- fixed encryption bug
[strongswan.git] / Source / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24
25 #include "message.h"
26
27 #include <types.h>
28 #include <daemon.h>
29 #include <sa/ike_sa_id.h>
30 #include <encoding/generator.h>
31 #include <encoding/parser.h>
32 #include <utils/linked_list.h>
33 #include <utils/allocator.h>
34 #include <utils/logger_manager.h>
35 #include <encoding/payloads/encodings.h>
36 #include <encoding/payloads/payload.h>
37 #include <encoding/payloads/encryption_payload.h>
38
39
40 typedef struct supported_payload_entry_t supported_payload_entry_t;
41
42 /**
43 * Supported payload entry used in message_rule_t.
44 *
45 */
46 struct supported_payload_entry_t {
47 /**
48 * Payload type.
49 */
50 payload_type_t payload_type;
51
52 /**
53 * Minimal occurence of this payload.
54 */
55 size_t min_occurence;
56
57 /**
58 * Max occurence of this payload.
59 */
60 size_t max_occurence;
61
62 /**
63 * TRUE if payload has to get encrypted
64 */
65 bool encrypted;
66 };
67
68 typedef struct message_rule_t message_rule_t;
69
70 /**
71 * Message Rule used to find out which payloads
72 * are supported by each message type.
73 *
74 */
75 struct message_rule_t {
76 /**
77 * Type of message.
78 */
79 exchange_type_t exchange_type;
80
81 /**
82 * Is message a request or response.
83 */
84 bool is_request;
85
86 /**
87 * Message contains encrypted content.
88 */
89 bool encrypted_content;
90
91 /**
92 * Number of supported payloads.
93 */
94 size_t supported_payloads_count;
95
96 /**
97 * Pointer to first supported payload entry.
98 */
99 supported_payload_entry_t *supported_payloads;
100 };
101
102 /**
103 * Message rule for IKE_SA_INIT from initiator.
104 */
105 static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
106 {
107 {SECURITY_ASSOCIATION,1,1,FALSE},
108 {KEY_EXCHANGE,1,1,FALSE},
109 {NONCE,1,1,FALSE},
110 };
111
112 /**
113 * Message rule for IKE_SA_INIT from responder.
114 */
115 static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
116 {
117 {SECURITY_ASSOCIATION,1,1,FALSE},
118 {KEY_EXCHANGE,1,1,FALSE},
119 {NONCE,1,1,FALSE},
120 };
121
122 /**
123 * Message rule for IKE_AUTH from initiator.
124 */
125 static supported_payload_entry_t supported_ike_auth_i_payloads[] =
126 {
127 {ID_INITIATOR,1,1,TRUE},
128 {CERTIFICATE,0,1,TRUE},
129 {CERTIFICATE_REQUEST,0,1,TRUE},
130 {ID_RESPONDER,0,1,TRUE},
131 {AUTHENTICATION,1,1,TRUE},
132 {SECURITY_ASSOCIATION,1,1,TRUE},
133 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
134 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},
135 };
136
137 /**
138 * Message rule for IKE_AUTH from responder.
139 */
140 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
141 {
142 {CERTIFICATE,0,1,TRUE},
143 {ID_RESPONDER,0,1,TRUE},
144 {AUTHENTICATION,1,1,TRUE},
145 {SECURITY_ASSOCIATION,1,1,TRUE},
146 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
147 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},
148 };
149
150 /**
151 * Message rules, defines allowed payloads.
152 */
153 static message_rule_t message_rules[] = {
154 {IKE_SA_INIT,TRUE,FALSE,(sizeof(supported_ike_sa_init_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_i_payloads},
155 {IKE_SA_INIT,FALSE,FALSE,(sizeof(supported_ike_sa_init_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_r_payloads},
156 {IKE_AUTH,TRUE,TRUE,(sizeof(supported_ike_auth_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_i_payloads},
157 {IKE_AUTH,FALSE,TRUE,(sizeof(supported_ike_auth_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_r_payloads}
158 };
159
160 typedef struct payload_entry_t payload_entry_t;
161
162 /**
163 * Entry for a payload in the internal used linked list.
164 *
165 */
166 struct payload_entry_t {
167 /**
168 * Type of payload.
169 */
170 payload_type_t payload_type;
171 /**
172 * Data struct holding the data of given payload.
173 */
174 void *data_struct;
175 };
176
177
178 typedef struct private_message_t private_message_t;
179
180 /**
181 * Private data of an message_t object.
182 */
183 struct private_message_t {
184
185 /**
186 * Public part of a message_t object.
187 */
188 message_t public;
189
190 /**
191 * Minor version of message.
192 */
193 u_int8_t major_version;
194
195 /**
196 * Major version of message.
197 */
198 u_int8_t minor_version;
199
200 /**
201 * First Payload in message.
202 */
203 payload_type_t first_payload;
204
205 /**
206 * Assigned exchange type.
207 */
208 exchange_type_t exchange_type;
209
210
211 /**
212 * TRUE if message is request.
213 * FALSE if message is reply.
214 */
215 bool is_request;
216
217 /**
218 * Message ID of this message.
219 */
220 u_int32_t message_id;
221
222 /**
223 * ID of assigned IKE_SA.
224 */
225 ike_sa_id_t *ike_sa_id;
226
227 /**
228 * Assigned UDP packet.
229 *
230 * Stores incoming packet or last generated one.
231 */
232 packet_t *packet;
233
234 /**
235 * Linked List where payload data are stored in.
236 */
237 linked_list_t *payloads;
238
239 /**
240 * Assigned parser to parse Header and Body of this message.
241 */
242 parser_t *parser;
243
244 /**
245 * Assigned logger.
246 */
247 logger_t *logger;
248
249 /**
250 * Gets a list of supported payloads of this message type
251 *
252 * @param this calling object
253 * @param[out] message_rule pointer is set to the message_rule of current message type
254 *
255 * @return
256 * - SUCCESS
257 * - NOT_FOUND if no message rule
258 * for specific message type could be found
259 */
260 status_t (*get_message_rule) (private_message_t *this, message_rule_t **message_rule);
261
262 status_t (*get_supported_payload_entry) (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry);
263
264 /**
265 * Encrypts all payloads which has to get encrypted.
266 *
267 * @param this calling object
268 * @param crypter crypter_t object
269 * @param signer signer_t object
270 */
271 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
272
273 /**
274 * Decrypts all payloads which has to get decrypted.
275 *
276 * @param this calling object
277 * @param crypter crypter_t object
278 * @param signer signer_t object
279 */
280 status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
281 };
282
283 /**
284 * Implementation of private_message_t.get_supported_payloads.
285 */
286
287 static status_t get_message_rule (private_message_t *this, message_rule_t **message_rule)
288 {
289 int i;
290
291 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
292 {
293 if ((this->exchange_type == message_rules[i].exchange_type) &&
294 (this->is_request == message_rules[i].is_request))
295 {
296 /* found rule for given exchange_type*/
297 *message_rule = &(message_rules[i]);
298 return SUCCESS;
299 }
300 }
301 *message_rule = NULL;
302 return NOT_FOUND;
303 }
304
305 static status_t get_supported_payload_entry (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry)
306 {
307 int i;
308
309 for (i = 0; i < message_rule->supported_payloads_count;i++)
310 {
311 if (message_rule->supported_payloads[i].payload_type == payload_type)
312 {
313 *payload_entry = &(message_rule->supported_payloads[i]);
314 return SUCCESS;
315 }
316 }
317
318 *payload_entry = NULL;
319 return NOT_FOUND;
320 }
321
322 /**
323 * Implementation of message_t.set_ike_sa_id.
324 */
325 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
326 {
327 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
328 }
329
330 /**
331 * Implementation of message_t.get_ike_sa_id.
332 */
333 static status_t get_ike_sa_id (private_message_t *this,ike_sa_id_t **ike_sa_id)
334 {
335 if (this->ike_sa_id == NULL)
336 {
337 return FAILED;
338 }
339 *ike_sa_id = this->ike_sa_id->clone(this->ike_sa_id);
340 return SUCCESS;
341 }
342
343 /**
344 * Implementation of message_t.set_message_id.
345 */
346 static void set_message_id (private_message_t *this,u_int32_t message_id)
347 {
348 this->message_id = message_id;
349 }
350
351 /**
352 * Implementation of message_t.get_message_id.
353 */
354 static u_int32_t get_message_id (private_message_t *this)
355 {
356 return this->message_id;
357 }
358
359 /**
360 * Implementation of message_t.get_responder_spi.
361 */
362 static u_int64_t get_responder_spi (private_message_t *this)
363 {
364 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
365 }
366
367 /**
368 * Implementation of message_t.set_major_version.
369 */
370 static void set_major_version (private_message_t *this,u_int8_t major_version)
371 {
372 this->major_version = major_version;
373 }
374
375
376 /**
377 * Implementation of message_t.set_major_version.
378 */
379 static u_int8_t get_major_version (private_message_t *this)
380 {
381 return this->major_version;
382 }
383
384 /**
385 * Implementation of message_t.set_minor_version.
386 */
387 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
388 {
389 this->minor_version = minor_version;
390 }
391
392 /**
393 * Implementation of message_t.get_minor_version.
394 */
395 static u_int8_t get_minor_version (private_message_t *this)
396 {
397 return this->minor_version;
398 }
399
400 /**
401 * Implementation of message_t.set_exchange_type.
402 */
403 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
404 {
405 this->exchange_type = exchange_type;
406 }
407
408 /**
409 * Implementation of message_t.get_exchange_type.
410 */
411 static exchange_type_t get_exchange_type (private_message_t *this)
412 {
413 return this->exchange_type;
414 }
415
416 /**
417 * Implementation of message_t.set_request.
418 */
419 static void set_request (private_message_t *this,bool request)
420 {
421 this->is_request = request;
422 }
423
424 /**
425 * Implementation of message_t.get_request.
426 */
427 static exchange_type_t get_request (private_message_t *this)
428 {
429 return this->is_request;
430 }
431
432 /**
433 * Implementation of message_t.add_payload.
434 */
435 static void add_payload(private_message_t *this, payload_t *payload)
436 {
437 payload_t *last_payload;
438 if (this->payloads->get_count(this->payloads) > 0)
439 {
440 this->payloads->get_last(this->payloads,(void **) &last_payload);
441 last_payload->set_next_type(last_payload, payload->get_type(payload));
442 }
443 else
444 {
445 this->first_payload = payload->get_type(payload);
446 }
447 payload->set_next_type(payload, NO_PAYLOAD);
448 this->payloads->insert_last(this->payloads, (void*)payload);
449
450 this->logger->log(this->logger, CONTROL|MORE, "added payload of type %s to message",
451 mapping_find(payload_type_m, payload->get_type(payload)));
452 }
453
454 /**
455 * Implementation of message_t.set_source.
456 */
457 static void set_source(private_message_t *this, host_t *host)
458 {
459 if (this->packet->source != NULL)
460 {
461 this->packet->source->destroy(this->packet->source);
462 }
463 this->packet->source = host;
464 }
465
466 /**
467 * Implementation of message_t.set_destination.
468 */
469 static void set_destination(private_message_t *this, host_t *host)
470 {
471 if (this->packet->destination != NULL)
472 {
473 this->packet->destination->destroy(this->packet->destination);
474 }
475 this->packet->destination = host;
476 }
477
478 /**
479 * Implementation of message_t.get_source.
480 */
481 static void get_source(private_message_t *this, host_t **host)
482 {
483 *host = this->packet->source;
484 }
485
486 /**
487 * Implementation of message_t.get_destination.
488 */
489 static void get_destination(private_message_t *this, host_t **host)
490 {
491 *host = this->packet->destination;
492 }
493
494 /**
495 * Implementation of message_t.get_destination.
496 */
497 static iterator_t *get_payload_iterator(private_message_t *this)
498 {
499 return this->payloads->create_iterator(this->payloads, TRUE);
500 }
501
502
503 /**
504 * Implementation of message_t.generate.
505 */
506 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
507 {
508 generator_t *generator;
509 ike_header_t *ike_header;
510 payload_t *payload, *next_payload;
511 iterator_t *iterator;
512 status_t status;
513
514
515 this->logger->log(this->logger, CONTROL, "generating message, contains %d payloads",
516 this->payloads->get_count(this->payloads));
517
518 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
519 {
520 this->logger->log(this->logger, ERROR, "exchange type is not defined");
521 return INVALID_STATE;
522 }
523
524 if (this->packet->source == NULL ||
525 this->packet->destination == NULL)
526 {
527 this->logger->log(this->logger, ERROR, "source/destination not defined");
528 return INVALID_STATE;
529 }
530
531 status = this->encrypt_payloads(this,crypter,signer);
532 if (status != SUCCESS)
533 {
534 this->logger->log(this->logger, ERROR, "Could not encrypt payloads");
535 return status;
536 }
537
538 /* build ike header */
539 ike_header = ike_header_create();
540
541 ike_header->set_exchange_type(ike_header, this->exchange_type);
542 ike_header->set_message_id(ike_header, this->message_id);
543 ike_header->set_response_flag(ike_header, !this->is_request);
544 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
545 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
546 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
547
548
549 generator = generator_create();
550
551 payload = (payload_t*)ike_header;
552
553 iterator = this->payloads->create_iterator(this->payloads, TRUE);
554
555 /* generate every payload, except last one */
556 while(iterator->has_next(iterator))
557 {
558 iterator->current(iterator, (void**)&next_payload);
559 payload->set_next_type(payload, next_payload->get_type(next_payload));
560 generator->generate_payload(generator, payload);
561
562 payload = next_payload;
563 }
564 iterator->destroy(iterator);
565
566 /* build last payload */
567 payload->set_next_type(payload, NO_PAYLOAD);
568
569 generator->generate_payload(generator, payload);
570 ike_header->destroy(ike_header);
571
572 /* build packet */
573 if (this->packet->data.ptr != NULL)
574 {
575 allocator_free(this->packet->data.ptr);
576 }
577 generator->write_to_chunk(generator, &(this->packet->data));
578 generator->destroy(generator);
579
580 /* append integrity checksum if necessary */
581 if (payload->get_type(payload) == ENCRYPTED)
582 {
583 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
584 status = encryption_payload->build_signature(encryption_payload, this->packet->data);
585 if (status != SUCCESS)
586 {
587 return status;
588 }
589 }
590
591 /* clone packet for caller */
592 *packet = this->packet->clone(this->packet);
593
594 this->logger->log(this->logger, CONTROL, "message generated successfully");
595 return SUCCESS;
596 }
597
598 /**
599 * Implements message_t.parse_header.
600 */
601 static status_t parse_header(private_message_t *this)
602 {
603 ike_header_t *ike_header;
604 status_t status;
605
606
607 this->logger->log(this->logger, CONTROL, "parsing header of message");
608
609 this->parser->reset_context(this->parser);
610 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
611 if (status != SUCCESS)
612 {
613 this->logger->log(this->logger, ERROR, "Header could not be parsed");
614 return status;
615
616 }
617
618 /* verify payload */
619 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
620 if (status != SUCCESS)
621 {
622 this->logger->log(this->logger, ERROR, "Header verification failed");
623 ike_header->destroy(ike_header);
624 return status;
625 }
626
627 if (this->ike_sa_id != NULL)
628 {
629 this->ike_sa_id->destroy(this->ike_sa_id);
630 }
631
632 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
633 ike_header->get_responder_spi(ike_header),
634 ike_header->get_initiator_flag(ike_header));
635
636 this->exchange_type = ike_header->get_exchange_type(ike_header);
637 this->message_id = ike_header->get_message_id(ike_header);
638 this->is_request = (!(ike_header->get_response_flag(ike_header)));
639 this->major_version = ike_header->get_maj_version(ike_header);
640 this->minor_version = ike_header->get_min_version(ike_header);
641 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
642
643
644 this->logger->log(this->logger, CONTROL, "parsing header successfully");
645
646 ike_header->destroy(ike_header);
647 return SUCCESS;
648 }
649
650 /**
651 * Implements message_t.parse_body.
652 */
653 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
654 {
655 status_t status = SUCCESS;
656 payload_type_t current_payload_type = this->first_payload;
657
658 this->logger->log(this->logger, CONTROL, "parsing body of message, first payload %s",
659 mapping_find(payload_type_m, current_payload_type));
660
661 while ((current_payload_type != NO_PAYLOAD))
662 {
663 payload_t *current_payload;
664
665 this->logger->log(this->logger, CONTROL|MORE, "start parsing payload of type %s",
666 mapping_find(payload_type_m, current_payload_type));
667
668 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
669 if (status != SUCCESS)
670 {
671 this->logger->log(this->logger, ERROR, "payload type %s could not be parsed",mapping_find(payload_type_m,current_payload_type));
672 return status;
673 }
674
675 status = current_payload->verify(current_payload);
676 if (status != SUCCESS)
677 {
678 this->logger->log(this->logger, ERROR, "payload type %s could not be verified",mapping_find(payload_type_m,current_payload_type));
679 current_payload->destroy(current_payload);
680 status = VERIFY_ERROR;
681 return status;
682 }
683
684 /* get next payload type */
685 current_payload_type = current_payload->get_next_type(current_payload);
686
687 this->payloads->insert_last(this->payloads,current_payload);
688 }
689
690 status = this->decrypt_payloads(this,crypter,signer);
691 if (status != SUCCESS)
692 {
693 this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
694 return status;
695 }
696
697 return SUCCESS;
698
699 }
700
701 /**
702 * implements message_t.verify
703 */
704 static status_t verify(private_message_t *this)
705 {
706 int i;
707 status_t status;
708 iterator_t *iterator;
709 message_rule_t *message_rule;
710
711 this->logger->log(this->logger, CONTROL|MORE, "verifying message");
712
713 status = this->get_message_rule(this, &message_rule);
714 if (status != SUCCESS)
715 {
716 this->logger->log(this->logger, ERROR, "Message rule could not be retrieved");
717 return status;
718 }
719
720 iterator = this->payloads->create_iterator(this->payloads,TRUE);
721 /* check for payloads with wrong count*/
722 for (i = 0; i < message_rule->supported_payloads_count;i++)
723 {
724 size_t min_occurence = message_rule->supported_payloads[i].min_occurence;
725 size_t max_occurence = message_rule->supported_payloads[i].max_occurence;
726 payload_type_t payload_type = message_rule->supported_payloads[i].payload_type;
727 size_t found_payloads = 0;
728
729 iterator->reset(iterator);
730
731 while(iterator->has_next(iterator))
732 {
733 payload_t *current_payload;
734 iterator->current(iterator,(void **)&current_payload);
735
736 if (current_payload->get_type(current_payload) == payload_type)
737 {
738 found_payloads++;
739 if (found_payloads > max_occurence)
740 {
741 this->logger->log(this->logger, ERROR, "Payload of type %s more than %d times (%d) occured in current message",
742 mapping_find(payload_type_m,current_payload->get_type(current_payload)),max_occurence,found_payloads);
743 iterator->destroy(iterator);
744 return NOT_SUPPORTED;
745 }
746 }
747 }
748 if (found_payloads < min_occurence)
749 {
750 this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times",
751 mapping_find(payload_type_m,payload_type),min_occurence);
752 iterator->destroy(iterator);
753 return NOT_SUPPORTED;
754 }
755 }
756 iterator->destroy(iterator);
757
758 return SUCCESS;
759 }
760
761
762 static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
763 {
764 bool current_payload_was_encrypted = FALSE;
765 status_t status;
766 message_rule_t *message_rule;
767 iterator_t *iterator;
768 int payload_number = 1;
769
770 status = this->get_message_rule(this, &message_rule);
771 if (status != SUCCESS)
772 {
773 this->logger->log(this->logger, ERROR, "No message rule for current message type");
774 return status;
775 }
776
777 iterator = this->payloads->create_iterator(this->payloads,TRUE);
778
779 while(iterator->has_next(iterator))
780 {
781 payload_t *current_payload;
782 supported_payload_entry_t *payload_entry;
783
784 /* get current payload */
785 iterator->current(iterator,(void **)&current_payload);
786
787 this->logger->log(this->logger, CONTROL | MOST, "Process payload of type %s.",mapping_find(payload_type_m,current_payload->get_type(current_payload)));
788
789 if (current_payload->get_type(current_payload) == ENCRYPTED)
790 {
791 encryption_payload_t *encryption_payload;
792 iterator_t *encrypted_payload_iterator;
793 payload_t *current_encrypted_payload;
794
795 if (!message_rule->encrypted_content)
796 {
797 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload not allowed for this message type");
798 iterator->destroy(iterator);
799 /* encrypted payload is not last one */
800 return FAILED;
801 }
802
803 if (payload_number != this->payloads->get_count(this->payloads))
804 {
805 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last one");
806 iterator->destroy(iterator);
807 /* encrypted payload is not last one */
808 return FAILED;
809 }
810
811 this->payloads->remove_last(this->payloads,(void **)&encryption_payload);
812
813 /* encrypt payload */
814 encryption_payload->set_transforms(encryption_payload, crypter, signer);
815 status = encryption_payload->verify_signature(encryption_payload, this->packet->data);
816 if (status != SUCCESS)
817 {
818 this->logger->log(this->logger, ERROR, "encryption payload signature invalid");
819 iterator->destroy(iterator);
820 return status;
821 }
822 status = encryption_payload->decrypt(encryption_payload);
823 if (status != SUCCESS)
824 {
825 this->logger->log(this->logger, ERROR, "parsing decrypted encryption payload failed");
826 iterator->destroy(iterator);
827 return status;
828 }
829
830 current_payload_was_encrypted = TRUE;
831
832 encrypted_payload_iterator = encryption_payload->create_payload_iterator(encryption_payload, TRUE);
833
834 if (!encrypted_payload_iterator->has_next(encrypted_payload_iterator))
835 {
836 iterator->remove(iterator);
837 encrypted_payload_iterator->destroy(encrypted_payload_iterator);
838 encryption_payload->destroy(encryption_payload);
839 break;
840 }
841
842 /* encryption_payload is replaced with first encrypted payload*/
843 encrypted_payload_iterator->current(encrypted_payload_iterator,(void **)&current_encrypted_payload);
844 this->logger->log(this->logger, CONTROL | MORE, "Replace encrypted payload with payload of type %s.",mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
845 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
846
847 /* all encrypted payloads are added to the payload list */
848 while (encrypted_payload_iterator->has_next(encrypted_payload_iterator))
849 {
850 this->logger->log(this->logger, CONTROL | MORE, "Insert unencrypted payload of type %s at end of list.",mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
851 encrypted_payload_iterator->current(encrypted_payload_iterator,(void **)&current_encrypted_payload);
852 this->payloads->insert_last(this->payloads,current_encrypted_payload);
853 }
854
855 encrypted_payload_iterator->destroy(encrypted_payload_iterator);
856 encryption_payload->destroy(encryption_payload);
857 }
858
859 status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&payload_entry);
860
861 if (status != SUCCESS)
862 {
863 /* payload type not supported */
864 this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload->get_type(current_payload)));
865 iterator->destroy(iterator);
866 return status;
867 }
868
869 if (payload_entry->encrypted != current_payload_was_encrypted)
870 {
871 /* payload type not supported */
872 this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!",
873 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
874 (payload_entry->encrypted) ? "encrypted": "not encrypted");
875 iterator->destroy(iterator);
876 return status;
877 }
878 payload_number++;
879 }
880 iterator->destroy(iterator);
881
882 return this->public.verify(&(this->public));
883
884 }
885
886
887 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
888 {
889 status_t status;
890 message_rule_t *message_rule;
891 encryption_payload_t *encryption_payload = NULL;
892 linked_list_t *all_payloads;
893
894 status = this->get_message_rule(this, &message_rule);
895 if (status != SUCCESS)
896 {
897 return status;
898 }
899
900 if (!message_rule->encrypted_content)
901 {
902 /* message contains no content to encrypt */
903 return SUCCESS;
904 }
905
906 all_payloads = linked_list_create();
907
908 /* first copy all payloads in a temporary list */
909 while (this->payloads->get_count(this->payloads) > 0)
910 {
911 void *current_payload;
912 this->payloads->remove_first(this->payloads,&current_payload);
913 all_payloads->insert_last(all_payloads,current_payload);
914 }
915
916 while (all_payloads->get_count(all_payloads) > 0)
917 {
918 payload_t *current_payload;
919 bool to_encrypt = FALSE;
920 supported_payload_entry_t *supported_payload_entry;
921
922 all_payloads->remove_first(all_payloads,(void **)&current_payload);
923
924 status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&supported_payload_entry);
925 /* for payload types which are not found in supported payload list, it is presumed
926 * that they don't have to be encrypted */
927 if ((status == SUCCESS) && (supported_payload_entry->encrypted))
928 {
929 to_encrypt = TRUE;
930 break;
931 }
932
933 if (to_encrypt)
934 {
935 if (encryption_payload == NULL)
936 {
937 encryption_payload = encryption_payload_create();
938 }
939 encryption_payload->add_payload(encryption_payload,current_payload);
940 }
941 else
942 {
943 this->payloads->insert_last(this->payloads,current_payload);
944 }
945 }
946
947 status = SUCCESS;
948 if (encryption_payload != NULL)
949 {
950 encryption_payload->set_transforms(encryption_payload,crypter,signer);
951 status = encryption_payload->encrypt(encryption_payload);
952 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
953 }
954
955 all_payloads->destroy(all_payloads);
956
957 return status;
958 }
959
960 /**
961 * Implements message_t's destroy function.
962 * See #message_s.destroy.
963 */
964 static void destroy (private_message_t *this)
965 {
966 iterator_t *iterator;
967
968 this->packet->destroy(this->packet);
969
970 if (this->ike_sa_id != NULL)
971 {
972 this->ike_sa_id->destroy(this->ike_sa_id);
973 }
974
975 iterator = this->payloads->create_iterator(this->payloads, TRUE);
976 while (iterator->has_next(iterator))
977 {
978 payload_t *payload;
979 iterator->current(iterator, (void**)&payload);
980 this->logger->log(this->logger, CONTROL|MOST, "Destroying payload of type %s",
981 mapping_find(payload_type_m, payload->get_type(payload)));
982 payload->destroy(payload);
983 }
984 iterator->destroy(iterator);
985 this->payloads->destroy(this->payloads);
986 this->parser->destroy(this->parser);
987 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
988
989 allocator_free(this);
990 }
991
992 /*
993 * Described in Header-File
994 */
995 message_t *message_create_from_packet(packet_t *packet)
996 {
997 private_message_t *this = allocator_alloc_thing(private_message_t);
998
999 /* public functions */
1000 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1001 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1002 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1003 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1004 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1005 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1006 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1007 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1008 this->public.get_ike_sa_id = (status_t(*)(message_t*, ike_sa_id_t **))get_ike_sa_id;
1009 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1010 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1011 this->public.set_request = (void(*)(message_t*, bool))set_request;
1012 this->public.get_request = (bool(*)(message_t*))get_request;
1013 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1014 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1015 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1016 this->public.get_source = (void (*) (message_t*,host_t**)) get_source;
1017 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1018 this->public.get_destination = (void (*) (message_t*,host_t**)) get_destination;
1019 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1020 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1021 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1022 this->public.verify = (status_t (*) (message_t*)) verify;
1023 this->public.destroy = (void(*)(message_t*))destroy;
1024
1025 /* private values */
1026 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1027 this->is_request = TRUE;
1028 this->ike_sa_id = NULL;
1029 this->first_payload = NO_PAYLOAD;
1030 this->message_id = 0;
1031
1032 /* private functions */
1033 this->get_message_rule = get_message_rule;
1034 this->get_supported_payload_entry = get_supported_payload_entry;
1035 this->encrypt_payloads = encrypt_payloads;
1036 this->decrypt_payloads = decrypt_payloads;
1037
1038 /* private values */
1039 if (packet == NULL)
1040 {
1041 packet = packet_create();
1042 }
1043 this->packet = packet;
1044 this->payloads = linked_list_create();
1045
1046 /* parser is created from data of packet */
1047 this->parser = parser_create(this->packet->data);
1048
1049 this->logger = charon->logger_manager->create_logger(charon->logger_manager, MESSAGE, NULL);
1050
1051 return (&this->public);
1052 }
1053
1054 /*
1055 * Described in Header-File
1056 */
1057 message_t *message_create()
1058 {
1059 return message_create_from_packet(NULL);
1060 }