d3b92f3f150aa279aae8c6b8ee6ea37e6d1d9241
[strongswan.git] / Source / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24
25 #include "message.h"
26
27 #include <types.h>
28 #include <daemon.h>
29 #include <sa/ike_sa_id.h>
30 #include <encoding/generator.h>
31 #include <encoding/parser.h>
32 #include <utils/linked_list.h>
33 #include <utils/allocator.h>
34 #include <utils/logger_manager.h>
35 #include <encoding/payloads/encodings.h>
36 #include <encoding/payloads/payload.h>
37 #include <encoding/payloads/encryption_payload.h>
38
39
40 typedef struct supported_payload_entry_t supported_payload_entry_t;
41
42 /**
43 * Supported payload entry used in message_rule_t.
44 *
45 */
46 struct supported_payload_entry_t {
47 /**
48 * Payload type.
49 */
50 payload_type_t payload_type;
51
52 /**
53 * Minimal occurence of this payload.
54 */
55 size_t min_occurence;
56
57 /**
58 * Max occurence of this payload.
59 */
60 size_t max_occurence;
61
62 /**
63 * TRUE if payload has to get encrypted
64 */
65 bool encrypted;
66 };
67
68 typedef struct message_rule_t message_rule_t;
69
70 /**
71 * Message Rule used to find out which payloads
72 * are supported by each message type.
73 *
74 */
75 struct message_rule_t {
76 /**
77 * Type of message.
78 */
79 exchange_type_t exchange_type;
80
81 /**
82 * Is message a request or response.
83 */
84 bool is_request;
85
86 /**
87 * Message contains encrypted content.
88 */
89 bool encrypted_content;
90
91 /**
92 * Number of supported payloads.
93 */
94 size_t supported_payloads_count;
95
96 /**
97 * Pointer to first supported payload entry.
98 */
99 supported_payload_entry_t *supported_payloads;
100 };
101
102 /**
103 * Message rule for IKE_SA_INIT from initiator.
104 */
105 static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
106 {
107 {SECURITY_ASSOCIATION,1,1,FALSE},
108 {KEY_EXCHANGE,1,1,FALSE},
109 {NONCE,1,1,FALSE},
110 };
111
112 /**
113 * Message rule for IKE_SA_INIT from responder.
114 */
115 static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
116 {
117 {SECURITY_ASSOCIATION,1,1,FALSE},
118 {KEY_EXCHANGE,1,1,FALSE},
119 {NONCE,1,1,FALSE},
120 };
121
122 /**
123 * Message rule for IKE_AUTH from initiator.
124 */
125 static supported_payload_entry_t supported_ike_auth_i_payloads[] =
126 {
127 {ID_INITIATOR,1,1,TRUE},
128 {CERTIFICATE,0,1,TRUE},
129 {CERTIFICATE_REQUEST,0,1,TRUE},
130 {ID_RESPONDER,0,1,TRUE},
131 {AUTHENTICATION,1,1,TRUE},
132 {SECURITY_ASSOCIATION,1,1,TRUE},
133 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
134 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},
135 };
136
137 /**
138 * Message rule for IKE_AUTH from responder.
139 */
140 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
141 {
142 {CERTIFICATE,0,1,TRUE},
143 {ID_RESPONDER,0,1,TRUE},
144 {AUTHENTICATION,1,1,TRUE},
145 {SECURITY_ASSOCIATION,1,1,TRUE},
146 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
147 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},
148 };
149
150 /**
151 * Message rules, defines allowed payloads.
152 */
153 static message_rule_t message_rules[] = {
154 {IKE_SA_INIT,TRUE,FALSE,(sizeof(supported_ike_sa_init_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_i_payloads},
155 {IKE_SA_INIT,FALSE,FALSE,(sizeof(supported_ike_sa_init_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_r_payloads},
156 {IKE_AUTH,TRUE,TRUE,(sizeof(supported_ike_auth_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_i_payloads},
157 {IKE_AUTH,FALSE,TRUE,(sizeof(supported_ike_auth_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_r_payloads}
158 };
159
160 typedef struct payload_entry_t payload_entry_t;
161
162 /**
163 * Entry for a payload in the internal used linked list.
164 *
165 */
166 struct payload_entry_t {
167 /**
168 * Type of payload.
169 */
170 payload_type_t payload_type;
171 /**
172 * Data struct holding the data of given payload.
173 */
174 void *data_struct;
175 };
176
177
178 typedef struct private_message_t private_message_t;
179
180 /**
181 * Private data of an message_t object.
182 */
183 struct private_message_t {
184
185 /**
186 * Public part of a message_t object.
187 */
188 message_t public;
189
190 /**
191 * Minor version of message.
192 */
193 u_int8_t major_version;
194
195 /**
196 * Major version of message.
197 */
198 u_int8_t minor_version;
199
200 /**
201 * First Payload in message.
202 */
203 payload_type_t first_payload;
204
205 /**
206 * Assigned exchange type.
207 */
208 exchange_type_t exchange_type;
209
210 /**
211 * TRUE if message is request.
212 * FALSE if message is reply.
213 */
214 bool is_request;
215
216 /**
217 * Message ID of this message.
218 */
219 u_int32_t message_id;
220
221 /**
222 * ID of assigned IKE_SA.
223 */
224 ike_sa_id_t *ike_sa_id;
225
226 /**
227 * Assigned UDP packet.
228 *
229 * Stores incoming packet or last generated one.
230 */
231 packet_t *packet;
232
233 /**
234 * Linked List where payload data are stored in.
235 */
236 linked_list_t *payloads;
237
238 /**
239 * Assigned parser to parse Header and Body of this message.
240 */
241 parser_t *parser;
242
243 /**
244 * Assigned logger.
245 */
246 logger_t *logger;
247
248 /**
249 * Gets a list of supported payloads of this message type.
250 *
251 * @param this calling object
252 * @param[out] message_rule pointer is set to the message_rule
253 * of current message type
254 *
255 * @return
256 * - SUCCESS
257 * - NOT_FOUND if no message rule
258 * for specific message type could be found
259 */
260 status_t (*get_message_rule) (private_message_t *this, message_rule_t **message_rule);
261
262 /**
263 * Gets the supported_payload_entry_t for a specific message_rule_t and payload type.
264 *
265 * @param this calling object
266 * @param message_rule message rule
267 * @param payload_type payload type
268 * @param[out] payload_entry returned payload_entry_t
269 *
270 * @return
271 * - SUCCESS
272 * - NOT_FOUND if no message rule
273 * for specific message type could be found
274 */
275 status_t (*get_supported_payload_entry) (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry);
276
277 /**
278 * Encrypts all payloads which has to get encrypted.
279 *
280 * Can also be called with messages not containing encrypted content.
281 *
282 * @param this calling object
283 * @param crypter crypter_t object
284 * @param signer signer_t object
285 */
286 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
287
288 /**
289 * Decrypts encrypted contents and also verifies all payloads.
290 *
291 * @param this calling object
292 * @param crypter crypter_t object
293 * @param signer signer_t object
294 */
295 status_t (*decrypt_and_verify_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
296 };
297
298 /**
299 * Implementation of private_message_t.get_supported_payloads.
300 */
301
302 static status_t get_message_rule (private_message_t *this, message_rule_t **message_rule)
303 {
304 int i;
305
306 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
307 {
308 if ((this->exchange_type == message_rules[i].exchange_type) &&
309 (this->is_request == message_rules[i].is_request))
310 {
311 /* found rule for given exchange_type*/
312 *message_rule = &(message_rules[i]);
313 return SUCCESS;
314 }
315 }
316 *message_rule = NULL;
317 return NOT_FOUND;
318 }
319
320 /**
321 * Implementation of private_message_t.get_supported_payload_entry.
322 */
323 static status_t get_supported_payload_entry (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry)
324 {
325 int i;
326
327 for (i = 0; i < message_rule->supported_payloads_count;i++)
328 {
329 if (message_rule->supported_payloads[i].payload_type == payload_type)
330 {
331 *payload_entry = &(message_rule->supported_payloads[i]);
332 return SUCCESS;
333 }
334 }
335
336 *payload_entry = NULL;
337 return NOT_FOUND;
338 }
339
340 /**
341 * Implementation of message_t.set_ike_sa_id.
342 */
343 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
344 {
345 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
346 }
347
348 /**
349 * Implementation of message_t.get_ike_sa_id.
350 */
351 static status_t get_ike_sa_id (private_message_t *this,ike_sa_id_t **ike_sa_id)
352 {
353 if (this->ike_sa_id == NULL)
354 {
355 return FAILED;
356 }
357 *ike_sa_id = this->ike_sa_id->clone(this->ike_sa_id);
358 return SUCCESS;
359 }
360
361 /**
362 * Implementation of message_t.set_message_id.
363 */
364 static void set_message_id (private_message_t *this,u_int32_t message_id)
365 {
366 this->message_id = message_id;
367 }
368
369 /**
370 * Implementation of message_t.get_message_id.
371 */
372 static u_int32_t get_message_id (private_message_t *this)
373 {
374 return this->message_id;
375 }
376
377 /**
378 * Implementation of message_t.get_responder_spi.
379 */
380 static u_int64_t get_responder_spi (private_message_t *this)
381 {
382 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
383 }
384
385 /**
386 * Implementation of message_t.set_major_version.
387 */
388 static void set_major_version (private_message_t *this,u_int8_t major_version)
389 {
390 this->major_version = major_version;
391 }
392
393
394 /**
395 * Implementation of message_t.set_major_version.
396 */
397 static u_int8_t get_major_version (private_message_t *this)
398 {
399 return this->major_version;
400 }
401
402 /**
403 * Implementation of message_t.set_minor_version.
404 */
405 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
406 {
407 this->minor_version = minor_version;
408 }
409
410 /**
411 * Implementation of message_t.get_minor_version.
412 */
413 static u_int8_t get_minor_version (private_message_t *this)
414 {
415 return this->minor_version;
416 }
417
418 /**
419 * Implementation of message_t.set_exchange_type.
420 */
421 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
422 {
423 this->exchange_type = exchange_type;
424 }
425
426 /**
427 * Implementation of message_t.get_exchange_type.
428 */
429 static exchange_type_t get_exchange_type (private_message_t *this)
430 {
431 return this->exchange_type;
432 }
433
434 /**
435 * Implementation of message_t.set_request.
436 */
437 static void set_request (private_message_t *this,bool request)
438 {
439 this->is_request = request;
440 }
441
442 /**
443 * Implementation of message_t.get_request.
444 */
445 static exchange_type_t get_request (private_message_t *this)
446 {
447 return this->is_request;
448 }
449
450 /**
451 * Implementation of message_t.add_payload.
452 */
453 static void add_payload(private_message_t *this, payload_t *payload)
454 {
455 payload_t *last_payload;
456 if (this->payloads->get_count(this->payloads) > 0)
457 {
458 this->payloads->get_last(this->payloads,(void **) &last_payload);
459 last_payload->set_next_type(last_payload, payload->get_type(payload));
460 }
461 else
462 {
463 this->first_payload = payload->get_type(payload);
464 }
465 payload->set_next_type(payload, NO_PAYLOAD);
466 this->payloads->insert_last(this->payloads, (void*)payload);
467
468 this->logger->log(this->logger, CONTROL|MORE, "Added payload of type %s to message",
469 mapping_find(payload_type_m, payload->get_type(payload)));
470 }
471
472 /**
473 * Implementation of message_t.set_source.
474 */
475 static void set_source(private_message_t *this, host_t *host)
476 {
477 if (this->packet->source != NULL)
478 {
479 this->packet->source->destroy(this->packet->source);
480 }
481 this->packet->source = host;
482 }
483
484 /**
485 * Implementation of message_t.set_destination.
486 */
487 static void set_destination(private_message_t *this, host_t *host)
488 {
489 if (this->packet->destination != NULL)
490 {
491 this->packet->destination->destroy(this->packet->destination);
492 }
493 this->packet->destination = host;
494 }
495
496 /**
497 * Implementation of message_t.get_source.
498 */
499 static host_t* get_source(private_message_t *this)
500 {
501 return this->packet->source;
502 }
503
504 /**
505 * Implementation of message_t.get_destination.
506 */
507 static host_t * get_destination(private_message_t *this)
508 {
509 return this->packet->destination;
510 }
511
512 /**
513 * Implementation of message_t.get_destination.
514 */
515 static iterator_t *get_payload_iterator(private_message_t *this)
516 {
517 return this->payloads->create_iterator(this->payloads, TRUE);
518 }
519
520
521 /**
522 * Implementation of message_t.generate.
523 */
524 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
525 {
526 generator_t *generator;
527 ike_header_t *ike_header;
528 payload_t *payload, *next_payload;
529 iterator_t *iterator;
530 message_rule_t *message_rule;
531 status_t status;
532
533 this->logger->log(this->logger, CONTROL, "Generating message of type %s, contains %d payloads",
534 mapping_find(exchange_type_m,this->exchange_type),
535 this->payloads->get_count(this->payloads));
536
537 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
538 {
539 this->logger->log(this->logger, ERROR | MORE, "Exchange type %s is not defined",mapping_find(exchange_type_m,this->exchange_type));
540 return INVALID_STATE;
541 }
542
543 status = this->get_message_rule(this, &message_rule);
544 if (status != SUCCESS)
545 {
546 this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
547 mapping_find(exchange_type_m,this->exchange_type));
548 return status;
549 }
550
551 if (this->packet->source == NULL ||
552 this->packet->destination == NULL)
553 {
554 this->logger->log(this->logger, ERROR | MORE, "Source/destination not defined");
555 return INVALID_STATE;
556 }
557
558 /* going to encrypt all content which have to be encrypted */
559 status = this->encrypt_payloads(this,crypter,signer);
560 if (status != SUCCESS)
561 {
562 this->logger->log(this->logger, ERROR | MORE, "Could not encrypt payloads");
563 return status;
564 }
565
566 /* build ike header */
567 ike_header = ike_header_create();
568
569 ike_header->set_exchange_type(ike_header, this->exchange_type);
570 ike_header->set_message_id(ike_header, this->message_id);
571 ike_header->set_response_flag(ike_header, !this->is_request);
572 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
573 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
574 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
575
576 generator = generator_create();
577
578 payload = (payload_t*)ike_header;
579
580 iterator = this->payloads->create_iterator(this->payloads, TRUE);
581
582 /* generate every payload expect last one*/
583 while(iterator->has_next(iterator))
584 {
585 iterator->current(iterator, (void**)&next_payload);
586 payload->set_next_type(payload, next_payload->get_type(next_payload));
587 generator->generate_payload(generator, payload);
588 payload = next_payload;
589 }
590 iterator->destroy(iterator);
591
592 /* last payload has no next payload*/
593 payload->set_next_type(payload, NO_PAYLOAD);
594
595 generator->generate_payload(generator, payload);
596
597 ike_header->destroy(ike_header);
598
599 /* build packet */
600 if (this->packet->data.ptr != NULL)
601 {
602 this->logger->log(this->logger, CONTROL | MOST, "Replace last generated packet data");
603 allocator_free(this->packet->data.ptr);
604 }
605 generator->write_to_chunk(generator, &(this->packet->data));
606 generator->destroy(generator);
607
608 /* if last payload is of type encrypted, integrity checksum if necessary */
609 if (payload->get_type(payload) == ENCRYPTED)
610 {
611 this->logger->log(this->logger, CONTROL | MORE, "Build signature on whole message");
612 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
613 status = encryption_payload->build_signature(encryption_payload, this->packet->data);
614 if (status != SUCCESS)
615 {
616 return status;
617 }
618 }
619
620 /* clone packet for caller */
621 *packet = this->packet->clone(this->packet);
622
623 this->logger->log(this->logger, CONTROL, "Message of type %s generated successfully",mapping_find(exchange_type_m,this->exchange_type));
624 return SUCCESS;
625 }
626
627 /**
628 * Implementation of message_t.parse_header.
629 */
630 static status_t parse_header(private_message_t *this)
631 {
632 ike_header_t *ike_header;
633 status_t status;
634
635
636 this->logger->log(this->logger, CONTROL, "parsing Header of message");
637
638 this->parser->reset_context(this->parser);
639 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
640 if (status != SUCCESS)
641 {
642 this->logger->log(this->logger, ERROR | MORE, "Header could not be parsed");
643 return status;
644
645 }
646
647 /* verify payload */
648 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
649 if (status != SUCCESS)
650 {
651 this->logger->log(this->logger, ERROR | MORE, "Header verification failed");
652 ike_header->destroy(ike_header);
653 return status;
654 }
655
656 if (this->ike_sa_id != NULL)
657 {
658 this->ike_sa_id->destroy(this->ike_sa_id);
659 }
660
661 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
662 ike_header->get_responder_spi(ike_header),
663 ike_header->get_initiator_flag(ike_header));
664
665 this->exchange_type = ike_header->get_exchange_type(ike_header);
666 this->message_id = ike_header->get_message_id(ike_header);
667 this->is_request = (!(ike_header->get_response_flag(ike_header)));
668 this->major_version = ike_header->get_maj_version(ike_header);
669 this->minor_version = ike_header->get_min_version(ike_header);
670 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
671
672
673 this->logger->log(this->logger, CONTROL, "Parsing and verification of header successfully");
674
675 ike_header->destroy(ike_header);
676 return SUCCESS;
677 }
678
679 /**
680 * Implementation of message_t.parse_body.
681 */
682 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
683 {
684 status_t status = SUCCESS;
685 payload_type_t current_payload_type = this->first_payload;
686
687 this->logger->log(this->logger, CONTROL, "Parsing body of message, first payload %s",
688 mapping_find(payload_type_m, current_payload_type));
689
690 while ((current_payload_type != NO_PAYLOAD))
691 {
692 payload_t *current_payload;
693
694 this->logger->log(this->logger, CONTROL|MORE, "Start parsing payload of type %s",
695 mapping_find(payload_type_m, current_payload_type));
696
697 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
698 if (status != SUCCESS)
699 {
700 this->logger->log(this->logger, ERROR, "Payload type %s could not be parsed",mapping_find(payload_type_m,current_payload_type));
701 return status;
702 }
703
704 this->logger->log(this->logger, CONTROL|MOST, "Verify payload of type %s",
705 mapping_find(payload_type_m, current_payload_type));
706
707 status = current_payload->verify(current_payload);
708 if (status != SUCCESS)
709 {
710 this->logger->log(this->logger, ERROR, "Payload type %s could not be verified",mapping_find(payload_type_m,current_payload_type));
711 current_payload->destroy(current_payload);
712 status = VERIFY_ERROR;
713 return status;
714 }
715
716 this->logger->log(this->logger, CONTROL|MOST, "Payload verified. Adding to payload list",
717 mapping_find(payload_type_m, current_payload_type));
718 this->payloads->insert_last(this->payloads,current_payload);
719
720 /* stop if an encryption payload found */
721 if (current_payload_type == ENCRYPTED)
722 {
723 this->logger->log(this->logger, CONTROL|MOST, "Payload of type encrypted found. Stop parsing.",
724 mapping_find(payload_type_m, current_payload_type));
725 break;
726 }
727
728 /* get next payload type */
729 current_payload_type = current_payload->get_next_type(current_payload);
730 }
731
732 status = this->decrypt_and_verify_payloads(this,crypter,signer);
733 if (status != SUCCESS)
734 {
735 this->logger->log(this->logger, ERROR, "Could not decrypt and verify payloads");
736 return status;
737 }
738
739 return SUCCESS;
740
741 }
742
743 /**
744 * Implementation of message_t.verify.
745 */
746 static status_t verify(private_message_t *this)
747 {
748 int i;
749 status_t status;
750 iterator_t *iterator;
751 message_rule_t *message_rule;
752
753 this->logger->log(this->logger, CONTROL|MORE, "Verifying message structure");
754
755 status = this->get_message_rule(this, &message_rule);
756 if (status != SUCCESS)
757 {
758 this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
759 mapping_find(exchange_type_m,this->exchange_type));
760 return status;
761 }
762
763 iterator = this->payloads->create_iterator(this->payloads,TRUE);
764 /* check for payloads with wrong count*/
765 for (i = 0; i < message_rule->supported_payloads_count;i++)
766 {
767 size_t found_payloads = 0;
768
769 /* check all payloads for specific rule */
770 iterator->reset(iterator);
771 while(iterator->has_next(iterator))
772 {
773 payload_t *current_payload;
774 iterator->current(iterator,(void **)&current_payload);
775
776 if (current_payload->get_type(current_payload) == message_rule->supported_payloads[i].payload_type)
777 {
778 found_payloads++;
779 this->logger->log(this->logger, CONTROL | MOST, "Found payload of type %s",
780 mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type));
781
782 /* as soon as ohe payload occures more then specified, the verification fails */
783 if (found_payloads > message_rule->supported_payloads[i].max_occurence)
784 {
785 this->logger->log(this->logger, ERROR, "Payload of type %s more than %d times (%d) occured in current message",
786 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
787 message_rule->supported_payloads[i].max_occurence,found_payloads);
788 iterator->destroy(iterator);
789 return NOT_SUPPORTED;
790 }
791 }
792 }
793 if (found_payloads < message_rule->supported_payloads[i].min_occurence)
794 {
795 this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times (%d)",
796 mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type),
797 message_rule->supported_payloads[i].min_occurence,found_payloads);
798 iterator->destroy(iterator);
799 return NOT_SUPPORTED;
800 }
801 }
802 iterator->destroy(iterator);
803
804 return SUCCESS;
805 }
806
807
808 /**
809 * Implementation of private_message_t.decrypt_and_verify_payloads.
810 */
811 static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
812 {
813 bool current_payload_was_encrypted = FALSE;
814 payload_t *last_payload = NULL;
815 message_rule_t *message_rule;
816 int payload_number = 1;
817 iterator_t *iterator;
818 status_t status;
819
820 status = this->get_message_rule(this, &message_rule);
821 if (status != SUCCESS)
822 {
823 this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
824 mapping_find(exchange_type_m,this->exchange_type));
825 return status;
826 }
827
828 iterator = this->payloads->create_iterator(this->payloads,TRUE);
829
830 /* process each payload and decrypt a encryption payload */
831 while(iterator->has_next(iterator))
832 {
833 supported_payload_entry_t *supported_payload_entry;
834 payload_type_t current_payload_type;
835 payload_t *current_payload;
836
837 /* get current payload */
838 iterator->current(iterator,(void **)&current_payload);
839
840 /* needed to check */
841 current_payload_type = current_payload->get_type(current_payload);
842
843 this->logger->log(this->logger, CONTROL | MOST, "Process payload of type %s",mapping_find(payload_type_m,current_payload_type));
844
845 if (current_payload_type == ENCRYPTED)
846 {
847 encryption_payload_t *encryption_payload;
848 payload_t *current_encrypted_payload;
849
850
851 this->logger->log(this->logger, CONTROL | MORE, "Found an encryption payload");
852
853 if (!message_rule->encrypted_content)
854 {
855 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload not allowed for this message type");
856 iterator->destroy(iterator);
857 /* encrypted payload is not last one */
858 return FAILED;
859 }
860
861 if (payload_number != this->payloads->get_count(this->payloads))
862 {
863 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last payload");
864 iterator->destroy(iterator);
865 /* encrypted payload is not last one */
866 return FAILED;
867 }
868
869 iterator->current(iterator,(void **)&encryption_payload);
870
871 /* encrypt payload */
872 encryption_payload->set_transforms(encryption_payload, crypter, signer);
873 this->logger->log(this->logger, CONTROL | MORE, "Verify signature of encryption payload");
874 status = encryption_payload->verify_signature(encryption_payload, this->packet->data);
875 if (status != SUCCESS)
876 {
877 this->logger->log(this->logger, ERROR | MORE, "encryption payload signature invalid");
878 iterator->destroy(iterator);
879 return status;
880 }
881 this->logger->log(this->logger, CONTROL | MORE, "Decrypt content of encryption payload");
882 status = encryption_payload->decrypt(encryption_payload);
883 if (status != SUCCESS)
884 {
885 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload could not be decrypted and parsed");
886 iterator->destroy(iterator);
887 return status;
888 }
889
890 /* needed to later find out if a payload has to be encrypted or not */
891 current_payload_was_encrypted = TRUE;
892
893 if (encryption_payload->get_payload_count(encryption_payload) == 0)
894 {
895 this->logger->log(this->logger, CONTROL | MORE, "Encrypted payload is empty");
896 iterator->remove(iterator);
897 encryption_payload->destroy(encryption_payload);
898 /* encrypted payload contains no other payload */
899 current_payload_type = NO_PAYLOAD;
900 if (last_payload == NULL)
901 {
902 /* encrypted content was the only payload in IKEv2-Message
903 * Set the first payload to the first payload of encrypted ones */
904 this->first_payload = current_payload_type;
905 }
906 else
907 {
908 /* another payload was here before the encrypted content
909 * Set the next payload of proceeding payload
910 * to the first payload of encrypted ones */
911 last_payload->set_next_type(last_payload,current_payload_type);
912 }
913 break;
914
915 }
916
917 this->logger->log(this->logger, CONTROL | MORE, "Encrypted payload is not empty");
918
919 /* encryption_payload is replaced with first encrypted payload*/
920 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
921
922 this->logger->log(this->logger, CONTROL | MORE, "Replace encrypted payload with payload of type %s.",
923 mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
924 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
925 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
926 if (last_payload == NULL)
927 {
928 /* encrypted content was the only payload in IKEv2-Message
929 * Set the first payload to the first payload of encrypted ones */
930 this->first_payload = current_payload_type;
931 }
932 else
933 {
934 /* another payload was here before the encrypted content
935 * Set the next payload of proceeding payload
936 * to the first payload of encrypted ones */
937 last_payload->set_next_type(last_payload,current_payload_type);
938 }
939
940 /* all encrypted payloads are added to the payload list */
941 while (encryption_payload->get_payload_count(encryption_payload) > 0)
942 {
943 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
944 this->logger->log(this->logger, CONTROL | MORE, "Insert unencrypted payload of type %s at end of list.",mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
945 this->payloads->insert_last(this->payloads,current_encrypted_payload);
946 }
947
948 /* encryption payload is not needed anymore cause all payloads are
949 * moved to internal payload list */
950 encryption_payload->destroy(encryption_payload);
951
952
953 }
954
955 status = this->get_supported_payload_entry(this,message_rule,current_payload_type,&supported_payload_entry);
956 if (status != SUCCESS)
957 {
958 /* payload type not supported */
959 this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
960 iterator->destroy(iterator);
961 return status;
962 }
963
964 if (supported_payload_entry->encrypted != current_payload_was_encrypted)
965 {
966 /* payload type not supported */
967 this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!",
968 mapping_find(payload_type_m,current_payload_type),
969 (supported_payload_entry->encrypted) ? "encrypted": "not encrypted");
970 iterator->destroy(iterator);
971 return status;
972 }
973 payload_number++;
974 /* is stored to set next payload in case of found encryption payload */
975 last_payload = current_payload;
976 }
977 iterator->destroy(iterator);
978 return this->public.verify(&(this->public));
979 }
980
981 /**
982 * Implementation of private_message_t.encrypt_payloads.
983 */
984 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
985 {
986 encryption_payload_t *encryption_payload = NULL;
987 message_rule_t *message_rule;
988 status_t status;
989 linked_list_t *all_payloads;
990
991 status = this->get_message_rule(this, &message_rule);
992 if (status != SUCCESS)
993 {
994 this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
995 mapping_find(exchange_type_m,this->exchange_type));
996 return status;
997 }
998
999 if (!message_rule->encrypted_content)
1000 {
1001 this->logger->log(this->logger, CONTROL | MORE, "Message doesn't have to be encrypted");
1002 /* message contains no content to encrypt */
1003 return SUCCESS;
1004 }
1005
1006 this->logger->log(this->logger, CONTROL | MOST, "Copy all payloads to a temporary list");
1007 all_payloads = linked_list_create();
1008
1009 /* first copy all payloads in a temporary list */
1010 while (this->payloads->get_count(this->payloads) > 0)
1011 {
1012 void *current_payload;
1013 this->payloads->remove_first(this->payloads,&current_payload);
1014 all_payloads->insert_last(all_payloads,current_payload);
1015 }
1016
1017 this->logger->log(this->logger, CONTROL | MOST, "Check each payloads if they have to get encrypted");
1018 while (all_payloads->get_count(all_payloads) > 0)
1019 {
1020 supported_payload_entry_t *supported_payload_entry;
1021 payload_t *current_payload;
1022 bool to_encrypt = FALSE;
1023
1024 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1025 this->logger->log(this->logger, CONTROL | MOST, "Get rule for payload %s", mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1026
1027 status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&supported_payload_entry);
1028 /* for payload types which are not found in supported payload list, it is presumed
1029 * that they don't have to be encrypted */
1030 if ((status == SUCCESS) && (supported_payload_entry->encrypted))
1031 {
1032 this->logger->log(this->logger, CONTROL | MOST, "Payload %s has to get encrypted",
1033 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1034 to_encrypt = TRUE;
1035 }
1036 else if (status != SUCCESS)
1037 {
1038 this->logger->log(this->logger, CONTROL | MOST, "Payload %s not defined for exchange type %s. Handle it anyway",
1039 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
1040 mapping_find(exchange_type_m,this->exchange_type));
1041 }
1042
1043 if (to_encrypt)
1044 {
1045 if (encryption_payload == NULL)
1046 {
1047 encryption_payload = encryption_payload_create();
1048 }
1049 this->logger->log(this->logger, CONTROL | MOST, "Insert payload %s to encryption payload",
1050 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1051
1052 encryption_payload->add_payload(encryption_payload,current_payload);
1053 }
1054 else
1055 {
1056 this->logger->log(this->logger, CONTROL | MOST, "Insert payload %s as payload wich does not have to be encrypted",
1057 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1058 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1059 }
1060 }
1061
1062 status = SUCCESS;
1063 if (encryption_payload != NULL)
1064 {
1065 this->logger->log(this->logger, CONTROL | MOST, "Set transforms for encryption payload ");
1066 encryption_payload->set_transforms(encryption_payload,crypter,signer);
1067 this->logger->log(this->logger, CONTROL | MORE, "Encrypt all payloads of encrypted payload");
1068 status = encryption_payload->encrypt(encryption_payload);
1069 this->logger->log(this->logger, CONTROL | MOST, "Add encrypted payload to payload list");
1070 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1071 }
1072
1073 all_payloads->destroy(all_payloads);
1074
1075 return status;
1076 }
1077
1078
1079 /**
1080 * Implementation of message_t.destroy.
1081 */
1082 static void destroy (private_message_t *this)
1083 {
1084 iterator_t *iterator;
1085
1086 this->logger->log(this->logger, CONTROL | MOST, "Going to destroy message_t object");
1087
1088 this->packet->destroy(this->packet);
1089
1090 if (this->ike_sa_id != NULL)
1091 {
1092 this->ike_sa_id->destroy(this->ike_sa_id);
1093 }
1094
1095 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1096 while (iterator->has_next(iterator))
1097 {
1098 payload_t *payload;
1099 iterator->current(iterator, (void**)&payload);
1100 this->logger->log(this->logger, CONTROL|MOST, "Destroying payload of type %s",
1101 mapping_find(payload_type_m, payload->get_type(payload)));
1102 payload->destroy(payload);
1103 }
1104 iterator->destroy(iterator);
1105 this->payloads->destroy(this->payloads);
1106 this->parser->destroy(this->parser);
1107 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
1108
1109 allocator_free(this);
1110 }
1111
1112 /*
1113 * Described in Header-File
1114 */
1115 message_t *message_create_from_packet(packet_t *packet)
1116 {
1117 private_message_t *this = allocator_alloc_thing(private_message_t);
1118
1119 /* public functions */
1120 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1121 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1122 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1123 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1124 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1125 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1126 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1127 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1128 this->public.get_ike_sa_id = (status_t(*)(message_t*, ike_sa_id_t **))get_ike_sa_id;
1129 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1130 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1131 this->public.set_request = (void(*)(message_t*, bool))set_request;
1132 this->public.get_request = (bool(*)(message_t*))get_request;
1133 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1134 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1135 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1136 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1137 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1138 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1139 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1140 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1141 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1142 this->public.verify = (status_t (*) (message_t*)) verify;
1143 this->public.destroy = (void(*)(message_t*))destroy;
1144
1145 /* private values */
1146 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1147 this->is_request = TRUE;
1148 this->ike_sa_id = NULL;
1149 this->first_payload = NO_PAYLOAD;
1150 this->message_id = 0;
1151
1152 /* private functions */
1153 this->get_message_rule = get_message_rule;
1154 this->get_supported_payload_entry = get_supported_payload_entry;
1155 this->encrypt_payloads = encrypt_payloads;
1156 this->decrypt_and_verify_payloads = decrypt_and_verify_payloads;
1157
1158 /* private values */
1159 if (packet == NULL)
1160 {
1161 packet = packet_create();
1162 }
1163 this->packet = packet;
1164 this->payloads = linked_list_create();
1165
1166 /* parser is created from data of packet */
1167 this->parser = parser_create(this->packet->data);
1168
1169 this->logger = charon->logger_manager->create_logger(charon->logger_manager, MESSAGE, NULL);
1170
1171 return (&this->public);
1172 }
1173
1174 /*
1175 * Described in Header.
1176 */
1177 message_t *message_create()
1178 {
1179 return message_create_from_packet(NULL);
1180 }