- added notify message handling to ike_sa_init_requested_t and
[strongswan.git] / Source / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24
25 #include "message.h"
26
27 #include <types.h>
28 #include <daemon.h>
29 #include <sa/ike_sa_id.h>
30 #include <encoding/generator.h>
31 #include <encoding/parser.h>
32 #include <utils/linked_list.h>
33 #include <utils/allocator.h>
34 #include <utils/logger_manager.h>
35 #include <encoding/payloads/encodings.h>
36 #include <encoding/payloads/payload.h>
37 #include <encoding/payloads/encryption_payload.h>
38
39
40 typedef struct supported_payload_entry_t supported_payload_entry_t;
41
42 /**
43 * Supported payload entry used in message_rule_t.
44 *
45 */
46 struct supported_payload_entry_t {
47 /**
48 * Payload type.
49 */
50 payload_type_t payload_type;
51
52 /**
53 * Minimal occurence of this payload.
54 */
55 size_t min_occurence;
56
57 /**
58 * Max occurence of this payload.
59 */
60 size_t max_occurence;
61
62 /**
63 * TRUE if payload has to get encrypted
64 */
65 bool encrypted;
66
67 /**
68 * Verifying can stop after checking this payload.
69 */
70 bool can_be_last;
71 };
72
73 typedef struct message_rule_t message_rule_t;
74
75 /**
76 * Message Rule used to find out which payloads
77 * are supported by each message type.
78 *
79 */
80 struct message_rule_t {
81 /**
82 * Type of message.
83 */
84 exchange_type_t exchange_type;
85
86 /**
87 * Is message a request or response.
88 */
89 bool is_request;
90
91 /**
92 * Message contains encrypted content.
93 */
94 bool encrypted_content;
95
96 /**
97 * Number of supported payloads.
98 */
99 size_t supported_payloads_count;
100
101 /**
102 * Pointer to first supported payload entry.
103 */
104 supported_payload_entry_t *supported_payloads;
105 };
106
107 /**
108 * Message rule for IKE_SA_INIT from initiator.
109 */
110 static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
111 {
112 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
113 {KEY_EXCHANGE,1,1,FALSE,FALSE},
114 {NONCE,1,1,FALSE,FALSE},
115 };
116
117 /**
118 * Message rule for IKE_SA_INIT from responder.
119 */
120 static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
121 {
122 {NOTIFY,0,1,FALSE,TRUE},
123 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
124 {KEY_EXCHANGE,1,1,FALSE,FALSE},
125 {NONCE,1,1,FALSE,FALSE},
126 };
127
128 /**
129 * Message rule for IKE_AUTH from initiator.
130 */
131 static supported_payload_entry_t supported_ike_auth_i_payloads[] =
132 {
133 {ID_INITIATOR,1,1,TRUE,FALSE},
134 {CERTIFICATE,0,1,TRUE,FALSE},
135 {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
136 {ID_RESPONDER,0,1,TRUE,FALSE},
137 {AUTHENTICATION,1,1,TRUE,FALSE},
138 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
139 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
140 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
141 };
142
143 /**
144 * Message rule for IKE_AUTH from responder.
145 */
146 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
147 {
148 {CERTIFICATE,0,1,TRUE,FALSE},
149 {ID_RESPONDER,0,1,TRUE,FALSE},
150 {AUTHENTICATION,1,1,TRUE,FALSE},
151 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
152 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
153 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
154 };
155
156 /**
157 * Message rules, defines allowed payloads.
158 */
159 static message_rule_t message_rules[] = {
160 {IKE_SA_INIT,TRUE,FALSE,(sizeof(supported_ike_sa_init_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_i_payloads},
161 {IKE_SA_INIT,FALSE,FALSE,(sizeof(supported_ike_sa_init_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_r_payloads},
162 {IKE_AUTH,TRUE,TRUE,(sizeof(supported_ike_auth_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_i_payloads},
163 {IKE_AUTH,FALSE,TRUE,(sizeof(supported_ike_auth_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_r_payloads}
164 };
165
166 typedef struct payload_entry_t payload_entry_t;
167
168 /**
169 * Entry for a payload in the internal used linked list.
170 *
171 */
172 struct payload_entry_t {
173 /**
174 * Type of payload.
175 */
176 payload_type_t payload_type;
177 /**
178 * Data struct holding the data of given payload.
179 */
180 void *data_struct;
181 };
182
183
184 typedef struct private_message_t private_message_t;
185
186 /**
187 * Private data of an message_t object.
188 */
189 struct private_message_t {
190
191 /**
192 * Public part of a message_t object.
193 */
194 message_t public;
195
196 /**
197 * Minor version of message.
198 */
199 u_int8_t major_version;
200
201 /**
202 * Major version of message.
203 */
204 u_int8_t minor_version;
205
206 /**
207 * First Payload in message.
208 */
209 payload_type_t first_payload;
210
211 /**
212 * Assigned exchange type.
213 */
214 exchange_type_t exchange_type;
215
216 /**
217 * TRUE if message is request.
218 * FALSE if message is reply.
219 */
220 bool is_request;
221
222 /**
223 * Message ID of this message.
224 */
225 u_int32_t message_id;
226
227 /**
228 * ID of assigned IKE_SA.
229 */
230 ike_sa_id_t *ike_sa_id;
231
232 /**
233 * Assigned UDP packet.
234 *
235 * Stores incoming packet or last generated one.
236 */
237 packet_t *packet;
238
239 /**
240 * Linked List where payload data are stored in.
241 */
242 linked_list_t *payloads;
243
244 /**
245 * Assigned parser to parse Header and Body of this message.
246 */
247 parser_t *parser;
248
249 /**
250 * Assigned logger.
251 */
252 logger_t *logger;
253
254 /**
255 * Gets a list of supported payloads of this message type.
256 *
257 * @param this calling object
258 * @param[out] message_rule pointer is set to the message_rule
259 * of current message type
260 *
261 * @return
262 * - SUCCESS
263 * - NOT_FOUND if no message rule
264 * for specific message type could be found
265 */
266 status_t (*get_message_rule) (private_message_t *this, message_rule_t **message_rule);
267
268 /**
269 * Gets the supported_payload_entry_t for a specific message_rule_t and payload type.
270 *
271 * @param this calling object
272 * @param message_rule message rule
273 * @param payload_type payload type
274 * @param[out] payload_entry returned payload_entry_t
275 *
276 * @return
277 * - SUCCESS
278 * - NOT_FOUND if no message rule
279 * for specific message type could be found
280 */
281 status_t (*get_supported_payload_entry) (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry);
282
283 /**
284 * Encrypts all payloads which has to get encrypted.
285 *
286 * Can also be called with messages not containing encrypted content.
287 *
288 * @param this calling object
289 * @param crypter crypter_t object
290 * @param signer signer_t object
291 */
292 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
293
294 /**
295 * Decrypts encrypted contents and also verifies all payloads.
296 *
297 * @param this calling object
298 * @param crypter crypter_t object
299 * @param signer signer_t object
300 */
301 status_t (*decrypt_and_verify_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
302 };
303
304 /**
305 * Implementation of private_message_t.get_supported_payloads.
306 */
307
308 static status_t get_message_rule (private_message_t *this, message_rule_t **message_rule)
309 {
310 int i;
311
312 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
313 {
314 if ((this->exchange_type == message_rules[i].exchange_type) &&
315 (this->is_request == message_rules[i].is_request))
316 {
317 /* found rule for given exchange_type*/
318 *message_rule = &(message_rules[i]);
319 return SUCCESS;
320 }
321 }
322 *message_rule = NULL;
323 return NOT_FOUND;
324 }
325
326 /**
327 * Implementation of private_message_t.get_supported_payload_entry.
328 */
329 static status_t get_supported_payload_entry (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry)
330 {
331 int i;
332
333 for (i = 0; i < message_rule->supported_payloads_count;i++)
334 {
335 if (message_rule->supported_payloads[i].payload_type == payload_type)
336 {
337 *payload_entry = &(message_rule->supported_payloads[i]);
338 return SUCCESS;
339 }
340 }
341
342 *payload_entry = NULL;
343 return NOT_FOUND;
344 }
345
346 /**
347 * Implementation of message_t.set_ike_sa_id.
348 */
349 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
350 {
351 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
352 }
353
354 /**
355 * Implementation of message_t.get_ike_sa_id.
356 */
357 static status_t get_ike_sa_id (private_message_t *this,ike_sa_id_t **ike_sa_id)
358 {
359 if (this->ike_sa_id == NULL)
360 {
361 return FAILED;
362 }
363 *ike_sa_id = this->ike_sa_id->clone(this->ike_sa_id);
364 return SUCCESS;
365 }
366
367 /**
368 * Implementation of message_t.set_message_id.
369 */
370 static void set_message_id (private_message_t *this,u_int32_t message_id)
371 {
372 this->message_id = message_id;
373 }
374
375 /**
376 * Implementation of message_t.get_message_id.
377 */
378 static u_int32_t get_message_id (private_message_t *this)
379 {
380 return this->message_id;
381 }
382
383 /**
384 * Implementation of message_t.get_responder_spi.
385 */
386 static u_int64_t get_responder_spi (private_message_t *this)
387 {
388 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
389 }
390
391 /**
392 * Implementation of message_t.set_major_version.
393 */
394 static void set_major_version (private_message_t *this,u_int8_t major_version)
395 {
396 this->major_version = major_version;
397 }
398
399
400 /**
401 * Implementation of message_t.set_major_version.
402 */
403 static u_int8_t get_major_version (private_message_t *this)
404 {
405 return this->major_version;
406 }
407
408 /**
409 * Implementation of message_t.set_minor_version.
410 */
411 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
412 {
413 this->minor_version = minor_version;
414 }
415
416 /**
417 * Implementation of message_t.get_minor_version.
418 */
419 static u_int8_t get_minor_version (private_message_t *this)
420 {
421 return this->minor_version;
422 }
423
424 /**
425 * Implementation of message_t.set_exchange_type.
426 */
427 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
428 {
429 this->exchange_type = exchange_type;
430 }
431
432 /**
433 * Implementation of message_t.get_exchange_type.
434 */
435 static exchange_type_t get_exchange_type (private_message_t *this)
436 {
437 return this->exchange_type;
438 }
439
440 /**
441 * Implementation of message_t.set_request.
442 */
443 static void set_request (private_message_t *this,bool request)
444 {
445 this->is_request = request;
446 }
447
448 /**
449 * Implementation of message_t.get_request.
450 */
451 static exchange_type_t get_request (private_message_t *this)
452 {
453 return this->is_request;
454 }
455
456 /**
457 * Implementation of message_t.add_payload.
458 */
459 static void add_payload(private_message_t *this, payload_t *payload)
460 {
461 payload_t *last_payload;
462 if (this->payloads->get_count(this->payloads) > 0)
463 {
464 this->payloads->get_last(this->payloads,(void **) &last_payload);
465 last_payload->set_next_type(last_payload, payload->get_type(payload));
466 }
467 else
468 {
469 this->first_payload = payload->get_type(payload);
470 }
471 payload->set_next_type(payload, NO_PAYLOAD);
472 this->payloads->insert_last(this->payloads, (void*)payload);
473
474 this->logger->log(this->logger, CONTROL|MORE, "Added payload of type %s to message",
475 mapping_find(payload_type_m, payload->get_type(payload)));
476 }
477
478 /**
479 * Implementation of message_t.set_source.
480 */
481 static void set_source(private_message_t *this, host_t *host)
482 {
483 if (this->packet->source != NULL)
484 {
485 this->packet->source->destroy(this->packet->source);
486 }
487 this->packet->source = host;
488 }
489
490 /**
491 * Implementation of message_t.set_destination.
492 */
493 static void set_destination(private_message_t *this, host_t *host)
494 {
495 if (this->packet->destination != NULL)
496 {
497 this->packet->destination->destroy(this->packet->destination);
498 }
499 this->packet->destination = host;
500 }
501
502 /**
503 * Implementation of message_t.get_source.
504 */
505 static host_t* get_source(private_message_t *this)
506 {
507 return this->packet->source;
508 }
509
510 /**
511 * Implementation of message_t.get_destination.
512 */
513 static host_t * get_destination(private_message_t *this)
514 {
515 return this->packet->destination;
516 }
517
518 /**
519 * Implementation of message_t.get_destination.
520 */
521 static iterator_t *get_payload_iterator(private_message_t *this)
522 {
523 return this->payloads->create_iterator(this->payloads, TRUE);
524 }
525
526
527 /**
528 * Implementation of message_t.generate.
529 */
530 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
531 {
532 generator_t *generator;
533 ike_header_t *ike_header;
534 payload_t *payload, *next_payload;
535 iterator_t *iterator;
536 message_rule_t *message_rule;
537 status_t status;
538
539 this->logger->log(this->logger, CONTROL, "Generating message of type %s, contains %d payloads",
540 mapping_find(exchange_type_m,this->exchange_type),
541 this->payloads->get_count(this->payloads));
542
543 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
544 {
545 this->logger->log(this->logger, ERROR | MORE, "Exchange type %s is not defined",mapping_find(exchange_type_m,this->exchange_type));
546 return INVALID_STATE;
547 }
548
549 status = this->get_message_rule(this, &message_rule);
550 if (status != SUCCESS)
551 {
552 this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
553 mapping_find(exchange_type_m,this->exchange_type));
554 return status;
555 }
556
557 if (this->packet->source == NULL ||
558 this->packet->destination == NULL)
559 {
560 this->logger->log(this->logger, ERROR | MORE, "Source/destination not defined");
561 return INVALID_STATE;
562 }
563
564 /* going to encrypt all content which have to be encrypted */
565 status = this->encrypt_payloads(this,crypter,signer);
566 if (status != SUCCESS)
567 {
568 this->logger->log(this->logger, ERROR | MORE, "Could not encrypt payloads");
569 return status;
570 }
571
572 /* build ike header */
573 ike_header = ike_header_create();
574
575 ike_header->set_exchange_type(ike_header, this->exchange_type);
576 ike_header->set_message_id(ike_header, this->message_id);
577 ike_header->set_response_flag(ike_header, !this->is_request);
578 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
579 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
580 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
581
582 generator = generator_create();
583
584 payload = (payload_t*)ike_header;
585
586 iterator = this->payloads->create_iterator(this->payloads, TRUE);
587
588 /* generate every payload expect last one*/
589 while(iterator->has_next(iterator))
590 {
591 iterator->current(iterator, (void**)&next_payload);
592 payload->set_next_type(payload, next_payload->get_type(next_payload));
593 generator->generate_payload(generator, payload);
594 payload = next_payload;
595 }
596 iterator->destroy(iterator);
597
598 /* last payload has no next payload*/
599 payload->set_next_type(payload, NO_PAYLOAD);
600
601 generator->generate_payload(generator, payload);
602
603 ike_header->destroy(ike_header);
604
605 /* build packet */
606 if (this->packet->data.ptr != NULL)
607 {
608 this->logger->log(this->logger, CONTROL | MOST, "Replace last generated packet data");
609 allocator_free(this->packet->data.ptr);
610 }
611 generator->write_to_chunk(generator, &(this->packet->data));
612 generator->destroy(generator);
613
614 /* if last payload is of type encrypted, integrity checksum if necessary */
615 if (payload->get_type(payload) == ENCRYPTED)
616 {
617 this->logger->log(this->logger, CONTROL | MORE, "Build signature on whole message");
618 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
619 status = encryption_payload->build_signature(encryption_payload, this->packet->data);
620 if (status != SUCCESS)
621 {
622 return status;
623 }
624 }
625
626 /* clone packet for caller */
627 *packet = this->packet->clone(this->packet);
628
629 this->logger->log(this->logger, CONTROL, "Message of type %s generated successfully",mapping_find(exchange_type_m,this->exchange_type));
630 return SUCCESS;
631 }
632
633 /**
634 * Implementation of message_t.parse_header.
635 */
636 static status_t parse_header(private_message_t *this)
637 {
638 ike_header_t *ike_header;
639 status_t status;
640
641
642 this->logger->log(this->logger, CONTROL, "parsing Header of message");
643
644 this->parser->reset_context(this->parser);
645 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
646 if (status != SUCCESS)
647 {
648 this->logger->log(this->logger, ERROR | MORE, "Header could not be parsed");
649 return status;
650
651 }
652
653 /* verify payload */
654 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
655 if (status != SUCCESS)
656 {
657 this->logger->log(this->logger, ERROR | MORE, "Header verification failed");
658 ike_header->destroy(ike_header);
659 return status;
660 }
661
662 if (this->ike_sa_id != NULL)
663 {
664 this->ike_sa_id->destroy(this->ike_sa_id);
665 }
666
667 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
668 ike_header->get_responder_spi(ike_header),
669 ike_header->get_initiator_flag(ike_header));
670
671 this->exchange_type = ike_header->get_exchange_type(ike_header);
672 this->message_id = ike_header->get_message_id(ike_header);
673 this->is_request = (!(ike_header->get_response_flag(ike_header)));
674 this->major_version = ike_header->get_maj_version(ike_header);
675 this->minor_version = ike_header->get_min_version(ike_header);
676 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
677
678
679 this->logger->log(this->logger, CONTROL, "Parsing and verification of header successfully");
680
681 ike_header->destroy(ike_header);
682 return SUCCESS;
683 }
684
685 /**
686 * Implementation of message_t.parse_body.
687 */
688 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
689 {
690 status_t status = SUCCESS;
691 payload_type_t current_payload_type = this->first_payload;
692
693 this->logger->log(this->logger, CONTROL, "Parsing body of message, first payload %s",
694 mapping_find(payload_type_m, current_payload_type));
695
696 while ((current_payload_type != NO_PAYLOAD))
697 {
698 payload_t *current_payload;
699
700 this->logger->log(this->logger, CONTROL|MORE, "Start parsing payload of type %s",
701 mapping_find(payload_type_m, current_payload_type));
702
703 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
704 if (status != SUCCESS)
705 {
706 this->logger->log(this->logger, ERROR, "Payload type %s could not be parsed",mapping_find(payload_type_m,current_payload_type));
707 return status;
708 }
709
710 this->logger->log(this->logger, CONTROL|MOST, "Verify payload of type %s",
711 mapping_find(payload_type_m, current_payload_type));
712
713 status = current_payload->verify(current_payload);
714 if (status != SUCCESS)
715 {
716 this->logger->log(this->logger, ERROR, "Payload type %s could not be verified",mapping_find(payload_type_m,current_payload_type));
717 current_payload->destroy(current_payload);
718 status = VERIFY_ERROR;
719 return status;
720 }
721
722 this->logger->log(this->logger, CONTROL|MOST, "Payload verified. Adding to payload list",
723 mapping_find(payload_type_m, current_payload_type));
724 this->payloads->insert_last(this->payloads,current_payload);
725
726 /* stop if an encryption payload found */
727 if (current_payload_type == ENCRYPTED)
728 {
729 this->logger->log(this->logger, CONTROL|MOST, "Payload of type encrypted found. Stop parsing.",
730 mapping_find(payload_type_m, current_payload_type));
731 break;
732 }
733
734 /* get next payload type */
735 current_payload_type = current_payload->get_next_type(current_payload);
736 }
737
738 status = this->decrypt_and_verify_payloads(this,crypter,signer);
739 if (status != SUCCESS)
740 {
741 this->logger->log(this->logger, ERROR, "Could not decrypt and verify payloads");
742 return status;
743 }
744
745 return SUCCESS;
746
747 }
748
749 /**
750 * Implementation of message_t.verify.
751 */
752 static status_t verify(private_message_t *this)
753 {
754 int i;
755 status_t status;
756 iterator_t *iterator;
757 message_rule_t *message_rule;
758 size_t total_found_payloads = 0;
759
760 this->logger->log(this->logger, CONTROL|MORE, "Verifying message structure");
761
762 status = this->get_message_rule(this, &message_rule);
763 if (status != SUCCESS)
764 {
765 this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
766 mapping_find(exchange_type_m,this->exchange_type));
767 return status;
768 }
769
770 iterator = this->payloads->create_iterator(this->payloads,TRUE);
771 /* check for payloads with wrong count*/
772 for (i = 0; i < message_rule->supported_payloads_count;i++)
773 {
774 size_t found_payloads = 0;
775
776 /* check all payloads for specific rule */
777 iterator->reset(iterator);
778 while(iterator->has_next(iterator))
779 {
780 payload_t *current_payload;
781 iterator->current(iterator,(void **)&current_payload);
782
783 if (current_payload->get_type(current_payload) == message_rule->supported_payloads[i].payload_type)
784 {
785 found_payloads++;
786 total_found_payloads++;
787 this->logger->log(this->logger, CONTROL | MOST, "Found payload of type %s",
788 mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type));
789
790 /* as soon as ohe payload occures more then specified, the verification fails */
791 if (found_payloads > message_rule->supported_payloads[i].max_occurence)
792 {
793 this->logger->log(this->logger, ERROR, "Payload of type %s more than %d times (%d) occured in current message",
794 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
795 message_rule->supported_payloads[i].max_occurence,found_payloads);
796 iterator->destroy(iterator);
797 return NOT_SUPPORTED;
798 }
799 }
800 }
801 if (found_payloads < message_rule->supported_payloads[i].min_occurence)
802 {
803 this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times (%d)",
804 mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type),
805 message_rule->supported_payloads[i].min_occurence,found_payloads);
806 iterator->destroy(iterator);
807 return NOT_SUPPORTED;
808 }
809 if ((message_rule->supported_payloads[i].can_be_last) && (this->payloads->get_count(this->payloads) == total_found_payloads))
810 {
811 iterator->destroy(iterator);
812 return SUCCESS;
813 }
814 }
815 iterator->destroy(iterator);
816
817 return SUCCESS;
818 }
819
820
821 /**
822 * Implementation of private_message_t.decrypt_and_verify_payloads.
823 */
824 static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
825 {
826 bool current_payload_was_encrypted = FALSE;
827 payload_t *last_payload = NULL;
828 message_rule_t *message_rule;
829 int payload_number = 1;
830 iterator_t *iterator;
831 status_t status;
832
833 status = this->get_message_rule(this, &message_rule);
834 if (status != SUCCESS)
835 {
836 this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
837 mapping_find(exchange_type_m,this->exchange_type));
838 return status;
839 }
840
841 iterator = this->payloads->create_iterator(this->payloads,TRUE);
842
843 /* process each payload and decrypt a encryption payload */
844 while(iterator->has_next(iterator))
845 {
846 supported_payload_entry_t *supported_payload_entry;
847 payload_type_t current_payload_type;
848 payload_t *current_payload;
849
850 /* get current payload */
851 iterator->current(iterator,(void **)&current_payload);
852
853 /* needed to check */
854 current_payload_type = current_payload->get_type(current_payload);
855
856 this->logger->log(this->logger, CONTROL | MOST, "Process payload of type %s",mapping_find(payload_type_m,current_payload_type));
857
858 if (current_payload_type == ENCRYPTED)
859 {
860 encryption_payload_t *encryption_payload;
861 payload_t *current_encrypted_payload;
862
863
864 this->logger->log(this->logger, CONTROL | MORE, "Found an encryption payload");
865
866 if (!message_rule->encrypted_content)
867 {
868 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload not allowed for this message type");
869 iterator->destroy(iterator);
870 /* encrypted payload is not last one */
871 return FAILED;
872 }
873
874 if (payload_number != this->payloads->get_count(this->payloads))
875 {
876 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last payload");
877 iterator->destroy(iterator);
878 /* encrypted payload is not last one */
879 return FAILED;
880 }
881
882 iterator->current(iterator,(void **)&encryption_payload);
883
884 /* encrypt payload */
885 encryption_payload->set_transforms(encryption_payload, crypter, signer);
886 this->logger->log(this->logger, CONTROL | MORE, "Verify signature of encryption payload");
887 status = encryption_payload->verify_signature(encryption_payload, this->packet->data);
888 if (status != SUCCESS)
889 {
890 this->logger->log(this->logger, ERROR | MORE, "encryption payload signature invalid");
891 iterator->destroy(iterator);
892 return status;
893 }
894 this->logger->log(this->logger, CONTROL | MORE, "Decrypt content of encryption payload");
895 status = encryption_payload->decrypt(encryption_payload);
896 if (status != SUCCESS)
897 {
898 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload could not be decrypted and parsed");
899 iterator->destroy(iterator);
900 return status;
901 }
902
903 /* needed to later find out if a payload has to be encrypted or not */
904 current_payload_was_encrypted = TRUE;
905
906 if (encryption_payload->get_payload_count(encryption_payload) == 0)
907 {
908 this->logger->log(this->logger, CONTROL | MORE, "Encrypted payload is empty");
909 iterator->remove(iterator);
910 encryption_payload->destroy(encryption_payload);
911 /* encrypted payload contains no other payload */
912 current_payload_type = NO_PAYLOAD;
913 if (last_payload == NULL)
914 {
915 /* encrypted content was the only payload in IKEv2-Message
916 * Set the first payload to the first payload of encrypted ones */
917 this->first_payload = current_payload_type;
918 }
919 else
920 {
921 /* another payload was here before the encrypted content
922 * Set the next payload of proceeding payload
923 * to the first payload of encrypted ones */
924 last_payload->set_next_type(last_payload,current_payload_type);
925 }
926 break;
927
928 }
929
930 this->logger->log(this->logger, CONTROL | MORE, "Encrypted payload is not empty");
931
932 /* encryption_payload is replaced with first encrypted payload*/
933 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
934
935 this->logger->log(this->logger, CONTROL | MORE, "Replace encrypted payload with payload of type %s.",
936 mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
937 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
938 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
939 if (last_payload == NULL)
940 {
941 /* encrypted content was the only payload in IKEv2-Message
942 * Set the first payload to the first payload of encrypted ones */
943 this->first_payload = current_payload_type;
944 }
945 else
946 {
947 /* another payload was here before the encrypted content
948 * Set the next payload of proceeding payload
949 * to the first payload of encrypted ones */
950 last_payload->set_next_type(last_payload,current_payload_type);
951 }
952
953 /* all encrypted payloads are added to the payload list */
954 while (encryption_payload->get_payload_count(encryption_payload) > 0)
955 {
956 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
957 this->logger->log(this->logger, CONTROL | MORE, "Insert unencrypted payload of type %s at end of list.",mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
958 this->payloads->insert_last(this->payloads,current_encrypted_payload);
959 }
960
961 /* encryption payload is not needed anymore cause all payloads are
962 * moved to internal payload list */
963 encryption_payload->destroy(encryption_payload);
964
965
966 }
967
968 status = this->get_supported_payload_entry(this,message_rule,current_payload_type,&supported_payload_entry);
969 if (status != SUCCESS)
970 {
971 /* payload type not supported */
972 this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
973 iterator->destroy(iterator);
974 return status;
975 }
976
977 if (supported_payload_entry->encrypted != current_payload_was_encrypted)
978 {
979 /* payload type not supported */
980 this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!",
981 mapping_find(payload_type_m,current_payload_type),
982 (supported_payload_entry->encrypted) ? "encrypted": "not encrypted");
983 iterator->destroy(iterator);
984 return status;
985 }
986 payload_number++;
987 /* is stored to set next payload in case of found encryption payload */
988 last_payload = current_payload;
989 }
990 iterator->destroy(iterator);
991 return this->public.verify(&(this->public));
992 }
993
994 /**
995 * Implementation of private_message_t.encrypt_payloads.
996 */
997 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
998 {
999 encryption_payload_t *encryption_payload = NULL;
1000 message_rule_t *message_rule;
1001 status_t status;
1002 linked_list_t *all_payloads;
1003
1004 status = this->get_message_rule(this, &message_rule);
1005 if (status != SUCCESS)
1006 {
1007 this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
1008 mapping_find(exchange_type_m,this->exchange_type));
1009 return status;
1010 }
1011
1012 if (!message_rule->encrypted_content)
1013 {
1014 this->logger->log(this->logger, CONTROL | MORE, "Message doesn't have to be encrypted");
1015 /* message contains no content to encrypt */
1016 return SUCCESS;
1017 }
1018
1019 this->logger->log(this->logger, CONTROL | MOST, "Copy all payloads to a temporary list");
1020 all_payloads = linked_list_create();
1021
1022 /* first copy all payloads in a temporary list */
1023 while (this->payloads->get_count(this->payloads) > 0)
1024 {
1025 void *current_payload;
1026 this->payloads->remove_first(this->payloads,&current_payload);
1027 all_payloads->insert_last(all_payloads,current_payload);
1028 }
1029
1030 this->logger->log(this->logger, CONTROL | MOST, "Check each payloads if they have to get encrypted");
1031 while (all_payloads->get_count(all_payloads) > 0)
1032 {
1033 supported_payload_entry_t *supported_payload_entry;
1034 payload_t *current_payload;
1035 bool to_encrypt = FALSE;
1036
1037 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1038 this->logger->log(this->logger, CONTROL | MOST, "Get rule for payload %s", mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1039
1040 status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&supported_payload_entry);
1041 /* for payload types which are not found in supported payload list, it is presumed
1042 * that they don't have to be encrypted */
1043 if ((status == SUCCESS) && (supported_payload_entry->encrypted))
1044 {
1045 this->logger->log(this->logger, CONTROL | MOST, "Payload %s has to get encrypted",
1046 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1047 to_encrypt = TRUE;
1048 }
1049 else if (status != SUCCESS)
1050 {
1051 this->logger->log(this->logger, CONTROL | MOST, "Payload %s not defined for exchange type %s. Handle it anyway",
1052 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
1053 mapping_find(exchange_type_m,this->exchange_type));
1054 }
1055
1056 if (to_encrypt)
1057 {
1058 if (encryption_payload == NULL)
1059 {
1060 encryption_payload = encryption_payload_create();
1061 }
1062 this->logger->log(this->logger, CONTROL | MOST, "Insert payload %s to encryption payload",
1063 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1064
1065 encryption_payload->add_payload(encryption_payload,current_payload);
1066 }
1067 else
1068 {
1069 this->logger->log(this->logger, CONTROL | MOST, "Insert payload %s as payload wich does not have to be encrypted",
1070 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1071 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1072 }
1073 }
1074
1075 status = SUCCESS;
1076 if (encryption_payload != NULL)
1077 {
1078 this->logger->log(this->logger, CONTROL | MOST, "Set transforms for encryption payload ");
1079 encryption_payload->set_transforms(encryption_payload,crypter,signer);
1080 this->logger->log(this->logger, CONTROL | MORE, "Encrypt all payloads of encrypted payload");
1081 status = encryption_payload->encrypt(encryption_payload);
1082 this->logger->log(this->logger, CONTROL | MOST, "Add encrypted payload to payload list");
1083 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1084 }
1085
1086 all_payloads->destroy(all_payloads);
1087
1088 return status;
1089 }
1090
1091
1092 /**
1093 * Implementation of message_t.destroy.
1094 */
1095 static void destroy (private_message_t *this)
1096 {
1097 iterator_t *iterator;
1098
1099 this->logger->log(this->logger, CONTROL | MOST, "Going to destroy message_t object");
1100
1101 this->packet->destroy(this->packet);
1102
1103 if (this->ike_sa_id != NULL)
1104 {
1105 this->ike_sa_id->destroy(this->ike_sa_id);
1106 }
1107
1108 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1109 while (iterator->has_next(iterator))
1110 {
1111 payload_t *payload;
1112 iterator->current(iterator, (void**)&payload);
1113 this->logger->log(this->logger, CONTROL|MOST, "Destroying payload of type %s",
1114 mapping_find(payload_type_m, payload->get_type(payload)));
1115 payload->destroy(payload);
1116 }
1117 iterator->destroy(iterator);
1118 this->payloads->destroy(this->payloads);
1119 this->parser->destroy(this->parser);
1120 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
1121
1122 allocator_free(this);
1123 }
1124
1125 /*
1126 * Described in Header-File
1127 */
1128 message_t *message_create_from_packet(packet_t *packet)
1129 {
1130 private_message_t *this = allocator_alloc_thing(private_message_t);
1131
1132 /* public functions */
1133 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1134 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1135 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1136 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1137 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1138 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1139 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1140 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1141 this->public.get_ike_sa_id = (status_t(*)(message_t*, ike_sa_id_t **))get_ike_sa_id;
1142 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1143 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1144 this->public.set_request = (void(*)(message_t*, bool))set_request;
1145 this->public.get_request = (bool(*)(message_t*))get_request;
1146 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1147 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1148 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1149 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1150 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1151 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1152 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1153 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1154 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1155 this->public.verify = (status_t (*) (message_t*)) verify;
1156 this->public.destroy = (void(*)(message_t*))destroy;
1157
1158 /* private values */
1159 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1160 this->is_request = TRUE;
1161 this->ike_sa_id = NULL;
1162 this->first_payload = NO_PAYLOAD;
1163 this->message_id = 0;
1164
1165 /* private functions */
1166 this->get_message_rule = get_message_rule;
1167 this->get_supported_payload_entry = get_supported_payload_entry;
1168 this->encrypt_payloads = encrypt_payloads;
1169 this->decrypt_and_verify_payloads = decrypt_and_verify_payloads;
1170
1171 /* private values */
1172 if (packet == NULL)
1173 {
1174 packet = packet_create();
1175 }
1176 this->packet = packet;
1177 this->payloads = linked_list_create();
1178
1179 /* parser is created from data of packet */
1180 this->parser = parser_create(this->packet->data);
1181
1182 this->logger = charon->logger_manager->create_logger(charon->logger_manager, MESSAGE, NULL);
1183
1184 return (&this->public);
1185 }
1186
1187 /*
1188 * Described in Header.
1189 */
1190 message_t *message_create()
1191 {
1192 return message_create_from_packet(NULL);
1193 }