- message encryption verification fully changed
[strongswan.git] / Source / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24
25 #include "message.h"
26
27 #include <types.h>
28 #include <daemon.h>
29 #include <sa/ike_sa_id.h>
30 #include <encoding/generator.h>
31 #include <encoding/parser.h>
32 #include <utils/linked_list.h>
33 #include <utils/allocator.h>
34 #include <utils/logger_manager.h>
35 #include <encoding/payloads/encodings.h>
36 #include <encoding/payloads/payload.h>
37 #include <encoding/payloads/encryption_payload.h>
38
39
40 typedef struct supported_payload_entry_t supported_payload_entry_t;
41
42 /**
43 * Supported payload entry used in message_rule_t.
44 *
45 */
46 struct supported_payload_entry_t {
47 /**
48 * Payload type.
49 */
50 payload_type_t payload_type;
51
52 /**
53 * Minimal occurence of this payload.
54 */
55 size_t min_occurence;
56
57 /**
58 * Max occurence of this payload.
59 */
60 size_t max_occurence;
61
62 /**
63 * TRUE if payload has to get encrypted
64 */
65 bool encrypted;
66 };
67
68 typedef struct message_rule_t message_rule_t;
69
70 /**
71 * Message Rule used to find out which payloads
72 * are supported by each message type.
73 *
74 */
75 struct message_rule_t {
76 /**
77 * Type of message.
78 */
79 exchange_type_t exchange_type;
80
81 /**
82 * Is message a request or response.
83 */
84 bool is_request;
85
86 /**
87 * Message contains encrypted content.
88 */
89 bool encrypted_content;
90
91 /**
92 * Number of supported payloads.
93 */
94 size_t supported_payloads_count;
95
96 /**
97 * Pointer to first supported payload entry.
98 */
99 supported_payload_entry_t *supported_payloads;
100 };
101
102 /**
103 * Message rule for IKE_SA_INIT from initiator.
104 */
105 static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
106 {
107 {SECURITY_ASSOCIATION,1,1,FALSE},
108 {KEY_EXCHANGE,1,1,FALSE},
109 {NONCE,1,1,FALSE},
110 };
111
112 /**
113 * Message rule for IKE_SA_INIT from responder.
114 */
115 static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
116 {
117 {SECURITY_ASSOCIATION,1,1,FALSE},
118 {KEY_EXCHANGE,1,1,FALSE},
119 {NONCE,1,1,FALSE},
120 };
121
122 /**
123 * Message rule for IKE_AUTH from initiator.
124 */
125 static supported_payload_entry_t supported_ike_auth_i_payloads[] =
126 {
127 {ID_INITIATOR,1,1,TRUE},
128 {CERTIFICATE,0,1,TRUE},
129 {CERTIFICATE_REQUEST,0,1,TRUE},
130 {ID_RESPONDER,0,1,TRUE},
131 {AUTHENTICATION,1,1,TRUE},
132 {SECURITY_ASSOCIATION,1,1,TRUE},
133 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
134 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},
135 };
136
137 /**
138 * Message rule for IKE_AUTH from responder.
139 */
140 static supported_payload_entry_t supported_ike_auth_r_payloads[] =
141 {
142 {CERTIFICATE,0,1,TRUE},
143 {ID_RESPONDER,0,1,TRUE},
144 {AUTHENTICATION,1,1,TRUE},
145 {SECURITY_ASSOCIATION,1,1,TRUE},
146 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
147 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},
148 };
149
150 /**
151 * Message rules, defines allowed payloads.
152 */
153 static message_rule_t message_rules[] = {
154 {IKE_SA_INIT,TRUE,FALSE,(sizeof(supported_ike_sa_init_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_i_payloads},
155 {IKE_SA_INIT,FALSE,FALSE,(sizeof(supported_ike_sa_init_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_r_payloads},
156 {IKE_AUTH,TRUE,FALSE,(sizeof(supported_ike_auth_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_i_payloads},
157 {IKE_AUTH,FALSE,FALSE,(sizeof(supported_ike_auth_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_r_payloads}
158 };
159
160 typedef struct payload_entry_t payload_entry_t;
161
162 /**
163 * Entry for a payload in the internal used linked list.
164 *
165 */
166 struct payload_entry_t {
167 /**
168 * Type of payload.
169 */
170 payload_type_t payload_type;
171 /**
172 * Data struct holding the data of given payload.
173 */
174 void *data_struct;
175 };
176
177
178 typedef struct private_message_t private_message_t;
179
180 /**
181 * Private data of an message_t object.
182 */
183 struct private_message_t {
184
185 /**
186 * Public part of a message_t object.
187 */
188 message_t public;
189
190 /**
191 * Minor version of message.
192 */
193 u_int8_t major_version;
194
195 /**
196 * Major version of message.
197 */
198 u_int8_t minor_version;
199
200 /**
201 * First Payload in message.
202 */
203 payload_type_t first_payload;
204
205 /**
206 * Assigned exchange type.
207 */
208 exchange_type_t exchange_type;
209
210
211 /**
212 * TRUE if message is request.
213 * FALSE if message is reply.
214 */
215 bool is_request;
216
217 /**
218 * Message ID of this message.
219 */
220 u_int32_t message_id;
221
222 /**
223 * ID of assigned IKE_SA.
224 */
225 ike_sa_id_t *ike_sa_id;
226
227 /**
228 * Assigned UDP packet.
229 *
230 * Stores incoming packet or last generated one.
231 */
232 packet_t *packet;
233
234 /**
235 * Linked List where payload data are stored in.
236 */
237 linked_list_t *payloads;
238
239 /**
240 * Assigned parser to parse Header and Body of this message.
241 */
242 parser_t *parser;
243
244 /**
245 * Assigned logger.
246 */
247 logger_t *logger;
248
249 /**
250 * Gets a list of supported payloads of this message type
251 *
252 * @param this calling object
253 * @param[out] message_rule pointer is set to the message_rule of current message type
254 *
255 * @return
256 * - SUCCESS
257 * - NOT_FOUND if no message rule
258 * for specific message type could be found
259 */
260 status_t (*get_message_rule) (private_message_t *this, message_rule_t **message_rule);
261
262 status_t (*get_supported_payload_entry) (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry);
263
264 /**
265 * Encrypts all payloads which has to get encrypted.
266 *
267 * @param this calling object
268 * @param crypter crypter_t object
269 * @param signer signer_t object
270 */
271 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
272
273 /**
274 * Decrypts all payloads which has to get decrypted.
275 *
276 * @param this calling object
277 * @param crypter crypter_t object
278 * @param signer signer_t object
279 */
280 status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
281 };
282
283 /**
284 * Implementation of private_message_t.get_supported_payloads.
285 */
286
287 static status_t get_message_rule (private_message_t *this, message_rule_t **message_rule)
288 {
289 int i;
290
291 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
292 {
293 if ((this->exchange_type == message_rules[i].exchange_type) &&
294 (this->is_request == message_rules[i].is_request))
295 {
296 /* found rule for given exchange_type*/
297 *message_rule = &(message_rules[i]);
298 return SUCCESS;
299 }
300 }
301 *message_rule = NULL;
302 return NOT_FOUND;
303 }
304
305 static status_t get_supported_payload_entry (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry)
306 {
307 int i;
308
309 for (i = 0; i < message_rule->supported_payloads_count;i++)
310 {
311 if (message_rule->supported_payloads[i].payload_type == payload_type)
312 {
313 *payload_entry = &(message_rule->supported_payloads[i]);
314 return SUCCESS;
315 }
316 }
317
318 *payload_entry = NULL;
319 return NOT_FOUND;
320 }
321
322 /**
323 * Implementation of message_t.set_ike_sa_id.
324 */
325 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
326 {
327 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
328 }
329
330 /**
331 * Implementation of message_t.get_ike_sa_id.
332 */
333 static status_t get_ike_sa_id (private_message_t *this,ike_sa_id_t **ike_sa_id)
334 {
335 if (this->ike_sa_id == NULL)
336 {
337 return FAILED;
338 }
339 *ike_sa_id = this->ike_sa_id->clone(this->ike_sa_id);
340 return SUCCESS;
341 }
342
343 /**
344 * Implementation of message_t.set_message_id.
345 */
346 static void set_message_id (private_message_t *this,u_int32_t message_id)
347 {
348 this->message_id = message_id;
349 }
350
351 /**
352 * Implementation of message_t.get_message_id.
353 */
354 static u_int32_t get_message_id (private_message_t *this)
355 {
356 return this->message_id;
357 }
358
359 /**
360 * Implementation of message_t.get_responder_spi.
361 */
362 static u_int64_t get_responder_spi (private_message_t *this)
363 {
364 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
365 }
366
367 /**
368 * Implementation of message_t.set_major_version.
369 */
370 static void set_major_version (private_message_t *this,u_int8_t major_version)
371 {
372 this->major_version = major_version;
373 }
374
375
376 /**
377 * Implementation of message_t.set_major_version.
378 */
379 static u_int8_t get_major_version (private_message_t *this)
380 {
381 return this->major_version;
382 }
383
384 /**
385 * Implementation of message_t.set_minor_version.
386 */
387 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
388 {
389 this->minor_version = minor_version;
390 }
391
392 /**
393 * Implementation of message_t.get_minor_version.
394 */
395 static u_int8_t get_minor_version (private_message_t *this)
396 {
397 return this->minor_version;
398 }
399
400 /**
401 * Implementation of message_t.set_exchange_type.
402 */
403 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
404 {
405 this->exchange_type = exchange_type;
406 }
407
408 /**
409 * Implementation of message_t.get_exchange_type.
410 */
411 static exchange_type_t get_exchange_type (private_message_t *this)
412 {
413 return this->exchange_type;
414 }
415
416 /**
417 * Implementation of message_t.set_request.
418 */
419 static void set_request (private_message_t *this,bool request)
420 {
421 this->is_request = request;
422 }
423
424 /**
425 * Implementation of message_t.get_request.
426 */
427 static exchange_type_t get_request (private_message_t *this)
428 {
429 return this->is_request;
430 }
431
432 /**
433 * Implementation of message_t.add_payload.
434 */
435 static void add_payload(private_message_t *this, payload_t *payload)
436 {
437 payload_t *last_payload;
438 if (this->payloads->get_count(this->payloads) > 0)
439 {
440 this->payloads->get_last(this->payloads,(void **) &last_payload);
441 }
442
443 this->payloads->insert_last(this->payloads, payload);
444
445 if (this->payloads->get_count(this->payloads) == 1)
446 {
447 this->first_payload = payload->get_type(payload);
448 }
449 else
450 {
451 last_payload->set_next_type(last_payload,payload->get_type(payload));
452 }
453
454 this->logger->log(this->logger, CONTROL|MORE, "added payload of type %s to message",
455 mapping_find(payload_type_m, payload->get_type(payload)));
456
457 }
458
459 /**
460 * Implementation of message_t.set_source.
461 */
462 static void set_source(private_message_t *this, host_t *host)
463 {
464 if (this->packet->source != NULL)
465 {
466 this->packet->source->destroy(this->packet->source);
467 }
468 this->packet->source = host;
469 }
470
471 /**
472 * Implementation of message_t.set_destination.
473 */
474 static void set_destination(private_message_t *this, host_t *host)
475 {
476 if (this->packet->destination != NULL)
477 {
478 this->packet->destination->destroy(this->packet->destination);
479 }
480 this->packet->destination = host;
481 }
482
483 /**
484 * Implementation of message_t.get_source.
485 */
486 static void get_source(private_message_t *this, host_t **host)
487 {
488 *host = this->packet->source;
489 }
490
491 /**
492 * Implementation of message_t.get_destination.
493 */
494 static void get_destination(private_message_t *this, host_t **host)
495 {
496 *host = this->packet->destination;
497 }
498
499 /**
500 * Implementation of message_t.get_destination.
501 */
502 static iterator_t *get_payload_iterator(private_message_t *this)
503 {
504 return this->payloads->create_iterator(this->payloads, TRUE);
505 }
506
507
508 /**
509 * Implementation of message_t.generate.
510 */
511 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
512 {
513 generator_t *generator;
514 ike_header_t *ike_header;
515 payload_t *payload, *next_payload;
516 iterator_t *iterator;
517 status_t status;
518
519
520 this->logger->log(this->logger, CONTROL, "generating message, contains %d payloads",
521 this->payloads->get_count(this->payloads));
522
523 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
524 {
525 this->logger->log(this->logger, ERROR, "exchange type is not defined");
526 return INVALID_STATE;
527 }
528
529 if (this->packet->source == NULL ||
530 this->packet->destination == NULL)
531 {
532 this->logger->log(this->logger, ERROR, "source/destination not defined");
533 return INVALID_STATE;
534 }
535
536 status = this->encrypt_payloads(this,crypter,signer);
537 if (status != SUCCESS)
538 {
539 this->logger->log(this->logger, ERROR, "Could not encrypt payloads");
540 return status;
541 }
542
543 /* build ike header */
544 ike_header = ike_header_create();
545
546 ike_header->set_exchange_type(ike_header, this->exchange_type);
547 ike_header->set_message_id(ike_header, this->message_id);
548 ike_header->set_response_flag(ike_header, !this->is_request);
549 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
550 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
551 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
552
553
554 generator = generator_create();
555
556 payload = (payload_t*)ike_header;
557
558 iterator = this->payloads->create_iterator(this->payloads, TRUE);
559
560 /* generate every payload, except last one */
561 while(iterator->has_next(iterator))
562 {
563 iterator->current(iterator, (void**)&next_payload);
564 payload->set_next_type(payload, next_payload->get_type(next_payload));
565 generator->generate_payload(generator, payload);
566
567 payload = next_payload;
568 }
569 iterator->destroy(iterator);
570
571 /* build last payload */
572 payload->set_next_type(payload, NO_PAYLOAD);
573
574 generator->generate_payload(generator, payload);
575 ike_header->destroy(ike_header);
576
577 /* build packet */
578 if (this->packet->data.ptr != NULL)
579 {
580 allocator_free(this->packet->data.ptr);
581 }
582 generator->write_to_chunk(generator, &(this->packet->data));
583 generator->destroy(generator);
584
585 /* append integrity checksum if necessary */
586 if (payload->get_type(payload) == ENCRYPTED)
587 {
588 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
589 status = encryption_payload->build_signature(encryption_payload, this->packet->data);
590 if (status != SUCCESS)
591 {
592 return status;
593 }
594 }
595
596 /* clone packet for caller */
597 *packet = this->packet->clone(this->packet);
598
599 this->logger->log(this->logger, CONTROL, "message generated successfully");
600 return SUCCESS;
601 }
602
603 /**
604 * Implements message_t.parse_header.
605 */
606 static status_t parse_header(private_message_t *this)
607 {
608 ike_header_t *ike_header;
609 status_t status;
610
611
612 this->logger->log(this->logger, CONTROL, "parsing header of message");
613
614 this->parser->reset_context(this->parser);
615 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
616 if (status != SUCCESS)
617 {
618 this->logger->log(this->logger, ERROR, "Header could not be parsed");
619 return status;
620
621 }
622
623 /* verify payload */
624 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
625 if (status != SUCCESS)
626 {
627 this->logger->log(this->logger, ERROR, "Header verification failed");
628 ike_header->destroy(ike_header);
629 return status;
630 }
631
632 if (this->ike_sa_id != NULL)
633 {
634 this->ike_sa_id->destroy(this->ike_sa_id);
635 }
636
637 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
638 ike_header->get_responder_spi(ike_header),
639 ike_header->get_initiator_flag(ike_header));
640
641 this->exchange_type = ike_header->get_exchange_type(ike_header);
642 this->message_id = ike_header->get_message_id(ike_header);
643 this->is_request = (!(ike_header->get_response_flag(ike_header)));
644 this->major_version = ike_header->get_maj_version(ike_header);
645 this->minor_version = ike_header->get_min_version(ike_header);
646 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
647
648
649 this->logger->log(this->logger, CONTROL, "parsing header successfully");
650
651 ike_header->destroy(ike_header);
652 return SUCCESS;
653 }
654
655 /**
656 * Implements message_t.parse_body.
657 */
658 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
659 {
660 status_t status = SUCCESS;
661 payload_type_t current_payload_type = this->first_payload;
662
663 this->logger->log(this->logger, CONTROL, "parsing body of message");
664
665 while ((current_payload_type != NO_PAYLOAD))
666 {
667 payload_t *current_payload;
668
669 this->logger->log(this->logger, CONTROL|MORE, "start parsing payload of type %s",
670 mapping_find(payload_type_m, current_payload_type));
671
672 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
673 if (status != SUCCESS)
674 {
675 this->logger->log(this->logger, ERROR, "payload type %s could not be parsed",mapping_find(payload_type_m,current_payload_type));
676 return status;
677 }
678
679 status = current_payload->verify(current_payload);
680 if (status != SUCCESS)
681 {
682 this->logger->log(this->logger, ERROR, "payload type %s could not be verified",mapping_find(payload_type_m,current_payload_type));
683 current_payload->destroy(current_payload);
684 status = VERIFY_ERROR;
685 return status;
686 }
687
688 /* get next payload type */
689 current_payload_type = current_payload->get_next_type(current_payload);
690
691 this->payloads->insert_last(this->payloads,current_payload);
692 }
693
694 status = this->decrypt_payloads(this,crypter,signer);
695 if (status != SUCCESS)
696 {
697 this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
698 return status;
699 }
700
701 return SUCCESS;
702
703 }
704
705 /**
706 * implements message_t.verify
707 */
708 static status_t verify(private_message_t *this)
709 {
710 int i;
711 status_t status;
712 iterator_t *iterator;
713 message_rule_t *message_rule;
714
715 this->logger->log(this->logger, CONTROL|MORE, "verifying message");
716
717 status = this->get_message_rule(this, &message_rule);
718 if (status != SUCCESS)
719 {
720 this->logger->log(this->logger, ERROR, "Message rule could not be retrieved");
721 return status;
722 }
723
724 iterator = this->payloads->create_iterator(this->payloads,TRUE);
725 /* check for payloads with wrong count*/
726 for (i = 0; i < message_rule->supported_payloads_count;i++)
727 {
728 size_t min_occurence = message_rule->supported_payloads[i].min_occurence;
729 size_t max_occurence = message_rule->supported_payloads[i].max_occurence;
730 payload_type_t payload_type = message_rule->supported_payloads[i].payload_type;
731 size_t found_payloads = 0;
732
733 iterator->reset(iterator);
734
735 while(iterator->has_next(iterator))
736 {
737 payload_t *current_payload;
738 iterator->current(iterator,(void **)&current_payload);
739
740 if (current_payload->get_type(current_payload) == payload_type)
741 {
742 found_payloads++;
743 if (found_payloads > max_occurence)
744 {
745 this->logger->log(this->logger, ERROR, "Payload of type %s more than %d times (%d) occured in current message",
746 mapping_find(payload_type_m,current_payload->get_type(current_payload)),max_occurence,found_payloads);
747 iterator->destroy(iterator);
748 return NOT_SUPPORTED;
749 }
750 }
751 }
752 if (found_payloads < min_occurence)
753 {
754 this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times",
755 mapping_find(payload_type_m,payload_type),min_occurence);
756 iterator->destroy(iterator);
757 return NOT_SUPPORTED;
758 }
759 }
760 iterator->destroy(iterator);
761
762 return SUCCESS;
763 }
764
765
766 static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
767 {
768 bool current_payload_was_encrypted = FALSE;
769 status_t status;
770 message_rule_t *message_rule;
771 iterator_t *iterator;
772 int payload_number = 1;
773
774 status = this->get_message_rule(this, &message_rule);
775 if (status != SUCCESS)
776 {
777 this->logger->log(this->logger, ERROR, "No message rule for current message type");
778 return status;
779 }
780
781 iterator = this->payloads->create_iterator(this->payloads,TRUE);
782
783 while(iterator->has_next(iterator))
784 {
785 payload_t *current_payload;
786 supported_payload_entry_t *payload_entry;
787
788 /* get current payload */
789 iterator->current(iterator,(void **)&current_payload);
790
791 if (current_payload->get_type(current_payload) == ENCRYPTED)
792 {
793 encryption_payload_t *encryption_payload;
794 iterator_t *encrypted_payload_iterator;
795 payload_t *current_encrypted_payload;
796
797 if (!message_rule->encrypted_content)
798 {
799 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload not allowed for this message type");
800 iterator->destroy(iterator);
801 /* encrypted payload is not last one */
802 return FAILED;
803 }
804
805 if (payload_number != this->payloads->get_count(this->payloads))
806 {
807 this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last one");
808 iterator->destroy(iterator);
809 /* encrypted payload is not last one */
810 return FAILED;
811 }
812
813 this->payloads->remove_last(this->payloads,(void **)&encryption_payload);
814
815 /* encrypt payload */
816 encryption_payload->set_transforms(encryption_payload, crypter, signer);
817 status = encryption_payload->verify_signature(encryption_payload, this->packet->data);
818 if (status != SUCCESS)
819 {
820 this->logger->log(this->logger, ERROR, "encryption payload signature invalid");
821 iterator->destroy(iterator);
822 return status;
823 }
824 status = encryption_payload->decrypt(encryption_payload);
825 if (status != SUCCESS)
826 {
827 this->logger->log(this->logger, ERROR, "parsing decrypted encryption payload failed");
828 iterator->destroy(iterator);
829 return status;
830 }
831
832 current_payload_was_encrypted = TRUE;
833
834 encrypted_payload_iterator = encryption_payload->create_payload_iterator(encryption_payload, TRUE);
835
836 if (!encrypted_payload_iterator->has_next(encrypted_payload_iterator))
837 {
838 iterator->remove(iterator);
839 encrypted_payload_iterator->destroy(encrypted_payload_iterator);
840 encryption_payload->destroy(encryption_payload);
841 break;
842 }
843
844 /* encryption_payload is replaced with first encrypted payload*/
845 encrypted_payload_iterator->current(encrypted_payload_iterator,(void **)&current_encrypted_payload);
846 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
847
848 /* all encrypted payloads are added to the payload list */
849 while (encrypted_payload_iterator->has_next(encrypted_payload_iterator))
850 {
851 encrypted_payload_iterator->current(encrypted_payload_iterator,(void **)&current_encrypted_payload);
852 this->payloads->insert_last(this->payloads,current_encrypted_payload);
853 }
854
855 encrypted_payload_iterator->destroy(encrypted_payload_iterator);
856 encryption_payload->destroy(encryption_payload);
857 }
858
859 status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&payload_entry);
860
861 if (status != SUCCESS)
862 {
863 /* payload type not supported */
864 this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload->get_type(current_payload)));
865 iterator->destroy(iterator);
866 return status;
867 }
868
869 if (payload_entry->encrypted != current_payload_was_encrypted)
870 {
871 /* payload type not supported */
872 this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!",(payload_entry->encrypted) ? "encrypted": "not encrypted");
873 iterator->destroy(iterator);
874 return status;
875 }
876 payload_number++;
877 }
878 iterator->destroy(iterator);
879
880 return this->public.verify(&(this->public));
881
882 }
883
884
885 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
886 {
887 status_t status;
888 message_rule_t *message_rule;
889 encryption_payload_t *encryption_payload = NULL;
890 linked_list_t *all_payloads;
891
892 status = this->get_message_rule(this, &message_rule);
893 if (status != SUCCESS)
894 {
895 return status;
896 }
897
898 if (!message_rule->encrypted_content)
899 {
900 /* message contains no content to encrypt */
901 return SUCCESS;
902 }
903
904 all_payloads = linked_list_create();
905
906 /* first copy all payloads in a temporary list */
907 while (this->payloads->get_count(this->payloads) > 0)
908 {
909 void *current_payload;
910 this->payloads->remove_first(this->payloads,&current_payload);
911 all_payloads->insert_last(all_payloads,current_payload);
912 }
913
914 while (all_payloads->get_count(all_payloads) > 0)
915 {
916 payload_t *current_payload;
917 bool to_encrypt = FALSE;
918 supported_payload_entry_t *supported_payload_entry;
919
920 all_payloads->remove_first(all_payloads,(void **)&current_payload);
921
922 status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&supported_payload_entry);
923 /* for payload types which are not found in supported payload list, it is presumed
924 * that they don't have to be encrypted */
925 if ((status == SUCCESS) && (supported_payload_entry->encrypted))
926 {
927 to_encrypt = TRUE;
928 break;
929 }
930
931 if (to_encrypt)
932 {
933 if (encryption_payload == NULL)
934 {
935 encryption_payload = encryption_payload_create();
936 }
937 encryption_payload->add_payload(encryption_payload,current_payload);
938 }
939 else
940 {
941 this->payloads->insert_last(this->payloads,current_payload);
942 }
943 }
944
945 status = SUCCESS;
946 if (encryption_payload != NULL)
947 {
948 encryption_payload->set_transforms(encryption_payload,crypter,signer);
949 status = encryption_payload->encrypt(encryption_payload);
950 this->payloads->insert_last(this->payloads,encryption_payload);
951 }
952
953 all_payloads->destroy(all_payloads);
954
955 return status;
956 }
957
958 /**
959 * Implements message_t's destroy function.
960 * See #message_s.destroy.
961 */
962 static void destroy (private_message_t *this)
963 {
964 iterator_t *iterator;
965
966 this->packet->destroy(this->packet);
967
968 if (this->ike_sa_id != NULL)
969 {
970 this->ike_sa_id->destroy(this->ike_sa_id);
971 }
972
973 iterator = this->payloads->create_iterator(this->payloads, TRUE);
974 while (iterator->has_next(iterator))
975 {
976 payload_t *payload;
977 iterator->current(iterator, (void**)&payload);
978 this->logger->log(this->logger, CONTROL|MOST, "Destroying payload of type %s",
979 mapping_find(payload_type_m, payload->get_type(payload)));
980 payload->destroy(payload);
981 }
982 iterator->destroy(iterator);
983 this->payloads->destroy(this->payloads);
984 this->parser->destroy(this->parser);
985 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
986
987 allocator_free(this);
988 }
989
990 /*
991 * Described in Header-File
992 */
993 message_t *message_create_from_packet(packet_t *packet)
994 {
995 private_message_t *this = allocator_alloc_thing(private_message_t);
996
997 /* public functions */
998 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
999 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1000 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1001 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1002 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1003 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1004 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1005 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1006 this->public.get_ike_sa_id = (status_t(*)(message_t*, ike_sa_id_t **))get_ike_sa_id;
1007 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1008 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1009 this->public.set_request = (void(*)(message_t*, bool))set_request;
1010 this->public.get_request = (bool(*)(message_t*))get_request;
1011 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1012 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1013 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1014 this->public.get_source = (void (*) (message_t*,host_t**)) get_source;
1015 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1016 this->public.get_destination = (void (*) (message_t*,host_t**)) get_destination;
1017 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1018 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1019 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1020 this->public.verify = (status_t (*) (message_t*)) verify;
1021 this->public.destroy = (void(*)(message_t*))destroy;
1022
1023 /* private values */
1024 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1025 this->is_request = TRUE;
1026 this->ike_sa_id = NULL;
1027 this->first_payload = NO_PAYLOAD;
1028 this->message_id = 0;
1029
1030 /* private functions */
1031 this->get_message_rule = get_message_rule;
1032 this->get_supported_payload_entry = get_supported_payload_entry;
1033 this->encrypt_payloads = encrypt_payloads;
1034 this->decrypt_payloads = decrypt_payloads;
1035
1036 /* private values */
1037 if (packet == NULL)
1038 {
1039 packet = packet_create();
1040 }
1041 this->packet = packet;
1042 this->payloads = linked_list_create();
1043
1044 /* parser is created from data of packet */
1045 this->parser = parser_create(this->packet->data);
1046
1047 this->logger = charon->logger_manager->create_logger(charon->logger_manager, MESSAGE, NULL);
1048
1049 return (&this->public);
1050 }
1051
1052 /*
1053 * Described in Header-File
1054 */
1055 message_t *message_create()
1056 {
1057 return message_create_from_packet(NULL);
1058 }