projects / strongswan.git / blob
? search:


44850313cf9e1f4d158b21350adc905151374d22
[strongswan.git] / src / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include <stdlib.h>
26 #include <string.h>
27 #include <printf.h>
28
29 #include "message.h"
30
31 #include <types.h>
32 #include <daemon.h>
33 #include <sa/ike_sa_id.h>
34 #include <encoding/generator.h>
35 #include <encoding/parser.h>
36 #include <utils/linked_list.h>
37 #include <encoding/payloads/encodings.h>
38 #include <encoding/payloads/payload.h>
39 #include <encoding/payloads/encryption_payload.h>
40 #include <encoding/payloads/unknown_payload.h>
41
42 /**
43 * Max number of notify payloads per IKEv2 Message
44 */
45 #define MAX_NOTIFY_PAYLOADS 20
46
47
48 typedef struct payload_rule_t payload_rule_t;
49
50 /**
51 * A payload rule defines the rules for a payload
52 * in a specific message rule. It defines if and how
53 * many times a payload must/can occur in a message
54 * and if it must be encrypted.
55 */
56 struct payload_rule_t {
57 /**
58 * Payload type.
59 */
60 payload_type_t payload_type;
61
62 /**
63 * Minimal occurence of this payload.
64 */
65 size_t min_occurence;
66
67 /**
68 * Max occurence of this payload.
69 */
70 size_t max_occurence;
71
72 /**
73 * TRUE if payload must be encrypted
74 */
75 bool encrypted;
76
77 /**
78 * If this payload occurs, the message rule is
79 * fullfilled in any case. This applies e.g. to
80 * notify_payloads.
81 */
82 bool sufficient;
83 };
84
85 typedef struct message_rule_t message_rule_t;
86
87 /**
88 * A message rule defines the kind of a message,
89 * if it has encrypted contents and a list
90 * of payload rules.
91 *
92 */
93 struct message_rule_t {
94 /**
95 * Type of message.
96 */
97 exchange_type_t exchange_type;
98
99 /**
100 * Is message a request or response.
101 */
102 bool is_request;
103
104 /**
105 * Message contains encrypted content.
106 */
107 bool encrypted_content;
108
109 /**
110 * Number of payload rules which will follow
111 */
112 size_t payload_rule_count;
113
114 /**
115 * Pointer to first payload rule
116 */
117 payload_rule_t *payload_rules;
118 };
119
120 /**
121 * Message rule for IKE_SA_INIT from initiator.
122 */
123 static payload_rule_t ike_sa_init_i_payload_rules[] = {
124 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
125 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
126 {KEY_EXCHANGE,1,1,FALSE,FALSE},
127 {NONCE,1,1,FALSE,FALSE},
128 };
129
130 /**
131 * Message rule for IKE_SA_INIT from responder.
132 */
133 static payload_rule_t ike_sa_init_r_payload_rules[] = {
134 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
135 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
136 {KEY_EXCHANGE,1,1,FALSE,FALSE},
137 {NONCE,1,1,FALSE,FALSE},
138 };
139
140 /**
141 * Message rule for IKE_AUTH from initiator.
142 */
143 static payload_rule_t ike_auth_i_payload_rules[] = {
144 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
145 {ID_INITIATOR,1,1,TRUE,FALSE},
146 {CERTIFICATE,0,1,TRUE,FALSE},
147 {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
148 {ID_RESPONDER,0,1,TRUE,FALSE},
149 {AUTHENTICATION,1,1,TRUE,FALSE},
150 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
151 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
152 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
153 {CONFIGURATION,0,1,TRUE,FALSE},
154 };
155
156 /**
157 * Message rule for IKE_AUTH from responder.
158 */
159 static payload_rule_t ike_auth_r_payload_rules[] = {
160 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
161 {CERTIFICATE,0,1,TRUE,FALSE},
162 {ID_RESPONDER,1,1,TRUE,FALSE},
163 {AUTHENTICATION,1,1,TRUE,FALSE},
164 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
165 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
166 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
167 {CONFIGURATION,0,1,TRUE,FALSE},
168 };
169
170
171 /**
172 * Message rule for INFORMATIONAL from initiator.
173 */
174 static payload_rule_t informational_i_payload_rules[] = {
175 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
176 {CONFIGURATION,0,1,TRUE,FALSE},
177 {DELETE,0,1,TRUE,FALSE},
178
179 };
180
181 /**
182 * Message rule for INFORMATIONAL from responder.
183 */
184 static payload_rule_t informational_r_payload_rules[] = {
185 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
186 {CONFIGURATION,0,1,TRUE,FALSE},
187 {DELETE,0,1,TRUE,FALSE},
188 };
189
190 /**
191 * Message rule for CREATE_CHILD_SA from initiator.
192 */
193 static payload_rule_t create_child_sa_i_payload_rules[] = {
194 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
195 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
196 {NONCE,1,1,TRUE,FALSE},
197 {KEY_EXCHANGE,0,1,TRUE,FALSE},
198 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
199 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
200 {CONFIGURATION,0,1,TRUE,FALSE},
201 };
202
203 /**
204 * Message rule for CREATE_CHILD_SA from responder.
205 */
206 static payload_rule_t create_child_sa_r_payload_rules[] = {
207 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
208 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
209 {NONCE,1,1,TRUE,FALSE},
210 {KEY_EXCHANGE,0,1,TRUE,FALSE},
211 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
212 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
213 {CONFIGURATION,0,1,TRUE,FALSE},
214 };
215
216
217 /**
218 * Message rules, defines allowed payloads.
219 */
220 static message_rule_t message_rules[] = {
221 {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
222 {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
223 {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
224 {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
225 {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
226 {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
227 {CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
228 {CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
229 };
230
231
232 typedef struct private_message_t private_message_t;
233
234 /**
235 * Private data of an message_t object.
236 */
237 struct private_message_t {
238
239 /**
240 * Public part of a message_t object.
241 */
242 message_t public;
243
244 /**
245 * Minor version of message.
246 */
247 u_int8_t major_version;
248
249 /**
250 * Major version of message.
251 */
252 u_int8_t minor_version;
253
254 /**
255 * First Payload in message.
256 */
257 payload_type_t first_payload;
258
259 /**
260 * Assigned exchange type.
261 */
262 exchange_type_t exchange_type;
263
264 /**
265 * TRUE if message is a request, FALSE if a reply.
266 */
267 bool is_request;
268
269 /**
270 * Message ID of this message.
271 */
272 u_int32_t message_id;
273
274 /**
275 * ID of assigned IKE_SA.
276 */
277 ike_sa_id_t *ike_sa_id;
278
279 /**
280 * Assigned UDP packet, stores incoming packet or last generated one.
281 */
282 packet_t *packet;
283
284 /**
285 * Linked List where payload data are stored in.
286 */
287 linked_list_t *payloads;
288
289 /**
290 * Assigned parser to parse Header and Body of this message.
291 */
292 parser_t *parser;
293
294 /**
295 * The message rule for this message instance
296 */
297 message_rule_t *message_rule;
298 };
299
300 /**
301 * Implementation of private_message_t.set_message_rule.
302 */
303 static status_t set_message_rule(private_message_t *this)
304 {
305 int i;
306
307 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
308 {
309 if ((this->exchange_type == message_rules[i].exchange_type) &&
310 (this->is_request == message_rules[i].is_request))
311 {
312 /* found rule for given exchange_type*/
313 this->message_rule = &(message_rules[i]);
314 return SUCCESS;
315 }
316 }
317 this->message_rule = NULL;
318 return NOT_FOUND;
319 }
320
321 /**
322 * Implementation of private_message_t.get_payload_rule.
323 */
324 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
325 {
326 int i;
327
328 for (i = 0; i < this->message_rule->payload_rule_count;i++)
329 {
330 if (this->message_rule->payload_rules[i].payload_type == payload_type)
331 {
332 *payload_rule = &(this->message_rule->payload_rules[i]);
333 return SUCCESS;
334 }
335 }
336
337 *payload_rule = NULL;
338 return NOT_FOUND;
339 }
340
341 /**
342 * Implementation of message_t.set_ike_sa_id.
343 */
344 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
345 {
346 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
347 }
348
349 /**
350 * Implementation of message_t.get_ike_sa_id.
351 */
352 static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
353 {
354 return this->ike_sa_id;
355 }
356
357 /**
358 * Implementation of message_t.set_message_id.
359 */
360 static void set_message_id (private_message_t *this,u_int32_t message_id)
361 {
362 this->message_id = message_id;
363 }
364
365 /**
366 * Implementation of message_t.get_message_id.
367 */
368 static u_int32_t get_message_id (private_message_t *this)
369 {
370 return this->message_id;
371 }
372
373 /**
374 * Implementation of message_t.get_initiator_spi.
375 */
376 static u_int64_t get_initiator_spi (private_message_t *this)
377 {
378 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
379 }
380
381 /**
382 * Implementation of message_t.get_responder_spi.
383 */
384 static u_int64_t get_responder_spi (private_message_t *this)
385 {
386 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
387 }
388
389 /**
390 * Implementation of message_t.set_major_version.
391 */
392 static void set_major_version (private_message_t *this,u_int8_t major_version)
393 {
394 this->major_version = major_version;
395 }
396
397
398 /**
399 * Implementation of message_t.set_major_version.
400 */
401 static u_int8_t get_major_version (private_message_t *this)
402 {
403 return this->major_version;
404 }
405
406 /**
407 * Implementation of message_t.set_minor_version.
408 */
409 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
410 {
411 this->minor_version = minor_version;
412 }
413
414 /**
415 * Implementation of message_t.get_minor_version.
416 */
417 static u_int8_t get_minor_version (private_message_t *this)
418 {
419 return this->minor_version;
420 }
421
422 /**
423 * Implementation of message_t.set_exchange_type.
424 */
425 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
426 {
427 this->exchange_type = exchange_type;
428 }
429
430 /**
431 * Implementation of message_t.get_exchange_type.
432 */
433 static exchange_type_t get_exchange_type (private_message_t *this)
434 {
435 return this->exchange_type;
436 }
437
438 /**
439 * Implementation of message_t.set_request.
440 */
441 static void set_request (private_message_t *this,bool request)
442 {
443 this->is_request = request;
444 }
445
446 /**
447 * Implementation of message_t.get_request.
448 */
449 static exchange_type_t get_request (private_message_t *this)
450 {
451 return this->is_request;
452 }
453
454 /**
455 * Is this message in an encoded form?
456 */
457 static bool is_encoded(private_message_t *this)
458 {
459 chunk_t data = this->packet->get_data(this->packet);
460
461 if (data.ptr == NULL)
462 {
463 return FALSE;
464 }
465 return TRUE;
466 }
467
468 /**
469 * Implementation of message_t.add_payload.
470 */
471 static void add_payload(private_message_t *this, payload_t *payload)
472 {
473 payload_t *last_payload;
474 if (this->payloads->get_count(this->payloads) > 0)
475 {
476 this->payloads->get_last(this->payloads,(void **) &last_payload);
477 last_payload->set_next_type(last_payload, payload->get_type(payload));
478 }
479 else
480 {
481 this->first_payload = payload->get_type(payload);
482 }
483 payload->set_next_type(payload, NO_PAYLOAD);
484 this->payloads->insert_last(this->payloads, (void*)payload);
485
486 DBG2(SIG_DBG_ENC ,"added payload of type %N to message",
487 payload_type_names, payload->get_type(payload));
488 }
489
490 /**
491 * Implementation of message_t.set_source.
492 */
493 static void set_source(private_message_t *this, host_t *host)
494 {
495 this->packet->set_source(this->packet, host);
496 }
497
498 /**
499 * Implementation of message_t.set_destination.
500 */
501 static void set_destination(private_message_t *this, host_t *host)
502 {
503 this->packet->set_destination(this->packet, host);
504 }
505
506 /**
507 * Implementation of message_t.get_source.
508 */
509 static host_t* get_source(private_message_t *this)
510 {
511 return this->packet->get_source(this->packet);
512 }
513
514 /**
515 * Implementation of message_t.get_destination.
516 */
517 static host_t * get_destination(private_message_t *this)
518 {
519 return this->packet->get_destination(this->packet);
520 }
521
522 /**
523 * Implementation of message_t.get_destination.
524 */
525 static iterator_t *get_payload_iterator(private_message_t *this)
526 {
527 return this->payloads->create_iterator(this->payloads, TRUE);
528 }
529
530 /**
531 * output handler in printf()
532 */
533 static int print(FILE *stream, const struct printf_info *info,
534 const void *const *args)
535 {
536 private_message_t *this = *((private_message_t**)(args[0]));
537 iterator_t *iterator;
538 payload_t *payload;
539 bool first = TRUE;
540 size_t total_written = 0;
541 size_t written;
542
543 if (this == NULL)
544 {
545 return fprintf(stream, "(null)");
546 }
547
548 written = fprintf(stream, "%N %s [",
549 exchange_type_names, this->exchange_type,
550 this->is_request ? "request" : "response");
551 if (written < 0)
552 {
553 return written;
554 }
555 total_written += written;
556
557 iterator = this->payloads->create_iterator(this->payloads, TRUE);
558 while (iterator->iterate(iterator, (void**)&payload))
559 {
560 if (!first)
561 {
562 written = fprintf(stream, " ");
563 if (written < 0)
564 {
565 return written;
566 }
567 total_written += written;
568 }
569 else
570 {
571 first = FALSE;
572 }
573 written = fprintf(stream, "%N", payload_type_short_names,
574 payload->get_type(payload));
575 if (written < 0)
576 {
577 return written;
578 }
579 total_written += written;
580 }
581 iterator->destroy(iterator);
582 written = fprintf(stream, "]");
583 if (written < 0)
584 {
585 return written;
586 }
587 total_written += written;
588 return total_written;
589 }
590
591 /**
592 * arginfo handler in printf()
593 */
594 static int print_arginfo(const struct printf_info *info, size_t n, int *argtypes)
595 {
596 if (n > 0)
597 {
598 argtypes[0] = PA_POINTER;
599 }
600 return 1;
601 }
602
603 /**
604 * register printf() handlers
605 */
606 static void __attribute__ ((constructor))print_register()
607 {
608 register_printf_function(MESSAGE_PRINTF_SPEC, print, print_arginfo);
609 }
610
611 /**
612 * Implementation of private_message_t.encrypt_payloads.
613 */
614 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
615 {
616 encryption_payload_t *encryption_payload = NULL;
617 status_t status;
618 linked_list_t *all_payloads;
619
620 if (!this->message_rule->encrypted_content)
621 {
622 DBG2(SIG_DBG_ENC, "message doesn't have to be encrypted");
623 /* message contains no content to encrypt */
624 return SUCCESS;
625 }
626
627 DBG2(SIG_DBG_ENC, "copy all payloads to a temporary list");
628 all_payloads = linked_list_create();
629
630 /* first copy all payloads in a temporary list */
631 while (this->payloads->get_count(this->payloads) > 0)
632 {
633 void *current_payload;
634 this->payloads->remove_first(this->payloads,&current_payload);
635 all_payloads->insert_last(all_payloads,current_payload);
636 }
637
638 encryption_payload = encryption_payload_create();
639
640 DBG2(SIG_DBG_ENC, "check each payloads if they have to get encrypted");
641 while (all_payloads->get_count(all_payloads) > 0)
642 {
643 payload_rule_t *payload_rule;
644 payload_t *current_payload;
645 bool to_encrypt = FALSE;
646
647 all_payloads->remove_first(all_payloads,(void **)&current_payload);
648
649 status = get_payload_rule(this,
650 current_payload->get_type(current_payload),&payload_rule);
651 /* for payload types which are not found in supported payload list,
652 * it is presumed that they don't have to be encrypted */
653 if ((status == SUCCESS) && (payload_rule->encrypted))
654 {
655 DBG2(SIG_DBG_ENC, "payload %N gets encrypted",
656 payload_type_names, current_payload->get_type(current_payload));
657 to_encrypt = TRUE;
658 }
659
660 if (to_encrypt)
661 {
662 DBG2(SIG_DBG_ENC, "insert payload %N to encryption payload",
663 payload_type_names, current_payload->get_type(current_payload));
664 encryption_payload->add_payload(encryption_payload,current_payload);
665 }
666 else
667 {
668 DBG2(SIG_DBG_ENC, "insert payload %N unencrypted",
669 payload_type_names ,current_payload->get_type(current_payload));
670 add_payload(this, (payload_t*)encryption_payload);
671 }
672 }
673
674 status = SUCCESS;
675 DBG2(SIG_DBG_ENC, "encrypting encryption payload");
676 encryption_payload->set_transforms(encryption_payload, crypter,signer);
677 status = encryption_payload->encrypt(encryption_payload);
678 DBG2(SIG_DBG_ENC, "add encrypted payload to payload list");
679 add_payload(this, (payload_t*)encryption_payload);
680
681 all_payloads->destroy(all_payloads);
682
683 return status;
684 }
685
686 /**
687 * Implementation of message_t.generate.
688 */
689 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
690 {
691 generator_t *generator;
692 ike_header_t *ike_header;
693 payload_t *payload, *next_payload;
694 iterator_t *iterator;
695 status_t status;
696 chunk_t packet_data;
697
698 if (is_encoded(this))
699 {
700 /* already generated, return a new packet clone */
701 *packet = this->packet->clone(this->packet);
702 return SUCCESS;
703 }
704
705 DBG1(SIG_DBG_ENC, "generating %M", this);
706
707 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
708 {
709 DBG1(SIG_DBG_ENC, "exchange type is not defined");
710 return INVALID_STATE;
711 }
712
713 if (this->packet->get_source(this->packet) == NULL ||
714 this->packet->get_destination(this->packet) == NULL)
715 {
716 DBG1(SIG_DBG_ENC, "%s not defined",
717 !this->packet->get_source(this->packet) ? "source" : "destination");
718 return INVALID_STATE;
719 }
720
721 /* set the rules for this messge */
722 status = set_message_rule(this);
723 if (status != SUCCESS)
724 {
725 DBG1(SIG_DBG_ENC, "no message rules specified for this message type");
726 return NOT_SUPPORTED;
727 }
728
729 /* going to encrypt all content which have to be encrypted */
730 status = encrypt_payloads(this, crypter, signer);
731 if (status != SUCCESS)
732 {
733 DBG1(SIG_DBG_ENC, "payload encryption failed");
734 return status;
735 }
736
737 /* build ike header */
738 ike_header = ike_header_create();
739
740 ike_header->set_exchange_type(ike_header, this->exchange_type);
741 ike_header->set_message_id(ike_header, this->message_id);
742 ike_header->set_response_flag(ike_header, !this->is_request);
743 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
744 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
745 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
746
747 generator = generator_create();
748
749 payload = (payload_t*)ike_header;
750
751
752 /* generate every payload expect last one, this is doen later*/
753 iterator = this->payloads->create_iterator(this->payloads, TRUE);
754 while(iterator->iterate(iterator, (void**)&next_payload))
755 {
756 payload->set_next_type(payload, next_payload->get_type(next_payload));
757 generator->generate_payload(generator, payload);
758 payload = next_payload;
759 }
760 iterator->destroy(iterator);
761
762 /* last payload has no next payload*/
763 payload->set_next_type(payload, NO_PAYLOAD);
764
765 generator->generate_payload(generator, payload);
766
767 ike_header->destroy(ike_header);
768
769 /* build packet */
770 generator->write_to_chunk(generator, &packet_data);
771 generator->destroy(generator);
772
773 /* if last payload is of type encrypted, integrity checksum if necessary */
774 if (payload->get_type(payload) == ENCRYPTED)
775 {
776 DBG2(SIG_DBG_ENC, "build signature on whole message");
777 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
778 status = encryption_payload->build_signature(encryption_payload, packet_data);
779 if (status != SUCCESS)
780 {
781 return status;
782 }
783 }
784
785 this->packet->set_data(this->packet, packet_data);
786
787 /* clone packet for caller */
788 *packet = this->packet->clone(this->packet);
789
790 DBG2(SIG_DBG_ENC, "message generated successfully");
791 return SUCCESS;
792 }
793
794 /**
795 * Implementation of message_t.get_packet.
796 */
797 static packet_t *get_packet (private_message_t *this)
798 {
799 return this->packet->clone(this->packet);
800 }
801
802 /**
803 * Implementation of message_t.get_packet_data.
804 */
805 static chunk_t get_packet_data (private_message_t *this)
806 {
807 return chunk_clone(this->packet->get_data(this->packet));
808 }
809
810 /**
811 * Implementation of message_t.parse_header.
812 */
813 static status_t parse_header(private_message_t *this)
814 {
815 ike_header_t *ike_header;
816 status_t status;
817
818 DBG2(SIG_DBG_ENC, "parsing header of message");
819
820 this->parser->reset_context(this->parser);
821 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
822 if (status != SUCCESS)
823 {
824 DBG1(SIG_DBG_ENC, "header could not be parsed");
825 return status;
826
827 }
828
829 /* verify payload */
830 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
831 if (status != SUCCESS)
832 {
833 DBG1(SIG_DBG_ENC, "header verification failed");
834 ike_header->destroy(ike_header);
835 return status;
836 }
837
838 if (this->ike_sa_id != NULL)
839 {
840 this->ike_sa_id->destroy(this->ike_sa_id);
841 }
842
843 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
844 ike_header->get_responder_spi(ike_header),
845 ike_header->get_initiator_flag(ike_header));
846
847 this->exchange_type = ike_header->get_exchange_type(ike_header);
848 this->message_id = ike_header->get_message_id(ike_header);
849 this->is_request = (!(ike_header->get_response_flag(ike_header)));
850 this->major_version = ike_header->get_maj_version(ike_header);
851 this->minor_version = ike_header->get_min_version(ike_header);
852 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
853
854 DBG2(SIG_DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
855 this->is_request ? "request" : "response");
856
857 ike_header->destroy(ike_header);
858
859 /* get the rules for this messge */
860 status = set_message_rule(this);
861 if (status != SUCCESS)
862 {
863 DBG1(SIG_DBG_ENC, "no message rules specified for a %N %s",
864 exchange_type_names, this->exchange_type,
865 this->is_request ? "request" : "response");
866 }
867
868 return status;
869 }
870
871 /**
872 * Implementation of private_message_t.decrypt_and_verify_payloads.
873 */
874 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
875 {
876 bool current_payload_was_encrypted = FALSE;
877 payload_t *previous_payload = NULL;
878 int payload_number = 1;
879 iterator_t *iterator;
880 payload_t *current_payload;
881 status_t status;
882
883 iterator = this->payloads->create_iterator(this->payloads,TRUE);
884
885 /* process each payload and decrypt a encryption payload */
886 while(iterator->iterate(iterator, (void**)&current_payload))
887 {
888 payload_rule_t *payload_rule;
889 payload_type_t current_payload_type;
890
891 /* needed to check */
892 current_payload_type = current_payload->get_type(current_payload);
893
894 DBG2(SIG_DBG_ENC, "process payload of type %N",
895 payload_type_names, current_payload_type);
896
897 if (current_payload_type == ENCRYPTED)
898 {
899 encryption_payload_t *encryption_payload;
900 payload_t *current_encrypted_payload;
901
902 encryption_payload = (encryption_payload_t*)current_payload;
903
904 DBG2(SIG_DBG_ENC, "found an encryption payload");
905
906 if (payload_number != this->payloads->get_count(this->payloads))
907 {
908 /* encrypted payload is not last one */
909 DBG1(SIG_DBG_ENC, "encrypted payload is not last payload");
910 iterator->destroy(iterator);
911 return VERIFY_ERROR;
912 }
913 /* decrypt */
914 encryption_payload->set_transforms(encryption_payload, crypter, signer);
915 DBG2(SIG_DBG_ENC, "verify signature of encryption payload");
916 status = encryption_payload->verify_signature(encryption_payload,
917 this->packet->get_data(this->packet));
918 if (status != SUCCESS)
919 {
920 DBG1(SIG_DBG_ENC, "encryption payload signature invalid");
921 iterator->destroy(iterator);
922 return FAILED;
923 }
924 DBG2(SIG_DBG_ENC, "decrypting content of encryption payload");
925 status = encryption_payload->decrypt(encryption_payload);
926 if (status != SUCCESS)
927 {
928 DBG1(SIG_DBG_ENC, "encrypted payload could not be decrypted and parsed");
929 iterator->destroy(iterator);
930 return PARSE_ERROR;
931 }
932
933 /* needed later to find out if a payload was encrypted */
934 current_payload_was_encrypted = TRUE;
935
936 /* check if there are payloads contained in the encryption payload */
937 if (encryption_payload->get_payload_count(encryption_payload) == 0)
938 {
939 DBG2(SIG_DBG_ENC, "encrypted payload is empty");
940 /* remove the encryption payload, is not needed anymore */
941 iterator->remove(iterator);
942 /* encrypted payload contains no other payload */
943 current_payload_type = NO_PAYLOAD;
944 }
945 else
946 {
947 /* encryption_payload is replaced with first payload contained in encryption_payload */
948 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
949 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
950 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
951 }
952
953 /* is the current paylad the first in the message? */
954 if (previous_payload == NULL)
955 {
956 /* yes, set the first payload type of the message to the current type */
957 this->first_payload = current_payload_type;
958 }
959 else
960 {
961 /* no, set the next_type of the previous payload to the current type */
962 previous_payload->set_next_type(previous_payload, current_payload_type);
963 }
964
965 /* all encrypted payloads are added to the payload list */
966 while (encryption_payload->get_payload_count(encryption_payload) > 0)
967 {
968 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
969 DBG2(SIG_DBG_ENC, "insert unencrypted payload of type %N at end of list",
970 payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
971 this->payloads->insert_last(this->payloads,current_encrypted_payload);
972 }
973
974 /* encryption payload is processed, payloads are moved. Destroy it. */
975 encryption_payload->destroy(encryption_payload);
976 }
977
978 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
979 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
980 {
981 /* get the ruleset for found payload */
982 status = get_payload_rule(this, current_payload_type, &payload_rule);
983 if (status != SUCCESS)
984 {
985 /* payload is not allowed */
986 DBG1(SIG_DBG_ENC, "payload type %N not allowed",
987 payload_type_names, current_payload_type);
988 iterator->destroy(iterator);
989 return VERIFY_ERROR;
990 }
991
992 /* check if the payload was encrypted, and if it should been have encrypted */
993 if (payload_rule->encrypted != current_payload_was_encrypted)
994 {
995 /* payload was not encrypted, but should have been. or vice-versa */
996 DBG1(SIG_DBG_ENC, "payload type %N should be %s!",
997 payload_type_names, current_payload_type,
998 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
999 iterator->destroy(iterator);
1000 return VERIFY_ERROR;
1001 }
1002 }
1003 /* advance to the next payload */
1004 payload_number++;
1005 /* is stored to set next payload in case of found encryption payload */
1006 previous_payload = current_payload;
1007 }
1008 iterator->destroy(iterator);
1009 return SUCCESS;
1010 }
1011
1012 /**
1013 * Implementation of private_message_t.verify.
1014 */
1015 static status_t verify(private_message_t *this)
1016 {
1017 int i;
1018 iterator_t *iterator;
1019 payload_t *current_payload;
1020 size_t total_found_payloads = 0;
1021
1022 DBG2(SIG_DBG_ENC, "verifying message structure");
1023
1024 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1025 /* check for payloads with wrong count*/
1026 for (i = 0; i < this->message_rule->payload_rule_count;i++)
1027 {
1028 size_t found_payloads = 0;
1029
1030 /* check all payloads for specific rule */
1031 iterator->reset(iterator);
1032
1033 while(iterator->iterate(iterator,(void **)&current_payload))
1034 {
1035 payload_type_t current_payload_type;
1036
1037 current_payload_type = current_payload->get_type(current_payload);
1038 if (current_payload_type == UNKNOWN_PAYLOAD)
1039 {
1040 /* unknown payloads are ignored, IF they are not critical */
1041 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
1042 if (unknown_payload->is_critical(unknown_payload))
1043 {
1044 DBG1(SIG_DBG_ENC, "%N is not supported, but its critical!",
1045 payload_type_names, current_payload_type);
1046 iterator->destroy(iterator);
1047 return NOT_SUPPORTED;
1048 }
1049 }
1050 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
1051 {
1052 found_payloads++;
1053 total_found_payloads++;
1054 DBG2(SIG_DBG_ENC, "found payload of type %N",
1055 payload_type_names, this->message_rule->payload_rules[i].payload_type);
1056
1057 /* as soon as ohe payload occures more then specified, the verification fails */
1058 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
1059 {
1060 DBG1(SIG_DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
1061 payload_type_names, current_payload_type,
1062 this->message_rule->payload_rules[i].max_occurence, found_payloads);
1063 iterator->destroy(iterator);
1064 return VERIFY_ERROR;
1065 }
1066 }
1067 }
1068
1069 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
1070 {
1071 DBG1(SIG_DBG_ENC, "payload of type %N not occured %d times (%d)",
1072 payload_type_names, this->message_rule->payload_rules[i].payload_type,
1073 this->message_rule->payload_rules[i].min_occurence, found_payloads);
1074 iterator->destroy(iterator);
1075 return VERIFY_ERROR;
1076 }
1077 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
1078 {
1079 iterator->destroy(iterator);
1080 return SUCCESS;
1081 }
1082 }
1083 iterator->destroy(iterator);
1084 return SUCCESS;
1085 }
1086
1087 /**
1088 * Implementation of message_t.parse_body.
1089 */
1090 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
1091 {
1092 status_t status = SUCCESS;
1093 payload_type_t current_payload_type;
1094
1095 current_payload_type = this->first_payload;
1096
1097 DBG2(SIG_DBG_ENC, "parsing body of message, first payload is %N",
1098 payload_type_names, current_payload_type);
1099
1100 /* parse payload for payload, while there are more available */
1101 while ((current_payload_type != NO_PAYLOAD))
1102 {
1103 payload_t *current_payload;
1104
1105 DBG2(SIG_DBG_ENC, "starting parsing a %N payload",
1106 payload_type_names, current_payload_type);
1107
1108 /* parse current payload */
1109 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
1110
1111 if (status != SUCCESS)
1112 {
1113 DBG1(SIG_DBG_ENC, "payload type %N could not be parsed",
1114 payload_type_names, current_payload_type);
1115 return PARSE_ERROR;
1116 }
1117
1118 DBG2(SIG_DBG_ENC, "verifying payload of type %N",
1119 payload_type_names, current_payload_type);
1120
1121 /* verify it, stop parsig if its invalid */
1122 status = current_payload->verify(current_payload);
1123 if (status != SUCCESS)
1124 {
1125 DBG1(SIG_DBG_ENC, "%N payload verification failed",
1126 payload_type_names, current_payload_type);
1127 current_payload->destroy(current_payload);
1128 return VERIFY_ERROR;
1129 }
1130
1131 DBG2(SIG_DBG_ENC, "%N payload verified. Adding to payload list",
1132 payload_type_names, current_payload_type);
1133 this->payloads->insert_last(this->payloads,current_payload);
1134
1135 /* an encryption payload is the last one, so STOP here. decryption is done later */
1136 if (current_payload_type == ENCRYPTED)
1137 {
1138 DBG2(SIG_DBG_ENC, "%N payload found. Stop parsing",
1139 payload_type_names, current_payload_type);
1140 break;
1141 }
1142
1143 /* get next payload type */
1144 current_payload_type = current_payload->get_next_type(current_payload);
1145 }
1146
1147 if (current_payload_type == ENCRYPTED)
1148 {
1149 status = decrypt_payloads(this,crypter,signer);
1150 if (status != SUCCESS)
1151 {
1152 DBG1(SIG_DBG_ENC, "could not decrypt payloads");
1153 return status;
1154 }
1155 }
1156
1157 status = verify(this);
1158 if (status != SUCCESS)
1159 {
1160 DBG1(SIG_DBG_ENC, "verification of message failed");
1161 return status;
1162 }
1163
1164 DBG1(SIG_DBG_ENC, "parsed %M", this);
1165
1166 return SUCCESS;
1167 }
1168
1169 /**
1170 * Implementation of message_t.destroy.
1171 */
1172 static void destroy (private_message_t *this)
1173 {
1174 DESTROY_IF(this->ike_sa_id);
1175 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1176 this->packet->destroy(this->packet);
1177 this->parser->destroy(this->parser);
1178 free(this);
1179 }
1180
1181 /*
1182 * Described in Header-File
1183 */
1184 message_t *message_create_from_packet(packet_t *packet)
1185 {
1186 private_message_t *this = malloc_thing(private_message_t);
1187
1188 /* public functions */
1189 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1190 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1191 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1192 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1193 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1194 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1195 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1196 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1197 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1198 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1199 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1200 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1201 this->public.set_request = (void(*)(message_t*, bool))set_request;
1202 this->public.get_request = (bool(*)(message_t*))get_request;
1203 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1204 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1205 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1206 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1207 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1208 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1209 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1210 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1211 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1212 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1213 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1214 this->public.destroy = (void(*)(message_t*))destroy;
1215
1216 /* private values */
1217 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1218 this->is_request = TRUE;
1219 this->ike_sa_id = NULL;
1220 this->first_payload = NO_PAYLOAD;
1221 this->message_id = 0;
1222
1223 /* private values */
1224 if (packet == NULL)
1225 {
1226 packet = packet_create();
1227 }
1228 this->message_rule = NULL;
1229 this->packet = packet;
1230 this->payloads = linked_list_create();
1231
1232 /* parser is created from data of packet */
1233 this->parser = parser_create(this->packet->get_data(this->packet));
1234
1235 return (&this->public);
1236 }
1237
1238 /*
1239 * Described in Header.
1240 */
1241 message_t *message_create()
1242 {
1243 return message_create_from_packet(NULL);
1244 }
strongSwan - IPsec VPN