strongswan libcharon

Contents

libcharon source files

Relationships between libcharon modules

libcharon directory structure and descriptions


libcharon source files

strongswan/src/libcharon

# ls
Android.mk  bus     control   daemon.h  encoding  Makefile.am  plugins     sa
attributes  config  daemon.c  debug     kernel    network      processing  tests

libcharon implements the IKE protocol itself. For an IKE_SA to come up on each end, the two peers have to authenticate each other.

The strongswan/src/libcharon/sa directory has subdirectories for the two protocol versions and for the authentication methods layered on them:

ikev1 ikev2 eap xauth

Relationships between libcharon modules

The comment in strongswan/src/libcharon/daemon.h draws the data flow, using IKEv2 as the example:


      +---------------------------------+       +----------------------------+
      |           controller            |       |          config            |
      +---------------------------------+       +----------------------------+
               |      |      |                           ^     ^    ^
               V      V      V                           |     |    |

       +----------+  +-----------+   +------+            +----------+    +----+
       | receiver |  |           |   |      |  +------+  | CHILD_SA |    | K  |
       +---+------+  | Scheduler |   | IKE- |  | IKE- |--+----------+    | e  |
           |         |           |   | SA   |--| SA   |  | CHILD_SA |    | r  |
    +------+---+     +-----------+   |      |  +------+  +----------+    | n  |
 <->|  socket  |           |         | Man- |                            | e  |
    +------+---+     +-----------+   | ager |  +------+  +----------+    | l  |
           |         |           |   |      |  | IKE- |--| CHILD_SA |    | -  |
       +---+------+  | Processor |---|      |--| SA   |  +----------+    | I  |
       |  sender  |  |           |   |      |  +------+                  | f  |
       +----------+  +-----------+   +------+                            +----+

               |      |      |                        |      |      |
               V      V      V                        V      V      V
      +---------------------------------+       +----------------------------+
      |               Bus               |       |         credentials        |
      +---------------------------------+       +----------------------------+

IKE_SA state machine (from the comment in ike_sa.h):

 * State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state CREATED.

                 +----------------+
                 ¦   SA_CREATED   ¦
                 +----------------+
                         ¦
    on initiate()--->    ¦   <----- on IKE_SA_INIT received
                         V
                 +----------------+
                 ¦ SA_CONNECTING  ¦
                 +----------------+
                         ¦
                         ¦   <----- on IKE_AUTH successfully completed
                         V
                 +----------------+
                 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
                 +----------------+                         ¦
                         ¦                                  V
    on delete()--->      ¦   <----- on IKE_SA        +-------------+
                         ¦          delete request   ¦ SA_REKEYING ¦
                         ¦          received         +-------------+
                         V                                  ¦
                 +----------------+                         ¦
                 ¦  SA_DELETING   ¦<------------------------+ <-- after rekeying
                 +----------------+
                         ¦
                         ¦   <----- after delete() acknowledged
                         ¦
                        \V/
                         X
                        / \
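The arrows drawn above, as an added example in C; this is not strongSwan's own code (the daemon sets these states from its tasks rather than through a transition function). The state names follow ike_sa_state_t; the event names, the SA_DESTROYED marker for the X at the bottom, and the replay helper are this example's own assumptions. It accepts exactly the arrows in the diagram and rejects anything else, e.g. IKE_AUTH completing before any IKE_SA_INIT:

```c
#include <stddef.h>

/* IKE_SA states named as in strongSwan's ike_sa_state_t; SA_DESTROYED is this example's own
 * terminal marker for the X at the bottom of the diagram. */
typedef enum {
    SA_CREATED, SA_CONNECTING, SA_ESTABLISHED, SA_REKEYING, SA_DELETING, SA_DESTROYED
} ike_sa_state_t;

/* The events that label the arrows in the diagram. Names are this example's own. */
typedef enum {
    EV_INITIATE,           /* initiate() called locally */
    EV_IKE_SA_INIT_RECV,   /* IKE_SA_INIT received as responder */
    EV_IKE_AUTH_DONE,      /* IKE_AUTH successfully completed */
    EV_REKEY,              /* rekeying of this SA started */
    EV_REKEY_DONE,         /* rekeying finished, the old SA is torn down */
    EV_DELETE,             /* delete() called, or an IKE_SA delete request received */
    EV_DELETE_ACKED        /* delete acknowledged by the peer */
} ike_sa_event_t;

/* Apply one event. Returns the new state, or -1 if the diagram has no such arrow. */
int ike_sa_transition(ike_sa_state_t s, ike_sa_event_t ev)
{
    switch (s) {
    case SA_CREATED:
        if (ev == EV_INITIATE || ev == EV_IKE_SA_INIT_RECV) return SA_CONNECTING;
        break;
    case SA_CONNECTING:
        if (ev == EV_IKE_AUTH_DONE) return SA_ESTABLISHED;
        break;
    case SA_ESTABLISHED:
        if (ev == EV_REKEY) return SA_REKEYING;
        if (ev == EV_DELETE) return SA_DELETING;
        break;
    case SA_REKEYING:
        if (ev == EV_REKEY_DONE) return SA_DELETING;
        break;
    case SA_DELETING:
        if (ev == EV_DELETE_ACKED) return SA_DESTROYED;
        break;
    case SA_DESTROYED:
        break;                        /* nothing leaves the terminal state */
    }
    return -1;
}

/* Replay a sequence of events starting from SA_CREATED. Returns the final state, or -1 at the
 * first event the diagram does not allow, storing that event's index in *bad_idx. */
int ike_sa_replay(const ike_sa_event_t *evs, size_t n, size_t *bad_idx)
{
    int s = SA_CREATED;
    for (size_t i = 0; i < n; i++) {
        int next = ike_sa_transition((ike_sa_state_t)s, evs[i]);
        if (next < 0) {
            if (bad_idx) *bad_idx = i;
            return -1;
        }
        s = next;
    }
    return s;
}
```

The diagram only draws the IKE-level paths. The daemon can also discard an SA without a delete exchange, for example a half-open SA whose IKE_SA_INIT retransmits time out; this model reports such a shortcut as an invalid event, which is the point of a checker like this when reading logs or fuzzing a peer.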

The scheduler is responsible for executing timed events. Jobs may be queued to the scheduler to get executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself, it queues them to the processor.

The IKE_SA manager manages all IKE_SAs. It further handles the synchronization:
Each IKE_SA must be checked out strictly and checked in again after use. The manager guarantees that only one thread may check out a single IKE_SA. This allows the (complex) IKE_SA routines to be written non-threadsafe.
The IKE_SA contains the state and the logic of each IKE_SA and handles the messages.

The CHILD_SA contains state about an IPsec security association and manages it. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel takes place here through the kernel interface.

The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers.

The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes or error messages are sent over the bus.
Its listeners are not only for logging, but also to track the state of an IKE_SA.

The controller, credential_manager, bus and backend_manager (config) are places where a plugin can register itself to provide information or observe and control the daemon.

libcharon directory structure and descriptions

The following describes the function of each directory under strongswan/src/libcharon/ and how the directories relate to each other.

Directory: files, with descriptions

attributes: attribute_handler.h attribute_manager.h attributes.c mem_pool.c attribute_manager.c attribute_provider.h attributes.h mem_pool.h

bus: bus.c bus.h listeners

config: backend.h backend_manager.c backend_manager.h child_cfg.c child_cfg.h ike_cfg.c ike_cfg.h peer_cfg.c peer_cfg.h

control: controller.c controller.h

encoding: generator.c generator.h

The generator builds IKEv2 payloads.

Once a generator object has been created, payloads are generated with its generate_payload method; the bytes produced are appended to the generator's buffer. After all payloads have been added, write_to_chunk writes out everything that was generated.

message.c message.h

Represents one IKE message; its payloads are parsed and generated through parser_t / generator_t.

The methods of message_t get and set the fields of the IKE header.

parser.c parser.h

The parser_t class parses payloads.

Payloads are parsed out of a chunk with the parse_payload method.

payloads

ike_header.h traffic_selector_substructure.h auth_payload.h encodings.h encrypted_fragment_payload.h ke_payload.h transform_attribute.h cert_payload.h encrypted_payload.h nonce_payload.h transform_substructure.h certreq_payload.h endpoint_notify.h notify_payload.h   ts_payload.h
configuration_attribute.h fragment_payload.h payload.h unknown_payload.h cp_payload.h hash_payload.h proposal_substructure.h vendor_id_payload.h delete_payload.h id_payload.h sa_payload.h eap_payload.h

kernel

kernel_handler.c kernel_handler.h

kernel_listener.h

Listens for and handles kernel events; this is mainly the implementation of the kernel listener interface.

The main events are: policy matches (acquires), SA expiry, policy migration, network interface state or routing changes, and tunnel-established events.

kernel_interface.c kernel_interface.h

The kernel interface talks to the kernel to manage SAs and policies, network interfaces and IP addresses. It bundles kernel_handler, kernel_ipsec and kernel_net.

For example: adding, deleting, updating and querying SAs in the SAD; adding, deleting, updating and querying policies in the SPD; querying routes, local interface state and IP addresses from the kernel; adding and removing virtual addresses.

kernel_ipsec.c kernel_ipsec.h

Manages SAs and policies through the kernel interface.

For example: adding, deleting, updating and querying SAs in the SAD; adding, deleting, updating and querying policies in the SPD.

kernel_net.c kernel_net.h

Sets network parameters through the kernel interface.

For example: finding the source address to use for a given destination, route lookups, finding the interface name for a local IP address, adding a virtual address to an interface, adding routes.

network

receiver.c receiver.h
sender.c sender.h
socket.c socket.h
socket_manager.c socket_manager.h

plugins: kernel_libipsec kernel_netlink vici ........

processing: jobs
sa: child_sa.c child_sa.h

A child_sa holds two SAs, one for each direction between the two hosts; these two SAs and their policies share the same reqid.

child_sa_manager.c child_sa_manager.h

Handles the association between CHILD_SAs and IKE_SAs: registering, removing and looking up which IKE_SA a CHILD_SA belongs to.

ike_sa.c ike_sa.h

An IKE_SA holds the algorithm information for one connection and owns the CHILD_SAs it is responsible for. All exchanges are driven by the IKE_SA through its task manager.

ike_sa_id.c ike_sa_id.h

ike_sa_id identifies an IKE_SA.

An IKE_SA is identified by the initiator's and responder's SPIs; in addition the ID records the IKE major version (e.g. IKEv2) and this daemon's role, initiator or responder.

ike_sa_manager.c ike_sa_manager.h

task.c task.h

The task types are enumerated in enum task_type_t.

Examples: establishing an unauthenticated IKE_SA, authenticating an established IKE_SA, certificate handling before and after authentication, creating a CHILD_SA over an IKE_SA, deleting a CHILD_SA.

task_manager.c task_manager.h

Creates the task manager for IKEv1 or IKEv2.

The task manager manages tasks with task queues.

There are three queues: the active queue of tasks initiated by this side, the passive queue of tasks initiated by the peer, and the queue of tasks that have been queued but not yet activated.

ikev1
ikev2
eap
xauth

authenticator.c authenticator.h

keymat.c keymat.h

shunt_manager.c shunt_manager.h
redirect_manager.c  redirect_manager.h   trap_manager.c  trap_manager.h
redirect_provider.h

tests: exchange_tests.c exchange_tests.h libcharon_tests.c libcharon_tests.h Makefile.am suites utils

The IKE message format, i.e. the ISAKMP header format (RFC 2408), shown with the IKEv2 field names of RFC 7296 section 3.1:

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                       IKE_SA Initiator's SPI                  !
      !                                                               !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                       IKE_SA Responder's SPI                  !
      !                                                               !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                          Message ID                           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                            Length                             !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The private_ike_header_t struct in strongswan/src/libcharon/encoding/payloads/ike_header.c describes the IKE header.

The Exchange Type field takes the following values, among others (numbers from RFC 2409 for the IKEv1 modes, RFC 7296 and RFC 5723 for IKEv2):

    "QUICK_MODE",          /* 32, IKEv1 */
    "NEW_GROUP_MODE",      /* 33, IKEv1 */
    "IKE_SA_INIT",         /* 34 */
    "IKE_AUTH",            /* 35 */
    "INFORMATIONAL",       /* 37 */
    "IKE_SESSION_RESUME"   /* 38 */

The list is not complete: CREATE_CHILD_SA (36), used for creating and rekeying CHILD_SAs and IKE_SAs, sits between IKE_AUTH and INFORMATIONAL.

static encoding_rule_t encodings[] defines how the IKE header is parsed and generated: each rule pairs a field's encoding type with that field's offset, so one table drives both the parser and the generator.

The payload header files are:

# strongswan/src/libcharon/encoding/payloads$ ls *_payload.h
auth_payload.h     cp_payload.h      encrypted_fragment_payload.h  hash_payload.h  nonce_payload.h   ts_payload.h
cert_payload.h     delete_payload.h  encrypted_payload.h           id_payload.h    notify_payload.h  unknown_payload.h
certreq_payload.h  eap_payload.h     fragment_payload.h            ke_payload.h    sa_payload.h      vendor_id_payload.h

For example:

SA Payload (this is the ISAKMP/IKEv1 layout from RFC 2408 section 3.4; the IKEv2 SA payload of RFC 7296 section 3.3 has no DOI or Situation fields and goes straight from the generic payload header to the proposals)

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ! Next Payload  !    RESERVED   !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                           DOI                                 !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                           Situation                           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                                                               !
      ~                          <Proposals>                          ~
      !                                                               !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

KE (Key Exchange) Payload (IKEv2 layout, RFC 7296 section 3.4; C is the Critical bit of the generic payload header)

       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ! Next Payload  !C!  RESERVED   !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !          DH Group #           !           RESERVED            !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                                                               !
      ~                       Key Exchange Data                       ~
      !                                                               !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
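A parser for the IKE header and the payload chain described in this section, as an added example in C. It is not strongSwan's code: the daemon's parser_t is table-driven from the encoding rules, whereas this walks the bytes directly. Field offsets and payload type numbers come from RFC 7296; the sample message, the error codes and the function names are this example's own assumptions. It checks the Length field against the datagram actually received, verifies MjVer, follows Next Payload / Payload Length through a KE payload and a nonce, and rejects an unknown payload whose Critical bit is set, as RFC 7296 section 2.5 requires:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed IKE header (RFC 7296 section 3.1) and generic payload header (section 3.2) sizes. */
#define IKE_HEADER_LEN 28
#define GENERIC_HDR_LEN 4
#define FLAG_INITIATOR 0x08

/* IKEv2 exchange types (RFC 7296 3.1) and the payload types this example understands (3.2). */
enum { EXCH_IKE_SA_INIT = 34, EXCH_IKE_AUTH = 35, EXCH_CREATE_CHILD_SA = 36, EXCH_INFORMATIONAL = 37 };
enum { PL_NONE = 0, PL_SA = 33, PL_KE = 34, PL_NONCE = 40 };

typedef struct {
    uint64_t spi_i, spi_r;
    uint8_t next_payload, mjver, mnver, exchange_type, flags;
    uint32_t message_id, length;
} ike_header_t;

typedef struct {
    uint16_t dh_group;       /* Diffie-Hellman Group # from the KE payload */
    const uint8_t *ke_data;  /* points into the message buffer, not copied */
    uint16_t ke_len;
} ke_payload_t;

/* Big-endian field helpers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Parse the 28-byte header. Returns 0, or a negative code naming the check that failed. */
int parse_ike_header(const uint8_t *buf, size_t len, ike_header_t *h)
{
    if (len < IKE_HEADER_LEN) return -1;                 /* datagram too short for a header */
    h->spi_i = rd64(buf);
    h->spi_r = rd64(buf + 8);
    h->next_payload = buf[16];
    h->mjver = buf[17] >> 4;                             /* MjVer is the high nibble */
    h->mnver = buf[17] & 0x0f;
    h->exchange_type = buf[18];
    h->flags = buf[19];
    h->message_id = rd32(buf + 20);
    h->length = rd32(buf + 24);
    if (h->mjver != 2) return -2;                        /* only IKEv2 is handled here */
    if (h->length < IKE_HEADER_LEN || h->length > len) return -3; /* Length must fit what we received */
    return 0;
}

/* Walk the Next Payload chain after the header. Returns the payload count or a negative code.
 * Unknown payload types are skipped unless their Critical bit is set (RFC 7296 section 2.5). */
int walk_payloads(const uint8_t *buf, size_t len, ke_payload_t *ke)
{
    ike_header_t h;
    int rc = parse_ike_header(buf, len, &h);
    if (rc != 0) return rc;
    size_t off = IKE_HEADER_LEN;
    uint8_t type = h.next_payload;
    int count = 0;
    while (type != PL_NONE) {
        if (off + GENERIC_HDR_LEN > h.length) return -4;  /* generic header would overrun Length */
        uint8_t next = buf[off];
        int critical = buf[off + 1] & 0x80;
        uint16_t plen = rd16(buf + off + 2);
        if (plen < GENERIC_HDR_LEN || off + plen > h.length) return -5; /* bad Payload Length */
        switch (type) {
        case PL_KE:
            if (plen < GENERIC_HDR_LEN + 4) return -6;       /* needs DH Group # + RESERVED */
            ke->dh_group = rd16(buf + off + 4);
            ke->ke_data = buf + off + 8;
            ke->ke_len = (uint16_t)(plen - 8);
            break;
        case PL_SA:
        case PL_NONCE:
            break;                                       /* known types; contents not decoded here */
        default:
            if (critical) return -7;                     /* unknown critical payload: reject message */
            break;                                       /* unknown non-critical payload: skip it */
        }
        off += plen;
        type = next;
        count++;
    }
    if (off != h.length) return -8;                      /* bytes inside Length not covered by a payload */
    return count;
}

/* Constructed sample (not captured traffic): an IKE_SA_INIT request with a KE payload for
 * DH group 14 carrying 16 placeholder bytes (a real group 14 value is 256 bytes) and a nonce. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t spi_i[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    const size_t total = IKE_HEADER_LEN + (GENERIC_HDR_LEN + 4 + 16) + (GENERIC_HDR_LEN + 16);
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, spi_i, 8);          /* responder SPI stays zero in the first request */
    out[16] = PL_KE;                /* first payload in the chain */
    out[17] = 0x20;                 /* MjVer 2, MnVer 0 */
    out[18] = EXCH_IKE_SA_INIT;
    out[19] = FLAG_INITIATOR;       /* Message ID (bytes 20..23) stays 0 */
    wr32(out + 24, (uint32_t)total);
    uint8_t *p = out + IKE_HEADER_LEN;   /* KE payload */
    p[0] = PL_NONCE;
    wr16(p + 2, GENERIC_HDR_LEN + 4 + 16);
    wr16(p + 4, 14);
    memset(p + 8, 0xAB, 16);
    p += GENERIC_HDR_LEN + 4 + 16;       /* Nonce payload, last in the chain */
    p[0] = PL_NONE;
    wr16(p + 2, GENERIC_HDR_LEN + 16);
    memset(p + 4, 0x42, 16);
    return total;
}
```

Two of the checks matter most when a peer is hostile: Length is bounded by the datagram before any payload is touched, and every Payload Length is bounded by Length before the payload is read, so a crafted length field cannot move the walk past the buffer. ke_data is a view into the buffer, so the caller must copy it before the datagram is released.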
