ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

- fixed doxygen build 

- seperates now in lib and charon
This commit is contained in:
Martin Willi 2006-04-20 13:12:35 +00:00
parent 6b3292da85
commit fcfeb3220f
16 changed files with 235 additions and 273 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Source/Doxyfile
View File

@ -3,7 +3,7 @@
#---------------------------------------------------------------------------
# Project related configuration options
#---------------------------------------------------------------------------
PROJECT_NAME = "charon - IKEv2 for strongSwan"
PROJECT_NAME = "charon"
PROJECT_NUMBER = 1.0
OUTPUT_DIRECTORY = doc/api
CREATE_SUBDIRS = NO
@ -71,7 +71,7 @@ WARN_LOGFILE =
# configuration options related to the input files
#---------------------------------------------------------------------------
INPUT = ./
FILE_PATTERNS = *.h
FILE_PATTERNS = *.h *.txt
RECURSIVE = YES
EXCLUDE =
EXCLUDE_SYMLINKS = NO
@ -88,7 +88,7 @@ FILTER_SOURCE_FILES = NO
#---------------------------------------------------------------------------
SOURCE_BROWSER = NO
INLINE_SOURCES = NO
STRIP_CODE_COMMENTS = YES
STRIP_CODE_COMMENTS = NO
REFERENCED_BY_RELATION = NO
REFERENCES_RELATION = NO
VERBATIM_HEADERS = YES

2
Source/Makefile
View File

@ -28,7 +28,7 @@ BINNAMELIB= $(BUILD_DIR)libstrongswan.so
MAIN_DIR= ./
CFLAGS= -Icharon -Ilib -Istroke -fPIC -Wall -g -DLEAK_DETECTIVE
# CFLAGS= -Icharon -Ilib -Istroke -fPIC -O3
#CFLAGS= -Icharon -Ilib -Istroke -fPIC -O3
# objects is extended by each included Makefile
CHARON_OBJS=

2
Source/charon/config/connection.h
View File

@ -156,7 +156,7 @@ struct connection_t {
linked_list_t *(*get_proposals) (connection_t *this);
/**
* @brief Adds a proposal to the list..
* @brief Adds a proposal to the list.
*
* The first added proposal has the highest priority, the last
* added the lowest.

2
Source/charon/config/policy.h
View File

@ -79,7 +79,7 @@ struct policy_t {
void (*update_my_id) (policy_t *this, identification_t *my_id);
/**
* @brief Update others ID.
* @brief Update others id.
*
* It may be necessary to uptdate others ID, as it
* is set to %any or to e.g. *@strongswan.org in

90
Source/charon/daemon.h
View File

@ -41,9 +41,11 @@
#include <config/credential_store.h>
/**
* @mainpage
* @defgroup charon charon
*
* @section Threading Architecture
* @brief IKEv2 keying daemon.
*
* @section Architecture
*
* All IKEv2 stuff is handled in charon. It uses a newer and more flexible
* architecture than pluto. Charon uses a thread-pool, which allows parallel
@ -95,8 +97,84 @@
* netlink socket. It waits for kernel events and processes them appropriately.
*/
/**
* @defgroup config config
*
* Classes implementing configuration related things.
*
* @ingroup charon
*/
/**
* @defgroup encoding encoding
*
* Classes used to encode and decode IKEv2 messages.
*
* @ingroup charon
*/
/**
* @defgroup payloads payloads
*
* Classes representing specific IKEv2 payloads.
*
* @ingroup encoding
*/
/**
* @defgroup network network
*
* Classes for network relevant stuff.
*
* @ingroup charon
*/
/**
* @defgroup queues queues
*
* Different kind of queues
* (thread save lists).
*
* @ingroup charon
*/
/**
* @defgroup jobs jobs
*
* Jobs used in job queue and event queue.
*
* @ingroup queues
*/
/**
* @defgroup sa sa
*
* Security associations for IKE and IPSec,
* and some helper classes.
*
* @ingroup charon
*/
/**
* @defgroup states states
*
* Varius states in which an IKE SA can be.
*
* @ingroup sa
*/
/**
* @defgroup threads threads
*
* Threaded classes, which will do their job alone.
*
* @ingroup charon
*/
/**
* Name of the daemon.
*
* @ingroup charon
*/
#define DAEMON_NAME "charon"
@ -105,16 +183,22 @@
*
* There are several other threads, this defines
* only the number of threads in thread_pool_t.
*
* @ingroup charon
*/
#define NUMBER_OF_WORKING_THREADS 4
/**
* UDP Port on which the daemon will listen for incoming traffic.
*
* @ingroup charon
*/
#define IKEV2_UDP_PORT 500
/**
* PID file, in which charon stores its process id
*
* @ingroup charon
*/
#define PID_FILE "/var/run/charon.pid"
@ -123,6 +207,8 @@ typedef struct daemon_t daemon_t;
/**
* @brief Main class of daemon, contains some globals.
*
* @ingroup charon
*/
struct daemon_t {
/**

10
Source/charon/encoding/payloads/proposal_substructure.h
View File

@ -173,6 +173,16 @@ struct proposal_substructure_t {
*/
void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
/**
* @brief Add this proposal_substructure to a proposal.
*
* Since a proposal_t may contain the data of multiple
* proposal_sbustructure_t's, it may be necessary to call
* the function multiple times with the same proposal.
*
* @param this calling proposal_substructure_t object
* @param proposal proposal where the data should be added
*/
void (*add_to_proposal) (proposal_substructure_t *this, proposal_t *proposal);
/**

90
Source/doc/Architecture.txt
View File

@ -1,9 +1,10 @@
strongSwans overall design
============================
/** @mainpage
@section design strongSwans overall design
IKEv1 and IKEv2 is handled in different keying daemons. The ole IKEv1 stuff is
completely handled in pluto, as it was all the times. IKEv2 is handled in the
new keying daemon, which is called charon.
new keying daemon, which is called #charon.
Daemon control is done over unix sockets. Pluto uses whack, as it did for years.
Charon uses another socket interface, called stroke. Stroke uses another
format as whack and therefore is not compatible to whack. The starter utility,
@ -13,6 +14,7 @@ Pluto uses starter for some commands, for other it uses the whack utility. To be
as close to pluto as possible, charon has the same split up of commands to
starter and stroke. All commands are wrapped together in the ipsec script, which
allows transparent control of both daemons.
@verbatim
+-----------------------------------------+
| ipsec |
@ -40,6 +42,7 @@ allows transparent control of both daemons.
| RAW Sock | | UDP/500 |
+----------+ +---------+
@endverbatim
Since IKEv2 uses the same port as IKEv1, both daemons must listen to UDP port
500. Under Linux, there is no clean way to set up two sockets at the same port.
To reslove this problem, charon uses a RAW socket, as they are used in network
@ -47,82 +50,7 @@ sniffers. An installed Linux Socket Filter (LSF) filters out all none-IKEv2
traffic. Pluto receives any IKE message, independant of charons behavior.
Therefore plutos behavior is changed to discard any IKEv2 traffic silently.
To gain some reusability of the code, generic crypto and utility functions are
separeted in a shared library, libstrongswan.
IKEv2 keying daemon: charon
=============================
Threading modell
------------------
All IKEv2 stuff is handled in charon. It uses a newer and more flexible
architecture than pluto. Charon uses a thread-pool, which allows parallel
execution SA-management. Beside the thread-pool, there are some special purpose
threads which do their job for the common health of the daemon.
+------+
| E Q |
| v u |---+ +------+ +------+
| e e | | | | | IKE- |
| n u | +-----------+ | |--| SA |
| t e | | | | I M | +------+
+------------+ | - | | Scheduler | | K a |
| receiver | +------+ | | | E n | +------+
+----+-------+ +-----------+ | - a | | IKE- |
| | +------+ | | S g |--| SA |
+-------+--+ +-----| J Q |---+ +------------+ | A e | +------+
-| socket | | o u | | | | - r |
+-------+--+ | b e | | Thread- | | |
| | - u | | Pool | | |
+----+-------+ | e |------| |---| |
| sender | +------+ +------------+ +------+
+----+-------+
| +------+
| | S Q |
| | e u |
| | n e |
+------------| d u |
| - e |
+--+---+
The thread-pool is the heart of the architecture. It processes jobs from a
(fully synchronized) job-queue. Mostly, a job is associated with a specific
IKE SA. These IKE SAs are synchronized, only one thread can work one an IKE SA.
This makes it unnecesary to use further synchronisation methods once a IKE SA
is checked out. The (rather complex) synchronization of IKE SAs is completely
done in the IKE SA manager.
The sceduler is responsible for event firing. It waits until a event in the
(fully synchronized) event-queue is ready for processing and pushes the event
down to the job-queue. A thread form the pool will pick it up as quick as
possible. Every thread can queue events or jobs. Furter, an event can place a
packet in the send-queue. The sender thread waits for those packets and sends
them over the wire, via the socket. The receiver does exactly the opposite of
the sender. It waits on the socket, reads in packets an places them on the
job-queue for further processing by a thread from the pool.
There are even more threads, not drawn in the upper scheme. The stroke thread
is responsible for reading and processessing commands from another process. The
kernel interface thread handles communication from and to the kernel via a
netlink socket. It waits for kernel events and processes them appropriately.
configuration backends
------------------------
The configuration architecture for charon is complex, but is flexible and
extensible. All configuration stuff is split up in multiple parts:
connection Defines a connection between two hosts. Proposals define with
wich algorithms a IKE SA should be set up.
policy Defines the rules to apply ontop of a connection. A policy is
defined between two IDs. Proposals and traffic selectors allow
fine grained configuration of the CHILD SAs (AH and ESP) to set
up.
credential A credential is something used for authentication, such as a
preshared key, a RSA private or public key, certificate, ...
configuration The configuration itself handles daemon related configuration
stuff, such as interface binding or logging settings.
These configuration types are defined as interfaces, and are currently
implemented only in the stroke class. Through the modular design, parts could be
replaced with more powerful backends, such as a RADIUS server for the
credentials, a SQL database for the connections, policy definitions on an LDAP
server, and so on...
*/

1
Source/doc/Known-bugs.txt
View File

@ -3,3 +3,4 @@
- intiating the same connection twice makes trouble
- leak_detective gets confused from libpthread (invalid frees)
- installing to many SAs in the kernel at the same time causes troubles. Threading issue?

3
Source/doc/Todo-list.txt
View File

@ -3,6 +3,7 @@
+ = done, / = partial, - = todo, ordered by priority
+ private key loading: der, without passphrase
+ load all private keys from ipsec.d/private/ in stroke.c
+ handle leftcert and rightcert in starterstroke.c/stroke.c
@ -28,7 +29,7 @@
+ integrate basic PEM loading
+ port x509 stuff
- doxygen cleanup (charon/lib)
+ doxygen cleanup (charon/lib)
- implement 3DES to load encrypted pem files

2
Source/lib/Makefile.lib
View File

@ -23,7 +23,7 @@ $(BUILD_DIR)definitions.o : $(LIB_DIR)definitions.c $(LIB_DIR)definitions.h
$(CC) $(CFLAGS) -c -o $@ $<
LIB_OBJS+= $(BUILD_DIR)library.o
$(BUILD_DIR)library.o : $(LIB_DIR)library.c
$(BUILD_DIR)library.o : $(LIB_DIR)library.c $(LIB_DIR)library.h
$(CC) $(CFLAGS) -c -o $@ $<
include $(MAIN_DIR)lib/crypto/Makefile.transforms

138
Source/lib/definitions.h
View File

@ -60,133 +60,6 @@
#endif
/**
* @defgroup config config
*
* Classes implementing configuration related things.
*/
/**
* @defgroup encoding encoding
*
* Classes used to encode and decode IKEv2 messages.
*/
/**
* @defgroup network network
*
* Classes for network relevant stuff.
*/
/**
* @defgroup payloads payloads
*
* Classes representing specific IKEv2 payloads.
*
* @ingroup encoding
*/
/**
* @defgroup sa sa
*
* Security association and helper classes.
*/
/**
* @defgroup states states
*
* Varius states in which an IKE SA can be.
*
* @ingroup sa
*/
/**
* @defgroup queues queues
*
* Different kind of queues.
*/
/**
* @defgroup jobs jobs
*
* Jobs used in job queue and event queue.
*
* @ingroup queues
*/
/**
* @defgroup testcases testcases
*
* Testcases used to test the different classes in seperate module tests.
*/
/**
* @defgroup transforms transforms
*
* Transform algorithms of different kind.
*/
/**
* @defgroup rsa rsa
*
* RSA public key algorithm.
*
* @ingroup transforms
*/
/**
* @defgroup prfs prfs
*
* Pseudo random functions.
*
* @ingroup transforms
*/
/**
* @defgroup signers signers
*
* Symmetric signing algorithms, used to ensure message integrity.
*
* @ingroup transforms
*/
/**
* @defgroup crypters crypters
*
* Symmetric encryption algorithms, used to encrypt and decrypt.
*
* @ingroup transforms
*/
/**
* @defgroup hashers hashers
*
* Hashing algorithms.
*
* @ingroup transforms
*/
/**
* @defgroup asn1 asn1
*
* ASN1 structure definition, en-/decoder of for DER
*
* @todo Implement a der_encoder_t class.
*/
/**
* @defgroup utils utils
*
* Generic helper classes.
*/
/**
* @defgroup threads threads
*
* Threaded classes, which will do their job alone.
*/
/**
* Macro gives back larger of two values.
*/
@ -202,22 +75,15 @@
*/
#define POS printf("%s, line %d\n", __FILE__, __LINE__)
/**
* Macro to allocate a type as chunk_t.
* Macro to allocate a sized type.
*
* @param thing object on which a sizeof is performed
* @return chunk_t pointing to allocated memory
* @return poiner to allocated memory
*/
#define malloc_thing(thing) ((thing*)malloc(sizeof(thing)))
/**
* Mapping entry which defines the end of a mapping_t array.
*/

100
Source/lib/library.h Normal file
View File

@ -0,0 +1,100 @@
/**
* @file library.h
*
* @brief Global library header.
*
*/
/*
* Copyright (C) 2006 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef LIBRARY_H_
#define LIBRARY_H_
/**
* @defgroup lib lib
*
* libstrongswan: library with various crypto related things.
*/
/**
* @defgroup asn1 asn1
*
* ASN1 definitions, parser and generator functions.
*
* @ingroup lib
*/
/**
* @defgroup crypto crypto
*
* Crypto algorithms of different kind.
*
* @ingroup lib
*/
/**
* @defgroup crypters crypters
*
* Symmetric encryption algorithms, used for
* encryption and decryption.
*
* @ingroup crypto
*/
/**
* @defgroup hashers hashers
*
* Hashing algorithms, such as MD5 or SHA1
*
* @ingroup crypto
*/
/**
* @defgroup prfs prfs
*
* Pseudo random functions, used to generate
* pseude random byte sequences.
*
* @ingroup crypto
*/
/**
* @defgroup rsa rsa
*
* RSA private/public key algorithm.
*
* @ingroup crypto
*/
/**
* @defgroup signers signers
*
* Symmetric signing algorithms,
* used to ensure message integrity.
*
* @ingroup crypto
*/
/**
* @defgroup utils utils
*
* Generic helper classes.
*
* @ingroup lib
*/
#endif /* LIBRARY_H_ */

39
Source/lib/utils/identification.h
View File

@ -84,21 +84,6 @@ enum id_type_t {
ID_KEY_ID = 11
};
/**
* Old pluto id format
*
* @deprecated Do not use any more, only here for pluto.
*/
// struct id {
// /** ID_* value, pluto pendant to id_type_t */
// int kind;
// /** ID_IPV4_ADDR, ID_IPV6_ADDR */
// ip_address ip_addr;
// /** ID_FQDN, ID_USER_FQDN (with @) */
// /** ID_KEY_ID, ID_DER_ASN_DN */
// chunk_t name;
// };
/**
* String mappings for id_type_t.
*/
@ -158,17 +143,6 @@ struct identification_t {
*/
char *(*get_string) (identification_t *this);
/**
* @brief Get the id in the format used in pluto.
*
* We do this in pluto style here, which means no memory
* is allocated.
*
* @param this the identification_t object
* @return string
*/
// void (*get_pluto_id) (identification_t *this, struct id *pluto_id);
/**
* @brief Check if two identification_t objects are equal.
*
@ -232,18 +206,5 @@ identification_t * identification_create_from_string(id_type_t type, char *strin
*/
identification_t * identification_create_from_encoding(id_type_t type, chunk_t encoded);
/**
* @brief Creates an identification_t object from the old pluto id format.
*
* Pluto uses struct id for identification stuff. Since we need to convert from
* this format to our identification_t, we need this special constructor.
*
* @param id old pluto format id
* @return identification_t object
*
* @ingroup utils
*/
// identification_t * identification_create_from_pluto_id(struct id *pluto_id);
#endif /* IDENTIFICATION_H_ */

6
Source/lib/utils/leak_detective.c
View File

@ -1,7 +1,7 @@
/**
* @file leak_detective.c
*
* @brief Implementation of leak_detective_t.
* @brief Allocation hooks to find memory leaks.
*/
/*
@ -31,7 +31,6 @@
#include <dlfcn.h>
#include <unistd.h>
#include <syslog.h>
#define __USE_GNU /* needed for recursiv mutex initializer */
#include <pthread.h>
#include "leak_detective.h"
@ -120,8 +119,7 @@ static bool installed = FALSE;
/**
* Mutex to exclusivly uninstall hooks, access heap list
*/
static pthread_mutex_t mutex = PTHREAD_RECURSIVE_MUTEX_INITIALIZER_NP;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
/**

8
Source/lib/utils/logger_manager.h
View File

@ -145,8 +145,16 @@ struct logger_manager_t {
*/
extern logger_manager_t *logger_manager;
/**
* Initialize the logger manager with all its logger.
* Has to be called before logger_manager is accessed.
*/
void logger_manager_init();
/**
* Free any resources hold by the logger manager. Do
* not access logger_manager after this call.
*/
void logger_manager_cleanup();
#endif /*LOGGER_MANAGER_H_*/

9
Source/stroke/stroke.h
View File

@ -23,14 +23,17 @@
#ifndef STROKE_H_
#define STROKE_H_
/**
* Socket which is used to communicate between charon and stroke
*/
#define STROKE_SOCKET "/var/run/charon.ctl"
typedef struct stroke_msg_t stroke_msg_t;
/**
* @brief A stroke message sent over the unix socket.
*
*/
typedef struct stroke_msg_t stroke_msg_t;
struct stroke_msg_t {
/* length of this message with all strings */
u_int16_t length;