88dafa033a3dc99bdc602a4e6281b3e0e0880bae
[strongswan.git] / src / charon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2006 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <stdlib.h>
22 #include <string.h>
23
24 #include "message.h"
25
26 #include <library.h>
27 #include <daemon.h>
28 #include <sa/ike_sa_id.h>
29 #include <encoding/generator.h>
30 #include <encoding/parser.h>
31 #include <utils/linked_list.h>
32 #include <encoding/payloads/encodings.h>
33 #include <encoding/payloads/payload.h>
34 #include <encoding/payloads/encryption_payload.h>
35 #include <encoding/payloads/unknown_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 Message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42
43 typedef struct payload_rule_t payload_rule_t;
44
45 /**
46 * A payload rule defines the rules for a payload
47 * in a specific message rule. It defines if and how
48 * many times a payload must/can occur in a message
49 * and if it must be encrypted.
50 */
51 struct payload_rule_t {
52 /**
53 * Payload type.
54 */
55 payload_type_t payload_type;
56
57 /**
58 * Minimal occurence of this payload.
59 */
60 size_t min_occurence;
61
62 /**
63 * Max occurence of this payload.
64 */
65 size_t max_occurence;
66
67 /**
68 * TRUE if payload must be encrypted
69 */
70 bool encrypted;
71
72 /**
73 * If this payload occurs, the message rule is
74 * fullfilled in any case. This applies e.g. to
75 * notify_payloads.
76 */
77 bool sufficient;
78 };
79
80 typedef struct payload_order_t payload_order_t;
81
82 /**
83 * payload ordering structure allows us to reorder payloads according to RFC.
84 */
85 struct payload_order_t {
86
87 /**
88 * payload type
89 */
90 payload_type_t type;
91
92 /**
93 * notify type, if payload == NOTIFY
94 */
95 notify_type_t notify;
96 };
97
98
99 typedef struct message_rule_t message_rule_t;
100
101 /**
102 * A message rule defines the kind of a message,
103 * if it has encrypted contents and a list
104 * of payload ordering rules and payload parsing rules.
105 */
106 struct message_rule_t {
107 /**
108 * Type of message.
109 */
110 exchange_type_t exchange_type;
111
112 /**
113 * Is message a request or response.
114 */
115 bool is_request;
116
117 /**
118 * Message contains encrypted content.
119 */
120 bool encrypted_content;
121
122 /**
123 * Number of payload rules which will follow
124 */
125 int payload_rule_count;
126
127 /**
128 * Pointer to first payload rule
129 */
130 payload_rule_t *payload_rules;
131
132 /**
133 * Number of payload order rules
134 */
135 int payload_order_count;
136
137 /**
138 * payload ordering rules
139 */
140 payload_order_t *payload_order;
141 };
142
143 /**
144 * Message rule for IKE_SA_INIT from initiator.
145 */
146 static payload_rule_t ike_sa_init_i_payload_rules[] = {
147 /* payload type min max encr suff */
148 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
149 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
150 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
151 {NONCE, 1, 1, FALSE, FALSE},
152 {VENDOR_ID, 0, 10, FALSE, FALSE},
153 };
154
155 /**
156 * payload order for IKE_SA_INIT initiator
157 */
158 static payload_order_t ike_sa_init_i_payload_order[] = {
159 /* payload type notify type */
160 {NOTIFY, COOKIE},
161 {SECURITY_ASSOCIATION, 0},
162 {KEY_EXCHANGE, 0},
163 {NONCE, 0},
164 {NOTIFY, NAT_DETECTION_SOURCE_IP},
165 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
166 {NOTIFY, 0},
167 {VENDOR_ID, 0},
168 };
169
170 /**
171 * Message rule for IKE_SA_INIT from responder.
172 */
173 static payload_rule_t ike_sa_init_r_payload_rules[] = {
174 /* payload type min max encr suff */
175 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
176 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
177 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
178 {NONCE, 1, 1, FALSE, FALSE},
179 {VENDOR_ID, 0, 10, FALSE, FALSE},
180 };
181
182 /**
183 * payload order for IKE_SA_INIT responder
184 */
185 static payload_order_t ike_sa_init_r_payload_order[] = {
186 /* payload type notify type */
187 {SECURITY_ASSOCIATION, 0},
188 {KEY_EXCHANGE, 0},
189 {NONCE, 0},
190 {NOTIFY, NAT_DETECTION_SOURCE_IP},
191 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
192 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
193 {CERTIFICATE_REQUEST, 0},
194 {NOTIFY, 0},
195 {VENDOR_ID, 0},
196 };
197
198 /**
199 * Message rule for IKE_AUTH from initiator.
200 */
201 static payload_rule_t ike_auth_i_payload_rules[] = {
202 /* payload type min max encr suff */
203 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
204 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
205 {AUTHENTICATION, 0, 1, TRUE, TRUE},
206 {ID_INITIATOR, 1, 1, TRUE, FALSE},
207 {CERTIFICATE, 0, 4, TRUE, FALSE},
208 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
209 {ID_RESPONDER, 0, 1, TRUE, FALSE},
210 #ifdef P2P
211 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
212 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
213 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
214 #else
215 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
216 {TRAFFIC_SELECTOR_INITIATOR, 1, 1, TRUE, FALSE},
217 {TRAFFIC_SELECTOR_RESPONDER, 1, 1, TRUE, FALSE},
218 #endif /* P2P */
219 {CONFIGURATION, 0, 1, TRUE, FALSE},
220 {VENDOR_ID, 0, 10, TRUE, FALSE},
221 };
222
223 /**
224 * payload order for IKE_AUTH initiator
225 */
226 static payload_order_t ike_auth_i_payload_order[] = {
227 /* payload type notify type */
228 {ID_INITIATOR, 0},
229 {CERTIFICATE, 0},
230 {NOTIFY, INITIAL_CONTACT},
231 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
232 {CERTIFICATE_REQUEST, 0},
233 {ID_RESPONDER, 0},
234 {AUTHENTICATION, 0},
235 {EXTENSIBLE_AUTHENTICATION, 0},
236 {CONFIGURATION, 0},
237 {NOTIFY, IPCOMP_SUPPORTED},
238 {NOTIFY, USE_TRANSPORT_MODE},
239 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
240 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
241 {SECURITY_ASSOCIATION, 0},
242 {TRAFFIC_SELECTOR_INITIATOR, 0},
243 {TRAFFIC_SELECTOR_RESPONDER, 0},
244 {NOTIFY, MOBIKE_SUPPORTED},
245 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
246 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
247 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
248 {NOTIFY, 0},
249 {VENDOR_ID, 0},
250 };
251
252 /**
253 * Message rule for IKE_AUTH from responder.
254 */
255 static payload_rule_t ike_auth_r_payload_rules[] = {
256 /* payload type min max encr suff */
257 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
258 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
259 {CERTIFICATE, 0, 4, TRUE, FALSE},
260 {ID_RESPONDER, 0, 1, TRUE, FALSE},
261 {AUTHENTICATION, 0, 1, TRUE, FALSE},
262 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
263 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
264 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
265 {CONFIGURATION, 0, 1, TRUE, FALSE},
266 {VENDOR_ID, 0, 10, TRUE, FALSE},
267 };
268
269 /**
270 * payload order for IKE_AUTH responder
271 */
272 static payload_order_t ike_auth_r_payload_order[] = {
273 /* payload type notify type */
274 {ID_RESPONDER, 0},
275 {CERTIFICATE, 0},
276 {AUTHENTICATION, 0},
277 {EXTENSIBLE_AUTHENTICATION, 0},
278 {CONFIGURATION, 0},
279 {NOTIFY, IPCOMP_SUPPORTED},
280 {NOTIFY, USE_TRANSPORT_MODE},
281 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
282 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
283 {SECURITY_ASSOCIATION, 0},
284 {TRAFFIC_SELECTOR_INITIATOR, 0},
285 {TRAFFIC_SELECTOR_RESPONDER, 0},
286 {NOTIFY, AUTH_LIFETIME},
287 {NOTIFY, MOBIKE_SUPPORTED},
288 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
289 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
290 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
291 {NOTIFY, 0},
292 {VENDOR_ID, 0},
293 };
294
295 /**
296 * Message rule for INFORMATIONAL from initiator.
297 */
298 static payload_rule_t informational_i_payload_rules[] = {
299 /* payload type min max encr suff */
300 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
301 {CONFIGURATION, 0, 1, TRUE, FALSE},
302 {DELETE, 0, 1, TRUE, FALSE},
303 {VENDOR_ID, 0, 10, TRUE, FALSE},
304 };
305
306 /**
307 * payload order for INFORMATIONAL initiator
308 */
309 static payload_order_t informational_i_payload_order[] = {
310 /* payload type notify type */
311 {NOTIFY, 0},
312 {DELETE, 0},
313 {CONFIGURATION, 0},
314 };
315
316 /**
317 * Message rule for INFORMATIONAL from responder.
318 */
319 static payload_rule_t informational_r_payload_rules[] = {
320 /* payload type min max encr suff */
321 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
322 {CONFIGURATION, 0, 1, TRUE, FALSE},
323 {DELETE, 0, 1, TRUE, FALSE},
324 {VENDOR_ID, 0, 10, TRUE, FALSE},
325 };
326
327 /**
328 * payload order for INFORMATIONAL responder
329 */
330 static payload_order_t informational_r_payload_order[] = {
331 /* payload type notify type */
332 {NOTIFY, 0},
333 {DELETE, 0},
334 {CONFIGURATION, 0},
335 };
336
337 /**
338 * Message rule for CREATE_CHILD_SA from initiator.
339 */
340 static payload_rule_t create_child_sa_i_payload_rules[] = {
341 /* payload type min max encr suff */
342 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
343 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
344 {NONCE, 1, 1, TRUE, FALSE},
345 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
346 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
347 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
348 {CONFIGURATION, 0, 1, TRUE, FALSE},
349 {VENDOR_ID, 0, 10, TRUE, FALSE},
350 };
351
352 /**
353 * payload order for CREATE_CHILD_SA from initiator.
354 */
355 static payload_order_t create_child_sa_i_payload_order[] = {
356 /* payload type notify type */
357 {NOTIFY, REKEY_SA},
358 {NOTIFY, IPCOMP_SUPPORTED},
359 {NOTIFY, USE_TRANSPORT_MODE},
360 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
361 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
362 {SECURITY_ASSOCIATION, 0},
363 {NONCE, 0},
364 {KEY_EXCHANGE, 0},
365 {TRAFFIC_SELECTOR_INITIATOR, 0},
366 {TRAFFIC_SELECTOR_RESPONDER, 0},
367 {NOTIFY, 0},
368 };
369
370 /**
371 * Message rule for CREATE_CHILD_SA from responder.
372 */
373 static payload_rule_t create_child_sa_r_payload_rules[] = {
374 /* payload type min max encr suff */
375 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
376 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
377 {NONCE, 1, 1, TRUE, FALSE},
378 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
379 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
380 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
381 {CONFIGURATION, 0, 1, TRUE, FALSE},
382 {VENDOR_ID, 0, 10, TRUE, FALSE},
383 };
384
385 /**
386 * payload order for CREATE_CHILD_SA from responder.
387 */
388 static payload_order_t create_child_sa_r_payload_order[] = {
389 /* payload type notify type */
390 {NOTIFY, IPCOMP_SUPPORTED},
391 {NOTIFY, USE_TRANSPORT_MODE},
392 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
393 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
394 {SECURITY_ASSOCIATION, 0},
395 {NONCE, 0},
396 {KEY_EXCHANGE, 0},
397 {TRAFFIC_SELECTOR_INITIATOR, 0},
398 {TRAFFIC_SELECTOR_RESPONDER, 0},
399 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
400 {NOTIFY, 0},
401 };
402
403 #ifdef P2P
404 /**
405 * Message rule for P2P_CONNECT from initiator.
406 */
407 static payload_rule_t p2p_connect_i_payload_rules[] = {
408 /* payload type min max encr suff */
409 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
410 {ID_PEER, 1, 1, TRUE, FALSE},
411 {VENDOR_ID, 0, 10, TRUE, FALSE}
412 };
413
414 /**
415 * payload order for P2P_CONNECT from initiator.
416 */
417 static payload_order_t p2p_connect_i_payload_order[] = {
418 /* payload type notify type */
419 {NOTIFY, 0},
420 {ID_PEER, 0},
421 {VENDOR_ID, 0},
422 };
423
424 /**
425 * Message rule for P2P_CONNECT from responder.
426 */
427 static payload_rule_t p2p_connect_r_payload_rules[] = {
428 /* payload type min max encr suff */
429 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
430 {VENDOR_ID, 0, 10, TRUE, FALSE}
431 };
432
433 /**
434 * payload order for P2P_CONNECT from responder.
435 */
436 static payload_order_t p2p_connect_r_payload_order[] = {
437 /* payload type notify type */
438 {NOTIFY, 0},
439 {VENDOR_ID, 0},
440 };
441 #endif /* P2P */
442
443 /**
444 * Message rules, defines allowed payloads.
445 */
446 static message_rule_t message_rules[] = {
447 {IKE_SA_INIT, TRUE, FALSE,
448 (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
449 ike_sa_init_i_payload_rules,
450 (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
451 ike_sa_init_i_payload_order,
452 },
453 {IKE_SA_INIT, FALSE, FALSE,
454 (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
455 ike_sa_init_r_payload_rules,
456 (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
457 ike_sa_init_r_payload_order,
458 },
459 {IKE_AUTH, TRUE, TRUE,
460 (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
461 ike_auth_i_payload_rules,
462 (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
463 ike_auth_i_payload_order,
464 },
465 {IKE_AUTH, FALSE, TRUE,
466 (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
467 ike_auth_r_payload_rules,
468 (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
469 ike_auth_r_payload_order,
470 },
471 {INFORMATIONAL, TRUE, TRUE,
472 (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
473 informational_i_payload_rules,
474 (sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
475 informational_i_payload_order,
476 },
477 {INFORMATIONAL, FALSE, TRUE,
478 (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
479 informational_r_payload_rules,
480 (sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
481 informational_r_payload_order,
482 },
483 {CREATE_CHILD_SA, TRUE, TRUE,
484 (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
485 create_child_sa_i_payload_rules,
486 (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
487 create_child_sa_i_payload_order,
488 },
489 {CREATE_CHILD_SA, FALSE, TRUE,
490 (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
491 create_child_sa_r_payload_rules,
492 (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
493 create_child_sa_r_payload_order,
494 },
495 #ifdef P2P
496 {P2P_CONNECT, TRUE, TRUE,
497 (sizeof(p2p_connect_i_payload_rules)/sizeof(payload_rule_t)),
498 p2p_connect_i_payload_rules,
499 (sizeof(p2p_connect_i_payload_order)/sizeof(payload_order_t)),
500 p2p_connect_i_payload_order,
501 },
502 {P2P_CONNECT, FALSE, TRUE,
503 (sizeof(p2p_connect_r_payload_rules)/sizeof(payload_rule_t)),
504 p2p_connect_r_payload_rules,
505 (sizeof(p2p_connect_r_payload_order)/sizeof(payload_order_t)),
506 p2p_connect_r_payload_order,
507 },
508 #endif /* P2P */
509 };
510
511
512 typedef struct private_message_t private_message_t;
513
514 /**
515 * Private data of an message_t object.
516 */
517 struct private_message_t {
518
519 /**
520 * Public part of a message_t object.
521 */
522 message_t public;
523
524 /**
525 * Minor version of message.
526 */
527 u_int8_t major_version;
528
529 /**
530 * Major version of message.
531 */
532 u_int8_t minor_version;
533
534 /**
535 * First Payload in message.
536 */
537 payload_type_t first_payload;
538
539 /**
540 * Assigned exchange type.
541 */
542 exchange_type_t exchange_type;
543
544 /**
545 * TRUE if message is a request, FALSE if a reply.
546 */
547 bool is_request;
548
549 /**
550 * Message ID of this message.
551 */
552 u_int32_t message_id;
553
554 /**
555 * ID of assigned IKE_SA.
556 */
557 ike_sa_id_t *ike_sa_id;
558
559 /**
560 * Assigned UDP packet, stores incoming packet or last generated one.
561 */
562 packet_t *packet;
563
564 /**
565 * Linked List where payload data are stored in.
566 */
567 linked_list_t *payloads;
568
569 /**
570 * Assigned parser to parse Header and Body of this message.
571 */
572 parser_t *parser;
573
574 /**
575 * The message rule for this message instance
576 */
577 message_rule_t *message_rule;
578 };
579
580 /**
581 * Implementation of private_message_t.set_message_rule.
582 */
583 static status_t set_message_rule(private_message_t *this)
584 {
585 int i;
586
587 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
588 {
589 if ((this->exchange_type == message_rules[i].exchange_type) &&
590 (this->is_request == message_rules[i].is_request))
591 {
592 /* found rule for given exchange_type*/
593 this->message_rule = &(message_rules[i]);
594 return SUCCESS;
595 }
596 }
597 this->message_rule = NULL;
598 return NOT_FOUND;
599 }
600
601 /**
602 * Implementation of private_message_t.get_payload_rule.
603 */
604 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
605 {
606 int i;
607
608 for (i = 0; i < this->message_rule->payload_rule_count;i++)
609 {
610 if (this->message_rule->payload_rules[i].payload_type == payload_type)
611 {
612 *payload_rule = &(this->message_rule->payload_rules[i]);
613 return SUCCESS;
614 }
615 }
616
617 *payload_rule = NULL;
618 return NOT_FOUND;
619 }
620
621 /**
622 * Implementation of message_t.set_ike_sa_id.
623 */
624 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
625 {
626 DESTROY_IF(this->ike_sa_id);
627 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
628 }
629
630 /**
631 * Implementation of message_t.get_ike_sa_id.
632 */
633 static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
634 {
635 return this->ike_sa_id;
636 }
637
638 /**
639 * Implementation of message_t.set_message_id.
640 */
641 static void set_message_id (private_message_t *this,u_int32_t message_id)
642 {
643 this->message_id = message_id;
644 }
645
646 /**
647 * Implementation of message_t.get_message_id.
648 */
649 static u_int32_t get_message_id (private_message_t *this)
650 {
651 return this->message_id;
652 }
653
654 /**
655 * Implementation of message_t.get_initiator_spi.
656 */
657 static u_int64_t get_initiator_spi (private_message_t *this)
658 {
659 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
660 }
661
662 /**
663 * Implementation of message_t.get_responder_spi.
664 */
665 static u_int64_t get_responder_spi (private_message_t *this)
666 {
667 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
668 }
669
670 /**
671 * Implementation of message_t.set_major_version.
672 */
673 static void set_major_version (private_message_t *this,u_int8_t major_version)
674 {
675 this->major_version = major_version;
676 }
677
678
679 /**
680 * Implementation of message_t.set_major_version.
681 */
682 static u_int8_t get_major_version (private_message_t *this)
683 {
684 return this->major_version;
685 }
686
687 /**
688 * Implementation of message_t.set_minor_version.
689 */
690 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
691 {
692 this->minor_version = minor_version;
693 }
694
695 /**
696 * Implementation of message_t.get_minor_version.
697 */
698 static u_int8_t get_minor_version (private_message_t *this)
699 {
700 return this->minor_version;
701 }
702
703 /**
704 * Implementation of message_t.set_exchange_type.
705 */
706 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
707 {
708 this->exchange_type = exchange_type;
709 }
710
711 /**
712 * Implementation of message_t.get_exchange_type.
713 */
714 static exchange_type_t get_exchange_type (private_message_t *this)
715 {
716 return this->exchange_type;
717 }
718
719 /**
720 * Implementation of message_t.get_first_payload_type.
721 */
722 static payload_type_t get_first_payload_type (private_message_t *this)
723 {
724 return this->first_payload;
725 }
726
727 /**
728 * Implementation of message_t.set_request.
729 */
730 static void set_request (private_message_t *this,bool request)
731 {
732 this->is_request = request;
733 }
734
735 /**
736 * Implementation of message_t.get_request.
737 */
738 static exchange_type_t get_request (private_message_t *this)
739 {
740 return this->is_request;
741 }
742
743 /**
744 * Is this message in an encoded form?
745 */
746 static bool is_encoded(private_message_t *this)
747 {
748 chunk_t data = this->packet->get_data(this->packet);
749
750 if (data.ptr == NULL)
751 {
752 return FALSE;
753 }
754 return TRUE;
755 }
756
757 /**
758 * Implementation of message_t.add_payload.
759 */
760 static void add_payload(private_message_t *this, payload_t *payload)
761 {
762 payload_t *last_payload;
763
764 if (this->payloads->get_count(this->payloads) > 0)
765 {
766 this->payloads->get_last(this->payloads, (void **)&last_payload);
767 last_payload->set_next_type(last_payload, payload->get_type(payload));
768 }
769 else
770 {
771 this->first_payload = payload->get_type(payload);
772 }
773 payload->set_next_type(payload, NO_PAYLOAD);
774 this->payloads->insert_last(this->payloads, payload);
775
776 DBG2(DBG_ENC ,"added payload of type %N to message",
777 payload_type_names, payload->get_type(payload));
778 }
779
780 /**
781 * Implementation of message_t.add_notify.
782 */
783 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
784 chunk_t data)
785 {
786 notify_payload_t *notify;
787 payload_t *payload;
788
789 if (flush)
790 {
791 while (this->payloads->remove_last(this->payloads,
792 (void**)&payload) == SUCCESS)
793 {
794 payload->destroy(payload);
795 }
796 }
797 notify = notify_payload_create();
798 notify->set_notify_type(notify, type);
799 notify->set_notification_data(notify, data);
800 add_payload(this, (payload_t*)notify);
801 }
802
803 /**
804 * Implementation of message_t.set_source.
805 */
806 static void set_source(private_message_t *this, host_t *host)
807 {
808 this->packet->set_source(this->packet, host);
809 }
810
811 /**
812 * Implementation of message_t.set_destination.
813 */
814 static void set_destination(private_message_t *this, host_t *host)
815 {
816 this->packet->set_destination(this->packet, host);
817 }
818
819 /**
820 * Implementation of message_t.get_source.
821 */
822 static host_t* get_source(private_message_t *this)
823 {
824 return this->packet->get_source(this->packet);
825 }
826
827 /**
828 * Implementation of message_t.get_destination.
829 */
830 static host_t * get_destination(private_message_t *this)
831 {
832 return this->packet->get_destination(this->packet);
833 }
834
835 /**
836 * Implementation of message_t.get_payload_iterator.
837 */
838 static iterator_t *get_payload_iterator(private_message_t *this)
839 {
840 return this->payloads->create_iterator(this->payloads, TRUE);
841 }
842
843 /**
844 * Implementation of message_t.get_payload.
845 */
846 static payload_t *get_payload(private_message_t *this, payload_type_t type)
847 {
848 payload_t *current, *found = NULL;
849 iterator_t *iterator;
850
851 iterator = this->payloads->create_iterator(this->payloads, TRUE);
852 while (iterator->iterate(iterator, (void**)&current))
853 {
854 if (current->get_type(current) == type)
855 {
856 found = current;
857 break;
858 }
859 }
860 iterator->destroy(iterator);
861 return found;
862 }
863
864 /**
865 * get a string representation of the message
866 */
867 static char* get_string(private_message_t *this, char *buf, int len)
868 {
869 iterator_t *iterator;
870 payload_t *payload;
871 int written;
872 char *pos = buf;
873
874 memset(buf, 0, len);
875 len--;
876
877 written = snprintf(pos, len, "%N %s %d [",
878 exchange_type_names, this->exchange_type,
879 this->is_request ? "request" : "response",
880 this->message_id);
881 if (written >= len || written < 0)
882 {
883 return "";
884 }
885 pos += written;
886 len -= written;
887
888 iterator = this->payloads->create_iterator(this->payloads, TRUE);
889 while (iterator->iterate(iterator, (void**)&payload))
890 {
891 written = snprintf(pos, len, " %N", payload_type_short_names,
892 payload->get_type(payload));
893 if (written >= len || written < 0)
894 {
895 return buf;
896 }
897 pos += written;
898 len -= written;
899 if (payload->get_type(payload) == NOTIFY)
900 {
901 notify_payload_t *notify = (notify_payload_t*)payload;
902 written = snprintf(pos, len, "(%N)", notify_type_short_names,
903 notify->get_notify_type(notify));
904 if (written >= len || written < 0)
905 {
906 return buf;
907 }
908 pos += written;
909 len -= written;
910 }
911 }
912 iterator->destroy(iterator);
913
914 /* remove last space */
915 snprintf(pos, len, " ]");
916 return buf;
917 }
918
919 /**
920 * reorder payloads depending on reordering rules
921 */
922 static void order_payloads(private_message_t *this)
923 {
924 linked_list_t *list;
925 payload_t *payload;
926 int i;
927
928 /* move to temp list */
929 list = linked_list_create();
930 while (this->payloads->remove_last(this->payloads,
931 (void**)&payload) == SUCCESS)
932 {
933 list->insert_first(list, payload);
934 }
935 /* for each rule, ... */
936 for (i = 0; i < this->message_rule->payload_order_count; i++)
937 {
938 enumerator_t *enumerator;
939 notify_payload_t *notify;
940 payload_order_t order = this->message_rule->payload_order[i];
941
942 /* ... find all payload ... */
943 enumerator = list->create_enumerator(list);
944 while (enumerator->enumerate(enumerator, &payload))
945 {
946 /* ... with that type ... */
947 if (payload->get_type(payload) == order.type)
948 {
949 notify = (notify_payload_t*)payload;
950
951 /**... and check notify for type. */
952 if (order.type != NOTIFY || order.notify == 0 ||
953 order.notify == notify->get_notify_type(notify))
954 {
955 list->remove_at(list, enumerator);
956 add_payload(this, payload);
957 }
958 }
959 }
960 enumerator->destroy(enumerator);
961 }
962 /* append all payloads without a rule to the end */
963 while (list->remove_last(list, (void**)&payload) == SUCCESS)
964 {
965 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
966 payload_type_names, payload->get_type(payload),
967 exchange_type_names, this->message_rule->exchange_type,
968 this->message_rule->is_request ? "request" : "response");
969 add_payload(this, payload);
970 }
971 list->destroy(list);
972 }
973
974 /**
975 * Implementation of private_message_t.encrypt_payloads.
976 */
977 static status_t encrypt_payloads(private_message_t *this,
978 crypter_t *crypter, signer_t* signer)
979 {
980 encryption_payload_t *encryption_payload = NULL;
981 status_t status;
982 linked_list_t *all_payloads;
983
984 if (!this->message_rule->encrypted_content)
985 {
986 DBG2(DBG_ENC, "message doesn't have to be encrypted");
987 /* message contains no content to encrypt */
988 return SUCCESS;
989 }
990
991 if (!crypter || !signer)
992 {
993 DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
994 /* message contains no content to encrypt */
995 return SUCCESS;
996 }
997
998 DBG2(DBG_ENC, "copy all payloads to a temporary list");
999 all_payloads = linked_list_create();
1000
1001 /* first copy all payloads in a temporary list */
1002 while (this->payloads->get_count(this->payloads) > 0)
1003 {
1004 void *current_payload;
1005 this->payloads->remove_first(this->payloads,&current_payload);
1006 all_payloads->insert_last(all_payloads,current_payload);
1007 }
1008
1009 encryption_payload = encryption_payload_create();
1010
1011 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
1012 while (all_payloads->get_count(all_payloads) > 0)
1013 {
1014 payload_rule_t *payload_rule;
1015 payload_t *current_payload;
1016 bool to_encrypt = FALSE;
1017
1018 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1019
1020 status = get_payload_rule(this,
1021 current_payload->get_type(current_payload),&payload_rule);
1022 /* for payload types which are not found in supported payload list,
1023 * it is presumed that they don't have to be encrypted */
1024 if ((status == SUCCESS) && (payload_rule->encrypted))
1025 {
1026 DBG2(DBG_ENC, "payload %N gets encrypted",
1027 payload_type_names, current_payload->get_type(current_payload));
1028 to_encrypt = TRUE;
1029 }
1030
1031 if (to_encrypt)
1032 {
1033 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1034 payload_type_names, current_payload->get_type(current_payload));
1035 encryption_payload->add_payload(encryption_payload,current_payload);
1036 }
1037 else
1038 {
1039 DBG2(DBG_ENC, "insert payload %N unencrypted",
1040 payload_type_names ,current_payload->get_type(current_payload));
1041 add_payload(this, (payload_t*)encryption_payload);
1042 }
1043 }
1044
1045 status = SUCCESS;
1046 DBG2(DBG_ENC, "encrypting encryption payload");
1047 encryption_payload->set_transforms(encryption_payload, crypter,signer);
1048 status = encryption_payload->encrypt(encryption_payload);
1049 DBG2(DBG_ENC, "add encrypted payload to payload list");
1050 add_payload(this, (payload_t*)encryption_payload);
1051
1052 all_payloads->destroy(all_payloads);
1053
1054 return status;
1055 }
1056
1057 /**
1058 * Implementation of message_t.generate.
1059 */
1060 static status_t generate(private_message_t *this, crypter_t *crypter,
1061 signer_t* signer, packet_t **packet)
1062 {
1063 generator_t *generator;
1064 ike_header_t *ike_header;
1065 payload_t *payload, *next_payload;
1066 iterator_t *iterator;
1067 status_t status;
1068 chunk_t packet_data;
1069 char str[256];
1070
1071 if (is_encoded(this))
1072 {
1073 /* already generated, return a new packet clone */
1074 *packet = this->packet->clone(this->packet);
1075 return SUCCESS;
1076 }
1077
1078 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1079 {
1080 DBG1(DBG_ENC, "exchange type is not defined");
1081 return INVALID_STATE;
1082 }
1083
1084 if (this->packet->get_source(this->packet) == NULL ||
1085 this->packet->get_destination(this->packet) == NULL)
1086 {
1087 DBG1(DBG_ENC, "%s not defined",
1088 !this->packet->get_source(this->packet) ? "source" : "destination");
1089 return INVALID_STATE;
1090 }
1091
1092 /* set the rules for this messge */
1093 status = set_message_rule(this);
1094 if (status != SUCCESS)
1095 {
1096 DBG1(DBG_ENC, "no message rules specified for this message type");
1097 return NOT_SUPPORTED;
1098 }
1099
1100 order_payloads(this);
1101
1102 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1103
1104 /* going to encrypt all content which have to be encrypted */
1105 status = encrypt_payloads(this, crypter, signer);
1106 if (status != SUCCESS)
1107 {
1108 DBG1(DBG_ENC, "payload encryption failed");
1109 return status;
1110 }
1111
1112 /* build ike header */
1113 ike_header = ike_header_create();
1114
1115 ike_header->set_exchange_type(ike_header, this->exchange_type);
1116 ike_header->set_message_id(ike_header, this->message_id);
1117 ike_header->set_response_flag(ike_header, !this->is_request);
1118 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
1119 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1120 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1121
1122 generator = generator_create();
1123
1124 payload = (payload_t*)ike_header;
1125
1126
1127 /* generate every payload expect last one, this is done later*/
1128 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1129 while(iterator->iterate(iterator, (void**)&next_payload))
1130 {
1131 payload->set_next_type(payload, next_payload->get_type(next_payload));
1132 generator->generate_payload(generator, payload);
1133 payload = next_payload;
1134 }
1135 iterator->destroy(iterator);
1136
1137 /* last payload has no next payload*/
1138 payload->set_next_type(payload, NO_PAYLOAD);
1139
1140 generator->generate_payload(generator, payload);
1141
1142 ike_header->destroy(ike_header);
1143
1144 /* build packet */
1145 generator->write_to_chunk(generator, &packet_data);
1146 generator->destroy(generator);
1147
1148 /* if last payload is of type encrypted, integrity checksum if necessary */
1149 if (payload->get_type(payload) == ENCRYPTED)
1150 {
1151 DBG2(DBG_ENC, "build signature on whole message");
1152 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
1153 status = encryption_payload->build_signature(encryption_payload, packet_data);
1154 if (status != SUCCESS)
1155 {
1156 return status;
1157 }
1158 }
1159
1160 this->packet->set_data(this->packet, packet_data);
1161
1162 /* clone packet for caller */
1163 *packet = this->packet->clone(this->packet);
1164
1165 DBG2(DBG_ENC, "message generated successfully");
1166 return SUCCESS;
1167 }
1168
1169 /**
1170 * Implementation of message_t.get_packet.
1171 */
1172 static packet_t *get_packet (private_message_t *this)
1173 {
1174 if (this->packet == NULL)
1175 {
1176 return NULL;
1177 }
1178 return this->packet->clone(this->packet);
1179 }
1180
1181 /**
1182 * Implementation of message_t.get_packet_data.
1183 */
1184 static chunk_t get_packet_data (private_message_t *this)
1185 {
1186 if (this->packet == NULL)
1187 {
1188 return chunk_empty;
1189 }
1190 return chunk_clone(this->packet->get_data(this->packet));
1191 }
1192
1193 /**
1194 * Implementation of message_t.parse_header.
1195 */
1196 static status_t parse_header(private_message_t *this)
1197 {
1198 ike_header_t *ike_header;
1199 status_t status;
1200
1201 DBG2(DBG_ENC, "parsing header of message");
1202
1203 this->parser->reset_context(this->parser);
1204 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
1205 if (status != SUCCESS)
1206 {
1207 DBG1(DBG_ENC, "header could not be parsed");
1208 return status;
1209
1210 }
1211
1212 /* verify payload */
1213 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
1214 if (status != SUCCESS)
1215 {
1216 DBG1(DBG_ENC, "header verification failed");
1217 ike_header->destroy(ike_header);
1218 return status;
1219 }
1220
1221 if (this->ike_sa_id != NULL)
1222 {
1223 this->ike_sa_id->destroy(this->ike_sa_id);
1224 }
1225
1226 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1227 ike_header->get_responder_spi(ike_header),
1228 ike_header->get_initiator_flag(ike_header));
1229
1230 this->exchange_type = ike_header->get_exchange_type(ike_header);
1231 this->message_id = ike_header->get_message_id(ike_header);
1232 this->is_request = (!(ike_header->get_response_flag(ike_header)));
1233 this->major_version = ike_header->get_maj_version(ike_header);
1234 this->minor_version = ike_header->get_min_version(ike_header);
1235 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
1236
1237 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1238 this->is_request ? "request" : "response");
1239
1240 ike_header->destroy(ike_header);
1241
1242 /* get the rules for this messge */
1243 status = set_message_rule(this);
1244 if (status != SUCCESS)
1245 {
1246 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1247 exchange_type_names, this->exchange_type,
1248 this->is_request ? "request" : "response");
1249 }
1250
1251 return status;
1252 }
1253
1254 /**
1255 * Implementation of private_message_t.decrypt_and_verify_payloads.
1256 */
1257 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
1258 {
1259 bool current_payload_was_encrypted = FALSE;
1260 payload_t *previous_payload = NULL;
1261 int payload_number = 1;
1262 iterator_t *iterator;
1263 payload_t *current_payload;
1264 status_t status;
1265
1266 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1267
1268 /* process each payload and decrypt a encryption payload */
1269 while(iterator->iterate(iterator, (void**)&current_payload))
1270 {
1271 payload_rule_t *payload_rule;
1272 payload_type_t current_payload_type;
1273
1274 /* needed to check */
1275 current_payload_type = current_payload->get_type(current_payload);
1276
1277 DBG2(DBG_ENC, "process payload of type %N",
1278 payload_type_names, current_payload_type);
1279
1280 if (current_payload_type == ENCRYPTED)
1281 {
1282 encryption_payload_t *encryption_payload;
1283 payload_t *current_encrypted_payload;
1284
1285 encryption_payload = (encryption_payload_t*)current_payload;
1286
1287 DBG2(DBG_ENC, "found an encryption payload");
1288
1289 if (payload_number != this->payloads->get_count(this->payloads))
1290 {
1291 /* encrypted payload is not last one */
1292 DBG1(DBG_ENC, "encrypted payload is not last payload");
1293 iterator->destroy(iterator);
1294 return VERIFY_ERROR;
1295 }
1296 /* decrypt */
1297 encryption_payload->set_transforms(encryption_payload, crypter, signer);
1298 DBG2(DBG_ENC, "verify signature of encryption payload");
1299 status = encryption_payload->verify_signature(encryption_payload,
1300 this->packet->get_data(this->packet));
1301 if (status != SUCCESS)
1302 {
1303 DBG1(DBG_ENC, "encryption payload signature invalid");
1304 iterator->destroy(iterator);
1305 return FAILED;
1306 }
1307 DBG2(DBG_ENC, "decrypting content of encryption payload");
1308 status = encryption_payload->decrypt(encryption_payload);
1309 if (status != SUCCESS)
1310 {
1311 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
1312 iterator->destroy(iterator);
1313 return PARSE_ERROR;
1314 }
1315
1316 /* needed later to find out if a payload was encrypted */
1317 current_payload_was_encrypted = TRUE;
1318
1319 /* check if there are payloads contained in the encryption payload */
1320 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1321 {
1322 DBG2(DBG_ENC, "encrypted payload is empty");
1323 /* remove the encryption payload, is not needed anymore */
1324 iterator->remove(iterator);
1325 /* encrypted payload contains no other payload */
1326 current_payload_type = NO_PAYLOAD;
1327 }
1328 else
1329 {
1330 /* encryption_payload is replaced with first payload contained in encryption_payload */
1331 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1332 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
1333 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
1334 }
1335
1336 /* is the current paylad the first in the message? */
1337 if (previous_payload == NULL)
1338 {
1339 /* yes, set the first payload type of the message to the current type */
1340 this->first_payload = current_payload_type;
1341 }
1342 else
1343 {
1344 /* no, set the next_type of the previous payload to the current type */
1345 previous_payload->set_next_type(previous_payload, current_payload_type);
1346 }
1347
1348 /* all encrypted payloads are added to the payload list */
1349 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1350 {
1351 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1352 DBG2(DBG_ENC, "insert unencrypted payload of type %N at end of list",
1353 payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
1354 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1355 }
1356
1357 /* encryption payload is processed, payloads are moved. Destroy it. */
1358 encryption_payload->destroy(encryption_payload);
1359 }
1360
1361 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1362 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
1363 {
1364 /* get the ruleset for found payload */
1365 status = get_payload_rule(this, current_payload_type, &payload_rule);
1366 if (status != SUCCESS)
1367 {
1368 /* payload is not allowed */
1369 DBG1(DBG_ENC, "payload type %N not allowed",
1370 payload_type_names, current_payload_type);
1371 iterator->destroy(iterator);
1372 return VERIFY_ERROR;
1373 }
1374
1375 /* check if the payload was encrypted, and if it should been have encrypted */
1376 if (payload_rule->encrypted != current_payload_was_encrypted)
1377 {
1378 /* payload was not encrypted, but should have been. or vice-versa */
1379 DBG1(DBG_ENC, "payload type %N should be %s!",
1380 payload_type_names, current_payload_type,
1381 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1382 iterator->destroy(iterator);
1383 return VERIFY_ERROR;
1384 }
1385 }
1386 /* advance to the next payload */
1387 payload_number++;
1388 /* is stored to set next payload in case of found encryption payload */
1389 previous_payload = current_payload;
1390 }
1391 iterator->destroy(iterator);
1392 return SUCCESS;
1393 }
1394
1395 /**
1396 * Implementation of private_message_t.verify.
1397 */
1398 static status_t verify(private_message_t *this)
1399 {
1400 int i;
1401 iterator_t *iterator;
1402 payload_t *current_payload;
1403 size_t total_found_payloads = 0;
1404
1405 DBG2(DBG_ENC, "verifying message structure");
1406
1407 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1408 /* check for payloads with wrong count*/
1409 for (i = 0; i < this->message_rule->payload_rule_count;i++)
1410 {
1411 size_t found_payloads = 0;
1412
1413 /* check all payloads for specific rule */
1414 iterator->reset(iterator);
1415
1416 while(iterator->iterate(iterator,(void **)&current_payload))
1417 {
1418 payload_type_t current_payload_type;
1419
1420 current_payload_type = current_payload->get_type(current_payload);
1421 if (current_payload_type == UNKNOWN_PAYLOAD)
1422 {
1423 /* unknown payloads are ignored, IF they are not critical */
1424 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
1425 if (unknown_payload->is_critical(unknown_payload))
1426 {
1427 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1428 payload_type_names, current_payload_type);
1429 iterator->destroy(iterator);
1430 return NOT_SUPPORTED;
1431 }
1432 }
1433 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
1434 {
1435 found_payloads++;
1436 total_found_payloads++;
1437 DBG2(DBG_ENC, "found payload of type %N",
1438 payload_type_names, this->message_rule->payload_rules[i].payload_type);
1439
1440 /* as soon as ohe payload occures more then specified, the verification fails */
1441 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
1442 {
1443 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
1444 payload_type_names, current_payload_type,
1445 this->message_rule->payload_rules[i].max_occurence, found_payloads);
1446 iterator->destroy(iterator);
1447 return VERIFY_ERROR;
1448 }
1449 }
1450 }
1451
1452 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
1453 {
1454 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1455 payload_type_names, this->message_rule->payload_rules[i].payload_type,
1456 this->message_rule->payload_rules[i].min_occurence, found_payloads);
1457 iterator->destroy(iterator);
1458 return VERIFY_ERROR;
1459 }
1460 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
1461 {
1462 iterator->destroy(iterator);
1463 return SUCCESS;
1464 }
1465 }
1466 iterator->destroy(iterator);
1467 return SUCCESS;
1468 }
1469
1470 /**
1471 * Implementation of message_t.parse_body.
1472 */
1473 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
1474 {
1475 status_t status = SUCCESS;
1476 payload_type_t current_payload_type;
1477 char str[256];
1478
1479 current_payload_type = this->first_payload;
1480
1481 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1482 payload_type_names, current_payload_type);
1483
1484 /* parse payload for payload, while there are more available */
1485 while ((current_payload_type != NO_PAYLOAD))
1486 {
1487 payload_t *current_payload;
1488
1489 DBG2(DBG_ENC, "starting parsing a %N payload",
1490 payload_type_names, current_payload_type);
1491
1492 /* parse current payload */
1493 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
1494
1495 if (status != SUCCESS)
1496 {
1497 DBG1(DBG_ENC, "payload type %N could not be parsed",
1498 payload_type_names, current_payload_type);
1499 return PARSE_ERROR;
1500 }
1501
1502 DBG2(DBG_ENC, "verifying payload of type %N",
1503 payload_type_names, current_payload_type);
1504
1505 /* verify it, stop parsig if its invalid */
1506 status = current_payload->verify(current_payload);
1507 if (status != SUCCESS)
1508 {
1509 DBG1(DBG_ENC, "%N payload verification failed",
1510 payload_type_names, current_payload_type);
1511 current_payload->destroy(current_payload);
1512 return VERIFY_ERROR;
1513 }
1514
1515 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1516 payload_type_names, current_payload_type);
1517 this->payloads->insert_last(this->payloads,current_payload);
1518
1519 /* an encryption payload is the last one, so STOP here. decryption is done later */
1520 if (current_payload_type == ENCRYPTED)
1521 {
1522 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1523 payload_type_names, current_payload_type);
1524 break;
1525 }
1526
1527 /* get next payload type */
1528 current_payload_type = current_payload->get_next_type(current_payload);
1529 }
1530
1531 if (current_payload_type == ENCRYPTED)
1532 {
1533 status = decrypt_payloads(this,crypter,signer);
1534 if (status != SUCCESS)
1535 {
1536 DBG1(DBG_ENC, "could not decrypt payloads");
1537 return status;
1538 }
1539 }
1540
1541 status = verify(this);
1542 if (status != SUCCESS)
1543 {
1544 return status;
1545 }
1546
1547 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1548
1549 return SUCCESS;
1550 }
1551
1552 /**
1553 * Implementation of message_t.destroy.
1554 */
1555 static void destroy (private_message_t *this)
1556 {
1557 DESTROY_IF(this->ike_sa_id);
1558 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1559 this->packet->destroy(this->packet);
1560 this->parser->destroy(this->parser);
1561 free(this);
1562 }
1563
1564 /*
1565 * Described in Header-File
1566 */
1567 message_t *message_create_from_packet(packet_t *packet)
1568 {
1569 private_message_t *this = malloc_thing(private_message_t);
1570
1571 /* public functions */
1572 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1573 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1574 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1575 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1576 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1577 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1578 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1579 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1580 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1581 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1582 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1583 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1584 this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
1585 this->public.set_request = (void(*)(message_t*, bool))set_request;
1586 this->public.get_request = (bool(*)(message_t*))get_request;
1587 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1588 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1589 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1590 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1591 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1592 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1593 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1594 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1595 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1596 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1597 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1598 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1599 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1600 this->public.destroy = (void(*)(message_t*))destroy;
1601
1602 /* private values */
1603 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1604 this->is_request = TRUE;
1605 this->ike_sa_id = NULL;
1606 this->first_payload = NO_PAYLOAD;
1607 this->message_id = 0;
1608
1609 /* private values */
1610 if (packet == NULL)
1611 {
1612 packet = packet_create();
1613 }
1614 this->message_rule = NULL;
1615 this->packet = packet;
1616 this->payloads = linked_list_create();
1617
1618 /* parser is created from data of packet */
1619 this->parser = parser_create(this->packet->get_data(this->packet));
1620
1621 return (&this->public);
1622 }
1623
1624 /*
1625 * Described in Header.
1626 */
1627 message_t *message_create()
1628 {
1629 return message_create_from_packet(NULL);
1630 }
1631