- better management of unknown_payload, with critical check
authorMartin Willi <martin@strongswan.org>
Tue, 6 Dec 2005 11:51:13 +0000 (11:51 -0000)
committerMartin Willi <martin@strongswan.org>
Tue, 6 Dec 2005 11:51:13 +0000 (11:51 -0000)
- message code cleanup

Source/charon/encoding/message.c
Source/charon/encoding/message.h
Source/charon/encoding/parser.c
Source/charon/encoding/payloads/payload.c
Source/charon/encoding/payloads/payload.h
Source/charon/encoding/payloads/unknown_payload.c
Source/charon/encoding/payloads/unknown_payload.h

index 8c79690..8e4f3dd 100644 (file)
@@ -35,6 +35,7 @@
 #include <encoding/payloads/encodings.h>
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/unknown_payload.h>
 
 /**
  * Max number of notify payloads per IKEv2 Message
 #define MAX_NOTIFY_PAYLOADS 10
 
 
-typedef struct supported_payload_entry_t supported_payload_entry_t;
+typedef struct payload_rule_t payload_rule_t;
 
 /**
- * Supported payload entry used in message_rule_t.
- * 
+ * A payload rule defines the rules for a payload
+ * in a specific message rule. It defines if and how 
+ * many times a payload must/can occur in a message
+ * and if it must be encrypted.
  */
-struct supported_payload_entry_t {
+struct payload_rule_t {
        /**
         * Payload type.
         */
@@ -65,21 +68,24 @@ struct supported_payload_entry_t {
         size_t max_occurence;
         
         /**
-         * TRUE if payload has to get encrypted
+         * TRUE if payload must be encrypted
          */
         bool encrypted;
         
         /**
-         * Verifying can stop after checking this payload.
+         * If this payload occurs, the message rule is
+         * fullfilled in any case. This applies e.g. to 
+         * notify_payloads.
          */
-        bool can_be_last;
+        bool sufficient;
 };
 
 typedef struct message_rule_t message_rule_t;
 
 /**
- * Message Rule used to find out which payloads 
- * are supported by each message type.
+ * A message rule defines the kind of a message,
+ * if it has encrypted contents and a list
+ * of payload rules.
  * 
  */
 struct message_rule_t {
@@ -98,22 +104,21 @@ struct message_rule_t {
         */
        bool encrypted_content;
        
-        /**
-         * Number of supported payloads.
-         */
-        size_t supported_payloads_count;
+       /**
+        * Number of payload rules which will follow
+        */
+       size_t payload_rule_count;
         
        /**
-        * Pointer to first supported payload entry.
+        * Pointer to first payload rule
         */
-        supported_payload_entry_t *supported_payloads;
+       payload_rule_t *payload_rules;
 };
 
 /**
  * Message rule for IKE_SA_INIT from initiator.
  */
-static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
-{
+static payload_rule_t ike_sa_init_i_payload_rules[] = {
        {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
        {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
        {KEY_EXCHANGE,1,1,FALSE,FALSE},
@@ -123,8 +128,7 @@ static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
 /**
  * Message rule for IKE_SA_INIT from responder.
  */
-static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
-{
+static payload_rule_t ike_sa_init_r_payload_rules[] = {
        {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
        {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
        {KEY_EXCHANGE,1,1,FALSE,FALSE},
@@ -134,8 +138,7 @@ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
 /**
  * Message rule for IKE_AUTH from initiator.
  */
-static supported_payload_entry_t supported_ike_auth_i_payloads[] =
-{
+static payload_rule_t ike_auth_i_payload_rules[] = {
        {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
        {ID_INITIATOR,1,1,TRUE,FALSE},
        {CERTIFICATE,0,1,TRUE,FALSE},
@@ -145,13 +148,13 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
        {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
        {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
        {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
+       {CONFIGURATION,0,1,TRUE,FALSE},
 };
 
 /**
  * Message rule for IKE_AUTH from responder.
  */
-static supported_payload_entry_t supported_ike_auth_r_payloads[] =
-{
+static payload_rule_t ike_auth_r_payload_rules[] = {
        {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
        {CERTIFICATE,0,1,TRUE,FALSE},
        {ID_RESPONDER,1,1,TRUE,FALSE},
@@ -159,33 +162,17 @@ static supported_payload_entry_t supported_ike_auth_r_payloads[] =
        {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
        {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
        {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
+       {CONFIGURATION,0,1,TRUE,FALSE},
 };
 
 /**
  * Message rules, defines allowed payloads.
  */
 static message_rule_t message_rules[] = {
-       {IKE_SA_INIT,TRUE,FALSE,(sizeof(supported_ike_sa_init_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_i_payloads},
-       {IKE_SA_INIT,FALSE,FALSE,(sizeof(supported_ike_sa_init_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_r_payloads},
-       {IKE_AUTH,TRUE,TRUE,(sizeof(supported_ike_auth_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_i_payloads},
-       {IKE_AUTH,FALSE,TRUE,(sizeof(supported_ike_auth_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_r_payloads}
-};
-
-typedef struct payload_entry_t payload_entry_t;
-
-/**
- * Entry for a payload in the internal used linked list.
- * 
- */
-struct payload_entry_t {
-       /**
-        * Type of payload.
-        */
-       payload_type_t payload_type;
-       /**
-        * Data struct holding the data of given payload.
-        */
-       void *data_struct;
+       {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
+       {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
+       {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
+       {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules}
 };
 
 
@@ -222,8 +209,7 @@ struct private_message_t {
        exchange_type_t exchange_type;
 
        /**
-        * TRUE if message is request.
-        * FALSE if message is reply.
+        * TRUE if message is a request, FALSE if a reply.
         */
        bool is_request;
        
@@ -238,9 +224,7 @@ struct private_message_t {
        ike_sa_id_t *ike_sa_id;
        
        /**
-        * Assigned UDP packet.
-        * 
-        * Stores incoming packet or last generated one.
+        * Assigned UDP packet, stores incoming packet or last generated one.
         */
        packet_t *packet;
         
@@ -255,38 +239,38 @@ struct private_message_t {
        parser_t *parser;
        
        /**
+        * The message rule for this message instance
+        */
+       message_rule_t *message_rule;
+       
+       /**
         * Assigned logger.
         */
        logger_t *logger;
        
        /**
-        * Gets a list of supported payloads of this message type.
+        * Sets the private message_rule member to the rule which 
+        * applies to this message. Must be called before get_payload_rule().
         * 
         * @param this                                  calling object
-        * @param[out] message_rule             pointer is set to the message_rule 
-        *                                                              of current message type
-        * 
         * @return
         *                                                              - SUCCESS
-        *                                                              - NOT_FOUND if no message rule 
-        *                                                                for specific message type could be found
+        *                                                              - NOT_FOUND if no message rule applies to this message.
         */
-       status_t (*get_message_rule) (private_message_t *this, message_rule_t **message_rule);
+       status_t (*set_message_rule) (private_message_t *this);
 
        /**
-        * Gets the supported_payload_entry_t for a specific message_rule_t and payload type.
+        * Gets the payload_rule_t for a specific message_rule_t and payload type.
         * 
         * @param this                                  calling object
-        * @param message_rule                  message rule
         * @param payload_type                  payload type
-        * @param[out] payload_entry    returned payload_entry_t
-        * 
+        * @param[out] payload_rule             returned payload_rule_t
         * @return
         *                                                              - SUCCESS
-        *                                                              - NOT_FOUND if no message rule 
-        *                                                                for specific message type could be found
+        *                                                              - NOT_FOUND if payload not defined in current message rule
+        *                                                              - INVALID_STATE if message rule is not set via set_message_rule()
         */     
-       status_t (*get_supported_payload_entry) (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry);
+       status_t (*get_payload_rule) (private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule);
        
        /**
         * Encrypts all payloads which has to get encrypted.
@@ -296,24 +280,40 @@ struct private_message_t {
         * @param this                  calling object
         * @param crypter               crypter_t object
         * @param signer                signer_t object
+        * @return
+        *                                              - SUCCESS
+        *                                              - INVALID_STATE if no crypter/signer supplied but needed
         */
        status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
        
        /**
-        * Decrypts encrypted contents and also verifies all payloads.
+        * Decrypts encrypted contents, and checks if a payload is encrypted if it has to be.
         * 
         * @param this                  calling object
         * @param crypter               crypter_t object
         * @param signer                signer_t object
+        * @return
+        *                                              - SUCCESS
+        *                                              - FAILED if decryption not successfull
+        *                                              - INVALID_STATE if no crypter/signer supplied but needed
+        */
+       status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
+       
+       /**
+        * Verifies the message. Checks for payloads count.
+        * 
+        * @param                               calling object
+        * @return
+        *                                              - SUCCESS if message valid, or
+        *                                              - FAILED if message does not align with message rules.
         */
-       status_t (*decrypt_and_verify_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer); 
+       status_t (*verify) (private_message_t *this);   
 };
 
 /**
- * Implementation of private_message_t.get_supported_payloads.
+ * Implementation of private_message_t.set_message_rule.
  */
-
-static  status_t get_message_rule (private_message_t *this, message_rule_t **message_rule)
+static  status_t set_message_rule(private_message_t *this)
 {
        int i;
                
@@ -323,31 +323,31 @@ static  status_t get_message_rule (private_message_t *this, message_rule_t **mes
                        (this->is_request == message_rules[i].is_request))
                {
                        /* found rule for given exchange_type*/
-                       *message_rule = &(message_rules[i]);
+                       this->message_rule = &(message_rules[i]);
                        return SUCCESS;
                }
        }
-       *message_rule = NULL;
+       this->message_rule = NULL;
        return NOT_FOUND;
 }
 
 /**
- * Implementation of private_message_t.get_supported_payload_entry.
+ * Implementation of private_message_t.get_payload_rule.
  */
-static status_t get_supported_payload_entry (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry)
+static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
 {
        int i;
        
-       for (i = 0; i < message_rule->supported_payloads_count;i++)
+       for (i = 0; i < this->message_rule->payload_rule_count;i++)
        {
-               if (message_rule->supported_payloads[i].payload_type == payload_type)
+               if (this->message_rule->payload_rules[i].payload_type == payload_type)
                {
-                       *payload_entry = &(message_rule->supported_payloads[i]);
+                       *payload_rule = &(this->message_rule->payload_rules[i]);
                        return SUCCESS;
                }
        }
        
-       *payload_entry = NULL;
+       *payload_rule = NULL;
        return NOT_FOUND;
 }
 
@@ -541,7 +541,6 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
        ike_header_t *ike_header;
        payload_t *payload, *next_payload;
        iterator_t *iterator;
-       message_rule_t *message_rule;
        status_t status;
        
        this->logger->log(this->logger, CONTROL, "Generating message of type %s, contains %d payloads",
@@ -550,27 +549,32 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
        
        if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
        {
-               this->logger->log(this->logger, ERROR | MORE, "Exchange type %s is not defined",mapping_find(exchange_type_m,this->exchange_type));
+               this->logger->log(this->logger, ERROR | MORE, "Exchange type %s is not defined",
+                                                       mapping_find(exchange_type_m,this->exchange_type));
                return INVALID_STATE;
        }
        
-       status = this->get_message_rule(this, &message_rule);
-       if (status != SUCCESS)
-       {
-               this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
-                                                 mapping_find(exchange_type_m,this->exchange_type));
-               return status;
-       }
-       
        if (this->packet->source == NULL ||
                this->packet->destination == NULL) 
        {
-               this->logger->log(this->logger, ERROR | MORE, "Source/destination not defined");
+               this->logger->log(this->logger, ERROR|MORE, "%s not defined",
+                                                       !this->packet->source ? "source" : "destination");
                return INVALID_STATE;
        }
        
+       /* set the rules for this messge */
+       status = this->set_message_rule(this);
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "No message rules specified for a %s %s",
+                                                 mapping_find(exchange_type_m,this->exchange_type),
+                                                 this->is_request ? "request" : "response");
+               return NOT_SUPPORTED;
+       }
+       
+       
        /* going to encrypt all content which have to be encrypted */
-       status = this->encrypt_payloads(this,crypter,signer);
+       status = this->encrypt_payloads(this, crypter, signer);
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR | MORE, "Could not encrypt payloads");
@@ -591,9 +595,9 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
        
        payload = (payload_t*)ike_header;
 
-       iterator = this->payloads->create_iterator(this->payloads, TRUE);
        
-       /* generate every payload expect last one*/
+       /* generate every payload expect last one, this is doen later*/
+       iterator = this->payloads->create_iterator(this->payloads, TRUE);
        while(iterator->has_next(iterator))
        {
                iterator->current(iterator, (void**)&next_payload);
@@ -634,7 +638,8 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
        /* clone packet for caller */
        *packet = this->packet->clone(this->packet);
        
-       this->logger->log(this->logger, CONTROL, "Message of type %s generated successfully",mapping_find(exchange_type_m,this->exchange_type));
+       this->logger->log(this->logger, CONTROL, "Message of type %s generated successfully",
+                                               mapping_find(exchange_type_m,this->exchange_type));
        return SUCCESS;
 }
 
@@ -699,11 +704,22 @@ static status_t parse_header(private_message_t *this)
        this->minor_version = ike_header->get_min_version(ike_header);
        this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
        
-       this->logger->log(this->logger, CONTROL, "Parsed a %s %s", mapping_find(exchange_type_m, this->exchange_type),
+       this->logger->log(this->logger, CONTROL, "Parsed a %s %s", 
+                                               mapping_find(exchange_type_m, this->exchange_type),
                                                this->is_request ? "request" : "response");
        
-       ike_header->destroy(ike_header);        
-       return SUCCESS; 
+       ike_header->destroy(ike_header);                                        
+       
+       /* get the rules for this messge */
+       status = this->set_message_rule(this);
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "No message rules specified for a %s %s",
+                                                 mapping_find(exchange_type_m,this->exchange_type),
+                                                 this->is_request ? "request" : "response");
+       }
+       
+       return status;  
 }
 
 /**
@@ -712,11 +728,14 @@ static status_t parse_header(private_message_t *this)
 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
 {
        status_t status = SUCCESS;
-       payload_type_t current_payload_type = this->first_payload;
+       payload_type_t current_payload_type;
+               
+       current_payload_type = this->first_payload;     
                
        this->logger->log(this->logger, CONTROL|MORE, "Parsing body of message, first payload %s",
                                          mapping_find(payload_type_m, current_payload_type));
 
+       /* parse payload for payload, while there are more available */
        while ((current_payload_type != NO_PAYLOAD))
        {
                payload_t *current_payload;
@@ -724,6 +743,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
                this->logger->log(this->logger, CONTROL|MOST, "Start parsing payload of type %s", 
                                                        mapping_find(payload_type_m, current_payload_type));
                
+               /* parse current payload */
                status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
                if (status != SUCCESS)
                {
@@ -734,6 +754,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
                this->logger->log(this->logger, CONTROL|MOST, "Verify payload of type %s", 
                                                        mapping_find(payload_type_m, current_payload_type));
                
+               /* verify it, stop parsig if its invalid */
                status = current_payload->verify(current_payload);
                if (status != SUCCESS)
                {
@@ -747,7 +768,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
                                                        mapping_find(payload_type_m, current_payload_type));
                this->payloads->insert_last(this->payloads,current_payload);
                
-               /* stop if an encryption payload found */
+               /* an encryption payload is the last one, so STOP here. decryption is done later */
                if (current_payload_type == ENCRYPTED)
                {
                        this->logger->log(this->logger, CONTROL|MOST, "Payload of type encrypted found. Stop parsing.", 
@@ -764,78 +785,91 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
                                                this->is_request ? "request" : "response",
                                                this->payloads->get_count(this->payloads));
 
-       status = this->decrypt_and_verify_payloads(this,crypter,signer);
+       /* */
+       if (current_payload_type == ENCRYPTED)
+       status = this->decrypt_payloads(this,crypter,signer);
        if (status != SUCCESS)
        {
-               this->logger->log(this->logger, ERROR, "Could not decrypt and verify payloads");
+               this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
                return status;
        }
        
-       return SUCCESS;
-
+       status = this->verify(this);
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "Verification of message failed");
+       }
+       return status;
 }
 
 /**
- * Implementation of message_t.verify.
+ * Implementation of private_message_t.verify.
  */
 static status_t verify(private_message_t *this)
 {
        int i;
-       status_t status;
        iterator_t *iterator;
-       message_rule_t *message_rule;
        size_t total_found_payloads = 0;
        
        this->logger->log(this->logger, CONTROL|MORE, "Verifying message structure");
-       
-       status = this->get_message_rule(this, &message_rule);
-       if (status != SUCCESS)
-       {
-               this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
-                                                 mapping_find(exchange_type_m,this->exchange_type));
-               return status;
-       }
 
        iterator = this->payloads->create_iterator(this->payloads,TRUE);
        /* check for payloads with wrong count*/
-       for (i = 0; i < message_rule->supported_payloads_count;i++)
+       for (i = 0; i < this->message_rule->payload_rule_count;i++)
        {
                size_t found_payloads = 0;
        
                /* check all payloads for specific rule */
                iterator->reset(iterator);
+               
                while(iterator->has_next(iterator))
                {
                        payload_t *current_payload;
+                       payload_type_t current_payload_type;
+                       
                        iterator->current(iterator,(void **)&current_payload);
+                       current_payload_type = current_payload->get_type(current_payload);
                        
-                       if (current_payload->get_type(current_payload) == message_rule->supported_payloads[i].payload_type)
+                       if (current_payload_type == UNKNOWN_PAYLOAD)
+                       {
+                               /* unknown payloads are ignored, IF they are not critical */
+                               unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
+                               if (unknown_payload->is_critical(unknown_payload))
+                               {
+                                       this->logger->log(this->logger, ERROR, "%s (%d) is not supported, but its critical!",
+                                                                         mapping_find(payload_type_m, current_payload_type), current_payload_type);
+                                       iterator->destroy(iterator);
+                                       return NOT_SUPPORTED;   
+                               }
+                       }
+                       else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
                        {
                                found_payloads++;
                                total_found_payloads++;
                                this->logger->log(this->logger, CONTROL | MOST, "Found payload of type %s",
-                                                         mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type));
-
+                                                         mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type));
+       
                                /* as soon as ohe payload occures more then specified, the verification fails */
-                               if (found_payloads > message_rule->supported_payloads[i].max_occurence)
+                               if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
                                {
                                        this->logger->log(this->logger, ERROR, "Payload of type %s more than %d times (%d) occured in current message",
-                                                                         mapping_find(payload_type_m,current_payload->get_type(current_payload)),
-                                                                         message_rule->supported_payloads[i].max_occurence,found_payloads);
+                                                                         mapping_find(payload_type_m, current_payload_type),
+                                                                         this->message_rule->payload_rules[i].max_occurence, found_payloads);
                                        iterator->destroy(iterator);
-                                       return NOT_SUPPORTED;                                   
+                                       return FAILED;                                  
                                }
                        }
                }
-               if (found_payloads < message_rule->supported_payloads[i].min_occurence)
+
+               if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
                {
                        this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times (%d)",
-                                                         mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type),
-                                                         message_rule->supported_payloads[i].min_occurence,found_payloads);
+                                                         mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type),
+                                                         this->message_rule->payload_rules[i].min_occurence, found_payloads);
                        iterator->destroy(iterator);
-                       return NOT_SUPPORTED;
+                       return FAILED;
                }
-               if ((message_rule->supported_payloads[i].can_be_last) && (this->payloads->get_count(this->payloads) == total_found_payloads))
+               if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
                {
                        iterator->destroy(iterator);
                        return SUCCESS; 
@@ -849,29 +883,20 @@ static status_t verify(private_message_t *this)
 /**
  * Implementation of private_message_t.decrypt_and_verify_payloads.
  */
-static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
+static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
 {
        bool current_payload_was_encrypted = FALSE;
-       payload_t *last_payload = NULL;
-       message_rule_t *message_rule;
+       payload_t *previous_payload = NULL;
        int payload_number = 1;
        iterator_t *iterator;
        status_t status;
-       
-       status = this->get_message_rule(this, &message_rule);
-       if (status != SUCCESS)
-       {
-               this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
-                                                 mapping_find(exchange_type_m,this->exchange_type));
-               return status;
-       }
 
        iterator = this->payloads->create_iterator(this->payloads,TRUE);
 
        /* process each payload and decrypt a encryption payload */
        while(iterator->has_next(iterator))
        {
-               supported_payload_entry_t *supported_payload_entry;
+               payload_rule_t *payload_rule;
                payload_type_t current_payload_type;
                payload_t *current_payload;
 
@@ -888,28 +913,18 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *
                        encryption_payload_t *encryption_payload;
                        payload_t *current_encrypted_payload;
                        
+                       encryption_payload = (encryption_payload_t*)current_payload;
                        
                        this->logger->log(this->logger, CONTROL | MORE, "Found an encryption payload");
-       
-                       if (!message_rule->encrypted_content)
-                       {
-                               this->logger->log(this->logger, ERROR | MORE, "Encrypted payload not allowed for this message type");
-                               iterator->destroy(iterator);
-                               /* encrypted payload is not last one */
-                               return FAILED;
-                       }
-                       
+
                        if (payload_number != this->payloads->get_count(this->payloads))
                        {
+                               /* encrypted payload is not last one */
                                this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last payload");
                                iterator->destroy(iterator);
-                               /* encrypted payload is not last one */
                                return FAILED;
                        }
-                       
-                       iterator->current(iterator,(void **)&encryption_payload);
-                       
-                       /* encrypt payload */                   
+                       /* decrypt */                   
                        encryption_payload->set_transforms(encryption_payload, crypter, signer);
                        this->logger->log(this->logger, CONTROL | MORE, "Verify signature of encryption payload");
                        status = encryption_payload->verify_signature(encryption_payload, this->packet->data);
@@ -929,54 +944,37 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *
                                return status;
                        }
                        
-                       /* needed to later find out if a payload has to be encrypted or not */
+                       /* needed later to find out if a payload was encrypted */
                        current_payload_was_encrypted = TRUE;
-                               
+                       
+                       /* check if there are payloads contained in the encryption payload */
                        if (encryption_payload->get_payload_count(encryption_payload) == 0)
                        {
-                               this->logger->log(this->logger, CONTROL | MORE, "Encrypted payload is empty");
+                               this->logger->log(this->logger, CONTROL | MOST, "Encrypted payload is empty");
+                               /* remove the encryption payload, is not needed anymore */
                                iterator->remove(iterator);
-                               encryption_payload->destroy(encryption_payload);
                                /* encrypted payload contains no other payload */
                                current_payload_type = NO_PAYLOAD;
-                               if (last_payload == NULL)
-                               {
-                                       /* encrypted content was the only payload in IKEv2-Message 
-                                        * Set the first payload to the first payload of encrypted ones */
-                                       this->first_payload = current_payload_type;
-                               }
-                               else
-                               {
-                                       /* another payload was here before the encrypted content
-                                        * Set the next payload of proceeding payload 
-                                        * to the first payload of encrypted ones */
-                                       last_payload->set_next_type(last_payload,current_payload_type);
-                               }
-                               break;
-
                        }
-       
-                       this->logger->log(this->logger, CONTROL | MORE, "Encrypted payload is not empty");
-                       
-                       /* encryption_payload is replaced with first encrypted payload*/
-                       encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
+                       else
+                       {
+                               this->logger->log(this->logger, CONTROL | MOST, "Encrypted payload is not empty");
+                               /* encryption_payload is replaced with first payload contained in encryption_payload */
+                               encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
+                               iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
+                               current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
+                       }
                        
-                       this->logger->log(this->logger, CONTROL | MORE, "Replace encrypted payload with payload of type %s.",
-                                                               mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
-                       iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
-                       current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
-                       if (last_payload == NULL)
+                       /* is the current paylad the first in the message? */
+                       if (previous_payload == NULL)
                        {
-                               /* encrypted content was the only payload in IKEv2-Message 
-                                * Set the first payload to the first payload of encrypted ones */
+                               /* yes, set the first payload type of the message to the current type */
                                this->first_payload = current_payload_type;
                        }
                        else
                        {
-                               /* another payload was here before the encrypted content
-                                * Set the next payload of proceeding payload 
-                                * to the first payload of encrypted ones */
-                               last_payload->set_next_type(last_payload,current_payload_type);
+                               /* no, set the next_type of the previous payload to the current type */
+                               previous_payload->set_next_type(previous_payload, current_payload_type);
                        }
                        
                        /* all encrypted payloads are added to the payload list */
@@ -987,37 +985,41 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *
                                this->payloads->insert_last(this->payloads,current_encrypted_payload);
                        }
                        
-                       /* encryption payload is not needed anymore cause all payloads are 
-                        * moved to internal payload list */
-                       encryption_payload->destroy(encryption_payload);                                
-
-                               
+                       /* encryption payload is processed, payloads are moved. Destroy it. */
+                       encryption_payload->destroy(encryption_payload);        
                }
 
-               status = this->get_supported_payload_entry(this,message_rule,current_payload_type,&supported_payload_entry);
-               if (status != SUCCESS)
+               /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
+               if (current_payload_type != UNKNOWN_PAYLOAD)
                {
-                       /* payload type not supported */
-                       this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
-                       iterator->destroy(iterator);
-                       return status;
-               }
-               
-               if (supported_payload_entry->encrypted != current_payload_was_encrypted)
-               {
-                       /* payload type not supported */
-                       this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!", 
-                                                               mapping_find(payload_type_m,current_payload_type),
-                                                               (supported_payload_entry->encrypted) ? "encrypted": "not encrypted");
-                       iterator->destroy(iterator);
-                       return status;
+                       /* get the ruleset for found payload */
+                       status = this->get_payload_rule(this, current_payload_type, &payload_rule);
+                       if (status != SUCCESS)
+                       {
+                               /* payload is not allowed */
+                               this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
+                               iterator->destroy(iterator);
+                               return status;
+                       }
+                       
+                       /* check if the payload was encrypted, and if it should been have encrypted */
+                       if (payload_rule->encrypted != current_payload_was_encrypted)
+                       {
+                               /* payload was not encrypted, but should have been. or vice-versa */
+                               this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!", 
+                                                                       mapping_find(payload_type_m,current_payload_type),
+                                                                       (payload_rule->encrypted) ? "encrypted": "not encrypted");
+                               iterator->destroy(iterator);
+                               return FAILED;
+                       }
                }
+               /* advance to the next payload */
                payload_number++;
                /* is stored to set next payload in case of found encryption payload */
-               last_payload = current_payload;
+               previous_payload = current_payload;
        }
        iterator->destroy(iterator);
-       return this->public.verify(&(this->public));
+       return SUCCESS;
 }
 
 /**
@@ -1026,19 +1028,10 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *
 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
 {
        encryption_payload_t *encryption_payload = NULL;
-       message_rule_t *message_rule;
        status_t status;
        linked_list_t *all_payloads;
        
-       status = this->get_message_rule(this, &message_rule);
-       if (status != SUCCESS)
-       {
-               this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
-                                                 mapping_find(exchange_type_m,this->exchange_type));
-               return status;
-       }
-       
-       if (!message_rule->encrypted_content)
+       if (!this->message_rule->encrypted_content)
        {
                this->logger->log(this->logger, CONTROL | MORE, "Message doesn't have to be encrypted");
                /* message contains no content to encrypt */
@@ -1059,17 +1052,17 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
        this->logger->log(this->logger, CONTROL | MOST, "Check each payloads if they have to get encrypted");
        while (all_payloads->get_count(all_payloads) > 0)
        {
-               supported_payload_entry_t *supported_payload_entry;
+               payload_rule_t *payload_rule;
                payload_t *current_payload;
                bool to_encrypt = FALSE;
                
                all_payloads->remove_first(all_payloads,(void **)&current_payload);
                this->logger->log(this->logger, CONTROL | MOST, "Get rule for payload %s", mapping_find(payload_type_m,current_payload->get_type(current_payload)));
                
-               status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&supported_payload_entry);
+               status = this->get_payload_rule(this,current_payload->get_type(current_payload),&payload_rule);
                /* for payload types which are not found in supported payload list, it is presumed 
                 * that they don't have to be encrypted */
-               if ((status == SUCCESS) && (supported_payload_entry->encrypted))
+               if ((status == SUCCESS) && (payload_rule->encrypted))
                {
                        this->logger->log(this->logger, CONTROL | MOST, "Payload %s has to get encrypted", 
                                                          mapping_find(payload_type_m,current_payload->get_type(current_payload)));
@@ -1125,7 +1118,7 @@ static void destroy (private_message_t *this)
 {
        iterator_t *iterator;
        
-       this->logger->log(this->logger, CONTROL | MOST, "Going to destroy message_t object");
+       this->logger->log(this->logger, CONTROL|ALL, "Going to destroy message_t object");
        
        this->packet->destroy(this->packet);
 
@@ -1139,7 +1132,7 @@ static void destroy (private_message_t *this)
        {
                payload_t *payload;
                iterator->current(iterator, (void**)&payload);  
-               this->logger->log(this->logger, CONTROL|MOST, "Destroying payload of type %s", 
+               this->logger->log(this->logger, CONTROL|ALL, "Destroying payload of type %s", 
                                                        mapping_find(payload_type_m, payload->get_type(payload)));
                payload->destroy(payload);
        }
@@ -1181,7 +1174,6 @@ message_t *message_create_from_packet(packet_t *packet)
        this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
        this->public.parse_header = (status_t (*) (message_t *)) parse_header;
        this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
-       this->public.verify =  (status_t (*) (message_t*)) verify;
        this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
        this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
        this->public.destroy = (void(*)(message_t*))destroy;
@@ -1194,16 +1186,18 @@ message_t *message_create_from_packet(packet_t *packet)
        this->message_id = 0;
 
        /* private functions */
-       this->get_message_rule = get_message_rule;
-       this->get_supported_payload_entry = get_supported_payload_entry;
+       this->set_message_rule = set_message_rule;
+       this->get_payload_rule = get_payload_rule;
        this->encrypt_payloads = encrypt_payloads;
-       this->decrypt_and_verify_payloads = decrypt_and_verify_payloads;
+       this->decrypt_payloads = decrypt_payloads;
+       this->verify = verify;
 
        /* private values */
        if (packet == NULL)
        {
                packet = packet_create();       
        }
+       this->message_rule = NULL;
        this->packet = packet;
        this->payloads = linked_list_create();
        
index 98f9d8a..a10f10a 100644 (file)
@@ -38,7 +38,15 @@ typedef struct message_t message_t;
 /**
  * @brief This class is used to represent an IKEv2-Message.
  *
- * An IKEv2-Message is either a request or response.
+ * The message handles parsing and generation of payloads
+ * via parser_t/generator_t. Encryption is done transparently
+ * via the encryption_payload_t. A set of rules for messages
+ * and payloads does check parsed messages.
+ * 
+ * @b Constructors:
+ * - message_create()
+ * - message_create_from_packet()
+ * - message_create_notify_reply()
  *
  * @ingroup encoding
  */
@@ -159,6 +167,12 @@ struct message_t {
 
        /**
         * @brief Append a payload to the message.
+        * 
+        * If the payload must be encrypted is not specified here. Encryption
+        * of payloads is evaluated via internal rules for the messages and
+        * is done before generation. The order of payloads may change, since
+        * all payloads to encrypt are added to the encryption payload, which is 
+        * always the last one.
         *
         * @param this                  message_t object
         * @param payload               payload to append
@@ -166,7 +180,11 @@ struct message_t {
        void (*add_payload) (message_t *this, payload_t *payload);
 
        /**
-        * @brief Parses header of message
+        * @brief Parses header of message.
+        * 
+        * Begins parisng of a message created via message_create_from_packet().
+        * The parsing context is stored, so a subsequent call to parse_body()
+        * will continue the parsing process.
         *
         * @param this          message_t object
         * @return
@@ -181,42 +199,53 @@ struct message_t {
         * 
         * The body gets not only parsed, but rather it gets verified. 
         * All payloads are verified if they are allowed to exist in the message 
-        * of this type and if their own structure is ok.
+        * of this type and if their own structure is ok. 
+        * If there are encrypted payloads, they get decrypted via the supplied 
+        * crypter. Also the message integrity gets verified with the supplied
+        * signer.
+        * Crypter/signer can be omitted (by passing NULL) when no encryption 
+        * payload is expected.
         *
         * @param this          message_t object
+        * @param crypter       crypter to decrypt encryption payloads
+        * @param signer        signer to verifiy a message with an encryption payload
         * @return
         *                                      - SUCCESS if header could be parsed
-        *                                      - NOT_SUPPORTED if unsupported payload are contained in body
+        *                                      - NOT_SUPPORTED if ciritcal unknown payloads found
         *                                      - FAILED if message type is not suppported!
         *                                      - PARSE_ERROR if corrupted/invalid data found
         *                                      - VERIFY_ERROR if verification of some payload failed
+        *                                      - INVALID_STATE if crypter/signer not supplied, but needed
         */
        status_t (*parse_body) (message_t *this, crypter_t *crypter, signer_t *signer);
 
        /**
-        * @brief Generates the UDP packet of specific message
+        * @brief Generates the UDP packet of specific message.
+        * 
+        * Payloads which must be encrypted are generated first and added to
+        * an encryption payload. This encryption payload will get encrypted via 
+        * the supplied crypter. Then all other payloads and the header get generated.
+        * After that, the checksum is added to the encryption payload over the full 
+        * message.
+        * Crypter/signer can be omitted (by passing NULL) when no encryption 
+        * payload is expected.
         *
         * @param this          message_t object
+        * @param crypter       crypter to use when a payload must be encrypted
+        * @param signer        signer to build a mac
         * @return
         *                                      - SUCCESS if packet could be generated
-        *                                      - EXCHANGE_TYPE_NOT_SET if exchange type is currently not set
-        * ....
+        *                                      - INVALID_STATE if exchange type is currently not set
+        *                                      - NOT_FOUND if no rules found for message generation
+        *                                      - INVALID_STATE if crypter/signer not supplied but needed.
         */     
        status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
-       
-       /**
-        * Verifies the structure of the message_t object. 
-        * 
-        * The payloads are checked for the correct occurence count.
-        *
-        * @param this          message_t object
-        */
-       status_t (*verify) (message_t *this);
-       
+
        /**
-        * Gets the source host informations. 
+        * @brief Gets the source host informations. 
         * 
-        * @warning Returned host_t object is not getting cloned.
+        * @warning Returned host_t object is not getting cloned, 
+        * do not destroy nor modify.
         *
         * @param this          message_t object
         * @return                      host_t object representing source host
@@ -224,7 +253,7 @@ struct message_t {
        host_t * (*get_source) (message_t *this);
        
        /**
-        * Sets the source host informations. 
+        * @brief Sets the source host informations. 
         * 
         * @warning host_t object is not getting cloned and gets destroyed by
         *                      message_t.destroy or next call of message_t.set_source.
@@ -235,9 +264,10 @@ struct message_t {
        void (*set_source) (message_t *this, host_t *host);
 
        /**
-        * Gets the destination host informations. 
+        * @brief Gets the destination host informations. 
         * 
-        * @warning Returned host_t object is not getting cloned.
+        * @warning Returned host_t object is not getting cloned, 
+        * do not destroy nor modify.
         *
         * @param this          message_t object
         * @return                      host_t object representing destination host
@@ -245,7 +275,7 @@ struct message_t {
        host_t * (*get_destination) (message_t *this);
 
        /**
-        * Sets the destination host informations. 
+        * @brief Sets the destination host informations. 
         * 
         * @warning host_t object is not getting cloned and gets destroyed by
         *                      message_t.destroy or next call of message_t.set_destination.
@@ -256,10 +286,10 @@ struct message_t {
        void (*set_destination) (message_t *this, host_t *host);
        
        /**
-        * Returns an iterator on all stored payloads.
+        * @brief Returns an iterator on all stored payloads.
         * 
         * @warning Don't insert payloads over this iterator. 
-        *                      Use message_t.add_payload instead.
+        *                      Use add_payload() instead.
         *
         * @param this          message_t object
         * @return                      iterator_t object which has to get destroyd by the caller
@@ -292,7 +322,7 @@ struct message_t {
 };
 
 /**
- * Creates an message_t object from a incoming UDP Packet.
+ * @brief Creates an message_t object from a incoming UDP Packet.
  * 
  * @warning the given packet_t object is not copied and gets 
  *                     destroyed in message_t's destroy call.
@@ -302,9 +332,9 @@ struct message_t {
  * - exchange_type is set to NOT_SET
  * - original_initiator is set to TRUE
  * - is_request is set to TRUE
+ * Call message_t.parse_header afterwards.
  * 
- * @param packet               packet_t object which is assigned to message                                      
- * 
+ * @param packet               packet_t object which is assigned to message    
  * @return                             created message_t object
  * 
  * @ingroup encoding
@@ -313,7 +343,7 @@ message_t * message_create_from_packet(packet_t *packet);
 
 
 /**
- * Creates an empty message_t object.
+ * @brief Creates an empty message_t object.
  *
  * - exchange_type is set to NOT_SET
  * - original_initiator is set to TRUE
@@ -326,7 +356,7 @@ message_t * message_create_from_packet(packet_t *packet);
 message_t * message_create();
 
 /**
- * Creates an message_t object of type reply containing a notify payload.
+ * @brief Creates an message_t object of type reply containing a notify payload.
  *
  * @return created message_t object
  *
index e3d7fa8..a6aefa9 100644 (file)
@@ -51,6 +51,7 @@
 #include <encoding/payloads/cp_payload.h>
 #include <encoding/payloads/configuration_attribute.h>
 #include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/unknown_payload.h>
 
 
 typedef struct private_parser_t private_parser_t;
@@ -587,6 +588,9 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
        int rule_number;
        encoding_rule_t *rule;
        
+       /* create instance of the payload to parse */
+       pld = payload_create(payload_type);
+       
        this->logger->log(this->logger, CONTROL|MORE, "parsing %s payload, %d bytes left", 
                                                mapping_find(payload_type_m, payload_type),
                                                this->input_roof-this->byte_pos);
@@ -594,18 +598,17 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
        this->logger->log_bytes(this->logger, RAW, "parsing payload from", this->byte_pos, 
                                                                this->input_roof-this->byte_pos);
        
-       /* ok, do the parsing */
-       pld = payload_create(payload_type);
-       if (pld == NULL)
+       if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
        {
-               this->logger->log(this->logger, ERROR, "  payload %s not supported", mapping_find(payload_type_m, payload_type));
-               return NOT_SUPPORTED;   
+               this->logger->log(this->logger, ERROR|MORE, "  payload type %d is unknown, handling as %s",
+                                                       payload_type, mapping_find(payload_type_m, UNKNOWN_PAYLOAD));
        }
+       
        /* base pointer for output, avoids casting in every rule */
        output = pld;
        
+       /* parse the payload with its own rulse */
        pld->get_encoding_rules(pld, &(this->rules), &rule_count);
-       
        for (rule_number = 0; rule_number < rule_count; rule_number++)
        {
                rule = &(this->rules[rule_number]);
@@ -974,6 +977,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
                                }
                                break;                                                  
                        }
+                       case UNKNOWN_PAYLOAD:
+                       {
+                               size_t unknown_payload_data_length = payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH;
+                               if (this->parse_chunk(this, rule_number, output + rule->offset, unknown_payload_data_length) != SUCCESS) 
+                               {
+                                       pld->destroy(pld);
+                                       return PARSE_ERROR;
+                               }
+                               break;                                                  
+                       }
                        default:
                        {
                                this->logger->log(this->logger, ERROR, "  no rule to parse rule %d %s (%d)", rule_number, mapping_find(encoding_type_m, rule->type), rule->type);
index bd94eaa..b89e80a 100644 (file)
@@ -1,7 +1,7 @@
 /**
  * @file payload.c
  * 
- * @brief Generic payload interface
+ * @brief Generic constructor to the payload_t interface.
  * 
  * 
  */
@@ -122,12 +122,10 @@ payload_t *payload_create(payload_type_t type)
                        return (payload_t*)configuration_attribute_create();
                case EXTENSIBLE_AUTHENTICATION:
                        return (payload_t*)eap_payload_create();
-               case UNKNOWN_PAYLOAD:
-                       return (payload_t*)unknown_payload_create();
                case ENCRYPTED:
                        return (payload_t*)encryption_payload_create();
                default:
-                       return NULL;
+                       return (payload_t*)unknown_payload_create();
        }
 }
 
index 6fbd949..a330065 100644 (file)
@@ -1,7 +1,7 @@
 /**
  * @file payload.h
  * 
- * @brief Generic payload interface.
+ * @brief Interface payload_t.
  * 
  * 
  */
@@ -32,8 +32,7 @@
 typedef enum payload_type_t payload_type_t;
 
 /**
- * Payload-Types of a IKEv2-Message.
- * 
+ * @brief Payload-Types of a IKEv2-Message.
  * 
  * Header and substructures are also defined as 
  * payload types with values from PRIVATE USE space.
@@ -43,87 +42,87 @@ typedef enum payload_type_t payload_type_t;
 enum payload_type_t{
 
        /**
-        * NO_PAYLOAD
+        * End of payload list in next_payload
         */
        NO_PAYLOAD = 0,
        
        /**
-        * SA
+        * The security association (SA) payload containing proposals.
         */
        SECURITY_ASSOCIATION = 33,
 
        /**
-        * KE
+        * The key exchange (KE) payload containing diffie-hellman values.
         */
        KEY_EXCHANGE = 34,
 
        /**
-        * IDi
+        * Identification for the original initiator (IDi).
         */
        ID_INITIATOR = 35,
 
        /**
-        * IDr
+        * Identification for the original responder (IDr).
         */
        ID_RESPONDER = 36,
 
        /**
-        * CERT
+        * Certificate payload with certificates (CERT).
         */
        CERTIFICATE = 37,
 
        /**
-        * CERTREQ
+        * Certificate request payload (CERTREQ).
         */
        CERTIFICATE_REQUEST = 38,
 
        /**
-        * AUTH
+        * Authentication payload contains auth data (AUTH).
         */
        AUTHENTICATION = 39,
 
        /**
-        * Ni, Nr
+        * Nonces, for initator and responder (Ni, Nr, N)
         */
        NONCE = 40,
 
        /**
-        * N
+        * Notif paylaod (N).
         */
        NOTIFY = 41,
 
        /**
-        * D
+        * Delete payload (D)
         */
        DELETE = 42,
 
        /**
-        * V
+        * Vendor id paylpoad (V).
         */
        VENDOR_ID = 43,
 
        /**
-        * TSi
+        * Traffic selector for the original initiator (TSi).
         */
        TRAFFIC_SELECTOR_INITIATOR = 44,
 
        /**
-        * TSr
+        * Traffic selector for the original responser (TSr).
         */
        TRAFFIC_SELECTOR_RESPONDER = 45,
 
        /**
-        * E
+        * Encryption payload, contains other payloads (E).
         */
        ENCRYPTED = 46,
 
        /**
-        * CP
+        * Configuration payload (CP).
         */
        CONFIGURATION = 47,
 
        /**
-        * EAP
+        * Extensible authentication payload (EAP).
         */
        EXTENSIBLE_AUTHENTICATION = 48,
        
@@ -185,8 +184,8 @@ enum payload_type_t{
 };
 
 
-/*
- * Build string mapping array for payload_type_t.
+/**
+ * String mappings for payload_type_t.
  */
 extern mapping_t payload_type_m[];
 
@@ -194,21 +193,21 @@ extern mapping_t payload_type_m[];
 typedef struct payload_t payload_t;
 
 /**
- * @brief Generic interface for all payload types (inclusive 
- * header and substructures).
+ * @brief Generic interface for all payload types (incl.header and substructures).
+ * 
+ * To handle all kinds of payloads on a generic way, this interface must
+ * be implemented by every payload. This allows parser_t/generator_t a simple
+ * handling of all payloads.
+ * 
+ * @b Constructors:
+ * - payload_create() with the payload to instanciate.
  * 
  * @ingroup payloads
  */
 struct payload_t {
-       /**
-        * @brief Destroys a payload and all included substructures.
-        *
-        * @param this  payload to destroy
-        */
-       void (*destroy) (payload_t *this);
        
        /**
-        * @brief Get encoding rules for this payload
+        * @brief Get encoding rules for this payload.
         *
         * @param this                          calling object
         * @param[out] rules            location to store pointer of first rule
@@ -217,7 +216,7 @@ struct payload_t {
        void (*get_encoding_rules) (payload_t *this, encoding_rule_t **rules, size_t *rule_count);
 
        /**
-        * @brief get type of payload
+        * @brief Get type of payload.
         *
         * @param this                          calling object
         * @return                                      type of this payload
@@ -225,7 +224,7 @@ struct payload_t {
        payload_type_t (*get_type) (payload_t *this);
 
        /**
-        * @brief get type of next payload or zero if this is the last one
+        * @brief Get type of next payload or NO_PAYLOAD (0) if this is the last one.
         *
         * @param this                          calling object
         * @return                                      type of next payload
@@ -233,7 +232,7 @@ struct payload_t {
        payload_type_t (*get_next_type) (payload_t *this);
        
        /**
-        * @brief set type of next payload
+        * @brief Set type of next payload.
         *
         * @param this                          calling object
         * @param type                          type of next payload
@@ -241,7 +240,7 @@ struct payload_t {
        void (*set_next_type) (payload_t *this,payload_type_t type);
 
        /**
-        * @brief get length of payload 
+        * @brief Get length of payload.
         *
         * @param this                          calling object
         * @return                                      length of this payload
@@ -249,7 +248,7 @@ struct payload_t {
        size_t (*get_length) (payload_t *this);
        
        /**
-        * @brief Verifies payload structure and makes consistence check
+        * @brief Verifies payload structure and makes consistence check.
         *
         * @param this                          calling object
         * @return                                      
@@ -257,18 +256,25 @@ struct payload_t {
         *                                                      - FAILED if consistence not given
         */
        status_t (*verify) (payload_t *this);
+       
+       /**
+        * @brief Destroys a payload and all included substructures.
+        *
+        * @param this                          payload to destroy
+        */
+       void (*destroy) (payload_t *this);
 };
 
 /**
  * @brief Create an empty payload.
  * 
  * Useful for the parser, who wants a generic constructor for all payloads.
- * It supports all payload_t methods.
+ * It supports all payload_t methods. If a payload type is not known, 
+ * an unknwon_paylod is created with the chunk of data in it.
  * 
  * @param type         type of the payload to create
  * @return                     created payload
  */
 payload_t *payload_create(payload_type_t type);
 
 #endif /*PAYLOAD_H_*/
index 3e910ba..c162edc 100644 (file)
@@ -29,9 +29,9 @@ typedef struct private_unknown_payload_t private_unknown_payload_t;
 
 /**
  * Private data of an unknown_payload_t object.
- * 
  */
 struct private_unknown_payload_t {
+       
        /**
         * Public unknown_payload_t interface.
         */
@@ -40,7 +40,7 @@ struct private_unknown_payload_t {
        /**
         * Next payload type.
         */
-       u_int8_t  next_payload;
+       u_int8_t next_payload;
 
        /**
         * Critical flag.
@@ -53,18 +53,13 @@ struct private_unknown_payload_t {
        u_int16_t payload_length;
        
        /**
-        * Type of this payload.
-        */
-       payload_type_t payload_type;
-       
-       /**
         * The contained data.
         */
        chunk_t data;
 };
 
 /**
- * Encoding rules to parse or generate a EAP payload.
+ * Encoding rules to parse an payload which is not further specified.
  * 
  * The defined offsets are the positions in a object of type 
  * private_unknown_payload_t.
@@ -86,7 +81,7 @@ encoding_rule_t unknown_payload_encodings[] = {
        /* Length of the whole payload*/
        { PAYLOAD_LENGTH,       offsetof(private_unknown_payload_t, payload_length)},
        /* some unknown data bytes, length is defined in PAYLOAD_LENGTH */
-       { UNKNOWN_DATA, offsetof(private_unknown_payload_t, data)                       }
+       { UNKNOWN_DATA,         offsetof(private_unknown_payload_t, data)               }
 };
 
 /*
@@ -110,7 +105,7 @@ static status_t verify(private_unknown_payload_t *this)
 }
 
 /**
- * Implementation of unknown_payload_t.get_encoding_rules.
+ * Implementation of payload_t.get_encoding_rules.
  */
 static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
@@ -143,22 +138,6 @@ static void set_next_type(private_unknown_payload_t *this,payload_type_t type)
 }
 
 /**
- * Implementation of unknown_payload_t.set_real_type.
- */
-static void set_real_type(private_unknown_payload_t *this,payload_type_t type)
-{
-       this->payload_type = type;
-}
-
-/**
- * Implementation of unknown_payload_t.get_real_type.
- */
-static payload_type_t get_real_type(private_unknown_payload_t *this)
-{
-       return this->payload_type;
-}
-
-/**
  * Implementation of payload_t.get_length.
  */
 static size_t get_length(private_unknown_payload_t *this)
@@ -167,17 +146,11 @@ static size_t get_length(private_unknown_payload_t *this)
 }
 
 /**
- * Implementation of unknown_payload_t.set_data.
+ * Implementation of unknown_payload_t.get_data.
  */
-static void set_data (private_unknown_payload_t *this, chunk_t data)
+static bool is_critical(private_unknown_payload_t *this)
 {
-       if (this->data.ptr != NULL)
-       {
-               allocator_free_chunk(&(this->data));
-       }
-       this->data.ptr = allocator_clone_bytes(data.ptr,data.len);
-       this->data.len = data.len;
-       this->payload_length = DEFAULT_PAYLOAD_HEADER_LENGTH + this->data.len;
+       return this->critical;  
 }
 
 /**
@@ -189,21 +162,6 @@ static chunk_t get_data (private_unknown_payload_t *this)
 }
 
 /**
- * Implementation of unknown_payload_t.get_data_clone.
- */
-static chunk_t get_data_clone (private_unknown_payload_t *this)
-{
-       chunk_t cloned_data;
-       if (this->data.ptr == NULL)
-       {
-               return (this->data);
-       }
-       cloned_data.ptr = allocator_clone_bytes(this->data.ptr,this->data.len);
-       cloned_data.len = this->data.len;
-       return cloned_data;
-}
-
-/**
  * Implementation of payload_t.destroy and unknown_payload_t.destroy.
  */
 static void destroy(private_unknown_payload_t *this)
@@ -234,17 +192,13 @@ unknown_payload_t *unknown_payload_create()
        
        /* public functions */
        this->public.destroy = (void (*) (unknown_payload_t *)) destroy;
-       this->public.set_real_type = (void (*) (unknown_payload_t *,payload_type_t)) set_real_type;
-       this->public.get_real_type = (payload_type_t (*) (unknown_payload_t *)) get_real_type;
-       this->public.set_data = (void (*) (unknown_payload_t *,chunk_t)) set_data;
-       this->public.get_data_clone = (chunk_t (*) (unknown_payload_t *)) get_data_clone;
+       this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical;
        this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data;
        
        /* private variables */
        this->critical = FALSE;
        this->next_payload = NO_PAYLOAD;
-       this->payload_type = NO_PAYLOAD;
-       this->payload_length = DEFAULT_PAYLOAD_HEADER_LENGTH;
+       this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH;
        this->data = CHUNK_INITIALIZER;
 
        return (&(this->public));
index ea36587..2558ce7 100644 (file)
 #include <encoding/payloads/payload.h>
 
 /**
- * Length of a default payload header.
+ * Header length of the unknown payload.
  * 
  * @ingroup payloads
  */
-#define DEFAULT_PAYLOAD_HEADER_LENGTH 4
+#define UNKNOWN_PAYLOAD_HEADER_LENGTH 4
 
 
 typedef struct unknown_payload_t unknown_payload_t;
 
 /**
- * Object representing an unknown IKEv2 payload.
+ * @brief Payload which can't be processed further.
  * 
- * @ingroup payloads
+ * When the parser finds an unknown payload, he builds an instance of
+ * this class. This allows further processing of this payload, such as
+ * a check for the critical bit in the header.
+ * 
+ * @b Constructors:
+ * - unknown_payload_create()
  * 
+ * @ingroup payloads
  */
 struct unknown_payload_t {
+       
        /**
         * The payload_t interface.
         */
        payload_t payload_interface;
        
        /**
-        * @brief Set the Data of the unknown payload.
-        * 
-        * Data are getting cloned.
-        *
-        * @param this                  calling unknown_payload_t object
-        * @param data                  data following the header as chunk_t
-        */
-       void (*set_data) (unknown_payload_t *this, chunk_t data);
-       
-       /**
-        * @brief Get the data of the message.
-        * 
-        * Returned data are a copy of the internal one.
-        *
-        * @param this                  calling unknown_payload_t object
-        * @return                              data as chunk_t
-        */
-       chunk_t (*get_data_clone) (unknown_payload_t *this);
-       
-       /**
-        * @brief Get the data of the message.
+        * @brief Get the raw data of this payload, without 
+        * the generic payload header.
         * 
-        * Returned data are NOT copied.
+        * Returned data are NOT copied and must not be freed.
         *
         * @param this                  calling unknown_payload_t object
         * @return                              data as chunk_t
         */
        chunk_t (*get_data) (unknown_payload_t *this);
-
-       /**
-        * @brief Set the real Type of this payload.
-        *
-        * @param this                  calling unknown_payload_t object
-        * @param type                  real type of this payload.
-        */
-       
-       void (*set_real_type) (unknown_payload_t *this,payload_type_t type);
        
        /**
-        * @brief Get the real Type of this payload.
+        * @brief Get the critical flag.
         *
-        * @param this                  calling unknown_payload_t object
-        * @return                              real type of this payload.
+        * @param this                  calling unknown_payload_t object
+        * @return                              TRUE if payload is critical, FALSE if not
         */
-       payload_type_t (*get_real_type) (unknown_payload_t *this);
+       bool (*is_critical) (unknown_payload_t *this);
        
        /**
         * @brief Destroys an unknown_payload_t object.