- fixed message decryption
[strongswan.git] / Source / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24
25 #include "message.h"
26
27 #include <types.h>
28 #include <daemon.h>
29 #include <sa/ike_sa_id.h>
30 #include <encoding/generator.h>
31 #include <encoding/parser.h>
32 #include <utils/linked_list.h>
33 #include <utils/allocator.h>
34 #include <utils/logger_manager.h>
35 #include <encoding/payloads/encodings.h>
36 #include <encoding/payloads/payload.h>
37 #include <encoding/payloads/encryption_payload.h>
38
39
40 typedef struct supported_payload_entry_t supported_payload_entry_t;
41
42 /**
43 * Supported payload entry used in message_rule_t.
44 *
45 */
46 struct supported_payload_entry_t {
47 /**
48 * Payload type.
49 */
50 payload_type_t payload_type;
51
52 /**
53 * Minimal occurence of this payload.
54 */
55 size_t min_occurence;
56
57 /**
58 * Max occurence of this payload.
59 */
60 size_t max_occurence;
61
62 /**
63 * TRUE if payload has to get encrypted
64 */
65 bool encrypted;
66 };
67
68 typedef struct message_rule_t message_rule_t;
69
70 /**
71 * Message Rule used to find out which payloads
72 * are supported by each message type.
73 *
74 */
75 struct message_rule_t {
76 /**
77 * Type of message.
78 */
79 exchange_type_t exchange_type;
80
81 /**
82 * Is message a request or response.
83 */
84 bool is_request;
85
86 /**
87 * Message contains encrypted content.
88 */
89 bool encrypted_content;
90
91 /**
92 * Number of supported payloads.
93 */
94 size_t supported_payloads_count;
95
96 /**
97 * Pointer to first supported payload entry.
98 */
99 supported_payload_entry_t *supported_payloads;
100 };
101
102 /**
103 * Message rule for IKE_SA_INIT from initiator.
104 */
105 static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
106 {
107 {SECURITY_ASSOCIATION,1,1,FALSE},
108 {KEY_EXCHANGE,1,1,FALSE},
109 {NONCE,1,1,FALSE},
110 };
111
112 /**
113 * Message rule for IKE_SA_INIT from responder.
114 */
115 static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
116 {
117 {SECURITY_ASSOCIATION,1,1,FALSE},
118 {KEY_EXCHANGE,1,1,FALSE},
119 {NONCE,1,1,FALSE},
120 };
121
122 /**
123 * Message rule for IKE_AUTH from initiator.
124 */
125 static supported_payload_entry_t supported_ike_auth_i_payloads[] =
126 {
127 {ID_INITIATOR,1,1,TRUE},
128 /* {CERTIFICATE,0,1,TRUE},
129 {CERTIFICATE_REQUEST,0,1,TRUE},
130 {ID_RESPONDER,0,1,TRUE},*/
131 {AUTHENTICATION,1,1,TRUE},
132 /* {SECURITY_ASSOCIATION,1,1,TRUE},
133 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
134 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},*/
135 };
136
137 /**
138 * Message rule for IKE_AUTH from responder.
139 */
140 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
141 {
142 {CERTIFICATE,0,1,TRUE},
143 {ID_RESPONDER,0,1,TRUE},
144 /* {AUTHENTICATION,1,1,TRUE},
145 {SECURITY_ASSOCIATION,1,1,TRUE},
146 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
147 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},*/
148 };
149
150 /**
151 * Message rules, defines allowed payloads.
152 */
153 static message_rule_t message_rules[] = {
154 {IKE_SA_INIT,TRUE,FALSE,(sizeof(supported_ike_sa_init_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_i_payloads},
155 {IKE_SA_INIT,FALSE,FALSE,(sizeof(supported_ike_sa_init_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_r_payloads},
156 {IKE_AUTH,TRUE,TRUE,(sizeof(supported_ike_auth_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_i_payloads},
157 {IKE_AUTH,FALSE,TRUE,(sizeof(supported_ike_auth_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_r_payloads}
158 };
159
160 typedef struct payload_entry_t payload_entry_t;
161
162 /**
163 * Entry for a payload in the internal used linked list.
164 *
165 */
166 struct payload_entry_t {
167 /**
168 * Type of payload.
169 */
170 payload_type_t payload_type;
171 /**
172 * Data struct holding the data of given payload.
173 */
174 void *data_struct;
175 };
176
177
178 typedef struct private_message_t private_message_t;
179
180 /**
181 * Private data of an message_t object.
182 */
183 struct private_message_t {
184
185 /**
186 * Public part of a message_t object.
187 */
188 message_t public;
189
190 /**
191 * Minor version of message.
192 */
193 u_int8_t major_version;
194
195 /**
196 * Major version of message.
197 */
198 u_int8_t minor_version;
199
200 /**
201 * First Payload in message.
202 */
203 payload_type_t first_payload;
204
205 /**
206 * Assigned exchange type.
207 */
208 exchange_type_t exchange_type;
209
210
211 /**
212 * TRUE if message is request.
213 * FALSE if message is reply.
214 */
215 bool is_request;
216
217 /**
218 * Message ID of this message.
219 */
220 u_int32_t message_id;
221
222 /**
223 * ID of assigned IKE_SA.
224 */
225 ike_sa_id_t *ike_sa_id;
226
227 /**
228 * Assigned UDP packet.
229 *
230 * Stores incoming packet or last generated one.
231 */
232 packet_t *packet;
233
234 /**
235 * Linked List where payload data are stored in.
236 */
237 linked_list_t *payloads;
238
239 /**
240 * Assigned parser to parse Header and Body of this message.
241 */
242 parser_t *parser;
243
244 /**
245 * Assigned logger.
246 */
247 logger_t *logger;
248
249 /**
250 * Gets a list of supported payloads of this message type
251 *
252 * @param this calling object
253 * @param[out] message_rule pointer is set to the message_rule of current message type
254 *
255 * @return
256 * - SUCCESS
257 * - NOT_FOUND if no message rule
258 * for specific message type could be found
259 */
260 status_t (*get_message_rule) (private_message_t *this, message_rule_t **message_rule);
261
262 status_t (*get_supported_payload_entry) (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry);
263
264 /**
265 * Encrypts all payloads which has to get encrypted.
266 *
267 * @param this calling object
268 * @param crypter crypter_t object
269 * @param signer signer_t object
270 */
271 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
272
273 /**
274 * Decrypts all payloads which has to get decrypted.
275 *
276 * @param this calling object
277 * @param crypter crypter_t object
278 * @param signer signer_t object
279 */
280 status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
281 };
282
283 /**
284 * Implementation of private_message_t.get_supported_payloads.
285 */
286
287 static status_t get_message_rule (private_message_t *this, message_rule_t **message_rule)
288 {
289 int i;
290
291 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
292 {
293 if ((this->exchange_type == message_rules[i].exchange_type) &&
294 (this->is_request == message_rules[i].is_request))
295 {
296 /* found rule for given exchange_type*/
297 *message_rule = &(message_rules[i]);
298 return SUCCESS;
299 }
300 }
301 *message_rule = NULL;
302 return NOT_FOUND;
303 }
304
305 static status_t get_supported_payload_entry (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry)
306 {
307 int i;
308
309 for (i = 0; i < message_rule->supported_payloads_count;i++)
310 {
311 if (message_rule->supported_payloads[i].payload_type == payload_type)
312 {
313 *payload_entry = &(message_rule->supported_payloads[i]);
314 return SUCCESS;
315 }
316 }
317
318 *payload_entry = NULL;
319 return NOT_FOUND;
320 }
321
322 /**
323 * Implementation of message_t.set_ike_sa_id.
324 */
325 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
326 {
327 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
328 }
329
330 /**
331 * Implementation of message_t.get_ike_sa_id.
332 */
333 static status_t get_ike_sa_id (private_message_t *this,ike_sa_id_t **ike_sa_id)
334 {
335 if (this->ike_sa_id == NULL)
336 {
337 return FAILED;
338 }
339 *ike_sa_id = this->ike_sa_id->clone(this->ike_sa_id);
340 return SUCCESS;
341 }
342
343 /**
344 * Implementation of message_t.set_message_id.
345 */
346 static void set_message_id (private_message_t *this,u_int32_t message_id)
347 {
348 this->message_id = message_id;
349 }
350
351 /**
352 * Implementation of message_t.get_message_id.
353 */
354 static u_int32_t get_message_id (private_message_t *this)
355 {
356 return this->message_id;
357 }
358
359 /**
360 * Implementation of message_t.get_responder_spi.
361 */
362 static u_int64_t get_responder_spi (private_message_t *this)
363 {
364 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
365 }
366
367 /**
368 * Implementation of message_t.set_major_version.
369 */
370 static void set_major_version (private_message_t *this,u_int8_t major_version)
371 {
372 this->major_version = major_version;
373 }
374
375
376 /**
377 * Implementation of message_t.set_major_version.
378 */
379 static u_int8_t get_major_version (private_message_t *this)
380 {
381 return this->major_version;
382 }
383
384 /**
385 * Implementation of message_t.set_minor_version.
386 */
387 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
388 {
389 this->minor_version = minor_version;
390 }
391
392 /**
393 * Implementation of message_t.get_minor_version.
394 */
395 static u_int8_t get_minor_version (private_message_t *this)
396 {
397 return this->minor_version;
398 }
399
400 /**
401 * Implementation of message_t.set_exchange_type.
402 */
403 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
404 {
405 this->exchange_type = exchange_type;
406 }
407
408 /**
409 * Implementation of message_t.get_exchange_type.
410 */
411 static exchange_type_t get_exchange_type (private_message_t *this)
412 {
413 return this->exchange_type;
414 }
415
416 /**
417 * Implementation of message_t.set_request.
418 */
419 static void set_request (private_message_t *this,bool request)
420 {
421 this->is_request = request;
422 }
423
424 /**
425 * Implementation of message_t.get_request.
426 */
427 static exchange_type_t get_request (private_message_t *this)
428 {
429 return this->is_request;
430 }
431
432 /**
433 * Implementation of message_t.add_payload.
434 */
435 static void add_payload(private_message_t *this, payload_t *payload)
436 {
437 payload_t *last_payload;
438 if (this->payloads->get_count(this->payloads) > 0)
439 {
440 this->payloads->get_last(this->payloads,(void **) &last_payload);
441 last_payload->set_next_type(last_payload, payload->get_type(payload));
442 }
443 else
444 {
445 this->first_payload = payload->get_type(payload);
446 }
447 payload->set_next_type(payload, NO_PAYLOAD);
448 this->payloads->insert_last(this->payloads, (void*)payload);
449
450 this->logger->log(this->logger, CONTROL|MORE, "added payload of type %s to message",
451 mapping_find(payload_type_m, payload->get_type(payload)));
452
453
454 }
455
456 /**
457 * Implementation of message_t.set_source.
458 */
459 static void set_source(private_message_t *this, host_t *host)
460 {
461 if (this->packet->source != NULL)
462 {
463 this->packet->source->destroy(this->packet->source);
464 }
465 this->packet->source = host;
466 }
467
468 /**
469 * Implementation of message_t.set_destination.
470 */
471 static void set_destination(private_message_t *this, host_t *host)
472 {
473 if (this->packet->destination != NULL)
474 {
475 this->packet->destination->destroy(this->packet->destination);
476 }
477 this->packet->destination = host;
478 }
479
480 /**
481 * Implementation of message_t.get_source.
482 */
483 static void get_source(private_message_t *this, host_t **host)
484 {
485 *host = this->packet->source;
486 }
487
488 /**
489 * Implementation of message_t.get_destination.
490 */
491 static void get_destination(private_message_t *this, host_t **host)
492 {
493 *host = this->packet->destination;
494 }
495
496 /**
497 * Implementation of message_t.get_destination.
498 */
499 static iterator_t *get_payload_iterator(private_message_t *this)
500 {
501 return this->payloads->create_iterator(this->payloads, TRUE);
502 }
503
504
505 /**
506 * Implementation of message_t.generate.
507 */
508 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
509 {
510 generator_t *generator;
511 ike_header_t *ike_header;
512 payload_t *payload, *next_payload;
513 iterator_t *iterator;
514 status_t status;
515
516
517 this->logger->log(this->logger, CONTROL, "generating message, contains %d payloads",
518 this->payloads->get_count(this->payloads));
519
520 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
521 {
522 this->logger->log(this->logger, ERROR, "exchange type is not defined");
523 return INVALID_STATE;
524 }
525
526 if (this->packet->source == NULL ||
527 this->packet->destination == NULL)
528 {
529 this->logger->log(this->logger, ERROR, "source/destination not defined");
530 return INVALID_STATE;
531 }
532
533 status = this->encrypt_payloads(this,crypter,signer);
534 if (status != SUCCESS)
535 {
536 this->logger->log(this->logger, ERROR, "Could not encrypt payloads");
537 return status;
538 }
539
540 /* build ike header */
541 ike_header = ike_header_create();
542
543 ike_header->set_exchange_type(ike_header, this->exchange_type);
544 ike_header->set_message_id(ike_header, this->message_id);
545 ike_header->set_response_flag(ike_header, !this->is_request);
546 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
547 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
548 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
549
550
551 generator = generator_create();
552
553 payload = (payload_t*)ike_header;
554
555 iterator = this->payloads->create_iterator(this->payloads, TRUE);
556
557 /* generate every payload, except last one */
558 while(iterator->has_next(iterator))
559 {
560 iterator->current(iterator, (void**)&next_payload);
561 payload->set_next_type(payload, next_payload->get_type(next_payload));
562 generator->generate_payload(generator, payload);
563
564 payload = next_payload;
565 }
566 iterator->destroy(iterator);
567
568 /* build last payload */
569 payload->set_next_type(payload, NO_PAYLOAD);
570
571 generator->generate_payload(generator, payload);
572 ike_header->destroy(ike_header);
573
574 /* build packet */
575 if (this->packet->data.ptr != NULL)
576 {
577 allocator_free(this->packet->data.ptr);
578 }
579 generator->write_to_chunk(generator, &(this->packet->data));
580 generator->destroy(generator);
581
582 /* append integrity checksum if necessary */
583 if (payload->get_type(payload) == ENCRYPTED)
584 {
585 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
586 status = encryption_payload->build_signature(encryption_payload, this->packet->data);
587 if (status != SUCCESS)
588 {
589 return status;
590 }
591 }
592
593 /* clone packet for caller */
594 *packet = this->packet->clone(this->packet);
595
596 this->logger->log(this->logger, CONTROL, "message generated successfully");
597 return SUCCESS;
598 }
599
600 /**
601 * Implements message_t.parse_header.
602 */
603 static status_t parse_header(private_message_t *this)
604 {
605 ike_header_t *ike_header;
606 status_t status;
607
608
609 this->logger->log(this->logger, CONTROL, "parsing header of message");
610
611 this->parser->reset_context(this->parser);
612 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
613 if (status != SUCCESS)
614 {
615 this->logger->log(this->logger, ERROR, "Header could not be parsed");
616 return status;
617
618 }
619
620 /* verify payload */
621 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
622 if (status != SUCCESS)
623 {
624 this->logger->log(this->logger, ERROR, "Header verification failed");
625 ike_header->destroy(ike_header);
626 return status;
627 }
628
629 if (this->ike_sa_id != NULL)
630 {
631 this->ike_sa_id->destroy(this->ike_sa_id);
632 }
633
634 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
635 ike_header->get_responder_spi(ike_header),
636 ike_header->get_initiator_flag(ike_header));
637
638 this->exchange_type = ike_header->get_exchange_type(ike_header);
639 this->message_id = ike_header->get_message_id(ike_header);
640 this->is_request = (!(ike_header->get_response_flag(ike_header)));
641 this->major_version = ike_header->get_maj_version(ike_header);
642 this->minor_version = ike_header->get_min_version(ike_header);
643 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
644
645
646 this->logger->log(this->logger, CONTROL, "parsing header successfully");
647
648 ike_header->destroy(ike_header);
649 return SUCCESS;
650 }
651
652 /**
653 * Implements message_t.parse_body.
654 */
655 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
656 {
657 status_t status = SUCCESS;
658 payload_type_t current_payload_type = this->first_payload;
659
660 this->logger->log(this->logger, CONTROL, "parsing body of message, first payload %s",
661 mapping_find(payload_type_m, current_payload_type));
662
663 while ((current_payload_type != NO_PAYLOAD))
664 {
665 payload_t *current_payload;
666
667 this->logger->log(this->logger, CONTROL|MORE, "start parsing payload of type %s",
668 mapping_find(payload_type_m, current_payload_type));
669
670 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
671 if (status != SUCCESS)
672 {
673 this->logger->log(this->logger, ERROR, "payload type %s could not be parsed",mapping_find(payload_type_m,current_payload_type));
674 return status;
675 }
676
677 status = current_payload->verify(current_payload);
678 if (status != SUCCESS)
679 {
680 this->logger->log(this->logger, ERROR, "payload type %s could not be verified",mapping_find(payload_type_m,current_payload_type));
681 current_payload->destroy(current_payload);
682 status = VERIFY_ERROR;
683 return status;
684 }
685
686
687 this->payloads->insert_last(this->payloads,current_payload);
688
689 /* stop if an encryptino payload found */
690 if (current_payload_type == ENCRYPTED)
691 {
692 break;
693 }
694
695 /* get next payload type */
696 current_payload_type = current_payload->get_next_type(current_payload);
697 }
698
699 status = this->decrypt_payloads(this,crypter,signer);
700 if (status != SUCCESS)
701 {
702 this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
703 return status;
704 }
705
706 return SUCCESS;
707
708 }
709
710 /**
711 * implements message_t.verify
712 */
713 static status_t verify(private_message_t *this)
714 {
715 int i;
716 status_t status;
717 iterator_t *iterator;
718 message_rule_t *message_rule;
719
720 this->logger->log(this->logger, CONTROL|MORE, "verifying message");
721
722 status = this->get_message_rule(this, &message_rule);
723 if (status != SUCCESS)
724 {
725 this->logger->log(this->logger, ERROR, "Message rule could not be retrieved");
726 return status;
727 }
728
729 iterator = this->payloads->create_iterator(this->payloads,TRUE);
730 /* check for payloads with wrong count*/
731 for (i = 0; i < message_rule->supported_payloads_count;i++)
732 {
733 size_t min_occurence = message_rule->supported_payloads[i].min_occurence;
734 size_t max_occurence = message_rule->supported_payloads[i].max_occurence;
735 payload_type_t payload_type = message_rule->supported_payloads[i].payload_type;
736 size_t found_payloads = 0;
737
738 iterator->reset(iterator);
739
740 while(iterator->has_next(iterator))
741 {
742 payload_t *current_payload;
743 iterator->current(iterator,(void **)&current_payload);
744
745 if (current_payload->get_type(current_payload) == payload_type)
746 {
747 found_payloads++;
748 this->logger->log(this->logger, CONTROL | MOST, "Found payload of type %s",
749 mapping_find(payload_type_m,payload_type));
750
751 if (found_payloads > max_occurence)
752 {
753 this->logger->log(this->logger, ERROR, "Payload of type %s more than %d times (%d) occured in current message",
754 mapping_find(payload_type_m,current_payload->get_type(current_payload)),max_occurence,found_payloads);
755 iterator->destroy(iterator);
756 return NOT_SUPPORTED;
757 }
758 }
759 }
760 if (found_payloads < min_occurence)
761 {
762 this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times",
763 mapping_find(payload_type_m,payload_type),min_occurence);
764 iterator->destroy(iterator);
765 return NOT_SUPPORTED;
766 }
767 }
768 iterator->destroy(iterator);
769
770 return SUCCESS;
771 }
772
773
774 static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
775 {
776 bool current_payload_was_encrypted = FALSE;
777 status_t status;
778 message_rule_t *message_rule;
779 iterator_t *iterator;
780 int payload_number = 1;
781 payload_t *last_payload = NULL;
782
783 status = this->get_message_rule(this, &message_rule);
784 if (status != SUCCESS)
785 {
786 this->logger->log(this->logger, ERROR, "No message rule for current message type");
787 return status;
788 }
789
790 iterator = this->payloads->create_iterator(this->payloads,TRUE);
791
792 while(iterator->has_next(iterator))
793 {
794 payload_t *current_payload;
795 payload_type_t current_payload_type;
796 supported_payload_entry_t *payload_entry;
797
798 /* get current payload */
799 iterator->current(iterator,(void **)&current_payload);
800
801 current_payload_type = current_payload->get_type(current_payload);
802
803 this->logger->log(this->logger, CONTROL | MOST, "Process payload of type %s.",mapping_find(payload_type_m,current_payload_type));
804
805 if (current_payload_type == ENCRYPTED)
806 {
807 encryption_payload_t *encryption_payload;
808 payload_t *current_encrypted_payload;
809
810
811 this->logger->log(this->logger, CONTROL | MORE, "Found an encryption payload");
812
813 if (!message_rule->encrypted_content)
814 {
815 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload not allowed for this message type");
816 iterator->destroy(iterator);
817 /* encrypted payload is not last one */
818 return FAILED;
819 }
820
821 if (payload_number != this->payloads->get_count(this->payloads))
822 {
823 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last one");
824 iterator->destroy(iterator);
825 /* encrypted payload is not last one */
826 return FAILED;
827 }
828
829 iterator->current(iterator,(void **)&encryption_payload);
830
831 /* encrypt payload */
832 encryption_payload->set_transforms(encryption_payload, crypter, signer);
833 status = encryption_payload->verify_signature(encryption_payload, this->packet->data);
834 if (status != SUCCESS)
835 {
836 this->logger->log(this->logger, ERROR, "encryption payload signature invalid");
837 iterator->destroy(iterator);
838 return status;
839 }
840 status = encryption_payload->decrypt(encryption_payload);
841 if (status != SUCCESS)
842 {
843 this->logger->log(this->logger, ERROR, "parsing decrypted encryption payload failed");
844 iterator->destroy(iterator);
845 return status;
846 }
847
848 current_payload_was_encrypted = TRUE;
849
850 if (encryption_payload->get_payload_count(encryption_payload) == 0)
851 {
852 iterator->remove(iterator);
853 encryption_payload->destroy(encryption_payload);
854 current_payload_type = NO_PAYLOAD;
855 if (last_payload == NULL)
856 {
857 this->first_payload = current_payload_type;
858 }
859 else
860 {
861 last_payload->set_next_type(last_payload,current_payload_type);
862 }
863 break;
864 }
865
866 /* encryption_payload is replaced with first encrypted payload*/
867 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
868
869 this->logger->log(this->logger, CONTROL | MORE, "Replace encrypted payload with payload of type %s.",
870 mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
871 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
872 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
873 if (last_payload == NULL)
874 {
875 this->first_payload = current_payload_type;
876 }
877 else
878 {
879 last_payload->set_next_type(last_payload,current_payload_type);
880 }
881
882 /* all encrypted payloads are added to the payload list */
883 while (encryption_payload->get_payload_count(encryption_payload) > 0)
884 {
885 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
886 this->logger->log(this->logger, CONTROL | MORE, "Insert unencrypted payload of type %s at end of list.",mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
887 this->payloads->insert_last(this->payloads,current_encrypted_payload);
888 }
889
890
891 encryption_payload->destroy(encryption_payload);
892 }
893
894 status = this->get_supported_payload_entry(this,message_rule,current_payload_type,&payload_entry);
895
896 if (status != SUCCESS)
897 {
898 /* payload type not supported */
899 this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
900 iterator->destroy(iterator);
901 return status;
902 }
903
904 if (payload_entry->encrypted != current_payload_was_encrypted)
905 {
906 /* payload type not supported */
907 this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!",
908 mapping_find(payload_type_m,current_payload_type),
909 (payload_entry->encrypted) ? "encrypted": "not encrypted");
910 iterator->destroy(iterator);
911 return status;
912 }
913 payload_number++;
914 last_payload = current_payload;
915 }
916 iterator->destroy(iterator);
917
918 return this->public.verify(&(this->public));
919
920 }
921
922
923 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
924 {
925 status_t status;
926 message_rule_t *message_rule;
927 encryption_payload_t *encryption_payload = NULL;
928 linked_list_t *all_payloads;
929
930 status = this->get_message_rule(this, &message_rule);
931 if (status != SUCCESS)
932 {
933 this->logger->log(this->logger, ERROR | MORE, "No message rule for this message type");
934 return status;
935 }
936 if (!message_rule->encrypted_content)
937 {
938 this->logger->log(this->logger, CONTROL | MORE, "Message doesn't have to be encrypted");
939 /* message contains no content to encrypt */
940 return SUCCESS;
941 }
942
943 all_payloads = linked_list_create();
944
945 /* first copy all payloads in a temporary list */
946 while (this->payloads->get_count(this->payloads) > 0)
947 {
948 void *current_payload;
949 this->payloads->remove_first(this->payloads,&current_payload);
950 all_payloads->insert_last(all_payloads,current_payload);
951 }
952
953 while (all_payloads->get_count(all_payloads) > 0)
954 {
955 payload_t *current_payload;
956 bool to_encrypt = FALSE;
957 supported_payload_entry_t *supported_payload_entry;
958
959 all_payloads->remove_first(all_payloads,(void **)&current_payload);
960
961 status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&supported_payload_entry);
962 /* for payload types which are not found in supported payload list, it is presumed
963 * that they don't have to be encrypted */
964 if ((status == SUCCESS) && (supported_payload_entry->encrypted))
965 {
966 to_encrypt = TRUE;
967 }
968
969 if (to_encrypt)
970 {
971 if (encryption_payload == NULL)
972 {
973 encryption_payload = encryption_payload_create();
974 }
975 encryption_payload->add_payload(encryption_payload,current_payload);
976 }
977 else
978 {
979 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
980 }
981 }
982
983 status = SUCCESS;
984 if (encryption_payload != NULL)
985 {
986 encryption_payload->set_transforms(encryption_payload,crypter,signer);
987 status = encryption_payload->encrypt(encryption_payload);
988 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
989 }
990
991 all_payloads->destroy(all_payloads);
992
993 return status;
994 }
995
996 /**
997 * Implements message_t's destroy function.
998 * See #message_s.destroy.
999 */
1000 static void destroy (private_message_t *this)
1001 {
1002 iterator_t *iterator;
1003
1004 this->packet->destroy(this->packet);
1005
1006 if (this->ike_sa_id != NULL)
1007 {
1008 this->ike_sa_id->destroy(this->ike_sa_id);
1009 }
1010
1011 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1012 while (iterator->has_next(iterator))
1013 {
1014 payload_t *payload;
1015 iterator->current(iterator, (void**)&payload);
1016 this->logger->log(this->logger, CONTROL|MOST, "Destroying payload of type %s",
1017 mapping_find(payload_type_m, payload->get_type(payload)));
1018 payload->destroy(payload);
1019 }
1020 iterator->destroy(iterator);
1021 this->payloads->destroy(this->payloads);
1022 this->parser->destroy(this->parser);
1023 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
1024
1025 allocator_free(this);
1026 }
1027
1028 /*
1029 * Described in Header-File
1030 */
1031 message_t *message_create_from_packet(packet_t *packet)
1032 {
1033 private_message_t *this = allocator_alloc_thing(private_message_t);
1034
1035 /* public functions */
1036 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1037 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1038 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1039 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1040 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1041 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1042 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1043 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1044 this->public.get_ike_sa_id = (status_t(*)(message_t*, ike_sa_id_t **))get_ike_sa_id;
1045 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1046 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1047 this->public.set_request = (void(*)(message_t*, bool))set_request;
1048 this->public.get_request = (bool(*)(message_t*))get_request;
1049 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1050 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1051 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1052 this->public.get_source = (void (*) (message_t*,host_t**)) get_source;
1053 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1054 this->public.get_destination = (void (*) (message_t*,host_t**)) get_destination;
1055 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1056 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1057 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1058 this->public.verify = (status_t (*) (message_t*)) verify;
1059 this->public.destroy = (void(*)(message_t*))destroy;
1060
1061 /* private values */
1062 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1063 this->is_request = TRUE;
1064 this->ike_sa_id = NULL;
1065 this->first_payload = NO_PAYLOAD;
1066 this->message_id = 0;
1067
1068 /* private functions */
1069 this->get_message_rule = get_message_rule;
1070 this->get_supported_payload_entry = get_supported_payload_entry;
1071 this->encrypt_payloads = encrypt_payloads;
1072 this->decrypt_payloads = decrypt_payloads;
1073
1074 /* private values */
1075 if (packet == NULL)
1076 {
1077 packet = packet_create();
1078 }
1079 this->packet = packet;
1080 this->payloads = linked_list_create();
1081
1082 /* parser is created from data of packet */
1083 this->parser = parser_create(this->packet->data);
1084
1085 this->logger = charon->logger_manager->create_logger(charon->logger_manager, MESSAGE, NULL);
1086
1087 return (&this->public);
1088 }
1089
1090 /*
1091 * Described in Header-File
1092 */
1093 message_t *message_create()
1094 {
1095 return message_create_from_packet(NULL);
1096 }