- added payload CERT

- cleaned code of different states
- added additional notify handling

12 files changed, 519 insertions, 32 deletions

diff --git a/Source/charon/encoding/generator.c b/Source/charon/encoding/generator.c
index cfc96f4b2..b50e7fffb 100644
--- a/Source/charon/encoding/generator.c
+++ b/Source/charon/encoding/generator.c
@@ -42,6 +42,7 @@
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/id_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/ts_payload.h>
 
 
@@ -797,6 +798,19 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 				this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
 				break;
 			}
+			case CERT_DATA:
+			{
+				/* the AUTH Data value is generated from chunk */
+				this->generate_from_chunk(this, rules[i].offset);
+				
+				u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
+				/* Length of nonce PAYLOAD is calculated */
+				u_int16_t length_of_cert_payload = CERT_PAYLOAD_HEADER_LENGTH + ((chunk_t *)(this->data_struct + rules[i].offset))->len;
+				u_int16_t int16_val = htons(length_of_cert_payload);
+
+				this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
+				break;
+			}
 			case PROPOSALS:
 			{
 				/* before iterative generate the transforms, store the current payload length position */
diff --git a/Source/charon/encoding/message.c b/Source/charon/encoding/message.c
index c46918ed3..8c7969042 100644
--- a/Source/charon/encoding/message.c
+++ b/Source/charon/encoding/message.c
@@ -36,6 +36,11 @@
 #include <encoding/payloads/payload.h>
 #include <encoding/payloads/encryption_payload.h>
 
+/**
+ * Max number of notify payloads per IKEv2 Message
+ */
+#define MAX_NOTIFY_PAYLOADS 10
+
 
 typedef struct supported_payload_entry_t supported_payload_entry_t;
 
@@ -109,6 +114,7 @@ struct message_rule_t {
  */
 static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
 {
+	{NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
 	{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
 	{KEY_EXCHANGE,1,1,FALSE,FALSE},
 	{NONCE,1,1,FALSE,FALSE},
@@ -119,7 +125,7 @@ static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
  */
 static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
 {
-	{NOTIFY,0,1,FALSE,TRUE},
+	{NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
 	{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
 	{KEY_EXCHANGE,1,1,FALSE,FALSE},
 	{NONCE,1,1,FALSE,FALSE},
@@ -130,6 +136,7 @@ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
  */
 static supported_payload_entry_t supported_ike_auth_i_payloads[] =
 {
+	{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
 	{ID_INITIATOR,1,1,TRUE,FALSE},
 	{CERTIFICATE,0,1,TRUE,FALSE},
 	{CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
@@ -145,7 +152,7 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
  */
 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
 {
-	{NOTIFY,0,1,TRUE,TRUE},
+	{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
 	{CERTIFICATE,0,1,TRUE,FALSE},
 	{ID_RESPONDER,1,1,TRUE,FALSE},
 	{AUTHENTICATION,1,1,TRUE,FALSE},
@@ -1215,3 +1222,24 @@ message_t *message_create()
 {
 	return message_create_from_packet(NULL);
 }
+
+/*
+ * Described in Header.
+ */
+message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type)
+{
+	message_t *message = message_create_from_packet(NULL);
+	notify_payload_t *payload;
+	
+	message->set_source(message, source->clone(source));
+	message->set_destination(message, destination->clone(destination));
+	message->set_exchange_type(message, exchange_type);
+	message->set_request(message, FALSE);
+	message->set_message_id(message,0);
+	message->set_ike_sa_id(message, ike_sa_id);
+	
+	payload = notify_payload_create_from_protocol_and_type(IKE,notify_type);
+	message->add_payload(message,(payload_t *) payload);
+	
+	return message;
+}
diff --git a/Source/charon/encoding/message.h b/Source/charon/encoding/message.h
index e3be83653..98f9d8a22 100644
--- a/Source/charon/encoding/message.h
+++ b/Source/charon/encoding/message.h
@@ -27,6 +27,7 @@
 #include <sa/ike_sa_id.h>
 #include <network/packet.h>
 #include <encoding/payloads/ike_header.h>
+#include <encoding/payloads/notify_payload.h>
 #include <utils/linked_list.h>
 #include <transforms/crypters/crypter.h>
 #include <transforms/signers/signer.h>
@@ -141,22 +142,6 @@ struct message_t {
 	exchange_type_t (*get_exchange_type) (message_t *this);
 
 	/**
-	 * @brief Sets the original initiator flag.
-	 *
-	 * @param this 					message_t object
-	 * @param original_initiator		TRUE if message is from original initiator
-	 */
-	void (*set_original_initiator) (message_t *this,bool original_initiator);
-
-	/**
-	 * @brief Gets original initiator flag.
-	 *
-	 * @param this 			message_t object
-	 * @return				TRUE if message is from original initiator, FALSE otherwise
-	 */
-	bool (*get_original_initiator) (message_t *this);
-
-	/**
 	 * @brief Sets the request flag.
 	 *
 	 * @param this 					message_t object
@@ -340,4 +325,13 @@ message_t * message_create_from_packet(packet_t *packet);
  */
 message_t * message_create();
 
+/**
+ * Creates an message_t object of type reply containing a notify payload.
+ *
+ * @return created message_t object
+ *
+ * @ingroup encoding
+ */
+message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type);
+
 #endif /*MESSAGE_H_*/
diff --git a/Source/charon/encoding/parser.c b/Source/charon/encoding/parser.c
index 509deaca9..1b1c13613 100644
--- a/Source/charon/encoding/parser.c
+++ b/Source/charon/encoding/parser.c
@@ -43,6 +43,7 @@
 #include <encoding/payloads/notify_payload.h>
 #include <encoding/payloads/encryption_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/ts_payload.h>
 
 
@@ -827,6 +828,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
 				}		
 				break;			
 			}
+			case CERT_DATA:
+			{
+				size_t data_length = payload_length - CERT_PAYLOAD_HEADER_LENGTH;
+				if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS) 
+				{
+					pld->destroy(pld);
+					return PARSE_ERROR;
+				}		
+				break;			
+			}
 			case KEY_EXCHANGE_DATA:
 			{
 				size_t keydata_length = payload_length - KE_PAYLOAD_HEADER_LENGTH;
diff --git a/Source/charon/encoding/payloads/Makefile.payloads b/Source/charon/encoding/payloads/Makefile.payloads
index 91cd2307e..1fe65179e 100644
--- a/Source/charon/encoding/payloads/Makefile.payloads
+++ b/Source/charon/encoding/payloads/Makefile.payloads
@@ -41,6 +41,10 @@ $(BUILD_DIR)id_payload.o :				$(PAYLOADS_DIR)id_payload.c $(PAYLOADS_DIR)id_payl
 OBJS+= $(BUILD_DIR)auth_payload.o
 $(BUILD_DIR)auth_payload.o :				$(PAYLOADS_DIR)auth_payload.c $(PAYLOADS_DIR)auth_payload.h
 										$(CC) $(CFLAGS) -c -o $@ $<
+										
+OBJS+= $(BUILD_DIR)cert_payload.o
+$(BUILD_DIR)cert_payload.o :			$(PAYLOADS_DIR)cert_payload.c $(PAYLOADS_DIR)cert_payload.h
+										$(CC) $(CFLAGS) -c -o $@ $<
 
 OBJS+= $(BUILD_DIR)ts_payload.o
 $(BUILD_DIR)ts_payload.o :				$(PAYLOADS_DIR)ts_payload.c $(PAYLOADS_DIR)ts_payload.h
diff --git a/Source/charon/encoding/payloads/cert_payload.c b/Source/charon/encoding/payloads/cert_payload.c
new file mode 100644
index 000000000..c3053959f
--- /dev/null
+++ b/Source/charon/encoding/payloads/cert_payload.c
@@ -0,0 +1,284 @@
+/**
+ * @file cert_payload.c
+ * 
+ * @brief Implementation of cert_payload_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "cert_payload.h"
+
+#include <utils/allocator.h>
+
+
+/** 
+ * String mappings for cert_encoding_t.
+ */
+mapping_t cert_encoding_m[] = {
+{PKCS7_WRAPPED_X509_CERTIFICATE, "PKCS7_WRAPPED_X509_CERTIFICATE"},
+{PGP_CERTIFICATE, "PGP_CERTIFICATE"},
+{DNS_SIGNED_KEY, "DNS_SIGNED_KEY"},
+{X509_CERTIFICATE_SIGNATURE, "X509_CERTIFICATE_SIGNATURE"},
+{KERBEROS_TOKEN, "KERBEROS_TOKEN"},
+{CERTIFICATE_REVOCATION_LIST, "CERTIFICATE_REVOCATION_LIST"},
+{AUTHORITY_REVOCATION_LIST, "AUTHORITY_REVOCATION_LIST"},
+{SPKI_CERTIFICATE, "SPKI_CERTIFICATE"},
+{X509_CERTIFICATE_ATTRIBUTE, "X509_CERTIFICATE_ATTRIBUTE"},
+{RAW_SA_KEY, "RAW_SA_KEY"},
+{HASH_AND_URL_X509_CERTIFICATE, "HASH_AND_URL_X509_CERTIFICATE"},
+{HASH_AND_URL_X509_BUNDLE, "HASH_AND_URL_X509_BUNDLE"},
+{MAPPING_END, NULL}
+};
+
+
+typedef struct private_cert_payload_t private_cert_payload_t;
+
+/**
+ * Private data of an cert_payload_t object.
+ * 
+ */
+struct private_cert_payload_t {
+	/**
+	 * Public cert_payload_t interface.
+	 */
+	cert_payload_t public;
+	
+	/**
+	 * Next payload type.
+	 */
+	u_int8_t  next_payload;
+
+	/**
+	 * Critical flag.
+	 */
+	bool critical;
+	
+	/**
+	 * Length of this payload.
+	 */
+	u_int16_t payload_length;
+	
+	/**
+	 * Encoding of the CERT Data.
+	 */
+	u_int8_t cert_encoding;
+	
+	/**
+	 * The contained cert data value.
+	 */
+	chunk_t cert_data;
+};
+
+/**
+ * Encoding rules to parse or generate a CERT payload
+ * 
+ * The defined offsets are the positions in a object of type 
+ * private_cert_payload_t.
+ * 
+ */
+encoding_rule_t cert_payload_encodings[] = {
+ 	/* 1 Byte next payload type, stored in the field next_payload */
+	{ U_INT_8,			offsetof(private_cert_payload_t, next_payload) 	},
+	/* the critical bit */
+	{ FLAG,				offsetof(private_cert_payload_t, critical) 		},
+ 	/* 7 Bit reserved bits, nowhere stored */
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	{ RESERVED_BIT,	0 													},
+	/* Length of the whole payload*/
+	{ PAYLOAD_LENGTH,	offsetof(private_cert_payload_t, payload_length)},
+ 	/* 1 Byte CERT type*/
+	{ U_INT_8,			offsetof(private_cert_payload_t, cert_encoding)	},
+	/* some cert data bytes, length is defined in PAYLOAD_LENGTH */
+	{ CERT_DATA,			offsetof(private_cert_payload_t, cert_data) }
+};
+
+/*
+                           1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Next Payload  !C!  RESERVED   !         Payload Length        !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      ! Cert Encoding !                                               !
+      +-+-+-+-+-+-+-+-+                                               !
+      ~                       Certificate Data                        ~
+      !                                                               !
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_cert_payload_t *this)
+{
+	if (this->critical)
+	{
+		/* critical bit is set! */
+		return FAILED;
+	}
+	if ((this->cert_encoding == 0) ||
+		((this->cert_encoding >= 14) && (this->cert_encoding <= 200)))
+	{
+		/* reserved IDs */
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+/**
+ * Implementation of cert_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+	*rules = cert_payload_encodings;
+	*rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_cert_payload_t *this)
+{
+	return CERTIFICATE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_cert_payload_t *this)
+{
+	return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_cert_payload_t *this,payload_type_t type)
+{
+	this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_cert_payload_t *this)
+{
+	return this->payload_length;
+}
+
+/**
+ * Implementation of cert_payload_t.set_cert_encoding.
+ */
+static void set_cert_encoding (private_cert_payload_t *this, cert_encoding_t encoding)
+{
+	this->cert_encoding = encoding;
+}
+
+/**
+ * Implementation of cert_payload_t.get_cert_encoding.
+ */
+static cert_encoding_t get_cert_encoding (private_cert_payload_t *this)
+{
+	return (this->cert_encoding);
+}
+
+/**
+ * Implementation of cert_payload_t.set_data.
+ */
+static void set_data (private_cert_payload_t *this, chunk_t data)
+{
+	if (this->cert_data.ptr != NULL)
+	{
+		allocator_free_chunk(&(this->cert_data));
+	}
+	this->cert_data.ptr = allocator_clone_bytes(data.ptr,data.len);
+	this->cert_data.len = data.len;
+	this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->cert_data.len;
+}
+
+/**
+ * Implementation of cert_payload_t.get_data.
+ */
+static chunk_t get_data (private_cert_payload_t *this)
+{
+	return (this->cert_data);
+}
+
+/**
+ * Implementation of cert_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_cert_payload_t *this)
+{
+	chunk_t cloned_data;
+	if (this->cert_data.ptr == NULL)
+	{
+		return (this->cert_data);
+	}
+	cloned_data.ptr = allocator_clone_bytes(this->cert_data.ptr,this->cert_data.len);
+	cloned_data.len = this->cert_data.len;
+	return cloned_data;
+}
+
+/**
+ * Implementation of payload_t.destroy and cert_payload_t.destroy.
+ */
+static void destroy(private_cert_payload_t *this)
+{
+	if (this->cert_data.ptr != NULL)
+	{
+		allocator_free_chunk(&(this->cert_data));
+	}
+	
+	allocator_free(this);	
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create()
+{
+	private_cert_payload_t *this = allocator_alloc_thing(private_cert_payload_t);
+
+	/* interface functions */
+	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+	
+	/* public functions */
+	this->public.destroy = (void (*) (cert_payload_t *)) destroy;
+	this->public.set_cert_encoding = (void (*) (cert_payload_t *,cert_encoding_t)) set_cert_encoding;
+	this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t *)) get_cert_encoding;
+	this->public.set_data = (void (*) (cert_payload_t *,chunk_t)) set_data;
+	this->public.get_data_clone = (chunk_t (*) (cert_payload_t *)) get_data_clone;
+	this->public.get_data = (chunk_t (*) (cert_payload_t *)) get_data;
+	
+	/* private variables */
+	this->critical = FALSE;
+	this->next_payload = NO_PAYLOAD;
+	this->payload_length =CERT_PAYLOAD_HEADER_LENGTH;
+	this->cert_data = CHUNK_INITIALIZER;
+
+	return (&(this->public));
+}
diff --git a/Source/charon/encoding/payloads/cert_payload.h b/Source/charon/encoding/payloads/cert_payload.h
new file mode 100644
index 000000000..b3191e307
--- /dev/null
+++ b/Source/charon/encoding/payloads/cert_payload.h
@@ -0,0 +1,143 @@
+/**
+ * @file cert_payload.h
+ * 
+ * @brief Interface of cert_payload_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _CERT_PAYLOAD_H_
+#define _CERT_PAYLOAD_H_
+
+#include <types.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a cert payload without the cert data in bytes.
+ * 
+ * @ingroup payloads
+ */
+#define CERT_PAYLOAD_HEADER_LENGTH 5
+
+
+typedef enum cert_encoding_t cert_encoding_t;
+
+/**
+ * Cert Encoding.
+ * 
+ * @ingroup payloads
+ */
+enum cert_encoding_t {
+	PKCS7_WRAPPED_X509_CERTIFICATE = 1,
+	PGP_CERTIFICATE = 2,
+	DNS_SIGNED_KEY = 3,
+	X509_CERTIFICATE_SIGNATURE = 4,
+	KERBEROS_TOKEN	= 6,
+	CERTIFICATE_REVOCATION_LIST = 7,
+	AUTHORITY_REVOCATION_LIST = 8,
+	SPKI_CERTIFICATE = 9,
+	X509_CERTIFICATE_ATTRIBUTE = 10,
+	RAW_SA_KEY = 11,
+	HASH_AND_URL_X509_CERTIFICATE  = 12,
+	HASH_AND_URL_X509_BUNDLE = 13
+};
+
+extern mapping_t cert_encoding_m[];
+
+
+typedef struct cert_payload_t cert_payload_t;
+
+/**
+ * Object representing an IKEv2 CERT payload.
+ * 
+ * The CERT payload format is described in draft section 3.6.
+ * 
+ * @ingroup payloads
+ * 
+ */
+struct cert_payload_t {
+	/**
+	 * The payload_t interface.
+	 */
+	payload_t payload_interface;
+
+	/**
+	 * @brief Set the CERT encoding.
+	 * 
+	 *
+	 * @param this 			calling cert_payload_t object
+	 * @param encoding		CERT encoding
+	 */
+	void (*set_cert_encoding) (cert_payload_t *this, cert_encoding_t encoding);
+	
+	/**
+	 * @brief Get the CERT encoding.
+	 *
+	 * @param this 			calling cert_payload_t object
+	 * @return				Encoding of the CERT 
+	 */
+	cert_encoding_t (*get_cert_encoding) (cert_payload_t *this);
+	
+	/**
+	 * @brief Set the CERT data.
+	 * 
+	 * Data are getting cloned.
+	 *
+	 * @param this 			calling cert_payload_t object
+	 * @param data			CERT data as chunk_t
+	 */
+	void (*set_data) (cert_payload_t *this, chunk_t data);
+	
+	/**
+	 * @brief Get the CERT data.
+	 * 
+	 * Returned data are a copy of the internal one.
+	 *
+	 * @param this 			calling cert_payload_t object
+	 * @return				CERT data as chunk_t
+	 */
+	chunk_t (*get_data_clone) (cert_payload_t *this);
+	
+	/**
+	 * @brief Get the CERT data.
+	 * 
+	 * Returned data are NOT copied.
+	 *
+	 * @param this 			calling cert_payload_t object
+	 * @return				CERT data as chunk_t
+	 */
+	chunk_t (*get_data) (cert_payload_t *this);
+	
+	/**
+	 * @brief Destroys an cert_payload_t object.
+	 *
+	 * @param this 	cert_payload_t object to destroy
+	 */
+	void (*destroy) (cert_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty cert_payload_t object.
+ * 
+ * @return				created cert_payload_t object
+ * 
+ * @ingroup payloads
+ */
+cert_payload_t *cert_payload_create();
+
+
+#endif //_CERT_PAYLOAD_H_
diff --git a/Source/charon/encoding/payloads/encodings.h b/Source/charon/encoding/payloads/encodings.h
index edc26990b..33610f1e0 100644
--- a/Source/charon/encoding/payloads/encodings.h
+++ b/Source/charon/encoding/payloads/encodings.h
@@ -367,6 +367,16 @@ enum encoding_type_t{
 	 * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
 	 */
 	AUTH_DATA,
+	
+	/**
+	 * Representating a CERT Data field.
+	 * 
+ 	 * When generating the content of the chunkt pointing to 
+ 	 * is written.
+	 * 
+	 * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
+	 */
+	CERT_DATA,
 
 	/**
 	 * Representating an IKE_SPI field in an IKEv2 Header.
diff --git a/Source/charon/encoding/payloads/ike_header.c b/Source/charon/encoding/payloads/ike_header.c
index 784fce51d..6114c8de4 100644
--- a/Source/charon/encoding/payloads/ike_header.c
+++ b/Source/charon/encoding/payloads/ike_header.c
@@ -186,18 +186,6 @@ static status_t verify(private_ike_header_t *this)
 		return FAILED;
 	}
 	
-	if ((this->responder_spi == 0) && (!this->flags.initiator))
-	{
-		/* must be original initiator*/
-		return FAILED;
-	}
-
-	if ((this->responder_spi == 0) && (this->flags.response))
-	{
-		/* must be request*/
-		return FAILED;
-	}
-	
 	/* verification of version is not done in here */
 	
 	return SUCCESS;
diff --git a/Source/charon/encoding/payloads/notify_payload.c b/Source/charon/encoding/payloads/notify_payload.c
index 3bbc44df0..e085703b0 100644
--- a/Source/charon/encoding/payloads/notify_payload.c
+++ b/Source/charon/encoding/payloads/notify_payload.c
@@ -36,7 +36,7 @@ mapping_t notify_message_type_m[] = {
 	{INVALID_IKE_SPI, "INVALID_IKE_SPI"},
 	{INVALID_MAJOR_VERSION, "INVALID_MAJOR_VERSION"},
 	{INVALID_SYNTAX, "INVALID_SYNTAX"},
-	{INVALID_MESSAGE_ID, "MODP_2048_BIT"},
+	{INVALID_MESSAGE_ID, "INVALID_MESSAGE_ID"},
 	{INVALID_SPI, "INVALID_SPI"},
 	{NO_PROPOSAL_CHOSEN, "NO_PROPOSAL_CHOSEN"},
 	{INVALID_KE_PAYLOAD, "INVALID_KE_PAYLOAD"},
@@ -47,6 +47,11 @@ mapping_t notify_message_type_m[] = {
 	{FAILED_CP_REQUIRED, "FAILED_CP_REQUIRED"},
 	{TS_UACCEPTABLE, "TS_UACCEPTABLE"},
 	{INVALID_SELECTORS, "INVALID_SELECTORS"},
+	
+	/* status messages */
+	{INITIAL_CONTACT, "INITIAL_CONTACT"},
+	{SET_WINDOW_SIZE, "SET_WINDOW_SIZE"},
+	
 	{MAPPING_END, NULL}
 };
 
diff --git a/Source/charon/encoding/payloads/notify_payload.h b/Source/charon/encoding/payloads/notify_payload.h
index e877e07c7..ada346af8 100644
--- a/Source/charon/encoding/payloads/notify_payload.h
+++ b/Source/charon/encoding/payloads/notify_payload.h
@@ -68,7 +68,10 @@ enum notify_message_type_t {
 	INTERNAL_ADDRESS_FAILURE = 36,
 	FAILED_CP_REQUIRED = 37,
 	TS_UACCEPTABLE = 38,
-	INVALID_SELECTORS = 39
+	INVALID_SELECTORS = 39,
+	
+	INITIAL_CONTACT = 16384,
+	SET_WINDOW_SIZE = 16385
 };
 
 /** 
diff --git a/Source/charon/encoding/payloads/payload.c b/Source/charon/encoding/payloads/payload.c
index edc4479a9..7e6499323 100644
--- a/Source/charon/encoding/payloads/payload.c
+++ b/Source/charon/encoding/payloads/payload.c
@@ -31,6 +31,7 @@
 #include <encoding/payloads/ke_payload.h>
 #include <encoding/payloads/notify_payload.h>
 #include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
 #include <encoding/payloads/encryption_payload.h>
 #include <encoding/payloads/ts_payload.h>
 
@@ -88,6 +89,8 @@ payload_t *payload_create(payload_type_t type)
 			return (payload_t*)id_payload_create(FALSE);
 		case AUTHENTICATION:
 			return (payload_t*)auth_payload_create();
+		case CERTIFICATE:
+			return (payload_t*)cert_payload_create();
 		case TRAFFIC_SELECTOR_SUBSTRUCTURE:
 			return (payload_t*)traffic_selector_substructure_create();
 		case TRAFFIC_SELECTOR_INITIATOR: