list_t *methods;
-
-       /**
-        * rwlock to lock methods
-        */
-       rwlock_t *lock;
-};
-
-METHOD(eap_manager_t, add_method, void,
-       private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
-       eap_role_t role, eap_constructor_t constructor)
-{
-       eap_entry_t *entry = malloc_thing(eap_entry_t);
-
-       entry->type = type;
-       entry->vendor = vendor;
-       entry->role = role;
-       entry->constructor = constructor;
-
-       this->lock->write_lock(this->lock);
-       this->methods->insert_last(this->methods, entry);
-       this->lock->unlock(this->lock);
-}
-
-METHOD(eap_manager_t, remove_method, void,
-       private_eap_manager_t *this, eap_constructor_t constructor)
-{
-       enumerator_t *enumerator;
-       eap_entry_t *entry;
-
-       this->lock->write_lock(this->lock);
-       enumerator = this->methods->create_enumerator(this->methods);
-       while (enumerator->enumerate(enumerator, &entry))
-       {
-               if (constructor == entry->constructor)
-               {
-                       this->methods->remove_at(this->methods, enumerator);
-                       free(entry);
-               }
-       }
-       enumerator->destroy(enumerator);
-       this->lock->unlock(this->lock);
-}
-
-METHOD(eap_manager_t, create_instance, eap_method_t*,
-       private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
-       eap_role_t role, identification_t *server, identification_t *peer)
-{
-       enumerator_t *enumerator;
-       eap_entry_t *entry;
-       eap_method_t *method = NULL;
-
-       this->lock->read_lock(this->lock);
-       enumerator = this->methods->create_enumerator(this->methods);
-       while (enumerator->enumerate(enumerator, &entry))
-       {
-               if (type == entry->type && vendor == entry->vendor &&
-                       role == entry->role)
-               {
-                       method = entry->constructor(server, peer);
-                       if (method)
-                       {
-                               break;
-                       }
-               }
-       }
-       enumerator->destroy(enumerator);
-       this->lock->unlock(this->lock);
-       return method;
-}
-
-METHOD(eap_manager_t, destroy, void,
-       private_eap_manager_t *this)
-{
-       this->methods->destroy_function(this->methods, free);
-       this->lock->destroy(this->lock);
-       free(this);
-}
-
-/*
- * See header
- */
-eap_manager_t *eap_manager_create()
-{
-       private_eap_manager_t *this;
-
-       INIT(this,
-                       .public = {
-                               .add_method = _add_method,
-                               .remove_method = _remove_method,
-                               .create_instance = _create_instance,
-                               .destroy = _destroy,
-                       },
-                       .methods = linked_list_create(),
-                       .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-       );
-
-       return &this->public;
-}
-
diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.h b/src/libcharon/sa/authenticators/eap/eap_manager.h
deleted file mode 100644 (file)
index 0333fb6..0000000
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_manager eap_manager
- * @{ @ingroup eap
- */
-
-#ifndef EAP_MANAGER_H_
-#define EAP_MANAGER_H_
-
-#include <sa/authenticators/eap/eap_method.h>
-
-typedef struct eap_manager_t eap_manager_t;
-
-/**
- * The EAP manager manages all EAP implementations and creates instances.
- *
- * A plugin registers it's implemented EAP method at the manager by
- * providing type and a contructor function. The manager then instanciates
- * eap_method_t instances through the provided constructor to handle
- * EAP authentication.
- */
-struct eap_manager_t {
-
-       /**
-        * Register a EAP method implementation.
-        *
-        * @param method                vendor specific method, if vendor != 0
-        * @param vendor                vendor ID, 0 for non-vendor (default) EAP methods
-        * @param role                  EAP role of the registered method
-        * @param constructor   constructor function, returns an eap_method_t
-        */
-       void (*add_method)(eap_manager_t *this, eap_type_t type, u_int32_t vendor,
-                                          eap_role_t role, eap_constructor_t constructor);
-
-       /**
-        * Unregister a EAP method implementation using it's constructor.
-        *
-        * @param constructor   constructor function to remove, as added in add_method
-        */
-       void (*remove_method)(eap_manager_t *this, eap_constructor_t constructor);
-
-       /**
-        * Create a new EAP method instance.
-        *
-        * @param type                  type of the EAP method
-        * @param vendor                vendor ID, 0 for non-vendor (default) EAP methods
-        * @param role                  role of EAP method, either EAP_SERVER or EAP_PEER
-        * @param server                identity of the server
-        * @param peer                  identity of the peer (client)
-        * @return                              EAP method instance, NULL if no constructor found
-        */
-       eap_method_t* (*create_instance)(eap_manager_t *this, eap_type_t type,
-                                                                        u_int32_t vendor, eap_role_t role,
-                                                                        identification_t *server,
-                                                                        identification_t *peer);
-
-       /**
-        * Destroy a eap_manager instance.
-        */
-       void (*destroy)(eap_manager_t *this);
-};
-
-/**
- * Create a eap_manager instance.
- */
-eap_manager_t *eap_manager_create();
-
-#endif /** EAP_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c
deleted file mode 100644 (file)
index a05e8c5..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_method.h"
-
-#include <daemon.h>
-
-ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
-       "EAP_SERVER",
-       "EAP_PEER",
-);
-
-/**
- * See header
- */
-bool eap_method_register(plugin_t *plugin, plugin_feature_t *feature,
-                                                bool reg, void *data)
-{
-       if (reg)
-       {
-               charon->eap->add_method(charon->eap, feature->arg.eap, 0,
-                                       feature->type == FEATURE_EAP_SERVER ? EAP_SERVER : EAP_PEER,
-                                       (eap_constructor_t)data);
-       }
-       else
-       {
-               charon->eap->remove_method(charon->eap, (eap_constructor_t)data);
-       }
-       return TRUE;
-}
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h
deleted file mode 100644 (file)
index 6242a5a..0000000
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_method eap_method
- * @{ @ingroup eap
- */
-
-#ifndef EAP_METHOD_H_
-#define EAP_METHOD_H_
-
-typedef struct eap_method_t eap_method_t;
-typedef enum eap_role_t eap_role_t;
-
-#include <library.h>
-#include <plugins/plugin.h>
-#include <utils/identification.h>
-#include <eap/eap.h>
-#include <encoding/payloads/eap_payload.h>
-
-/**
- * Role of an eap_method, SERVER or PEER (client)
- */
-enum eap_role_t {
-       EAP_SERVER,
-       EAP_PEER,
-};
-/**
- * enum names for eap_role_t.
- */
-extern enum_name_t *eap_role_names;
-
-/**
- * Interface of an EAP method for server and client side.
- *
- * An EAP method initiates an EAP exchange and processes requests and
- * responses. An EAP method may need multiple exchanges before succeeding, and
- * the eap_authentication may use multiple EAP methods to authenticate a peer.
- * To accomplish these requirements, all EAP methods have their own
- * implementation while the eap_authenticatior uses one or more of these
- * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
- * of the method, the eap_authenticator does this.
- * An EAP method may establish a MSK, this is used the complete the
- * authentication. Even if a mutual EAP method is used, the traditional
- * AUTH payloads are required. Only these include the nonces and messages from
- * ike_sa_init and therefore prevent man in the middle attacks.
- * The EAP method must use an initial EAP identifier value != 0, as a preceding
- * EAP-Identity exchange always uses identifier 0.
- */
-struct eap_method_t {
-
-       /**
-        * Initiate the EAP exchange.
-        *
-        * initiate() is only useable for server implementations, as clients only
-        * reply to server requests.
-        * A eap_payload is created in "out" if result is NEED_MORE.
-        *
-        * @param out           eap_payload to send to the client
-        * @return
-        *                                      - NEED_MORE, if an other exchange is required
-        *                                      - FAILED, if unable to create eap request payload
-        */
-       status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
-
-       /**
-        * Process a received EAP message.
-        *
-        * A eap_payload is created in "out" if result is NEED_MORE.
-        *
-        * @param in            eap_payload response received
-        * @param out           created eap_payload to send
-        * @return
-        *                                      - NEED_MORE, if an other exchange is required
-        *                                      - FAILED, if EAP method failed
-        *                                      - SUCCESS, if EAP method succeeded
-        */
-       status_t (*process) (eap_method_t *this, eap_payload_t *in,
-                                                eap_payload_t **out);
-
-       /**
-        * Get the EAP type implemented in this method.
-        *
-        * @param vendor        pointer receiving vendor identifier for type, 0 for none
-        * @return                      type of the EAP method
-        */
-       eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
-
-       /**
-        * Check if this EAP method authenticates the server.
-        *
-        * Some EAP methods provide mutual authentication and
-        * allow authentication using only EAP, if the peer supports it.
-        *
-        * @return                      TRUE if methods provides mutual authentication
-        */
-       bool (*is_mutual) (eap_method_t *this);
-
-       /**
-        * Get the MSK established by this EAP method.
-        *
-        * Not all EAP methods establish a shared secret. For implementations of
-        * the EAP-Identity method, get_msk() returns the received identity.
-        *
-        * @param msk                   chunk receiving internal stored MSK
-        * @return
-        *                                              - SUCCESS, or
-        *                                              - FAILED, if MSK not established (yet)
-        */
-       status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
-
-       /**
-        * Get the current EAP identifier.
-        *
-        * @return                              current EAP identifier
-        */
-       u_int8_t (*get_identifier) (eap_method_t *this);
-
-       /**
-        * Set the EAP identifier to a deterministic value, overwriting
-        * the randomly initialized default value.
-        *
-        * @param identifier    current EAP identifier
-        */
-       void (*set_identifier) (eap_method_t *this, u_int8_t identifier);
-
-       /**
-        * Destroys a eap_method_t object.
-        */
-       void (*destroy) (eap_method_t *this);
-};
-
-/**
- * Constructor definition for a pluggable EAP method.
- *
- * Each EAP module must define a constructor function which will return
- * an initialized object with the methods defined in eap_method_t.
- * Constructors for server and peers are identical, to support both roles
- * of a EAP method, a plugin needs register two constructors in the
- * eap_manager_t.
- * The passed identites are of type ID_EAP and valid only during the
- * constructor invocation.
- *
- * @param server               ID of the server to use for credential lookup
- * @param peer                 ID of the peer to use for credential lookup
- * @return                             implementation of the eap_method_t interface
- */
-typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
-                                                                                  identification_t *peer);
-
-/**
- * Helper function to (un-)register EAP methods from plugin features.
- *
- * This function is a plugin_feature_callback_t and can be used with the
- * PLUGIN_CALLBACK macro to register a EAP method constructor.
- *
- * @param plugin               plugin registering the EAP method constructor
- * @param feature              associated plugin feature
- * @param reg                  TRUE to register, FALSE to unregister.
- * @param data                 data passed to callback, an eap_constructor_t
- */
-bool eap_method_register(plugin_t *plugin, plugin_feature_t *feature,
-                                                bool reg, void *data);
-
-#endif /** EAP_METHOD_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
deleted file mode 100644 (file)
index d36d544..0000000
+++ /dev/null
@@ -1,710 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "eap_authenticator.h"
-
-#include <daemon.h>
-#include <sa/keymat_v2.h>
-#include <sa/authenticators/eap/eap_method.h>
-#include <encoding/payloads/auth_payload.h>
-#include <encoding/payloads/eap_payload.h>
-
-typedef struct private_eap_authenticator_t private_eap_authenticator_t;
-
-/**
- * Private data of an eap_authenticator_t object.
- */
-struct private_eap_authenticator_t {
-
-       /**
-        * Public authenticator_t interface.
-        */
-       eap_authenticator_t public;
-
-       /**
-        * Assigned IKE_SA
-        */
-       ike_sa_t *ike_sa;
-
-       /**
-        * others nonce to include in AUTH calculation
-        */
-       chunk_t received_nonce;
-
-       /**
-        * our nonce to include in AUTH calculation
-        */
-       chunk_t sent_nonce;
-
-       /**
-        * others IKE_SA_INIT message data to include in AUTH calculation
-        */
-       chunk_t received_init;
-
-       /**
-        * our IKE_SA_INIT message data to include in AUTH calculation
-        */
-       chunk_t sent_init;
-
-       /**
-        * Reserved bytes of ID payload
-        */
-       char reserved[3];
-
-       /**
-        * Current EAP method processing
-        */
-       eap_method_t *method;
-
-       /**
-        * MSK used to build and verify auth payload
-        */
-       chunk_t msk;
-
-       /**
-        * EAP authentication method completed successfully
-        */
-       bool eap_complete;
-
-       /**
-        * Set if we require mutual EAP due EAP-only authentication
-        */
-       bool require_mutual;
-
-       /**
-        * authentication payload verified successfully
-        */
-       bool auth_complete;
-
-       /**
-        * generated EAP payload
-        */
-       eap_payload_t *eap_payload;
-
-       /**
-        * EAP identity of peer
-        */
-       identification_t *eap_identity;
-};
-
-/**
- * load an EAP method
- */
-static eap_method_t *load_method(private_eap_authenticator_t *this,
-                                                       eap_type_t type, u_int32_t vendor, eap_role_t role)
-{
-       identification_t *server, *peer, *aaa;
-       auth_cfg_t *auth;
-
-       if (role == EAP_SERVER)
-       {
-               server = this->ike_sa->get_my_id(this->ike_sa);
-               peer = this->ike_sa->get_other_id(this->ike_sa);
-               auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       }
-       else
-       {
-               server = this->ike_sa->get_other_id(this->ike_sa);
-               peer = this->ike_sa->get_my_id(this->ike_sa);
-               auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-       }
-       if (this->eap_identity)
-       {
-               peer = this->eap_identity;
-       }
-       aaa = auth->get(auth, AUTH_RULE_AAA_IDENTITY);
-       if (aaa)
-       {
-               server = aaa;
-       }
-       return charon->eap->create_instance(charon->eap, type, vendor,
-                                                                               role, server, peer);
-}
-
-/**
- * Initiate EAP conversation as server
- */
-static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
-                                                                                 bool do_identity)
-{
-       auth_cfg_t *auth;
-       eap_type_t type;
-       identification_t *id;
-       u_int32_t vendor;
-       eap_payload_t *out;
-       char *action;
-
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-
-       /* initiate EAP-Identity exchange if required */
-       if (!this->eap_identity && do_identity)
-       {
-               id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
-               if (id)
-               {
-                       if (id->get_type(id) == ID_ANY)
-                       {
-                               this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
-                               if (this->method)
-                               {
-                                       if (this->method->initiate(this->method, &out) == NEED_MORE)
-                                       {
-                                               DBG1(DBG_IKE, "initiating %N method (id 0x%02X)",
-                                                        eap_type_names, EAP_IDENTITY,
-                                                        this->method->get_identifier(this->method));
-                                               return out;
-                                       }
-                                       this->method->destroy(this->method);
-                               }
-                               DBG1(DBG_IKE, "EAP-Identity request configured, "
-                                        "but not supported");
-                       }
-                       else
-                       {
-                               DBG1(DBG_IKE, "using configured EAP-Identity %Y", id);
-                               this->eap_identity = id->clone(id);
-                       }
-               }
-       }
-       /* invoke real EAP method */
-       type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
-       vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
-       action = "loading";
-       this->method = load_method(this, type, vendor, EAP_SERVER);
-       if (this->method)
-       {
-               action = "initiating";
-               type = this->method->get_type(this->method, &vendor);
-               if (this->method->initiate(this->method, &out) == NEED_MORE)
-               {
-                       if (vendor)
-                       {
-                               DBG1(DBG_IKE, "initiating EAP vendor type %d-%d method (id 0x%02X)",
-                                        type, vendor, out->get_identifier(out));
-                       }
-                       else
-                       {
-                               DBG1(DBG_IKE, "initiating %N method (id 0x%02X)", eap_type_names,
-                                        type, out->get_identifier(out));
-                       }
-                       return out;
-               }
-       }
-       if (vendor)
-       {
-               DBG1(DBG_IKE, "%s EAP vendor type %d-%d method failed",
-                                         action, type, vendor);
-       }
-       else
-       {
-               DBG1(DBG_IKE, "%s %N method failed", action, eap_type_names, type);
-       }
-       return eap_payload_create_code(EAP_FAILURE, 0);
-}
-
-/**
- * Replace the existing EAP-Identity in other auth config
- */
-static void replace_eap_identity(private_eap_authenticator_t *this)
-{
-       enumerator_t *enumerator;
-       auth_rule_t rule;
-       auth_cfg_t *cfg;
-       void *ptr;
-
-       cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       enumerator = cfg->create_enumerator(cfg);
-       while (enumerator->enumerate(enumerator, &rule, &ptr))
-       {
-               if (rule == AUTH_RULE_EAP_IDENTITY)
-               {
-                       cfg->replace(cfg, enumerator, AUTH_RULE_EAP_IDENTITY,
-                                                this->eap_identity->clone(this->eap_identity));
-                       break;
-               }
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
- * Handle EAP exchange as server
- */
-static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
-                                                                                eap_payload_t *in)
-{
-       eap_type_t type, received_type;
-       u_int32_t vendor, received_vendor;
-       eap_payload_t *out;
-
-       if (in->get_code(in) != EAP_RESPONSE)
-       {
-               DBG1(DBG_IKE, "received %N, sending %N",
-                        eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE);
-               return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
-       }
-
-       type = this->method->get_type(this->method, &vendor);
-       received_type = in->get_type(in, &received_vendor);
-       if (type != received_type || vendor != received_vendor)
-       {
-               if (received_vendor == 0 && received_type == EAP_NAK)
-               {
-                       DBG1(DBG_IKE, "received %N, sending %N",
-                                eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
-               }
-               else
-               {
-                       DBG1(DBG_IKE, "received invalid EAP response, sending %N",
-                                eap_code_names, EAP_FAILURE);
-               }
-               return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
-       }
-
-       switch (this->method->process(this->method, in, &out))
-       {
-               case NEED_MORE:
-                       return out;
-               case SUCCESS:
-                       if (!vendor && type == EAP_IDENTITY)
-                       {
-                               chunk_t data;
-
-                               if (this->method->get_msk(this->method, &data) == SUCCESS)
-                               {
-                                       this->eap_identity = identification_create_from_data(data);
-                                       DBG1(DBG_IKE, "received EAP identity '%Y'",
-                                                this->eap_identity);
-                                       replace_eap_identity(this);
-                               }
-                               /* restart EAP exchange, but with real method */
-                               this->method->destroy(this->method);
-                               return server_initiate_eap(this, FALSE);
-                       }
-                       if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
-                       {
-                               this->msk = chunk_clone(this->msk);
-                       }
-                       if (vendor)
-                       {
-                               DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
-                                        "%sMSK established", type, vendor,
-                                        this->msk.ptr ? "" : "no ");
-                       }
-                       else
-                       {
-                               DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
-                                        eap_type_names, type, this->msk.ptr ? "" : "no ");
-                       }
-                       this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED,
-                                                                               TRUE);
-                       this->eap_complete = TRUE;
-                       return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
-               case FAILED:
-               default:
-                       if (vendor)
-                       {
-                               DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
-                                        "peer %Y", type, vendor,
-                                        this->ike_sa->get_other_id(this->ike_sa));
-                       }
-                       else
-                       {
-                               DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
-                                        eap_type_names, type,
-                                        this->ike_sa->get_other_id(this->ike_sa));
-                       }
-                       return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
-       }
-}
-
-/**
- * Processing method for a peer
- */
-static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
-                                                                                eap_payload_t *in)
-{
-       eap_type_t type;
-       u_int32_t vendor;
-       auth_cfg_t *auth;
-       eap_payload_t *out;
-       identification_t *id;
-
-       type = in->get_type(in, &vendor);
-
-       if (!vendor && type == EAP_IDENTITY)
-       {
-               DESTROY_IF(this->eap_identity);
-               auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-               id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
-               if (!id || id->get_type(id) == ID_ANY)
-               {
-                       id = this->ike_sa->get_my_id(this->ike_sa);
-               }
-               DBG1(DBG_IKE, "server requested %N (id 0x%02X), sending '%Y'",
-                        eap_type_names, type, in->get_identifier(in), id);
-               this->eap_identity = id->clone(id);
-
-               this->method = load_method(this, type, vendor, EAP_PEER);
-               if (this->method)
-               {
-                       if (this->method->process(this->method, in, &out) == SUCCESS)
-                       {
-                               this->method->destroy(this->method);
-                               this->method = NULL;
-                               return out;
-                       }
-                       this->method->destroy(this->method);
-                       this->method = NULL;
-               }
-               DBG1(DBG_IKE, "%N not supported, sending EAP_NAK",
-                        eap_type_names, type);
-               return eap_payload_create_nak(in->get_identifier(in));
-       }
-       if (this->method == NULL)
-       {
-               if (vendor)
-               {
-                       DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d ",
-                                                 "(id 0x%02X)", type, vendor, in->get_identifier(in));
-               }
-               else
-               {
-                       DBG1(DBG_IKE, "server requested %N authentication (id 0x%02X)",
-                                eap_type_names, type, in->get_identifier(in));
-               }
-               this->method = load_method(this, type, vendor, EAP_PEER);
-               if (!this->method)
-               {
-                       DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
-                       return eap_payload_create_nak(in->get_identifier(in));
-               }
-       }
-
-       type = this->method->get_type(this->method, &vendor);
-
-       if (this->method->process(this->method, in, &out) == NEED_MORE)
-       {       /* client methods should never return SUCCESS */
-               return out;
-       }
-
-       if (vendor)
-       {
-               DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor);
-       }
-       else
-       {
-               DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
-       }
-       return NULL;
-}
-
-/**
- * Verify AUTH payload
- */
-static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
-                                               chunk_t nonce, chunk_t init)
-{
-       auth_payload_t *auth_payload;
-       chunk_t auth_data, recv_auth_data;
-       identification_t *other_id;
-       auth_cfg_t *auth;
-       keymat_v2_t *keymat;
-
-       auth_payload = (auth_payload_t*)message->get_payload(message,
-                                                                                                                AUTHENTICATION);
-       if (!auth_payload)
-       {
-               DBG1(DBG_IKE, "AUTH payload missing");
-               return FALSE;
-       }
-       other_id = this->ike_sa->get_other_id(this->ike_sa);
-       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
-                                                                       this->msk, other_id, this->reserved);
-       recv_auth_data = auth_payload->get_data(auth_payload);
-       if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
-       {
-               DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed",
-                        this->msk.ptr ? "" : "out");
-               chunk_free(&auth_data);
-               return FALSE;
-       }
-       chunk_free(&auth_data);
-
-       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-                other_id, auth_class_names, AUTH_CLASS_EAP);
-       this->auth_complete = TRUE;
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-       return TRUE;
-}
-
-/**
- * Build AUTH payload
- */
-static void build_auth(private_eap_authenticator_t *this, message_t *message,
-                                          chunk_t nonce, chunk_t init)
-{
-       auth_payload_t *auth_payload;
-       identification_t *my_id;
-       chunk_t auth_data;
-       keymat_v2_t *keymat;
-
-       my_id = this->ike_sa->get_my_id(this->ike_sa);
-       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-
-       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
-                my_id, auth_class_names, AUTH_CLASS_EAP);
-
-       auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce,
-                                                                       this->msk, my_id, this->reserved);
-       auth_payload = auth_payload_create();
-       auth_payload->set_auth_method(auth_payload, AUTH_PSK);
-       auth_payload->set_data(auth_payload, auth_data);
-       message->add_payload(message, (payload_t*)auth_payload);
-       chunk_free(&auth_data);
-}
-
-METHOD(authenticator_t, process_server, status_t,
-       private_eap_authenticator_t *this, message_t *message)
-{
-       eap_payload_t *eap_payload;
-
-       if (this->eap_complete)
-       {
-               if (!verify_auth(this, message, this->sent_nonce, this->received_init))
-               {
-                       return FAILED;
-               }
-               return NEED_MORE;
-       }
-
-       if (!this->method)
-       {
-               this->eap_payload = server_initiate_eap(this, TRUE);
-       }
-       else
-       {
-               eap_payload = (eap_payload_t*)message->get_payload(message,
-                                                                                                       EXTENSIBLE_AUTHENTICATION);
-               if (!eap_payload)
-               {
-                       return FAILED;
-               }
-               this->eap_payload = server_process_eap(this, eap_payload);
-       }
-       return NEED_MORE;
-}
-
-METHOD(authenticator_t, build_server, status_t,
-       private_eap_authenticator_t *this, message_t *message)
-{
-       if (this->eap_payload)
-       {
-               eap_code_t code;
-
-               code = this->eap_payload->get_code(this->eap_payload);
-               message->add_payload(message, (payload_t*)this->eap_payload);
-               this->eap_payload = NULL;
-               if (code == EAP_FAILURE)
-               {
-                       return FAILED;
-               }
-               return NEED_MORE;
-       }
-       if (this->eap_complete && this->auth_complete)
-       {
-               build_auth(this, message, this->received_nonce, this->sent_init);
-               return SUCCESS;
-       }
-       return FAILED;
-}
-
-METHOD(authenticator_t, process_client, status_t,
-       private_eap_authenticator_t *this, message_t *message)
-{
-       eap_payload_t *eap_payload;
-
-       if (this->eap_complete)
-       {
-               if (!verify_auth(this, message, this->sent_nonce, this->received_init))
-               {
-                       return FAILED;
-               }
-               if (this->require_mutual && !this->method->is_mutual(this->method))
-               {       /* we require mutual authentication due to EAP-only */
-                       u_int32_t vendor;
-
-                       DBG1(DBG_IKE, "EAP-only authentication requires a mutual and "
-                                "MSK deriving EAP method, but %N is not",
-                                eap_type_names, this->method->get_type(this->method, &vendor));
-                       return FAILED;
-               }
-               return SUCCESS;
-       }
-
-       eap_payload = (eap_payload_t*)message->get_payload(message,
-                                                                                                       EXTENSIBLE_AUTHENTICATION);
-       if (eap_payload)
-       {
-               switch (eap_payload->get_code(eap_payload))
-               {
-                       case EAP_REQUEST:
-                       {
-                               this->eap_payload = client_process_eap(this, eap_payload);
-                               if (this->eap_payload)
-                               {
-                                       return NEED_MORE;
-                               }
-                               return FAILED;
-                       }
-                       case EAP_SUCCESS:
-                       {
-                               eap_type_t type;
-                               u_int32_t vendor;
-                               auth_cfg_t *cfg;
-
-                               if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
-                               {
-                                       this->msk = chunk_clone(this->msk);
-                               }
-                               type = this->method->get_type(this->method, &vendor);
-                               if (vendor)
-                               {
-                                       DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
-                                                "%sMSK established", type, vendor,
-                                                this->msk.ptr ? "" : "no ");
-                               }
-                               else
-                               {
-                                       DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
-                                                eap_type_names, type, this->msk.ptr ? "" : "no ");
-                               }
-                               cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-                               cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
-                               if (vendor)
-                               {
-                                       cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
-                               }
-                               this->eap_complete = TRUE;
-                               return NEED_MORE;
-                       }
-                       case EAP_FAILURE:
-                       default:
-                       {
-                               DBG1(DBG_IKE, "received %N, EAP authentication failed",
-                                        eap_code_names, eap_payload->get_code(eap_payload));
-                               return FAILED;
-                       }
-               }
-       }
-       return FAILED;
-}
-
-METHOD(authenticator_t, build_client, status_t,
-       private_eap_authenticator_t *this, message_t *message)
-{
-       if (this->eap_payload)
-       {
-               message->add_payload(message, (payload_t*)this->eap_payload);
-               this->eap_payload = NULL;
-               return NEED_MORE;
-       }
-       if (this->eap_complete)
-       {
-               build_auth(this, message, this->received_nonce, this->sent_init);
-               return NEED_MORE;
-       }
-       return NEED_MORE;
-}
-
-METHOD(authenticator_t, is_mutual, bool,
-       private_eap_authenticator_t *this)
-{
-       /* we don't know yet, but insist on it after EAP is complete */
-       this->require_mutual = TRUE;
-       return TRUE;
-}
-
-METHOD(authenticator_t, destroy, void,
-       private_eap_authenticator_t *this)
-{
-       DESTROY_IF(this->method);
-       DESTROY_IF(this->eap_payload);
-       DESTROY_IF(this->eap_identity);
-       chunk_free(&this->msk);
-       free(this);
-}
-
-/*
- * Described in header.
- */
-eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_nonce,
-                                                                       chunk_t received_init, chunk_t sent_init,
-                                                                       char reserved[3])
-{
-       private_eap_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .build = _build_client,
-                               .process = _process_client,
-                               .is_mutual = _is_mutual,
-                               .destroy = _destroy,
-                       },
-               },
-               .ike_sa = ike_sa,
-               .received_init = received_init,
-               .received_nonce = received_nonce,
-               .sent_init = sent_init,
-               .sent_nonce = sent_nonce,
-       );
-       memcpy(this->reserved, reserved, sizeof(this->reserved));
-
-       return &this->public;
-}
-
-/*
- * Described in header.
- */
-eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_nonce,
-                                                                       chunk_t received_init, chunk_t sent_init,
-                                                                       char reserved[3])
-{
-       private_eap_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .build = _build_server,
-                               .process = _process_server,
-                               .is_mutual = _is_mutual,
-                               .destroy = _destroy,
-                       },
-               },
-               .ike_sa = ike_sa,
-               .received_init = received_init,
-               .received_nonce = received_nonce,
-               .sent_init = sent_init,
-               .sent_nonce = sent_nonce,
-       );
-       memcpy(this->reserved, reserved, sizeof(this->reserved));
-
-       return &this->public;
-}
-
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.h b/src/libcharon/sa/authenticators/eap_authenticator.h
deleted file mode 100644 (file)
index 726411a..0000000
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup eap_authenticator eap_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef EAP_AUTHENTICATOR_H_
-#define EAP_AUTHENTICATOR_H_
-
-typedef struct eap_authenticator_t eap_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using EAP authentication.
- *
- * Authentication using EAP involves the most complex authenticator. It stays
- * alive over multiple ike_auth transactions and handles multiple EAP
- * messages.
- *
- * @verbatim
-                          ike_sa_init
-                   ------------------------->
-                   <-------------------------
-                 followed by multiple ike_auth:
-
-     +--------+                                +--------+
-     |  EAP   |       IDi, [IDr,] SA, TS       |  EAP   |
-     | client |  --------------------------->  | server |
-     |        |          ID, AUTH, EAP         |        |
-     |        |  <---------------------------  |        |
-     |        |              EAP               |        |
-     |        |  --------------------------->  |        |
-     |        |              EAP               |        |
-     |        |  <---------------------------  |        |
-     |        |              EAP               |        |
-     |        |  --------------------------->  |        |
-     |        |           EAP(SUCCESS)         |        |
-     |        |  <---------------------------  |        |
-     |        |              AUTH              |        |  If EAP establishes
-     |        |  --------------------------->  |        |  a session key, AUTH
-     |        |          AUTH, SA, TS          |        |  payloads use this
-     |        |  <---------------------------  |        |  key, not SK_pi/pr
-     +--------+                                +--------+
-
-   @endverbatim
- */
-struct eap_authenticator_t {
-
-       /**
-        * Implemented authenticator_t interface.
-        */
-       authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to authenticate against an EAP server.
- *
- * @param ike_sa                       associated ike_sa
- * @param received_nonce       nonce received in IKE_SA_INIT
- * @param sent_nonce           nonce sent in IKE_SA_INIT
- * @param received_init                received IKE_SA_INIT message data
- * @param sent_init                    sent IKE_SA_INIT message data
- * @param reserved                     reserved bytes of ID payload
- * @return                                     EAP authenticator
- */
-eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_nonce,
-                                                                       chunk_t received_init, chunk_t sent_init,
-                                                                       char reserved[3]);
-
-/**
- * Create an authenticator to authenticate EAP clients.
- *
- * @param ike_sa                       associated ike_sa
- * @param received_nonce       nonce received in IKE_SA_INIT
- * @param sent_nonce           nonce sent in IKE_SA_INIT
- * @param received_init                received IKE_SA_INIT message data
- * @param sent_init                    sent IKE_SA_INIT message data
- * @param reserved                     reserved bytes of ID payload
- * @return                                     EAP authenticator
- */
-eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_nonce,
-                                                                       chunk_t received_init, chunk_t sent_init,
-                                                                       char reserved[3]);
-
-#endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/hybrid_authenticator.c b/src/libcharon/sa/authenticators/hybrid_authenticator.c
deleted file mode 100644 (file)
index f1bc1ec..0000000
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "hybrid_authenticator.h"
-
-#include <daemon.h>
-
-typedef struct private_hybrid_authenticator_t private_hybrid_authenticator_t;
-
-/**
- * Private data of an hybrid_authenticator_t object.
- */
-struct private_hybrid_authenticator_t {
-
-       /**
-        * Public authenticator_t interface.
-        */
-       hybrid_authenticator_t public;
-
-       /**
-        * Public key authenticator
-        */
-       authenticator_t *sig;
-
-       /**
-        * HASH payload authenticator without credentials
-        */
-       authenticator_t *hash;
-};
-
-METHOD(authenticator_t, build_i, status_t,
-       private_hybrid_authenticator_t *this, message_t *message)
-{
-       return this->hash->build(this->hash, message);
-}
-
-METHOD(authenticator_t, process_r, status_t,
-       private_hybrid_authenticator_t *this, message_t *message)
-{
-       return this->hash->process(this->hash, message);
-}
-
-METHOD(authenticator_t, build_r, status_t,
-       private_hybrid_authenticator_t *this, message_t *message)
-{
-       return this->sig->build(this->sig, message);
-}
-
-METHOD(authenticator_t, process_i, status_t,
-       private_hybrid_authenticator_t *this, message_t *message)
-{
-       return this->sig->process(this->sig, message);
-}
-
-METHOD(authenticator_t, destroy, void,
-       private_hybrid_authenticator_t *this)
-{
-       DESTROY_IF(this->hash);
-       DESTROY_IF(this->sig);
-       free(this);
-}
-
-/*
- * Described in header.
- */
-hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
-                                                                               bool initiator, diffie_hellman_t *dh,
-                                                                               chunk_t dh_value, chunk_t sa_payload,
-                                                                               chunk_t id_payload)
-{
-       private_hybrid_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .is_mutual = (void*)return_false,
-                               .destroy = _destroy,
-                       },
-               },
-               .sig = authenticator_create_v1(ike_sa, initiator, AUTH_RSA, dh,
-                                                       dh_value, sa_payload, id_payload),
-               .hash = authenticator_create_v1(ike_sa, initiator, AUTH_PSK,
-                                                       dh, dh_value, sa_payload, chunk_clone(id_payload)),
-       );
-       if (!this->sig || !this->hash)
-       {
-               destroy(this);
-               return NULL;
-       }
-       if (initiator)
-       {
-               this->public.authenticator.build = _build_i;
-               this->public.authenticator.process = _process_i;
-       }
-       else
-       {
-               this->public.authenticator.build = _build_r;
-               this->public.authenticator.process = _process_r;
-       }
-       return &this->public;
-}
diff --git a/src/libcharon/sa/authenticators/hybrid_authenticator.h b/src/libcharon/sa/authenticators/hybrid_authenticator.h
deleted file mode 100644 (file)
index 3705747..0000000
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup hybrid_authenticator hybrid_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef HYBRID_AUTHENTICATOR_H_
-#define HYBRID_AUTHENTICATOR_H_
-
-typedef struct hybrid_authenticator_t hybrid_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using IKEv1 hybrid authentication.
- */
-struct hybrid_authenticator_t {
-
-       /**
-        * Implemented authenticator_t interface.
-        */
-       authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to build hybrid signatures.
- *
- * @param ike_sa                       associated IKE_SA
- * @param initiator                    TRUE if we are the IKE_SA initiator
- * @param dh                           diffie hellman key exchange
- * @param dh_value                     others public diffie hellman value
- * @param sa_payload           generated SA payload data, without payload header
- * @param id_payload           encoded ID payload of peer to authenticate or verify
- *                                                     without payload header (gets owned)
- * @return                                     hybrid authenticator
- */
-hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
-                                                                               bool initiator, diffie_hellman_t *dh,
-                                                                               chunk_t dh_value, chunk_t sa_payload,
-                                                                               chunk_t id_payload);
-
-#endif /** HYBRID_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c
deleted file mode 100644 (file)
index 26c7225..0000000
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "psk_authenticator.h"
-
-#include <daemon.h>
-#include <encoding/payloads/auth_payload.h>
-#include <sa/keymat_v2.h>
-
-typedef struct private_psk_authenticator_t private_psk_authenticator_t;
-
-/**
- * Private data of an psk_authenticator_t object.
- */
-struct private_psk_authenticator_t {
-
-       /**
-        * Public authenticator_t interface.
-        */
-       psk_authenticator_t public;
-
-       /**
-        * Assigned IKE_SA
-        */
-       ike_sa_t *ike_sa;
-
-       /**
-        * nonce to include in AUTH calculation
-        */
-       chunk_t nonce;
-
-       /**
-        * IKE_SA_INIT message data to include in AUTH calculation
-        */
-       chunk_t ike_sa_init;
-
-       /**
-        * Reserved bytes of ID payload
-        */
-       char reserved[3];
-};
-
-METHOD(authenticator_t, build, status_t,
-       private_psk_authenticator_t *this, message_t *message)
-{
-       identification_t *my_id, *other_id;
-       auth_payload_t *auth_payload;
-       shared_key_t *key;
-       chunk_t auth_data;
-       keymat_v2_t *keymat;
-
-       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       my_id = this->ike_sa->get_my_id(this->ike_sa);
-       other_id = this->ike_sa->get_other_id(this->ike_sa);
-       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
-                my_id, auth_method_names, AUTH_PSK);
-       key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id);
-       if (key == NULL)
-       {
-               DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
-               return NOT_FOUND;
-       }
-       auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
-                                               this->nonce, key->get_key(key), my_id, this->reserved);
-       key->destroy(key);
-       DBG2(DBG_IKE, "successfully created shared key MAC");
-       auth_payload = auth_payload_create();
-       auth_payload->set_auth_method(auth_payload, AUTH_PSK);
-       auth_payload->set_data(auth_payload, auth_data);
-       chunk_free(&auth_data);
-       message->add_payload(message, (payload_t*)auth_payload);
-
-       return SUCCESS;
-}
-
-METHOD(authenticator_t, process, status_t,
-       private_psk_authenticator_t *this, message_t *message)
-{
-       chunk_t auth_data, recv_auth_data;
-       identification_t *my_id, *other_id;
-       auth_payload_t *auth_payload;
-       auth_cfg_t *auth;
-       shared_key_t *key;
-       enumerator_t *enumerator;
-       bool authenticated = FALSE;
-       int keys_found = 0;
-       keymat_v2_t *keymat;
-
-       auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-       if (!auth_payload)
-       {
-               return FAILED;
-       }
-       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       recv_auth_data = auth_payload->get_data(auth_payload);
-       my_id = this->ike_sa->get_my_id(this->ike_sa);
-       other_id = this->ike_sa->get_other_id(this->ike_sa);
-       enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
-                                                                                               SHARED_IKE, my_id, other_id);
-       while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL))
-       {
-               keys_found++;
-
-               auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
-                               this->nonce, key->get_key(key), other_id, this->reserved);
-               if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
-               {
-                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-                                other_id, auth_method_names, AUTH_PSK);
-                       authenticated = TRUE;
-               }
-               chunk_free(&auth_data);
-       }
-       enumerator->destroy(enumerator);
-
-       if (!authenticated)
-       {
-               if (keys_found == 0)
-               {
-                       DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
-                       return NOT_FOUND;
-               }
-               DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
-                        keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
-               return FAILED;
-       }
-
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
-       return SUCCESS;
-}
-
-METHOD(authenticator_t, destroy, void,
-       private_psk_authenticator_t *this)
-{
-       free(this);
-}
-
-/*
- * Described in header.
- */
-psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_init,
-                                                                       char reserved[3])
-{
-       private_psk_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .build = _build,
-                               .process = (void*)return_failed,
-                               .is_mutual = (void*)return_false,
-                               .destroy = _destroy,
-                       },
-               },
-               .ike_sa = ike_sa,
-               .ike_sa_init = sent_init,
-               .nonce = received_nonce,
-       );
-       memcpy(this->reserved, reserved, sizeof(this->reserved));
-
-       return &this->public;
-}
-
-/*
- * Described in header.
- */
-psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
-                                                                       chunk_t sent_nonce, chunk_t received_init,
-                                                                       char reserved[3])
-{
-       private_psk_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .build = (void*)return_failed,
-                               .process = _process,
-                               .is_mutual = (void*)return_false,
-                               .destroy = _destroy,
-                       },
-               },
-               .ike_sa = ike_sa,
-               .ike_sa_init = received_init,
-               .nonce = sent_nonce,
-       );
-       memcpy(this->reserved, reserved, sizeof(this->reserved));
-
-       return &this->public;
-}
-
diff --git a/src/libcharon/sa/authenticators/psk_authenticator.h b/src/libcharon/sa/authenticators/psk_authenticator.h
deleted file mode 100644 (file)
index 8cf1a0f..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup psk_authenticator psk_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef PSK_AUTHENTICATOR_H_
-#define PSK_AUTHENTICATOR_H_
-
-typedef struct psk_authenticator_t psk_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using pre-shared keys.
- */
-struct psk_authenticator_t {
-
-       /**
-        * Implemented authenticator_t interface.
-        */
-       authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to build PSK signatures.
- *
- * @param ike_sa                       associated ike_sa
- * @param received_nonce       nonce received in IKE_SA_INIT
- * @param sent_init                    sent IKE_SA_INIT message data
- * @param reserved                     reserved bytes of ID payload
- * @return                                     PSK authenticator
- */
-psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_init,
-                                                                       char reserved[3]);
-
-/**
- * Create an authenticator to verify PSK signatures.
- *
- * @param ike_sa                       associated ike_sa
- * @param sent_nonce           nonce sent in IKE_SA_INIT
- * @param received_init                received IKE_SA_INIT message data
- * @param reserved                     reserved bytes of ID payload
- * @return                                     PSK authenticator
- */
-psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
-                                                                       chunk_t sent_nonce, chunk_t received_init,
-                                                                       char reserved[3]);
-
-#endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/authenticators/psk_v1_authenticator.c
deleted file mode 100644 (file)
index 11fd811..0000000
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "psk_v1_authenticator.h"
-
-#include <daemon.h>
-#include <sa/keymat_v1.h>
-#include <encoding/payloads/hash_payload.h>
-
-typedef struct private_psk_v1_authenticator_t private_psk_v1_authenticator_t;
-
-/**
- * Private data of an psk_v1_authenticator_t object.
- */
-struct private_psk_v1_authenticator_t {
-
-       /**
-        * Public authenticator_t interface.
-        */
-       psk_v1_authenticator_t public;
-
-       /**
-        * Assigned IKE_SA
-        */
-       ike_sa_t *ike_sa;
-
-       /**
-        * TRUE if we are initiator
-        */
-       bool initiator;
-
-       /**
-        * DH key exchange
-        */
-       diffie_hellman_t *dh;
-
-       /**
-        * Others DH public value
-        */
-       chunk_t dh_value;
-
-       /**
-        * Encoded SA payload, without fixed header
-        */
-       chunk_t sa_payload;
-
-       /**
-        * Encoded ID payload, without fixed header
-        */
-       chunk_t id_payload;
-};
-
-METHOD(authenticator_t, build, status_t,
-       private_psk_v1_authenticator_t *this, message_t *message)
-{
-       hash_payload_t *hash_payload;
-       keymat_v1_t *keymat;
-       chunk_t hash, dh;
-
-       this->dh->get_my_public_value(this->dh, &dh);
-       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
-       hash = keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
-                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-                                       this->id_payload);
-       free(dh.ptr);
-
-       hash_payload = hash_payload_create(HASH_V1);
-       hash_payload->set_hash(hash_payload, hash);
-       message->add_payload(message, &hash_payload->payload_interface);
-       free(hash.ptr);
-
-       return SUCCESS;
-}
-
-METHOD(authenticator_t, process, status_t,
-       private_psk_v1_authenticator_t *this, message_t *message)
-{
-       hash_payload_t *hash_payload;
-       keymat_v1_t *keymat;
-       chunk_t hash, dh;
-
-       hash_payload = (hash_payload_t*)message->get_payload(message, HASH_V1);
-       if (!hash_payload)
-       {
-               DBG1(DBG_IKE, "HASH payload missing in message");
-               return FAILED;
-       }
-
-       this->dh->get_my_public_value(this->dh, &dh);
-       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
-       hash = keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
-                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-                                       this->id_payload);
-       free(dh.ptr);
-       if (chunk_equals(hash, hash_payload->get_hash(hash_payload)))
-       {
-               free(hash.ptr);
-               return SUCCESS;
-       }
-       free(hash.ptr);
-       DBG1(DBG_IKE, "calculated HASH does not match HASH payload");
-       return FAILED;
-}
-
-METHOD(authenticator_t, destroy, void,
-       private_psk_v1_authenticator_t *this)
-{
-       chunk_free(&this->id_payload);
-       free(this);
-}
-
-/*
- * Described in header.
- */
-psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
-                                                                               bool initiator, diffie_hellman_t *dh,
-                                                                               chunk_t dh_value, chunk_t sa_payload,
-                                                                               chunk_t id_payload)
-{
-       private_psk_v1_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .build = _build,
-                               .process = _process,
-                               .is_mutual = (void*)return_false,
-                               .destroy = _destroy,
-                       },
-               },
-               .ike_sa = ike_sa,
-               .initiator = initiator,
-               .dh = dh,
-               .dh_value = dh_value,
-               .sa_payload = sa_payload,
-               .id_payload = id_payload,
-       );
-
-       return &this->public;
-}
diff --git a/src/libcharon/sa/authenticators/psk_v1_authenticator.h b/src/libcharon/sa/authenticators/psk_v1_authenticator.h
deleted file mode 100644 (file)
index e01d49c..0000000
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup psk_v1_authenticator psk_v1_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef PSK_V1_AUTHENTICATOR_H_
-#define PSK_V1_AUTHENTICATOR_H_
-
-typedef struct psk_v1_authenticator_t psk_v1_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using pre-shared keys for IKEv1.
- */
-struct psk_v1_authenticator_t {
-
-       /**
-        * Implemented authenticator_t interface.
-        */
-       authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to build PSK signatures.
- *
- * @param ike_sa                       associated IKE_SA
- * @param initiator                    TRUE if we are the IKE_SA initiator
- * @param dh                           diffie hellman key exchange
- * @param dh_value                     others public diffie hellman value
- * @param sa_payload           generated SA payload data, without payload header
- * @param id_payload           encoded ID payload of peer to authenticate or verify
- *                                                     without payload header (gets owned)
- * @return                                     PSK authenticator
- */
-psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
-                                                                               bool initiator, diffie_hellman_t *dh,
-                                                                               chunk_t dh_value, chunk_t sa_payload,
-                                                                               chunk_t id_payload);
-
-#endif /** PSK_V1_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c
deleted file mode 100644 (file)
index df5b06a..0000000
+++ /dev/null
@@ -1,269 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "pubkey_authenticator.h"
-
-#include <daemon.h>
-#include <encoding/payloads/auth_payload.h>
-#include <sa/keymat_v2.h>
-
-typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
-
-/**
- * Private data of an pubkey_authenticator_t object.
- */
-struct private_pubkey_authenticator_t {
-
-       /**
-        * Public authenticator_t interface.
-        */
-       pubkey_authenticator_t public;
-
-       /**
-        * Assigned IKE_SA
-        */
-       ike_sa_t *ike_sa;
-
-       /**
-        * nonce to include in AUTH calculation
-        */
-       chunk_t nonce;
-
-       /**
-        * IKE_SA_INIT message data to include in AUTH calculation
-        */
-       chunk_t ike_sa_init;
-
-       /**
-        * Reserved bytes of ID payload
-        */
-       char reserved[3];
-};
-
-METHOD(authenticator_t, build, status_t,
-       private_pubkey_authenticator_t *this, message_t *message)
-{
-       chunk_t octets, auth_data;
-       status_t status = FAILED;
-       private_key_t *private;
-       identification_t *id;
-       auth_cfg_t *auth;
-       auth_payload_t *auth_payload;
-       auth_method_t auth_method;
-       signature_scheme_t scheme;
-       keymat_v2_t *keymat;
-
-       id = this->ike_sa->get_my_id(this->ike_sa);
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-       private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
-       if (private == NULL)
-       {
-               DBG1(DBG_IKE, "no private key found for '%Y'", id);
-               return NOT_FOUND;
-       }
-
-       switch (private->get_type(private))
-       {
-               case KEY_RSA:
-                       /* we currently use always SHA1 for signatures,
-                        * TODO: support other hashes depending on configuration/auth */
-                       scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-                       auth_method = AUTH_RSA;
-                       break;
-               case KEY_ECDSA:
-                       /* we try to deduct the signature scheme from the keysize */
-                       switch (private->get_keysize(private))
-                       {
-                               case 256:
-                                       scheme = SIGN_ECDSA_256;
-                                       auth_method = AUTH_ECDSA_256;
-                                       break;
-                               case 384:
-                                       scheme = SIGN_ECDSA_384;
-                                       auth_method = AUTH_ECDSA_384;
-                                       break;
-                               case 521:
-                                       scheme = SIGN_ECDSA_521;
-                                       auth_method = AUTH_ECDSA_521;
-                                       break;
-                               default:
-                                       DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
-                                                       private->get_keysize(private));
-                                       return status;
-                       }
-                       break;
-               default:
-                       DBG1(DBG_IKE, "private key of type %N not supported",
-                                       key_type_names, private->get_type(private));
-                       return status;
-       }
-       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-                                                                        this->nonce, id, this->reserved);
-       if (private->sign(private, scheme, octets, &auth_data))
-       {
-               auth_payload = auth_payload_create();
-               auth_payload->set_auth_method(auth_payload, auth_method);
-               auth_payload->set_data(auth_payload, auth_data);
-               chunk_free(&auth_data);
-               message->add_payload(message, (payload_t*)auth_payload);
-               status = SUCCESS;
-       }
-       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
-                auth_method_names, auth_method,
-                (status == SUCCESS)? "successful":"failed");
-       chunk_free(&octets);
-       private->destroy(private);
-
-       return status;
-}
-
-METHOD(authenticator_t, process, status_t,
-       private_pubkey_authenticator_t *this, message_t *message)
-{
-       public_key_t *public;
-       auth_method_t auth_method;
-       auth_payload_t *auth_payload;
-       chunk_t auth_data, octets;
-       identification_t *id;
-       auth_cfg_t *auth, *current_auth;
-       enumerator_t *enumerator;
-       key_type_t key_type = KEY_ECDSA;
-       signature_scheme_t scheme;
-       status_t status = NOT_FOUND;
-       keymat_v2_t *keymat;
-
-       auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
-       if (!auth_payload)
-       {
-               return FAILED;
-       }
-       auth_method = auth_payload->get_auth_method(auth_payload);
-       switch (auth_method)
-       {
-               case AUTH_RSA:
-                       /* We currently accept SHA1 signatures only
-                        * TODO: allow other hash algorithms and note it in "auth" */
-                       key_type = KEY_RSA;
-                       scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-                       break;
-               case AUTH_ECDSA_256:
-                       scheme = SIGN_ECDSA_256;
-                       break;
-               case AUTH_ECDSA_384:
-                       scheme = SIGN_ECDSA_384;
-                       break;
-               case AUTH_ECDSA_521:
-                       scheme = SIGN_ECDSA_521;
-                       break;
-               default:
-                       return INVALID_ARG;
-       }
-       auth_data = auth_payload->get_data(auth_payload);
-       id = this->ike_sa->get_other_id(this->ike_sa);
-       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-                                                                        this->nonce, id, this->reserved);
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                                                                                               key_type, id, auth);
-       while (enumerator->enumerate(enumerator, &public, &current_auth))
-       {
-               if (public->verify(public, scheme, octets, auth_data))
-               {
-                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-                                                  id, auth_method_names, auth_method);
-                       status = SUCCESS;
-                       auth->merge(auth, current_auth, FALSE);
-                       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-                       break;
-               }
-               else
-               {
-                       status = FAILED;
-                       DBG1(DBG_IKE, "signature validation failed, looking for another key");
-               }
-       }
-       enumerator->destroy(enumerator);
-       chunk_free(&octets);
-       if (status == NOT_FOUND)
-       {
-               DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
-                        key_type_names, key_type, id);
-       }
-       return status;
-}
-
-METHOD(authenticator_t, destroy, void,
-       private_pubkey_authenticator_t *this)
-{
-       free(this);
-}
-
-/*
- * Described in header.
- */
-pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_init,
-                                                                       char reserved[3])
-{
-       private_pubkey_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .build = _build,
-                               .process = (void*)return_failed,
-                               .is_mutual = (void*)return_false,
-                               .destroy = _destroy,
-                       },
-               },
-               .ike_sa = ike_sa,
-               .ike_sa_init = sent_init,
-               .nonce = received_nonce,
-       );
-       memcpy(this->reserved, reserved, sizeof(this->reserved));
-
-       return &this->public;
-}
-
-/*
- * Described in header.
- */
-pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
-                                                                       chunk_t sent_nonce, chunk_t received_init,
-                                                                       char reserved[3])
-{
-       private_pubkey_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .build = (void*)return_failed,
-                               .process = _process,
-                               .is_mutual = (void*)return_false,
-                               .destroy = _destroy,
-                       },
-               },
-               .ike_sa = ike_sa,
-               .ike_sa_init = received_init,
-               .nonce = sent_nonce,
-       );
-       memcpy(this->reserved, reserved, sizeof(this->reserved));
-
-       return &this->public;
-}
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.h b/src/libcharon/sa/authenticators/pubkey_authenticator.h
deleted file mode 100644 (file)
index 4c3937e..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pubkey_authenticator pubkey_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef PUBKEY_AUTHENTICATOR_H_
-#define PUBKEY_AUTHENTICATOR_H_
-
-typedef struct pubkey_authenticator_t pubkey_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using public key authenitcation.
- */
-struct pubkey_authenticator_t {
-
-       /**
-        * Implemented authenticator_t interface.
-        */
-       authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to build public key signatures.
- *
- * @param ike_sa                       associated ike_sa
- * @param received_nonce       nonce received in IKE_SA_INIT
- * @param sent_init                    sent IKE_SA_INIT message data
- * @param reserved                     reserved bytes of ID payload
- * @return                                     public key authenticator
- */
-pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
-                                                                       chunk_t received_nonce, chunk_t sent_init,
-                                                                       char reserved[3]);
-
-/**
- * Create an authenticator to verify public key signatures.
- *
- * @param ike_sa                       associated ike_sa
- * @param sent_nonce           nonce sent in IKE_SA_INIT
- * @param received_init                received IKE_SA_INIT message data
- * @param reserved                     reserved bytes of ID payload
- * @return                                     public key authenticator
- */
-pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
-                                                                       chunk_t sent_nonce, chunk_t received_init,
-                                                                       char reserved[3]);
-
-#endif /** PUBKEY_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/authenticators/pubkey_v1_authenticator.c
deleted file mode 100644 (file)
index 7da1953..0000000
+++ /dev/null
@@ -1,217 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "pubkey_v1_authenticator.h"
-
-#include <daemon.h>
-#include <sa/keymat_v1.h>
-#include <encoding/payloads/hash_payload.h>
-
-typedef struct private_pubkey_v1_authenticator_t private_pubkey_v1_authenticator_t;
-
-/**
- * Private data of an pubkey_v1_authenticator_t object.
- */
-struct private_pubkey_v1_authenticator_t {
-
-       /**
-        * Public authenticator_t interface.
-        */
-       pubkey_v1_authenticator_t public;
-
-       /**
-        * Assigned IKE_SA
-        */
-       ike_sa_t *ike_sa;
-
-       /**
-        * TRUE if we are initiator
-        */
-       bool initiator;
-
-       /**
-        * DH key exchange
-        */
-       diffie_hellman_t *dh;
-
-       /**
-        * Others DH public value
-        */
-       chunk_t dh_value;
-
-       /**
-        * Encoded SA payload, without fixed header
-        */
-       chunk_t sa_payload;
-
-       /**
-        * Encoded ID payload, without fixed header
-        */
-       chunk_t id_payload;
-};
-
-METHOD(authenticator_t, build, status_t,
-       private_pubkey_v1_authenticator_t *this, message_t *message)
-{
-       hash_payload_t *sig_payload;
-       chunk_t hash, sig, dh;
-       keymat_v1_t *keymat;
-       status_t status;
-       private_key_t *private;
-       identification_t *id;
-       auth_cfg_t *auth;
-       key_type_t type;
-       signature_scheme_t scheme;
-
-       /* TODO-IKEv1: other key types */
-       type = KEY_RSA;
-       scheme = SIGN_RSA_EMSA_PKCS1_NULL;
-
-       id = this->ike_sa->get_my_id(this->ike_sa);
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-       private = lib->credmgr->get_private(lib->credmgr, type, id, auth);
-       if (!private)
-       {
-               DBG1(DBG_IKE, "no private key found for '%Y'", id);
-               return NOT_FOUND;
-       }
-
-       this->dh->get_my_public_value(this->dh, &dh);
-       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
-       hash = keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
-                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-                                       this->id_payload);
-       free(dh.ptr);
-
-       if (private->sign(private, scheme, hash, &sig))
-       {
-               sig_payload = hash_payload_create(SIGNATURE_V1);
-               sig_payload->set_hash(sig_payload, sig);
-               free(sig.ptr);
-               message->add_payload(message, &sig_payload->payload_interface);
-               status = SUCCESS;
-               DBG1(DBG_IKE, "authentication of '%Y' (myself) successful", id);
-       }
-       else
-       {
-               DBG1(DBG_IKE, "authentication of '%Y' (myself) failed", id);
-               status = FAILED;
-       }
-       private->destroy(private);
-       free(hash.ptr);
-
-       return status;
-}
-
-METHOD(authenticator_t, process, status_t,
-       private_pubkey_v1_authenticator_t *this, message_t *message)
-{
-       chunk_t hash, sig, dh;
-       keymat_v1_t *keymat;
-       public_key_t *public;
-       hash_payload_t *sig_payload;
-       auth_cfg_t *auth, *current_auth;
-       enumerator_t *enumerator;
-       status_t status = NOT_FOUND;
-       key_type_t type;
-       signature_scheme_t scheme;
-       identification_t *id;
-
-       /* TODO-IKEv1: currently RSA only */
-       type = KEY_RSA;
-       scheme = SIGN_RSA_EMSA_PKCS1_NULL;
-
-       sig_payload = (hash_payload_t*)message->get_payload(message, SIGNATURE_V1);
-       if (!sig_payload)
-       {
-               DBG1(DBG_IKE, "SIG payload missing in message");
-               return FAILED;
-       }
-
-       id = this->ike_sa->get_other_id(this->ike_sa);
-       this->dh->get_my_public_value(this->dh, &dh);
-       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
-       hash = keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
-                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-                                       this->id_payload);
-       free(dh.ptr);
-
-       sig = sig_payload->get_hash(sig_payload);
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
-       enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, type,
-                                                                                                               id, auth);
-       while (enumerator->enumerate(enumerator, &public, &current_auth))
-       {
-               if (public->verify(public, scheme, hash, sig))
-               {
-                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-                                id, key_type_names, type);
-                       status = SUCCESS;
-                       auth->merge(auth, current_auth, FALSE);
-                       auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-                       break;
-               }
-               else
-               {
-                       DBG1(DBG_IKE, "signature validation failed, looking for another key");
-                       status = FAILED;
-               }
-       }
-       enumerator->destroy(enumerator);
-       free(hash.ptr);
-       if (status != SUCCESS)
-       {
-               DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
-                        key_type_names, type, id);
-       }
-       return status;
-}
-
-METHOD(authenticator_t, destroy, void,
-       private_pubkey_v1_authenticator_t *this)
-{
-       chunk_free(&this->id_payload);
-       free(this);
-}
-
-/*
- * Described in header.
- */
-pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
-                                                                               bool initiator, diffie_hellman_t *dh,
-                                                                               chunk_t dh_value, chunk_t sa_payload,
-                                                                               chunk_t id_payload)
-{
-       private_pubkey_v1_authenticator_t *this;
-
-       INIT(this,
-               .public = {
-                       .authenticator = {
-                               .build = _build,
-                               .process = _process,
-                               .is_mutual = (void*)return_false,
-                               .destroy = _destroy,
-                       },
-               },
-               .ike_sa = ike_sa,
-               .initiator = initiator,
-               .dh = dh,
-               .dh_value = dh_value,
-               .sa_payload = sa_payload,
-               .id_payload = id_payload,
-       );
-
-       return &this->public;
-}
diff --git a/src/libcharon/sa/authenticators/pubkey_v1_authenticator.h b/src/libcharon/sa/authenticators/pubkey_v1_authenticator.h
deleted file mode 100644 (file)
index e71a81f..0000000
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup pubkey_v1_authenticator pubkey_v1_authenticator
- * @{ @ingroup authenticators
- */
-
-#ifndef PUBKEY_V1_AUTHENTICATOR_H_
-#define PUBKEY_V1_AUTHENTICATOR_H_
-
-typedef struct pubkey_v1_authenticator_t pubkey_v1_authenticator_t;
-
-#include <sa/authenticators/authenticator.h>
-
-/**
- * Implementation of authenticator_t using public keys for IKEv1.
- */
-struct pubkey_v1_authenticator_t {
-
-       /**
-        * Implemented authenticator_t interface.
-        */
-       authenticator_t authenticator;
-};
-
-/**
- * Create an authenticator to build and verify public key signatures.
- *
- * @param ike_sa                       associated IKE_SA
- * @param initiator                    TRUE if we are IKE_SA initiator
- * @param dh                           diffie hellman key exchange
- * @param dh_value                     others public diffie hellman value
- * @param sa_payload           generated SA payload data, without payload header
- * @param id_payload           encoded ID payload of peer to authenticate or verify
- *                                                     without payload header (gets owned)
- * @return                                     pubkey authenticator
- */
-pubkey_v1_authenticator_t *pubkey_v1_authenticator_create(ike_sa_t *ike_sa,
-                                                                               bool initiator, diffie_hellman_t *dh,
-                                                                               chunk_t dh_value, chunk_t sa_payload,
-                                                                               chunk_t id_payload);
-
-#endif /** PUBKEY_V1_AUTHENTICATOR_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_manager.c b/src/libcharon/sa/authenticators/xauth/xauth_manager.c
deleted file mode 100644 (file)
index 432c9c0..0000000
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "xauth_manager.h"
-
-#include <utils/linked_list.h>
-#include <threading/rwlock.h>
-
-typedef struct private_xauth_manager_t private_xauth_manager_t;
-typedef struct xauth_entry_t xauth_entry_t;
-
-/**
- * XAuth constructor entry
- */
-struct xauth_entry_t {
-
-       /**
-        * Xauth backend name
-        */
-       char *name;
-
-       /**
-        * Role of the method, XAUTH_SERVER or XAUTH_PEER
-        */
-       xauth_role_t role;
-
-       /**
-        * constructor function to create instance
-        */
-       xauth_constructor_t constructor;
-};
-
-/**
- * private data of xauth_manager
- */
-struct private_xauth_manager_t {
-
-       /**
-        * public functions
-        */
-       xauth_manager_t public;
-
-       /**
-        * list of eap_entry_t's
-        */
-       linked_list_t *methods;
-
-       /**
-        * rwlock to lock methods
-        */
-       rwlock_t *lock;
-};
-
-METHOD(xauth_manager_t, add_method, void,
-       private_xauth_manager_t *this, char *name, xauth_role_t role,
-       xauth_constructor_t constructor)
-{
-       xauth_entry_t *entry;
-
-       INIT(entry,
-               .name = name,
-               .role = role,
-               .constructor = constructor,
-       );
-
-       this->lock->write_lock(this->lock);
-       this->methods->insert_last(this->methods, entry);
-       this->lock->unlock(this->lock);
-}
-
-METHOD(xauth_manager_t, remove_method, void,
-       private_xauth_manager_t *this, xauth_constructor_t constructor)
-{
-       enumerator_t *enumerator;
-       xauth_entry_t *entry;
-
-       this->lock->write_lock(this->lock);
-       enumerator = this->methods->create_enumerator(this->methods);
-       while (enumerator->enumerate(enumerator, &entry))
-       {
-               if (constructor == entry->constructor)
-               {
-                       this->methods->remove_at(this->methods, enumerator);
-                       free(entry);
-               }
-       }
-       enumerator->destroy(enumerator);
-       this->lock->unlock(this->lock);
-}
-
-METHOD(xauth_manager_t, create_instance, xauth_method_t*,
-       private_xauth_manager_t *this, char *name, xauth_role_t role,
-       identification_t *server, identification_t *peer)
-{
-       enumerator_t *enumerator;
-       xauth_entry_t *entry;
-       xauth_method_t *method = NULL;
-
-       this->lock->read_lock(this->lock);
-       enumerator = this->methods->create_enumerator(this->methods);
-       while (enumerator->enumerate(enumerator, &entry))
-       {
-               if (role == entry->role &&
-                       (!name || streq(name, entry->name)))
-               {
-                       method = entry->constructor(server, peer);
-                       if (method)
-                       {
-                               break;
-                       }
-               }
-       }
-       enumerator->destroy(enumerator);
-       this->lock->unlock(this->lock);
-       return method;
-}
-
-METHOD(xauth_manager_t, destroy, void,
-       private_xauth_manager_t *this)
-{
-       this->methods->destroy_function(this->methods, free);
-       this->lock->destroy(this->lock);
-       free(this);
-}
-
-/*
- * See header
- */
-xauth_manager_t *xauth_manager_create()
-{
-       private_xauth_manager_t *this;
-
-       INIT(this,
-               .public = {
-                       .add_method = _add_method,
-                       .remove_method = _remove_method,
-                       .create_instance = _create_instance,
-                       .destroy = _destroy,
-               },
-               .methods = linked_list_create(),
-               .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-       );
-
-       return &this->public;
-}
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_manager.h b/src/libcharon/sa/authenticators/xauth/xauth_manager.h
deleted file mode 100644 (file)
index 7f07cc2..0000000
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xauth_manager xauth_manager
- * @{ @ingroup xauth
- */
-
-#ifndef XAUTH_MANAGER_H_
-#define XAUTH_MANAGER_H_
-
-#include <sa/authenticators/xauth/xauth_method.h>
-
-typedef struct xauth_manager_t xauth_manager_t;
-
-/**
- * The XAuth manager manages all XAuth implementations and creates instances.
- *
- * A plugin registers it's implemented XAuth method at the manager by
- * providing type and a contructor function. The manager then instanciates
- * xauth_method_t instances through the provided constructor to handle
- * XAuth authentication.
- */
-struct xauth_manager_t {
-
-       /**
-        * Register a XAuth method implementation.
-        *
-        * @param name                  backend name to register
-        * @param role                  XAUTH_SERVER or XAUTH_PEER
-        * @param constructor   constructor function, returns an xauth_method_t
-        */
-       void (*add_method)(xauth_manager_t *this, char *name,
-                                          xauth_role_t role, xauth_constructor_t constructor);
-
-       /**
-        * Unregister a XAuth method implementation using it's constructor.
-        *
-        * @param constructor   constructor function, as added in add_method
-        */
-       void (*remove_method)(xauth_manager_t *this, xauth_constructor_t constructor);
-
-       /**
-        * Create a new XAuth method instance.
-        *
-        * @param name                  backend name, as it was registered with
-        * @param role                  XAUTH_SERVER or XAUTH_PEER
-        * @param server                identity of the server
-        * @param peer                  identity of the peer (client)
-        * @return                              XAUTH method instance, NULL if no constructor found
-        */
-       xauth_method_t* (*create_instance)(xauth_manager_t *this,
-                                                       char *name, xauth_role_t role,
-                                                       identification_t *server, identification_t *peer);
-
-       /**
-        * Destroy a eap_manager instance.
-        */
-       void (*destroy)(xauth_manager_t *this);
-};
-
-/**
- * Create a eap_manager instance.
- */
-xauth_manager_t *xauth_manager_create();
-
-#endif /** XAUTH_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_method.c b/src/libcharon/sa/authenticators/xauth/xauth_method.c
deleted file mode 100644 (file)
index 838822d..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "xauth_method.h"
-
-#include <daemon.h>
-
-ENUM(xauth_role_names, XAUTH_SERVER, XAUTH_PEER,
-       "XAUTH_SERVER",
-       "XAUTH_PEER",
-);
-
-/**
- * See header
- */
-bool xauth_method_register(plugin_t *plugin, plugin_feature_t *feature,
-                                                bool reg, void *data)
-{
-       if (reg)
-       {
-               charon->xauth->add_method(charon->xauth, feature->arg.xauth,
-                       feature->type == FEATURE_XAUTH_SERVER ? XAUTH_SERVER : XAUTH_PEER,
-                       (xauth_constructor_t)data);
-       }
-       else
-       {
-               charon->xauth->remove_method(charon->xauth, (xauth_constructor_t)data);
-       }
-       return TRUE;
-}
diff --git a/src/libcharon/sa/authenticators/xauth/xauth_method.h b/src/libcharon/sa/authenticators/xauth/xauth_method.h
deleted file mode 100644 (file)
index 9f6067d..0000000
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup xauth_method xauth_method
- * @{ @ingroup xauth
- */
-
-#ifndef XAUTH_METHOD_H_
-#define XAUTH_METHOD_H_
-
-typedef struct xauth_method_t xauth_method_t;
-typedef enum xauth_role_t xauth_role_t;
-
-#include <library.h>
-#include <plugins/plugin.h>
-#include <utils/identification.h>
-#include <encoding/payloads/cp_payload.h>
-
-/**
- * Role of an xauth_method, SERVER or PEER (client)
- */
-enum xauth_role_t {
-       XAUTH_SERVER,
-       XAUTH_PEER,
-};
-
-/**
- * enum names for xauth_role_t.
- */
-extern enum_name_t *xauth_role_names;
-
-/**
- * Interface of an XAuth method for server and client side.
- *
- * An XAuth method initiates an XAuth exchange and processes requests and
- * responses. An XAuth method may need multiple exchanges before succeeding.
- * Sending of XAUTH(STATUS) message is done by the framework, not a method.
- */
-struct xauth_method_t {
-
-       /**
-        * Initiate the XAuth exchange.
-        *
-        * initiate() is only useable for server implementations, as clients only
-        * reply to server requests.
-        * A cp_payload is created in "out" if result is NEED_MORE.
-        *
-        * @param out           cp_payload to send to the client
-        * @return
-        *                                      - NEED_MORE, if an other exchange is required
-        *                                      - FAILED, if unable to create XAuth request payload
-        */
-       status_t (*initiate) (xauth_method_t *this, cp_payload_t **out);
-
-       /**
-        * Process a received XAuth message.
-        *
-        * A cp_payload is created in "out" if result is NEED_MORE.
-        *
-        * @param in            cp_payload response received
-        * @param out           created cp_payload to send
-        * @return
-        *                                      - NEED_MORE, if an other exchange is required
-        *                                      - FAILED, if XAuth method failed
-        *                                      - SUCCESS, if XAuth method succeeded
-        */
-       status_t (*process) (xauth_method_t *this, cp_payload_t *in,
-                                                cp_payload_t **out);
-
-       /**
-        * Get the XAuth username received as XAuth initiator.
-        *
-        * @return                      used XAuth username, pointer to internal data
-        */
-       identification_t* (*get_identity)(xauth_method_t *this);
-
-       /**
-        * Destroys a eap_method_t object.
-        */
-       void (*destroy) (xauth_method_t *this);
-};
-
-/**
- * Constructor definition for a pluggable XAuth method.
- *
- * Each XAuth module must define a constructor function which will return
- * an initialized object with the methods defined in xauth_method_t.
- * Constructors for server and peers are identical, to support both roles
- * of a XAuth method, a plugin needs register two constructors in the
- * xauth_manager_t.
- *
- * @param server               ID of the server to use for credential lookup
- * @param peer                 ID of the peer to use for credential lookup
- * @return                             implementation of the eap_method_t interface
- */
-typedef xauth_method_t *(*xauth_constructor_t)(identification_t *server,
-                                                                                          identification_t *peer);
-
-/**
- * Helper function to (un-)register XAuth methods from plugin features.
- *
- * This function is a plugin_feature_callback_t and can be used with the
- * PLUGIN_CALLBACK macro to register a XAuth method constructor.
- *
- * @param plugin               plugin registering the XAuth method constructor
- * @param feature              associated plugin feature
- * @param reg                  TRUE to register, FALSE to unregister.
- * @param data                 data passed to callback, an xauth_constructor_t
- */
-bool xauth_method_register(plugin_t *plugin, plugin_feature_t *feature,
-                                                  bool reg, void *data);
-
-#endif /** XAUTH_METHOD_H_ @}*/
diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c
deleted file mode 100644 (file)
index 31947aa..0000000
+++ /dev/null
@@ -1,1600 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "connect_manager.h"
-
-#include <math.h>
-
-#include <daemon.h>
-#include <threading/mutex.h>
-#include <utils/linked_list.h>
-#include <crypto/hashers/hasher.h>
-
-#include <processing/jobs/callback_job.h>
-#include <processing/jobs/initiate_mediation_job.h>
-#include <encoding/payloads/endpoint_notify.h>
-
-/* base timeout
- * the check interval is ME_INTERVAL */
-#define ME_INTERVAL 25 /* ms */
-/* retransmission timeout is first ME_INTERVAL for ME_BOOST retransmissions
- * then gets reduced to ME_INTERVAL * ME_RETRANS_BASE ^ (sent retransmissions - ME_BOOST). */
-/* number of initial retransmissions sent in short interval */
-#define ME_BOOST 2
-/* base for retransmissions */
-#define ME_RETRANS_BASE 1.8
-/* max number of retransmissions */
-#define ME_MAX_RETRANS 13
-
-/* time to wait before the initiator finishes the connectivity checks after
- * the first check has succeeded */
-#define ME_WAIT_TO_FINISH 1000 /* ms */
-
-typedef struct private_connect_manager_t private_connect_manager_t;
-
-/**
- * Additional private members of connect_manager_t.
- */
-struct private_connect_manager_t {
-       /**
-        * Public interface of connect_manager_t.
-        */
-        connect_manager_t public;
-
-        /**
-         * Lock for exclusivly accessing the manager.
-         */
-        mutex_t *mutex;
-
-        /**
-         * Hasher to generate signatures
-         */
-        hasher_t *hasher;
-
-        /**
-         * Linked list with initiated mediated connections
-         */
-        linked_list_t *initiated;
-
-        /**
-         * Linked list with checklists (hash table with connect ID as key would
-         * be better).
-         */
-        linked_list_t *checklists;
-};
-
-typedef enum check_state_t check_state_t;
-
-enum check_state_t {
-       CHECK_NONE,
-       CHECK_WAITING,
-       CHECK_IN_PROGRESS,
-       CHECK_SUCCEEDED,
-       CHECK_FAILED
-};
-
-typedef struct endpoint_pair_t endpoint_pair_t;
-
-/**
- * An entry in the check list.
- */
-struct endpoint_pair_t {
-       /** pair id */
-       u_int32_t id;
-
-       /** priority */
-       u_int64_t priority;
-
-       /** local endpoint */
-       host_t *local;
-
-       /** remote endpoint */
-       host_t *remote;
-
-       /** state */
-       check_state_t state;
-
-       /** number of retransmissions */
-       u_int32_t retransmitted;
-
-       /** the generated packet */
-       packet_t *packet;
-};
-
-/**
- * Destroys an endpoint pair
- */
-static void endpoint_pair_destroy(endpoint_pair_t *this)
-{
-       DESTROY_IF(this->local);
-       DESTROY_IF(this->remote);
-       DESTROY_IF(this->packet);
-       free(this);
-}
-
-/**
- * Creates a new entry for the list.
- */
-static endpoint_pair_t *endpoint_pair_create(endpoint_notify_t *initiator,
-               endpoint_notify_t *responder, bool initiator_is_local)
-{
-       endpoint_pair_t *this;
-
-       u_int32_t pi = initiator->get_priority(initiator);
-       u_int32_t pr = responder->get_priority(responder);
-
-       INIT(this,
-               .priority = pow(2, 32) * min(pi, pr) + 2 * max(pi, pr)
-                                                                                        + (pi > pr ? 1 : 0),
-               .local = initiator_is_local ? initiator->get_base(initiator)
-                                                                       : responder->get_base(responder),
-               .remote = initiator_is_local ? responder->get_host(responder)
-                                                                        : initiator->get_host(initiator),
-               .state = CHECK_WAITING,
-       );
-
-       this->local = this->local->clone(this->local);
-       this->remote = this->remote->clone(this->remote);
-
-       return this;
-}
-
-
-typedef struct check_list_t check_list_t;
-
-/**
- * An entry in the linked list.
- */
-struct check_list_t {
-
-       struct {
-               /** initiator's id */
-               identification_t *id;
-
-               /** initiator's key */
-               chunk_t key;
-
-               /** initiator's endpoints */
-               linked_list_t *endpoints;
-       } initiator;
-
-       struct {
-               /** responder's id */
-               identification_t *id;
-
-               /** responder's key */
-               chunk_t key;
-
-               /** responder's endpoints */
-               linked_list_t *endpoints;
-       } responder;
-
-       /** connect id */
-       chunk_t connect_id;
-
-       /** list of endpoint pairs */
-       linked_list_t *pairs;
-
-       /** pairs queued for triggered checks */
-       linked_list_t *triggered;
-
-       /** state */
-       check_state_t state;
-
-       /** TRUE if this is the initiator */
-       bool is_initiator;
-
-       /** TRUE if the initiator is finishing the checks */
-       bool is_finishing;
-
-       /** the current sender job */
-       job_t *sender;
-
-};
-
-/**
- * Destroys a checklist
- */
-static void check_list_destroy(check_list_t *this)
-{
-       DESTROY_IF(this->initiator.id);
-       DESTROY_IF(this->responder.id);
-
-       chunk_free(&this->connect_id);
-       chunk_free(&this->initiator.key);
-       chunk_free(&this->responder.key);
-
-       DESTROY_OFFSET_IF(this->initiator.endpoints,
-                                         offsetof(endpoint_notify_t, destroy));
-       DESTROY_OFFSET_IF(this->responder.endpoints,
-                                         offsetof(endpoint_notify_t, destroy));
-
-       DESTROY_FUNCTION_IF(this->pairs, (void*)endpoint_pair_destroy);
-       /* this list contains some of the elements contained in this->pairs */
-       DESTROY_IF(this->triggered);
-
-       free(this);
-}
-
-/**
- * Creates a new checklist
- */
-static check_list_t *check_list_create(identification_t *initiator,
-                                                                          identification_t *responder,
-                                                                          chunk_t connect_id,
-                                                                          chunk_t initiator_key,
-                                                                          linked_list_t *initiator_endpoints,
-                                                                          bool is_initiator)
-{
-       check_list_t *this;
-
-       INIT(this,
-               .connect_id = chunk_clone(connect_id),
-               .initiator = {
-                       .id = initiator->clone(initiator),
-                       .key = chunk_clone(initiator_key),
-                       .endpoints = initiator_endpoints->clone_offset(initiator_endpoints,
-                                                                                       offsetof(endpoint_notify_t, clone)),
-               },
-               .responder = {
-                       .id = responder->clone(responder),
-               },
-               .pairs = linked_list_create(),
-               .triggered = linked_list_create(),
-               .state = CHECK_NONE,
-               .is_initiator = is_initiator,
-       );
-
-       return this;
-}
-
-typedef struct initiated_t initiated_t;
-
-/**
- * For an initiator, the data stored about initiated mediation connections
- */
-struct initiated_t {
-       /** my id */
-       identification_t *id;
-
-       /** peer id */
-       identification_t *peer_id;
-
-       /** list of mediated sas */
-       linked_list_t *mediated;
-};
-
-/**
- * Destroys a queued initiation
- */
-static void initiated_destroy(initiated_t *this)
-{
-       DESTROY_IF(this->id);
-       DESTROY_IF(this->peer_id);
-       this->mediated->destroy_offset(this->mediated,
-                                                                  offsetof(ike_sa_id_t, destroy));
-       free(this);
-}
-
-/**
- * Creates a queued initiation
- */
-static initiated_t *initiated_create(identification_t *id,
-                                                                        identification_t *peer_id)
-{
-       initiated_t *this;
-
-       INIT(this,
-               .id = id->clone(id),
-               .peer_id = peer_id->clone(peer_id),
-               .mediated = linked_list_create(),
-       );
-
-       return this;
-}
-
-
-typedef struct check_t check_t;
-
-/**
- * Data exchanged in a connectivity check
- */
-struct check_t {
-       /** message id */
-       u_int32_t mid;
-
-       /** source of the connectivity check */
-       host_t *src;
-
-       /** destination of the connectivity check */
-       host_t *dst;
-
-       /** connect id */
-       chunk_t connect_id;
-
-       /** endpoint */
-       endpoint_notify_t *endpoint;
-
-       /** raw endpoint payload (to verify the signature) */
-       chunk_t endpoint_raw;
-
-       /** connect auth */
-       chunk_t auth;
-};
-
-/**
- * Destroys a connectivity check
- */
-static void check_destroy(check_t *this)
-{
-       chunk_free(&this->connect_id);
-       chunk_free(&this->endpoint_raw);
-       chunk_free(&this->auth);
-       DESTROY_IF(this->src);
-       DESTROY_IF(this->dst);
-       DESTROY_IF(this->endpoint);
-       free(this);
-}
-
-/**
- * Creates a new connectivity check
- */
-static check_t *check_create()
-{
-       check_t *this;
-
-       INIT(this,
-               .mid = 0,
-       );
-
-       return this;
-}
-
-typedef struct callback_data_t callback_data_t;
-
-/**
- * Data required by several callback jobs used in this file
- */
-struct callback_data_t {
-       /** connect manager */
-       private_connect_manager_t *connect_manager;
-
-       /** connect id */
-       chunk_t connect_id;
-
-       /** message (pair) id */
-       u_int32_t mid;
-};
-
-/**
- * Destroys a callback data object
- */
-static void callback_data_destroy(callback_data_t *this)
-{
-       chunk_free(&this->connect_id);
-       free(this);
-}
-
-/**
- * Creates a new callback data object
- */
-static callback_data_t *callback_data_create(private_connect_manager_t *connect_manager,
-                                                                                        chunk_t connect_id)
-{
-       callback_data_t *this;
-       INIT(this,
-               .connect_manager = connect_manager,
-               .connect_id = chunk_clone(connect_id),
-               .mid = 0,
-       );
-       return this;
-}
-
-/**
- * Creates a new retransmission data object
- */
-static callback_data_t *retransmit_data_create(private_connect_manager_t *connect_manager,
-                                                                                          chunk_t connect_id, u_int32_t mid)
-{
-       callback_data_t *this = callback_data_create(connect_manager, connect_id);
-       this->mid = mid;
-       return this;
-}
-
-typedef struct initiate_data_t initiate_data_t;
-
-/**
- * Data required by the initiate mediated
- */
-struct initiate_data_t {
-       /** checklist */
-       check_list_t *checklist;
-
-       /** waiting mediated connections */
-       initiated_t *initiated;
-};
-
-/**
- * Destroys a initiate data object
- */
-static void initiate_data_destroy(initiate_data_t *this)
-{
-       check_list_destroy(this->checklist);
-       initiated_destroy(this->initiated);
-       free(this);
-}
-
-/**
- * Creates a new initiate data object
- */
-static initiate_data_t *initiate_data_create(check_list_t *checklist,
-                                                                                        initiated_t *initiated)
-{
-       initiate_data_t *this;
-       INIT(this,
-               .checklist = checklist,
-               .initiated = initiated,
-       );
-       return this;
-}
-
-/**
- * Find an initiated connection by the peers' ids
- */
-static bool match_initiated_by_ids(initiated_t *current, identification_t *id,
-                                                                  identification_t *peer_id)
-{
-       return id->equals(id, current->id) && peer_id->equals(peer_id, current->peer_id);
-}
-
-static status_t get_initiated_by_ids(private_connect_manager_t *this,
-                                                                        identification_t *id,
-                                                                        identification_t *peer_id,
-                                                                        initiated_t **initiated)
-{
-       return this->initiated->find_first(this->initiated,
-                                                               (linked_list_match_t)match_initiated_by_ids,
-                                                               (void**)initiated, id, peer_id);
-}
-
-/**
- * Removes data about initiated connections
- */
-static void remove_initiated(private_connect_manager_t *this,
-                                                        initiated_t *initiated)
-{
-       enumerator_t *enumerator;
-       initiated_t *current;
-
-       enumerator = this->initiated->create_enumerator(this->initiated);
-       while (enumerator->enumerate(enumerator, (void**)&current))
-       {
-               if (current == initiated)
-               {
-                       this->initiated->remove_at(this->initiated, enumerator);
-                       break;
-               }
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
- * Find the checklist with a specific connect ID
- */
-static bool match_checklist_by_id(check_list_t *current, chunk_t *connect_id)
-{
-       return chunk_equals(*connect_id, current->connect_id);
-}
-
-static status_t get_checklist_by_id(private_connect_manager_t *this,
-                                                                       chunk_t connect_id,
-                                                                       check_list_t **check_list)
-{
-       return this->checklists->find_first(this->checklists,
-                                                               (linked_list_match_t)match_checklist_by_id,
-                                                               (void**)check_list, &connect_id);
-}
-
-/**
- * Removes a checklist
- */
-static void remove_checklist(private_connect_manager_t *this,
-                                                        check_list_t *checklist)
-{
-       enumerator_t *enumerator;
-       check_list_t *current;
-
-       enumerator = this->checklists->create_enumerator(this->checklists);
-       while (enumerator->enumerate(enumerator, (void**)&current))
-       {
-               if (current == checklist)
-               {
-                       this->checklists->remove_at(this->checklists, enumerator);
-                       break;
-               }
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
- * Checks if a list of endpoint_notify_t contains a certain host_t
- */
-static bool match_endpoint_by_host(endpoint_notify_t *current, host_t *host)
-{
-       return host->equals(host, current->get_host(current));
-}
-
-static status_t endpoints_contain(linked_list_t *endpoints, host_t *host,
-                                                                 endpoint_notify_t **endpoint)
-{
-       return endpoints->find_first(endpoints,
-                                                                (linked_list_match_t)match_endpoint_by_host,
-                                                                (void**)endpoint, host);
-}
-
-/**
- * Inserts an endpoint pair into a list of pairs ordered by priority (high to low)
- */
-static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair)
-{
-       enumerator_t *enumerator = pairs->create_enumerator(pairs);
-       endpoint_pair_t *current;
-       while (enumerator->enumerate(enumerator, (void**)&current) &&
-                  current->priority >= pair->priority)
-       {
-               continue;
-       }
-       pairs->insert_before(pairs, enumerator, pair);
-       enumerator->destroy(enumerator);
-}
-
-/**
- * Searches a list of endpoint_pair_t for a pair with specific host_ts
- */
-static bool match_pair_by_hosts(endpoint_pair_t *current, host_t *local,
-                                                               host_t *remote)
-{
-       return local->equals(local, current->local) && remote->equals(remote, current->remote);
-}
-
-static status_t get_pair_by_hosts(linked_list_t *pairs, host_t *local,
-                                                                 host_t *remote, endpoint_pair_t **pair)
-{
-       return pairs->find_first(pairs, (linked_list_match_t)match_pair_by_hosts,
-                                                        (void**)pair, local, remote);
-}
-
-static bool match_pair_by_id(endpoint_pair_t *current, u_int32_t *id)
-{
-       return current->id == *id;
-}
-
-/**
- * Searches for a pair with a specific id
- */
-static status_t get_pair_by_id(check_list_t *checklist, u_int32_t id,
-                                                          endpoint_pair_t **pair)
-{
-       return checklist->pairs->find_first(checklist->pairs,
-                                                                               (linked_list_match_t)match_pair_by_id,
-                                                                               (void**)pair, &id);
-}
-
-static bool match_succeeded_pair(endpoint_pair_t *current)
-{
-       return current->state == CHECK_SUCCEEDED;
-}
-
-/**
- * Returns the best pair of state CHECK_SUCCEEDED from a checklist.
- */
-static status_t get_best_valid_pair(check_list_t *checklist,
-                                                                       endpoint_pair_t **pair)
-{
-       return checklist->pairs->find_first(checklist->pairs,
-                                                                       (linked_list_match_t)match_succeeded_pair,
-                                                                       (void**)pair);
-}
-
-static bool match_waiting_pair(endpoint_pair_t *current)
-{
-       return current->state == CHECK_WAITING;
-}
-
-/**
- * Returns and *removes* the first triggered pair in state CHECK_WAITING.
- */
-static status_t get_triggered_pair(check_list_t *checklist,
-                                                                  endpoint_pair_t **pair)
-{
-       enumerator_t *enumerator;
-       endpoint_pair_t *current;
-       status_t status = NOT_FOUND;
-
-       enumerator = checklist->triggered->create_enumerator(checklist->triggered);
-       while (enumerator->enumerate(enumerator, (void**)&current))
-       {
-               checklist->triggered->remove_at(checklist->triggered, enumerator);
-
-               if (current->state == CHECK_WAITING)
-               {
-                       if (pair)
-                       {
-                               *pair = current;
-                       }
-                       status = SUCCESS;
-                       break;
-               }
-       }
-       enumerator->destroy(enumerator);
-
-       return status;
-}
-
-/**
- * Prints all the pairs on a checklist
- */
-static void print_checklist(check_list_t *checklist)
-{
-       enumerator_t *enumerator;
-       endpoint_pair_t *current;
-
-       DBG1(DBG_IKE, "pairs on checklist %#B:", &checklist->connect_id);
-       enumerator = checklist->pairs->create_enumerator(checklist->pairs);
-       while (enumerator->enumerate(enumerator, (void**)&current))
-       {
-               DBG1(DBG_IKE, " * %#H - %#H (%d)", current->local, current->remote,
-                        current->priority);
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
- * Prunes identical pairs with lower priority from the list
- * Note: this function also numbers the remaining pairs serially
- */
-static void prune_pairs(linked_list_t *pairs)
-{
-       enumerator_t *enumerator, *search;
-       endpoint_pair_t *current, *other;
-       u_int32_t id = 0;
-
-       enumerator = pairs->create_enumerator(pairs);
-       search = pairs->create_enumerator(pairs);
-       while (enumerator->enumerate(enumerator, (void**)&current))
-       {
-               current->id = ++id;
-
-               while (search->enumerate(search, (void**)&other))
-               {
-                       if (current == other)
-                       {
-                               continue;
-                       }
-
-                       if (current->local->equals(current->local, other->local) &&
-                               current->remote->equals(current->remote, other->remote))
-                       {
-                               /* since the list of pairs is sorted by priority in descending
-                                * order, and we iterate the list from the beginning, we are
-                                * sure that the priority of 'other' is lower than that of
-                                * 'current', remove it */
-                               DBG1(DBG_IKE, "pruning endpoint pair %#H - %#H with priority %d",
-                                        other->local, other->remote, other->priority);
-                               pairs->remove_at(pairs, search);
-                               endpoint_pair_destroy(other);
-                       }
-               }
-               pairs->reset_enumerator(pairs, search);
-       }
-       search->destroy(search);
-       enumerator->destroy(enumerator);
-}
-
-/**
- * Builds a list of endpoint pairs
- */
-static void build_pairs(check_list_t *checklist)
-{
-       /* FIXME: limit endpoints and pairs */
-       enumerator_t *enumerator_i, *enumerator_r;
-       endpoint_notify_t *initiator, *responder;
-
-       enumerator_i = checklist->initiator.endpoints->create_enumerator(
-                                                                               checklist->initiator.endpoints);
-       while (enumerator_i->enumerate(enumerator_i, (void**)&initiator))
-       {
-               enumerator_r = checklist->responder.endpoints->create_enumerator(
-                                                                               checklist->responder.endpoints);
-               while (enumerator_r->enumerate(enumerator_r, (void**)&responder))
-               {
-                       if (initiator->get_family(initiator) != responder->get_family(responder))
-                       {
-                               continue;
-                       }
-
-                       insert_pair_by_priority(checklist->pairs, endpoint_pair_create(
-                                                       initiator, responder, checklist->is_initiator));
-               }
-               enumerator_r->destroy(enumerator_r);
-       }
-       enumerator_i->destroy(enumerator_i);
-
-       print_checklist(checklist);
-
-       prune_pairs(checklist->pairs);
-}
-
-/**
- * Processes the payloads of a connectivity check and returns the extracted data
- */
-static status_t process_payloads(message_t *message, check_t *check)
-{
-       enumerator_t *enumerator;
-       payload_t *payload;
-
-       enumerator = message->create_payload_enumerator(message);
-       while (enumerator->enumerate(enumerator, &payload))
-       {
-               if (payload->get_type(payload) != NOTIFY)
-               {
-                       DBG1(DBG_IKE, "ignoring payload of type '%N' while processing "
-                                "connectivity check", payload_type_names,
-                                payload->get_type(payload));
-                       continue;
-               }
-
-               notify_payload_t *notify = (notify_payload_t*)payload;
-
-               switch (notify->get_notify_type(notify))
-               {
-                       case ME_ENDPOINT:
-                       {
-                               if (check->endpoint)
-                               {
-                                       DBG1(DBG_IKE, "connectivity check contains multiple "
-                                                "ME_ENDPOINT notifies");
-                                       break;
-                               }
-
-                               endpoint_notify_t *endpoint = endpoint_notify_create_from_payload(notify);
-                               if (!endpoint)
-                               {
-                                       DBG1(DBG_IKE, "received invalid ME_ENDPOINT notify");
-                                       break;
-                               }
-                               check->endpoint = endpoint;
-                               check->endpoint_raw = chunk_clone(notify->get_notification_data(notify));
-                               DBG2(DBG_IKE, "received ME_ENDPOINT notify");
-                               break;
-                       }
-                       case ME_CONNECTID:
-                       {
-                               if (check->connect_id.ptr)
-                               {
-                                       DBG1(DBG_IKE, "connectivity check contains multiple "
-                                                "ME_CONNECTID notifies");
-                                       break;
-                               }
-                               check->connect_id = chunk_clone(notify->get_notification_data(notify));
-                               DBG2(DBG_IKE, "received ME_CONNECTID %#B", &check->connect_id);
-                               break;
-                       }
-                       case ME_CONNECTAUTH:
-                       {
-                               if (check->auth.ptr)
-                               {
-                                       DBG1(DBG_IKE, "connectivity check contains multiple "
-                                                "ME_CONNECTAUTH notifies");
-                                       break;
-                               }
-                               check->auth = chunk_clone(notify->get_notification_data(notify));
-                               DBG2(DBG_IKE, "received ME_CONNECTAUTH %#B", &check->auth);
-                               break;
-                       }
-                       default:
-                               break;
-               }
-       }
-       enumerator->destroy(enumerator);
-
-       if (!check->connect_id.ptr || !check->endpoint || !check->auth.ptr)
-       {
-               DBG1(DBG_IKE, "at least one required payload was missing from the "
-                        "connectivity check");
-               return FAILED;
-       }
-
-       return SUCCESS;
-}
-
-/**
- * Builds the signature for a connectivity check
- */
-static chunk_t build_signature(private_connect_manager_t *this,
-               check_list_t *checklist, check_t *check, bool outbound)
-{
-       u_int32_t mid;
-       chunk_t mid_chunk, key_chunk, sig_chunk;
-       chunk_t sig_hash;
-
-       mid = htonl(check->mid);
-       mid_chunk = chunk_from_thing(mid);
-
-       key_chunk = (checklist->is_initiator && outbound) || (!checklist->is_initiator && !outbound)
-                                       ? checklist->initiator.key : checklist->responder.key;
-
-       /* signature = SHA1( MID | ME_CONNECTID | ME_ENDPOINT | ME_CONNECTKEY ) */
-       sig_chunk = chunk_cat("cccc", mid_chunk, check->connect_id,
-                                                 check->endpoint_raw, key_chunk);
-       this->hasher->allocate_hash(this->hasher, sig_chunk, &sig_hash);
-       DBG3(DBG_IKE, "sig_chunk %#B", &sig_chunk);
-       DBG3(DBG_IKE, "sig_hash %#B", &sig_hash);
-
-       chunk_free(&sig_chunk);
-       return sig_hash;
-}
-
-static void queue_retransmission(private_connect_manager_t *this, check_list_t *checklist, endpoint_pair_t *pair);
-static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, u_int32_t time);
-static void finish_checks(private_connect_manager_t *this, check_list_t *checklist);
-
-/**
- * After one of the initiator's pairs has succeeded we finish the checks without
- * waiting for all the timeouts
- */
-static job_requeue_t initiator_finish(callback_data_t *data)
-{
-       private_connect_manager_t *this = data->connect_manager;
-
-       this->mutex->lock(this->mutex);
-
-       check_list_t *checklist;
-       if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "checklist with id '%#B' not found, can't finish "
-                        "connectivity checks", &data->connect_id);
-               this->mutex->unlock(this->mutex);
-               return JOB_REQUEUE_NONE;
-       }
-
-       finish_checks(this, checklist);
-
-       this->mutex->unlock(this->mutex);
-
-       return JOB_REQUEUE_NONE;
-}
-
-/**
- * Updates the state of the whole checklist
- */
-static void update_checklist_state(private_connect_manager_t *this,
-                                                                  check_list_t *checklist)
-{
-       enumerator_t *enumerator;
-       endpoint_pair_t *current;
-       bool in_progress = FALSE, succeeded = FALSE;
-
-       enumerator = checklist->pairs->create_enumerator(checklist->pairs);
-       while (enumerator->enumerate(enumerator, (void**)&current))
-       {
-               switch(current->state)
-               {
-                       case CHECK_WAITING:
-                               /* at least one is still waiting -> checklist remains
-                                * in waiting state */
-                               enumerator->destroy(enumerator);
-                               return;
-                       case CHECK_IN_PROGRESS:
-                               in_progress = TRUE;
-                               break;
-                       case CHECK_SUCCEEDED:
-                               succeeded = TRUE;
-                               break;
-                       default:
-                               break;
-               }
-       }
-       enumerator->destroy(enumerator);
-
-       if (checklist->is_initiator && succeeded && !checklist->is_finishing)
-       {
-               /* instead of waiting until all checks have finished (i.e. all
-                * retransmissions have failed) the initiator finishes the checks
-                * right after the first check has succeeded. to allow a probably
-                * better pair to succeed, we still wait a certain time */
-               DBG2(DBG_IKE, "fast finishing checks for checklist '%#B'",
-                        &checklist->connect_id);
-
-               callback_data_t *data = callback_data_create(this, checklist->connect_id);
-               job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-               lib->scheduler->schedule_job_ms(lib->scheduler, job, ME_WAIT_TO_FINISH);
-               checklist->is_finishing = TRUE;
-       }
-
-       if (in_progress)
-       {
-               checklist->state = CHECK_IN_PROGRESS;
-       }
-       else if (succeeded)
-       {
-               checklist->state = CHECK_SUCCEEDED;
-       }
-       else
-       {
-               checklist->state = CHECK_FAILED;
-       }
-}
-
-/**
- * This function is triggered for each sent check after a specific timeout
- */
-static job_requeue_t retransmit(callback_data_t *data)
-{
-       private_connect_manager_t *this = data->connect_manager;
-
-       this->mutex->lock(this->mutex);
-
-       check_list_t *checklist;
-       if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "checklist with id '%#B' not found, can't retransmit "
-                        "connectivity check", &data->connect_id);
-               this->mutex->unlock(this->mutex);
-               return JOB_REQUEUE_NONE;
-       }
-
-       endpoint_pair_t *pair;
-       if (get_pair_by_id(checklist, data->mid, &pair) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "pair with id '%d' not found, can't retransmit "
-                        "connectivity check", data->mid);
-               goto retransmit_end;
-       }
-
-       if (pair->state != CHECK_IN_PROGRESS)
-       {
-               DBG2(DBG_IKE, "pair with id '%d' is in wrong state [%d], don't "
-                        "retransmit the connectivity check", data->mid, pair->state);
-               goto retransmit_end;
-       }
-
-       if (++pair->retransmitted > ME_MAX_RETRANS)
-       {
-               DBG2(DBG_IKE, "pair with id '%d' failed after %d retransmissions",
-                        data->mid, ME_MAX_RETRANS);
-               pair->state = CHECK_FAILED;
-               goto retransmit_end;
-       }
-
-       charon->sender->send(charon->sender, pair->packet->clone(pair->packet));
-
-       queue_retransmission(this, checklist, pair);
-
-retransmit_end:
-       update_checklist_state(this, checklist);
-
-       switch(checklist->state)
-       {
-               case CHECK_SUCCEEDED:
-               case CHECK_FAILED:
-                       finish_checks(this, checklist);
-                       break;
-               default:
-                       break;
-       }
-
-       this->mutex->unlock(this->mutex);
-
-       /* we reschedule it manually */
-       return JOB_REQUEUE_NONE;
-}
-
-/**
- * Queues a retransmission job
- */
-static void queue_retransmission(private_connect_manager_t *this, check_list_t *checklist, endpoint_pair_t *pair)
-{
-       callback_data_t *data = retransmit_data_create(this, checklist->connect_id, pair->id);
-       job_t *job = (job_t*)callback_job_create((callback_job_cb_t)retransmit, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-
-       u_int32_t retransmission = pair->retransmitted + 1;
-       u_int32_t rto = ME_INTERVAL;
-       if (retransmission > ME_BOOST)
-       {
-               rto = (u_int32_t)(ME_INTERVAL * pow(ME_RETRANS_BASE, retransmission - ME_BOOST));
-       }
-       DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms",
-                retransmission, pair->id, rto);
-
-       lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)job, rto);
-}
-
-/**
- * Sends a check
- */
-static void send_check(private_connect_manager_t *this, check_list_t *checklist,
-               check_t *check, endpoint_pair_t *pair, bool request)
-{
-       message_t *message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
-       message->set_message_id(message, check->mid);
-       message->set_exchange_type(message, INFORMATIONAL);
-       message->set_request(message, request);
-       message->set_destination(message, check->dst->clone(check->dst));
-       message->set_source(message, check->src->clone(check->src));
-
-       ike_sa_id_t *ike_sa_id = ike_sa_id_create(0, 0, request);
-       message->set_ike_sa_id(message, ike_sa_id);
-       ike_sa_id->destroy(ike_sa_id);
-
-       message->add_notify(message, FALSE, ME_CONNECTID, check->connect_id);
-       DBG2(DBG_IKE, "send ME_CONNECTID %#B", &check->connect_id);
-
-       notify_payload_t *endpoint = check->endpoint->build_notify(check->endpoint);
-       check->endpoint_raw = chunk_clone(endpoint->get_notification_data(endpoint));
-       message->add_payload(message, (payload_t*)endpoint);
-       DBG2(DBG_IKE, "send ME_ENDPOINT notify");
-
-       check->auth = build_signature(this, checklist, check, TRUE);
-       message->add_notify(message, FALSE, ME_CONNECTAUTH, check->auth);
-       DBG2(DBG_IKE, "send ME_CONNECTAUTH %#B", &check->auth);
-
-       packet_t *packet;
-       if (message->generate(message, NULL, &packet) == SUCCESS)
-       {
-               charon->sender->send(charon->sender, packet->clone(packet));
-
-               if (request)
-               {
-                       DESTROY_IF(pair->packet);
-                       pair->packet = packet;
-                       pair->retransmitted = 0;
-                       queue_retransmission(this, checklist, pair);
-               }
-               else
-               {
-                       packet->destroy(packet);
-               }
-       }
-       message->destroy(message);
-}
-
-/**
- * Queues a triggered check
- */
-static void queue_triggered_check(private_connect_manager_t *this,
-               check_list_t *checklist, endpoint_pair_t *pair)
-{
-       DBG2(DBG_IKE, "queueing triggered check for pair '%d'", pair->id);
-       pair->state = CHECK_WAITING;
-       checklist->triggered->insert_last(checklist->triggered, pair);
-
-       if (!checklist->sender)
-       {
-               /* if the sender is not running we restart it */
-               schedule_checks(this, checklist, ME_INTERVAL);
-       }
-}
-
-/**
- * This function is triggered for each checklist at a specific interval
- */
-static job_requeue_t sender(callback_data_t *data)
-{
-       private_connect_manager_t *this = data->connect_manager;
-
-       this->mutex->lock(this->mutex);
-
-       check_list_t *checklist;
-       if (get_checklist_by_id(this, data->connect_id, &checklist) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "checklist with id '%#B' not found, can't send "
-                        "connectivity check", &data->connect_id);
-               this->mutex->unlock(this->mutex);
-               return JOB_REQUEUE_NONE;
-       }
-
-       /* reset the sender */
-       checklist->sender = NULL;
-
-       endpoint_pair_t *pair;
-       if (get_triggered_pair(checklist, &pair) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "no triggered check queued, sending an ordinary check");
-
-               if (checklist->pairs->find_first(checklist->pairs,
-                                                                       (linked_list_match_t)match_waiting_pair,
-                                                                       (void**)&pair) != SUCCESS)
-               {
-                       this->mutex->unlock(this->mutex);
-                       DBG1(DBG_IKE, "no pairs in waiting state, aborting");
-                       return JOB_REQUEUE_NONE;
-               }
-       }
-       else
-       {
-               DBG1(DBG_IKE, "triggered check found");
-       }
-
-       check_t *check = check_create();
-       check->mid = pair->id;
-       check->src = pair->local->clone(pair->local);
-       check->dst = pair->remote->clone(pair->remote);
-       check->connect_id = chunk_clone(checklist->connect_id);
-       check->endpoint = endpoint_notify_create_from_host(PEER_REFLEXIVE, NULL,
-                                                                                                          NULL);
-
-       pair->state = CHECK_IN_PROGRESS;
-
-       send_check(this, checklist, check, pair, TRUE);
-
-       check_destroy(check);
-
-       /* schedule this job again */
-       schedule_checks(this, checklist, ME_INTERVAL);
-
-       this->mutex->unlock(this->mutex);
-
-       /* we reschedule it manually */
-       return JOB_REQUEUE_NONE;
-}
-
-/**
- * Schedules checks for a checklist (time in ms)
- */
-static void schedule_checks(private_connect_manager_t *this, check_list_t *checklist, u_int32_t time)
-{
-       callback_data_t *data = callback_data_create(this, checklist->connect_id);
-       checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-       lib->scheduler->schedule_job_ms(lib->scheduler, checklist->sender, time);
-}
-
-/**
- * Initiates waiting mediated connections
- */
-static job_requeue_t initiate_mediated(initiate_data_t *data)
-{
-       check_list_t *checklist = data->checklist;
-       initiated_t *initiated = data->initiated;
-
-       endpoint_pair_t *pair;
-       if (get_best_valid_pair(checklist, &pair) == SUCCESS)
-       {
-               ike_sa_id_t *waiting_sa;
-               enumerator_t *enumerator = initiated->mediated->create_enumerator(
-                                                                                                               initiated->mediated);
-               while (enumerator->enumerate(enumerator, (void**)&waiting_sa))
-               {
-                       ike_sa_t *sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, waiting_sa);
-                       if (sa->initiate_mediated(sa, pair->local, pair->remote, checklist->connect_id) != SUCCESS)
-                       {
-                               DBG1(DBG_IKE, "establishing mediated connection failed");
-                               charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa);
-                       }
-                       else
-                       {
-                               charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa);
-                       }
-               }
-               enumerator->destroy(enumerator);
-       }
-       else
-       {
-               /* this should (can?) not happen */
-       }
-
-       return JOB_REQUEUE_NONE;
-}
-
-/**
- * Finishes checks for a checklist
- */
-static void finish_checks(private_connect_manager_t *this, check_list_t *checklist)
-{
-       if (checklist->is_initiator)
-       {
-               initiated_t *initiated;
-               if (get_initiated_by_ids(this, checklist->initiator.id,
-                               checklist->responder.id, &initiated) == SUCCESS)
-               {
-                       remove_checklist(this, checklist);
-                       remove_initiated(this, initiated);
-
-                       initiate_data_t *data = initiate_data_create(checklist, initiated);
-                       job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
-                       lib->processor->queue_job(lib->processor, job);
-                       return;
-               }
-               else
-               {
-                       DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y'"
-                                " and '%Y'", checklist->initiator.id, checklist->responder.id);
-               }
-       }
-}
-
-/**
- * Process the response to one of our requests
- */
-static void process_response(private_connect_manager_t *this, check_t *check,
-               check_list_t *checklist)
-{
-       endpoint_pair_t *pair;
-       if (get_pair_by_id(checklist, check->mid, &pair) == SUCCESS)
-       {
-               if (pair->local->equals(pair->local, check->dst) &&
-                       pair->remote->equals(pair->remote, check->src))
-               {
-                       DBG1(DBG_IKE, "endpoint pair '%d' is valid: '%#H' - '%#H'",
-                                pair->id, pair->local, pair->remote);
-                       pair->state = CHECK_SUCCEEDED;
-               }
-
-               linked_list_t *local_endpoints = checklist->is_initiator ?
-                       checklist->initiator.endpoints : checklist->responder.endpoints;
-
-               endpoint_notify_t *local_endpoint;
-               if (endpoints_contain(local_endpoints,
-                                                         check->endpoint->get_host(check->endpoint),
-                                                         &local_endpoint) != SUCCESS)
-               {
-                       local_endpoint = endpoint_notify_create_from_host(PEER_REFLEXIVE,
-                                       check->endpoint->get_host(check->endpoint), pair->local);
-                       local_endpoint->set_priority(local_endpoint,
-                                                               check->endpoint->get_priority(check->endpoint));
-                       local_endpoints->insert_last(local_endpoints, local_endpoint);
-               }
-
-               update_checklist_state(this, checklist);
-
-               switch(checklist->state)
-               {
-                       case CHECK_SUCCEEDED:
-                       case CHECK_FAILED:
-                               finish_checks(this, checklist);
-                               break;
-                       default:
-                               break;
-               }
-       }
-       else
-       {
-               DBG1(DBG_IKE, "pair with id '%d' not found", check->mid);
-       }
-}
-
-static void process_request(private_connect_manager_t *this, check_t *check,
-                                                       check_list_t *checklist)
-{
-       linked_list_t *remote_endpoints = checklist->is_initiator ?
-                               checklist->responder.endpoints : checklist->initiator.endpoints;
-
-       endpoint_notify_t *peer_reflexive, *remote_endpoint;
-       peer_reflexive = endpoint_notify_create_from_host(PEER_REFLEXIVE,
-                                                                                                         check->src, NULL);
-       peer_reflexive->set_priority(peer_reflexive,
-                                                       check->endpoint->get_priority(check->endpoint));
-
-       if (endpoints_contain(remote_endpoints, check->src, &remote_endpoint) != SUCCESS)
-       {
-               remote_endpoint = peer_reflexive->clone(peer_reflexive);
-               remote_endpoints->insert_last(remote_endpoints, remote_endpoint);
-       }
-
-       endpoint_pair_t *pair;
-       if (get_pair_by_hosts(checklist->pairs, check->dst, check->src,
-                                                 &pair) == SUCCESS)
-       {
-               switch(pair->state)
-               {
-                       case CHECK_IN_PROGRESS:
-                               /* prevent retransmissions */
-                               pair->retransmitted = ME_MAX_RETRANS;
-                               /* FIXME: we should wait to the next rto to send the triggered
-                                * check */
-                               /* fall-through */
-                       case CHECK_WAITING:
-                       case CHECK_FAILED:
-                               queue_triggered_check(this, checklist, pair);
-                               break;
-                       case CHECK_SUCCEEDED:
-                       default:
-                               break;
-               }
-       }
-       else
-       {
-               endpoint_notify_t *local_endpoint = endpoint_notify_create_from_host(HOST, check->dst, NULL);
-
-               endpoint_notify_t *initiator = checklist->is_initiator ? local_endpoint : remote_endpoint;
-               endpoint_notify_t *responder = checklist->is_initiator ? remote_endpoint : local_endpoint;
-
-               pair = endpoint_pair_create(initiator, responder, checklist->is_initiator);
-               pair->id = checklist->pairs->get_count(checklist->pairs) + 1;
-
-               insert_pair_by_priority(checklist->pairs, pair);
-
-               queue_triggered_check(this, checklist, pair);
-
-               local_endpoint->destroy(local_endpoint);
-       }
-
-       check_t *response = check_create();
-
-       response->mid = check->mid;
-       response->src = check->dst->clone(check->dst);
-       response->dst = check->src->clone(check->src);
-       response->connect_id = chunk_clone(check->connect_id);
-       response->endpoint = peer_reflexive;
-
-       send_check(this, checklist, response, pair, FALSE);
-
-       check_destroy(response);
-}
-
-METHOD(connect_manager_t, process_check, void,
-       private_connect_manager_t *this, message_t *message)
-{
-       if (message->parse_body(message, NULL) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
-                        exchange_type_names, message->get_exchange_type(message),
-                        message->get_request(message) ? "request" : "response",
-                        message->get_message_id(message));
-               return;
-       }
-
-       check_t *check = check_create();
-       check->mid = message->get_message_id(message);
-       check->src = message->get_source(message);
-       check->src = check->src->clone(check->src);
-       check->dst = message->get_destination(message);
-       check->dst = check->dst->clone(check->dst);
-
-       if (process_payloads(message, check) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "invalid connectivity check %s received",
-                        message->get_request(message) ? "request" : "response");
-               check_destroy(check);
-               return;
-       }
-
-       this->mutex->lock(this->mutex);
-
-       check_list_t *checklist;
-       if (get_checklist_by_id(this, check->connect_id, &checklist) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "checklist with id '%#B' not found",
-                        &check->connect_id);
-               check_destroy(check);
-               this->mutex->unlock(this->mutex);
-               return;
-       }
-
-       chunk_t sig = build_signature(this, checklist, check, FALSE);
-       if (!chunk_equals(sig, check->auth))
-       {
-               DBG1(DBG_IKE, "connectivity check verification failed");
-               check_destroy(check);
-               chunk_free(&sig);
-               this->mutex->unlock(this->mutex);
-               return;
-       }
-       chunk_free(&sig);
-
-       if (message->get_request(message))
-       {
-               process_request(this, check, checklist);
-       }
-       else
-       {
-               process_response(this, check, checklist);
-       }
-
-       this->mutex->unlock(this->mutex);
-
-       check_destroy(check);
-}
-
-METHOD(connect_manager_t, check_and_register, bool,
-       private_connect_manager_t *this, identification_t *id,
-       identification_t *peer_id, ike_sa_id_t *mediated_sa)
-{
-       initiated_t *initiated;
-       bool already_there = TRUE;
-
-       this->mutex->lock(this->mutex);
-
-       if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
-       {
-               DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'",
-                        peer_id);
-               initiated = initiated_create(id, peer_id);
-               this->initiated->insert_last(this->initiated, initiated);
-               already_there = FALSE;
-       }
-
-       if (initiated->mediated->find_first(initiated->mediated,
-                                                               (linked_list_match_t)mediated_sa->equals,
-                                                               NULL, mediated_sa) != SUCCESS)
-       {
-               initiated->mediated->insert_last(initiated->mediated,
-                                                                                mediated_sa->clone(mediated_sa));
-       }
-
-       this->mutex->unlock(this->mutex);
-
-       return already_there;
-}
-
-METHOD(connect_manager_t, check_and_initiate, void,
-       private_connect_manager_t *this, ike_sa_id_t *mediation_sa,
-       identification_t *id, identification_t *peer_id)
-{
-       initiated_t *initiated;
-
-       this->mutex->lock(this->mutex);
-
-       if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
-       {
-               DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id);
-               this->mutex->unlock(this->mutex);
-               return;
-       }
-
-       ike_sa_id_t *waiting_sa;
-       enumerator_t *enumerator = initiated->mediated->create_enumerator(
-                                                                                                               initiated->mediated);
-       while (enumerator->enumerate(enumerator, (void**)&waiting_sa))
-       {
-               job_t *job = (job_t*)reinitiate_mediation_job_create(mediation_sa,
-                                                                                                                        waiting_sa);
-               lib->processor->queue_job(lib->processor, job);
-       }
-       enumerator->destroy(enumerator);
-
-       this->mutex->unlock(this->mutex);
-}
-
-METHOD(connect_manager_t, set_initiator_data, status_t,
-       private_connect_manager_t *this, identification_t *initiator,
-       identification_t *responder, chunk_t connect_id, chunk_t key,
-       linked_list_t *endpoints, bool is_initiator)
-{
-       check_list_t *checklist;
-
-       this->mutex->lock(this->mutex);
-
-       if (get_checklist_by_id(this, connect_id, NULL) == SUCCESS)
-       {
-               DBG1(DBG_IKE, "checklist with id '%#B' already exists, aborting",
-                        &connect_id);
-               this->mutex->unlock(this->mutex);
-               return FAILED;
-       }
-
-       checklist = check_list_create(initiator, responder, connect_id, key,
-                                                                 endpoints, is_initiator);
-       this->checklists->insert_last(this->checklists, checklist);
-
-       this->mutex->unlock(this->mutex);
-
-       return SUCCESS;
-}
-
-METHOD(connect_manager_t, set_responder_data, status_t,
-       private_connect_manager_t *this, chunk_t connect_id, chunk_t key,
-       linked_list_t *endpoints)
-{
-       check_list_t *checklist;
-
-       this->mutex->lock(this->mutex);
-
-       if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "checklist with id '%#B' not found",
-                        &connect_id);
-               this->mutex->unlock(this->mutex);
-               return NOT_FOUND;
-       }
-
-       checklist->responder.key = chunk_clone(key);
-       checklist->responder.endpoints = endpoints->clone_offset(endpoints,
-                                                                                       offsetof(endpoint_notify_t, clone));
-       checklist->state = CHECK_WAITING;
-
-       build_pairs(checklist);
-
-       /* send the first check immediately */
-       schedule_checks(this, checklist, 0);
-
-       this->mutex->unlock(this->mutex);
-
-       return SUCCESS;
-}
-
-METHOD(connect_manager_t, stop_checks, status_t,
-       private_connect_manager_t *this, chunk_t connect_id)
-{
-       check_list_t *checklist;
-
-       this->mutex->lock(this->mutex);
-
-       if (get_checklist_by_id(this, connect_id, &checklist) != SUCCESS)
-       {
-               DBG1(DBG_IKE, "checklist with id '%#B' not found",
-                        &connect_id);
-               this->mutex->unlock(this->mutex);
-               return NOT_FOUND;
-       }
-
-       DBG1(DBG_IKE, "removing checklist with id '%#B'", &connect_id);
-
-       remove_checklist(this, checklist);
-       check_list_destroy(checklist);
-
-       this->mutex->unlock(this->mutex);
-
-       return SUCCESS;
-}
-
-METHOD(connect_manager_t, destroy, void,
-       private_connect_manager_t *this)
-{
-       this->mutex->lock(this->mutex);
-
-       this->checklists->destroy_function(this->checklists,
-                                                                          (void*)check_list_destroy);
-       this->initiated->destroy_function(this->initiated,
-                                                                        (void*)initiated_destroy);
-       DESTROY_IF(this->hasher);
-
-       this->mutex->unlock(this->mutex);
-       this->mutex->destroy(this->mutex);
-       free(this);
-}
-
-/*
- * Described in header.
- */
-connect_manager_t *connect_manager_create()
-{
-       private_connect_manager_t *this;
-
-       INIT(this,
-               .public = {
-                       .destroy = _destroy,
-                       .check_and_register = _check_and_register,
-                       .check_and_initiate = _check_and_initiate,
-                       .set_initiator_data = _set_initiator_data,
-                       .set_responder_data = _set_responder_data,
-                       .process_check = _process_check,
-                       .stop_checks = _stop_checks,
-               },
-               .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
-               .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
-               .checklists = linked_list_create(),
-               .initiated = linked_list_create(),
-       );
-
-       if (this->hasher == NULL)
-       {
-               DBG1(DBG_IKE, "unable to create connect manager, SHA1 not supported");
-               destroy(this);
-               return NULL;
-       }
-
-       return &this->public;
-}
diff --git a/src/libcharon/sa/connect_manager.h b/src/libcharon/sa/connect_manager.h
deleted file mode 100644 (file)
index 8fa8ff6..0000000
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2007-2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup connect_manager connect_manager
- * @{ @ingroup sa
- */
-
-#ifndef CONNECT_MANAGER_H_
-#define CONNECT_MANAGER_H_
-
-typedef struct connect_manager_t connect_manager_t;
-
-#include <encoding/message.h>
-#include <sa/ike_sa_id.h>
-#include <utils/identification.h>
-
-/**
- * The connection manager is responsible for establishing a direct
- * connection with another peer.
- */
-struct connect_manager_t {
-
-       /**
-        * Checks if a there is already a mediated connection registered
-        * between two peers.
-        *
-        * @param id                    my id
-        * @param peer_id               the other peer's id
-        * @param mediated_sa   the IKE_SA ID of the mediated connection
-        * @returns
-        *                                              - TRUE, if a mediated connection is registered
-        *                                              - FALSE, otherwise
-        */
-       bool (*check_and_register) (connect_manager_t *this, identification_t *id,
-                                                               identification_t *peer_id,
-                                                               ike_sa_id_t *mediated_sa);
-
-       /**
-        * Checks if there are waiting connections with a specific peer.
-        * If so, reinitiate them.
-        *
-        * @param id                    my id
-        * @param peer_id               the other peer's id
-        */
-       void (*check_and_initiate) (connect_manager_t *this,
-                                                               ike_sa_id_t *mediation_sa, identification_t *id,
-                                                               identification_t *peer_id);
-
-       /**
-        * Creates a checklist and sets the initiator's data.
-        *
-        * @param initiator             ID of the initiator
-        * @param responder             ID of the responder
-        * @param connect_id    the connect ID provided by the initiator
-        * @param key                   the initiator's key
-        * @param endpoints             the initiator's endpoints
-        * @param is_initiator  TRUE, if the caller of this method is the initiator
-        * @returns                             SUCCESS
-        */
-       status_t (*set_initiator_data) (connect_manager_t *this,
-                                                                       identification_t *initiator,
-                                                                       identification_t *responder,
-                                                                       chunk_t connect_id, chunk_t key,
-                                                                       linked_list_t *endpoints,
-                                                                       bool is_initiator);
-
-       /**
-        * Updates a checklist and sets the responder's data. The checklist's
-        * state is advanced to WAITING which means that checks will be sent.
-        *
-        * @param connect_id    the connect ID
-        * @param chunk_t               the responder's key
-        * @param endpoints             the responder's endpoints
-        * @returns
-        *                                              - NOT_FOUND, if the checklist has not been found
-        *                                              - SUCCESS, otherwise
-        */
-       status_t (*set_responder_data) (connect_manager_t *this,
-                                                                       chunk_t connect_id, chunk_t key,
-                                                                       linked_list_t *endpoints);
-
-       /**
-        * Stops checks for a checklist. Called after the responder received an
-        * IKE_SA_INIT request which contains a ME_CONNECTID payload.
-        *
-        * @param connect_id    the connect ID
-        * @returns
-        *                                              - NOT_FOUND, if the checklist has not been found
-        *                                              - SUCCESS, otherwise
-        */
-       status_t (*stop_checks) (connect_manager_t *this, chunk_t connect_id);
-
-       /**
-        * Processes a connectivity check
-        *
-        * @param message               the received message
-        */
-       void (*process_check) (connect_manager_t *this, message_t *message);
-
-       /**
-        * Destroys the manager with all data.
-        */
-       void (*destroy) (connect_manager_t *this);
-};
-
-/**
- * Create a manager.
- *
- * @returns    connect_manager_t object
- */
-connect_manager_t *connect_manager_create(void);
-
-#endif /** CONNECT_MANAGER_H_ @}*/
index 331b001..0ee4324 100644 (file)
 #include <daemon.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
-#include <sa/tasks/ike_init.h>
-#include <sa/tasks/ike_natd.h>
-#include <sa/tasks/ike_mobike.h>
-#include <sa/tasks/ike_auth.h>
-#include <sa/tasks/ike_auth_lifetime.h>
-#include <sa/tasks/ike_config.h>
-#include <sa/tasks/ike_cert_pre.h>
-#include <sa/tasks/ike_cert_post.h>
-#include <sa/tasks/ike_rekey.h>
-#include <sa/tasks/ike_reauth.h>
-#include <sa/tasks/ike_delete.h>
-#include <sa/tasks/ike_dpd.h>
-#include <sa/tasks/ike_vendor.h>
-#include <sa/tasks/child_create.h>
-#include <sa/tasks/child_delete.h>
-#include <sa/tasks/child_rekey.h>
-#include <sa/tasks/main_mode.h>
-#include <sa/tasks/isakmp_cert_pre.h>
-#include <sa/tasks/isakmp_cert_post.h>
-#include <sa/tasks/isakmp_natd.h>
-#include <sa/tasks/quick_mode.h>
-#include <sa/tasks/quick_delete.h>
-#include <sa/tasks/isakmp_vendor.h>
-#include <sa/tasks/isakmp_delete.h>
+#include <sa/ikev2/tasks/ike_init.h>
+#include <sa/ikev2/tasks/ike_natd.h>
+#include <sa/ikev2/tasks/ike_mobike.h>
+#include <sa/ikev2/tasks/ike_auth.h>
+#include <sa/ikev2/tasks/ike_auth_lifetime.h>
+#include <sa/ikev2/tasks/ike_config.h>
+#include <sa/ikev2/tasks/ike_cert_pre.h>
+#include <sa/ikev2/tasks/ike_cert_post.h>
+#include <sa/ikev2/tasks/ike_rekey.h>
+#include <sa/ikev2/tasks/ike_reauth.h>
+#include <sa/ikev2/tasks/ike_delete.h>
+#include <sa/ikev2/tasks/ike_dpd.h>
+#include <sa/ikev2/tasks/ike_vendor.h>
+#include <sa/ikev2/tasks/child_create.h>
+#include <sa/ikev2/tasks/child_delete.h>
+#include <sa/ikev2/tasks/child_rekey.h>
+#include <sa/ikev1/tasks/main_mode.h>
+#include <sa/ikev1/tasks/isakmp_cert_pre.h>
+#include <sa/ikev1/tasks/isakmp_cert_post.h>
+#include <sa/ikev1/tasks/isakmp_natd.h>
+#include <sa/ikev1/tasks/quick_mode.h>
+#include <sa/ikev1/tasks/quick_delete.h>
+#include <sa/ikev1/tasks/isakmp_vendor.h>
+#include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/retransmit_job.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 #include <processing/jobs/send_dpd_job.h>
@@ -59,7 +59,7 @@
 #include <processing/jobs/rekey_ike_sa_job.h>
 
 #ifdef ME
-#include <sa/tasks/ike_me.h>
+#include <sa/ikev2/tasks/ike_me.h>
 #include <processing/jobs/initiate_mediation_job.h>
 #endif
 
index cbb16ca..e503564 100644 (file)
@@ -37,7 +37,7 @@ typedef struct ike_sa_t ike_sa_t;
 #include <encoding/payloads/configuration_attribute.h>
 #include <sa/ike_sa_id.h>
 #include <sa/child_sa.h>
-#include <sa/tasks/task.h>
+#include <sa/task.h>
 #include <sa/task_manager.h>
 #include <sa/keymat.h>
 #include <config/peer_cfg.h>
diff --git a/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c b/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c
new file mode 100644 (file)
index 0000000..f1bc1ec
--- /dev/null
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "hybrid_authenticator.h"
+
+#include <daemon.h>
+
+typedef struct private_hybrid_authenticator_t private_hybrid_authenticator_t;
+
+/**
+ * Private data of an hybrid_authenticator_t object.
+ */
+struct private_hybrid_authenticator_t {
+
+       /**
+        * Public authenticator_t interface.
+        */
+       hybrid_authenticator_t public;
+
+       /**
+        * Public key authenticator
+        */
+       authenticator_t *sig;
+
+       /**
+        * HASH payload authenticator without credentials
+        */
+       authenticator_t *hash;
+};
+
+METHOD(authenticator_t, build_i, status_t,
+       private_hybrid_authenticator_t *this, message_t *message)
+{
+       return this->hash->build(this->hash, message);
+}
+
+METHOD(authenticator_t, process_r, status_t,
+       private_hybrid_authenticator_t *this, message_t *message)
+{
+       return this->hash->process(this->hash, message);
+}
+
+METHOD(authenticator_t, build_r, status_t,
+       private_hybrid_authenticator_t *this, message_t *message)
+{
+       return this->sig->build(this->sig, message);
+}
+
+METHOD(authenticator_t, process_i, status_t,
+       private_hybrid_authenticator_t *this, message_t *message)
+{
+       return this->sig->process(this->sig, message);
+}
+
+METHOD(authenticator_t, destroy, void,
+       private_hybrid_authenticator_t *this)
+{
+       DESTROY_IF(this->hash);
+       DESTROY_IF(this->sig);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
+                                                                               bool initiator, diffie_hellman_t *dh,
+                                                                               chunk_t dh_value, chunk_t sa_payload,
+                                                                               chunk_t id_payload)
+{
+       private_hybrid_authenticator_t *this;
+
+       INIT(this,
+               .public = {
+                       .authenticator = {
+                               .is_mutual = (void*)return_false,
+                               .destroy = _destroy,
+                       },
+               },
+               .sig = authenticator_create_v1(ike_sa, initiator, AUTH_RSA, dh,
+                                                       dh_value, sa_payload, id_payload),
+               .hash = authenticator_create_v1(ike_sa, initiator, AUTH_PSK,
+                                                       dh, dh_value, sa_payload, chunk_clone(id_payload)),
+       );
+       if (!this->sig || !this->hash)
+       {
+               destroy(this);
+               return NULL;
+       }
+       if (initiator)
+       {
+               this->public.authenticator.build = _build_i;
+               this->public.authenticator.process = _process_i;
+       }
+       else
+       {
+               this->public.authenticator.build = _build_r;
+               this->public.authenticator.process = _process_r;
+       }
+       return &this->public;
+}
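Review bot: The failure path at `if (!this->sig || !this->hash)` leaves the ownership of id_payload unresolved: the header documents the chunk as owned by the authenticator, `.sig` receives the original and `.hash` a chunk_clone() of it, but nothing in this function frees the original if authenticator_create_v1() returns NULL for AUTH_RSA, so it either leaks (if create_v1 leaves the chunk alone on failure) or is released twice (if create_v1 consumes it regardless). The two initializer expressions inside INIT() are also indeterminately sequenced in C, so the clone for `.hash` may be evaluated after the AUTH_RSA call has already taken (and possibly freed) the original. A safer shape is to take the clone into a local before INIT(), create the two sub-authenticators in an explicit order, and on failure free whichever chunk was not consumed, with a comment stating that contract. authenticator_create_v1() is not in this hunk, so which of the two cases applies needs to be checked there.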
diff --git a/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.h b/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.h
new file mode 100644 (file)
index 0000000..6a0bb1e
--- /dev/null
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hybrid_authenticator hybrid_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef HYBRID_AUTHENTICATOR_H_
+#define HYBRID_AUTHENTICATOR_H_
+
+typedef struct hybrid_authenticator_t hybrid_authenticator_t;
+
+#include <sa/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using IKEv1 hybrid authentication.
+ */
+struct hybrid_authenticator_t {
+
+       /**
+        * Implemented authenticator_t interface.
+        */
+       authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build hybrid signatures.
+ *
+ * @param ike_sa                       associated IKE_SA
+ * @param initiator                    TRUE if we are the IKE_SA initiator
+ * @param dh                           diffie hellman key exchange
+ * @param dh_value                     others public diffie hellman value
+ * @param sa_payload           generated SA payload data, without payload header
+ * @param id_payload           encoded ID payload of peer to authenticate or verify
+ *                                                     without payload header (gets owned)
+ * @return                                     hybrid authenticator
+ */
+hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
+                                                                               bool initiator, diffie_hellman_t *dh,
+                                                                               chunk_t dh_value, chunk_t sa_payload,
+                                                                               chunk_t id_payload);
+
+#endif /** HYBRID_AUTHENTICATOR_H_ @}*/
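Review bot: The struct comment says only "IKEv1 hybrid authentication" and does not state which side proves what, which is the security-relevant property of this authenticator. From the implementation in this commit, the initiator builds a credential-less HASH payload and verifies the responder's RSA signature, the responder does the reverse, and is_mutual() returns FALSE, so this exchange does not authenticate the initiator at all; callers must run a further authentication round (presumably XAuth) before treating the IKE_SA as mutually authenticated. Suggest expanding the comment on `struct hybrid_authenticator_t` to: `Hybrid mode: the responder authenticates with an RSA signature, the initiator only sends a HASH payload without credentials and is NOT authenticated here (is_mutual() is FALSE); a subsequent extended authentication exchange is required.`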
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
new file mode 100644 (file)
index 0000000..ce794a2
--- /dev/null
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "psk_v1_authenticator.h"
+
+#include <daemon.h>
+#include <sa/ikev1/keymat_v1.h>
+#include <encoding/payloads/hash_payload.h>
+
+typedef struct private_psk_v1_authenticator_t private_psk_v1_authenticator_t;
+
+/**
+ * Private data of an psk_v1_authenticator_t object.
+ */
+struct private_psk_v1_authenticator_t {
+
+       /**
+        * Public authenticator_t interface.
+        */
+       psk_v1_authenticator_t public;
+
+       /**
+        * Assigned IKE_SA
+        */
+       ike_sa_t *ike_sa;
+
+       /**
+        * TRUE if we are initiator
+        */
+       bool initiator;
+
+       /**
+        * DH key exchange
+        */
+       diffie_hellman_t *dh;
+
+       /**
+        * Others DH public value
+        */
+       chunk_t dh_value;
+
+       /**
+        * Encoded SA payload, without fixed header
+        */
+       chunk_t sa_payload;
+
+       /**
+        * Encoded ID payload, without fixed header
+        */
+       chunk_t id_payload;
+};
+
+METHOD(authenticator_t, build, status_t,
+       private_psk_v1_authenticator_t *this, message_t *message)
+{
+       hash_payload_t *hash_payload;
+       keymat_v1_t *keymat;
+       chunk_t hash, dh;
+
+       this->dh->get_my_public_value(this->dh, &dh);
+       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+       hash = keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
+                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+                                       this->id_payload);
+       free(dh.ptr);
+
+       hash_payload = hash_payload_create(HASH_V1);
+       hash_payload->set_hash(hash_payload, hash);
+       message->add_payload(message, &hash_payload->payload_interface);
+       free(hash.ptr);
+
+       return SUCCESS;
+}
+
+METHOD(authenticator_t, process, status_t,
+       private_psk_v1_authenticator_t *this, message_t *message)
+{
+       hash_payload_t *hash_payload;
+       keymat_v1_t *keymat;
+       chunk_t hash, dh;
+
+       hash_payload = (hash_payload_t*)message->get_payload(message, HASH_V1);
+       if (!hash_payload)
+       {
+               DBG1(DBG_IKE, "HASH payload missing in message");
+               return FAILED;
+       }
+
+       this->dh->get_my_public_value(this->dh, &dh);
+       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+       hash = keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
+                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+                                       this->id_payload);
+       free(dh.ptr);
+       if (chunk_equals(hash, hash_payload->get_hash(hash_payload)))
+       {
+               free(hash.ptr);
+               return SUCCESS;
+       }
+       free(hash.ptr);
+       DBG1(DBG_IKE, "calculated HASH does not match HASH payload");
+       return FAILED;
+}
+
+METHOD(authenticator_t, destroy, void,
+       private_psk_v1_authenticator_t *this)
+{
+       chunk_free(&this->id_payload);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
+                                                                               bool initiator, diffie_hellman_t *dh,
+                                                                               chunk_t dh_value, chunk_t sa_payload,
+                                                                               chunk_t id_payload)
+{
+       private_psk_v1_authenticator_t *this;
+
+       INIT(this,
+               .public = {
+                       .authenticator = {
+                               .build = _build,
+                               .process = _process,
+                               .is_mutual = (void*)return_false,
+                               .destroy = _destroy,
+                       },
+               },
+               .ike_sa = ike_sa,
+               .initiator = initiator,
+               .dh = dh,
+               .dh_value = dh_value,
+               .sa_payload = sa_payload,
+               .id_payload = id_payload,
+       );
+
+       return &this->public;
+}
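Review bot: The HASH verification in process() at `if (chunk_equals(hash, hash_payload->get_hash(hash_payload)))` compares an authentication tag using what, as far as this tree shows, is an ordinary memcmp-style equality, so the time taken depends on how many leading bytes match. This is the peer-authentication check on a value derived from the PSK and should use a constant-time comparison; if no constant-time chunk helper exists in this tree yet, a fixed-time loop over equal-length inputs (`diff |= a.ptr[i] ^ b.ptr[i]` and test `diff == 0` at the end) does the job. Practical leakage is limited because the expected hash changes with every IKE_SA, but a constant-time compare for a MAC-like check is cheap and removes the question. A one-line comment that `!this->initiator` is passed here because the hash being verified is the peer's, not ours, would also help the next reader.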
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h
new file mode 100644 (file)
index 0000000..194b964
--- /dev/null
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup psk_v1_authenticator psk_v1_authenticator
+ * @{ @ingroup authenticators
+ */
+
+#ifndef PSK_V1_AUTHENTICATOR_H_
+#define PSK_V1_AUTHENTICATOR_H_
+
+typedef struct psk_v1_authenticator_t psk_v1_authenticator_t;
+
+#include <sa/authenticator.h>
+
+/**
+ * Implementation of authenticator_t using pre-shared keys for IKEv1.
+ */
+struct psk_v1_authenticator_t {
+
+       /**
+        * Implemented authenticator_t interface.
+        */
+       authenticator_t authenticator;
+};
+
+/**
+ * Create an authenticator to build PSK signatures.
+ *
+ * @param ike_sa                       associated IKE_SA
+ * @param initiator                    TRUE if we are the IKE_SA initiator
+ * @param dh                           diffie hellman key exchange
+ * @param dh_value                     others public diffie hellman value
+ * @param sa_payload           generated SA payload data, without payload header
+ * @param id_payload           encoded ID payload of peer to authenticate or verify
+ *                                                     without payload header (gets owned)
+ * @return                                     PSK authenticator
+ */
+psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
+                                                                               bool initiator, diffie_hellman_t *dh,
+                                                                               chunk_t dh_value, chunk_t sa_payload,
+                                                                               chunk_t id_payload);
+
+#endif /** PSK_V1_AUTHENTICATOR_H_ @}*/
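Review bot: The create() documentation marks only id_payload as owned but does not say that dh, dh_value and sa_payload are borrowed and must remain valid for the authenticator's lifetime; the implementation in this commit stores raw references to all three and its destroy() frees only id_payload. Suggest stating this on the @param lines, e.g. `@param dh  diffie hellman key exchange (not owned, must outlive the authenticator)` and likewise for dh_value and sa_payload. It would also help callers to note that is_mutual() returns FALSE, so a single build()/process() round authenticates one side only.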
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
new file mode 100644 (file)
index 0000000..56fcf2c
--- /dev/null
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) 2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pubkey_v1_authenticator.h"
+
+#include <daemon.h>
+#include <sa/ikev1/keymat_v1.h>
+#include <encoding/payloads/hash_payload.h>
+
+typedef struct private_pubkey_v1_authenticator_t private_pubkey_v1_authenticator_t;
+
+/**
+ * Private data of an pubkey_v1_authenticator_t object.
+ */
+struct private_pubkey_v1_authenticator_t {
+
+       /**
+        * Public authenticator_t interface.
+        */
+       pubkey_v1_authenticator_t public;
+
+       /**
+        * Assigned IKE_SA
+        */
+       ike_sa_t *ike_sa;
+
+       /**
+        * TRUE if we are initiator
+        */
+       bool initiator;
+
+       /**
+        * DH key exchange
+        */
+       diffie_hellman_t *dh;
+
+       /**
+        * Others DH public value
+        */
+       chunk_t dh_value;
+
+       /**
+        * Encoded SA payload, without fixed header
+        */
+       chunk_t sa_payload;
+
+       /**
+        * Encoded ID payload, without fixed header
+        */
+       chunk_t id_payload;
+};
+
+METHOD(authenticator_t, build, status_t,
+       private_pubkey_v1_authenticator_t *this, message_t *message)
+{
+       hash_payload_t *sig_payload;
+       chunk_t hash, sig, dh;
+       keymat_v1_t *keymat;
+       status_t status;
+       private_key_t *private;
+       identification_t *id;
+       auth_cfg_t *auth;
+       key_type_t type;
+       signature_scheme_t scheme;
+
+       /* TODO-IKEv1: other key types */
+       type = KEY_RSA;
+       scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+
+       id = this->ike_sa->get_my_id(this->ike_sa);
+       auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+       private = lib->credmgr->get_private(lib->credmgr, type, id, auth);
+       if (!private)
+       {
+               DBG1(DBG_IKE, "no private key found for '%Y'", id);
+               return NOT_FOUND;
+       }
+
+       this->dh->get_my_public_value(this->dh, &dh);
+       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
+       hash = keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
+                                       this->ike_sa->get_id(this->ike_sa), this->sa_payload,
+                                       this->id_payload);
+       free(dh.ptr);
+
+       if (private->sign(private, scheme, hash, &sig))
+       {
+               sig_payload = hash_payload_create(SIGNATURE_V1);
+               sig_payload->set_hash(sig_payload, sig);
+               free(sig.ptr);
+               message->add_payload(message, &sig_payload->payload_interface);
+               status = SUCCESS;
+               DBG1(DBG_IKE, "authentication of '%Y' (myself) successful", id);
+       }
+       else
+       {
+               DBG1(DBG_IKE, "authentication of '%Y' (myself) failed", id);
+               status = FAILED;
+       }
+       private->destroy(private);
+       free(hash.ptr);
+
+       return status;
+}
+
+METHOD(authenticator_t, process, status_t,
+       private_pubkey_v1_authenticator_t *this, message_t *message)
+{
+       chunk_t hash, sig, dh;
+       keymat_v1_t *keymat;
+       public_key_t *public;
+       hash_payload_t *sig_payload;
+       auth_cfg_t *auth, *current_auth;
+       enumerator_t *enumerator;
+       status_t status = NOT_FOUND;
+       key_type_t type;
+       signature_scheme_t scheme;
+       identification_t *id;
+
+       /* TODO-IKEv1: currently RSA only */
+       type = KEY_RSA;
+       scheme = SIGN_RSA_EMSA_PKCS1_NULL;
+
+       sig_payload = (hash_payload_t*)message->get_payload(message, SIGNATURE_V1);
+       if (!sig_payload)
+       {
+               DBG1(DBG_IKE, "SIG payload missing in message");
+               return FAILED;
+       }
+
+       id = this->ike_sa->get_other_id(this->ike_sa);
+       this->dh->get_my_public_value(this->dh, &dh);
+       keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this-&g