projects / strongswan.git / blob
? search:


9b393f013f96bc4249d668783ce6a833f50a5db7
[strongswan.git] / src / charon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2006 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <stdlib.h>
22 #include <string.h>
23
24 #include "message.h"
25
26 #include <library.h>
27 #include <daemon.h>
28 #include <sa/ike_sa_id.h>
29 #include <encoding/generator.h>
30 #include <encoding/parser.h>
31 #include <utils/linked_list.h>
32 #include <encoding/payloads/encodings.h>
33 #include <encoding/payloads/payload.h>
34 #include <encoding/payloads/encryption_payload.h>
35 #include <encoding/payloads/unknown_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 Message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42
43 typedef struct payload_rule_t payload_rule_t;
44
45 /**
46 * A payload rule defines the rules for a payload
47 * in a specific message rule. It defines if and how
48 * many times a payload must/can occur in a message
49 * and if it must be encrypted.
50 */
51 struct payload_rule_t {
52 /**
53 * Payload type.
54 */
55 payload_type_t payload_type;
56
57 /**
58 * Minimal occurence of this payload.
59 */
60 size_t min_occurence;
61
62 /**
63 * Max occurence of this payload.
64 */
65 size_t max_occurence;
66
67 /**
68 * TRUE if payload must be encrypted
69 */
70 bool encrypted;
71
72 /**
73 * If this payload occurs, the message rule is
74 * fullfilled in any case. This applies e.g. to
75 * notify_payloads.
76 */
77 bool sufficient;
78 };
79
80 typedef struct payload_order_t payload_order_t;
81
82 /**
83 * payload ordering structure allows us to reorder payloads according to RFC.
84 */
85 struct payload_order_t {
86
87 /**
88 * payload type
89 */
90 payload_type_t type;
91
92 /**
93 * notify type, if payload == NOTIFY
94 */
95 notify_type_t notify;
96 };
97
98
99 typedef struct message_rule_t message_rule_t;
100
101 /**
102 * A message rule defines the kind of a message,
103 * if it has encrypted contents and a list
104 * of payload ordering rules and payload parsing rules.
105 */
106 struct message_rule_t {
107 /**
108 * Type of message.
109 */
110 exchange_type_t exchange_type;
111
112 /**
113 * Is message a request or response.
114 */
115 bool is_request;
116
117 /**
118 * Message contains encrypted content.
119 */
120 bool encrypted_content;
121
122 /**
123 * Number of payload rules which will follow
124 */
125 int payload_rule_count;
126
127 /**
128 * Pointer to first payload rule
129 */
130 payload_rule_t *payload_rules;
131
132 /**
133 * Number of payload order rules
134 */
135 int payload_order_count;
136
137 /**
138 * payload ordering rules
139 */
140 payload_order_t *payload_order;
141 };
142
143 /**
144 * Message rule for IKE_SA_INIT from initiator.
145 */
146 static payload_rule_t ike_sa_init_i_payload_rules[] = {
147 /* payload type min max encr suff */
148 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
149 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
150 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
151 {NONCE, 1, 1, FALSE, FALSE},
152 {VENDOR_ID, 0, 10, FALSE, FALSE},
153 };
154
155 /**
156 * payload order for IKE_SA_INIT initiator
157 */
158 static payload_order_t ike_sa_init_i_payload_order[] = {
159 /* payload type notify type */
160 {NOTIFY, COOKIE},
161 {SECURITY_ASSOCIATION, 0},
162 {KEY_EXCHANGE, 0},
163 {NONCE, 0},
164 {NOTIFY, NAT_DETECTION_SOURCE_IP},
165 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
166 {NOTIFY, 0},
167 {VENDOR_ID, 0},
168 };
169
170 /**
171 * Message rule for IKE_SA_INIT from responder.
172 */
173 static payload_rule_t ike_sa_init_r_payload_rules[] = {
174 /* payload type min max encr suff */
175 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
176 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
177 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
178 {NONCE, 1, 1, FALSE, FALSE},
179 {VENDOR_ID, 0, 10, FALSE, FALSE},
180 };
181
182 /**
183 * payload order for IKE_SA_INIT responder
184 */
185 static payload_order_t ike_sa_init_r_payload_order[] = {
186 /* payload type notify type */
187 {SECURITY_ASSOCIATION, 0},
188 {KEY_EXCHANGE, 0},
189 {NONCE, 0},
190 {NOTIFY, NAT_DETECTION_SOURCE_IP},
191 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
192 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
193 {CERTIFICATE_REQUEST, 0},
194 {NOTIFY, 0},
195 {VENDOR_ID, 0},
196 };
197
198 /**
199 * Message rule for IKE_AUTH from initiator.
200 */
201 static payload_rule_t ike_auth_i_payload_rules[] = {
202 /* payload type min max encr suff */
203 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
204 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
205 {AUTHENTICATION, 0, 1, TRUE, TRUE},
206 {ID_INITIATOR, 1, 1, TRUE, FALSE},
207 {CERTIFICATE, 0, 4, TRUE, FALSE},
208 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
209 {ID_RESPONDER, 0, 1, TRUE, FALSE},
210 #ifdef ME
211 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
212 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
213 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
214 #else
215 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
216 {TRAFFIC_SELECTOR_INITIATOR, 1, 1, TRUE, FALSE},
217 {TRAFFIC_SELECTOR_RESPONDER, 1, 1, TRUE, FALSE},
218 #endif /* ME */
219 {CONFIGURATION, 0, 1, TRUE, FALSE},
220 {VENDOR_ID, 0, 10, TRUE, FALSE},
221 };
222
223 /**
224 * payload order for IKE_AUTH initiator
225 */
226 static payload_order_t ike_auth_i_payload_order[] = {
227 /* payload type notify type */
228 {ID_INITIATOR, 0},
229 {CERTIFICATE, 0},
230 {NOTIFY, INITIAL_CONTACT},
231 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
232 {CERTIFICATE_REQUEST, 0},
233 {ID_RESPONDER, 0},
234 {AUTHENTICATION, 0},
235 {EXTENSIBLE_AUTHENTICATION, 0},
236 {CONFIGURATION, 0},
237 {NOTIFY, IPCOMP_SUPPORTED},
238 {NOTIFY, USE_TRANSPORT_MODE},
239 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
240 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
241 {SECURITY_ASSOCIATION, 0},
242 {TRAFFIC_SELECTOR_INITIATOR, 0},
243 {TRAFFIC_SELECTOR_RESPONDER, 0},
244 {NOTIFY, MOBIKE_SUPPORTED},
245 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
246 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
247 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
248 {NOTIFY, 0},
249 {VENDOR_ID, 0},
250 };
251
252 /**
253 * Message rule for IKE_AUTH from responder.
254 */
255 static payload_rule_t ike_auth_r_payload_rules[] = {
256 /* payload type min max encr suff */
257 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
258 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
259 {CERTIFICATE, 0, 4, TRUE, FALSE},
260 {ID_RESPONDER, 0, 1, TRUE, FALSE},
261 {AUTHENTICATION, 0, 1, TRUE, FALSE},
262 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
263 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
264 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
265 {CONFIGURATION, 0, 1, TRUE, FALSE},
266 {VENDOR_ID, 0, 10, TRUE, FALSE},
267 };
268
269 /**
270 * payload order for IKE_AUTH responder
271 */
272 static payload_order_t ike_auth_r_payload_order[] = {
273 /* payload type notify type */
274 {ID_RESPONDER, 0},
275 {CERTIFICATE, 0},
276 {AUTHENTICATION, 0},
277 {EXTENSIBLE_AUTHENTICATION, 0},
278 {CONFIGURATION, 0},
279 {NOTIFY, IPCOMP_SUPPORTED},
280 {NOTIFY, USE_TRANSPORT_MODE},
281 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
282 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
283 {SECURITY_ASSOCIATION, 0},
284 {TRAFFIC_SELECTOR_INITIATOR, 0},
285 {TRAFFIC_SELECTOR_RESPONDER, 0},
286 {NOTIFY, AUTH_LIFETIME},
287 {NOTIFY, MOBIKE_SUPPORTED},
288 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
289 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
290 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
291 {NOTIFY, 0},
292 {VENDOR_ID, 0},
293 };
294
295 /**
296 * Message rule for INFORMATIONAL from initiator.
297 */
298 static payload_rule_t informational_i_payload_rules[] = {
299 /* payload type min max encr suff */
300 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
301 {CONFIGURATION, 0, 1, TRUE, FALSE},
302 {DELETE, 0, 1, TRUE, FALSE},
303 {VENDOR_ID, 0, 10, TRUE, FALSE},
304 };
305
306 /**
307 * payload order for INFORMATIONAL initiator
308 */
309 static payload_order_t informational_i_payload_order[] = {
310 /* payload type notify type */
311 {NOTIFY, UPDATE_SA_ADDRESSES},
312 {NOTIFY, NAT_DETECTION_SOURCE_IP},
313 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
314 {NOTIFY, COOKIE2},
315 {NOTIFY, 0},
316 {DELETE, 0},
317 {CONFIGURATION, 0},
318 };
319
320 /**
321 * Message rule for INFORMATIONAL from responder.
322 */
323 static payload_rule_t informational_r_payload_rules[] = {
324 /* payload type min max encr suff */
325 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
326 {CONFIGURATION, 0, 1, TRUE, FALSE},
327 {DELETE, 0, 1, TRUE, FALSE},
328 {VENDOR_ID, 0, 10, TRUE, FALSE},
329 };
330
331 /**
332 * payload order for INFORMATIONAL responder
333 */
334 static payload_order_t informational_r_payload_order[] = {
335 /* payload type notify type */
336 {NOTIFY, UPDATE_SA_ADDRESSES},
337 {NOTIFY, NAT_DETECTION_SOURCE_IP},
338 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
339 {NOTIFY, COOKIE2},
340 {NOTIFY, 0},
341 {DELETE, 0},
342 {CONFIGURATION, 0},
343 };
344
345 /**
346 * Message rule for CREATE_CHILD_SA from initiator.
347 */
348 static payload_rule_t create_child_sa_i_payload_rules[] = {
349 /* payload type min max encr suff */
350 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
351 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
352 {NONCE, 1, 1, TRUE, FALSE},
353 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
354 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
355 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
356 {CONFIGURATION, 0, 1, TRUE, FALSE},
357 {VENDOR_ID, 0, 10, TRUE, FALSE},
358 };
359
360 /**
361 * payload order for CREATE_CHILD_SA from initiator.
362 */
363 static payload_order_t create_child_sa_i_payload_order[] = {
364 /* payload type notify type */
365 {NOTIFY, REKEY_SA},
366 {NOTIFY, IPCOMP_SUPPORTED},
367 {NOTIFY, USE_TRANSPORT_MODE},
368 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
369 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
370 {SECURITY_ASSOCIATION, 0},
371 {NONCE, 0},
372 {KEY_EXCHANGE, 0},
373 {TRAFFIC_SELECTOR_INITIATOR, 0},
374 {TRAFFIC_SELECTOR_RESPONDER, 0},
375 {NOTIFY, 0},
376 };
377
378 /**
379 * Message rule for CREATE_CHILD_SA from responder.
380 */
381 static payload_rule_t create_child_sa_r_payload_rules[] = {
382 /* payload type min max encr suff */
383 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
384 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
385 {NONCE, 1, 1, TRUE, FALSE},
386 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
387 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
388 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
389 {CONFIGURATION, 0, 1, TRUE, FALSE},
390 {VENDOR_ID, 0, 10, TRUE, FALSE},
391 };
392
393 /**
394 * payload order for CREATE_CHILD_SA from responder.
395 */
396 static payload_order_t create_child_sa_r_payload_order[] = {
397 /* payload type notify type */
398 {NOTIFY, IPCOMP_SUPPORTED},
399 {NOTIFY, USE_TRANSPORT_MODE},
400 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
401 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
402 {SECURITY_ASSOCIATION, 0},
403 {NONCE, 0},
404 {KEY_EXCHANGE, 0},
405 {TRAFFIC_SELECTOR_INITIATOR, 0},
406 {TRAFFIC_SELECTOR_RESPONDER, 0},
407 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
408 {NOTIFY, 0},
409 };
410
411 #ifdef ME
412 /**
413 * Message rule for ME_CONNECT from initiator.
414 */
415 static payload_rule_t me_connect_i_payload_rules[] = {
416 /* payload type min max encr suff */
417 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
418 {ID_PEER, 1, 1, TRUE, FALSE},
419 {VENDOR_ID, 0, 10, TRUE, FALSE}
420 };
421
422 /**
423 * payload order for ME_CONNECT from initiator.
424 */
425 static payload_order_t me_connect_i_payload_order[] = {
426 /* payload type notify type */
427 {NOTIFY, 0},
428 {ID_PEER, 0},
429 {VENDOR_ID, 0},
430 };
431
432 /**
433 * Message rule for ME_CONNECT from responder.
434 */
435 static payload_rule_t me_connect_r_payload_rules[] = {
436 /* payload type min max encr suff */
437 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
438 {VENDOR_ID, 0, 10, TRUE, FALSE}
439 };
440
441 /**
442 * payload order for ME_CONNECT from responder.
443 */
444 static payload_order_t me_connect_r_payload_order[] = {
445 /* payload type notify type */
446 {NOTIFY, 0},
447 {VENDOR_ID, 0},
448 };
449 #endif /* ME */
450
451 /**
452 * Message rules, defines allowed payloads.
453 */
454 static message_rule_t message_rules[] = {
455 {IKE_SA_INIT, TRUE, FALSE,
456 (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
457 ike_sa_init_i_payload_rules,
458 (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
459 ike_sa_init_i_payload_order,
460 },
461 {IKE_SA_INIT, FALSE, FALSE,
462 (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
463 ike_sa_init_r_payload_rules,
464 (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
465 ike_sa_init_r_payload_order,
466 },
467 {IKE_AUTH, TRUE, TRUE,
468 (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
469 ike_auth_i_payload_rules,
470 (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
471 ike_auth_i_payload_order,
472 },
473 {IKE_AUTH, FALSE, TRUE,
474 (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
475 ike_auth_r_payload_rules,
476 (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
477 ike_auth_r_payload_order,
478 },
479 {INFORMATIONAL, TRUE, TRUE,
480 (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
481 informational_i_payload_rules,
482 (sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
483 informational_i_payload_order,
484 },
485 {INFORMATIONAL, FALSE, TRUE,
486 (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
487 informational_r_payload_rules,
488 (sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
489 informational_r_payload_order,
490 },
491 {CREATE_CHILD_SA, TRUE, TRUE,
492 (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
493 create_child_sa_i_payload_rules,
494 (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
495 create_child_sa_i_payload_order,
496 },
497 {CREATE_CHILD_SA, FALSE, TRUE,
498 (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
499 create_child_sa_r_payload_rules,
500 (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
501 create_child_sa_r_payload_order,
502 },
503 #ifdef ME
504 {ME_CONNECT, TRUE, TRUE,
505 (sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
506 me_connect_i_payload_rules,
507 (sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
508 me_connect_i_payload_order,
509 },
510 {ME_CONNECT, FALSE, TRUE,
511 (sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
512 me_connect_r_payload_rules,
513 (sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
514 me_connect_r_payload_order,
515 },
516 #endif /* ME */
517 };
518
519
520 typedef struct private_message_t private_message_t;
521
522 /**
523 * Private data of an message_t object.
524 */
525 struct private_message_t {
526
527 /**
528 * Public part of a message_t object.
529 */
530 message_t public;
531
532 /**
533 * Minor version of message.
534 */
535 u_int8_t major_version;
536
537 /**
538 * Major version of message.
539 */
540 u_int8_t minor_version;
541
542 /**
543 * First Payload in message.
544 */
545 payload_type_t first_payload;
546
547 /**
548 * Assigned exchange type.
549 */
550 exchange_type_t exchange_type;
551
552 /**
553 * TRUE if message is a request, FALSE if a reply.
554 */
555 bool is_request;
556
557 /**
558 * Message ID of this message.
559 */
560 u_int32_t message_id;
561
562 /**
563 * ID of assigned IKE_SA.
564 */
565 ike_sa_id_t *ike_sa_id;
566
567 /**
568 * Assigned UDP packet, stores incoming packet or last generated one.
569 */
570 packet_t *packet;
571
572 /**
573 * Linked List where payload data are stored in.
574 */
575 linked_list_t *payloads;
576
577 /**
578 * Assigned parser to parse Header and Body of this message.
579 */
580 parser_t *parser;
581
582 /**
583 * The message rule for this message instance
584 */
585 message_rule_t *message_rule;
586 };
587
588 /**
589 * Implementation of private_message_t.set_message_rule.
590 */
591 static status_t set_message_rule(private_message_t *this)
592 {
593 int i;
594
595 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
596 {
597 if ((this->exchange_type == message_rules[i].exchange_type) &&
598 (this->is_request == message_rules[i].is_request))
599 {
600 /* found rule for given exchange_type*/
601 this->message_rule = &(message_rules[i]);
602 return SUCCESS;
603 }
604 }
605 this->message_rule = NULL;
606 return NOT_FOUND;
607 }
608
609 /**
610 * Implementation of private_message_t.get_payload_rule.
611 */
612 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
613 {
614 int i;
615
616 for (i = 0; i < this->message_rule->payload_rule_count;i++)
617 {
618 if (this->message_rule->payload_rules[i].payload_type == payload_type)
619 {
620 *payload_rule = &(this->message_rule->payload_rules[i]);
621 return SUCCESS;
622 }
623 }
624
625 *payload_rule = NULL;
626 return NOT_FOUND;
627 }
628
629 /**
630 * Implementation of message_t.set_ike_sa_id.
631 */
632 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
633 {
634 DESTROY_IF(this->ike_sa_id);
635 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
636 }
637
638 /**
639 * Implementation of message_t.get_ike_sa_id.
640 */
641 static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
642 {
643 return this->ike_sa_id;
644 }
645
646 /**
647 * Implementation of message_t.set_message_id.
648 */
649 static void set_message_id (private_message_t *this,u_int32_t message_id)
650 {
651 this->message_id = message_id;
652 }
653
654 /**
655 * Implementation of message_t.get_message_id.
656 */
657 static u_int32_t get_message_id (private_message_t *this)
658 {
659 return this->message_id;
660 }
661
662 /**
663 * Implementation of message_t.get_initiator_spi.
664 */
665 static u_int64_t get_initiator_spi (private_message_t *this)
666 {
667 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
668 }
669
670 /**
671 * Implementation of message_t.get_responder_spi.
672 */
673 static u_int64_t get_responder_spi (private_message_t *this)
674 {
675 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
676 }
677
678 /**
679 * Implementation of message_t.set_major_version.
680 */
681 static void set_major_version (private_message_t *this,u_int8_t major_version)
682 {
683 this->major_version = major_version;
684 }
685
686
687 /**
688 * Implementation of message_t.set_major_version.
689 */
690 static u_int8_t get_major_version (private_message_t *this)
691 {
692 return this->major_version;
693 }
694
695 /**
696 * Implementation of message_t.set_minor_version.
697 */
698 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
699 {
700 this->minor_version = minor_version;
701 }
702
703 /**
704 * Implementation of message_t.get_minor_version.
705 */
706 static u_int8_t get_minor_version (private_message_t *this)
707 {
708 return this->minor_version;
709 }
710
711 /**
712 * Implementation of message_t.set_exchange_type.
713 */
714 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
715 {
716 this->exchange_type = exchange_type;
717 }
718
719 /**
720 * Implementation of message_t.get_exchange_type.
721 */
722 static exchange_type_t get_exchange_type (private_message_t *this)
723 {
724 return this->exchange_type;
725 }
726
727 /**
728 * Implementation of message_t.get_first_payload_type.
729 */
730 static payload_type_t get_first_payload_type (private_message_t *this)
731 {
732 return this->first_payload;
733 }
734
735 /**
736 * Implementation of message_t.set_request.
737 */
738 static void set_request (private_message_t *this,bool request)
739 {
740 this->is_request = request;
741 }
742
743 /**
744 * Implementation of message_t.get_request.
745 */
746 static exchange_type_t get_request (private_message_t *this)
747 {
748 return this->is_request;
749 }
750
751 /**
752 * Is this message in an encoded form?
753 */
754 static bool is_encoded(private_message_t *this)
755 {
756 chunk_t data = this->packet->get_data(this->packet);
757
758 if (data.ptr == NULL)
759 {
760 return FALSE;
761 }
762 return TRUE;
763 }
764
765 /**
766 * Implementation of message_t.add_payload.
767 */
768 static void add_payload(private_message_t *this, payload_t *payload)
769 {
770 payload_t *last_payload;
771
772 if (this->payloads->get_count(this->payloads) > 0)
773 {
774 this->payloads->get_last(this->payloads, (void **)&last_payload);
775 last_payload->set_next_type(last_payload, payload->get_type(payload));
776 }
777 else
778 {
779 this->first_payload = payload->get_type(payload);
780 }
781 payload->set_next_type(payload, NO_PAYLOAD);
782 this->payloads->insert_last(this->payloads, payload);
783
784 DBG2(DBG_ENC ,"added payload of type %N to message",
785 payload_type_names, payload->get_type(payload));
786 }
787
788 /**
789 * Implementation of message_t.add_notify.
790 */
791 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
792 chunk_t data)
793 {
794 notify_payload_t *notify;
795 payload_t *payload;
796
797 if (flush)
798 {
799 while (this->payloads->remove_last(this->payloads,
800 (void**)&payload) == SUCCESS)
801 {
802 payload->destroy(payload);
803 }
804 }
805 notify = notify_payload_create();
806 notify->set_notify_type(notify, type);
807 notify->set_notification_data(notify, data);
808 add_payload(this, (payload_t*)notify);
809 }
810
811 /**
812 * Implementation of message_t.set_source.
813 */
814 static void set_source(private_message_t *this, host_t *host)
815 {
816 this->packet->set_source(this->packet, host);
817 }
818
819 /**
820 * Implementation of message_t.set_destination.
821 */
822 static void set_destination(private_message_t *this, host_t *host)
823 {
824 this->packet->set_destination(this->packet, host);
825 }
826
827 /**
828 * Implementation of message_t.get_source.
829 */
830 static host_t* get_source(private_message_t *this)
831 {
832 return this->packet->get_source(this->packet);
833 }
834
835 /**
836 * Implementation of message_t.get_destination.
837 */
838 static host_t * get_destination(private_message_t *this)
839 {
840 return this->packet->get_destination(this->packet);
841 }
842
843 /**
844 * Implementation of message_t.get_payload_iterator.
845 */
846 static iterator_t *get_payload_iterator(private_message_t *this)
847 {
848 return this->payloads->create_iterator(this->payloads, TRUE);
849 }
850
851 /**
852 * Implementation of message_t.get_payload.
853 */
854 static payload_t *get_payload(private_message_t *this, payload_type_t type)
855 {
856 payload_t *current, *found = NULL;
857 iterator_t *iterator;
858
859 iterator = this->payloads->create_iterator(this->payloads, TRUE);
860 while (iterator->iterate(iterator, (void**)&current))
861 {
862 if (current->get_type(current) == type)
863 {
864 found = current;
865 break;
866 }
867 }
868 iterator->destroy(iterator);
869 return found;
870 }
871
872 /**
873 * get a string representation of the message
874 */
875 static char* get_string(private_message_t *this, char *buf, int len)
876 {
877 iterator_t *iterator;
878 payload_t *payload;
879 int written;
880 char *pos = buf;
881
882 memset(buf, 0, len);
883 len--;
884
885 written = snprintf(pos, len, "%N %s %d [",
886 exchange_type_names, this->exchange_type,
887 this->is_request ? "request" : "response",
888 this->message_id);
889 if (written >= len || written < 0)
890 {
891 return "";
892 }
893 pos += written;
894 len -= written;
895
896 iterator = this->payloads->create_iterator(this->payloads, TRUE);
897 while (iterator->iterate(iterator, (void**)&payload))
898 {
899 written = snprintf(pos, len, " %N", payload_type_short_names,
900 payload->get_type(payload));
901 if (written >= len || written < 0)
902 {
903 return buf;
904 }
905 pos += written;
906 len -= written;
907 if (payload->get_type(payload) == NOTIFY)
908 {
909 notify_payload_t *notify = (notify_payload_t*)payload;
910 written = snprintf(pos, len, "(%N)", notify_type_short_names,
911 notify->get_notify_type(notify));
912 if (written >= len || written < 0)
913 {
914 return buf;
915 }
916 pos += written;
917 len -= written;
918 }
919 }
920 iterator->destroy(iterator);
921
922 /* remove last space */
923 snprintf(pos, len, " ]");
924 return buf;
925 }
926
927 /**
928 * reorder payloads depending on reordering rules
929 */
930 static void order_payloads(private_message_t *this)
931 {
932 linked_list_t *list;
933 payload_t *payload;
934 int i;
935
936 /* move to temp list */
937 list = linked_list_create();
938 while (this->payloads->remove_last(this->payloads,
939 (void**)&payload) == SUCCESS)
940 {
941 list->insert_first(list, payload);
942 }
943 /* for each rule, ... */
944 for (i = 0; i < this->message_rule->payload_order_count; i++)
945 {
946 enumerator_t *enumerator;
947 notify_payload_t *notify;
948 payload_order_t order = this->message_rule->payload_order[i];
949
950 /* ... find all payload ... */
951 enumerator = list->create_enumerator(list);
952 while (enumerator->enumerate(enumerator, &payload))
953 {
954 /* ... with that type ... */
955 if (payload->get_type(payload) == order.type)
956 {
957 notify = (notify_payload_t*)payload;
958
959 /**... and check notify for type. */
960 if (order.type != NOTIFY || order.notify == 0 ||
961 order.notify == notify->get_notify_type(notify))
962 {
963 list->remove_at(list, enumerator);
964 add_payload(this, payload);
965 }
966 }
967 }
968 enumerator->destroy(enumerator);
969 }
970 /* append all payloads without a rule to the end */
971 while (list->remove_last(list, (void**)&payload) == SUCCESS)
972 {
973 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
974 payload_type_names, payload->get_type(payload),
975 exchange_type_names, this->message_rule->exchange_type,
976 this->message_rule->is_request ? "request" : "response");
977 add_payload(this, payload);
978 }
979 list->destroy(list);
980 }
981
982 /**
983 * Implementation of private_message_t.encrypt_payloads.
984 */
985 static status_t encrypt_payloads(private_message_t *this,
986 crypter_t *crypter, signer_t* signer)
987 {
988 encryption_payload_t *encryption_payload = NULL;
989 status_t status;
990 linked_list_t *all_payloads;
991
992 if (!this->message_rule->encrypted_content)
993 {
994 DBG2(DBG_ENC, "message doesn't have to be encrypted");
995 /* message contains no content to encrypt */
996 return SUCCESS;
997 }
998
999 if (!crypter || !signer)
1000 {
1001 DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
1002 /* message contains no content to encrypt */
1003 return SUCCESS;
1004 }
1005
1006 DBG2(DBG_ENC, "copy all payloads to a temporary list");
1007 all_payloads = linked_list_create();
1008
1009 /* first copy all payloads in a temporary list */
1010 while (this->payloads->get_count(this->payloads) > 0)
1011 {
1012 void *current_payload;
1013 this->payloads->remove_first(this->payloads,&current_payload);
1014 all_payloads->insert_last(all_payloads,current_payload);
1015 }
1016
1017 encryption_payload = encryption_payload_create();
1018
1019 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
1020 while (all_payloads->get_count(all_payloads) > 0)
1021 {
1022 payload_rule_t *payload_rule;
1023 payload_t *current_payload;
1024 bool to_encrypt = FALSE;
1025
1026 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1027
1028 status = get_payload_rule(this,
1029 current_payload->get_type(current_payload),&payload_rule);
1030 /* for payload types which are not found in supported payload list,
1031 * it is presumed that they don't have to be encrypted */
1032 if ((status == SUCCESS) && (payload_rule->encrypted))
1033 {
1034 DBG2(DBG_ENC, "payload %N gets encrypted",
1035 payload_type_names, current_payload->get_type(current_payload));
1036 to_encrypt = TRUE;
1037 }
1038
1039 if (to_encrypt)
1040 {
1041 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1042 payload_type_names, current_payload->get_type(current_payload));
1043 encryption_payload->add_payload(encryption_payload,current_payload);
1044 }
1045 else
1046 {
1047 DBG2(DBG_ENC, "insert payload %N unencrypted",
1048 payload_type_names ,current_payload->get_type(current_payload));
1049 add_payload(this, (payload_t*)encryption_payload);
1050 }
1051 }
1052
1053 status = SUCCESS;
1054 DBG2(DBG_ENC, "encrypting encryption payload");
1055 encryption_payload->set_transforms(encryption_payload, crypter,signer);
1056 status = encryption_payload->encrypt(encryption_payload);
1057 DBG2(DBG_ENC, "add encrypted payload to payload list");
1058 add_payload(this, (payload_t*)encryption_payload);
1059
1060 all_payloads->destroy(all_payloads);
1061
1062 return status;
1063 }
1064
1065 /**
1066 * Implementation of message_t.generate.
1067 */
1068 static status_t generate(private_message_t *this, crypter_t *crypter,
1069 signer_t* signer, packet_t **packet)
1070 {
1071 generator_t *generator;
1072 ike_header_t *ike_header;
1073 payload_t *payload, *next_payload;
1074 iterator_t *iterator;
1075 status_t status;
1076 chunk_t packet_data;
1077 char str[256];
1078
1079 if (is_encoded(this))
1080 {
1081 /* already generated, return a new packet clone */
1082 *packet = this->packet->clone(this->packet);
1083 return SUCCESS;
1084 }
1085
1086 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1087 {
1088 DBG1(DBG_ENC, "exchange type is not defined");
1089 return INVALID_STATE;
1090 }
1091
1092 if (this->packet->get_source(this->packet) == NULL ||
1093 this->packet->get_destination(this->packet) == NULL)
1094 {
1095 DBG1(DBG_ENC, "%s not defined",
1096 !this->packet->get_source(this->packet) ? "source" : "destination");
1097 return INVALID_STATE;
1098 }
1099
1100 /* set the rules for this messge */
1101 status = set_message_rule(this);
1102 if (status != SUCCESS)
1103 {
1104 DBG1(DBG_ENC, "no message rules specified for this message type");
1105 return NOT_SUPPORTED;
1106 }
1107
1108 order_payloads(this);
1109
1110 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1111
1112 /* going to encrypt all content which have to be encrypted */
1113 status = encrypt_payloads(this, crypter, signer);
1114 if (status != SUCCESS)
1115 {
1116 DBG1(DBG_ENC, "payload encryption failed");
1117 return status;
1118 }
1119
1120 /* build ike header */
1121 ike_header = ike_header_create();
1122
1123 ike_header->set_exchange_type(ike_header, this->exchange_type);
1124 ike_header->set_message_id(ike_header, this->message_id);
1125 ike_header->set_response_flag(ike_header, !this->is_request);
1126 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
1127 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1128 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1129
1130 generator = generator_create();
1131
1132 payload = (payload_t*)ike_header;
1133
1134
1135 /* generate every payload expect last one, this is done later*/
1136 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1137 while(iterator->iterate(iterator, (void**)&next_payload))
1138 {
1139 payload->set_next_type(payload, next_payload->get_type(next_payload));
1140 generator->generate_payload(generator, payload);
1141 payload = next_payload;
1142 }
1143 iterator->destroy(iterator);
1144
1145 /* last payload has no next payload*/
1146 payload->set_next_type(payload, NO_PAYLOAD);
1147
1148 generator->generate_payload(generator, payload);
1149
1150 ike_header->destroy(ike_header);
1151
1152 /* build packet */
1153 generator->write_to_chunk(generator, &packet_data);
1154 generator->destroy(generator);
1155
1156 /* if last payload is of type encrypted, integrity checksum if necessary */
1157 if (payload->get_type(payload) == ENCRYPTED)
1158 {
1159 DBG2(DBG_ENC, "build signature on whole message");
1160 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
1161 status = encryption_payload->build_signature(encryption_payload, packet_data);
1162 if (status != SUCCESS)
1163 {
1164 return status;
1165 }
1166 }
1167
1168 this->packet->set_data(this->packet, packet_data);
1169
1170 /* clone packet for caller */
1171 *packet = this->packet->clone(this->packet);
1172
1173 DBG2(DBG_ENC, "message generated successfully");
1174 return SUCCESS;
1175 }
1176
1177 /**
1178 * Implementation of message_t.get_packet.
1179 */
1180 static packet_t *get_packet (private_message_t *this)
1181 {
1182 if (this->packet == NULL)
1183 {
1184 return NULL;
1185 }
1186 return this->packet->clone(this->packet);
1187 }
1188
1189 /**
1190 * Implementation of message_t.get_packet_data.
1191 */
1192 static chunk_t get_packet_data (private_message_t *this)
1193 {
1194 if (this->packet == NULL)
1195 {
1196 return chunk_empty;
1197 }
1198 return chunk_clone(this->packet->get_data(this->packet));
1199 }
1200
1201 /**
1202 * Implementation of message_t.parse_header.
1203 */
1204 static status_t parse_header(private_message_t *this)
1205 {
1206 ike_header_t *ike_header;
1207 status_t status;
1208
1209 DBG2(DBG_ENC, "parsing header of message");
1210
1211 this->parser->reset_context(this->parser);
1212 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
1213 if (status != SUCCESS)
1214 {
1215 DBG1(DBG_ENC, "header could not be parsed");
1216 return status;
1217
1218 }
1219
1220 /* verify payload */
1221 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
1222 if (status != SUCCESS)
1223 {
1224 DBG1(DBG_ENC, "header verification failed");
1225 ike_header->destroy(ike_header);
1226 return status;
1227 }
1228
1229 if (this->ike_sa_id != NULL)
1230 {
1231 this->ike_sa_id->destroy(this->ike_sa_id);
1232 }
1233
1234 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1235 ike_header->get_responder_spi(ike_header),
1236 ike_header->get_initiator_flag(ike_header));
1237
1238 this->exchange_type = ike_header->get_exchange_type(ike_header);
1239 this->message_id = ike_header->get_message_id(ike_header);
1240 this->is_request = (!(ike_header->get_response_flag(ike_header)));
1241 this->major_version = ike_header->get_maj_version(ike_header);
1242 this->minor_version = ike_header->get_min_version(ike_header);
1243 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
1244
1245 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1246 this->is_request ? "request" : "response");
1247
1248 ike_header->destroy(ike_header);
1249
1250 /* get the rules for this messge */
1251 status = set_message_rule(this);
1252 if (status != SUCCESS)
1253 {
1254 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1255 exchange_type_names, this->exchange_type,
1256 this->is_request ? "request" : "response");
1257 }
1258
1259 return status;
1260 }
1261
1262 /**
1263 * Implementation of private_message_t.decrypt_and_verify_payloads.
1264 */
1265 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
1266 {
1267 bool current_payload_was_encrypted = FALSE;
1268 payload_t *previous_payload = NULL;
1269 int payload_number = 1;
1270 iterator_t *iterator;
1271 payload_t *current_payload;
1272 status_t status;
1273
1274 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1275
1276 /* process each payload and decrypt a encryption payload */
1277 while(iterator->iterate(iterator, (void**)&current_payload))
1278 {
1279 payload_rule_t *payload_rule;
1280 payload_type_t current_payload_type;
1281
1282 /* needed to check */
1283 current_payload_type = current_payload->get_type(current_payload);
1284
1285 DBG2(DBG_ENC, "process payload of type %N",
1286 payload_type_names, current_payload_type);
1287
1288 if (current_payload_type == ENCRYPTED)
1289 {
1290 encryption_payload_t *encryption_payload;
1291 payload_t *current_encrypted_payload;
1292
1293 encryption_payload = (encryption_payload_t*)current_payload;
1294
1295 DBG2(DBG_ENC, "found an encryption payload");
1296
1297 if (payload_number != this->payloads->get_count(this->payloads))
1298 {
1299 /* encrypted payload is not last one */
1300 DBG1(DBG_ENC, "encrypted payload is not last payload");
1301 iterator->destroy(iterator);
1302 return VERIFY_ERROR;
1303 }
1304 /* decrypt */
1305 encryption_payload->set_transforms(encryption_payload, crypter, signer);
1306 DBG2(DBG_ENC, "verify signature of encryption payload");
1307 status = encryption_payload->verify_signature(encryption_payload,
1308 this->packet->get_data(this->packet));
1309 if (status != SUCCESS)
1310 {
1311 DBG1(DBG_ENC, "encryption payload signature invalid");
1312 iterator->destroy(iterator);
1313 return FAILED;
1314 }
1315 DBG2(DBG_ENC, "decrypting content of encryption payload");
1316 status = encryption_payload->decrypt(encryption_payload);
1317 if (status != SUCCESS)
1318 {
1319 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
1320 iterator->destroy(iterator);
1321 return PARSE_ERROR;
1322 }
1323
1324 /* needed later to find out if a payload was encrypted */
1325 current_payload_was_encrypted = TRUE;
1326
1327 /* check if there are payloads contained in the encryption payload */
1328 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1329 {
1330 DBG2(DBG_ENC, "encrypted payload is empty");
1331 /* remove the encryption payload, is not needed anymore */
1332 iterator->remove(iterator);
1333 /* encrypted payload contains no other payload */
1334 current_payload_type = NO_PAYLOAD;
1335 }
1336 else
1337 {
1338 /* encryption_payload is replaced with first payload contained in encryption_payload */
1339 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1340 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
1341 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
1342 }
1343
1344 /* is the current paylad the first in the message? */
1345 if (previous_payload == NULL)
1346 {
1347 /* yes, set the first payload type of the message to the current type */
1348 this->first_payload = current_payload_type;
1349 }
1350 else
1351 {
1352 /* no, set the next_type of the previous payload to the current type */
1353 previous_payload->set_next_type(previous_payload, current_payload_type);
1354 }
1355
1356 /* all encrypted payloads are added to the payload list */
1357 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1358 {
1359 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1360 DBG2(DBG_ENC, "insert unencrypted payload of type %N at end of list",
1361 payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
1362 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1363 }
1364
1365 /* encryption payload is processed, payloads are moved. Destroy it. */
1366 encryption_payload->destroy(encryption_payload);
1367 }
1368
1369 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1370 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
1371 {
1372 /* get the ruleset for found payload */
1373 status = get_payload_rule(this, current_payload_type, &payload_rule);
1374 if (status != SUCCESS)
1375 {
1376 /* payload is not allowed */
1377 DBG1(DBG_ENC, "payload type %N not allowed",
1378 payload_type_names, current_payload_type);
1379 iterator->destroy(iterator);
1380 return VERIFY_ERROR;
1381 }
1382
1383 /* check if the payload was encrypted, and if it should been have encrypted */
1384 if (payload_rule->encrypted != current_payload_was_encrypted)
1385 {
1386 /* payload was not encrypted, but should have been. or vice-versa */
1387 DBG1(DBG_ENC, "payload type %N should be %s!",
1388 payload_type_names, current_payload_type,
1389 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1390 iterator->destroy(iterator);
1391 return VERIFY_ERROR;
1392 }
1393 }
1394 /* advance to the next payload */
1395 payload_number++;
1396 /* is stored to set next payload in case of found encryption payload */
1397 previous_payload = current_payload;
1398 }
1399 iterator->destroy(iterator);
1400 return SUCCESS;
1401 }
1402
1403 /**
1404 * Implementation of private_message_t.verify.
1405 */
1406 static status_t verify(private_message_t *this)
1407 {
1408 int i;
1409 iterator_t *iterator;
1410 payload_t *current_payload;
1411 size_t total_found_payloads = 0;
1412
1413 DBG2(DBG_ENC, "verifying message structure");
1414
1415 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1416 /* check for payloads with wrong count*/
1417 for (i = 0; i < this->message_rule->payload_rule_count;i++)
1418 {
1419 size_t found_payloads = 0;
1420
1421 /* check all payloads for specific rule */
1422 iterator->reset(iterator);
1423
1424 while(iterator->iterate(iterator,(void **)&current_payload))
1425 {
1426 payload_type_t current_payload_type;
1427
1428 current_payload_type = current_payload->get_type(current_payload);
1429 if (current_payload_type == UNKNOWN_PAYLOAD)
1430 {
1431 /* unknown payloads are ignored, IF they are not critical */
1432 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
1433 if (unknown_payload->is_critical(unknown_payload))
1434 {
1435 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1436 payload_type_names, current_payload_type);
1437 iterator->destroy(iterator);
1438 return NOT_SUPPORTED;
1439 }
1440 }
1441 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
1442 {
1443 found_payloads++;
1444 total_found_payloads++;
1445 DBG2(DBG_ENC, "found payload of type %N",
1446 payload_type_names, this->message_rule->payload_rules[i].payload_type);
1447
1448 /* as soon as ohe payload occures more then specified, the verification fails */
1449 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
1450 {
1451 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
1452 payload_type_names, current_payload_type,
1453 this->message_rule->payload_rules[i].max_occurence, found_payloads);
1454 iterator->destroy(iterator);
1455 return VERIFY_ERROR;
1456 }
1457 }
1458 }
1459
1460 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
1461 {
1462 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1463 payload_type_names, this->message_rule->payload_rules[i].payload_type,
1464 this->message_rule->payload_rules[i].min_occurence, found_payloads);
1465 iterator->destroy(iterator);
1466 return VERIFY_ERROR;
1467 }
1468 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
1469 {
1470 iterator->destroy(iterator);
1471 return SUCCESS;
1472 }
1473 }
1474 iterator->destroy(iterator);
1475 return SUCCESS;
1476 }
1477
1478 /**
1479 * Implementation of message_t.parse_body.
1480 */
1481 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
1482 {
1483 status_t status = SUCCESS;
1484 payload_type_t current_payload_type;
1485 char str[256];
1486
1487 current_payload_type = this->first_payload;
1488
1489 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1490 payload_type_names, current_payload_type);
1491
1492 /* parse payload for payload, while there are more available */
1493 while ((current_payload_type != NO_PAYLOAD))
1494 {
1495 payload_t *current_payload;
1496
1497 DBG2(DBG_ENC, "starting parsing a %N payload",
1498 payload_type_names, current_payload_type);
1499
1500 /* parse current payload */
1501 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
1502
1503 if (status != SUCCESS)
1504 {
1505 DBG1(DBG_ENC, "payload type %N could not be parsed",
1506 payload_type_names, current_payload_type);
1507 return PARSE_ERROR;
1508 }
1509
1510 DBG2(DBG_ENC, "verifying payload of type %N",
1511 payload_type_names, current_payload_type);
1512
1513 /* verify it, stop parsig if its invalid */
1514 status = current_payload->verify(current_payload);
1515 if (status != SUCCESS)
1516 {
1517 DBG1(DBG_ENC, "%N payload verification failed",
1518 payload_type_names, current_payload_type);
1519 current_payload->destroy(current_payload);
1520 return VERIFY_ERROR;
1521 }
1522
1523 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1524 payload_type_names, current_payload_type);
1525 this->payloads->insert_last(this->payloads,current_payload);
1526
1527 /* an encryption payload is the last one, so STOP here. decryption is done later */
1528 if (current_payload_type == ENCRYPTED)
1529 {
1530 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1531 payload_type_names, current_payload_type);
1532 break;
1533 }
1534
1535 /* get next payload type */
1536 current_payload_type = current_payload->get_next_type(current_payload);
1537 }
1538
1539 if (current_payload_type == ENCRYPTED)
1540 {
1541 status = decrypt_payloads(this,crypter,signer);
1542 if (status != SUCCESS)
1543 {
1544 DBG1(DBG_ENC, "could not decrypt payloads");
1545 return status;
1546 }
1547 }
1548
1549 status = verify(this);
1550 if (status != SUCCESS)
1551 {
1552 return status;
1553 }
1554
1555 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1556
1557 return SUCCESS;
1558 }
1559
1560 /**
1561 * Implementation of message_t.destroy.
1562 */
1563 static void destroy (private_message_t *this)
1564 {
1565 DESTROY_IF(this->ike_sa_id);
1566 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1567 this->packet->destroy(this->packet);
1568 this->parser->destroy(this->parser);
1569 free(this);
1570 }
1571
1572 /*
1573 * Described in Header-File
1574 */
1575 message_t *message_create_from_packet(packet_t *packet)
1576 {
1577 private_message_t *this = malloc_thing(private_message_t);
1578
1579 /* public functions */
1580 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1581 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1582 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1583 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1584 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1585 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1586 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1587 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1588 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1589 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1590 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1591 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1592 this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
1593 this->public.set_request = (void(*)(message_t*, bool))set_request;
1594 this->public.get_request = (bool(*)(message_t*))get_request;
1595 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1596 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1597 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1598 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1599 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1600 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1601 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1602 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1603 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1604 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1605 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1606 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1607 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1608 this->public.destroy = (void(*)(message_t*))destroy;
1609
1610 /* private values */
1611 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1612 this->is_request = TRUE;
1613 this->ike_sa_id = NULL;
1614 this->first_payload = NO_PAYLOAD;
1615 this->message_id = 0;
1616
1617 /* private values */
1618 if (packet == NULL)
1619 {
1620 packet = packet_create();
1621 }
1622 this->message_rule = NULL;
1623 this->packet = packet;
1624 this->payloads = linked_list_create();
1625
1626 /* parser is created from data of packet */
1627 this->parser = parser_create(this->packet->get_data(this->packet));
1628
1629 return (&this->public);
1630 }
1631
1632 /*
1633 * Described in Header.
1634 */
1635 message_t *message_create()
1636 {
1637 return message_create_from_packet(NULL);
1638 }
1639
strongSwan - IPsec VPN