redesigned IKE_SA using a transaction mechanism:
[strongswan.git] / src / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stdlib.h>
25 #include <string.h>
26
27 #include "message.h"
28
29 #include <types.h>
30 #include <daemon.h>
31 #include <sa/ike_sa_id.h>
32 #include <encoding/generator.h>
33 #include <encoding/parser.h>
34 #include <utils/linked_list.h>
35 #include <utils/logger_manager.h>
36 #include <encoding/payloads/encodings.h>
37 #include <encoding/payloads/payload.h>
38 #include <encoding/payloads/encryption_payload.h>
39 #include <encoding/payloads/unknown_payload.h>
40
41 /**
42 * Max number of notify payloads per IKEv2 Message
43 */
44 #define MAX_NOTIFY_PAYLOADS 10
45
46
47 typedef struct payload_rule_t payload_rule_t;
48
49 /**
50 * A payload rule defines the rules for a payload
51 * in a specific message rule. It defines if and how
52 * many times a payload must/can occur in a message
53 * and if it must be encrypted.
54 */
55 struct payload_rule_t {
56 /**
57 * Payload type.
58 */
59 payload_type_t payload_type;
60
61 /**
62 * Minimal occurence of this payload.
63 */
64 size_t min_occurence;
65
66 /**
67 * Max occurence of this payload.
68 */
69 size_t max_occurence;
70
71 /**
72 * TRUE if payload must be encrypted
73 */
74 bool encrypted;
75
76 /**
77 * If this payload occurs, the message rule is
78 * fullfilled in any case. This applies e.g. to
79 * notify_payloads.
80 */
81 bool sufficient;
82 };
83
84 typedef struct message_rule_t message_rule_t;
85
86 /**
87 * A message rule defines the kind of a message,
88 * if it has encrypted contents and a list
89 * of payload rules.
90 *
91 */
92 struct message_rule_t {
93 /**
94 * Type of message.
95 */
96 exchange_type_t exchange_type;
97
98 /**
99 * Is message a request or response.
100 */
101 bool is_request;
102
103 /**
104 * Message contains encrypted content.
105 */
106 bool encrypted_content;
107
108 /**
109 * Number of payload rules which will follow
110 */
111 size_t payload_rule_count;
112
113 /**
114 * Pointer to first payload rule
115 */
116 payload_rule_t *payload_rules;
117 };
118
119 /**
120 * Message rule for IKE_SA_INIT from initiator.
121 */
122 static payload_rule_t ike_sa_init_i_payload_rules[] = {
123 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
124 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
125 {KEY_EXCHANGE,1,1,FALSE,FALSE},
126 {NONCE,1,1,FALSE,FALSE},
127 };
128
129 /**
130 * Message rule for IKE_SA_INIT from responder.
131 */
132 static payload_rule_t ike_sa_init_r_payload_rules[] = {
133 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
134 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
135 {KEY_EXCHANGE,1,1,FALSE,FALSE},
136 {NONCE,1,1,FALSE,FALSE},
137 };
138
139 /**
140 * Message rule for IKE_AUTH from initiator.
141 */
142 static payload_rule_t ike_auth_i_payload_rules[] = {
143 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
144 {ID_INITIATOR,1,1,TRUE,FALSE},
145 {CERTIFICATE,0,1,TRUE,FALSE},
146 {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
147 {ID_RESPONDER,0,1,TRUE,FALSE},
148 {AUTHENTICATION,1,1,TRUE,FALSE},
149 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
150 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
151 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
152 {CONFIGURATION,0,1,TRUE,FALSE},
153 };
154
155 /**
156 * Message rule for IKE_AUTH from responder.
157 */
158 static payload_rule_t ike_auth_r_payload_rules[] = {
159 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
160 {CERTIFICATE,0,1,TRUE,FALSE},
161 {ID_RESPONDER,1,1,TRUE,FALSE},
162 {AUTHENTICATION,1,1,TRUE,FALSE},
163 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
164 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
165 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
166 {CONFIGURATION,0,1,TRUE,FALSE},
167 };
168
169
170 /**
171 * Message rule for INFORMATIONAL from initiator.
172 */
173 static payload_rule_t informational_i_payload_rules[] = {
174 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
175 {CONFIGURATION,0,1,TRUE,FALSE},
176 {DELETE,0,1,TRUE,FALSE},
177
178 };
179
180 /**
181 * Message rule for INFORMATIONAL from responder.
182 */
183 static payload_rule_t informational_r_payload_rules[] = {
184 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
185 {CONFIGURATION,0,1,TRUE,FALSE},
186 {DELETE,0,1,TRUE,FALSE},
187 };
188
189 /**
190 * Message rule for CREATE_CHILD_SA from initiator.
191 */
192 static payload_rule_t create_child_sa_i_payload_rules[] = {
193 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
194 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
195 {NONCE,1,1,TRUE,FALSE},
196 {KEY_EXCHANGE,0,1,TRUE,FALSE},
197 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
198 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
199 {CONFIGURATION,0,1,TRUE,FALSE},
200 };
201
202 /**
203 * Message rule for CREATE_CHILD_SA from responder.
204 */
205 static payload_rule_t create_child_sa_r_payload_rules[] = {
206 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
207 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
208 {NONCE,1,1,TRUE,FALSE},
209 {KEY_EXCHANGE,0,1,TRUE,FALSE},
210 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
211 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
212 {CONFIGURATION,0,1,TRUE,FALSE},
213 };
214
215
216 /**
217 * Message rules, defines allowed payloads.
218 */
219 static message_rule_t message_rules[] = {
220 {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
221 {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
222 {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
223 {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
224 {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
225 {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
226 {CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
227 {CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
228 };
229
230
231 typedef struct private_message_t private_message_t;
232
233 /**
234 * Private data of an message_t object.
235 */
236 struct private_message_t {
237
238 /**
239 * Public part of a message_t object.
240 */
241 message_t public;
242
243 /**
244 * Minor version of message.
245 */
246 u_int8_t major_version;
247
248 /**
249 * Major version of message.
250 */
251 u_int8_t minor_version;
252
253 /**
254 * First Payload in message.
255 */
256 payload_type_t first_payload;
257
258 /**
259 * Assigned exchange type.
260 */
261 exchange_type_t exchange_type;
262
263 /**
264 * TRUE if message is a request, FALSE if a reply.
265 */
266 bool is_request;
267
268 /**
269 * Message ID of this message.
270 */
271 u_int32_t message_id;
272
273 /**
274 * ID of assigned IKE_SA.
275 */
276 ike_sa_id_t *ike_sa_id;
277
278 /**
279 * Assigned UDP packet, stores incoming packet or last generated one.
280 */
281 packet_t *packet;
282
283 /**
284 * Linked List where payload data are stored in.
285 */
286 linked_list_t *payloads;
287
288 /**
289 * Assigned parser to parse Header and Body of this message.
290 */
291 parser_t *parser;
292
293 /**
294 * The message rule for this message instance
295 */
296 message_rule_t *message_rule;
297
298 /**
299 * Assigned logger.
300 */
301 logger_t *logger;
302
303 /**
304 * Sets the private message_rule member to the rule which
305 * applies to this message. Must be called before get_payload_rule().
306 *
307 * @param this calling object
308 * @return
309 * - SUCCESS
310 * - NOT_FOUND if no message rule applies to this message.
311 */
312 status_t (*set_message_rule) (private_message_t *this);
313
314 /**
315 * Gets the payload_rule_t for a specific message_rule_t and payload type.
316 *
317 * @param this calling object
318 * @param payload_type payload type
319 * @param[out] payload_rule returned payload_rule_t
320 * @return
321 * - SUCCESS
322 * - NOT_FOUND if payload not defined in current message rule
323 * - INVALID_STATE if message rule is not set via set_message_rule()
324 */
325 status_t (*get_payload_rule) (private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule);
326
327 /**
328 * Encrypts all payloads which has to get encrypted.
329 *
330 * Can also be called with messages not containing encrypted content.
331 *
332 * @param this calling object
333 * @param crypter crypter_t object
334 * @param signer signer_t object
335 * @return
336 * - SUCCESS
337 * - INVALID_STATE if no crypter/signer supplied but needed
338 */
339 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
340
341 /**
342 * Decrypts encrypted contents, and checks if a payload is encrypted if it has to be.
343 *
344 * @param this calling object
345 * @param crypter crypter_t object
346 * @param signer signer_t object
347 * @return
348 * - SUCCESS
349 * - FAILED if decryption not successfull
350 * - INVALID_STATE if no crypter/signer supplied but needed
351 */
352 status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
353
354 /**
355 * Verifies the message. Checks for payloads count.
356 *
357 * @param calling object
358 * @return
359 * - SUCCESS if message valid, or
360 * - FAILED if message does not align with message rules.
361 */
362 status_t (*verify) (private_message_t *this);
363 };
364
365 /**
366 * Implementation of private_message_t.set_message_rule.
367 */
368 static status_t set_message_rule(private_message_t *this)
369 {
370 int i;
371
372 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
373 {
374 if ((this->exchange_type == message_rules[i].exchange_type) &&
375 (this->is_request == message_rules[i].is_request))
376 {
377 /* found rule for given exchange_type*/
378 this->message_rule = &(message_rules[i]);
379 return SUCCESS;
380 }
381 }
382 this->message_rule = NULL;
383 return NOT_FOUND;
384 }
385
386 /**
387 * Implementation of private_message_t.get_payload_rule.
388 */
389 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
390 {
391 int i;
392
393 for (i = 0; i < this->message_rule->payload_rule_count;i++)
394 {
395 if (this->message_rule->payload_rules[i].payload_type == payload_type)
396 {
397 *payload_rule = &(this->message_rule->payload_rules[i]);
398 return SUCCESS;
399 }
400 }
401
402 *payload_rule = NULL;
403 return NOT_FOUND;
404 }
405
406 /**
407 * Implementation of message_t.set_ike_sa_id.
408 */
409 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
410 {
411 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
412 }
413
414 /**
415 * Implementation of message_t.get_ike_sa_id.
416 */
417 static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
418 {
419 return this->ike_sa_id;
420 }
421
422 /**
423 * Implementation of message_t.set_message_id.
424 */
425 static void set_message_id (private_message_t *this,u_int32_t message_id)
426 {
427 this->message_id = message_id;
428 }
429
430 /**
431 * Implementation of message_t.get_message_id.
432 */
433 static u_int32_t get_message_id (private_message_t *this)
434 {
435 return this->message_id;
436 }
437
438 /**
439 * Implementation of message_t.get_initiator_spi.
440 */
441 static u_int64_t get_initiator_spi (private_message_t *this)
442 {
443 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
444 }
445
446 /**
447 * Implementation of message_t.get_responder_spi.
448 */
449 static u_int64_t get_responder_spi (private_message_t *this)
450 {
451 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
452 }
453
454 /**
455 * Implementation of message_t.set_major_version.
456 */
457 static void set_major_version (private_message_t *this,u_int8_t major_version)
458 {
459 this->major_version = major_version;
460 }
461
462
463 /**
464 * Implementation of message_t.set_major_version.
465 */
466 static u_int8_t get_major_version (private_message_t *this)
467 {
468 return this->major_version;
469 }
470
471 /**
472 * Implementation of message_t.set_minor_version.
473 */
474 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
475 {
476 this->minor_version = minor_version;
477 }
478
479 /**
480 * Implementation of message_t.get_minor_version.
481 */
482 static u_int8_t get_minor_version (private_message_t *this)
483 {
484 return this->minor_version;
485 }
486
487 /**
488 * Implementation of message_t.set_exchange_type.
489 */
490 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
491 {
492 this->exchange_type = exchange_type;
493 }
494
495 /**
496 * Implementation of message_t.get_exchange_type.
497 */
498 static exchange_type_t get_exchange_type (private_message_t *this)
499 {
500 return this->exchange_type;
501 }
502
503 /**
504 * Implementation of message_t.set_request.
505 */
506 static void set_request (private_message_t *this,bool request)
507 {
508 this->is_request = request;
509 }
510
511 /**
512 * Implementation of message_t.get_request.
513 */
514 static exchange_type_t get_request (private_message_t *this)
515 {
516 return this->is_request;
517 }
518
519 /**
520 * Is this message in an encoded form?
521 */
522 static bool is_encoded(private_message_t *this)
523 {
524 chunk_t data = this->packet->get_data(this->packet);
525
526 if (data.ptr == NULL)
527 {
528 return FALSE;
529 }
530 return TRUE;
531 }
532
533 /**
534 * Implementation of message_t.add_payload.
535 */
536 static void add_payload(private_message_t *this, payload_t *payload)
537 {
538 payload_t *last_payload;
539 if (this->payloads->get_count(this->payloads) > 0)
540 {
541 this->payloads->get_last(this->payloads,(void **) &last_payload);
542 last_payload->set_next_type(last_payload, payload->get_type(payload));
543 }
544 else
545 {
546 this->first_payload = payload->get_type(payload);
547 }
548 payload->set_next_type(payload, NO_PAYLOAD);
549 this->payloads->insert_last(this->payloads, (void*)payload);
550
551 this->logger->log(this->logger, CONTROL|LEVEL1, "added payload of type %s to message",
552 mapping_find(payload_type_m, payload->get_type(payload)));
553 }
554
555 /**
556 * Implementation of message_t.set_source.
557 */
558 static void set_source(private_message_t *this, host_t *host)
559 {
560 this->packet->set_source(this->packet, host);
561 }
562
563 /**
564 * Implementation of message_t.set_destination.
565 */
566 static void set_destination(private_message_t *this, host_t *host)
567 {
568
569 this->packet->set_destination(this->packet, host);
570 }
571
572 /**
573 * Implementation of message_t.get_source.
574 */
575 static host_t* get_source(private_message_t *this)
576 {
577 return this->packet->get_source(this->packet);
578 }
579
580 /**
581 * Implementation of message_t.get_destination.
582 */
583 static host_t * get_destination(private_message_t *this)
584 {
585 return this->packet->get_destination(this->packet);
586 }
587
588 /**
589 * Implementation of message_t.get_destination.
590 */
591 static iterator_t *get_payload_iterator(private_message_t *this)
592 {
593 return this->payloads->create_iterator(this->payloads, TRUE);
594 }
595
596 /**
597 * Build a string containing short names for all payload in this message
598 */
599 static void build_payload_string(private_message_t *this, char* buffer, size_t size)
600 {
601 iterator_t *iterator;
602 payload_t *payload;
603 bool first = TRUE;
604
605 *buffer = '\0';
606 size--;
607
608 iterator = this->payloads->create_iterator(this->payloads, TRUE);
609 while (iterator->iterate(iterator, (void**)&payload))
610 {
611 payload_type_t type = payload->get_type(payload);
612 char *name = mapping_find(payload_type_short_m, type);
613 size_t name_len = strlen(name);
614 if (!first)
615 {
616 strncat(buffer, " ", size);
617 if (size)
618 {
619 size--;
620 }
621 }
622 else
623 {
624 first = FALSE;
625 }
626 strncat(buffer, name, size);
627 if (name_len > size)
628 {
629 size = 0;
630 }
631 else
632 {
633 size -= name_len;
634 }
635 }
636 iterator->destroy(iterator);
637 }
638
639 /**
640 * Implementation of message_t.generate.
641 */
642 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
643 {
644 generator_t *generator;
645 ike_header_t *ike_header;
646 payload_t *payload, *next_payload;
647 iterator_t *iterator;
648 status_t status;
649 chunk_t packet_data;
650 char payload_names[128];
651
652 if (is_encoded(this))
653 {
654 /* already generated, return a new packet clone */
655 *packet = this->packet->clone(this->packet);
656 return SUCCESS;
657 }
658
659 build_payload_string(this, payload_names, sizeof(payload_names));
660 this->logger->log(this->logger, CONTROL, "generating %s %s [%s]",
661 mapping_find(exchange_type_m,this->exchange_type),
662 this->is_request ? "request" : "response",
663 payload_names);
664
665 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
666 {
667 this->logger->log(this->logger, ERROR | LEVEL1, "exchange type %s is not defined",
668 mapping_find(exchange_type_m,this->exchange_type));
669 return INVALID_STATE;
670 }
671
672 if (this->packet->get_source(this->packet) == NULL ||
673 this->packet->get_destination(this->packet) == NULL)
674 {
675 this->logger->log(this->logger, ERROR|LEVEL1, "%s not defined",
676 !this->packet->get_source(this->packet) ? "source" : "destination");
677 return INVALID_STATE;
678 }
679
680 /* set the rules for this messge */
681 status = this->set_message_rule(this);
682 if (status != SUCCESS)
683 {
684 this->logger->log(this->logger, ERROR, "no message rules specified for a %s %s",
685 mapping_find(exchange_type_m,this->exchange_type),
686 this->is_request ? "request" : "response");
687 return NOT_SUPPORTED;
688 }
689
690
691 /* going to encrypt all content which have to be encrypted */
692 status = this->encrypt_payloads(this, crypter, signer);
693 if (status != SUCCESS)
694 {
695 this->logger->log(this->logger, ERROR | LEVEL1, "could not encrypt payloads");
696 return status;
697 }
698
699 /* build ike header */
700 ike_header = ike_header_create();
701
702 ike_header->set_exchange_type(ike_header, this->exchange_type);
703 ike_header->set_message_id(ike_header, this->message_id);
704 ike_header->set_response_flag(ike_header, !this->is_request);
705 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
706 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
707 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
708
709 generator = generator_create();
710
711 payload = (payload_t*)ike_header;
712
713
714 /* generate every payload expect last one, this is doen later*/
715 iterator = this->payloads->create_iterator(this->payloads, TRUE);
716 while(iterator->has_next(iterator))
717 {
718 iterator->current(iterator, (void**)&next_payload);
719 payload->set_next_type(payload, next_payload->get_type(next_payload));
720 generator->generate_payload(generator, payload);
721 payload = next_payload;
722 }
723 iterator->destroy(iterator);
724
725 /* last payload has no next payload*/
726 payload->set_next_type(payload, NO_PAYLOAD);
727
728 generator->generate_payload(generator, payload);
729
730 ike_header->destroy(ike_header);
731
732 /* build packet */
733 generator->write_to_chunk(generator, &packet_data);
734 generator->destroy(generator);
735
736 /* if last payload is of type encrypted, integrity checksum if necessary */
737 if (payload->get_type(payload) == ENCRYPTED)
738 {
739 this->logger->log(this->logger, CONTROL | LEVEL1, "build signature on whole message");
740 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
741 status = encryption_payload->build_signature(encryption_payload, packet_data);
742 if (status != SUCCESS)
743 {
744 return status;
745 }
746 }
747
748 this->packet->set_data(this->packet, packet_data);
749
750 /* clone packet for caller */
751 *packet = this->packet->clone(this->packet);
752
753 this->logger->log(this->logger, CONTROL|LEVEL1, "message of type %s generated successfully",
754 mapping_find(exchange_type_m,this->exchange_type));
755 return SUCCESS;
756 }
757
758 /**
759 * Implementation of message_t.get_packet.
760 */
761 static packet_t *get_packet (private_message_t *this)
762 {
763 return this->packet->clone(this->packet);
764 }
765
766 /**
767 * Implementation of message_t.get_packet_data.
768 */
769 static chunk_t get_packet_data (private_message_t *this)
770 {
771 return chunk_clone(this->packet->get_data(this->packet));
772 }
773
774 /**
775 * Implementation of message_t.parse_header.
776 */
777 static status_t parse_header(private_message_t *this)
778 {
779 ike_header_t *ike_header;
780 status_t status;
781
782
783 this->logger->log(this->logger, CONTROL|LEVEL1, "parsing Header of message");
784
785 this->parser->reset_context(this->parser);
786 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
787 if (status != SUCCESS)
788 {
789 this->logger->log(this->logger, ERROR | LEVEL1, "header could not be parsed");
790 return status;
791
792 }
793
794 /* verify payload */
795 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
796 if (status != SUCCESS)
797 {
798 this->logger->log(this->logger, ERROR | LEVEL1, "header verification failed");
799 ike_header->destroy(ike_header);
800 return status;
801 }
802
803 if (this->ike_sa_id != NULL)
804 {
805 this->ike_sa_id->destroy(this->ike_sa_id);
806 }
807
808 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
809 ike_header->get_responder_spi(ike_header),
810 ike_header->get_initiator_flag(ike_header));
811
812 this->exchange_type = ike_header->get_exchange_type(ike_header);
813 this->message_id = ike_header->get_message_id(ike_header);
814 this->is_request = (!(ike_header->get_response_flag(ike_header)));
815 this->major_version = ike_header->get_maj_version(ike_header);
816 this->minor_version = ike_header->get_min_version(ike_header);
817 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
818
819 this->logger->log(this->logger, CONTROL|LEVEL1, "parsed a %s %s",
820 mapping_find(exchange_type_m, this->exchange_type),
821 this->is_request ? "request" : "response");
822
823 ike_header->destroy(ike_header);
824
825 /* get the rules for this messge */
826 status = this->set_message_rule(this);
827 if (status != SUCCESS)
828 {
829 this->logger->log(this->logger, ERROR, "no message rules specified for a %s %s",
830 mapping_find(exchange_type_m,this->exchange_type),
831 this->is_request ? "request" : "response");
832 }
833
834 return status;
835 }
836
837 /**
838 * Implementation of message_t.parse_body.
839 */
840 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
841 {
842 status_t status = SUCCESS;
843 payload_type_t current_payload_type;
844 char payload_names[128];
845
846 current_payload_type = this->first_payload;
847
848 this->logger->log(this->logger, CONTROL|LEVEL1, "parsing body of message, first payload is %s",
849 mapping_find(payload_type_m, current_payload_type));
850
851 /* parse payload for payload, while there are more available */
852 while ((current_payload_type != NO_PAYLOAD))
853 {
854 payload_t *current_payload;
855
856 this->logger->log(this->logger, CONTROL|LEVEL2, "start parsing a %s payload",
857 mapping_find(payload_type_m, current_payload_type));
858
859 /* parse current payload */
860 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
861
862 if (status != SUCCESS)
863 {
864 this->logger->log(this->logger, ERROR, "payload type %s could not be parsed",
865 mapping_find(payload_type_m,current_payload_type));
866 return PARSE_ERROR;
867 }
868
869 this->logger->log(this->logger, CONTROL|LEVEL2, "verify payload of type %s",
870 mapping_find(payload_type_m, current_payload_type));
871
872 /* verify it, stop parsig if its invalid */
873 status = current_payload->verify(current_payload);
874 if (status != SUCCESS)
875 {
876 this->logger->log(this->logger, ERROR, "%s payload verification failed",
877 mapping_find(payload_type_m,current_payload_type));
878 current_payload->destroy(current_payload);
879 return VERIFY_ERROR;
880 }
881
882 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload verified. Adding to payload list",
883 mapping_find(payload_type_m, current_payload_type));
884 this->payloads->insert_last(this->payloads,current_payload);
885
886 /* an encryption payload is the last one, so STOP here. decryption is done later */
887 if (current_payload_type == ENCRYPTED)
888 {
889 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload found. Stop parsing",
890 mapping_find(payload_type_m, current_payload_type));
891 break;
892 }
893
894 /* get next payload type */
895 current_payload_type = current_payload->get_next_type(current_payload);
896 }
897
898 if (current_payload_type == ENCRYPTED)
899 {
900 status = this->decrypt_payloads(this,crypter,signer);
901 if (status != SUCCESS)
902 {
903 this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
904 return status;
905 }
906 }
907
908 status = this->verify(this);
909 if (status != SUCCESS)
910 {
911 this->logger->log(this->logger, ERROR, "verification of message failed");
912 return status;
913 }
914
915 build_payload_string(this, payload_names, sizeof(payload_names));
916 this->logger->log(this->logger, CONTROL, "parsed %s %s [%s]",
917 mapping_find(exchange_type_m, this->exchange_type),
918 this->is_request ? "request" : "response",
919 payload_names);
920
921 return SUCCESS;
922 }
923
924 /**
925 * Implementation of private_message_t.verify.
926 */
927 static status_t verify(private_message_t *this)
928 {
929 int i;
930 iterator_t *iterator;
931 size_t total_found_payloads = 0;
932
933 this->logger->log(this->logger, CONTROL|LEVEL1, "verifying message structure");
934
935 iterator = this->payloads->create_iterator(this->payloads,TRUE);
936 /* check for payloads with wrong count*/
937 for (i = 0; i < this->message_rule->payload_rule_count;i++)
938 {
939 size_t found_payloads = 0;
940
941 /* check all payloads for specific rule */
942 iterator->reset(iterator);
943
944 while(iterator->has_next(iterator))
945 {
946 payload_t *current_payload;
947 payload_type_t current_payload_type;
948
949 iterator->current(iterator,(void **)&current_payload);
950 current_payload_type = current_payload->get_type(current_payload);
951
952 if (current_payload_type == UNKNOWN_PAYLOAD)
953 {
954 /* unknown payloads are ignored, IF they are not critical */
955 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
956 if (unknown_payload->is_critical(unknown_payload))
957 {
958 this->logger->log(this->logger, ERROR|LEVEL1, "%s (%d) is not supported, but its critical!",
959 mapping_find(payload_type_m, current_payload_type), current_payload_type);
960 iterator->destroy(iterator);
961 return NOT_SUPPORTED;
962 }
963 }
964 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
965 {
966 found_payloads++;
967 total_found_payloads++;
968 this->logger->log(this->logger, CONTROL|LEVEL2, "found payload of type %s",
969 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type));
970
971 /* as soon as ohe payload occures more then specified, the verification fails */
972 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
973 {
974 this->logger->log(this->logger, ERROR|LEVEL1, "payload of type %s more than %d times (%d) occured in current message",
975 mapping_find(payload_type_m, current_payload_type),
976 this->message_rule->payload_rules[i].max_occurence, found_payloads);
977 iterator->destroy(iterator);
978 return VERIFY_ERROR;
979 }
980 }
981 }
982
983 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
984 {
985 this->logger->log(this->logger, ERROR|LEVEL1, "payload of type %s not occured %d times (%d)",
986 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type),
987 this->message_rule->payload_rules[i].min_occurence, found_payloads);
988 iterator->destroy(iterator);
989 return VERIFY_ERROR;
990 }
991 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
992 {
993 iterator->destroy(iterator);
994 return SUCCESS;
995 }
996 }
997 iterator->destroy(iterator);
998 return SUCCESS;
999 }
1000
1001
1002 /**
1003 * Implementation of private_message_t.decrypt_and_verify_payloads.
1004 */
1005 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
1006 {
1007 bool current_payload_was_encrypted = FALSE;
1008 payload_t *previous_payload = NULL;
1009 int payload_number = 1;
1010 iterator_t *iterator;
1011 status_t status;
1012
1013 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1014
1015 /* process each payload and decrypt a encryption payload */
1016 while(iterator->has_next(iterator))
1017 {
1018 payload_rule_t *payload_rule;
1019 payload_type_t current_payload_type;
1020 payload_t *current_payload;
1021
1022 /* get current payload */
1023 iterator->current(iterator,(void **)&current_payload);
1024
1025 /* needed to check */
1026 current_payload_type = current_payload->get_type(current_payload);
1027
1028 this->logger->log(this->logger, CONTROL|LEVEL2, "process payload of type %s",
1029 mapping_find(payload_type_m,current_payload_type));
1030
1031 if (current_payload_type == ENCRYPTED)
1032 {
1033 encryption_payload_t *encryption_payload;
1034 payload_t *current_encrypted_payload;
1035
1036 encryption_payload = (encryption_payload_t*)current_payload;
1037
1038 this->logger->log(this->logger, CONTROL | LEVEL2, "found an encryption payload");
1039
1040 if (payload_number != this->payloads->get_count(this->payloads))
1041 {
1042 /* encrypted payload is not last one */
1043 this->logger->log(this->logger, ERROR, "encrypted payload is not last payload");
1044 iterator->destroy(iterator);
1045 return VERIFY_ERROR;
1046 }
1047 /* decrypt */
1048 encryption_payload->set_transforms(encryption_payload, crypter, signer);
1049 this->logger->log(this->logger, CONTROL | LEVEL1, "verify signature of encryption payload");
1050 status = encryption_payload->verify_signature(encryption_payload, this->packet->get_data(this->packet));
1051 if (status != SUCCESS)
1052 {
1053 this->logger->log(this->logger, ERROR, "encryption payload signature invalid");
1054 iterator->destroy(iterator);
1055 return FAILED;
1056 }
1057 this->logger->log(this->logger, CONTROL | LEVEL2, "decrypt content of encryption payload");
1058 status = encryption_payload->decrypt(encryption_payload);
1059 if (status != SUCCESS)
1060 {
1061 this->logger->log(this->logger, ERROR,
1062 "encrypted payload could not be decrypted and parsed: %s",
1063 mapping_find(status_m, status));
1064 iterator->destroy(iterator);
1065 return PARSE_ERROR;
1066 }
1067
1068 /* needed later to find out if a payload was encrypted */
1069 current_payload_was_encrypted = TRUE;
1070
1071 /* check if there are payloads contained in the encryption payload */
1072 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1073 {
1074 this->logger->log(this->logger, CONTROL|LEVEL2, "encrypted payload is empty");
1075 /* remove the encryption payload, is not needed anymore */
1076 iterator->remove(iterator);
1077 /* encrypted payload contains no other payload */
1078 current_payload_type = NO_PAYLOAD;
1079 }
1080 else
1081 {
1082 /* encryption_payload is replaced with first payload contained in encryption_payload */
1083 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1084 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
1085 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
1086 }
1087
1088 /* is the current paylad the first in the message? */
1089 if (previous_payload == NULL)
1090 {
1091 /* yes, set the first payload type of the message to the current type */
1092 this->first_payload = current_payload_type;
1093 }
1094 else
1095 {
1096 /* no, set the next_type of the previous payload to the current type */
1097 previous_payload->set_next_type(previous_payload, current_payload_type);
1098 }
1099
1100 /* all encrypted payloads are added to the payload list */
1101 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1102 {
1103 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1104 this->logger->log(this->logger, CONTROL | LEVEL1,
1105 "insert unencrypted payload of type %s at end of list.",
1106 mapping_find(payload_type_m, current_encrypted_payload->get_type(current_encrypted_payload)));
1107 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1108 }
1109
1110 /* encryption payload is processed, payloads are moved. Destroy it. */
1111 encryption_payload->destroy(encryption_payload);
1112 }
1113
1114 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1115 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
1116 {
1117 /* get the ruleset for found payload */
1118 status = this->get_payload_rule(this, current_payload_type, &payload_rule);
1119 if (status != SUCCESS)
1120 {
1121 /* payload is not allowed */
1122 this->logger->log(this->logger, ERROR, "payload type %s not allowed",
1123 mapping_find(payload_type_m,current_payload_type));
1124 iterator->destroy(iterator);
1125 return VERIFY_ERROR;
1126 }
1127
1128 /* check if the payload was encrypted, and if it should been have encrypted */
1129 if (payload_rule->encrypted != current_payload_was_encrypted)
1130 {
1131 /* payload was not encrypted, but should have been. or vice-versa */
1132 this->logger->log(this->logger, ERROR, "payload type %s should be %s!",
1133 mapping_find(payload_type_m,current_payload_type),
1134 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1135 iterator->destroy(iterator);
1136 return VERIFY_ERROR;
1137 }
1138 }
1139 /* advance to the next payload */
1140 payload_number++;
1141 /* is stored to set next payload in case of found encryption payload */
1142 previous_payload = current_payload;
1143 }
1144 iterator->destroy(iterator);
1145 return SUCCESS;
1146 }
1147
1148 /**
1149 * Implementation of private_message_t.encrypt_payloads.
1150 */
1151 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
1152 {
1153 encryption_payload_t *encryption_payload = NULL;
1154 status_t status;
1155 linked_list_t *all_payloads;
1156
1157 if (!this->message_rule->encrypted_content)
1158 {
1159 this->logger->log(this->logger, CONTROL | LEVEL1, "message doesn't have to be encrypted");
1160 /* message contains no content to encrypt */
1161 return SUCCESS;
1162 }
1163
1164 this->logger->log(this->logger, CONTROL | LEVEL2, "copy all payloads to a temporary list");
1165 all_payloads = linked_list_create();
1166
1167 /* first copy all payloads in a temporary list */
1168 while (this->payloads->get_count(this->payloads) > 0)
1169 {
1170 void *current_payload;
1171 this->payloads->remove_first(this->payloads,&current_payload);
1172 all_payloads->insert_last(all_payloads,current_payload);
1173 }
1174
1175 encryption_payload = encryption_payload_create();
1176
1177 this->logger->log(this->logger, CONTROL | LEVEL2, "check each payloads if they have to get encrypted");
1178 while (all_payloads->get_count(all_payloads) > 0)
1179 {
1180 payload_rule_t *payload_rule;
1181 payload_t *current_payload;
1182 bool to_encrypt = FALSE;
1183
1184 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1185 this->logger->log(this->logger, CONTROL | LEVEL3, "get rule for payload %s",
1186 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1187
1188 status = this->get_payload_rule(this,current_payload->get_type(current_payload),&payload_rule);
1189 /* for payload types which are not found in supported payload list, it is presumed
1190 * that they don't have to be encrypted */
1191 if ((status == SUCCESS) && (payload_rule->encrypted))
1192 {
1193 this->logger->log(this->logger, CONTROL | LEVEL2, "payload %s has to get encrypted",
1194 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1195 to_encrypt = TRUE;
1196 }
1197 else if (status != SUCCESS)
1198 {
1199 this->logger->log(this->logger, CONTROL | LEVEL2, "payload %s not defined for exchange type %s. Handle it anyway",
1200 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
1201 mapping_find(exchange_type_m,this->exchange_type));
1202 }
1203
1204 if (to_encrypt)
1205 {
1206 this->logger->log(this->logger, CONTROL | LEVEL2, "insert payload %s to encryption payload",
1207 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1208
1209 encryption_payload->add_payload(encryption_payload,current_payload);
1210 }
1211 else
1212 {
1213 this->logger->log(this->logger, CONTROL | LEVEL2, "insert payload %s as payload wich does not have to be encrypted",
1214 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1215 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1216 }
1217 }
1218
1219 status = SUCCESS;
1220 this->logger->log(this->logger, CONTROL | LEVEL2, "set transforms for encryption payload ");
1221 encryption_payload->set_transforms(encryption_payload,crypter,signer);
1222 this->logger->log(this->logger, CONTROL | LEVEL1, "encrypt all payloads of encrypted payload");
1223 status = encryption_payload->encrypt(encryption_payload);
1224 this->logger->log(this->logger, CONTROL | LEVEL2, "add encrypted payload to payload list");
1225 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1226
1227 all_payloads->destroy(all_payloads);
1228
1229 return status;
1230 }
1231
1232
1233 /**
1234 * Implementation of message_t.destroy.
1235 */
1236 static void destroy (private_message_t *this)
1237 {
1238 iterator_t *iterator;
1239
1240 this->packet->destroy(this->packet);
1241
1242 if (this->ike_sa_id != NULL)
1243 {
1244 this->ike_sa_id->destroy(this->ike_sa_id);
1245 }
1246
1247 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1248 while (iterator->has_next(iterator))
1249 {
1250 payload_t *payload;
1251 iterator->current(iterator, (void**)&payload);
1252 payload->destroy(payload);
1253 }
1254 iterator->destroy(iterator);
1255 this->payloads->destroy(this->payloads);
1256 this->parser->destroy(this->parser);
1257
1258 free(this);
1259 }
1260
1261 /*
1262 * Described in Header-File
1263 */
1264 message_t *message_create_from_packet(packet_t *packet)
1265 {
1266 private_message_t *this = malloc_thing(private_message_t);
1267
1268 /* public functions */
1269 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1270 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1271 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1272 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1273 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1274 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1275 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1276 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1277 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1278 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1279 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1280 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1281 this->public.set_request = (void(*)(message_t*, bool))set_request;
1282 this->public.get_request = (bool(*)(message_t*))get_request;
1283 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1284 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1285 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1286 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1287 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1288 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1289 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1290 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1291 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1292 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1293 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1294 this->public.destroy = (void(*)(message_t*))destroy;
1295
1296 /* private values */
1297 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1298 this->is_request = TRUE;
1299 this->ike_sa_id = NULL;
1300 this->first_payload = NO_PAYLOAD;
1301 this->message_id = 0;
1302
1303 /* private functions */
1304 this->set_message_rule = set_message_rule;
1305 this->get_payload_rule = get_payload_rule;
1306 this->encrypt_payloads = encrypt_payloads;
1307 this->decrypt_payloads = decrypt_payloads;
1308 this->verify = verify;
1309
1310 /* private values */
1311 if (packet == NULL)
1312 {
1313 packet = packet_create();
1314 }
1315 this->message_rule = NULL;
1316 this->packet = packet;
1317 this->payloads = linked_list_create();
1318
1319 /* parser is created from data of packet */
1320 this->parser = parser_create(this->packet->get_data(this->packet));
1321
1322 this->logger = logger_manager->get_logger(logger_manager, MESSAGE);
1323
1324 return (&this->public);
1325 }
1326
1327 /*
1328 * Described in Header.
1329 */
1330 message_t *message_create()
1331 {
1332 return message_create_from_packet(NULL);
1333 }