- added payload CERT
authorJan Hutter <jhutter@hsr.ch>
Mon, 5 Dec 2005 12:21:38 +0000 (12:21 -0000)
committerJan Hutter <jhutter@hsr.ch>
Mon, 5 Dec 2005 12:21:38 +0000 (12:21 -0000)
- cleaned code of different states
- added additional notify handling

29 files changed:
Source/charon/config/configuration_manager.c
Source/charon/daemon.c
Source/charon/daemon.h
Source/charon/encoding/generator.c
Source/charon/encoding/message.c
Source/charon/encoding/message.h
Source/charon/encoding/parser.c
Source/charon/encoding/payloads/Makefile.payloads
Source/charon/encoding/payloads/cert_payload.c [new file with mode: 0644]
Source/charon/encoding/payloads/cert_payload.h [new file with mode: 0644]
Source/charon/encoding/payloads/encodings.h
Source/charon/encoding/payloads/ike_header.c
Source/charon/encoding/payloads/notify_payload.c
Source/charon/encoding/payloads/notify_payload.h
Source/charon/encoding/payloads/payload.c
Source/charon/sa/authenticator.c
Source/charon/sa/authenticator.h
Source/charon/sa/states/ike_auth_requested.c
Source/charon/sa/states/ike_sa_init_requested.c
Source/charon/sa/states/ike_sa_init_responded.c
Source/charon/sa/states/initiator_init.c
Source/charon/sa/states/responder_init.c
Source/charon/testcases/generator_test.c
Source/charon/testcases/generator_test.h
Source/charon/testcases/parser_test.c
Source/charon/testcases/parser_test.h
Source/charon/testcases/testcases.c
Source/charon/threads/thread_pool.c
Source/charon/utils/logger_manager.c

index 94be4b5..83f68ea 100644 (file)
@@ -355,9 +355,9 @@ static void load_default_config (private_configuration_manager_t *this)
        this->add_new_configuration(this,"pinflb30",init_config2,sa_config2);
        this->add_new_configuration(this,"localhost",init_config3,sa_config3);
 
-       this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","das ist ein sicheres wort");
-       this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","das ist ein sicheres wort");
-       this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","das ist ein sicheres wort");
+       this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","verschluesselt");
+       this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","verschluesselt");
+       this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","verschluesselt");
        
        this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "127.0.0.1", public_key_1, 256);
        this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "152.96.193.131", public_key_2, 256);
@@ -602,7 +602,7 @@ static void add_new_preshared_secret (private_configuration_manager_t *this,id_t
        preshared_secret_entry_t *entry = allocator_alloc_thing(preshared_secret_entry_t);
        
        entry->identification = identification_create_from_string(type,id_string);
-       entry->preshared_secret.len = strlen(preshared_secret);
+       entry->preshared_secret.len = strlen(preshared_secret) + 1;
        entry->preshared_secret.ptr = allocator_alloc(entry->preshared_secret.len);
        memcpy(entry->preshared_secret.ptr,preshared_secret,entry->preshared_secret.len);
        
index d015a95..a585253 100644 (file)
@@ -155,10 +155,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
 static void build_test_jobs(private_daemon_t *this)
 {
        int i;
-       for(i = 0; i<100; i++)
+       for(i = 0; i<1; i++)
        {
                initiate_ike_sa_job_t *initiate_job;
-               initiate_job = initiate_ike_sa_job_create("localhost");
+               initiate_job = initiate_ike_sa_job_create("pinflb30");
                this->public.event_queue->add_relative(this->public.event_queue, (job_t*)initiate_job, i * 5000);
        }
 }
index 3e010de..6173b6d 100644 (file)
@@ -55,7 +55,7 @@
  * Port on which the daemon will 
  * listen for incoming traffic.
  */
-#define IKEV2_UDP_PORT 4500
+#define IKEV2_UDP_PORT 500
 
 /**
  * First retransmit timeout in milliseconds.
@@ -72,7 +72,7 @@
  * maximum allowed level for ever context, the definiton
  * of the context may be less verbose.
  */
-#define DEFAULT_LOGLEVEL CONTROL
+#define DEFAULT_LOGLEVEL CONTROL | ERROR
 
 typedef struct daemon_t daemon_t;
 
index cfc96f4..b50e7ff 100644 (file)
@@ -42,6 +42,7 @@
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/ts_payload.h>
 
 
@@ -797,6 +798,19 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
                                this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
                                break;
                        }
+                       case CERT_DATA:
+                       {
+                               /* the AUTH Data value is generated from chunk */
+                               this->generate_from_chunk(this, rules[i].offset);
+                               
+                               u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
+                               /* Length of nonce PAYLOAD is calculated */
+                               u_int16_t length_of_cert_payload = CERT_PAYLOAD_HEADER_LENGTH + ((chunk_t *)(this->data_struct + rules[i].offset))->len;
+                               u_int16_t int16_val = htons(length_of_cert_payload);
+
+                               this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
+                               break;
+                       }
                        case PROPOSALS:
                        {
                                /* before iterative generate the transforms, store the current payload length position */
index c46918e..8c79690 100644 (file)
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/encryption_payload.h>
 
+/**
+ * Max number of notify payloads per IKEv2 Message
+ */
+#define MAX_NOTIFY_PAYLOADS 10
+
 
 typedef struct supported_payload_entry_t supported_payload_entry_t;
 
@@ -109,6 +114,7 @@ struct message_rule_t {
  */
 static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
 {
+       {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
        {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
        {KEY_EXCHANGE,1,1,FALSE,FALSE},
        {NONCE,1,1,FALSE,FALSE},
@@ -119,7 +125,7 @@ static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
  */
 static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
 {
-       {NOTIFY,0,1,FALSE,TRUE},
+       {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
        {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
        {KEY_EXCHANGE,1,1,FALSE,FALSE},
        {NONCE,1,1,FALSE,FALSE},
@@ -130,6 +136,7 @@ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
  */
 static supported_payload_entry_t supported_ike_auth_i_payloads[] =
 {
+       {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
        {ID_INITIATOR,1,1,TRUE,FALSE},
        {CERTIFICATE,0,1,TRUE,FALSE},
        {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
@@ -145,7 +152,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
  */
 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
 {
-       {NOTIFY,0,1,TRUE,TRUE},
+       {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
        {CERTIFICATE,0,1,TRUE,FALSE},
        {ID_RESPONDER,1,1,TRUE,FALSE},
        {AUTHENTICATION,1,1,TRUE,FALSE},
@@ -1215,3 +1222,24 @@ message_t *message_create()
 {
        return message_create_from_packet(NULL);
 }
+
+/*
+ * Described in Header.
+ */
+message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type)
+{
+       message_t *message = message_create_from_packet(NULL);
+       notify_payload_t *payload;
+       
+       message->set_source(message, source->clone(source));
+       message->set_destination(message, destination->clone(destination));
+       message->set_exchange_type(message, exchange_type);
+       message->set_request(message, FALSE);
+       message->set_message_id(message,0);
+       message->set_ike_sa_id(message, ike_sa_id);
+       
+       payload = notify_payload_create_from_protocol_and_type(IKE,notify_type);
+       message->add_payload(message,(payload_t *) payload);
+       
+       return message;
+}
index e3be836..98f9d8a 100644 (file)
@@ -27,6 +27,7 @@
 #include <sa/ike_sa_id.h>
 #include <network/packet.h>
 #include <encoding/payloads/ike_header.h>
+#include <encoding/payloads/notify_payload.h>
 #include <utils/linked_list.h>
 #include <transforms/crypters/crypter.h>
 #include <transforms/signers/signer.h>
@@ -141,22 +142,6 @@ struct message_t {
        exchange_type_t (*get_exchange_type) (message_t *this);
 
        /**
-        * @brief Sets the original initiator flag.
-        *
-        * @param this                                  message_t object
-        * @param original_initiator            TRUE if message is from original initiator
-        */
-       void (*set_original_initiator) (message_t *this,bool original_initiator);
-
-       /**
-        * @brief Gets original initiator flag.
-        *
-        * @param this                  message_t object
-        * @return                              TRUE if message is from original initiator, FALSE otherwise
-        */
-       bool (*get_original_initiator) (message_t *this);
-
-       /**
         * @brief Sets the request flag.
         *
         * @param this                                  message_t object
@@ -340,4 +325,13 @@ message_t * message_create_from_packet(packet_t *packet);
  */
 message_t * message_create();
 
+/**
+ * Creates an message_t object of type reply containing a notify payload.
+ *
+ * @return created message_t object
+ *
+ * @ingroup encoding
+ */
+message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type);
+
 #endif /*MESSAGE_H_*/
index 509deac..1b1c136 100644 (file)
@@ -43,6 +43,7 @@
 #include <encoding/payloads/notify_payload.h>
 #include <encoding/payloads/encryption_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/ts_payload.h>
 
 
@@ -827,6 +828,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
                                }               
                                break;                  
                        }
+                       case CERT_DATA:
+                       {
+                               size_t data_length = payload_length - CERT_PAYLOAD_HEADER_LENGTH;
+                               if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS) 
+                               {
+                                       pld->destroy(pld);
+                                       return PARSE_ERROR;
+                               }               
+                               break;                  
+                       }
                        case KEY_EXCHANGE_DATA:
                        {
                                size_t keydata_length = payload_length - KE_PAYLOAD_HEADER_LENGTH;
index 91cd230..1fe6517 100644 (file)
@@ -41,6 +41,10 @@ $(BUILD_DIR)id_payload.o :                           $(PAYLOADS_DIR)id_payload.c $(PAYLOADS_DIR)id_payl
 OBJS+= $(BUILD_DIR)auth_payload.o
 $(BUILD_DIR)auth_payload.o :                           $(PAYLOADS_DIR)auth_payload.c $(PAYLOADS_DIR)auth_payload.h
                                                                                $(CC) $(CFLAGS) -c -o $@ $<
+                                                                               
+OBJS+= $(BUILD_DIR)cert_payload.o
+$(BUILD_DIR)cert_payload.o :                   $(PAYLOADS_DIR)cert_payload.c $(PAYLOADS_DIR)cert_payload.h
+                                                                               $(CC) $(CFLAGS) -c -o $@ $<
 
 OBJS+= $(BUILD_DIR)ts_payload.o
 $(BUILD_DIR)ts_payload.o :                             $(PAYLOADS_DIR)ts_payload.c $(PAYLOADS_DIR)ts_payload.h
diff --git a/Source/charon/encoding/payloads/cert_payload.c b/Source/charon/encoding/payloads/cert_payload.c
new file mode 100644 (file)
index 0000000..c305395
--- /dev/null
@@ -0,0 +1,284 @@
+/**
+ * @file cert_payload.c
+ * 
+ * @brief Implementation of cert_payload_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cert_payload.h"
+
+#include <utils/allocator.h>
+
+
+/** 
+ * String mappings for cert_encoding_t.
+ */
+mapping_t cert_encoding_m[] = {
+{PKCS7_WRAPPED_X509_CERTIFICATE, "PKCS7_WRAPPED_X509_CERTIFICATE"},
+{PGP_CERTIFICATE, "PGP_CERTIFICATE"},
+{DNS_SIGNED_KEY, "DNS_SIGNED_KEY"},
+{X509_CERTIFICATE_SIGNATURE, "X509_CERTIFICATE_SIGNATURE"},
+{KERBEROS_TOKEN, "KERBEROS_TOKEN"},
+{CERTIFICATE_REVOCATION_LIST, "CERTIFICATE_REVOCATION_LIST"},
+{AUTHORITY_REVOCATION_LIST, "AUTHORITY_REVOCATION_LIST"},
+{SPKI_CERTIFICATE, "SPKI_CERTIFICATE"},
+{X509_CERTIFICATE_ATTRIBUTE, "X509_CERTIFICATE_ATTRIBUTE"},
+{RAW_SA_KEY, "RAW_SA_KEY"},
+{HASH_AND_URL_X509_CERTIFICATE, "HASH_AND_URL_X509_CERTIFICATE"},
+{HASH_AND_URL_X509_BUNDLE, "HASH_AND_URL_X509_BUNDLE"},
+{MAPPING_END, NULL}
+};
+
+
+typedef struct private_cert_payload_t private_cert_payload_t;
+
+/**
+ * Private data of an cert_payload_t object.
+ * 
+ */
+struct private_cert_payload_t {
+       /**
+        * Public cert_payload_t interface.
+        */
+       cert_payload_t public;
+       
+       /**
+        * Next payload type.
+        */
+       u_int8_t  next_payload;
+
+       /**
+        * Critical flag.
+        */
+       bool critical;
+       
+       /**
+        * Length of this payload.
+        */
+       u_int16_t payload_length;
+       
+       /**
+        * Encoding of the CERT Data.
+        */
+       u_int8_t cert_encoding;
+       
+       /**
+        * The contained cert data value.
+        */
+       chunk_t cert_data;
+};
+
+/**
+ * Encoding rules to parse or generate a CERT payload
+ * 
+ * The defined offsets are the positions in a object of type 
+ * private_cert_payload_t.
+ * 
+ */
+encoding_rule_t cert_payload_encodings[] = {
+       /* 1 Byte next payload type, stored in the field next_payload */
+       { U_INT_8,                      offsetof(private_cert_payload_t, next_payload)  },
+       /* the critical bit */
+       { FLAG,                         offsetof(private_cert_payload_t, critical)              },
+       /* 7 Bit reserved bits, nowhere stored */
+       { RESERVED_BIT, 0                                                                                                       },
+       { RESERVED_BIT, 0                                                                                                       },
+       { RESERVED_BIT, 0                                                                                                       },
+       { RESERVED_BIT, 0                                                                                                       },
+       { RESERVED_BIT, 0                                                                                                       },
+       { RESERVED_BIT, 0                                                                                                       },
+       { RESERVED_BIT, 0                                                                                                       },
+       /* Length of the whole payload*/
+       { PAYLOAD_LENGTH,       offsetof(private_cert_payload_t, payload_length)},
+       /* 1 Byte CERT type*/
+       { U_INT_8,                      offsetof(private_cert_payload_t, cert_encoding) },
+       /* some cert data bytes, length is defined in PAYLOAD_LENGTH */
+       { CERT_DATA,                    offsetof(private_cert_payload_t, cert_data) }
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Cert Encoding !                                               !
+      +-+-+-+-+-+-+-+-+                                               !
+      ~                       Certificate Data                        ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_cert_payload_t *this)
+{
+       if (this->critical)
+       {
+               /* critical bit is set! */
+               return FAILED;
+       }
+       if ((this->cert_encoding == 0) ||
+               ((this->cert_encoding >= 14) && (this->cert_encoding <= 200)))
+       {
+               /* reserved IDs */
+               return FAILED;
+       }
+       return SUCCESS;
+}
+
+/**
+ * Implementation of cert_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+       *rules = cert_payload_encodings;
+       *rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_cert_payload_t *this)
+{
+       return CERTIFICATE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_cert_payload_t *this)
+{
+       return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_cert_payload_t *this,payload_type_t type)
+{
+       this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_cert_payload_t *this)
+{
+       return this->payload_length;
+}
+
+/**
+ * Implementation of cert_payload_t.set_cert_encoding.
+ */
+static void set_cert_encoding (private_cert_payload_t *this, cert_encoding_t encoding)
+{
+       this->cert_encoding = encoding;
+}
+
+/**
+ * Implementation of cert_payload_t.get_cert_encoding.
+ */
+static cert_encoding_t get_cert_encoding (private_cert_payload_t *this)
+{
+       return (this->cert_encoding);
+}
+
+/**
+ * Implementation of cert_payload_t.set_data.
+ */
+static void set_data (private_cert_payload_t *this, chunk_t data)
+{
+       if (this->cert_data.ptr != NULL)
+       {
+               allocator_free_chunk(&(this->cert_data));
+       }
+       this->cert_data.ptr = allocator_clone_bytes(data.ptr,data.len);
+       this->cert_data.len = data.len;
+       this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->cert_data.len;
+}
+
+/**
+ * Implementation of cert_payload_t.get_data.
+ */
+static chunk_t get_data (private_cert_payload_t *this)
+{
+       return (this->cert_data);
+}
+
+/**
+ * Implementation of cert_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_cert_payload_t *this)
+{
+       chunk_t cloned_data;
+       if (this->cert_data.ptr == NULL)
+       {
+               return (this->cert_data);
+       }
+       cloned_data.ptr = allocator_clone_bytes(this->cert_data.ptr,this->cert_data.len);
+       cloned_data.len = this->cert_data.len;
+       return cloned_data;
+}
+
+/**
+ * Implementation of payload_t.destroy and cert_payload_t.destroy.
+ */
+static void destroy(private_cert_payload_t *this)
+{
+       if (this->cert_data.ptr != NULL)
+       {
+               allocator_free_chunk(&(this->cert_data));
+       }
+       
+       allocator_free(this);   
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create()
+{
+       private_cert_payload_t *this = allocator_alloc_thing(private_cert_payload_t);
+
+       /* interface functions */
+       this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+       this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+       this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+       this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+       this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+       this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+       this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+       
+       /* public functions */
+       this->public.destroy = (void (*) (cert_payload_t *)) destroy;
+       this->public.set_cert_encoding = (void (*) (cert_payload_t *,cert_encoding_t)) set_cert_encoding;
+       this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t *)) get_cert_encoding;
+       this->public.set_data = (void (*) (cert_payload_t *,chunk_t)) set_data;
+       this->public.get_data_clone = (chunk_t (*) (cert_payload_t *)) get_data_clone;
+       this->public.get_data = (chunk_t (*) (cert_payload_t *)) get_data;
+       
+       /* private variables */
+       this->critical = FALSE;
+       this->next_payload = NO_PAYLOAD;
+       this->payload_length =CERT_PAYLOAD_HEADER_LENGTH;
+       this->cert_data = CHUNK_INITIALIZER;
+
+       return (&(this->public));
+}
diff --git a/Source/charon/encoding/payloads/cert_payload.h b/Source/charon/encoding/payloads/cert_payload.h
new file mode 100644 (file)
index 0000000..b3191e3
--- /dev/null
@@ -0,0 +1,143 @@
+/**
+ * @file cert_payload.h
+ * 
+ * @brief Interface of cert_payload_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _CERT_PAYLOAD_H_
+#define _CERT_PAYLOAD_H_
+
+#include <types.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a cert payload without the cert data in bytes.
+ * 
+ * @ingroup payloads
+ */
+#define CERT_PAYLOAD_HEADER_LENGTH 5
+
+
+typedef enum cert_encoding_t cert_encoding_t;
+
+/**
+ * Cert Encoding.
+ * 
+ * @ingroup payloads
+ */
+enum cert_encoding_t {
+       PKCS7_WRAPPED_X509_CERTIFICATE = 1,
+       PGP_CERTIFICATE = 2,
+       DNS_SIGNED_KEY = 3,
+       X509_CERTIFICATE_SIGNATURE = 4,
+       KERBEROS_TOKEN  = 6,
+       CERTIFICATE_REVOCATION_LIST = 7,
+       AUTHORITY_REVOCATION_LIST = 8,
+       SPKI_CERTIFICATE = 9,
+       X509_CERTIFICATE_ATTRIBUTE = 10,
+       RAW_SA_KEY = 11,
+       HASH_AND_URL_X509_CERTIFICATE  = 12,
+       HASH_AND_URL_X509_BUNDLE = 13
+};
+
+extern mapping_t cert_encoding_m[];
+
+
+typedef struct cert_payload_t cert_payload_t;
+
+/**
+ * Object representing an IKEv2 CERT payload.
+ * 
+ * The CERT payload format is described in draft section 3.6.
+ * 
+ * @ingroup payloads
+ * 
+ */
+struct cert_payload_t {
+       /**
+        * The payload_t interface.
+        */
+       payload_t payload_interface;
+
+       /**
+        * @brief Set the CERT encoding.
+        * 
+        *
+        * @param this                  calling cert_payload_t object
+        * @param encoding              CERT encoding
+        */
+       void (*set_cert_encoding) (cert_payload_t *this, cert_encoding_t encoding);
+       
+       /**
+        * @brief Get the CERT encoding.
+        *
+        * @param this                  calling cert_payload_t object
+        * @return                              Encoding of the CERT 
+        */
+       cert_encoding_t (*get_cert_encoding) (cert_payload_t *this);
+       
+       /**
+        * @brief Set the CERT data.
+        * 
+        * Data are getting cloned.
+        *
+        * @param this                  calling cert_payload_t object
+        * @param data                  CERT data as chunk_t
+        */
+       void (*set_data) (cert_payload_t *this, chunk_t data);
+       
+       /**
+        * @brief Get the CERT data.
+        * 
+        * Returned data are a copy of the internal one.
+        *
+        * @param this                  calling cert_payload_t object
+        * @return                              CERT data as chunk_t
+        */
+       chunk_t (*get_data_clone) (cert_payload_t *this);
+       
+       /**
+        * @brief Get the CERT data.
+        * 
+        * Returned data are NOT copied.
+        *
+        * @param this                  calling cert_payload_t object
+        * @return                              CERT data as chunk_t
+        */
+       chunk_t (*get_data) (cert_payload_t *this);
+       
+       /**
+        * @brief Destroys an cert_payload_t object.
+        *
+        * @param this  cert_payload_t object to destroy
+        */
+       void (*destroy) (cert_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty cert_payload_t object.
+ * 
+ * @return                             created cert_payload_t object
+ * 
+ * @ingroup payloads
+ */
+cert_payload_t *cert_payload_create();
+
+
+#endif //_CERT_PAYLOAD_H_
index edc2699..33610f1 100644 (file)
@@ -367,6 +367,16 @@ enum encoding_type_t{
         * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
         */
        AUTH_DATA,
+       
+       /**
+        * Representating a CERT Data field.
+        * 
+        * When generating the content of the chunkt pointing to 
+        * is written.
+        * 
+        * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
+        */
+       CERT_DATA,
 
        /**
         * Representating an IKE_SPI field in an IKEv2 Header.
index 784fce5..6114c8d 100644 (file)
@@ -186,18 +186,6 @@ static status_t verify(private_ike_header_t *this)
                return FAILED;
        }
        
-       if ((this->responder_spi == 0) && (!this->flags.initiator))
-       {
-               /* must be original initiator*/
-               return FAILED;
-       }
-
-       if ((this->responder_spi == 0) && (this->flags.response))
-       {
-               /* must be request*/
-               return FAILED;
-       }
-       
        /* verification of version is not done in here */
        
        return SUCCESS;
index 3bbc44d..e085703 100644 (file)
@@ -36,7 +36,7 @@ mapping_t notify_message_type_m[] = {
        {INVALID_IKE_SPI, "INVALID_IKE_SPI"},
        {INVALID_MAJOR_VERSION, "INVALID_MAJOR_VERSION"},
        {INVALID_SYNTAX, "INVALID_SYNTAX"},
-       {INVALID_MESSAGE_ID, "MODP_2048_BIT"},
+       {INVALID_MESSAGE_ID, "INVALID_MESSAGE_ID"},
        {INVALID_SPI, "INVALID_SPI"},
        {NO_PROPOSAL_CHOSEN, "NO_PROPOSAL_CHOSEN"},
        {INVALID_KE_PAYLOAD, "INVALID_KE_PAYLOAD"},
@@ -47,6 +47,11 @@ mapping_t notify_message_type_m[] = {
        {FAILED_CP_REQUIRED, "FAILED_CP_REQUIRED"},
        {TS_UACCEPTABLE, "TS_UACCEPTABLE"},
        {INVALID_SELECTORS, "INVALID_SELECTORS"},
+       
+       /* status messages */
+       {INITIAL_CONTACT, "INITIAL_CONTACT"},
+       {SET_WINDOW_SIZE, "SET_WINDOW_SIZE"},
+       
        {MAPPING_END, NULL}
 };
 
index e877e07..ada346a 100644 (file)
@@ -68,7 +68,10 @@ enum notify_message_type_t {
        INTERNAL_ADDRESS_FAILURE = 36,
        FAILED_CP_REQUIRED = 37,
        TS_UACCEPTABLE = 38,
-       INVALID_SELECTORS = 39
+       INVALID_SELECTORS = 39,
+       
+       INITIAL_CONTACT = 16384,
+       SET_WINDOW_SIZE = 16385
 };
 
 /** 
index edc4479..7e64993 100644 (file)
@@ -31,6 +31,7 @@
 #include <encoding/payloads/ke_payload.h>
 #include <encoding/payloads/notify_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/encryption_payload.h>
 #include <encoding/payloads/ts_payload.h>
 
@@ -88,6 +89,8 @@ payload_t *payload_create(payload_type_t type)
                        return (payload_t*)id_payload_create(FALSE);
                case AUTHENTICATION:
                        return (payload_t*)auth_payload_create();
+               case CERTIFICATE:
+                       return (payload_t*)cert_payload_create();
                case TRAFFIC_SELECTOR_SUBSTRUCTURE:
                        return (payload_t*)traffic_selector_substructure_create();
                case TRAFFIC_SELECTOR_INITIATOR:
index af4f3c7..e298d1f 100644 (file)
@@ -102,7 +102,12 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
 {
        chunk_t id_chunk = my_id->get_data(my_id);
        u_int8_t id_with_header[4 + id_chunk.len];
-       chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header) };
+       /*
+        * IKEv2 for linux is not compatible with IKEv2 Draft and so not compatible with this
+        * implementation, cause AUTH data are computed without
+        * ID type and the three reserved bytes.
+        */
+       chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header)};
        u_int8_t *current_pos;
        chunk_t octets;
        
@@ -123,6 +128,7 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
        {
                this->prf->set_key(this->prf,this->ike_sa->get_key_pr(this->ike_sa));
        }
+
        
        /* 4 bytes are id type and reserved fields of id payload */
        octets.len = last_message.len + other_nonce.len + this->prf->get_block_size(this->prf);
@@ -167,13 +173,12 @@ static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t
 /**
  * Implementation of authenticator_t.verify_auth_data.
  */
-static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator,bool *verified)
+static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator)
 {
        switch(auth_payload->get_auth_method(auth_payload))
        {
                case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
                {
-                       
                        identification_t *other_id = other_id_payload->get_identification(other_id_payload);
                        chunk_t auth_data = auth_payload->get_data(auth_payload);
                        chunk_t preshared_secret;
@@ -190,20 +195,19 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
                        
                        if (auth_data.len != my_auth_data.len)
                        {
-                               *verified = FALSE;
                                allocator_free_chunk(&my_auth_data);
-                               return SUCCESS;
+                               return FAILED;
                        }
                        if (memcmp(auth_data.ptr,my_auth_data.ptr,my_auth_data.len) == 0)
                        {
-                               *verified = TRUE;
+                               status = SUCCESS;
                        }
                        else
                        {
-                               *verified = FALSE;
+                               status = FAILED;
                        }
-                       allocator_free_chunk(&my_auth_data);            
-                       return SUCCESS;
+                       allocator_free_chunk(&my_auth_data);
+                       return status;
                }
                case RSA_DIGITAL_SIGNATURE:
                {
@@ -224,14 +228,6 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
                        octets = this->allocate_octets(this,last_received_packet,my_nonce,other_id_payload,initiator);
                        
                        status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
-                       if (status == SUCCESS)
-                       {
-                               *verified = TRUE;       
-                       }
-                       else
-                       {
-                               *verified = FALSE;      
-                       }
                        
                        allocator_free_chunk(&octets);
                        return status;
@@ -329,7 +325,7 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa)
 
        /* Public functions */
        this->public.destroy = (void(*)(authenticator_t*))destroy;
-       this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool,bool *)) verify_auth_data;
+       this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool)) verify_auth_data;
        this->public.compute_auth_data = (status_t (*) (authenticator_t *,auth_payload_t **, chunk_t ,chunk_t ,id_payload_t *,bool)) compute_auth_data;
        
        /* private functions */
index dc03191..64cb1d6 100644 (file)
@@ -60,12 +60,10 @@ struct authenticator_t {
         * @param my_nonce                              The sent nonce (without payload header)
         * @param other_id_payload              The ID payload received from other peer
         * @param initiator                             Type of other peer. TRUE, if it is original initiator, FALSE otherwise
-        * @param[out] verified                 
-        *                                                              - TRUE, if verification succeeded
-        *                                                              - FALSE, if verification data could not be verified
         * 
         * @return
         *                                                              - SUCCESS if verification could be processed (does not mean the data could be verified)
+        *                                                              - FAILED if verification failed
         *                                                              - NOT_SUPPORTED if AUTH method not supported
         *                                                              - NOT_FOUND if the data for specific AUTH method could not be found (e.g. shared secret, rsa key)
         *                                                              - TODO rsa errors!!
@@ -75,8 +73,7 @@ struct authenticator_t {
                                                                        chunk_t last_received_packet,
                                                                        chunk_t my_nonce,
                                                                        id_payload_t *other_id_payload, 
-                                                                       bool initiator,
-                                                                       bool *verified);
+                                                                       bool initiator);
 
        /**
         * @brief Computes authentication data and creates specific AUTH payload.
index 041185c..7e01fcf 100644 (file)
@@ -194,13 +194,33 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
                                                                  
                                if (notify_payload->get_protocol_id(notify_payload) != IKE)
                                {
-                                       this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol.");
+                                       this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol");
                                        payloads->destroy(payloads);
                                        return FAILED;  
                                }
                                
                                switch (notify_payload->get_notify_message_type(notify_payload))
                                {
+                                       case INVALID_SYNTAX:
+                                       {
+                                               this->logger->log(this->logger, ERROR, "Going to destroy IKE_SA");
+                                               payloads->destroy(payloads);
+                                               return DELETE_ME;       
+                                               
+                                       }
+                                       case AUTHENTICATION_FAILED:
+                                       {
+                                               this->logger->log(this->logger, ERROR, "Keys invalid?. Going to destroy IKE_SA");
+                                               payloads->destroy(payloads);
+                                               return DELETE_ME;       
+                                               
+                                       }
+                                       case SINGLE_PAIR_REQUIRED:
+                                       {
+                                               this->logger->log(this->logger, ERROR, "Please reconfigure CHILD_SA. Going to destroy IKE_SA");
+                                               payloads->destroy(payloads);
+                                               return DELETE_ME;               
+                                       }
                                        default:
                                        {
                                                /*
@@ -348,12 +368,11 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
 {
        authenticator_t *authenticator;
        status_t status;
-       bool verified;
                
        /* TODO VERIFY auth here */
        authenticator = authenticator_create(this->ike_sa);
 
-       status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE,&verified);
+       status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
        authenticator->destroy(authenticator);
        if (status != SUCCESS)
        {
@@ -361,12 +380,6 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
                return FAILED;  
        }
 
-       if (!verified)
-       {
-               this->logger->log(this->logger, ERROR | MORE, "AUTH data could not be verified");
-               return FAILED;  
-       }
-
        this->logger->log(this->logger, CONTROL | MORE, "AUTH data verified");
        return SUCCESS; 
 }
index 967aebb..b5571ac 100644 (file)
@@ -251,10 +251,16 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
                                {
                                        case NO_PROPOSAL_CHOSEN:
                                        {
-                                               this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!!!");
+                                               this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!");
                                                payloads->destroy(payloads);
                                                return DELETE_ME;
                                        }
+                                       case INVALID_MAJOR_VERSION:
+                                       {
+                                               this->logger->log(this->logger, ERROR, "Peer doesn't support IKEv2!");
+                                               payloads->destroy(payloads);
+                                               return DELETE_ME;                                               
+                                       }
                                        case INVALID_KE_PAYLOAD:
                                        {
                                                initiator_init_t *initiator_init_state;
index 1dd16f6..732c5cc 100644 (file)
@@ -29,6 +29,7 @@
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/notify_payload.h>
 #include <transforms/signers/signer.h>
 #include <transforms/crypters/crypter.h>
 #include <sa/states/ike_sa_established.h>
@@ -87,6 +88,15 @@ struct private_ike_sa_init_responded_t {
        status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
        status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response);
        status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
+       
+       /**
+        * Sends a IKE_AUTH reply with a notify payload.
+        * 
+        * @param this          calling object
+        * @param type          type of notify message
+        * @param data          data of notify message
+        */
+       void (*send_notify_reply) (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data);
 };
 
 /**
@@ -103,6 +113,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
        auth_payload_t *auth_request;
        sa_payload_t *sa_request;
        ts_payload_t *tsi_request, *tsr_request;
+       notify_payload_t *notify_payload = NULL;
        message_t *response;
 
        exchange_type = request->get_exchange_type(request);
@@ -181,17 +192,54 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
                                tsr_request = (ts_payload_t*)payload;
                                break;  
                        }
+                       case NOTIFY:
+                       {
+                               notify_payload = (notify_payload_t *) payload;
+                               break;
+                       }
                        default:
                        {
                                this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
                                payloads->destroy(payloads);
-                               return FAILED;
+                               return DELETE_ME;
                        }
                }
        }
        /* iterator can be destroyed */
        payloads->destroy(payloads);
        
+       
+       if (notify_payload != NULL)
+       {
+                       this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
+                                                         mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
+                                                         mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
+                                                         
+                       if (notify_payload->get_protocol_id(notify_payload) != IKE)
+                       {
+                               this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol.");
+                               payloads->destroy(payloads);
+                               return DELETE_ME;       
+                       }
+                       switch (notify_payload->get_notify_message_type(notify_payload))
+                       {
+                               case SET_WINDOW_SIZE:
+                               /*
+                                * TODO Increase window size.
+                                */
+                               case INITIAL_CONTACT:
+                               /*
+                                * TODO Delete existing IKE_SA's with other Identity.
+                                */
+                               default:
+                               {
+                                       this->logger->log(this->logger, CONTROL|MORE, "Handling of notify type %s not implemented",
+                                                                         notify_payload->get_notify_message_type(notify_payload));
+                               }
+                       }
+       }
+       
+       
        /* build response */
        this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
        
@@ -351,25 +399,24 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
        authenticator_t *authenticator;
        auth_payload_t *auth_reply;
        status_t status;
-       bool verified;  
        
        authenticator = authenticator_create(this->ike_sa);
 
 
-       status =  authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE,&verified);
-
+       status =  authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE);
+       
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status));
                authenticator->destroy(authenticator);
+               /*
+                * Send notify message of type AUTHENTICATION_FAILED 
+                */
+               this->logger->log(this->logger, CONTROL | MORE, "Send notify message of type AUTHENTICATION_FAILED");
+               this->send_notify_reply (this,AUTHENTICATION_FAILED,CHUNK_INITIALIZER);         
                return status;
        }
-       if (!verified)
-       {
-               this->logger->log(this->logger, ERROR, "Verification of AUTH failed.");
-               authenticator->destroy(authenticator);
-               return FAILED;
-       }
+               
 
        status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE);
        authenticator->destroy(authenticator);
@@ -432,6 +479,44 @@ static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_
 }
 
 /**
+ * Implementation of private_responder_init_t.send_notify_reply.
+ */
+static void send_notify_reply (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data)
+{
+       notify_payload_t *payload;
+       message_t *response;
+       packet_t *packet;
+       status_t status;
+       
+       this->logger->log(this->logger, CONTROL|MOST, "Going to build message with notify payload");
+       /* set up the reply */
+       this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
+       payload = notify_payload_create_from_protocol_and_type(IKE,type);
+       if ((data.ptr != NULL) && (data.len > 0))
+       {
+               this->logger->log(this->logger, CONTROL|MOST, "Add Data to notify payload");
+               payload->set_notification_data(payload,data);
+       }
+       
+       this->logger->log(this->logger, CONTROL|MOST, "Add Notify payload to message");
+       response->add_payload(response,(payload_t *) payload);
+       
+       /* generate packet */   
+       this->logger->log(this->logger, CONTROL|MOST, "Gnerate packet from message");
+       status = response->generate(response, NULL, NULL, &packet);
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, ERROR, "Could not generate packet from message");
+               return;
+       }
+       
+       this->logger->log(this->logger, CONTROL|MOST, "Add packet to global send queue");
+       charon->send_queue->add(charon->send_queue, packet);
+       this->logger->log(this->logger, CONTROL|MOST, "Destroy message");
+       response->destroy(response);
+}
+
+/**
  * Implements state_t.get_state
  */
 static ike_sa_state_t get_state(private_ike_sa_init_responded_t *this)
@@ -475,6 +560,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
        this->build_sa_payload = build_sa_payload;
        this->build_auth_payload = build_auth_payload;
        this->build_ts_payload = build_ts_payload;
+       this->send_notify_reply = send_notify_reply;
        
        /* private data */
        this->ike_sa = ike_sa;
index e0a6092..a9ec179 100644 (file)
@@ -117,7 +117,8 @@ struct private_initiator_init_t {
        void (*build_nonce_payload) (private_initiator_init_t *this, payload_t **payload);      
        
        /**
-        * Destroy function called internally of this class after state change succeeded.
+        * Destroy function called internally of this class after state change to state 
+        * IKE_SA_INIT_REQUESTED succeeded.
         * 
         * This destroy function does not destroy objects which were passed to the new state.
         * 
@@ -164,7 +165,7 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name)
        this->dh_group_number = init_config->get_dh_group_number(init_config,this->dh_group_priority);
        if (this->dh_group_number == MODP_UNDEFINED)
        {
-               this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be  retrieved with priority %d", this->dh_group_priority);
+               this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority);
                return DELETE_ME;
        }
        
index e112f42..5526a0e 100644 (file)
@@ -189,6 +189,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
        {
                /* no configuration matches given host */
                this->logger->log(this->logger, ERROR | MORE, "No INIT configuration found for given remote and local hosts");
+               
                return DELETE_ME;
        }
        
@@ -243,7 +244,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
                                {
                                        this->logger->log(this->logger, ERROR | MORE, "No proposal of suggested proposals selected");
                                        payloads->destroy(payloads);
-                                       this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);                     
+                                       this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
                                        return DELETE_ME;
                                }
                                
@@ -258,7 +259,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
                                }
                                
                                this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed");
-                               /* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
                                break;
                        }
                        case KEY_EXCHANGE:
@@ -321,6 +321,31 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
                                this->logger->log(this->logger, CONTROL | MORE, "Nonce Payload processed");
                                break;
                        }
+                       case NOTIFY:
+                       {
+                               notify_payload_t *notify_payload = (notify_payload_t *) payload;
+                               
+                               
+                               this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
+                                                                 mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
+                                                                 mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
+                                                                 
+                               if (notify_payload->get_protocol_id(notify_payload) != IKE)
+                               {
+                                       this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol.");
+                                       payloads->destroy(payloads);
+                                       return FAILED;  
+                               }
+                               switch (notify_payload->get_notify_message_type(notify_payload))
+                               {
+                                       default:
+                                       {
+                                               this->logger->log(this->logger, CONTROL|MORE, "Processing of notify type %s not yet implemented",
+                                                                                       mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)));
+                                               break;
+                                       }
+                               }
+                       }
                        default:
                        {
                                this->logger->log(this->logger, ERROR | MORE, "Payload type not supported!");
index a2ae015..de0d135 100644 (file)
@@ -40,6 +40,7 @@
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/ts_payload.h>
 
 /*
@@ -1055,6 +1056,58 @@ void test_generator_with_auth_payload(tester_t *tester)
 /*
  * Described in header.
  */ 
+void test_generator_with_cert_payload(tester_t *tester)
+{
+       generator_t *generator;
+       cert_payload_t *cert_payload;
+       logger_t *logger;
+       chunk_t generated_data;
+       chunk_t cert;
+       
+       logger = charon->logger_manager->create_logger(charon->logger_manager,TESTER,"Message with CERT Payload");
+       
+       /* create generator */
+       generator = generator_create();
+       tester->assert_true(tester,(generator != NULL), "generator create check");
+       
+       cert_payload = cert_payload_create();
+       
+       
+       cert.ptr = "123456789012";
+       cert.len = strlen(cert.ptr);
+
+       cert_payload->set_cert_encoding(cert_payload,PGP_CERTIFICATE);
+       cert_payload->set_data(cert_payload,cert);
+       
+       generator->generate_payload(generator,(payload_t *)cert_payload);
+       generator->write_to_chunk(generator,&generated_data);
+       logger->log_chunk(logger,RAW,"generated payload",&generated_data);      
+       
+       u_int8_t expected_generation[] = {
+               /* payload header */
+               0x00,0x00,0x00,0x11,
+               0x02,
+               /* cert data */
+               0x31,0x32,0x33,0x34,
+               0x35,0x36,0x37,0x38,
+               0x39,0x30,0x31,0x32,
+       };
+       
+       logger->log_bytes(logger,RAW,"expected payload",expected_generation,sizeof(expected_generation));       
+       
+       tester->assert_true(tester,(memcmp(expected_generation,generated_data.ptr,sizeof(expected_generation)) == 0), "compare generated data");
+
+       allocator_free_chunk(&generated_data);
+       
+       cert_payload->destroy(cert_payload);
+       generator->destroy(generator);
+               
+       charon->logger_manager->destroy_logger(charon->logger_manager,logger);  
+}
+
+/*
+ * Described in header.
+ */ 
 void test_generator_with_ts_payload(tester_t *tester)
 {
        generator_t *generator;
index 34c054a..d5e3aab 100644 (file)
@@ -117,6 +117,15 @@ void test_generator_with_id_payload(tester_t *tester);
 void test_generator_with_auth_payload(tester_t *tester);
 
 /**
+ * @brief Test function used to test the generator with CERT payload.
+ * 
+ * @param tester associated tester_t object
+ * 
+ * @ingroup testcases
+ */
+void test_generator_with_cert_payload(tester_t *tester);
+
+/**
  * @brief Test function used to test the generator with TS payload.
  * 
  * @param tester associated tester_t object
index 2815c63..d3ec5dd 100644 (file)
@@ -36,6 +36,7 @@
 #include <encoding/payloads/ke_payload.h>
 #include <encoding/payloads/notify_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/ts_payload.h>
 
 
@@ -691,3 +692,43 @@ void test_parser_with_ts_payload(tester_t *tester)
        
        ts_payload->destroy(ts_payload);
 }
+
+/*
+ * Described in Header 
+ */
+void test_parser_with_cert_payload(tester_t *tester)
+{
+       parser_t *parser;
+       cert_payload_t *cert_payload;
+       status_t status;
+       chunk_t cert_chunk, result;
+       
+       u_int8_t cert_bytes[] = {
+               0x00,0x00,0x00,0x11, /* payload header */
+               0x03,
+                       0x04,0x05,0x06,0x07,/* 12 Byte nonce */
+                       0x08,0x09,0x0A,0x2B,
+                       0x0C,0x0D,0x0E,0x0F
+       };
+       
+       cert_chunk.ptr = cert_bytes;
+       cert_chunk.len = sizeof(cert_bytes);
+
+       parser = parser_create(cert_chunk);
+       tester->assert_true(tester,(parser != NULL), "parser create check");
+       status = parser->parse_payload(parser, CERTIFICATE, (payload_t**)&cert_payload);
+       tester->assert_true(tester,(status == SUCCESS),"parse_payload call check");
+       parser->destroy(parser);
+       
+       if (status != SUCCESS)
+       {
+               return; 
+       }
+       result = cert_payload->get_data_clone(cert_payload);
+       tester->assert_true(tester,(cert_payload->get_cert_encoding(cert_payload) == DNS_SIGNED_KEY), "is DNS_SIGNED_KEY encoding");
+       tester->assert_true(tester,(result.len == 12), "parsed data lenght");
+       tester->assert_false(tester,(memcmp(cert_bytes + 5, result.ptr, result.len)), "parsed data");
+       cert_payload->destroy(cert_payload);
+       allocator_free_chunk(&result);
+}
+
index 11af67a..0db5cc2 100644 (file)
@@ -105,4 +105,14 @@ void test_parser_with_auth_payload(tester_t *tester);
  */
 void test_parser_with_ts_payload(tester_t *tester);
 
+/**
+ * @brief Test function used to test the parser_t functionality when 
+ * parsing a CERT payload.
+ *
+ * @param tester       associated tester_t object
+ * 
+ * @ingroup testcases
+ */
+void test_parser_with_cert_payload(tester_t *tester);
+
 #endif /*PARSER_TEST_H_*/
index 03a318f..26c9862 100644 (file)
@@ -89,6 +89,7 @@ test_t generator_test8 = {test_generator_with_nonce_payload,"Generator: Nonce Pa
 test_t generator_test9 = {test_generator_with_id_payload,"Generator: ID Payload"};
 test_t generator_test10 = {test_generator_with_auth_payload,"Generator: AUTH Payload"};
 test_t generator_test11 = {test_generator_with_ts_payload,"Generator: TS Payload"};
+test_t generator_test12 = {test_generator_with_cert_payload,"Generator: CERT Payload"};
 test_t parser_test1 = {test_parser_with_header_payload, "Parser: header payload"};
 test_t parser_test2 = {test_parser_with_sa_payload, "Parser: sa payload"};
 test_t parser_test3 = {test_parser_with_nonce_payload, "Parser: nonce payload"};
@@ -97,6 +98,7 @@ test_t parser_test5 = {test_parser_with_notify_payload, "Parser: notify payload"
 test_t parser_test6 = {test_parser_with_id_payload, "Parser: ID payload"};
 test_t parser_test7 = {test_parser_with_auth_payload, "Parser: AUTH payload"};
 test_t parser_test8 = {test_parser_with_ts_payload, "Parser: TS payload"};
+test_t parser_test9 = {test_parser_with_cert_payload, "Parser: CERT payload"};
 test_t packet_test = {test_packet,"Packet"};
 test_t diffie_hellman_test = {test_diffie_hellman,"Diffie Hellman"};
 test_t sha1_hasher_test = {test_sha1_hasher,"SHA1 hasher"};
@@ -186,6 +188,7 @@ int main()
                &parser_test6,
                &parser_test7,
                &parser_test8,
+               &parser_test9,
                &generator_test3,
                &generator_test4,
                &generator_test5,
@@ -195,6 +198,7 @@ int main()
                &generator_test9,
                &generator_test10,
                &generator_test11,
+               &generator_test12,
                &ike_sa_manager_test,
                &packet_test,
                &diffie_hellman_test,
@@ -225,8 +229,8 @@ int main()
        tester_t *tester = tester_create(test_output, FALSE);
        
 
-//     tester->perform_tests(tester,all_tests);
-       tester->perform_test(tester,&rsa_test); 
+       tester->perform_tests(tester,all_tests);
+//     tester->perform_test(tester,&parser_test9); 
        
        
        tester->destroy(tester);
index 0146e1c..cce510f 100644 (file)
@@ -33,6 +33,7 @@
 #include <queues/jobs/incoming_packet_job.h>
 #include <queues/jobs/initiate_ike_sa_job.h>
 #include <queues/jobs/retransmit_request_job.h>
+#include <encoding/payloads/notify_payload.h>
 #include <utils/allocator.h>
 #include <utils/logger.h>
 
@@ -115,20 +116,23 @@ struct private_thread_pool_t {
  */
 static void process_jobs(private_thread_pool_t *this)
 {
+       job_t *job;
+       job_type_t job_type;
+       timeval_t start_time;
+       timeval_t end_time;
+       
        /* cancellation disabled by default */
        pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
        
        this->worker_logger->log(this->worker_logger, CONTROL, "worker thread running, thread_id: %u", (int)pthread_self());
 
        for (;;) {
-               job_t *job;
-               job_type_t job_type;
                
                job = charon->job_queue->get(charon->job_queue);
                job_type = job->get_type(job);
                this->worker_logger->log(this->worker_logger, CONTROL|MORE, "Process job of type %s", 
                                                                 mapping_find(job_type_m,job_type));
-               
+               gettimeofday(&start_time,NULL);
                switch (job_type)
                {
                        case INCOMING_PACKET:
@@ -162,8 +166,11 @@ static void process_jobs(private_thread_pool_t *this)
                                break;
                        }
                }
-
-               this->worker_logger->log(this->worker_logger, CONTROL|MORE, "Processing of job finished");
+               gettimeofday(&end_time,NULL);
+               
+               this->worker_logger->log(this->worker_logger, CONTROL, "Processed job of type %s in %d us",
+                                                                       mapping_find(job_type_m,job_type),
+                                                                       (((end_time.tv_sec - start_time.tv_sec) * 1000000) + (end_time.tv_usec - start_time.tv_usec)));
 
 
        }
@@ -199,13 +206,43 @@ static void process_incoming_packet_job(private_thread_pool_t *this, incoming_pa
                                
        if ((message->get_major_version(message) != IKE_MAJOR_VERSION) || 
                        (message->get_minor_version(message) != IKE_MINOR_VERSION))
+
        {
                this->worker_logger->log(this->worker_logger, ERROR, "IKE version %d.%d not supported", 
                                                                 message->get_major_version(message),
                                                                 message->get_minor_version(message));  
                /*
-                * TODO send notify reply of type INVALID_MAJOR_VERSION
+                * TODO send notify reply of type INVALID_MAJOR_VERSION for requests of type IKE_SA_INIT.
+                * 
+                * This check is not handled in state_t object of IKE_SA to increase speed.
                 */
+                if ((message->get_exchange_type(message) == IKE_SA_INIT) && (message->get_request(message)))
+                {
+                       message_t *response;
+                       message->get_ike_sa_id(message, &ike_sa_id);
+                       ike_sa_id->switch_initiator(ike_sa_id);
+                       response = message_create_notify_reply(message->get_destination(message),
+                                                                                                  message->get_source(message),
+                                                                                                  IKE_SA_INIT,
+                                                                                                  FALSE,ike_sa_id,INVALID_MAJOR_VERSION);
+
+                       message->destroy(message);
+                       ike_sa_id->destroy(ike_sa_id);
+                       status = response->generate(response, NULL, NULL, &packet);
+                       if (status != SUCCESS)
+                       {
+                               this->worker_logger->log(this->worker_logger, ERROR, "Could not generate packet from message");
+                               response->destroy(response);
+                               return;
+                       }
+                       this->worker_logger->log(this->worker_logger, ERROR, "Send notify reply of type INVALID_MAJOR_VERSION"); 
+                       charon->send_queue->add(charon->send_queue, packet);
+                       response->destroy(response);
+                       return;
+                }
+               message->destroy(message);
+               
+                return;
        }
                                
        message->get_ike_sa_id(message, &ike_sa_id);
index f5ebc7d..52c81b2 100644 (file)
@@ -178,6 +178,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
                case PRIME_POOL:
                        break;
                case SCHEDULER:
+                       logger_level = 0;
                        break;
                case SENDER:
                        break;