ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

- added payload CERT 

- cleaned code of different states
- added additional notify handling
This commit is contained in:
Jan Hutter 2005-12-05 12:21:38 +00:00
parent 3ebebc5e96
commit f6ba78c370
29 changed files with 861 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Source/charon/config/configuration_manager.c
View File

@ -355,9 +355,9 @@ static void load_default_config (private_configuration_manager_t *this)
this->add_new_configuration(this,"pinflb30",init_config2,sa_config2);
this->add_new_configuration(this,"localhost",init_config3,sa_config3);
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","das ist ein sicheres wort");
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","das ist ein sicheres wort");
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","das ist ein sicheres wort");
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","verschluesselt");
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","verschluesselt");
this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","verschluesselt");
this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "127.0.0.1", public_key_1, 256);
this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "152.96.193.131", public_key_2, 256);
@ -602,7 +602,7 @@ static void add_new_preshared_secret (private_configuration_manager_t *this,id_t
preshared_secret_entry_t *entry = allocator_alloc_thing(preshared_secret_entry_t);
entry->identification = identification_create_from_string(type,id_string);
entry->preshared_secret.len = strlen(preshared_secret);
entry->preshared_secret.len = strlen(preshared_secret) + 1;
entry->preshared_secret.ptr = allocator_alloc(entry->preshared_secret.len);
memcpy(entry->preshared_secret.ptr,preshared_secret,entry->preshared_secret.len);

4
Source/charon/daemon.c
View File

@ -155,10 +155,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
static void build_test_jobs(private_daemon_t *this)
{
int i;
for(i = 0; i<100; i++)
for(i = 0; i<1; i++)
{
initiate_ike_sa_job_t *initiate_job;
initiate_job = initiate_ike_sa_job_create("localhost");
initiate_job = initiate_ike_sa_job_create("pinflb30");
this->public.event_queue->add_relative(this->public.event_queue, (job_t*)initiate_job, i * 5000);
}
}

4
Source/charon/daemon.h
View File

@ -55,7 +55,7 @@
* Port on which the daemon will
* listen for incoming traffic.
*/
#define IKEV2_UDP_PORT 4500
#define IKEV2_UDP_PORT 500
/**
* First retransmit timeout in milliseconds.
@ -72,7 +72,7 @@
* maximum allowed level for ever context, the definiton
* of the context may be less verbose.
*/
#define DEFAULT_LOGLEVEL CONTROL
#define DEFAULT_LOGLEVEL CONTROL | ERROR
typedef struct daemon_t daemon_t;

14
Source/charon/encoding/generator.c
View File

@ -42,6 +42,7 @@
#include <encoding/payloads/nonce_payload.h>
#include <encoding/payloads/id_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/cert_payload.h>
#include <encoding/payloads/ts_payload.h>
@ -797,6 +798,19 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
break;
}
case CERT_DATA:
{
/* the AUTH Data value is generated from chunk */
this->generate_from_chunk(this, rules[i].offset);
u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
/* Length of nonce PAYLOAD is calculated */
u_int16_t length_of_cert_payload = CERT_PAYLOAD_HEADER_LENGTH + ((chunk_t *)(this->data_struct + rules[i].offset))->len;
u_int16_t int16_val = htons(length_of_cert_payload);
this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
break;
}
case PROPOSALS:
{
/* before iterative generate the transforms, store the current payload length position */

32
Source/charon/encoding/message.c
View File

@ -36,6 +36,11 @@
#include <encoding/payloads/payload.h>
#include <encoding/payloads/encryption_payload.h>
/**
* Max number of notify payloads per IKEv2 Message
*/
#define MAX_NOTIFY_PAYLOADS 10
typedef struct supported_payload_entry_t supported_payload_entry_t;
@ -109,6 +114,7 @@ struct message_rule_t {
*/
static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
{
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
{KEY_EXCHANGE,1,1,FALSE,FALSE},
{NONCE,1,1,FALSE,FALSE},
@ -119,7 +125,7 @@ static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
*/
static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
{
{NOTIFY,0,1,FALSE,TRUE},
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
{KEY_EXCHANGE,1,1,FALSE,FALSE},
{NONCE,1,1,FALSE,FALSE},
@ -130,6 +136,7 @@ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
*/
static supported_payload_entry_t supported_ike_auth_i_payloads[] =
{
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
{ID_INITIATOR,1,1,TRUE,FALSE},
{CERTIFICATE,0,1,TRUE,FALSE},
{CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
@ -145,7 +152,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
*/
static supported_payload_entry_t supported_ike_auth_r_payloads[] =
{
{NOTIFY,0,1,TRUE,TRUE},
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
{CERTIFICATE,0,1,TRUE,FALSE},
{ID_RESPONDER,1,1,TRUE,FALSE},
{AUTHENTICATION,1,1,TRUE,FALSE},
@ -1215,3 +1222,24 @@ message_t *message_create()
{
return message_create_from_packet(NULL);
}
/*
* Described in Header.
*/
message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type)
{
message_t *message = message_create_from_packet(NULL);
notify_payload_t *payload;
message->set_source(message, source->clone(source));
message->set_destination(message, destination->clone(destination));
message->set_exchange_type(message, exchange_type);
message->set_request(message, FALSE);
message->set_message_id(message,0);
message->set_ike_sa_id(message, ike_sa_id);
payload = notify_payload_create_from_protocol_and_type(IKE,notify_type);
message->add_payload(message,(payload_t *) payload);
return message;
}

26
Source/charon/encoding/message.h
View File

@ -27,6 +27,7 @@
#include <sa/ike_sa_id.h>
#include <network/packet.h>
#include <encoding/payloads/ike_header.h>
#include <encoding/payloads/notify_payload.h>
#include <utils/linked_list.h>
#include <transforms/crypters/crypter.h>
#include <transforms/signers/signer.h>
@ -140,22 +141,6 @@ struct message_t {
*/
exchange_type_t (*get_exchange_type) (message_t *this);
/**
* @brief Sets the original initiator flag.
*
* @param this message_t object
* @param original_initiator TRUE if message is from original initiator
*/
void (*set_original_initiator) (message_t *this,bool original_initiator);
/**
* @brief Gets original initiator flag.
*
* @param this message_t object
* @return TRUE if message is from original initiator, FALSE otherwise
*/
bool (*get_original_initiator) (message_t *this);
/**
* @brief Sets the request flag.
*
@ -340,4 +325,13 @@ message_t * message_create_from_packet(packet_t *packet);
*/
message_t * message_create();
/**
* Creates an message_t object of type reply containing a notify payload.
*
* @return created message_t object
*
* @ingroup encoding
*/
message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type);
#endif /*MESSAGE_H_*/

11
Source/charon/encoding/parser.c
View File

@ -43,6 +43,7 @@
#include <encoding/payloads/notify_payload.h>
#include <encoding/payloads/encryption_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/cert_payload.h>
#include <encoding/payloads/ts_payload.h>
@ -827,6 +828,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
break;
}
case CERT_DATA:
{
size_t data_length = payload_length - CERT_PAYLOAD_HEADER_LENGTH;
if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
{
pld->destroy(pld);
return PARSE_ERROR;
}
break;
}
case KEY_EXCHANGE_DATA:
{
size_t keydata_length = payload_length - KE_PAYLOAD_HEADER_LENGTH;

4
Source/charon/encoding/payloads/Makefile.payloads
View File

@ -41,6 +41,10 @@ $(BUILD_DIR)id_payload.o : $(PAYLOADS_DIR)id_payload.c $(PAYLOADS_DIR)id_payl
OBJS+= $(BUILD_DIR)auth_payload.o
$(BUILD_DIR)auth_payload.o : $(PAYLOADS_DIR)auth_payload.c $(PAYLOADS_DIR)auth_payload.h
$(CC) $(CFLAGS) -c -o $@ $<
OBJS+= $(BUILD_DIR)cert_payload.o
$(BUILD_DIR)cert_payload.o : $(PAYLOADS_DIR)cert_payload.c $(PAYLOADS_DIR)cert_payload.h
$(CC) $(CFLAGS) -c -o $@ $<
OBJS+= $(BUILD_DIR)ts_payload.o
$(BUILD_DIR)ts_payload.o : $(PAYLOADS_DIR)ts_payload.c $(PAYLOADS_DIR)ts_payload.h

284
Source/charon/encoding/payloads/cert_payload.c Normal file
View File

@ -0,0 +1,284 @@
/**
* @file cert_payload.c
*
* @brief Implementation of cert_payload_t.
*
*/
/*
* Copyright (C) 2005 Jan Hutter, Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "cert_payload.h"
#include <utils/allocator.h>
/**
* String mappings for cert_encoding_t.
*/
mapping_t cert_encoding_m[] = {
{PKCS7_WRAPPED_X509_CERTIFICATE, "PKCS7_WRAPPED_X509_CERTIFICATE"},
{PGP_CERTIFICATE, "PGP_CERTIFICATE"},
{DNS_SIGNED_KEY, "DNS_SIGNED_KEY"},
{X509_CERTIFICATE_SIGNATURE, "X509_CERTIFICATE_SIGNATURE"},
{KERBEROS_TOKEN, "KERBEROS_TOKEN"},
{CERTIFICATE_REVOCATION_LIST, "CERTIFICATE_REVOCATION_LIST"},
{AUTHORITY_REVOCATION_LIST, "AUTHORITY_REVOCATION_LIST"},
{SPKI_CERTIFICATE, "SPKI_CERTIFICATE"},
{X509_CERTIFICATE_ATTRIBUTE, "X509_CERTIFICATE_ATTRIBUTE"},
{RAW_SA_KEY, "RAW_SA_KEY"},
{HASH_AND_URL_X509_CERTIFICATE, "HASH_AND_URL_X509_CERTIFICATE"},
{HASH_AND_URL_X509_BUNDLE, "HASH_AND_URL_X509_BUNDLE"},
{MAPPING_END, NULL}
};
typedef struct private_cert_payload_t private_cert_payload_t;
/**
* Private data of an cert_payload_t object.
*
*/
struct private_cert_payload_t {
/**
* Public cert_payload_t interface.
*/
cert_payload_t public;
/**
* Next payload type.
*/
u_int8_t next_payload;
/**
* Critical flag.
*/
bool critical;
/**
* Length of this payload.
*/
u_int16_t payload_length;
/**
* Encoding of the CERT Data.
*/
u_int8_t cert_encoding;
/**
* The contained cert data value.
*/
chunk_t cert_data;
};
/**
* Encoding rules to parse or generate a CERT payload
*
* The defined offsets are the positions in a object of type
* private_cert_payload_t.
*
*/
encoding_rule_t cert_payload_encodings[] = {
/* 1 Byte next payload type, stored in the field next_payload */
{ U_INT_8, offsetof(private_cert_payload_t, next_payload) },
/* the critical bit */
{ FLAG, offsetof(private_cert_payload_t, critical) },
/* 7 Bit reserved bits, nowhere stored */
{ RESERVED_BIT, 0 },
{ RESERVED_BIT, 0 },
{ RESERVED_BIT, 0 },
{ RESERVED_BIT, 0 },
{ RESERVED_BIT, 0 },
{ RESERVED_BIT, 0 },
{ RESERVED_BIT, 0 },
/* Length of the whole payload*/
{ PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)},
/* 1 Byte CERT type*/
{ U_INT_8, offsetof(private_cert_payload_t, cert_encoding) },
/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
{ CERT_DATA, offsetof(private_cert_payload_t, cert_data) }
};
/*
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload !C! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Cert Encoding ! !
+-+-+-+-+-+-+-+-+ !
~ Certificate Data ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
/**
* Implementation of payload_t.verify.
*/
static status_t verify(private_cert_payload_t *this)
{
if (this->critical)
{
/* critical bit is set! */
return FAILED;
}
if ((this->cert_encoding == 0) ||
((this->cert_encoding >= 14) && (this->cert_encoding <= 200)))
{
/* reserved IDs */
return FAILED;
}
return SUCCESS;
}
/**
* Implementation of cert_payload_t.get_encoding_rules.
*/
static void get_encoding_rules(private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
{
*rules = cert_payload_encodings;
*rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
}
/**
* Implementation of payload_t.get_type.
*/
static payload_type_t get_payload_type(private_cert_payload_t *this)
{
return CERTIFICATE;
}
/**
* Implementation of payload_t.get_next_type.
*/
static payload_type_t get_next_type(private_cert_payload_t *this)
{
return (this->next_payload);
}
/**
* Implementation of payload_t.set_next_type.
*/
static void set_next_type(private_cert_payload_t *this,payload_type_t type)
{
this->next_payload = type;
}
/**
* Implementation of payload_t.get_length.
*/
static size_t get_length(private_cert_payload_t *this)
{
return this->payload_length;
}
/**
* Implementation of cert_payload_t.set_cert_encoding.
*/
static void set_cert_encoding (private_cert_payload_t *this, cert_encoding_t encoding)
{
this->cert_encoding = encoding;
}
/**
* Implementation of cert_payload_t.get_cert_encoding.
*/
static cert_encoding_t get_cert_encoding (private_cert_payload_t *this)
{
return (this->cert_encoding);
}
/**
* Implementation of cert_payload_t.set_data.
*/
static void set_data (private_cert_payload_t *this, chunk_t data)
{
if (this->cert_data.ptr != NULL)
{
allocator_free_chunk(&(this->cert_data));
}
this->cert_data.ptr = allocator_clone_bytes(data.ptr,data.len);
this->cert_data.len = data.len;
this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->cert_data.len;
}
/**
* Implementation of cert_payload_t.get_data.
*/
static chunk_t get_data (private_cert_payload_t *this)
{
return (this->cert_data);
}
/**
* Implementation of cert_payload_t.get_data_clone.
*/
static chunk_t get_data_clone (private_cert_payload_t *this)
{
chunk_t cloned_data;
if (this->cert_data.ptr == NULL)
{
return (this->cert_data);
}
cloned_data.ptr = allocator_clone_bytes(this->cert_data.ptr,this->cert_data.len);
cloned_data.len = this->cert_data.len;
return cloned_data;
}
/**
* Implementation of payload_t.destroy and cert_payload_t.destroy.
*/
static void destroy(private_cert_payload_t *this)
{
if (this->cert_data.ptr != NULL)
{
allocator_free_chunk(&(this->cert_data));
}
allocator_free(this);
}
/*
* Described in header
*/
cert_payload_t *cert_payload_create()
{
private_cert_payload_t *this = allocator_alloc_thing(private_cert_payload_t);
/* interface functions */
this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
/* public functions */
this->public.destroy = (void (*) (cert_payload_t *)) destroy;
this->public.set_cert_encoding = (void (*) (cert_payload_t *,cert_encoding_t)) set_cert_encoding;
this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t *)) get_cert_encoding;
this->public.set_data = (void (*) (cert_payload_t *,chunk_t)) set_data;
this->public.get_data_clone = (chunk_t (*) (cert_payload_t *)) get_data_clone;
this->public.get_data = (chunk_t (*) (cert_payload_t *)) get_data;
/* private variables */
this->critical = FALSE;
this->next_payload = NO_PAYLOAD;
this->payload_length =CERT_PAYLOAD_HEADER_LENGTH;
this->cert_data = CHUNK_INITIALIZER;
return (&(this->public));
}

143
Source/charon/encoding/payloads/cert_payload.h Normal file
View File

@ -0,0 +1,143 @@
/**
* @file cert_payload.h
*
* @brief Interface of cert_payload_t.
*
*/
/*
* Copyright (C) 2005 Jan Hutter, Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _CERT_PAYLOAD_H_
#define _CERT_PAYLOAD_H_
#include <types.h>
#include <encoding/payloads/payload.h>
/**
* Length of a cert payload without the cert data in bytes.
*
* @ingroup payloads
*/
#define CERT_PAYLOAD_HEADER_LENGTH 5
typedef enum cert_encoding_t cert_encoding_t;
/**
* Cert Encoding.
*
* @ingroup payloads
*/
enum cert_encoding_t {
PKCS7_WRAPPED_X509_CERTIFICATE = 1,
PGP_CERTIFICATE = 2,
DNS_SIGNED_KEY = 3,
X509_CERTIFICATE_SIGNATURE = 4,
KERBEROS_TOKEN = 6,
CERTIFICATE_REVOCATION_LIST = 7,
AUTHORITY_REVOCATION_LIST = 8,
SPKI_CERTIFICATE = 9,
X509_CERTIFICATE_ATTRIBUTE = 10,
RAW_SA_KEY = 11,
HASH_AND_URL_X509_CERTIFICATE = 12,
HASH_AND_URL_X509_BUNDLE = 13
};
extern mapping_t cert_encoding_m[];
typedef struct cert_payload_t cert_payload_t;
/**
* Object representing an IKEv2 CERT payload.
*
* The CERT payload format is described in draft section 3.6.
*
* @ingroup payloads
*
*/
struct cert_payload_t {
/**
* The payload_t interface.
*/
payload_t payload_interface;
/**
* @brief Set the CERT encoding.
*
*
* @param this calling cert_payload_t object
* @param encoding CERT encoding
*/
void (*set_cert_encoding) (cert_payload_t *this, cert_encoding_t encoding);
/**
* @brief Get the CERT encoding.
*
* @param this calling cert_payload_t object
* @return Encoding of the CERT
*/
cert_encoding_t (*get_cert_encoding) (cert_payload_t *this);
/**
* @brief Set the CERT data.
*
* Data are getting cloned.
*
* @param this calling cert_payload_t object
* @param data CERT data as chunk_t
*/
void (*set_data) (cert_payload_t *this, chunk_t data);
/**
* @brief Get the CERT data.
*
* Returned data are a copy of the internal one.
*
* @param this calling cert_payload_t object
* @return CERT data as chunk_t
*/
chunk_t (*get_data_clone) (cert_payload_t *this);
/**
* @brief Get the CERT data.
*
* Returned data are NOT copied.
*
* @param this calling cert_payload_t object
* @return CERT data as chunk_t
*/
chunk_t (*get_data) (cert_payload_t *this);
/**
* @brief Destroys an cert_payload_t object.
*
* @param this cert_payload_t object to destroy
*/
void (*destroy) (cert_payload_t *this);
};
/**
* @brief Creates an empty cert_payload_t object.
*
* @return created cert_payload_t object
*
* @ingroup payloads
*/
cert_payload_t *cert_payload_create();
#endif //_CERT_PAYLOAD_H_

10
Source/charon/encoding/payloads/encodings.h
View File

@ -367,6 +367,16 @@ enum encoding_type_t{
* When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
*/
AUTH_DATA,
/**
* Representating a CERT Data field.
*
* When generating the content of the chunkt pointing to
* is written.
*
* When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
*/
CERT_DATA,
/**
* Representating an IKE_SPI field in an IKEv2 Header.

12
Source/charon/encoding/payloads/ike_header.c
View File

@ -186,18 +186,6 @@ static status_t verify(private_ike_header_t *this)
return FAILED;
}
if ((this->responder_spi == 0) && (!this->flags.initiator))
{
/* must be original initiator*/
return FAILED;
}
if ((this->responder_spi == 0) && (this->flags.response))
{
/* must be request*/
return FAILED;
}
/* verification of version is not done in here */
return SUCCESS;

7
Source/charon/encoding/payloads/notify_payload.c
View File

@ -36,7 +36,7 @@ mapping_t notify_message_type_m[] = {
{INVALID_IKE_SPI, "INVALID_IKE_SPI"},
{INVALID_MAJOR_VERSION, "INVALID_MAJOR_VERSION"},
{INVALID_SYNTAX, "INVALID_SYNTAX"},
{INVALID_MESSAGE_ID, "MODP_2048_BIT"},
{INVALID_MESSAGE_ID, "INVALID_MESSAGE_ID"},
{INVALID_SPI, "INVALID_SPI"},
{NO_PROPOSAL_CHOSEN, "NO_PROPOSAL_CHOSEN"},
{INVALID_KE_PAYLOAD, "INVALID_KE_PAYLOAD"},
@ -47,6 +47,11 @@ mapping_t notify_message_type_m[] = {
{FAILED_CP_REQUIRED, "FAILED_CP_REQUIRED"},
{TS_UACCEPTABLE, "TS_UACCEPTABLE"},
{INVALID_SELECTORS, "INVALID_SELECTORS"},
/* status messages */
{INITIAL_CONTACT, "INITIAL_CONTACT"},
{SET_WINDOW_SIZE, "SET_WINDOW_SIZE"},
{MAPPING_END, NULL}
};

5
Source/charon/encoding/payloads/notify_payload.h
View File

@ -68,7 +68,10 @@ enum notify_message_type_t {
INTERNAL_ADDRESS_FAILURE = 36,
FAILED_CP_REQUIRED = 37,
TS_UACCEPTABLE = 38,
INVALID_SELECTORS = 39
INVALID_SELECTORS = 39,
INITIAL_CONTACT = 16384,
SET_WINDOW_SIZE = 16385
};
/**

3
Source/charon/encoding/payloads/payload.c
View File

@ -31,6 +31,7 @@
#include <encoding/payloads/ke_payload.h>
#include <encoding/payloads/notify_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/cert_payload.h>
#include <encoding/payloads/encryption_payload.h>
#include <encoding/payloads/ts_payload.h>
@ -88,6 +89,8 @@ payload_t *payload_create(payload_type_t type)
return (payload_t*)id_payload_create(FALSE);
case AUTHENTICATION:
return (payload_t*)auth_payload_create();
case CERTIFICATE:
return (payload_t*)cert_payload_create();
case TRAFFIC_SELECTOR_SUBSTRUCTURE:
return (payload_t*)traffic_selector_substructure_create();
case TRAFFIC_SELECTOR_INITIATOR:

32
Source/charon/sa/authenticator.c
View File

@ -102,7 +102,12 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
{
chunk_t id_chunk = my_id->get_data(my_id);
u_int8_t id_with_header[4 + id_chunk.len];
chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header) };
/*
* IKEv2 for linux is not compatible with IKEv2 Draft and so not compatible with this
* implementation, cause AUTH data are computed without
* ID type and the three reserved bytes.
*/
chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header)};
u_int8_t *current_pos;
chunk_t octets;
@ -123,6 +128,7 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag
{
this->prf->set_key(this->prf,this->ike_sa->get_key_pr(this->ike_sa));
}
/* 4 bytes are id type and reserved fields of id payload */
octets.len = last_message.len + other_nonce.len + this->prf->get_block_size(this->prf);
@ -167,13 +173,12 @@ static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t
/**
* Implementation of authenticator_t.verify_auth_data.
*/
static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator,bool *verified)
static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator)
{
switch(auth_payload->get_auth_method(auth_payload))
{
case SHARED_KEY_MESSAGE_INTEGRITY_CODE:
{
identification_t *other_id = other_id_payload->get_identification(other_id_payload);
chunk_t auth_data = auth_payload->get_data(auth_payload);
chunk_t preshared_secret;
@ -190,20 +195,19 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
if (auth_data.len != my_auth_data.len)
{
*verified = FALSE;
allocator_free_chunk(&my_auth_data);
return SUCCESS;
return FAILED;
}
if (memcmp(auth_data.ptr,my_auth_data.ptr,my_auth_data.len) == 0)
{
*verified = TRUE;
status = SUCCESS;
}
else
{
*verified = FALSE;
status = FAILED;
}
allocator_free_chunk(&my_auth_data);
return SUCCESS;
allocator_free_chunk(&my_auth_data);
return status;
}
case RSA_DIGITAL_SIGNATURE:
{
@ -224,14 +228,6 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *
octets = this->allocate_octets(this,last_received_packet,my_nonce,other_id_payload,initiator);
status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
if (status == SUCCESS)
{
*verified = TRUE;
}
else
{
*verified = FALSE;
}
allocator_free_chunk(&octets);
return status;
@ -329,7 +325,7 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa)
/* Public functions */
this->public.destroy = (void(*)(authenticator_t*))destroy;
this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool,bool *)) verify_auth_data;
this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool)) verify_auth_data;
this->public.compute_auth_data = (status_t (*) (authenticator_t *,auth_payload_t **, chunk_t ,chunk_t ,id_payload_t *,bool)) compute_auth_data;
/* private functions */

7
Source/charon/sa/authenticator.h
View File

@ -60,12 +60,10 @@ struct authenticator_t {
* @param my_nonce The sent nonce (without payload header)
* @param other_id_payload The ID payload received from other peer
* @param initiator Type of other peer. TRUE, if it is original initiator, FALSE otherwise
* @param[out] verified
* - TRUE, if verification succeeded
* - FALSE, if verification data could not be verified
*
* @return
* - SUCCESS if verification could be processed (does not mean the data could be verified)
* - FAILED if verification failed
* - NOT_SUPPORTED if AUTH method not supported
* - NOT_FOUND if the data for specific AUTH method could not be found (e.g. shared secret, rsa key)
* - TODO rsa errors!!
@ -75,8 +73,7 @@ struct authenticator_t {
chunk_t last_received_packet,
chunk_t my_nonce,
id_payload_t *other_id_payload,
bool initiator,
bool *verified);
bool initiator);
/**
* @brief Computes authentication data and creates specific AUTH payload.

31
Source/charon/sa/states/ike_auth_requested.c
View File

@ -194,13 +194,33 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
if (notify_payload->get_protocol_id(notify_payload) != IKE)
{
this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol.");
this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol");
payloads->destroy(payloads);
return FAILED;
}
switch (notify_payload->get_notify_message_type(notify_payload))
{
case INVALID_SYNTAX:
{
this->logger->log(this->logger, ERROR, "Going to destroy IKE_SA");
payloads->destroy(payloads);
return DELETE_ME;
}
case AUTHENTICATION_FAILED:
{
this->logger->log(this->logger, ERROR, "Keys invalid?. Going to destroy IKE_SA");
payloads->destroy(payloads);
return DELETE_ME;
}
case SINGLE_PAIR_REQUIRED:
{
this->logger->log(this->logger, ERROR, "Please reconfigure CHILD_SA. Going to destroy IKE_SA");
payloads->destroy(payloads);
return DELETE_ME;
}
default:
{
/*
@ -348,12 +368,11 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
{
authenticator_t *authenticator;
status_t status;
bool verified;
/* TODO VERIFY auth here */
authenticator = authenticator_create(this->ike_sa);
status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE,&verified);
status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
@ -361,12 +380,6 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
return FAILED;
}
if (!verified)
{
this->logger->log(this->logger, ERROR | MORE, "AUTH data could not be verified");
return FAILED;
}
this->logger->log(this->logger, CONTROL | MORE, "AUTH data verified");
return SUCCESS;
}

8
Source/charon/sa/states/ike_sa_init_requested.c
View File

@ -251,10 +251,16 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
{
case NO_PROPOSAL_CHOSEN:
{
this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!!!");
this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!");
payloads->destroy(payloads);
return DELETE_ME;
}
case INVALID_MAJOR_VERSION:
{
this->logger->log(this->logger, ERROR, "Peer doesn't support IKEv2!");
payloads->destroy(payloads);
return DELETE_ME;
}
case INVALID_KE_PAYLOAD:
{
initiator_init_t *initiator_init_state;

106
Source/charon/sa/states/ike_sa_init_responded.c
View File

@ -29,6 +29,7 @@
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/id_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/notify_payload.h>
#include <transforms/signers/signer.h>
#include <transforms/crypters/crypter.h>
#include <sa/states/ike_sa_established.h>
@ -87,6 +88,15 @@ struct private_ike_sa_init_responded_t {
status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response);
status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response);
status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response);
/**
* Sends a IKE_AUTH reply with a notify payload.
*
* @param this calling object
* @param type type of notify message
* @param data data of notify message
*/
void (*send_notify_reply) (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data);
};
/**
@ -103,6 +113,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
auth_payload_t *auth_request;
sa_payload_t *sa_request;
ts_payload_t *tsi_request, *tsr_request;
notify_payload_t *notify_payload = NULL;
message_t *response;
exchange_type = request->get_exchange_type(request);
@ -181,17 +192,54 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
tsr_request = (ts_payload_t*)payload;
break;
}
case NOTIFY:
{
notify_payload = (notify_payload_t *) payload;
break;
}
default:
{
this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload)));
payloads->destroy(payloads);
return FAILED;
return DELETE_ME;
}
}
}
/* iterator can be destroyed */
payloads->destroy(payloads);
if (notify_payload != NULL)
{
this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
if (notify_payload->get_protocol_id(notify_payload) != IKE)
{
this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol.");
payloads->destroy(payloads);
return DELETE_ME;
}
switch (notify_payload->get_notify_message_type(notify_payload))
{
case SET_WINDOW_SIZE:
/*
* TODO Increase window size.
*/
case INITIAL_CONTACT:
/*
* TODO Delete existing IKE_SA's with other Identity.
*/
default:
{
this->logger->log(this->logger, CONTROL|MORE, "Handling of notify type %s not implemented",
notify_payload->get_notify_message_type(notify_payload));
}
}
}
/* build response */
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
@ -351,25 +399,24 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
authenticator_t *authenticator;
auth_payload_t *auth_reply;
status_t status;
bool verified;
authenticator = authenticator_create(this->ike_sa);
status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE,&verified);
status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status));
authenticator->destroy(authenticator);
/*
* Send notify message of type AUTHENTICATION_FAILED
*/
this->logger->log(this->logger, CONTROL | MORE, "Send notify message of type AUTHENTICATION_FAILED");
this->send_notify_reply (this,AUTHENTICATION_FAILED,CHUNK_INITIALIZER);
return status;
}
if (!verified)
{
this->logger->log(this->logger, ERROR, "Verification of AUTH failed.");
authenticator->destroy(authenticator);
return FAILED;
}
status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE);
authenticator->destroy(authenticator);
@ -431,6 +478,44 @@ static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_
return status;
}
/**
* Implementation of private_responder_init_t.send_notify_reply.
*/
static void send_notify_reply (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data)
{
notify_payload_t *payload;
message_t *response;
packet_t *packet;
status_t status;
this->logger->log(this->logger, CONTROL|MOST, "Going to build message with notify payload");
/* set up the reply */
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response);
payload = notify_payload_create_from_protocol_and_type(IKE,type);
if ((data.ptr != NULL) && (data.len > 0))
{
this->logger->log(this->logger, CONTROL|MOST, "Add Data to notify payload");
payload->set_notification_data(payload,data);
}
this->logger->log(this->logger, CONTROL|MOST, "Add Notify payload to message");
response->add_payload(response,(payload_t *) payload);
/* generate packet */
this->logger->log(this->logger, CONTROL|MOST, "Gnerate packet from message");
status = response->generate(response, NULL, NULL, &packet);
if (status != SUCCESS)
{
this->logger->log(this->logger, ERROR, "Could not generate packet from message");
return;
}
this->logger->log(this->logger, CONTROL|MOST, "Add packet to global send queue");
charon->send_queue->add(charon->send_queue, packet);
this->logger->log(this->logger, CONTROL|MOST, "Destroy message");
response->destroy(response);
}
/**
* Implements state_t.get_state
*/
@ -475,6 +560,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
this->build_sa_payload = build_sa_payload;
this->build_auth_payload = build_auth_payload;
this->build_ts_payload = build_ts_payload;
this->send_notify_reply = send_notify_reply;
/* private data */
this->ike_sa = ike_sa;

5
Source/charon/sa/states/initiator_init.c
View File

@ -117,7 +117,8 @@ struct private_initiator_init_t {
void (*build_nonce_payload) (private_initiator_init_t *this, payload_t **payload);
/**
* Destroy function called internally of this class after state change succeeded.
* Destroy function called internally of this class after state change to state
* IKE_SA_INIT_REQUESTED succeeded.
*
* This destroy function does not destroy objects which were passed to the new state.
*
@ -164,7 +165,7 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name)
this->dh_group_number = init_config->get_dh_group_number(init_config,this->dh_group_priority);
if (this->dh_group_number == MODP_UNDEFINED)
{
this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority);
this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority);
return DELETE_ME;
}

29
Source/charon/sa/states/responder_init.c
View File

@ -189,6 +189,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
{
/* no configuration matches given host */
this->logger->log(this->logger, ERROR | MORE, "No INIT configuration found for given remote and local hosts");
return DELETE_ME;
}
@ -243,7 +244,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
{
this->logger->log(this->logger, ERROR | MORE, "No proposal of suggested proposals selected");
payloads->destroy(payloads);
this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER);
return DELETE_ME;
}
@ -258,7 +259,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
}
this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed");
/* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
break;
}
case KEY_EXCHANGE:
@ -321,6 +321,31 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
this->logger->log(this->logger, CONTROL | MORE, "Nonce Payload processed");
break;
}
case NOTIFY:
{
notify_payload_t *notify_payload = (notify_payload_t *) payload;
this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s",
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)),
mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
if (notify_payload->get_protocol_id(notify_payload) != IKE)
{
this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol.");
payloads->destroy(payloads);
return FAILED;
}
switch (notify_payload->get_notify_message_type(notify_payload))
{
default:
{
this->logger->log(this->logger, CONTROL|MORE, "Processing of notify type %s not yet implemented",
mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)));
break;
}
}
}
default:
{
this->logger->log(this->logger, ERROR | MORE, "Payload type not supported!");

53
Source/charon/testcases/generator_test.c
View File

@ -40,6 +40,7 @@
#include <encoding/payloads/nonce_payload.h>
#include <encoding/payloads/id_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/cert_payload.h>
#include <encoding/payloads/ts_payload.h>
/*
@ -1052,6 +1053,58 @@ void test_generator_with_auth_payload(tester_t *tester)
charon->logger_manager->destroy_logger(charon->logger_manager,logger);
}
/*
* Described in header.
*/
void test_generator_with_cert_payload(tester_t *tester)
{
generator_t *generator;
cert_payload_t *cert_payload;
logger_t *logger;
chunk_t generated_data;
chunk_t cert;
logger = charon->logger_manager->create_logger(charon->logger_manager,TESTER,"Message with CERT Payload");
/* create generator */
generator = generator_create();
tester->assert_true(tester,(generator != NULL), "generator create check");
cert_payload = cert_payload_create();
cert.ptr = "123456789012";
cert.len = strlen(cert.ptr);
cert_payload->set_cert_encoding(cert_payload,PGP_CERTIFICATE);
cert_payload->set_data(cert_payload,cert);
generator->generate_payload(generator,(payload_t *)cert_payload);
generator->write_to_chunk(generator,&generated_data);
logger->log_chunk(logger,RAW,"generated payload",&generated_data);
u_int8_t expected_generation[] = {
/* payload header */
0x00,0x00,0x00,0x11,
0x02,
/* cert data */
0x31,0x32,0x33,0x34,
0x35,0x36,0x37,0x38,
0x39,0x30,0x31,0x32,
};
logger->log_bytes(logger,RAW,"expected payload",expected_generation,sizeof(expected_generation));
tester->assert_true(tester,(memcmp(expected_generation,generated_data.ptr,sizeof(expected_generation)) == 0), "compare generated data");
allocator_free_chunk(&generated_data);
cert_payload->destroy(cert_payload);
generator->destroy(generator);
charon->logger_manager->destroy_logger(charon->logger_manager,logger);
}
/*
* Described in header.
*/

9
Source/charon/testcases/generator_test.h
View File

@ -116,6 +116,15 @@ void test_generator_with_id_payload(tester_t *tester);
*/
void test_generator_with_auth_payload(tester_t *tester);
/**
* @brief Test function used to test the generator with CERT payload.
*
* @param tester associated tester_t object
*
* @ingroup testcases
*/
void test_generator_with_cert_payload(tester_t *tester);
/**
* @brief Test function used to test the generator with TS payload.
*

41
Source/charon/testcases/parser_test.c
View File

@ -36,6 +36,7 @@
#include <encoding/payloads/ke_payload.h>
#include <encoding/payloads/notify_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/cert_payload.h>
#include <encoding/payloads/ts_payload.h>
@ -691,3 +692,43 @@ void test_parser_with_ts_payload(tester_t *tester)
ts_payload->destroy(ts_payload);
}
/*
* Described in Header
*/
void test_parser_with_cert_payload(tester_t *tester)
{
parser_t *parser;
cert_payload_t *cert_payload;
status_t status;
chunk_t cert_chunk, result;
u_int8_t cert_bytes[] = {
0x00,0x00,0x00,0x11, /* payload header */
0x03,
0x04,0x05,0x06,0x07,/* 12 Byte nonce */
0x08,0x09,0x0A,0x2B,
0x0C,0x0D,0x0E,0x0F
};
cert_chunk.ptr = cert_bytes;
cert_chunk.len = sizeof(cert_bytes);
parser = parser_create(cert_chunk);
tester->assert_true(tester,(parser != NULL), "parser create check");
status = parser->parse_payload(parser, CERTIFICATE, (payload_t**)&cert_payload);
tester->assert_true(tester,(status == SUCCESS),"parse_payload call check");
parser->destroy(parser);
if (status != SUCCESS)
{
return;
}
result = cert_payload->get_data_clone(cert_payload);
tester->assert_true(tester,(cert_payload->get_cert_encoding(cert_payload) == DNS_SIGNED_KEY), "is DNS_SIGNED_KEY encoding");
tester->assert_true(tester,(result.len == 12), "parsed data lenght");
tester->assert_false(tester,(memcmp(cert_bytes + 5, result.ptr, result.len)), "parsed data");
cert_payload->destroy(cert_payload);
allocator_free_chunk(&result);
}

10
Source/charon/testcases/parser_test.h
View File

@ -105,4 +105,14 @@ void test_parser_with_auth_payload(tester_t *tester);
*/
void test_parser_with_ts_payload(tester_t *tester);
/**
* @brief Test function used to test the parser_t functionality when
* parsing a CERT payload.
*
* @param tester associated tester_t object
*
* @ingroup testcases
*/
void test_parser_with_cert_payload(tester_t *tester);
#endif /*PARSER_TEST_H_*/

8
Source/charon/testcases/testcases.c
View File

@ -89,6 +89,7 @@ test_t generator_test8 = {test_generator_with_nonce_payload,"Generator: Nonce Pa
test_t generator_test9 = {test_generator_with_id_payload,"Generator: ID Payload"};
test_t generator_test10 = {test_generator_with_auth_payload,"Generator: AUTH Payload"};
test_t generator_test11 = {test_generator_with_ts_payload,"Generator: TS Payload"};
test_t generator_test12 = {test_generator_with_cert_payload,"Generator: CERT Payload"};
test_t parser_test1 = {test_parser_with_header_payload, "Parser: header payload"};
test_t parser_test2 = {test_parser_with_sa_payload, "Parser: sa payload"};
test_t parser_test3 = {test_parser_with_nonce_payload, "Parser: nonce payload"};
@ -97,6 +98,7 @@ test_t parser_test5 = {test_parser_with_notify_payload, "Parser: notify payload"
test_t parser_test6 = {test_parser_with_id_payload, "Parser: ID payload"};
test_t parser_test7 = {test_parser_with_auth_payload, "Parser: AUTH payload"};
test_t parser_test8 = {test_parser_with_ts_payload, "Parser: TS payload"};
test_t parser_test9 = {test_parser_with_cert_payload, "Parser: CERT payload"};
test_t packet_test = {test_packet,"Packet"};
test_t diffie_hellman_test = {test_diffie_hellman,"Diffie Hellman"};
test_t sha1_hasher_test = {test_sha1_hasher,"SHA1 hasher"};
@ -186,6 +188,7 @@ int main()
&parser_test6,
&parser_test7,
&parser_test8,
&parser_test9,
&generator_test3,
&generator_test4,
&generator_test5,
@ -195,6 +198,7 @@ int main()
&generator_test9,
&generator_test10,
&generator_test11,
&generator_test12,
&ike_sa_manager_test,
&packet_test,
&diffie_hellman_test,
@ -225,8 +229,8 @@ int main()
tester_t *tester = tester_create(test_output, FALSE);
// tester->perform_tests(tester,all_tests);
tester->perform_test(tester,&rsa_test);
tester->perform_tests(tester,all_tests);
// tester->perform_test(tester,&parser_test9);
tester->destroy(tester);

49
Source/charon/threads/thread_pool.c
View File

@ -33,6 +33,7 @@
#include <queues/jobs/incoming_packet_job.h>
#include <queues/jobs/initiate_ike_sa_job.h>
#include <queues/jobs/retransmit_request_job.h>
#include <encoding/payloads/notify_payload.h>
#include <utils/allocator.h>
#include <utils/logger.h>
@ -115,20 +116,23 @@ struct private_thread_pool_t {
*/
static void process_jobs(private_thread_pool_t *this)
{
job_t *job;
job_type_t job_type;
timeval_t start_time;
timeval_t end_time;
/* cancellation disabled by default */
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
this->worker_logger->log(this->worker_logger, CONTROL, "worker thread running, thread_id: %u", (int)pthread_self());
for (;;) {
job_t *job;
job_type_t job_type;
job = charon->job_queue->get(charon->job_queue);
job_type = job->get_type(job);
this->worker_logger->log(this->worker_logger, CONTROL|MORE, "Process job of type %s",
mapping_find(job_type_m,job_type));
gettimeofday(&start_time,NULL);
switch (job_type)
{
case INCOMING_PACKET:
@ -162,8 +166,11 @@ static void process_jobs(private_thread_pool_t *this)
break;
}
}
this->worker_logger->log(this->worker_logger, CONTROL|MORE, "Processing of job finished");
gettimeofday(&end_time,NULL);
this->worker_logger->log(this->worker_logger, CONTROL, "Processed job of type %s in %d us",
mapping_find(job_type_m,job_type),
(((end_time.tv_sec - start_time.tv_sec) * 1000000) + (end_time.tv_usec - start_time.tv_usec)));
}
@ -199,13 +206,43 @@ static void process_incoming_packet_job(private_thread_pool_t *this, incoming_pa
if ((message->get_major_version(message) != IKE_MAJOR_VERSION) ||
(message->get_minor_version(message) != IKE_MINOR_VERSION))
{
this->worker_logger->log(this->worker_logger, ERROR, "IKE version %d.%d not supported",
message->get_major_version(message),
message->get_minor_version(message));
/*
* TODO send notify reply of type INVALID_MAJOR_VERSION
* TODO send notify reply of type INVALID_MAJOR_VERSION for requests of type IKE_SA_INIT.
*
* This check is not handled in state_t object of IKE_SA to increase speed.
*/
if ((message->get_exchange_type(message) == IKE_SA_INIT) && (message->get_request(message)))
{
message_t *response;
message->get_ike_sa_id(message, &ike_sa_id);
ike_sa_id->switch_initiator(ike_sa_id);
response = message_create_notify_reply(message->get_destination(message),
message->get_source(message),
IKE_SA_INIT,
FALSE,ike_sa_id,INVALID_MAJOR_VERSION);
message->destroy(message);
ike_sa_id->destroy(ike_sa_id);
status = response->generate(response, NULL, NULL, &packet);
if (status != SUCCESS)
{
this->worker_logger->log(this->worker_logger, ERROR, "Could not generate packet from message");
response->destroy(response);
return;
}
this->worker_logger->log(this->worker_logger, ERROR, "Send notify reply of type INVALID_MAJOR_VERSION");
charon->send_queue->add(charon->send_queue, packet);
response->destroy(response);
return;
}
message->destroy(message);
return;
}
message->get_ike_sa_id(message, &ike_sa_id);

1
Source/charon/utils/logger_manager.c
View File

@ -178,6 +178,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
case PRIME_POOL:
break;
case SCHEDULER:
logger_level = 0;
break;
case SENDER:
break;