diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/configuration_manager.c index 94be4b5f7..83f68eafc 100644 --- a/Source/charon/config/configuration_manager.c +++ b/Source/charon/config/configuration_manager.c @@ -355,9 +355,9 @@ static void load_default_config (private_configuration_manager_t *this) this->add_new_configuration(this,"pinflb30",init_config2,sa_config2); this->add_new_configuration(this,"localhost",init_config3,sa_config3); - this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","das ist ein sicheres wort"); - this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","das ist ein sicheres wort"); - this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","das ist ein sicheres wort"); + this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.130","verschluesselt"); + this->add_new_preshared_secret(this,ID_IPV4_ADDR, "152.96.193.131","verschluesselt"); + this->add_new_preshared_secret(this,ID_IPV4_ADDR, "127.0.0.1","verschluesselt"); this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "127.0.0.1", public_key_1, 256); this->add_new_rsa_public_key(this,ID_IPV4_ADDR, "152.96.193.131", public_key_2, 256); @@ -602,7 +602,7 @@ static void add_new_preshared_secret (private_configuration_manager_t *this,id_t preshared_secret_entry_t *entry = allocator_alloc_thing(preshared_secret_entry_t); entry->identification = identification_create_from_string(type,id_string); - entry->preshared_secret.len = strlen(preshared_secret); + entry->preshared_secret.len = strlen(preshared_secret) + 1; entry->preshared_secret.ptr = allocator_alloc(entry->preshared_secret.len); memcpy(entry->preshared_secret.ptr,preshared_secret,entry->preshared_secret.len); diff --git a/Source/charon/daemon.c b/Source/charon/daemon.c index d015a955d..a58525356 100644 --- a/Source/charon/daemon.c +++ b/Source/charon/daemon.c @@ -155,10 +155,10 @@ static void kill_daemon(private_daemon_t *this, char *reason) static void build_test_jobs(private_daemon_t *this) { int i; - for(i = 0; i<100; i++) + for(i = 0; i<1; i++) { initiate_ike_sa_job_t *initiate_job; - initiate_job = initiate_ike_sa_job_create("localhost"); + initiate_job = initiate_ike_sa_job_create("pinflb30"); this->public.event_queue->add_relative(this->public.event_queue, (job_t*)initiate_job, i * 5000); } } diff --git a/Source/charon/daemon.h b/Source/charon/daemon.h index 3e010de2d..6173b6d08 100644 --- a/Source/charon/daemon.h +++ b/Source/charon/daemon.h @@ -55,7 +55,7 @@ * Port on which the daemon will * listen for incoming traffic. */ -#define IKEV2_UDP_PORT 4500 +#define IKEV2_UDP_PORT 500 /** * First retransmit timeout in milliseconds. @@ -72,7 +72,7 @@ * maximum allowed level for ever context, the definiton * of the context may be less verbose. */ -#define DEFAULT_LOGLEVEL CONTROL +#define DEFAULT_LOGLEVEL CONTROL | ERROR typedef struct daemon_t daemon_t; diff --git a/Source/charon/encoding/generator.c b/Source/charon/encoding/generator.c index cfc96f4b2..b50e7fffb 100644 --- a/Source/charon/encoding/generator.c +++ b/Source/charon/encoding/generator.c @@ -42,6 +42,7 @@ #include #include #include +#include #include @@ -797,6 +798,19 @@ static void generate_payload (private_generator_t *this,payload_t *payload) this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset); break; } + case CERT_DATA: + { + /* the AUTH Data value is generated from chunk */ + this->generate_from_chunk(this, rules[i].offset); + + u_int32_t payload_length_position_offset = this->last_payload_length_position_offset; + /* Length of nonce PAYLOAD is calculated */ + u_int16_t length_of_cert_payload = CERT_PAYLOAD_HEADER_LENGTH + ((chunk_t *)(this->data_struct + rules[i].offset))->len; + u_int16_t int16_val = htons(length_of_cert_payload); + + this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset); + break; + } case PROPOSALS: { /* before iterative generate the transforms, store the current payload length position */ diff --git a/Source/charon/encoding/message.c b/Source/charon/encoding/message.c index c46918ed3..8c7969042 100644 --- a/Source/charon/encoding/message.c +++ b/Source/charon/encoding/message.c @@ -36,6 +36,11 @@ #include #include +/** + * Max number of notify payloads per IKEv2 Message + */ +#define MAX_NOTIFY_PAYLOADS 10 + typedef struct supported_payload_entry_t supported_payload_entry_t; @@ -109,6 +114,7 @@ struct message_rule_t { */ static supported_payload_entry_t supported_ike_sa_init_i_payloads[] = { + {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE}, {SECURITY_ASSOCIATION,1,1,FALSE,FALSE}, {KEY_EXCHANGE,1,1,FALSE,FALSE}, {NONCE,1,1,FALSE,FALSE}, @@ -119,7 +125,7 @@ static supported_payload_entry_t supported_ike_sa_init_i_payloads[] = */ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] = { - {NOTIFY,0,1,FALSE,TRUE}, + {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE}, {SECURITY_ASSOCIATION,1,1,FALSE,FALSE}, {KEY_EXCHANGE,1,1,FALSE,FALSE}, {NONCE,1,1,FALSE,FALSE}, @@ -130,6 +136,7 @@ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] = */ static supported_payload_entry_t supported_ike_auth_i_payloads[] = { + {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE}, {ID_INITIATOR,1,1,TRUE,FALSE}, {CERTIFICATE,0,1,TRUE,FALSE}, {CERTIFICATE_REQUEST,0,1,TRUE,FALSE}, @@ -145,7 +152,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] = */ static supported_payload_entry_t supported_ike_auth_r_payloads[] = { - {NOTIFY,0,1,TRUE,TRUE}, + {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE}, {CERTIFICATE,0,1,TRUE,FALSE}, {ID_RESPONDER,1,1,TRUE,FALSE}, {AUTHENTICATION,1,1,TRUE,FALSE}, @@ -1215,3 +1222,24 @@ message_t *message_create() { return message_create_from_packet(NULL); } + +/* + * Described in Header. + */ +message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type) +{ + message_t *message = message_create_from_packet(NULL); + notify_payload_t *payload; + + message->set_source(message, source->clone(source)); + message->set_destination(message, destination->clone(destination)); + message->set_exchange_type(message, exchange_type); + message->set_request(message, FALSE); + message->set_message_id(message,0); + message->set_ike_sa_id(message, ike_sa_id); + + payload = notify_payload_create_from_protocol_and_type(IKE,notify_type); + message->add_payload(message,(payload_t *) payload); + + return message; +} diff --git a/Source/charon/encoding/message.h b/Source/charon/encoding/message.h index e3be83653..98f9d8a22 100644 --- a/Source/charon/encoding/message.h +++ b/Source/charon/encoding/message.h @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -140,22 +141,6 @@ struct message_t { */ exchange_type_t (*get_exchange_type) (message_t *this); - /** - * @brief Sets the original initiator flag. - * - * @param this message_t object - * @param original_initiator TRUE if message is from original initiator - */ - void (*set_original_initiator) (message_t *this,bool original_initiator); - - /** - * @brief Gets original initiator flag. - * - * @param this message_t object - * @return TRUE if message is from original initiator, FALSE otherwise - */ - bool (*get_original_initiator) (message_t *this); - /** * @brief Sets the request flag. * @@ -340,4 +325,13 @@ message_t * message_create_from_packet(packet_t *packet); */ message_t * message_create(); +/** + * Creates an message_t object of type reply containing a notify payload. + * + * @return created message_t object + * + * @ingroup encoding + */ +message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type); + #endif /*MESSAGE_H_*/ diff --git a/Source/charon/encoding/parser.c b/Source/charon/encoding/parser.c index 509deaca9..1b1c13613 100644 --- a/Source/charon/encoding/parser.c +++ b/Source/charon/encoding/parser.c @@ -43,6 +43,7 @@ #include #include #include +#include #include @@ -827,6 +828,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ } break; } + case CERT_DATA: + { + size_t data_length = payload_length - CERT_PAYLOAD_HEADER_LENGTH; + if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS) + { + pld->destroy(pld); + return PARSE_ERROR; + } + break; + } case KEY_EXCHANGE_DATA: { size_t keydata_length = payload_length - KE_PAYLOAD_HEADER_LENGTH; diff --git a/Source/charon/encoding/payloads/Makefile.payloads b/Source/charon/encoding/payloads/Makefile.payloads index 91cd2307e..1fe65179e 100644 --- a/Source/charon/encoding/payloads/Makefile.payloads +++ b/Source/charon/encoding/payloads/Makefile.payloads @@ -41,6 +41,10 @@ $(BUILD_DIR)id_payload.o : $(PAYLOADS_DIR)id_payload.c $(PAYLOADS_DIR)id_payl OBJS+= $(BUILD_DIR)auth_payload.o $(BUILD_DIR)auth_payload.o : $(PAYLOADS_DIR)auth_payload.c $(PAYLOADS_DIR)auth_payload.h $(CC) $(CFLAGS) -c -o $@ $< + +OBJS+= $(BUILD_DIR)cert_payload.o +$(BUILD_DIR)cert_payload.o : $(PAYLOADS_DIR)cert_payload.c $(PAYLOADS_DIR)cert_payload.h + $(CC) $(CFLAGS) -c -o $@ $< OBJS+= $(BUILD_DIR)ts_payload.o $(BUILD_DIR)ts_payload.o : $(PAYLOADS_DIR)ts_payload.c $(PAYLOADS_DIR)ts_payload.h diff --git a/Source/charon/encoding/payloads/cert_payload.c b/Source/charon/encoding/payloads/cert_payload.c new file mode 100644 index 000000000..c3053959f --- /dev/null +++ b/Source/charon/encoding/payloads/cert_payload.c @@ -0,0 +1,284 @@ +/** + * @file cert_payload.c + * + * @brief Implementation of cert_payload_t. + * + */ + +/* + * Copyright (C) 2005 Jan Hutter, Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "cert_payload.h" + +#include + + +/** + * String mappings for cert_encoding_t. + */ +mapping_t cert_encoding_m[] = { +{PKCS7_WRAPPED_X509_CERTIFICATE, "PKCS7_WRAPPED_X509_CERTIFICATE"}, +{PGP_CERTIFICATE, "PGP_CERTIFICATE"}, +{DNS_SIGNED_KEY, "DNS_SIGNED_KEY"}, +{X509_CERTIFICATE_SIGNATURE, "X509_CERTIFICATE_SIGNATURE"}, +{KERBEROS_TOKEN, "KERBEROS_TOKEN"}, +{CERTIFICATE_REVOCATION_LIST, "CERTIFICATE_REVOCATION_LIST"}, +{AUTHORITY_REVOCATION_LIST, "AUTHORITY_REVOCATION_LIST"}, +{SPKI_CERTIFICATE, "SPKI_CERTIFICATE"}, +{X509_CERTIFICATE_ATTRIBUTE, "X509_CERTIFICATE_ATTRIBUTE"}, +{RAW_SA_KEY, "RAW_SA_KEY"}, +{HASH_AND_URL_X509_CERTIFICATE, "HASH_AND_URL_X509_CERTIFICATE"}, +{HASH_AND_URL_X509_BUNDLE, "HASH_AND_URL_X509_BUNDLE"}, +{MAPPING_END, NULL} +}; + + +typedef struct private_cert_payload_t private_cert_payload_t; + +/** + * Private data of an cert_payload_t object. + * + */ +struct private_cert_payload_t { + /** + * Public cert_payload_t interface. + */ + cert_payload_t public; + + /** + * Next payload type. + */ + u_int8_t next_payload; + + /** + * Critical flag. + */ + bool critical; + + /** + * Length of this payload. + */ + u_int16_t payload_length; + + /** + * Encoding of the CERT Data. + */ + u_int8_t cert_encoding; + + /** + * The contained cert data value. + */ + chunk_t cert_data; +}; + +/** + * Encoding rules to parse or generate a CERT payload + * + * The defined offsets are the positions in a object of type + * private_cert_payload_t. + * + */ +encoding_rule_t cert_payload_encodings[] = { + /* 1 Byte next payload type, stored in the field next_payload */ + { U_INT_8, offsetof(private_cert_payload_t, next_payload) }, + /* the critical bit */ + { FLAG, offsetof(private_cert_payload_t, critical) }, + /* 7 Bit reserved bits, nowhere stored */ + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + { RESERVED_BIT, 0 }, + /* Length of the whole payload*/ + { PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)}, + /* 1 Byte CERT type*/ + { U_INT_8, offsetof(private_cert_payload_t, cert_encoding) }, + /* some cert data bytes, length is defined in PAYLOAD_LENGTH */ + { CERT_DATA, offsetof(private_cert_payload_t, cert_data) } +}; + +/* + 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + ! Next Payload !C! RESERVED ! Payload Length ! + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + ! Cert Encoding ! ! + +-+-+-+-+-+-+-+-+ ! + ~ Certificate Data ~ + ! ! + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +*/ + +/** + * Implementation of payload_t.verify. + */ +static status_t verify(private_cert_payload_t *this) +{ + if (this->critical) + { + /* critical bit is set! */ + return FAILED; + } + if ((this->cert_encoding == 0) || + ((this->cert_encoding >= 14) && (this->cert_encoding <= 200))) + { + /* reserved IDs */ + return FAILED; + } + return SUCCESS; +} + +/** + * Implementation of cert_payload_t.get_encoding_rules. + */ +static void get_encoding_rules(private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = cert_payload_encodings; + *rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t); +} + +/** + * Implementation of payload_t.get_type. + */ +static payload_type_t get_payload_type(private_cert_payload_t *this) +{ + return CERTIFICATE; +} + +/** + * Implementation of payload_t.get_next_type. + */ +static payload_type_t get_next_type(private_cert_payload_t *this) +{ + return (this->next_payload); +} + +/** + * Implementation of payload_t.set_next_type. + */ +static void set_next_type(private_cert_payload_t *this,payload_type_t type) +{ + this->next_payload = type; +} + +/** + * Implementation of payload_t.get_length. + */ +static size_t get_length(private_cert_payload_t *this) +{ + return this->payload_length; +} + +/** + * Implementation of cert_payload_t.set_cert_encoding. + */ +static void set_cert_encoding (private_cert_payload_t *this, cert_encoding_t encoding) +{ + this->cert_encoding = encoding; +} + +/** + * Implementation of cert_payload_t.get_cert_encoding. + */ +static cert_encoding_t get_cert_encoding (private_cert_payload_t *this) +{ + return (this->cert_encoding); +} + +/** + * Implementation of cert_payload_t.set_data. + */ +static void set_data (private_cert_payload_t *this, chunk_t data) +{ + if (this->cert_data.ptr != NULL) + { + allocator_free_chunk(&(this->cert_data)); + } + this->cert_data.ptr = allocator_clone_bytes(data.ptr,data.len); + this->cert_data.len = data.len; + this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->cert_data.len; +} + +/** + * Implementation of cert_payload_t.get_data. + */ +static chunk_t get_data (private_cert_payload_t *this) +{ + return (this->cert_data); +} + +/** + * Implementation of cert_payload_t.get_data_clone. + */ +static chunk_t get_data_clone (private_cert_payload_t *this) +{ + chunk_t cloned_data; + if (this->cert_data.ptr == NULL) + { + return (this->cert_data); + } + cloned_data.ptr = allocator_clone_bytes(this->cert_data.ptr,this->cert_data.len); + cloned_data.len = this->cert_data.len; + return cloned_data; +} + +/** + * Implementation of payload_t.destroy and cert_payload_t.destroy. + */ +static void destroy(private_cert_payload_t *this) +{ + if (this->cert_data.ptr != NULL) + { + allocator_free_chunk(&(this->cert_data)); + } + + allocator_free(this); +} + +/* + * Described in header + */ +cert_payload_t *cert_payload_create() +{ + private_cert_payload_t *this = allocator_alloc_thing(private_cert_payload_t); + + /* interface functions */ + this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; + this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; + this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; + this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; + this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; + this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; + this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; + + /* public functions */ + this->public.destroy = (void (*) (cert_payload_t *)) destroy; + this->public.set_cert_encoding = (void (*) (cert_payload_t *,cert_encoding_t)) set_cert_encoding; + this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t *)) get_cert_encoding; + this->public.set_data = (void (*) (cert_payload_t *,chunk_t)) set_data; + this->public.get_data_clone = (chunk_t (*) (cert_payload_t *)) get_data_clone; + this->public.get_data = (chunk_t (*) (cert_payload_t *)) get_data; + + /* private variables */ + this->critical = FALSE; + this->next_payload = NO_PAYLOAD; + this->payload_length =CERT_PAYLOAD_HEADER_LENGTH; + this->cert_data = CHUNK_INITIALIZER; + + return (&(this->public)); +} diff --git a/Source/charon/encoding/payloads/cert_payload.h b/Source/charon/encoding/payloads/cert_payload.h new file mode 100644 index 000000000..b3191e307 --- /dev/null +++ b/Source/charon/encoding/payloads/cert_payload.h @@ -0,0 +1,143 @@ +/** + * @file cert_payload.h + * + * @brief Interface of cert_payload_t. + * + */ + +/* + * Copyright (C) 2005 Jan Hutter, Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef _CERT_PAYLOAD_H_ +#define _CERT_PAYLOAD_H_ + +#include +#include + +/** + * Length of a cert payload without the cert data in bytes. + * + * @ingroup payloads + */ +#define CERT_PAYLOAD_HEADER_LENGTH 5 + + +typedef enum cert_encoding_t cert_encoding_t; + +/** + * Cert Encoding. + * + * @ingroup payloads + */ +enum cert_encoding_t { + PKCS7_WRAPPED_X509_CERTIFICATE = 1, + PGP_CERTIFICATE = 2, + DNS_SIGNED_KEY = 3, + X509_CERTIFICATE_SIGNATURE = 4, + KERBEROS_TOKEN = 6, + CERTIFICATE_REVOCATION_LIST = 7, + AUTHORITY_REVOCATION_LIST = 8, + SPKI_CERTIFICATE = 9, + X509_CERTIFICATE_ATTRIBUTE = 10, + RAW_SA_KEY = 11, + HASH_AND_URL_X509_CERTIFICATE = 12, + HASH_AND_URL_X509_BUNDLE = 13 +}; + +extern mapping_t cert_encoding_m[]; + + +typedef struct cert_payload_t cert_payload_t; + +/** + * Object representing an IKEv2 CERT payload. + * + * The CERT payload format is described in draft section 3.6. + * + * @ingroup payloads + * + */ +struct cert_payload_t { + /** + * The payload_t interface. + */ + payload_t payload_interface; + + /** + * @brief Set the CERT encoding. + * + * + * @param this calling cert_payload_t object + * @param encoding CERT encoding + */ + void (*set_cert_encoding) (cert_payload_t *this, cert_encoding_t encoding); + + /** + * @brief Get the CERT encoding. + * + * @param this calling cert_payload_t object + * @return Encoding of the CERT + */ + cert_encoding_t (*get_cert_encoding) (cert_payload_t *this); + + /** + * @brief Set the CERT data. + * + * Data are getting cloned. + * + * @param this calling cert_payload_t object + * @param data CERT data as chunk_t + */ + void (*set_data) (cert_payload_t *this, chunk_t data); + + /** + * @brief Get the CERT data. + * + * Returned data are a copy of the internal one. + * + * @param this calling cert_payload_t object + * @return CERT data as chunk_t + */ + chunk_t (*get_data_clone) (cert_payload_t *this); + + /** + * @brief Get the CERT data. + * + * Returned data are NOT copied. + * + * @param this calling cert_payload_t object + * @return CERT data as chunk_t + */ + chunk_t (*get_data) (cert_payload_t *this); + + /** + * @brief Destroys an cert_payload_t object. + * + * @param this cert_payload_t object to destroy + */ + void (*destroy) (cert_payload_t *this); +}; + +/** + * @brief Creates an empty cert_payload_t object. + * + * @return created cert_payload_t object + * + * @ingroup payloads + */ +cert_payload_t *cert_payload_create(); + + +#endif //_CERT_PAYLOAD_H_ diff --git a/Source/charon/encoding/payloads/encodings.h b/Source/charon/encoding/payloads/encodings.h index edc26990b..33610f1e0 100644 --- a/Source/charon/encoding/payloads/encodings.h +++ b/Source/charon/encoding/payloads/encodings.h @@ -367,6 +367,16 @@ enum encoding_type_t{ * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to. */ AUTH_DATA, + + /** + * Representating a CERT Data field. + * + * When generating the content of the chunkt pointing to + * is written. + * + * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to. + */ + CERT_DATA, /** * Representating an IKE_SPI field in an IKEv2 Header. diff --git a/Source/charon/encoding/payloads/ike_header.c b/Source/charon/encoding/payloads/ike_header.c index 784fce51d..6114c8de4 100644 --- a/Source/charon/encoding/payloads/ike_header.c +++ b/Source/charon/encoding/payloads/ike_header.c @@ -186,18 +186,6 @@ static status_t verify(private_ike_header_t *this) return FAILED; } - if ((this->responder_spi == 0) && (!this->flags.initiator)) - { - /* must be original initiator*/ - return FAILED; - } - - if ((this->responder_spi == 0) && (this->flags.response)) - { - /* must be request*/ - return FAILED; - } - /* verification of version is not done in here */ return SUCCESS; diff --git a/Source/charon/encoding/payloads/notify_payload.c b/Source/charon/encoding/payloads/notify_payload.c index 3bbc44df0..e085703b0 100644 --- a/Source/charon/encoding/payloads/notify_payload.c +++ b/Source/charon/encoding/payloads/notify_payload.c @@ -36,7 +36,7 @@ mapping_t notify_message_type_m[] = { {INVALID_IKE_SPI, "INVALID_IKE_SPI"}, {INVALID_MAJOR_VERSION, "INVALID_MAJOR_VERSION"}, {INVALID_SYNTAX, "INVALID_SYNTAX"}, - {INVALID_MESSAGE_ID, "MODP_2048_BIT"}, + {INVALID_MESSAGE_ID, "INVALID_MESSAGE_ID"}, {INVALID_SPI, "INVALID_SPI"}, {NO_PROPOSAL_CHOSEN, "NO_PROPOSAL_CHOSEN"}, {INVALID_KE_PAYLOAD, "INVALID_KE_PAYLOAD"}, @@ -47,6 +47,11 @@ mapping_t notify_message_type_m[] = { {FAILED_CP_REQUIRED, "FAILED_CP_REQUIRED"}, {TS_UACCEPTABLE, "TS_UACCEPTABLE"}, {INVALID_SELECTORS, "INVALID_SELECTORS"}, + + /* status messages */ + {INITIAL_CONTACT, "INITIAL_CONTACT"}, + {SET_WINDOW_SIZE, "SET_WINDOW_SIZE"}, + {MAPPING_END, NULL} }; diff --git a/Source/charon/encoding/payloads/notify_payload.h b/Source/charon/encoding/payloads/notify_payload.h index e877e07c7..ada346af8 100644 --- a/Source/charon/encoding/payloads/notify_payload.h +++ b/Source/charon/encoding/payloads/notify_payload.h @@ -68,7 +68,10 @@ enum notify_message_type_t { INTERNAL_ADDRESS_FAILURE = 36, FAILED_CP_REQUIRED = 37, TS_UACCEPTABLE = 38, - INVALID_SELECTORS = 39 + INVALID_SELECTORS = 39, + + INITIAL_CONTACT = 16384, + SET_WINDOW_SIZE = 16385 }; /** diff --git a/Source/charon/encoding/payloads/payload.c b/Source/charon/encoding/payloads/payload.c index edc4479a9..7e6499323 100644 --- a/Source/charon/encoding/payloads/payload.c +++ b/Source/charon/encoding/payloads/payload.c @@ -31,6 +31,7 @@ #include #include #include +#include #include #include @@ -88,6 +89,8 @@ payload_t *payload_create(payload_type_t type) return (payload_t*)id_payload_create(FALSE); case AUTHENTICATION: return (payload_t*)auth_payload_create(); + case CERTIFICATE: + return (payload_t*)cert_payload_create(); case TRAFFIC_SELECTOR_SUBSTRUCTURE: return (payload_t*)traffic_selector_substructure_create(); case TRAFFIC_SELECTOR_INITIATOR: diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c index af4f3c774..e298d1fa0 100644 --- a/Source/charon/sa/authenticator.c +++ b/Source/charon/sa/authenticator.c @@ -102,7 +102,12 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag { chunk_t id_chunk = my_id->get_data(my_id); u_int8_t id_with_header[4 + id_chunk.len]; - chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header) }; + /* + * IKEv2 for linux is not compatible with IKEv2 Draft and so not compatible with this + * implementation, cause AUTH data are computed without + * ID type and the three reserved bytes. + */ + chunk_t id_with_header_chunk = {ptr:id_with_header, len: sizeof(id_with_header)}; u_int8_t *current_pos; chunk_t octets; @@ -123,6 +128,7 @@ static chunk_t allocate_octets(private_authenticator_t *this,chunk_t last_messag { this->prf->set_key(this->prf,this->ike_sa->get_key_pr(this->ike_sa)); } + /* 4 bytes are id type and reserved fields of id payload */ octets.len = last_message.len + other_nonce.len + this->prf->get_block_size(this->prf); @@ -167,13 +173,12 @@ static chunk_t allocate_auth_data_with_preshared_secret (private_authenticator_t /** * Implementation of authenticator_t.verify_auth_data. */ -static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator,bool *verified) +static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t *auth_payload, chunk_t last_received_packet,chunk_t my_nonce,id_payload_t *other_id_payload,bool initiator) { switch(auth_payload->get_auth_method(auth_payload)) { case SHARED_KEY_MESSAGE_INTEGRITY_CODE: { - identification_t *other_id = other_id_payload->get_identification(other_id_payload); chunk_t auth_data = auth_payload->get_data(auth_payload); chunk_t preshared_secret; @@ -190,20 +195,19 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t * if (auth_data.len != my_auth_data.len) { - *verified = FALSE; allocator_free_chunk(&my_auth_data); - return SUCCESS; + return FAILED; } if (memcmp(auth_data.ptr,my_auth_data.ptr,my_auth_data.len) == 0) { - *verified = TRUE; + status = SUCCESS; } else { - *verified = FALSE; + status = FAILED; } - allocator_free_chunk(&my_auth_data); - return SUCCESS; + allocator_free_chunk(&my_auth_data); + return status; } case RSA_DIGITAL_SIGNATURE: { @@ -224,14 +228,6 @@ static status_t verify_auth_data (private_authenticator_t *this,auth_payload_t * octets = this->allocate_octets(this,last_received_packet,my_nonce,other_id_payload,initiator); status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data); - if (status == SUCCESS) - { - *verified = TRUE; - } - else - { - *verified = FALSE; - } allocator_free_chunk(&octets); return status; @@ -329,7 +325,7 @@ authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa) /* Public functions */ this->public.destroy = (void(*)(authenticator_t*))destroy; - this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool,bool *)) verify_auth_data; + this->public.verify_auth_data = (status_t (*) (authenticator_t *,auth_payload_t *, chunk_t ,chunk_t ,id_payload_t *,bool)) verify_auth_data; this->public.compute_auth_data = (status_t (*) (authenticator_t *,auth_payload_t **, chunk_t ,chunk_t ,id_payload_t *,bool)) compute_auth_data; /* private functions */ diff --git a/Source/charon/sa/authenticator.h b/Source/charon/sa/authenticator.h index dc0319191..64cb1d602 100644 --- a/Source/charon/sa/authenticator.h +++ b/Source/charon/sa/authenticator.h @@ -60,12 +60,10 @@ struct authenticator_t { * @param my_nonce The sent nonce (without payload header) * @param other_id_payload The ID payload received from other peer * @param initiator Type of other peer. TRUE, if it is original initiator, FALSE otherwise - * @param[out] verified - * - TRUE, if verification succeeded - * - FALSE, if verification data could not be verified * * @return * - SUCCESS if verification could be processed (does not mean the data could be verified) + * - FAILED if verification failed * - NOT_SUPPORTED if AUTH method not supported * - NOT_FOUND if the data for specific AUTH method could not be found (e.g. shared secret, rsa key) * - TODO rsa errors!! @@ -75,8 +73,7 @@ struct authenticator_t { chunk_t last_received_packet, chunk_t my_nonce, id_payload_t *other_id_payload, - bool initiator, - bool *verified); + bool initiator); /** * @brief Computes authentication data and creates specific AUTH payload. diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c index 041185ca2..7e01fcf61 100644 --- a/Source/charon/sa/states/ike_auth_requested.c +++ b/Source/charon/sa/states/ike_auth_requested.c @@ -194,13 +194,33 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i if (notify_payload->get_protocol_id(notify_payload) != IKE) { - this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol."); + this->logger->log(this->logger, ERROR | MORE, "Notify reply not for IKE protocol"); payloads->destroy(payloads); return FAILED; } switch (notify_payload->get_notify_message_type(notify_payload)) { + case INVALID_SYNTAX: + { + this->logger->log(this->logger, ERROR, "Going to destroy IKE_SA"); + payloads->destroy(payloads); + return DELETE_ME; + + } + case AUTHENTICATION_FAILED: + { + this->logger->log(this->logger, ERROR, "Keys invalid?. Going to destroy IKE_SA"); + payloads->destroy(payloads); + return DELETE_ME; + + } + case SINGLE_PAIR_REQUIRED: + { + this->logger->log(this->logger, ERROR, "Please reconfigure CHILD_SA. Going to destroy IKE_SA"); + payloads->destroy(payloads); + return DELETE_ME; + } default: { /* @@ -348,12 +368,11 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa { authenticator_t *authenticator; status_t status; - bool verified; /* TODO VERIFY auth here */ authenticator = authenticator_create(this->ike_sa); - status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE,&verified); + status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE); authenticator->destroy(authenticator); if (status != SUCCESS) { @@ -361,12 +380,6 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa return FAILED; } - if (!verified) - { - this->logger->log(this->logger, ERROR | MORE, "AUTH data could not be verified"); - return FAILED; - } - this->logger->log(this->logger, CONTROL | MORE, "AUTH data verified"); return SUCCESS; } diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c index 967aebb2b..b5571acb9 100644 --- a/Source/charon/sa/states/ike_sa_init_requested.c +++ b/Source/charon/sa/states/ike_sa_init_requested.c @@ -251,10 +251,16 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t { case NO_PROPOSAL_CHOSEN: { - this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!!!"); + this->logger->log(this->logger, ERROR, "Peer didn't choose a proposal!"); payloads->destroy(payloads); return DELETE_ME; } + case INVALID_MAJOR_VERSION: + { + this->logger->log(this->logger, ERROR, "Peer doesn't support IKEv2!"); + payloads->destroy(payloads); + return DELETE_ME; + } case INVALID_KE_PAYLOAD: { initiator_init_t *initiator_init_state; diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c index 1dd16f669..732c5cc23 100644 --- a/Source/charon/sa/states/ike_sa_init_responded.c +++ b/Source/charon/sa/states/ike_sa_init_responded.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -87,6 +88,15 @@ struct private_ike_sa_init_responded_t { status_t (*build_sa_payload) (private_ike_sa_init_responded_t *this, sa_payload_t *request, message_t *response); status_t (*build_auth_payload) (private_ike_sa_init_responded_t *this, auth_payload_t *request,id_payload_t *other_id_payload,id_payload_t *my_id_payload, message_t* response); status_t (*build_ts_payload) (private_ike_sa_init_responded_t *this, bool ts_initiator, ts_payload_t *request, message_t *response); + + /** + * Sends a IKE_AUTH reply with a notify payload. + * + * @param this calling object + * @param type type of notify message + * @param data data of notify message + */ + void (*send_notify_reply) (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data); }; /** @@ -103,6 +113,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t auth_payload_t *auth_request; sa_payload_t *sa_request; ts_payload_t *tsi_request, *tsr_request; + notify_payload_t *notify_payload = NULL; message_t *response; exchange_type = request->get_exchange_type(request); @@ -181,17 +192,54 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t tsr_request = (ts_payload_t*)payload; break; } + case NOTIFY: + { + notify_payload = (notify_payload_t *) payload; + break; + } default: { this->logger->log(this->logger, ERROR, "Payload type %s not supported in state ike_auth_requested!", mapping_find(payload_type_m, payload->get_type(payload))); payloads->destroy(payloads); - return FAILED; + return DELETE_ME; } } } /* iterator can be destroyed */ payloads->destroy(payloads); + + if (notify_payload != NULL) + { + this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s", + mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)), + mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload))); + + if (notify_payload->get_protocol_id(notify_payload) != IKE) + { + this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol."); + payloads->destroy(payloads); + return DELETE_ME; + } + switch (notify_payload->get_notify_message_type(notify_payload)) + { + case SET_WINDOW_SIZE: + /* + * TODO Increase window size. + */ + case INITIAL_CONTACT: + /* + * TODO Delete existing IKE_SA's with other Identity. + */ + default: + { + this->logger->log(this->logger, CONTROL|MORE, "Handling of notify type %s not implemented", + notify_payload->get_notify_message_type(notify_payload)); + } + } + } + + /* build response */ this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response); @@ -351,25 +399,24 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p authenticator_t *authenticator; auth_payload_t *auth_reply; status_t status; - bool verified; authenticator = authenticator_create(this->ike_sa); - status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE,&verified); - + status = authenticator->verify_auth_data(authenticator,auth_request, this->ike_sa_init_request_data,this->sent_nonce,other_id_payload,TRUE); + if (status != SUCCESS) { this->logger->log(this->logger, ERROR, "Verification of AUTH payload returned status %s",mapping_find(status_m,status)); authenticator->destroy(authenticator); + /* + * Send notify message of type AUTHENTICATION_FAILED + */ + this->logger->log(this->logger, CONTROL | MORE, "Send notify message of type AUTHENTICATION_FAILED"); + this->send_notify_reply (this,AUTHENTICATION_FAILED,CHUNK_INITIALIZER); return status; } - if (!verified) - { - this->logger->log(this->logger, ERROR, "Verification of AUTH failed."); - authenticator->destroy(authenticator); - return FAILED; - } + status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE); authenticator->destroy(authenticator); @@ -431,6 +478,44 @@ static status_t build_ts_payload(private_ike_sa_init_responded_t *this, bool ts_ return status; } +/** + * Implementation of private_responder_init_t.send_notify_reply. + */ +static void send_notify_reply (private_ike_sa_init_responded_t *this,notify_message_type_t type, chunk_t data) +{ + notify_payload_t *payload; + message_t *response; + packet_t *packet; + status_t status; + + this->logger->log(this->logger, CONTROL|MOST, "Going to build message with notify payload"); + /* set up the reply */ + this->ike_sa->build_message(this->ike_sa, IKE_AUTH, FALSE, &response); + payload = notify_payload_create_from_protocol_and_type(IKE,type); + if ((data.ptr != NULL) && (data.len > 0)) + { + this->logger->log(this->logger, CONTROL|MOST, "Add Data to notify payload"); + payload->set_notification_data(payload,data); + } + + this->logger->log(this->logger, CONTROL|MOST, "Add Notify payload to message"); + response->add_payload(response,(payload_t *) payload); + + /* generate packet */ + this->logger->log(this->logger, CONTROL|MOST, "Gnerate packet from message"); + status = response->generate(response, NULL, NULL, &packet); + if (status != SUCCESS) + { + this->logger->log(this->logger, ERROR, "Could not generate packet from message"); + return; + } + + this->logger->log(this->logger, CONTROL|MOST, "Add packet to global send queue"); + charon->send_queue->add(charon->send_queue, packet); + this->logger->log(this->logger, CONTROL|MOST, "Destroy message"); + response->destroy(response); +} + /** * Implements state_t.get_state */ @@ -475,6 +560,7 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa this->build_sa_payload = build_sa_payload; this->build_auth_payload = build_auth_payload; this->build_ts_payload = build_ts_payload; + this->send_notify_reply = send_notify_reply; /* private data */ this->ike_sa = ike_sa; diff --git a/Source/charon/sa/states/initiator_init.c b/Source/charon/sa/states/initiator_init.c index e0a6092ed..a9ec179e2 100644 --- a/Source/charon/sa/states/initiator_init.c +++ b/Source/charon/sa/states/initiator_init.c @@ -117,7 +117,8 @@ struct private_initiator_init_t { void (*build_nonce_payload) (private_initiator_init_t *this, payload_t **payload); /** - * Destroy function called internally of this class after state change succeeded. + * Destroy function called internally of this class after state change to state + * IKE_SA_INIT_REQUESTED succeeded. * * This destroy function does not destroy objects which were passed to the new state. * @@ -164,7 +165,7 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name) this->dh_group_number = init_config->get_dh_group_number(init_config,this->dh_group_priority); if (this->dh_group_number == MODP_UNDEFINED) { - this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority); + this->logger->log(this->logger, ERROR | MORE, "Diffie hellman group could not be retrieved with priority %d", this->dh_group_priority); return DELETE_ME; } diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c index e112f421a..5526a0e47 100644 --- a/Source/charon/sa/states/responder_init.c +++ b/Source/charon/sa/states/responder_init.c @@ -189,6 +189,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa { /* no configuration matches given host */ this->logger->log(this->logger, ERROR | MORE, "No INIT configuration found for given remote and local hosts"); + return DELETE_ME; } @@ -243,7 +244,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa { this->logger->log(this->logger, ERROR | MORE, "No proposal of suggested proposals selected"); payloads->destroy(payloads); - this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER); + this->send_notify_reply(this,NO_PROPOSAL_CHOSEN,CHUNK_INITIALIZER); return DELETE_ME; } @@ -258,7 +259,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa } this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed"); - /* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/ break; } case KEY_EXCHANGE: @@ -321,6 +321,31 @@ static status_t process_message(private_responder_init_t *this, message_t *messa this->logger->log(this->logger, CONTROL | MORE, "Nonce Payload processed"); break; } + case NOTIFY: + { + notify_payload_t *notify_payload = (notify_payload_t *) payload; + + + this->logger->log(this->logger, CONTROL|MORE, "Process notify type %s for protocol %s", + mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload)), + mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload))); + + if (notify_payload->get_protocol_id(notify_payload) != IKE) + { + this->logger->log(this->logger, ERROR | MORE, "Notify not for IKE protocol."); + payloads->destroy(payloads); + return FAILED; + } + switch (notify_payload->get_notify_message_type(notify_payload)) + { + default: + { + this->logger->log(this->logger, CONTROL|MORE, "Processing of notify type %s not yet implemented", + mapping_find(notify_message_type_m, notify_payload->get_notify_message_type(notify_payload))); + break; + } + } + } default: { this->logger->log(this->logger, ERROR | MORE, "Payload type not supported!"); diff --git a/Source/charon/testcases/generator_test.c b/Source/charon/testcases/generator_test.c index a2ae01565..de0d13575 100644 --- a/Source/charon/testcases/generator_test.c +++ b/Source/charon/testcases/generator_test.c @@ -40,6 +40,7 @@ #include #include #include +#include #include /* @@ -1052,6 +1053,58 @@ void test_generator_with_auth_payload(tester_t *tester) charon->logger_manager->destroy_logger(charon->logger_manager,logger); } +/* + * Described in header. + */ +void test_generator_with_cert_payload(tester_t *tester) +{ + generator_t *generator; + cert_payload_t *cert_payload; + logger_t *logger; + chunk_t generated_data; + chunk_t cert; + + logger = charon->logger_manager->create_logger(charon->logger_manager,TESTER,"Message with CERT Payload"); + + /* create generator */ + generator = generator_create(); + tester->assert_true(tester,(generator != NULL), "generator create check"); + + cert_payload = cert_payload_create(); + + + cert.ptr = "123456789012"; + cert.len = strlen(cert.ptr); + + cert_payload->set_cert_encoding(cert_payload,PGP_CERTIFICATE); + cert_payload->set_data(cert_payload,cert); + + generator->generate_payload(generator,(payload_t *)cert_payload); + generator->write_to_chunk(generator,&generated_data); + logger->log_chunk(logger,RAW,"generated payload",&generated_data); + + u_int8_t expected_generation[] = { + /* payload header */ + 0x00,0x00,0x00,0x11, + 0x02, + /* cert data */ + 0x31,0x32,0x33,0x34, + 0x35,0x36,0x37,0x38, + 0x39,0x30,0x31,0x32, + }; + + logger->log_bytes(logger,RAW,"expected payload",expected_generation,sizeof(expected_generation)); + + tester->assert_true(tester,(memcmp(expected_generation,generated_data.ptr,sizeof(expected_generation)) == 0), "compare generated data"); + + allocator_free_chunk(&generated_data); + + cert_payload->destroy(cert_payload); + generator->destroy(generator); + + charon->logger_manager->destroy_logger(charon->logger_manager,logger); +} + /* * Described in header. */ diff --git a/Source/charon/testcases/generator_test.h b/Source/charon/testcases/generator_test.h index 34c054a82..d5e3aab0c 100644 --- a/Source/charon/testcases/generator_test.h +++ b/Source/charon/testcases/generator_test.h @@ -116,6 +116,15 @@ void test_generator_with_id_payload(tester_t *tester); */ void test_generator_with_auth_payload(tester_t *tester); +/** + * @brief Test function used to test the generator with CERT payload. + * + * @param tester associated tester_t object + * + * @ingroup testcases + */ +void test_generator_with_cert_payload(tester_t *tester); + /** * @brief Test function used to test the generator with TS payload. * diff --git a/Source/charon/testcases/parser_test.c b/Source/charon/testcases/parser_test.c index 2815c63a8..d3ec5dd1a 100644 --- a/Source/charon/testcases/parser_test.c +++ b/Source/charon/testcases/parser_test.c @@ -36,6 +36,7 @@ #include #include #include +#include #include @@ -691,3 +692,43 @@ void test_parser_with_ts_payload(tester_t *tester) ts_payload->destroy(ts_payload); } + +/* + * Described in Header + */ +void test_parser_with_cert_payload(tester_t *tester) +{ + parser_t *parser; + cert_payload_t *cert_payload; + status_t status; + chunk_t cert_chunk, result; + + u_int8_t cert_bytes[] = { + 0x00,0x00,0x00,0x11, /* payload header */ + 0x03, + 0x04,0x05,0x06,0x07,/* 12 Byte nonce */ + 0x08,0x09,0x0A,0x2B, + 0x0C,0x0D,0x0E,0x0F + }; + + cert_chunk.ptr = cert_bytes; + cert_chunk.len = sizeof(cert_bytes); + + parser = parser_create(cert_chunk); + tester->assert_true(tester,(parser != NULL), "parser create check"); + status = parser->parse_payload(parser, CERTIFICATE, (payload_t**)&cert_payload); + tester->assert_true(tester,(status == SUCCESS),"parse_payload call check"); + parser->destroy(parser); + + if (status != SUCCESS) + { + return; + } + result = cert_payload->get_data_clone(cert_payload); + tester->assert_true(tester,(cert_payload->get_cert_encoding(cert_payload) == DNS_SIGNED_KEY), "is DNS_SIGNED_KEY encoding"); + tester->assert_true(tester,(result.len == 12), "parsed data lenght"); + tester->assert_false(tester,(memcmp(cert_bytes + 5, result.ptr, result.len)), "parsed data"); + cert_payload->destroy(cert_payload); + allocator_free_chunk(&result); +} + diff --git a/Source/charon/testcases/parser_test.h b/Source/charon/testcases/parser_test.h index 11af67ae5..0db5cc223 100644 --- a/Source/charon/testcases/parser_test.h +++ b/Source/charon/testcases/parser_test.h @@ -105,4 +105,14 @@ void test_parser_with_auth_payload(tester_t *tester); */ void test_parser_with_ts_payload(tester_t *tester); +/** + * @brief Test function used to test the parser_t functionality when + * parsing a CERT payload. + * + * @param tester associated tester_t object + * + * @ingroup testcases + */ +void test_parser_with_cert_payload(tester_t *tester); + #endif /*PARSER_TEST_H_*/ diff --git a/Source/charon/testcases/testcases.c b/Source/charon/testcases/testcases.c index 03a318fcb..26c986258 100644 --- a/Source/charon/testcases/testcases.c +++ b/Source/charon/testcases/testcases.c @@ -89,6 +89,7 @@ test_t generator_test8 = {test_generator_with_nonce_payload,"Generator: Nonce Pa test_t generator_test9 = {test_generator_with_id_payload,"Generator: ID Payload"}; test_t generator_test10 = {test_generator_with_auth_payload,"Generator: AUTH Payload"}; test_t generator_test11 = {test_generator_with_ts_payload,"Generator: TS Payload"}; +test_t generator_test12 = {test_generator_with_cert_payload,"Generator: CERT Payload"}; test_t parser_test1 = {test_parser_with_header_payload, "Parser: header payload"}; test_t parser_test2 = {test_parser_with_sa_payload, "Parser: sa payload"}; test_t parser_test3 = {test_parser_with_nonce_payload, "Parser: nonce payload"}; @@ -97,6 +98,7 @@ test_t parser_test5 = {test_parser_with_notify_payload, "Parser: notify payload" test_t parser_test6 = {test_parser_with_id_payload, "Parser: ID payload"}; test_t parser_test7 = {test_parser_with_auth_payload, "Parser: AUTH payload"}; test_t parser_test8 = {test_parser_with_ts_payload, "Parser: TS payload"}; +test_t parser_test9 = {test_parser_with_cert_payload, "Parser: CERT payload"}; test_t packet_test = {test_packet,"Packet"}; test_t diffie_hellman_test = {test_diffie_hellman,"Diffie Hellman"}; test_t sha1_hasher_test = {test_sha1_hasher,"SHA1 hasher"}; @@ -186,6 +188,7 @@ int main() &parser_test6, &parser_test7, &parser_test8, + &parser_test9, &generator_test3, &generator_test4, &generator_test5, @@ -195,6 +198,7 @@ int main() &generator_test9, &generator_test10, &generator_test11, + &generator_test12, &ike_sa_manager_test, &packet_test, &diffie_hellman_test, @@ -225,8 +229,8 @@ int main() tester_t *tester = tester_create(test_output, FALSE); -// tester->perform_tests(tester,all_tests); - tester->perform_test(tester,&rsa_test); + tester->perform_tests(tester,all_tests); +// tester->perform_test(tester,&parser_test9); tester->destroy(tester); diff --git a/Source/charon/threads/thread_pool.c b/Source/charon/threads/thread_pool.c index 0146e1c6e..cce510f36 100644 --- a/Source/charon/threads/thread_pool.c +++ b/Source/charon/threads/thread_pool.c @@ -33,6 +33,7 @@ #include #include #include +#include #include #include @@ -115,20 +116,23 @@ struct private_thread_pool_t { */ static void process_jobs(private_thread_pool_t *this) { + job_t *job; + job_type_t job_type; + timeval_t start_time; + timeval_t end_time; + /* cancellation disabled by default */ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); this->worker_logger->log(this->worker_logger, CONTROL, "worker thread running, thread_id: %u", (int)pthread_self()); for (;;) { - job_t *job; - job_type_t job_type; job = charon->job_queue->get(charon->job_queue); job_type = job->get_type(job); this->worker_logger->log(this->worker_logger, CONTROL|MORE, "Process job of type %s", mapping_find(job_type_m,job_type)); - + gettimeofday(&start_time,NULL); switch (job_type) { case INCOMING_PACKET: @@ -162,8 +166,11 @@ static void process_jobs(private_thread_pool_t *this) break; } } - - this->worker_logger->log(this->worker_logger, CONTROL|MORE, "Processing of job finished"); + gettimeofday(&end_time,NULL); + + this->worker_logger->log(this->worker_logger, CONTROL, "Processed job of type %s in %d us", + mapping_find(job_type_m,job_type), + (((end_time.tv_sec - start_time.tv_sec) * 1000000) + (end_time.tv_usec - start_time.tv_usec))); } @@ -199,13 +206,43 @@ static void process_incoming_packet_job(private_thread_pool_t *this, incoming_pa if ((message->get_major_version(message) != IKE_MAJOR_VERSION) || (message->get_minor_version(message) != IKE_MINOR_VERSION)) + { this->worker_logger->log(this->worker_logger, ERROR, "IKE version %d.%d not supported", message->get_major_version(message), message->get_minor_version(message)); /* - * TODO send notify reply of type INVALID_MAJOR_VERSION + * TODO send notify reply of type INVALID_MAJOR_VERSION for requests of type IKE_SA_INIT. + * + * This check is not handled in state_t object of IKE_SA to increase speed. */ + if ((message->get_exchange_type(message) == IKE_SA_INIT) && (message->get_request(message))) + { + message_t *response; + message->get_ike_sa_id(message, &ike_sa_id); + ike_sa_id->switch_initiator(ike_sa_id); + response = message_create_notify_reply(message->get_destination(message), + message->get_source(message), + IKE_SA_INIT, + FALSE,ike_sa_id,INVALID_MAJOR_VERSION); + + message->destroy(message); + ike_sa_id->destroy(ike_sa_id); + status = response->generate(response, NULL, NULL, &packet); + if (status != SUCCESS) + { + this->worker_logger->log(this->worker_logger, ERROR, "Could not generate packet from message"); + response->destroy(response); + return; + } + this->worker_logger->log(this->worker_logger, ERROR, "Send notify reply of type INVALID_MAJOR_VERSION"); + charon->send_queue->add(charon->send_queue, packet); + response->destroy(response); + return; + } + message->destroy(message); + + return; } message->get_ike_sa_id(message, &ike_sa_id); diff --git a/Source/charon/utils/logger_manager.c b/Source/charon/utils/logger_manager.c index f5ebc7d01..52c81b268 100644 --- a/Source/charon/utils/logger_manager.c +++ b/Source/charon/utils/logger_manager.c @@ -178,6 +178,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t case PRIME_POOL: break; case SCHEDULER: + logger_level = 0; break; case SENDER: break;