- added payload CERT
- cleaned code of different states - added additional notify handling
This commit is contained in:
parent
3ebebc5e96
commit
f6ba78c370
|
@ -355,9 +355,9 @@ static void load_default_config (private_configuration_manager_t *this)
|
|||
this->add_new_configuration(this,"pinflb30",init_config2,sa_config2);
|
||||
this->add_new_configuration(this,"localhost",init_config3,sa_config3);
|
||||
|
||||
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","das ist ein sicheres wort");
|
||||
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","das ist ein sicheres wort");
|
||||
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","das ist ein sicheres wort");
|
||||
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","verschluesselt");
|
||||
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","verschluesselt");
|
||||
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","verschluesselt");
|
||||
|
||||
this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "127.0.0.1", public_key_1, 256);
|
||||
this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "152.96.193.131", public_key_2, 256);
|
||||
|
@ -602,7 +602,7 @@ static void add_new_preshared_secret (private_configuration_manager_t *this,id_t
|
|||
preshared_secret_entry_t *entry = allocator_alloc_thing(preshared_secret_entry_t);
|
||||
|
||||
entry->identification = identification_create_from_string(type,id_string);
|
||||
entry->preshared_secret.len = strlen(preshared_secret);
|
||||
entry->preshared_secret.len = strlen(preshared_secret) + 1;
|
||||
entry->preshared_secret.ptr = allocator_alloc(entry->preshared_secret.len);
|
||||
memcpy(entry->preshared_secret.ptr,preshared_secret,entry->preshared_secret.len);
|
||||
|
||||
|
|
|
@ -155,10 +155,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
|
|||
static void build_test_jobs(private_daemon_t *this)
|
||||
{
|
||||
int i;
|
||||
for(i = 0; i<100; i++)
|
||||
for(i = 0; i<1; i++)
|
||||
{
|
||||
initiate_ike_sa_job_t *initiate_job;
|
||||
initiate_job = initiate_ike_sa_job_create("localhost");
|
||||
initiate_job = initiate_ike_sa_job_create("pinflb30");
|
||||
this->public.event_queue->add_relative(this->public.event_queue, (job_t*)initiate_job, i * 5000);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -55,7 +55,7 @@
|
|||
* Port on which the daemon will
|
||||
* listen for incoming traffic.
|
||||
*/
|
||||
#define IKEV2_UDP_PORT 4500
|
||||
#define IKEV2_UDP_PORT 500
|
||||
|
||||
/**
|
||||
* First retransmit timeout in milliseconds.
|
||||
|
@ -72,7 +72,7 @@
|
|||
* maximum allowed level for ever context, the definiton
|
||||
* of the context may be less verbose.
|
||||
*/
|
||||
#define DEFAULT_LOGLEVEL CONTROL
|
||||
#define DEFAULT_LOGLEVEL CONTROL | ERROR
|
||||
|
||||
typedef struct daemon_t daemon_t;
|
||||
|
||||
|
|
|
@ -42,6 +42,7 @@
|
|||
#include <encoding/payloads/nonce_payload.h>
|
||||
#include <encoding/payloads/id_payload.h>
|
||||
#include <encoding/payloads/auth_payload.h>
|
||||
#include <encoding/payloads/cert_payload.h>
|
||||
#include <encoding/payloads/ts_payload.h>
|
||||
|
||||
|
||||
|
@ -797,6 +798,19 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
|
|||
this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
|
||||
break;
|
||||
}
|
||||
case CERT_DATA:
|
||||
{
|
||||
/* the AUTH Data value is generated from chunk */
|
||||
this->generate_from_chunk(this, rules[i].offset);
|
||||
|
||||
u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
|
||||
/* Length of nonce PAYLOAD is calculated */
|
||||
u_int16_t length_of_cert_payload = CERT_PAYLOAD_HEADER_LENGTH + ((chunk_t *)(this->data_struct + rules[i].offset))->len;
|
||||
u_int16_t int16_val = htons(length_of_cert_payload);
|
||||
|
||||
this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
|
||||
break;
|
||||
}
|
||||
case PROPOSALS:
|
||||
{
|
||||
/* before iterative generate the transforms, store the current payload length position */
|
||||
|
|
|
@ -36,6 +36,11 @@
|
|||
#include <encoding/payloads/payload.h>
|
||||
#include <encoding/payloads/encryption_payload.h>
|
||||
|
||||
/**
|
||||
* Max number of notify payloads per IKEv2 Message
|
||||
*/
|
||||
#define MAX_NOTIFY_PAYLOADS 10
|
||||
|
||||
|
||||
typedef struct supported_payload_entry_t supported_payload_entry_t;
|
||||
|
||||
|
@ -109,6 +114,7 @@ struct message_rule_t {
|
|||
*/
|
||||
static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
|
||||
{
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
|
||||
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
|
||||
{KEY_EXCHANGE,1,1,FALSE,FALSE},
|
||||
{NONCE,1,1,FALSE,FALSE},
|
||||
|
@ -119,7 +125,7 @@ static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
|
|||
*/
|
||||
static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
|
||||
{
|
||||
{NOTIFY,0,1,FALSE,TRUE},
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
|
||||
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
|
||||
{KEY_EXCHANGE,1,1,FALSE,FALSE},
|
||||
{NONCE,1,1,FALSE,FALSE},
|
||||
|
@ -130,6 +136,7 @@ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
|
|||
*/
|
||||
static supported_payload_entry_t supported_ike_auth_i_payloads[] =
|
||||
{
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
|
||||
{ID_INITIATOR,1,1,TRUE,FALSE},
|
||||
{CERTIFICATE,0,1,TRUE,FALSE},
|
||||
{CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
|
||||
|
@ -145,7 +152,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
|
|||
*/
|
||||
static supported_payload_entry_t supported_ike_auth_r_payloads[] =
|
||||
{
|
||||
{NOTIFY,0,1,TRUE,TRUE},
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
|
||||
{CERTIFICATE,0,1,TRUE,FALSE},
|
||||
{ID_RESPONDER,1,1,TRUE,FALSE},
|
||||
{AUTHENTICATION,1,1,TRUE,FALSE},
|
||||
|
@ -1215,3 +1222,24 @@ message_t *message_create()
|
|||
{
|
||||
return message_create_from_packet(NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in Header.
|
||||
*/
|
||||
message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type)
|
||||
{
|
||||
message_t *message = message_create_from_packet(NULL);
|
||||
notify_payload_t *payload;
|
||||
|
||||
message->set_source(message, source->clone(source));
|
||||
message->set_destination(message, destination->clone(destination));
|
||||
message->set_exchange_type(message, exchange_type);
|
||||
message->set_request(message, FALSE);
|
||||
message->set_message_id(message,0);
|
||||
message->set_ike_sa_id(message, ike_sa_id);
|
||||
|
||||
payload = notify_payload_create_from_protocol_and_type(IKE,notify_type);
|
||||
message->add_payload(message,(payload_t *) payload);
|
||||
|
||||
return message;
|
||||
}
|
||||
|
|
|
@ -27,6 +27,7 @@
|
|||
#include <sa/ike_sa_id.h>
|
||||
#include <network/packet.h>
|
||||
#include <encoding/payloads/ike_header.h>
|
||||
#include <encoding/payloads/notify_payload.h>
|
||||
#include <utils/linked_list.h>
|
||||
#include <transforms/crypters/crypter.h>
|
||||
#include <transforms/signers/signer.h>
|
||||
|
@ -140,22 +141,6 @@ struct message_t {
|
|||
*/
|
||||
exchange_type_t (*get_exchange_type) (message_t *this);
|
||||
|
||||
/**
|
||||
* @brief Sets the original initiator flag.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @param original_initiator TRUE if message is from original initiator
|
||||
*/
|
||||
void (*set_original_initiator) (message_t *this,bool original_initiator);
|
||||
|
||||
/**
|
||||
* @brief Gets original initiator flag.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @return TRUE if message is from original initiator, FALSE otherwise
|
||||
*/
|
||||
bool (*get_original_initiator) (message_t *this);
|
||||
|
||||
/**
|
||||
* @brief Sets the request flag.
|
||||
*
|
||||
|
@ -340,4 +325,13 @@ message_t * message_create_from_packet(packet_t *packet);
|
|||
*/
|
||||
message_t * message_create();
|
||||
|
||||
/**
|
||||
* Creates an message_t object of type reply containing a notify payload.
|
||||
*
|
||||
* @return created message_t object
|
||||
*
|
||||
* @ingroup encoding
|
||||
*/
|
||||
message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type);
|
||||
|
||||
#endif /*MESSAGE_H_*/
|
||||
|
|
|
@ -43,6 +43,7 @@
|
|||
#include <encoding/payloads/notify_payload.h>
|
||||
#include <encoding/payloads/encryption_payload.h>
|
||||
#include <encoding/payloads/auth_payload.h>
|
||||
#include <encoding/payloads/cert_payload.h>
|
||||
#include <encoding/payloads/ts_payload.h>
|
||||
|
||||
|
||||
|
@ -827,6 +828,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
|
|||
}
|
||||
break;
|
||||
}
|
||||
case CERT_DATA:
|
||||
{
|
||||
size_t data_length = payload_length - CERT_PAYLOAD_HEADER_LENGTH;
|
||||
if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
|
||||
{
|
||||
pld->destroy(pld);
|
||||
return PARSE_ERROR;
|
||||
}
|
||||
break;
|
||||
}
|
||||
case KEY_EXCHANGE_DATA:
|
||||
{
|
||||
size_t keydata_length = payload_length - KE_PAYLOAD_HEADER_LENGTH;
|
||||
|
|
|
@ -41,6 +41,10 @@ $(BUILD_DIR)id_payload.o : $(PAYLOADS_DIR)id_payload.c $(PAYLOADS_DIR)id_payl
|
|||
OBJS+= $(BUILD_DIR)auth_payload.o
|
||||
$(BUILD_DIR)auth_payload.o : $(PAYLOADS_DIR)auth_payload.c $(PAYLOADS_DIR)auth_payload.h
|
||||
$(CC) $(CFLAGS) -c -o $@ $<
|
||||
|
||||
OBJS+= $(BUILD_DIR)cert_payload.o
|
||||
$(BUILD_DIR)cert_payload.o : $(PAYLOADS_DIR)cert_payload.c $(PAYLOADS_DIR)cert_payload.h
|
||||
$(CC) $(CFLAGS) -c -o $@ $<
|
||||
|
||||
OBJS+= $(BUILD_DIR)ts_payload.o
|
||||
$(BUILD_DIR)ts_payload.o : $(PAYLOADS_DIR)ts_payload.c $(PAYLOADS_DIR)ts_payload.h
|
||||
|
|
|
@ -0,0 +1,284 @@
|
|||
/**
|
||||
* @file cert_payload.c
|
||||
*
|
||||
* @brief Implementation of cert_payload_t.
|
||||
*
|
||||
*/
|
||||
|
||||
/*
|
||||
* Copyright (C) 2005 Jan Hutter, Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "cert_payload.h"
|
||||
|
||||
#include <utils/allocator.h>
|
||||
|
||||
|
||||
/**
|
||||
* String mappings for cert_encoding_t.
|
||||
*/
|
||||
mapping_t cert_encoding_m[] = {
|
||||
{PKCS7_WRAPPED_X509_CERTIFICATE, "PKCS7_WRAPPED_X509_CERTIFICATE"},
|
||||
{PGP_CERTIFICATE, "PGP_CERTIFICATE"},
|
||||
{DNS_SIGNED_KEY, "DNS_SIGNED_KEY"},
|
||||
{X509_CERTIFICATE_SIGNATURE, "X509_CERTIFICATE_SIGNATURE"},
|
||||
{KERBEROS_TOKEN, "KERBEROS_TOKEN"},
|
||||
{CERTIFICATE_REVOCATION_LIST, "CERTIFICATE_REVOCATION_LIST"},
|
||||
{AUTHORITY_REVOCATION_LIST, "AUTHORITY_REVOCATION_LIST"},
|
||||
{SPKI_CERTIFICATE, "SPKI_CERTIFICATE"},
|
||||
{X509_CERTIFICATE_ATTRIBUTE, "X509_CERTIFICATE_ATTRIBUTE"},
|
||||
{RAW_SA_KEY, "RAW_SA_KEY"},
|
||||
{HASH_AND_URL_X509_CERTIFICATE, "HASH_AND_URL_X509_CERTIFICATE"},
|
||||
{HASH_AND_URL_X509_BUNDLE, "HASH_AND_URL_X509_BUNDLE"},
|
||||
{MAPPING_END, NULL}
|
||||
};
|
||||
|
||||
|
||||
typedef struct private_cert_payload_t private_cert_payload_t;
|
||||
|
||||
/**
|
||||
* Private data of an cert_payload_t object.
|
||||
*
|
||||
*/
|
||||
struct private_cert_payload_t {
|
||||
/**
|
||||
* Public cert_payload_t interface.
|
||||
*/
|
||||
cert_payload_t public;
|
||||
|
||||
/**
|
||||
* Next payload type.
|
||||
*/
|
||||
u_int8_t next_payload;
|
||||
|
||||
/**
|
||||
* Critical flag.
|
||||
*/
|
||||
bool critical;
|
||||
|
||||
/**
|
||||
* Length of this payload.
|
||||
*/
|
||||
u_int16_t payload_length;
|
||||
|
||||
/**
|
||||
* Encoding of the CERT Data.
|
||||
*/
|
||||
u_int8_t cert_encoding;
|
||||
|
||||
/**
|
||||
* The contained cert data value.
|
||||
*/
|
||||
chunk_t cert_data;
|
||||
};
|
||||
|
||||
/**
|
||||
* Encoding rules to parse or generate a CERT payload
|
||||
*
|
||||
* The defined offsets are the positions in a object of type
|
||||
* private_cert_payload_t.
|
||||
*
|
||||
*/
|
||||
encoding_rule_t cert_payload_encodings[] = {
|
||||
/* 1 Byte next payload type, stored in the field next_payload */
|
||||
{ U_INT_8, offsetof(private_cert_payload_t, next_payload) },
|
||||
/* the critical bit */
|
||||
{ FLAG, offsetof(private_cert_payload_t, critical) },
|
||||
/* 7 Bit reserved bits, nowhere stored */
|
||||
{ RESERVED_BIT, 0 },
|
||||
{ RESERVED_BIT, 0 },
|
||||
{ RESERVED_BIT, 0 },
|
||||
{ RESERVED_BIT, 0 },
|
||||
{ RESERVED_BIT, 0 },
|
||||
{ RESERVED_BIT, 0 },
|
||||
{ RESERVED_BIT, 0 },
|
||||
/* Length of the whole payload*/
|
||||
{ PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)},
|
||||
/* 1 Byte CERT type*/
|
||||
{ U_INT_8, offsetof(private_cert_payload_t, cert_encoding) },
|
||||
/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
|
||||
{ CERT_DATA, offsetof(private_cert_payload_t, cert_data) }
|
||||
};
|
||||
|
||||
/*
|
||||
1 2 3
|
||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
! Next Payload !C! RESERVED ! Payload Length !
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
! Cert Encoding ! !
|
||||
+-+-+-+-+-+-+-+-+ !
|
||||
~ Certificate Data ~
|
||||
! !
|
||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||
*/
|
||||
|
||||
/**
|
||||
* Implementation of payload_t.verify.
|
||||
*/
|
||||
static status_t verify(private_cert_payload_t *this)
|
||||
{
|
||||
if (this->critical)
|
||||
{
|
||||
/* critical bit is set! */
|
||||
return FAILED;
|
||||
}
|
||||
if ((this->cert_encoding == 0) ||
|
||||
((this->cert_encoding >= 14) && (this->cert_encoding <= 200)))
|
||||
{
|
||||
/* reserved IDs */
|
||||
return FAILED;
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of cert_payload_t.get_encoding_rules.
|
||||
*/
|
||||
static void get_encoding_rules(private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
|
||||
{
|
||||
*rules = cert_payload_encodings;
|
||||
*rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of payload_t.get_type.
|
||||
*/
|
||||
static payload_type_t get_payload_type(private_cert_payload_t *this)
|
||||
{
|
||||
return CERTIFICATE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of payload_t.get_next_type.
|
||||
*/
|
||||
static payload_type_t get_next_type(private_cert_payload_t *this)
|
||||
{
|
||||
return (this->next_payload);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of payload_t.set_next_type.
|
||||
*/
|
||||
static void set_next_type(private_cert_payload_t *this,payload_type_t type)
|
||||
{
|
||||
this->next_payload = type;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of payload_t.get_length.
|
||||
*/
|
||||
static size_t get_length(private_cert_payload_t *this)
|
||||
{
|
||||
return this->payload_length;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of cert_payload_t.set_cert_encoding.
|
||||
*/
|
||||
static void set_cert_encoding (private_cert_payload_t *this, cert_encoding_t encoding)
|
||||
{
|
||||
this->cert_encoding = encoding;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of cert_payload_t.get_cert_encoding.
|
||||
*/
|
||||
static cert_encoding_t get_cert_encoding (private_cert_payload_t *this)
|
||||
{
|
||||
return (this->cert_encoding);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of cert_payload_t.set_data.
|
||||
*/
|
||||
static void set_data (private_cert_payload_t *this, chunk_t data)
|
||||
{
|
||||
if (this->cert_data.ptr != NULL)
|
||||
{
|
||||
allocator_free_chunk(&(this->cert_data));
|
||||
}
|
||||
this->cert_data.ptr = allocator_clone_bytes(data.ptr,data.len);
|
||||
this->cert_data.len = data.len;
|
||||
this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->cert_data.len;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of cert_payload_t.get_data.
|
||||
*/
|
||||
static chunk_t get_data (private_cert_payload_t *this)
|
||||
{
|
||||
return (this->cert_data);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of cert_payload_t.get_data_clone.
|
||||
*/
|
||||
static chunk_t get_data_clone (private_cert_payload_t *this)
|
||||
{
|
||||
chunk_t cloned_data;
|
||||
if (this->cert_data.ptr == NULL)
|
||||
{
|
||||
return (this->cert_data);
|
||||
}
|
||||
cloned_data.ptr = allocator_clone_bytes(this->cert_data.ptr,this->cert_data.len);
|
||||
cloned_data.len = this->cert_data.len;
|
||||
return cloned_data;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of payload_t.destroy and cert_payload_t.destroy.
|
||||
*/
|
||||
static void destroy(private_cert_payload_t *this)
|
||||
{
|
||||
if (this->cert_data.ptr != NULL)
|
||||
{
|
||||
allocator_free_chunk(&(this->cert_data));
|
||||
}
|
||||
|
||||
allocator_free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header
|
||||
*/
|
||||
cert_payload_t *cert_payload_create()
|
||||
{
|
||||
private_cert_payload_t *this = allocator_alloc_thing(private_cert_payload_t);
|
||||
|
||||
/* interface functions */
|
||||
this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
|
||||
this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
|
||||
this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
|
||||
this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
|
||||
this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
|
||||
this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
|
||||
this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
|
||||
|
||||
/* public functions */
|
||||
this->public.destroy = (void (*) (cert_payload_t *)) destroy;
|
||||
this->public.set_cert_encoding = (void (*) (cert_payload_t *,cert_encoding_t)) set_cert_encoding;
|
||||
this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t *)) get_cert_encoding;
|
||||
this->public.set_data = (void (*) (cert_payload_t *,chunk_t)) set_data;
|
||||
this->public.get_data_clone = (chunk_t (*) (cert_payload_t *)) get_data_clone;
|
||||
this->public.get_data = (chunk_t (*) (cert_payload_t *)) get_data;
|
||||
|
||||
/* private variables */
|
||||
this->critical = FALSE;
|
||||
this->next_payload = NO_PAYLOAD;
|
||||
this->payload_length =CERT_PAYLOAD_HEADER_LENGTH;
|
||||
this->cert_data = CHUNK_INITIALIZER;
|
||||
|
||||
return (&(this->public));
|
||||
}
|
|
@ -0,0 +1,143 @@
|
|||
/**
|
||||
* @file cert_payload.h
|
||||
*
|
||||
* @brief Interface of cert_payload_t.
|
||||
*
|
||||
*/
|
||||
|
||||
/*
|
||||
* Copyright (C) 2005 Jan Hutter, Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#ifndef _CERT_PAYLOAD_H_
|
||||
#define _CERT_PAYLOAD_H_
|
||||
|
||||
#include <types.h>
|
||||
#include <encoding/payloads/payload.h>
|
||||
|
||||
/**
|
||||
* Length of a cert payload without the cert data in bytes.
|
||||
*
|
||||
* @ingroup payloads
|
||||
*/
|
||||
#define CERT_PAYLOAD_HEADER_LENGTH 5
|
||||
|
||||
|
||||
typedef enum cert_encoding_t cert_encoding_t;
|
||||
|
||||
/**
|
||||
* Cert Encoding.
|
||||
*
|
||||
* @ingroup payloads
|
||||
*/
|
||||
enum cert_encoding_t {
|
||||
PKCS7_WRAPPED_X509_CERTIFICATE = 1,
|
||||
PGP_CERTIFICATE = 2,
|
||||
DNS_SIGNED_KEY = 3,
|
||||
X509_CERTIFICATE_SIGNATURE = 4,
|
||||
KERBEROS_TOKEN = 6,
|
||||
CERTIFICATE_REVOCATION_LIST = 7,
|
||||
AUTHORITY_REVOCATION_LIST = 8,
|
||||
SPKI_CERTIFICATE = 9,
|
||||
X509_CERTIFICATE_ATTRIBUTE = 10,
|
||||
RAW_SA_KEY = 11,
|
||||
HASH_AND_URL_X509_CERTIFICATE = 12,
|
||||
HASH_AND_URL_X509_BUNDLE = 13
|
||||
};
|
||||
|
||||
extern mapping_t cert_encoding_m[];
|
||||
|
||||
|
||||
typedef struct cert_payload_t cert_payload_t;
|
||||
|
||||
/**
|
||||
* Object representing an IKEv2 CERT payload.
|
||||
*
|
||||
* The CERT payload format is described in draft section 3.6.
|
||||
*
|
||||
* @ingroup payloads
|
||||
*
|
||||
*/
|
||||
struct cert_payload_t {
|
||||
/**
|
||||
* The payload_t interface.
|
||||
*/
|
||||
payload_t payload_interface;
|
||||
|
||||
/**
|
||||
* @brief Set the CERT encoding.
|
||||
*
|
||||
*
|
||||
* @param this calling cert_payload_t object
|
||||
* @param encoding CERT encoding
|
||||
*/
|
||||
void (*set_cert_encoding) (cert_payload_t *this, cert_encoding_t encoding);
|
||||
|
||||
/**
|
||||
* @brief Get the CERT encoding.
|
||||
*
|
||||
* @param this calling cert_payload_t object
|
||||
* @return Encoding of the CERT
|
||||
*/
|
||||
cert_encoding_t (*get_cert_encoding) (cert_payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Set the CERT data.
|
||||
*
|
||||
* Data are getting cloned.
|
||||
*
|
||||
* @param this calling cert_payload_t object
|
||||
* @param data CERT data as chunk_t
|
||||
*/
|
||||
void (*set_data) (cert_payload_t *this, chunk_t data);
|
||||
|
||||
/**
|
||||
* @brief Get the CERT data.
|
||||
*
|
||||
* Returned data are a copy of the internal one.
|
||||
*
|
||||
* @param this calling cert_payload_t object
|
||||
* @return CERT data as chunk_t
|
||||
*/
|
||||
chunk_t (*get_data_clone) (cert_payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Get the CERT data.
|
||||
*
|
||||
* Returned data are NOT copied.
|
||||
*
|
||||
* @param this calling cert_payload_t object
|
||||
* @return CERT data as chunk_t
|
||||
*/
|
||||
chunk_t (*get_data) (cert_payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Destroys an cert_payload_t object.
|
||||
*
|
||||
* @param this cert_payload_t object to destroy
|
||||
*/
|
||||
void (*destroy) (cert_payload_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief Creates an empty cert_payload_t object.
|
||||
*
|
||||
* @return created cert_payload_t object
|
||||
*
|
||||
* @ingroup payloads
|
||||
*/
|
||||
cert_payload_t *cert_payload_create();
|
||||
|
||||
|
||||
#endif //_CERT_PAYLOAD_H_
|
|
@ -367,6 +367,16 @@ enum encoding_type_t{
|
|||
* When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
|
||||
*/
|
||||
AUTH_DATA,
|
||||
|
||||
/**
|
||||
* Representating a CERT Data field.
|
||||
*
|
||||
* When generating the content of the chunkt pointing to
|
||||
* is written.
|
||||
*
|
||||
* When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
|
||||
*/
|
||||
CERT_DATA,
|
||||
|
||||
/**
|
||||
* Representating an IKE_SPI field in an IKEv2 Header.
|
||||
|
|
|
@ -186,18 +186,6 @@ static status_t verify(private_ike_header_t *this)
|
|||
return FAILED;
|
||||
}
|
||||
|
||||
if ((this->responder_spi == 0) && (!this->flags.initiator))
|
||||
{
|
||||
/* must be original initiator*/
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
if ((this->responder_spi == 0) && (this->flags.response))
|
||||
{
|
||||
/* must be request*/
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
/* verification of version is not done in here */
|
||||
|
||||
return SUCCESS;
|
||||
|
|
|
@ -36,7 +36,7 @@ mapping_t notify_message_type_m[] = {
|
|||
{INVALID_IKE_SPI, "INVALID_IKE_SPI"},
|
||||
{INVALID_MAJOR_VERSION, "INVALID_MAJOR_VERSION"},
|
||||
{INVALID_SYNTAX, "INVALID_SYNTAX"},
|
||||
{INVALID_MESSAGE_ID, "MODP_2048_BIT"},
|
||||
{INVALID_MESSAGE_ID, "INVALID_MESSAGE_ID"},
|
||||
{INVALID_SPI, "INVALID_SPI"},
|
||||
{NO_PROPOSAL_CHOSEN, "NO_PROPOSAL_CHOSEN"},
|
||||
{INVALID_KE_PAYLOAD, "INVALID_KE_PAYLOAD"},
|
||||
|
@ -47,6 +47,11 @@ mapping_t notify_message_type_m[] = {
|
|||
{FAILED_CP_REQUIRED, "FAILED_CP_REQUIRED"},
|
||||
{TS_UACCEPTABLE, "TS_UACCEPTABLE"},
|
||||
{INVALID_SELECTORS, "INVALID_SELECTORS"},
|
||||
|
||||
/* status messages */
|
||||
{INITIAL_CONTACT, "INITIAL_CONTACT"},
|
||||
{SET_WINDOW_SIZE, "SET_WINDOW_SIZE"},
|
||||
|
||||
{MAPPING_END, NULL}
|
||||
};
|
||||
|
||||
|
|
|
@ -68,7 +68,10 @@ enum notify_message_type_t {
|
|||
INTERNAL_ADDRESS_FAILURE = 36,
|
||||
FAILED_CP_REQUIRED = 37,
|
||||
TS_UACCEPTABLE = 38,
|
||||
INVALID_SELECTORS = 39
|
||||
INVALID_SELECTORS = 39,
|
||||
|
||||
INITIAL_CONTACT = 16384,
|
||||
SET_WINDOW_SIZE = 16385
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
@ -31,6 +31,7 @@
|
|||
#include <encoding/payloads/ke_payload.h>
|
||||
#include <encoding/payloads/notify_payload.h>
|
||||
#include <encoding/payloads/auth_payload.h>
|
||||
#include <encoding/payloads/cert_payload.h>
|
||||
#include <encoding/payloads/encryption_payload.h>
|
||||
#include <encoding/payloads/ts_payload.h>
|
||||
|
||||
|
@ -88,6 +89,8 @@ payload_t *payload_create(payload_type_t type)
|
|||
return (payload_t*)id_payload_create(FALSE);
|
||||
case AUTHENTICATION:
|
||||
return (payload_t*)auth_payload_create();
|
||||
case CERTIFICATE:
|
||||
return (payload_t*)cert_payload_create();
|
||||
case TRAFFIC_SELECTOR_SUBSTRUCTURE:
|
||||
return (payload_t*)traffic_selector_substructure_create();
|
||||
case TRAFFIC_SELECTOR_INITIATOR:
|
||||
|
|
|
@ -102,7 +102,12 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
|
|||
{
|
||||
chunk_t id_chunk = my_id->get_data(my_id);
|
||||
u_int8_t id_with_header[4 + id_chunk.len];
|
||||
chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header) };
|
||||
/*
|
||||
* IKEv2 for linux is not compatible with IKEv2 Draft and so not compatible with this
|
||||
* implementation, cause AUTH data are computed without
|
||||
* ID type and the three reserved bytes.
|
||||
*/
|
||||
chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header)};
|
||||
u_int8_t *current_pos;
|
||||
chunk_t octets;
|
||||
|
||||
|
@ -123,6 +128,7 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
|
|||
{
|
||||
this->prf->set_key(this->prf,this->ike_sa->get_key_pr(this->ike_sa));
|
||||
}
|
||||
|
||||
|
||||
/* 4 bytes are id type and reserved fields of id payload */
|
||||
octets.len = last_message.len + other_nonce.len + this->prf->get_block_size(this->prf);
|
||||
|
@ -167,13 +173,12 @@ static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t
|
|||
/**
|
||||
* Implementation of authenticator_t.verify_auth_data.
|
||||
*/
|
||||
static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator,bool *verified)
|
||||
static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator)
|
||||
{
|
||||
switch(auth_payload->get_auth_method(auth_payload))
|
||||
{
|
||||
case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
|
||||
{
|
||||
|
||||
identification_t *other_id = other_id_payload->get_identification(other_id_payload);
|
||||
chunk_t auth_data = auth_payload->get_data(auth_payload);
|
||||
chunk_t preshared_secret;
|
||||
|
@ -190,20 +195,19 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
|
|||
|
||||
if (auth_data.len != my_auth_data.len)
|
||||
{
|
||||
*verified = FALSE;
|
||||
allocator_free_chunk(&my_auth_data);
|
||||
return SUCCESS;
|
||||
return FAILED;
|
||||
}
|
||||
if (memcmp(auth_data.ptr,my_auth_data.ptr,my_auth_data.len) == 0)
|
||||
{
|
||||
*verified = TRUE;
|
||||
status = SUCCESS;
|
||||
}
|
||||
else
|
||||
{
|
||||
*verified = FALSE;
|
||||
status = FAILED;
|
||||
}
|
||||
allocator_free_chunk(&my_auth_data);
|
||||
return SUCCESS;
|
||||
allocator_free_chunk(&my_auth_data);
|
||||
return status;
|
||||
}
|
||||
case RSA_DIGITAL_SIGNATURE:
|
||||
{
|
||||
|
@ -224,14 +228,6 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
|
|||
octets = this->allocate_octets(this,last_received_packet,my_nonce,other_id_payload,initiator);
|
||||
|
||||
status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
|
||||
if (status == SUCCESS)
|
||||
{
|
||||
*verified = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
*verified = FALSE;
|
||||
}
|
||||
|
||||
allocator_free_chunk(&octets);
|
||||
return status;
|
||||
|
@ -329,7 +325,7 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa)
|
|||
|
||||
/* Public functions */
|
||||
this->public.destroy = (void(*)(authenticator_t*))destroy;
|
||||
this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool,bool *)) verify_auth_data;
|
||||
this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool)) verify_auth_data;
|
||||
this->public.compute_auth_data = (status_t (*) (authenticator_t *,auth_payload_t **, chunk_t ,chunk_t ,id_payload_t *,bool)) compute_auth_data;
|
||||
|
||||
/* private functions */
|
||||
|
|
|
@ -60,12 +60,10 @@ struct authenticator_t {
|
|||
* @param my_nonce The sent nonce (without payload header)
|
||||
* @param other_id_payload The ID payload received from other peer
|
||||
* @param initiator Type of other peer. TRUE, if it is original initiator, FALSE otherwise
|
||||
* @param[out] verified
|
||||
* - TRUE, if verification succeeded
|
||||
* - FALSE, if verification data could not be verified
|
||||
*
|
||||
* @return
|
||||
* - SUCCESS if verification could be processed (does not mean the data could be verified)
|
||||
* - FAILED if verification failed
|
||||
* - NOT_SUPPORTED if AUTH method not supported
|
||||
* - NOT_FOUND if the data for specific AUTH method could not be found (e.g. shared secret, rsa key)
|
||||
* - TODO rsa errors!!
|
||||
|
@ -75,8 +73,7 @@ struct authenticator_t {
|
|||
chunk_t last_received_packet,
|
||||
chunk_t my_nonce,
|
||||
id_payload_t *other_id_payload,
|
||||
bool initiator,
|
||||
bool *verified);
|
||||
bool initiator);
|
||||
|
||||
/**
|
||||
* @brief Computes authentication data and creates specific AUTH payload.
|
||||
|
|
|
@ -194,13 +194,33 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
|
|||
|
||||
if (notify_payload->get_protocol_id(notify_payload) != IKE)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol.");
|
||||
this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol");
|
||||
payloads->destroy(payloads);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
switch (notify_payload->get_notify_message_type(notify_payload))
|
||||
{
|
||||
case INVALID_SYNTAX:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Going to destroy IKE_SA");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
case AUTHENTICATION_FAILED:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Keys invalid?. Going to destroy IKE_SA");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
|
||||
}
|
||||
case SINGLE_PAIR_REQUIRED:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Please reconfigure CHILD_SA. Going to destroy IKE_SA");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
}
|
||||
default:
|
||||
{
|
||||
/*
|
||||
|
@ -348,12 +368,11 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
|
|||
{
|
||||
authenticator_t *authenticator;
|
||||
status_t status;
|
||||
bool verified;
|
||||
|
||||
/* TODO VERIFY auth here */
|
||||
authenticator = authenticator_create(this->ike_sa);
|
||||
|
||||
status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE,&verified);
|
||||
status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
|
||||
authenticator->destroy(authenticator);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
|
@ -361,12 +380,6 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
|
|||
return FAILED;
|
||||
}
|
||||
|
||||
if (!verified)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "AUTH data could not be verified");
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MORE, "AUTH data verified");
|
||||
return SUCCESS;
|
||||
}
|
||||
|
|
|
@ -251,10 +251,16 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
|
|||
{
|
||||
case NO_PROPOSAL_CHOSEN:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!!!");
|
||||
this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
}
|
||||
case INVALID_MAJOR_VERSION:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Peer doesn't support IKEv2!");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
}
|
||||
case INVALID_KE_PAYLOAD:
|
||||
{
|
||||
initiator_init_t *initiator_init_state;
|
||||
|
|
|
@ -29,6 +29,7 @@
|
|||
#include <encoding/payloads/sa_payload.h>
|
||||
#include <encoding/payloads/id_payload.h>
|
||||
#include <encoding/payloads/auth_payload.h>
|
||||
#include <encoding/payloads/notify_payload.h>
|
||||
#include <transforms/signers/signer.h>
|
||||
#include <transforms/crypters/crypter.h>
|
||||
#include <sa/states/ike_sa_established.h>
|
||||
|
@ -87,6 +88,15 @@ struct private_ike_sa_init_responded_t {
|
|||
status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
|
||||
status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response);
|
||||
status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
|
||||
|
||||
/**
|
||||
* Sends a IKE_AUTH reply with a notify payload.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param type type of notify message
|
||||
* @param data data of notify message
|
||||
*/
|
||||
void (*send_notify_reply) (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data);
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -103,6 +113,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
auth_payload_t *auth_request;
|
||||
sa_payload_t *sa_request;
|
||||
ts_payload_t *tsi_request, *tsr_request;
|
||||
notify_payload_t *notify_payload = NULL;
|
||||
message_t *response;
|
||||
|
||||
exchange_type = request->get_exchange_type(request);
|
||||
|
@ -181,17 +192,54 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
|
|||
tsr_request = (ts_payload_t*)payload;
|
||||
break;
|
||||
}
|
||||
case NOTIFY:
|
||||
{
|
||||
notify_payload = (notify_payload_t *) payload;
|
||||
break;
|
||||
}
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
|
||||
payloads->destroy(payloads);
|
||||
return FAILED;
|
||||
return DELETE_ME;
|
||||
}
|
||||
}
|
||||
}
|
||||
/* iterator can be destroyed */
|
||||
payloads->destroy(payloads);
|
||||
|
||||
|
||||
if (notify_payload != NULL)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
|
||||
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
|
||||
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
|
||||
|
||||
if (notify_payload->get_protocol_id(notify_payload) != IKE)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol.");
|
||||
payloads->destroy(payloads);
|
||||
return DELETE_ME;
|
||||
}
|
||||
switch (notify_payload->get_notify_message_type(notify_payload))
|
||||
{
|
||||
case SET_WINDOW_SIZE:
|
||||
/*
|
||||
* TODO Increase window size.
|
||||
*/
|
||||
case INITIAL_CONTACT:
|
||||
/*
|
||||
* TODO Delete existing IKE_SA's with other Identity.
|
||||
*/
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|MORE, "Handling of notify type %s not implemented",
|
||||
notify_payload->get_notify_message_type(notify_payload));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* build response */
|
||||
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
|
||||
|
||||
|
@ -351,25 +399,24 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
|
|||
authenticator_t *authenticator;
|
||||
auth_payload_t *auth_reply;
|
||||
status_t status;
|
||||
bool verified;
|
||||
|
||||
authenticator = authenticator_create(this->ike_sa);
|
||||
|
||||
|
||||
status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE,&verified);
|
||||
|
||||
status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE);
|
||||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status));
|
||||
authenticator->destroy(authenticator);
|
||||
/*
|
||||
* Send notify message of type AUTHENTICATION_FAILED
|
||||
*/
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Send notify message of type AUTHENTICATION_FAILED");
|
||||
this->send_notify_reply (this,AUTHENTICATION_FAILED,CHUNK_INITIALIZER);
|
||||
return status;
|
||||
}
|
||||
if (!verified)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Verification of AUTH failed.");
|
||||
authenticator->destroy(authenticator);
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
|
||||
status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE);
|
||||
authenticator->destroy(authenticator);
|
||||
|
@ -431,6 +478,44 @@ static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_
|
|||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of private_responder_init_t.send_notify_reply.
|
||||
*/
|
||||
static void send_notify_reply (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data)
|
||||
{
|
||||
notify_payload_t *payload;
|
||||
message_t *response;
|
||||
packet_t *packet;
|
||||
status_t status;
|
||||
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Going to build message with notify payload");
|
||||
/* set up the reply */
|
||||
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
|
||||
payload = notify_payload_create_from_protocol_and_type(IKE,type);
|
||||
if ((data.ptr != NULL) && (data.len > 0))
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Add Data to notify payload");
|
||||
payload->set_notification_data(payload,data);
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Add Notify payload to message");
|
||||
response->add_payload(response,(payload_t *) payload);
|
||||
|
||||
/* generate packet */
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Gnerate packet from message");
|
||||
status = response->generate(response, NULL, NULL, &packet);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Could not generate packet from message");
|
||||
return;
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Add packet to global send queue");
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Destroy message");
|
||||
response->destroy(response);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements state_t.get_state
|
||||
*/
|
||||
|
@ -475,6 +560,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
|
|||
this->build_sa_payload = build_sa_payload;
|
||||
this->build_auth_payload = build_auth_payload;
|
||||
this->build_ts_payload = build_ts_payload;
|
||||
this->send_notify_reply = send_notify_reply;
|
||||
|
||||
/* private data */
|
||||
this->ike_sa = ike_sa;
|
||||
|
|
|
@ -117,7 +117,8 @@ struct private_initiator_init_t {
|
|||
void (*build_nonce_payload) (private_initiator_init_t *this, payload_t **payload);
|
||||
|
||||
/**
|
||||
* Destroy function called internally of this class after state change succeeded.
|
||||
* Destroy function called internally of this class after state change to state
|
||||
* IKE_SA_INIT_REQUESTED succeeded.
|
||||
*
|
||||
* This destroy function does not destroy objects which were passed to the new state.
|
||||
*
|
||||
|
@ -164,7 +165,7 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name)
|
|||
this->dh_group_number = init_config->get_dh_group_number(init_config,this->dh_group_priority);
|
||||
if (this->dh_group_number == MODP_UNDEFINED)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority);
|
||||
this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority);
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
|
|
|
@ -189,6 +189,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
|
|||
{
|
||||
/* no configuration matches given host */
|
||||
this->logger->log(this->logger, ERROR | MORE, "No INIT configuration found for given remote and local hosts");
|
||||
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
|
@ -243,7 +244,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
|
|||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "No proposal of suggested proposals selected");
|
||||
payloads->destroy(payloads);
|
||||
this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
|
||||
this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
|
||||
return DELETE_ME;
|
||||
}
|
||||
|
||||
|
@ -258,7 +259,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
|
|||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed");
|
||||
/* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
|
||||
break;
|
||||
}
|
||||
case KEY_EXCHANGE:
|
||||
|
@ -321,6 +321,31 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
|
|||
this->logger->log(this->logger, CONTROL | MORE, "Nonce Payload processed");
|
||||
break;
|
||||
}
|
||||
case NOTIFY:
|
||||
{
|
||||
notify_payload_t *notify_payload = (notify_payload_t *) payload;
|
||||
|
||||
|
||||
this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
|
||||
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
|
||||
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
|
||||
|
||||
if (notify_payload->get_protocol_id(notify_payload) != IKE)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol.");
|
||||
payloads->destroy(payloads);
|
||||
return FAILED;
|
||||
}
|
||||
switch (notify_payload->get_notify_message_type(notify_payload))
|
||||
{
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|MORE, "Processing of notify type %s not yet implemented",
|
||||
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)));
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Payload type not supported!");
|
||||
|
|
|
@ -40,6 +40,7 @@
|
|||
#include <encoding/payloads/nonce_payload.h>
|
||||
#include <encoding/payloads/id_payload.h>
|
||||
#include <encoding/payloads/auth_payload.h>
|
||||
#include <encoding/payloads/cert_payload.h>
|
||||
#include <encoding/payloads/ts_payload.h>
|
||||
|
||||
/*
|
||||
|
@ -1052,6 +1053,58 @@ void test_generator_with_auth_payload(tester_t *tester)
|
|||
charon->logger_manager->destroy_logger(charon->logger_manager,logger);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
void test_generator_with_cert_payload(tester_t *tester)
|
||||
{
|
||||
generator_t *generator;
|
||||
cert_payload_t *cert_payload;
|
||||
logger_t *logger;
|
||||
chunk_t generated_data;
|
||||
chunk_t cert;
|
||||
|
||||
logger = charon->logger_manager->create_logger(charon->logger_manager,TESTER,"Message with CERT Payload");
|
||||
|
||||
/* create generator */
|
||||
generator = generator_create();
|
||||
tester->assert_true(tester,(generator != NULL), "generator create check");
|
||||
|
||||
cert_payload = cert_payload_create();
|
||||
|
||||
|
||||
cert.ptr = "123456789012";
|
||||
cert.len = strlen(cert.ptr);
|
||||
|
||||
cert_payload->set_cert_encoding(cert_payload,PGP_CERTIFICATE);
|
||||
cert_payload->set_data(cert_payload,cert);
|
||||
|
||||
generator->generate_payload(generator,(payload_t *)cert_payload);
|
||||
generator->write_to_chunk(generator,&generated_data);
|
||||
logger->log_chunk(logger,RAW,"generated payload",&generated_data);
|
||||
|
||||
u_int8_t expected_generation[] = {
|
||||
/* payload header */
|
||||
0x00,0x00,0x00,0x11,
|
||||
0x02,
|
||||
/* cert data */
|
||||
0x31,0x32,0x33,0x34,
|
||||
0x35,0x36,0x37,0x38,
|
||||
0x39,0x30,0x31,0x32,
|
||||
};
|
||||
|
||||
logger->log_bytes(logger,RAW,"expected payload",expected_generation,sizeof(expected_generation));
|
||||
|
||||
tester->assert_true(tester,(memcmp(expected_generation,generated_data.ptr,sizeof(expected_generation)) == 0), "compare generated data");
|
||||
|
||||
allocator_free_chunk(&generated_data);
|
||||
|
||||
cert_payload->destroy(cert_payload);
|
||||
generator->destroy(generator);
|
||||
|
||||
charon->logger_manager->destroy_logger(charon->logger_manager,logger);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in header.
|
||||
*/
|
||||
|
|
|
@ -116,6 +116,15 @@ void test_generator_with_id_payload(tester_t *tester);
|
|||
*/
|
||||
void test_generator_with_auth_payload(tester_t *tester);
|
||||
|
||||
/**
|
||||
* @brief Test function used to test the generator with CERT payload.
|
||||
*
|
||||
* @param tester associated tester_t object
|
||||
*
|
||||
* @ingroup testcases
|
||||
*/
|
||||
void test_generator_with_cert_payload(tester_t *tester);
|
||||
|
||||
/**
|
||||
* @brief Test function used to test the generator with TS payload.
|
||||
*
|
||||
|
|
|
@ -36,6 +36,7 @@
|
|||
#include <encoding/payloads/ke_payload.h>
|
||||
#include <encoding/payloads/notify_payload.h>
|
||||
#include <encoding/payloads/auth_payload.h>
|
||||
#include <encoding/payloads/cert_payload.h>
|
||||
#include <encoding/payloads/ts_payload.h>
|
||||
|
||||
|
||||
|
@ -691,3 +692,43 @@ void test_parser_with_ts_payload(tester_t *tester)
|
|||
|
||||
ts_payload->destroy(ts_payload);
|
||||
}
|
||||
|
||||
/*
|
||||
* Described in Header
|
||||
*/
|
||||
void test_parser_with_cert_payload(tester_t *tester)
|
||||
{
|
||||
parser_t *parser;
|
||||
cert_payload_t *cert_payload;
|
||||
status_t status;
|
||||
chunk_t cert_chunk, result;
|
||||
|
||||
u_int8_t cert_bytes[] = {
|
||||
0x00,0x00,0x00,0x11, /* payload header */
|
||||
0x03,
|
||||
0x04,0x05,0x06,0x07,/* 12 Byte nonce */
|
||||
0x08,0x09,0x0A,0x2B,
|
||||
0x0C,0x0D,0x0E,0x0F
|
||||
};
|
||||
|
||||
cert_chunk.ptr = cert_bytes;
|
||||
cert_chunk.len = sizeof(cert_bytes);
|
||||
|
||||
parser = parser_create(cert_chunk);
|
||||
tester->assert_true(tester,(parser != NULL), "parser create check");
|
||||
status = parser->parse_payload(parser, CERTIFICATE, (payload_t**)&cert_payload);
|
||||
tester->assert_true(tester,(status == SUCCESS),"parse_payload call check");
|
||||
parser->destroy(parser);
|
||||
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
return;
|
||||
}
|
||||
result = cert_payload->get_data_clone(cert_payload);
|
||||
tester->assert_true(tester,(cert_payload->get_cert_encoding(cert_payload) == DNS_SIGNED_KEY), "is DNS_SIGNED_KEY encoding");
|
||||
tester->assert_true(tester,(result.len == 12), "parsed data lenght");
|
||||
tester->assert_false(tester,(memcmp(cert_bytes + 5, result.ptr, result.len)), "parsed data");
|
||||
cert_payload->destroy(cert_payload);
|
||||
allocator_free_chunk(&result);
|
||||
}
|
||||
|
||||
|
|
|
@ -105,4 +105,14 @@ void test_parser_with_auth_payload(tester_t *tester);
|
|||
*/
|
||||
void test_parser_with_ts_payload(tester_t *tester);
|
||||
|
||||
/**
|
||||
* @brief Test function used to test the parser_t functionality when
|
||||
* parsing a CERT payload.
|
||||
*
|
||||
* @param tester associated tester_t object
|
||||
*
|
||||
* @ingroup testcases
|
||||
*/
|
||||
void test_parser_with_cert_payload(tester_t *tester);
|
||||
|
||||
#endif /*PARSER_TEST_H_*/
|
||||
|
|
|
@ -89,6 +89,7 @@ test_t generator_test8 = {test_generator_with_nonce_payload,"Generator: Nonce Pa
|
|||
test_t generator_test9 = {test_generator_with_id_payload,"Generator: ID Payload"};
|
||||
test_t generator_test10 = {test_generator_with_auth_payload,"Generator: AUTH Payload"};
|
||||
test_t generator_test11 = {test_generator_with_ts_payload,"Generator: TS Payload"};
|
||||
test_t generator_test12 = {test_generator_with_cert_payload,"Generator: CERT Payload"};
|
||||
test_t parser_test1 = {test_parser_with_header_payload, "Parser: header payload"};
|
||||
test_t parser_test2 = {test_parser_with_sa_payload, "Parser: sa payload"};
|
||||
test_t parser_test3 = {test_parser_with_nonce_payload, "Parser: nonce payload"};
|
||||
|
@ -97,6 +98,7 @@ test_t parser_test5 = {test_parser_with_notify_payload, "Parser: notify payload"
|
|||
test_t parser_test6 = {test_parser_with_id_payload, "Parser: ID payload"};
|
||||
test_t parser_test7 = {test_parser_with_auth_payload, "Parser: AUTH payload"};
|
||||
test_t parser_test8 = {test_parser_with_ts_payload, "Parser: TS payload"};
|
||||
test_t parser_test9 = {test_parser_with_cert_payload, "Parser: CERT payload"};
|
||||
test_t packet_test = {test_packet,"Packet"};
|
||||
test_t diffie_hellman_test = {test_diffie_hellman,"Diffie Hellman"};
|
||||
test_t sha1_hasher_test = {test_sha1_hasher,"SHA1 hasher"};
|
||||
|
@ -186,6 +188,7 @@ int main()
|
|||
&parser_test6,
|
||||
&parser_test7,
|
||||
&parser_test8,
|
||||
&parser_test9,
|
||||
&generator_test3,
|
||||
&generator_test4,
|
||||
&generator_test5,
|
||||
|
@ -195,6 +198,7 @@ int main()
|
|||
&generator_test9,
|
||||
&generator_test10,
|
||||
&generator_test11,
|
||||
&generator_test12,
|
||||
&ike_sa_manager_test,
|
||||
&packet_test,
|
||||
&diffie_hellman_test,
|
||||
|
@ -225,8 +229,8 @@ int main()
|
|||
tester_t *tester = tester_create(test_output, FALSE);
|
||||
|
||||
|
||||
// tester->perform_tests(tester,all_tests);
|
||||
tester->perform_test(tester,&rsa_test);
|
||||
tester->perform_tests(tester,all_tests);
|
||||
// tester->perform_test(tester,&parser_test9);
|
||||
|
||||
|
||||
tester->destroy(tester);
|
||||
|
|
|
@ -33,6 +33,7 @@
|
|||
#include <queues/jobs/incoming_packet_job.h>
|
||||
#include <queues/jobs/initiate_ike_sa_job.h>
|
||||
#include <queues/jobs/retransmit_request_job.h>
|
||||
#include <encoding/payloads/notify_payload.h>
|
||||
#include <utils/allocator.h>
|
||||
#include <utils/logger.h>
|
||||
|
||||
|
@ -115,20 +116,23 @@ struct private_thread_pool_t {
|
|||
*/
|
||||
static void process_jobs(private_thread_pool_t *this)
|
||||
{
|
||||
job_t *job;
|
||||
job_type_t job_type;
|
||||
timeval_t start_time;
|
||||
timeval_t end_time;
|
||||
|
||||
/* cancellation disabled by default */
|
||||
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
|
||||
|
||||
this->worker_logger->log(this->worker_logger, CONTROL, "worker thread running, thread_id: %u", (int)pthread_self());
|
||||
|
||||
for (;;) {
|
||||
job_t *job;
|
||||
job_type_t job_type;
|
||||
|
||||
job = charon->job_queue->get(charon->job_queue);
|
||||
job_type = job->get_type(job);
|
||||
this->worker_logger->log(this->worker_logger, CONTROL|MORE, "Process job of type %s",
|
||||
mapping_find(job_type_m,job_type));
|
||||
|
||||
gettimeofday(&start_time,NULL);
|
||||
switch (job_type)
|
||||
{
|
||||
case INCOMING_PACKET:
|
||||
|
@ -162,8 +166,11 @@ static void process_jobs(private_thread_pool_t *this)
|
|||
break;
|
||||
}
|
||||
}
|
||||
|
||||
this->worker_logger->log(this->worker_logger, CONTROL|MORE, "Processing of job finished");
|
||||
gettimeofday(&end_time,NULL);
|
||||
|
||||
this->worker_logger->log(this->worker_logger, CONTROL, "Processed job of type %s in %d us",
|
||||
mapping_find(job_type_m,job_type),
|
||||
(((end_time.tv_sec - start_time.tv_sec) * 1000000) + (end_time.tv_usec - start_time.tv_usec)));
|
||||
|
||||
|
||||
}
|
||||
|
@ -199,13 +206,43 @@ static void process_incoming_packet_job(private_thread_pool_t *this, incoming_pa
|
|||
|
||||
if ((message->get_major_version(message) != IKE_MAJOR_VERSION) ||
|
||||
(message->get_minor_version(message) != IKE_MINOR_VERSION))
|
||||
|
||||
{
|
||||
this->worker_logger->log(this->worker_logger, ERROR, "IKE version %d.%d not supported",
|
||||
message->get_major_version(message),
|
||||
message->get_minor_version(message));
|
||||
/*
|
||||
* TODO send notify reply of type INVALID_MAJOR_VERSION
|
||||
* TODO send notify reply of type INVALID_MAJOR_VERSION for requests of type IKE_SA_INIT.
|
||||
*
|
||||
* This check is not handled in state_t object of IKE_SA to increase speed.
|
||||
*/
|
||||
if ((message->get_exchange_type(message) == IKE_SA_INIT) && (message->get_request(message)))
|
||||
{
|
||||
message_t *response;
|
||||
message->get_ike_sa_id(message, &ike_sa_id);
|
||||
ike_sa_id->switch_initiator(ike_sa_id);
|
||||
response = message_create_notify_reply(message->get_destination(message),
|
||||
message->get_source(message),
|
||||
IKE_SA_INIT,
|
||||
FALSE,ike_sa_id,INVALID_MAJOR_VERSION);
|
||||
|
||||
message->destroy(message);
|
||||
ike_sa_id->destroy(ike_sa_id);
|
||||
status = response->generate(response, NULL, NULL, &packet);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->worker_logger->log(this->worker_logger, ERROR, "Could not generate packet from message");
|
||||
response->destroy(response);
|
||||
return;
|
||||
}
|
||||
this->worker_logger->log(this->worker_logger, ERROR, "Send notify reply of type INVALID_MAJOR_VERSION");
|
||||
charon->send_queue->add(charon->send_queue, packet);
|
||||
response->destroy(response);
|
||||
return;
|
||||
}
|
||||
message->destroy(message);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
message->get_ike_sa_id(message, &ike_sa_id);
|
||||
|
|
|
@ -178,6 +178,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
|
|||
case PRIME_POOL:
|
||||
break;
|
||||
case SCHEDULER:
|
||||
logger_level = 0;
|
||||
break;
|
||||
case SENDER:
|
||||
break;
|
||||
|
|
Loading…
Reference in New Issue