*/
linked_list_t *remote_auth;
-#ifdef ME
+#ifdef ME
/**
* Is this a mediation connection?
*/
(this->virtual_ip == other->virtual_ip ||
(this->virtual_ip && other->virtual_ip &&
this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
- (this->pool == other->pool ||
+ (this->pool == other->pool ||
(this->pool && other->pool && streq(this->pool, other->pool))) &&
auth_cfg_equal(this, other)
#ifdef ME
private_peer_cfg_t *this = malloc_thing(private_peer_cfg_t);
/* public functions */
- this->public.get_name = (char* (*) (peer_cfg_t *))get_name;
- this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version;
+ this->public.get_name = (char* (*) (peer_cfg_t *))get_name;
+ this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version;
this->public.get_ike_cfg = (ike_cfg_t* (*) (peer_cfg_t *))get_ike_cfg;
this->public.add_child_cfg = (void (*) (peer_cfg_t *, child_cfg_t*))add_child_cfg;
this->public.remove_child_cfg = (void(*)(peer_cfg_t*, enumerator_t*))remove_child_cfg;
* requests when using this definition for the other peer. If
* it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
* included.
- *
+ *
* @warning These definitions must be the same as in pluto/starter,
* as they are sent over the stroke socket.
*/
* Each peer_cfg has two lists of authentication config attached. Local
* authentication configs define how to authenticate ourself against the remote
* peer. Each config is enforced using the multiple authentication extension
- * (RFC4739).
+ * (RFC4739).
* The remote authentication configs are handled as constraints. The peer has
* to fullfill each of these rules (using multiple authentication, in any order)
* to gain access to the configuration.
/**
* Get the name of the peer_cfg.
- *
+ *
* Returned object is not getting cloned.
- *
+ *
* @return peer_cfg's name
*/
char* (*get_name) (peer_cfg_t *this);
/**
* Get the IKE config to use for initiaton.
- *
+ *
* @return the IKE config to use
*/
ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
/**
* Attach a CHILD config.
- *
+ *
* @param child_cfg CHILD config to add
*/
void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
/**
* Create an enumerator for all attached CHILD configs.
- *
+ *
* @return an enumerator over all CHILD configs.
*/
enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
/**
* Select a CHILD config from traffic selectors.
- *
+ *
* @param my_ts TS for local side
* @param other_ts TS for remote side
* @param my_host host to narrow down dynamic TS for local side
/**
* Use MOBIKE (RFC4555) if peer supports it?
- *
+ *
* @return TRUE to enable MOBIKE support
*/
bool (*use_mobike) (peer_cfg_t *this);
/**
* Get the DPD check interval.
- *
+ *
* @return dpd_delay in seconds
*/
u_int32_t (*get_dpd) (peer_cfg_t *this);
#ifdef ME
/**
* Is this a mediation connection?
- *
+ *
* @return TRUE, if this is a mediation connection
*/
bool (*is_mediation) (peer_cfg_t *this);
/**
* Get peer_cfg of the connection this one is mediated through.
- *
+ *
* @return the peer_cfg of the mediation connection
*/
peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
/**
* Get the id of the other peer at the mediation server.
- *
+ *
* This is the leftid of the peer's connection with the mediation server.
- *
+ *
* If it is not configured, it is assumed to be the same as the right id
- * of this connection.
- *
+ * of this connection.
+ *
* @return the id of the other peer
*/
identification_t* (*get_peer_id) (peer_cfg_t *this);
/**
* Create a configuration object for IKE_AUTH and later.
- *
+ *
* name-string gets cloned, ID's not.
* Virtual IPs are used if they are != NULL. A %any host means the virtual
* IP should be obtained from the other peer.
* Lifetimes are in seconds. To prevent to peers to start rekeying at the
* same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeylifetime - random(0, jitter)).
- *
+ * (rekeylifetime - random(0, jitter)).
+ *
* @param name name of the peer_cfg
* @param ike_version which IKE version we sould use for this peer
* @param ike_cfg IKE config to use when acting as initiator
typedef struct interface_job_t interface_job_t;
-/**
+/**
* job for asynchronous listen operations
*/
struct interface_job_t {
- /**
- * job interface
+ /**
+ * job interface
*/
job_t public;
- /**
- * associated listener
+ /**
+ * associated listener
*/
interface_listener_t listener;
};
/**
* Implementation of controller_t.terminate_ike.
*/
-static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
+static status_t terminate_ike(controller_t *this, u_int32_t unique_id,
controller_cb_t callback, void *param)
{
ike_sa_t *ike_sa;
/**
* Implementation of controller_t.terminate_child.
*/
-static status_t terminate_child(controller_t *this, u_int32_t reqid,
+static status_t terminate_child(controller_t *this, u_int32_t reqid,
controller_cb_t callback, void *param)
{
ike_sa_t *ike_sa;
};
ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- reqid, TRUE);
+ reqid, TRUE);
if (ike_sa == NULL)
{
DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
-/*
+/*
* Copyright (C) 2006-2009 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
/* handle SIGINT, SIGHUP ans SIGTERM in this handler */
sigemptyset(&set);
- sigaddset(&set, SIGINT);
- sigaddset(&set, SIGHUP);
+ sigaddset(&set, SIGINT);
+ sigaddset(&set, SIGHUP);
sigaddset(&set, SIGTERM);
while (TRUE)
if (setgid(charon->gid) != 0)
{
- kill_daemon(this, "change to unprivileged group failed");
+ kill_daemon(this, "change to unprivileged group failed");
}
if (setuid(charon->uid) != 0)
{
- kill_daemon(this, "change to unprivileged user failed");
+ kill_daemon(this, "change to unprivileged user failed");
}
#ifdef CAPABILITIES
}
/**
- * lookup UID and GID
+ * lookup UID and GID
*/
static void lookup_uid_gid(private_daemon_t *this)
{
this->public.traps = trap_manager_create();
/* load plugins, further infrastructure may need it */
- if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
+ if (!lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
lib->settings->get_str(lib->settings, "charon.load", PLUGINS)))
{
return FALSE;
* Create the daemon.
*/
private_daemon_t *daemon_create(void)
-{
+{
struct sigaction action;
private_daemon_t *this = malloc_thing(private_daemon_t);
}
/**
- * Check/create PID file, return TRUE if already running
+ * Check/create PID file, return TRUE if already running
*/
static bool check_pidfile()
{
*
* @defgroup bus bus
* @ingroup charon
- *
+ *
* @defgroup listeners listeners
* @ingroup bus
*
* from the processor. Work is delegated to the processor by queueing jobs
* to it.
@verbatim
-
+
+---------------------------------+ +----------------------------+
| controller | | config |
- +---------------------------------+ +----------------------------+
- | | | ^ ^ ^
- V V V | | |
-
+ +---------------------------------+ +----------------------------+
+ | | | ^ ^ ^
+ V V V | | |
+
+----------+ +-----------+ +------+ +----------+ +----+
| receiver | | | | | +------+ | CHILD_SA | | K |
+---+------+ | Scheduler | | IKE- | | IKE- |--+----------+ | e |
+------+---+ +-----------+ | ager | +------+ +----------+ | l |
| | | | | | IKE- |--| CHILD_SA | | - |
+---+------+ | Processor |---| |--| SA | +----------+ | I |
- | sender | | | | | +------+ | f |
+ | sender | | | | | +------+ | f |
+----------+ +-----------+ +------+ +----+
-
- | | | | | |
- V V V V V V
- +---------------------------------+ +----------------------------+
- | Bus | | credentials |
- +---------------------------------+ +----------------------------+
+
+ | | | | | |
+ V V V V V V
+ +---------------------------------+ +----------------------------+
+ | Bus | | credentials |
+ +---------------------------------+ +----------------------------+
@endverbatim
- * The scheduler is responsible to execute timed events. Jobs may be queued to
- * the scheduler to get executed at a defined time (e.g. rekeying). The
+ * The scheduler is responsible to execute timed events. Jobs may be queued to
+ * the scheduler to get executed at a defined time (e.g. rekeying). The
* scheduler does not execute the jobs itself, it queues them to the processor.
- *
- * The IKE_SA manager managers all IKE_SA. It further handles the
+ *
+ * The IKE_SA manager managers all IKE_SA. It further handles the
* synchronization:
- * Each IKE_SA must be checked out strictly and checked in again after use. The
- * manager guarantees that only one thread may check out a single IKE_SA. This
+ * Each IKE_SA must be checked out strictly and checked in again after use. The
+ * manager guarantees that only one thread may check out a single IKE_SA. This
* allows us to write the (complex) IKE_SAs routines non-threadsave.
- * The IKE_SA contain the state and the logic of each IKE_SA and handle the
+ * The IKE_SA contain the state and the logic of each IKE_SA and handle the
* messages.
- *
+ *
* The CHILD_SA contains state about a IPsec security association and manages
- * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
+ * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
* takes place here through the kernel interface.
- *
+ *
* The kernel interface installs IPsec security associations, policies, routes
- * and virtual addresses. It further provides methods to enumerate interfaces
+ * and virtual addresses. It further provides methods to enumerate interfaces
* and may notify the daemon about state changes at lower layers.
- *
- * The bus receives signals from the different threads and relais them to interested
- * listeners. Debugging signals, but also important state changes or error
- * messages are sent over the bus.
- * It's listeners are not only for logging, but also to track the state of an
+ *
+ * The bus receives signals from the different threads and relays them to
+ * interested listeners. Debugging signals, but also important state changes or
+ * error messages are sent over the bus.
+ * Its listeners are not only for logging, but also to track the state of an
* IKE_SA.
*
- * The controller, credential_manager, bus and backend_manager (config) are
+ * The controller, credential_manager, bus and backend_manager (config) are
* places where a plugin ca register itself to privide information or observe
* and control the daemon.
*/
*/
gid_t gid;
- /**
+ /**
* The thread_id of main-thread.
*/
pthread_t main_thread_id;
/**
* Shut down the daemon.
- *
+ *
* @param reason describtion why it will be killed
*/
void (*kill) (daemon_t *this, char *reason);
/**
* A payload rule defines the rules for a payload
- * in a specific message rule. It defines if and how
+ * in a specific message rule. It defines if and how
* many times a payload must/can occur in a message
* and if it must be encrypted.
*/
/**
* If this payload occurs, the message rule is
- * fullfilled in any case. This applies e.g. to
+ * fullfilled in any case. This applies e.g. to
* notify_payloads.
*/
bool sufficient;
struct payload_order_t {
/**
- * payload type
+ * payload type
*/
payload_type_t type;
- /**
+ /**
* notify type, if payload == NOTIFY
*/
notify_type_t notify;
(sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
me_connect_r_payload_order,
},
-#endif /* ME */
+#endif /* ME */
};
/**
* Implementation of message_t.add_notify.
*/
-static void add_notify(private_message_t *this, bool flush, notify_type_t type,
+static void add_notify(private_message_t *this, bool flush, notify_type_t type,
chunk_t data)
{
notify_payload_t *notify;
if (flush)
{
- while (this->payloads->remove_last(this->payloads,
+ while (this->payloads->remove_last(this->payloads,
(void**)&payload) == SUCCESS)
{
payload->destroy(payload);
len--;
written = snprintf(pos, len, "%N %s %d [",
- exchange_type_names, this->exchange_type,
+ exchange_type_names, this->exchange_type,
this->is_request ? "request" : "response",
this->message_id);
if (written >= len || written < 0)
list->remove_at(list, enumerator);
add_payload(this, payload);
}
- }
+ }
}
enumerator->destroy(enumerator);
}
status = get_payload_rule(this,
current_payload->get_type(current_payload),&payload_rule);
- /* for payload types which are not found in supported payload list,
+ /* for payload types which are not found in supported payload list,
* it is presumed that they don't have to be encrypted */
if ((status == SUCCESS) && (payload_rule->encrypted))
{
}
if (this->packet->get_source(this->packet) == NULL ||
- this->packet->get_destination(this->packet) == NULL)
+ this->packet->get_destination(this->packet) == NULL)
{
DBG1(DBG_ENC, "%s not defined",
!this->packet->get_source(this->packet) ? "source" : "destination");
}
/* encryption payload is processed, payloads are moved. Destroy it. */
- encryption_payload->destroy(encryption_payload);
+ encryption_payload->destroy(encryption_payload);
}
/* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
DBG1(DBG_ENC, "%N is not supported, but its critical!",
payload_type_names, current_payload_type);
enumerator->destroy(enumerator);
- return NOT_SUPPORTED;
+ return NOT_SUPPORTED;
}
}
else if (current_payload_type == rule->payload_type)
DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
rule->payload_type);
- /* as soon as ohe payload occures more then specified,
+ /* as soon as ohe payload occures more then specified,
* the verification fails */
if (found_payloads >
rule->max_occurence)
this->payloads->get_count(this->payloads) == total_found_payloads)
{
enumerator->destroy(enumerator);
- return SUCCESS;
+ return SUCCESS;
}
enumerator->destroy(enumerator);
}
payload_type_t current_payload_type;
char str[256];
- current_payload_type = this->first_payload;
+ current_payload_type = this->first_payload;
DBG2(DBG_ENC, "parsing body of message, first payload is %N",
payload_type_names, current_payload_type);
{
payload_t *current_payload;
- DBG2(DBG_ENC, "starting parsing a %N payload",
+ DBG2(DBG_ENC, "starting parsing a %N payload",
payload_type_names, current_payload_type);
/* parse current payload */
/* private values */
if (packet == NULL)
{
- packet = packet_create();
+ packet = packet_create();
}
this->message_rule = NULL;
this->packet = packet;
/**
* Private data of an ike_header_t object.
- *
*/
struct private_ike_header_t {
/**
/**
* IKE minor version.
- */
+ */
u_int8_t min_version;
/**
* Exchange type .
- */
+ */
u_int8_t exchange_type;
/**
* Flags of the Message.
- *
*/
- struct {
+ struct {
/**
* Sender is initiator of the associated IKE_SA_INIT-Exchange.
*/
/**
* Length of the whole IKEv2-Message (header and all payloads).
*/
- u_int32_t length;
+ u_int32_t length;
};
ENUM_BEGIN(exchange_type_names, EXCHANGE_TYPE_UNDEFINED, EXCHANGE_TYPE_UNDEFINED,
/**
* Encoding rules to parse or generate a IKEv2-Header.
*
- * The defined offsets are the positions in a object of type
+ * The defined offsets are the positions in a object of type
* ike_header_t.
- *
*/
encoding_rule_t ike_header_encodings[] = {
/* 8 Byte SPI, stored in the field initiator_spi */
/* 8 Bit for the exchange type */
{ U_INT_8, offsetof(private_ike_header_t, exchange_type) },
/* 2 Bit reserved bits, nowhere stored */
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
/* 3 Bit flags, stored in the fields response, version and initiator */
- { FLAG, offsetof(private_ike_header_t, flags.response) },
+ { FLAG, offsetof(private_ike_header_t, flags.response) },
{ FLAG, offsetof(private_ike_header_t, flags.version) },
{ FLAG, offsetof(private_ike_header_t, flags.initiator) },
/* 3 Bit reserved bits, nowhere stored */
*/
static u_int64_t get_initiator_spi(private_ike_header_t *this)
{
- return this->initiator_spi;
+ return this->initiator_spi;
}
/**
*/
static u_int64_t get_responder_spi(private_ike_header_t *this)
{
- return this->responder_spi;
+ return this->responder_spi;
}
/**
*/
static u_int8_t get_maj_version(private_ike_header_t *this)
{
- return this->maj_version;
+ return this->maj_version;
}
/**
*/
static u_int8_t get_min_version(private_ike_header_t *this)
{
- return this->min_version;
+ return this->min_version;
}
/**
*/
static bool get_response_flag(private_ike_header_t *this)
{
- return this->flags.response;
+ return this->flags.response;
}
/**
*/
static void set_response_flag(private_ike_header_t *this, bool response)
{
- this->flags.response = response;
+ this->flags.response = response;
}
/**
*/
static bool get_version_flag(private_ike_header_t *this)
{
- return this->flags.version;
+ return this->flags.version;
}
/**
*/
static bool get_initiator_flag(private_ike_header_t *this)
{
- return this->flags.initiator;
+ return this->flags.initiator;
}
/**
*/
static void set_initiator_flag(private_ike_header_t *this, bool initiator)
{
- this->flags.initiator = initiator;
+ this->flags.initiator = initiator;
}
/**
*/
static u_int8_t get_exchange_type(private_ike_header_t *this)
{
- return this->exchange_type;
+ return this->exchange_type;
}
/**
*/
static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type)
{
- this->exchange_type = exchange_type;
+ this->exchange_type = exchange_type;
}
/**
*/
static u_int32_t get_message_id(private_ike_header_t *this)
{
- return this->message_id;
+ return this->message_id;
}
/**
extern enum_name_t *exchange_type_names;
/**
- * An object of this type represents an IKEv2 header and is used to
+ * An object of this type represents an IKEv2 header and is used to
* generate and parse IKEv2 headers.
- *
- * The header format of an IKEv2-Message is compatible to the
- * ISAKMP-Header format to allow implementations supporting
+ *
+ * The header format of an IKEv2-Message is compatible to the
+ * ISAKMP-Header format to allow implementations supporting
* both versions of the IKE-protocol.
*/
struct ike_header_t {
* Set the response flag-
*
* @param response response flag
- *
*/
void (*set_response_flag) (ike_header_t *this, bool response);
/**
/**
* Create an ike_header_t object
- *
+ *
* @return ike_header_t object
*/
ike_header_t *ike_header_create(void);
/**
* Payload-Types of a IKEv2-Message.
*
- * Header and substructures are also defined as
+ * Header and substructures are also defined as
* payload types with values from PRIVATE USE space.
*/
enum payload_type_t{
#ifdef ME
/**
* Identification payload for peers has a value from
- * the PRIVATE USE space.
+ * the PRIVATE USE space.
*/
ID_PEER = 128,
#endif /* ME */
/**
* Header has a value of PRIVATE USE space.
- *
- * This payload type is not sent over wire and just
+ *
+ * This payload type is not sent over wire and just
* used internally to handle IKEv2-Header like a payload.
*/
HEADER = 140,
/**
* PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space.
- *
- * This payload type is not sent over wire and just
+ *
+ * This payload type is not sent over wire and just
* used internally to handle a proposal substructure like a payload.
*/
PROPOSAL_SUBSTRUCTURE = 141,
/**
* TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space.
- *
- * This payload type is not sent over wire and just
+ *
+ * This payload type is not sent over wire and just
* used internally to handle a transform substructure like a payload.
*/
TRANSFORM_SUBSTRUCTURE = 142,
/**
* TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space.
- *
- * This payload type is not sent over wire and just
+ *
+ * This payload type is not sent over wire and just
* used internally to handle a transform attribute like a payload.
*/
TRANSFORM_ATTRIBUTE = 143,
/**
* TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space.
- *
- * This payload type is not sent over wire and just
+ *
+ * This payload type is not sent over wire and just
* used internally to handle a transform selector like a payload.
- */
+ */
TRAFFIC_SELECTOR_SUBSTRUCTURE = 144,
/**
* CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space.
- *
- * This payload type is not sent over wire and just
+ *
+ * This payload type is not sent over wire and just
* used internally to handle a transform attribute like a payload.
*/
CONFIGURATION_ATTRIBUTE = 145,
/**
* A unknown payload has a value of PRIVATE USE space.
- *
- * This payload type is not sent over wire and just
+ *
+ * This payload type is not sent over wire and just
* used internally to handle a unknown payload.
*/
UNKNOWN_PAYLOAD = 146,
/**
* Generic interface for all payload types (incl.header and substructures).
- *
+ *
* To handle all kinds of payloads on a generic way, this interface must
* be implemented by every payload. This allows parser_t/generator_t a simple
* handling of all payloads.
/**
* Create an empty payload.
- *
+ *
* Useful for the parser, who wants a generic constructor for all payloads.
- * It supports all payload_t methods. If a payload type is not known,
+ * It supports all payload_t methods. If a payload type is not known,
* an unknwon_paylod is created with the chunk of data in it.
- *
+ *
* @param type type of the payload to create
* @return payload_t object
*/
msg->add_conn.me.address,
msg->add_conn.other.address);
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
- return ike_cfg;
+ return ike_cfg;
}
/**
{
this->ca->check_for_hash_and_url(this->ca, certificate);
}
- cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+ cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
if (identity->get_type(identity) == ID_ANY ||
!certificate->has_subject(certificate, identity))
{
#ifdef ME
if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
{
- DBG1(DBG_CFG, "a mediation connection cannot be a"
- " mediated connection at the same time, aborting");
+ DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
+ "at the same time, aborting");
return NULL;
}
if (msg->add_conn.ikeme.mediated_by)
{
mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
- msg->add_conn.ikeme.mediated_by);
+ msg->add_conn.ikeme.mediated_by);
if (!mediated_by)
{
DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
msg->add_conn.ikeme.mediated_by);
return NULL;
}
-
if (!mediated_by->is_mediation(mediated_by))
{
- DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is"
- "no mediation connection, aborting",
- msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
+ DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
+ "no mediation connection, aborting",
+ msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
mediated_by->destroy(mediated_by);
return NULL;
}
else
{
rekey = msg->add_conn.rekey.ike_lifetime - over;
- }
+ }
if (msg->add_conn.me.sourceip_size)
{
if (msg->add_conn.me.sourceip)
* uses to serve pool addresses. */
peer_cfg = peer_cfg_create(msg->add_conn.name,
msg->add_conn.ikev2 ? 2 : 1, ike_cfg,
- msg->add_conn.me.sendcert, unique,
+ msg->add_conn.me.sendcert, unique,
msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
msg->add_conn.mobike, msg->add_conn.dpd.delay,
vip, msg->add_conn.other.sourceip_size ?
ike_sa_t *ike_sa;
#ifdef ME
- /* if this is an unencrypted INFORMATIONAL exchange it is likely a
+ /* if this is an unencrypted INFORMATIONAL exchange it is likely a
* connectivity check. */
if (this->message->get_exchange_type(this->message) == INFORMATIONAL &&
this->message->get_first_payload_type(this->message) != ENCRYPTED)
*/
chunk_t connect_id;
#endif /* ME */
-
+
/**
* Identification used for us
*/
/* schedule rekeying if we have a time which is smaller than
* an already scheduled rekeying */
t = this->peer_cfg->get_rekey_time(this->peer_cfg);
- if (t && (this->stats[STAT_REKEY] == 0 ||
+ if (t && (this->stats[STAT_REKEY] == 0 ||
(this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
{
this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
}
t = this->peer_cfg->get_reauth_time(this->peer_cfg);
- if (t && (this->stats[STAT_REAUTH] == 0 ||
+ if (t && (this->stats[STAT_REAUTH] == 0 ||
(this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
{
this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
{
/* delete may fail if a packet gets lost, so set a timeout */
job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
- charon->scheduler->schedule_job(charon->scheduler, job,
+ charon->scheduler->schedule_job(charon->scheduler, job,
HALF_OPEN_IKE_SA_TIMEOUT);
break;
}
* Implementation of ike_sa_t.respond
*/
static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
- chunk_t connect_id)
+ chunk_t connect_id)
{
ike_me_t *task = ike_me_create(&this->public, TRUE);
task->respond(task, peer_id, connect_id);
* Implementation of ike_sa_t.relay
*/
static status_t relay(private_ike_sa_t *this, identification_t *requester,
- chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
+ chunk_t connect_id, chunk_t connect_key,
+ linked_list_t *endpoints, bool response)
{
ike_me_t *task = ike_me_create(&this->public, TRUE);
task->relay(task, requester, connect_id, connect_key, endpoints, response);
/**
* Implementation of ike_sa_t.initiate_mediation
*/
-static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
+static status_t initiate_mediation(private_ike_sa_t *this,
+ peer_cfg_t *mediated_cfg)
{
ike_me_t *task = ike_me_create(&this->public, TRUE);
task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
/**
* Implementation of ike_sa_t.initiate_mediated
*/
-static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
- chunk_t connect_id)
+static status_t initiate_mediated(private_ike_sa_t *this, host_t *me,
+ host_t *other, chunk_t connect_id)
{
set_my_host(this, me->clone(me));
set_other_host(this, other->clone(other));
chunk_free(&this->connect_id);
this->connect_id = chunk_clone(connect_id);
-
return this->task_manager->initiate(this->task_manager);
}
#endif /* ME */
{
if (this->state == IKE_ESTABLISHED)
{
- /* mediation connection is already established, retrigger state change
- * to notify bus listeners */
+ /* mediation connection is already established, retrigger state
+ * change to notify bus listeners */
DBG1(DBG_IKE, "mediation connection is already up");
set_state(this, IKE_ESTABLISHED);
}
if (this->other_virtual_ip != NULL ||
has_condition(this, COND_EAP_AUTHENTICATED)
#ifdef ME
- /* if we are mediation server we too cannot reauth the IKE_SA */
+ /* as mediation server we too cannot reauth the IKE_SA */
|| this->is_mediation_server
#endif /* ME */
)
bool required = FALSE;
status_t status = FAILED;
- /* check if we have children to keep up at all*/
+ /* check if we have children to keep up at all */
iterator = create_child_sa_iterator(this);
while (iterator->iterate(iterator, (void**)&child_sa))
{
}
iterator->destroy(iterator);
#ifdef ME
- /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
+ /* mediation connections have no children, keep them up anyway */
if (this->peer_cfg->is_mediation(this->peer_cfg))
{
required = TRUE;
(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
}
else if (this->stats[STAT_REAUTH] == 0 ||
- this->stats[STAT_REAUTH] > reauth_time)
+ this->stats[STAT_REAUTH] > reauth_time)
{
this->stats[STAT_REAUTH] = reauth_time;
DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
}
/* ... and configuration attributes */
- while (other->attributes->remove_last(other->attributes,
+ while (other->attributes->remove_last(other->attributes,
(void**)&entry) == SUCCESS)
{
this->attributes->insert_first(this->attributes, entry);
this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
"lifetime reduced to %ds", reauth, delete);
- charon->scheduler->schedule_job(charon->scheduler,
+ charon->scheduler->schedule_job(charon->scheduler,
(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
- charon->scheduler->schedule_job(charon->scheduler,
+ charon->scheduler->schedule_job(charon->scheduler,
(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
}
/* we have to initate here, there may be new tasks to handle */
set_state(this, IKE_DESTROYING);
/* remove attributes first, as we pass the IKE_SA to the handler */
- while (this->attributes->remove_last(this->attributes,
+ while (this->attributes->remove_last(this->attributes,
(void**)&entry) == SUCCESS)
{
charon->attributes->release(charon->attributes, entry->handler,
#ifdef ME
if (this->is_mediation_server)
{
- charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
+ charon->mediation_manager->remove(charon->mediation_manager,
+ this->ike_sa_id);
}
DESTROY_IF(this->server_reflexive_host);
chunk_free(&this->connect_id);
¦ SA_CREATED ¦
+----------------+
¦
- on initiate()---> ¦ <----- on IKE_SA_INIT received
+ on initiate()---> ¦ <----- on IKE_SA_INIT received
V
+----------------+
¦ SA_CONNECTING ¦
/**
* Get the id of the SA.
- *
+ *
* Returned ike_sa_id_t object is not getting cloned!
*
* @return ike_sa's ike_sa_id_t
/**
* Get the own host address.
- *
+ *
* @return host address
*/
host_t* (*get_my_host) (ike_sa_t *this);
/**
* Set the own host address.
- *
+ *
* @param me host address
*/
void (*set_my_host) (ike_sa_t *this, host_t *me);
/**
* Get the other peers host address.
- *
+ *
* @return host address
*/
host_t* (*get_other_host) (ike_sa_t *this);
/**
* Set the others host address.
- *
+ *
* @param other host address
*/
void (*set_other_host) (ike_sa_t *this, host_t *other);
/**
* Get the own identification.
- *
+ *
* @return identification
*/
identification_t* (*get_my_id) (ike_sa_t *this);
/**
* Set the own identification.
- *
+ *
* @param me identification
*/
void (*set_my_id) (ike_sa_t *this, identification_t *me);
/**
* Get the other peer's identification.
- *
+ *
* @return identification
*/
identification_t* (*get_other_id) (ike_sa_t *this);
/**
* Set the other peer's identification.
- *
+ *
* @param other identification
*/
void (*set_other_id) (ike_sa_t *this, identification_t *other);
* Get the peers EAP identity.
*
* The EAP identity is exchanged in a EAP-Identity exchange.
- *
+ *
* @return identification, NULL if none set
*/
identification_t* (*get_eap_identity) (ike_sa_t *this);
/**
* Set the peer's EAP identity.
- *
+ *
* @param id identification
*/
void (*set_eap_identity) (ike_sa_t *this, identification_t *id);
/**
* Get the config used to setup this IKE_SA.
- *
+ *
* @return ike_config
*/
ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
/**
* Set the config to setup this IKE_SA.
- *
+ *
* @param config ike_config to use
*/
void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
/**
* Get the peer config used by this IKE_SA.
- *
+ *
* @return peer_config
*/
peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
/**
* Set the peer config to use with this IKE_SA.
- *
+ *
* @param config peer_config to use
*/
void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
/**
* Get the server reflexive host.
- *
+ *
* @return server reflexive host
*/
host_t* (*get_server_reflexive_host) (ike_sa_t *this);
/**
* Set the server reflexive host.
- *
+ *
* @param host server reflexive host
*/
void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
/**
* Get the connect ID.
- *
+ *
* @return connect ID
*/
chunk_t (*get_connect_id) (ike_sa_t *this);
/**
* Initiate the mediation of a mediated connection (i.e. initiate a
- * ME_CONNECT exchange).
- *
- * @param mediated_cfg peer_cfg of the mediated connection
- * @return
- * - SUCCESS if initialization started
- * - DESTROY_ME if initialization failed
+ * ME_CONNECT exchange to a mediation server).
+ *
+ * @param mediated_cfg peer_cfg of the mediated connection
+ * @return
+ * - SUCCESS if initialization started
+ * - DESTROY_ME if initialization failed
*/
status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
/**
* Initiate the mediated connection
- *
- * @param me local endpoint (gets cloned)
- * @param other remote endpoint (gets cloned)
- * @param connect_id connect ID (gets cloned)
- * @return
- * - SUCCESS if initialization started
- * - DESTROY_ME if initialization failed
+ *
+ * @param me local endpoint (gets cloned)
+ * @param other remote endpoint (gets cloned)
+ * @param connect_id connect ID (gets cloned)
+ * @return
+ * - SUCCESS if initialization started
+ * - DESTROY_ME if initialization failed
*/
status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
- chunk_t connect_id);
+ chunk_t connect_id);
/**
- * Relay data from one peer to another (i.e. initiate a
- * ME_CONNECT exchange).
+ * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
+ * to a peer).
*
* Data is cloned.
- *
- * @param requester ID of the requesting peer
- * @param connect_id data of the ME_CONNECTID payload
- * @param connect_key data of the ME_CONNECTKEY payload
- * @param endpoints endpoints
- * @param response TRUE if this is a response
- * @return
- * - SUCCESS if relay started
- * - DESTROY_ME if relay failed
+ *
+ * @param requester ID of the requesting peer
+ * @param connect_id data of the ME_CONNECTID payload
+ * @param connect_key data of the ME_CONNECTKEY payload
+ * @param endpoints endpoints
+ * @param response TRUE if this is a response
+ * @return
+ * - SUCCESS if relay started
+ * - DESTROY_ME if relay failed
*/
- status_t (*relay) (ike_sa_t *this, identification_t *requester, chunk_t connect_id,
- chunk_t connect_key, linked_list_t *endpoints, bool response);
+ status_t (*relay) (ike_sa_t *this, identification_t *requester,
+ chunk_t connect_id, chunk_t connect_key,
+ linked_list_t *endpoints, bool response);
/**
* Send a callback to a peer.
- *
+ *
* Data is cloned.
- *
- * @param peer_id ID of the other peer
+ *
+ * @param peer_id ID of the other peer
* @return
- * - SUCCESS if response started
- * - DESTROY_ME if response failed
+ * - SUCCESS if response started
+ * - DESTROY_ME if response failed
*/
status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
/**
* Respond to a ME_CONNECT request.
- *
+ *
* Data is cloned.
- *
- * @param peer_id ID of the other peer
- * @param connect_id the connect ID supplied by the initiator
+ *
+ * @param peer_id ID of the other peer
+ * @param connect_id the connect ID supplied by the initiator
* @return
- * - SUCCESS if response started
- * - DESTROY_ME if response failed
+ * - SUCCESS if response started
+ * - DESTROY_ME if response failed
*/
- status_t (*respond) (ike_sa_t *this, identification_t *peer_id, chunk_t connect_id);
+ status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
+ chunk_t connect_id);
#endif /* ME */
/**
* The configs are owned by the IKE_SA after the call. If the initiate
* is triggered by a packet, traffic selectors of the packet can be added
* to the CHILD_SA.
- *
+ *
* @param child_cfg child config to create CHILD from
* @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
* @param tsi source of triggering packet
* @param tsr destination of triggering packet.
- * @return
+ * @return
* - SUCCESS if initialization started
* - DESTROY_ME if initialization failed
*/
/**
* Initiates the deletion of an IKE_SA.
- *
+ *
* Sends a delete message to the remote peer and waits for
* its response. If the response comes in, or a timeout occurs,
* the IKE SA gets deleted.
- *
+ *
* @return
* - SUCCESS if deletion is initialized
- * - DESTROY_ME, if the IKE_SA is not in
+ * - DESTROY_ME, if the IKE_SA is not in
* an established state and can not be
* deleted (but destroyed).
*/
/**
* Processes a incoming IKEv2-Message.
*
- * Message processing may fail. If a critical failure occurs,
- * process_message() return DESTROY_ME. Then the caller must
+ * Message processing may fail. If a critical failure occurs,
+ * process_message() return DESTROY_ME. Then the caller must
* destroy the IKE_SA immediatly, as it is unusable.
- *
+ *
* @param message message to process
- * @return
+ * @return
* - SUCCESS
* - FAILED
* - DESTROY_ME if this IKE_SA MUST be deleted
/**
* Generate a IKE message to send it to the peer.
- *
+ *
* This method generates all payloads in the message and encrypts/signs
* the packet.
- *
+ *
* @param message message to generate
* @param packet generated output packet
- * @return
+ * @return
* - SUCCESS
* - FAILED
* - DESTROY_ME if this IKE_SA MUST be deleted
/**
* Retransmits a request.
- *
+ *
* @param message_id ID of the request to retransmit
* @return
* - SUCCESS
* To check if a peer is still alive, periodic
* empty INFORMATIONAL messages are sent if no
* other traffic was received.
- *
+ *
* @return
* - SUCCESS
* - DESTROY_ME, if peer did not respond
/**
* Associates a child SA to this IKE SA
- *
+ *
* @param child_sa child_sa to add
*/
void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
/**
* Get a CHILD_SA identified by protocol and SPI.
- *
+ *
* @param protocol protocol of the SA
* @param spi SPI of the CHILD_SA
* @param inbound TRUE if SPI is inbound, FALSE if outbound
* @return child_sa, or NULL if none found
*/
- child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
+ child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
u_int32_t spi, bool inbound);
/**
* Create an iterator over all CHILD_SAs.
- *
+ *
* @return iterator
*/
iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
linked_list_t *passive_tasks;
/**
- * the task manager has been reset
+ * the task manager has been reset
*/
bool reset;
};
*/
static void flush(private_task_manager_t *this)
{
- this->queued_tasks->destroy_offset(this->queued_tasks,
+ this->queued_tasks->destroy_offset(this->queued_tasks,
offsetof(task_t, destroy));
this->passive_tasks->destroy_offset(this->passive_tasks,
offsetof(task_t, destroy));
this->reset = FALSE;
iterator->destroy(iterator);
return build_request(this);
- }
+ }
}
iterator->destroy(iterator);
this->passive_tasks->insert_last(this->passive_tasks, task);
task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
this->passive_tasks->insert_last(this->passive_tasks, task);
-#ifdef ME
+#ifdef ME
task = (task_t*)ike_me_create(this->ike_sa, FALSE);
this->passive_tasks->insert_last(this->passive_tasks, task);
#endif /* ME */
{
proposal_list = this->config->get_proposals(this->config);
if (this->old_sa)
- {
+ {
/* include SPI of new IKE_SA when we are rekeying */
iterator = proposal_list->create_iterator(proposal_list, TRUE);
while (iterator->iterate(iterator, (void**)&proposal))
proposal_list = sa_payload->get_proposals(sa_payload);
this->proposal = this->config->select_proposal(this->config,
proposal_list);
- proposal_list->destroy_offset(proposal_list,
+ proposal_list->destroy_offset(proposal_list,
offsetof(proposal_t, destroy));
break;
}
vendor_id_payload_t *vendor_id = (vendor_id_payload_t*)payload;
chunk_t vid = vendor_id->get_data(vendor_id);
- DBG1(DBG_ENC, "received vendor id: %#B", &vid);
+ DBG1(DBG_ENC, "received vendor id: %#B", &vid);
}
default:
break;
* Implementation of task_t.process for responder
*/
static status_t process_r(private_ike_init_t *this, message_t *message)
-{
+{
rng_t *rng;
this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
DBG1(DBG_IKE, "received %N notify error",
notify_type_names, type);
enumerator->destroy(enumerator);
- return FAILED;
+ return FAILED;
}
DBG2(DBG_IKE, "received %N notify",
notify_type_names, type);
notify_type_t type, host_t *host)
{
chunk_t hash;
- notify_payload_t *notify;
+ notify_payload_t *notify;
ike_sa_id_t *ike_sa_id;
ike_cfg_t *config;
this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
!this->dst_matched);
this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
- !this->src_matched);
+ !this->src_matched);
config = this->ike_sa->get_ike_cfg(this->ike_sa);
if (this->dst_matched && this->src_matched &&
config->force_encap(config))
{
- this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
+ this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
}
}
}
if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
#ifdef ME
- /* if we are on a mediation connection we swith to port 4500 even
+ /* if we are on a mediation connection we switch to port 4500 even
* if no NAT is detected. */
peer_cfg->is_mediation(peer_cfg) ||
#endif /* ME */
* Implementation of task_t.process for responder
*/
static status_t process_r(private_ike_natd_t *this, message_t *message)
-{
+{
process_payloads(this, message);
return NEED_MORE;
iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
if (iterator->get_count(iterator) == 0
#ifdef ME
- /* we allow a peer to reauth a mediation connection (without CHILD_SA) */
+ /* we allow peers to reauth mediation connections (without children) */
&& !peer_cfg->is_mediation(peer_cfg)
#endif /* ME */
)
*
* A task is an elemantary operation. It may be handled by a single or by
* multiple exchanges. An exchange may even complete multiple tasks.
- * A task has a build() and an process() operation. The build() operation
+ * A task has a build() and an process() operation. The build() operation
* creates payloads and adds it to the message. The process() operation
* inspects a message and handles its payloads. An initiator of an exchange
* first calls build() to build the request, and processes the response message
/**
* Build a request or response message for this task.
- *
+ *
* @param message message to add payloads to
* @return
* - FAILED if a critical error occured
/**
* Process a request or response message for this task.
- *
+ *
* @param message message to read payloads from
* @return
* - FAILED if a critical error occured