Identation/whitespace cleanups
[strongswan.git] / src / charon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <stdlib.h>
20 #include <string.h>
21
22 #include "message.h"
23
24 #include <library.h>
25 #include <daemon.h>
26 #include <sa/ike_sa_id.h>
27 #include <encoding/generator.h>
28 #include <encoding/parser.h>
29 #include <utils/linked_list.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/encryption_payload.h>
33 #include <encoding/payloads/unknown_payload.h>
34
35 /**
36 * Max number of notify payloads per IKEv2 Message
37 */
38 #define MAX_NOTIFY_PAYLOADS 20
39
40 /**
41 * Max number of delete payloads per IKEv2 Message
42 */
43 #define MAX_DELETE_PAYLOADS 20
44
45
46 typedef struct payload_rule_t payload_rule_t;
47
48 /**
49 * A payload rule defines the rules for a payload
50 * in a specific message rule. It defines if and how
51 * many times a payload must/can occur in a message
52 * and if it must be encrypted.
53 */
54 struct payload_rule_t {
55 /**
56 * Payload type.
57 */
58 payload_type_t payload_type;
59
60 /**
61 * Minimal occurence of this payload.
62 */
63 size_t min_occurence;
64
65 /**
66 * Max occurence of this payload.
67 */
68 size_t max_occurence;
69
70 /**
71 * TRUE if payload must be encrypted
72 */
73 bool encrypted;
74
75 /**
76 * If this payload occurs, the message rule is
77 * fullfilled in any case. This applies e.g. to
78 * notify_payloads.
79 */
80 bool sufficient;
81 };
82
83 typedef struct payload_order_t payload_order_t;
84
85 /**
86 * payload ordering structure allows us to reorder payloads according to RFC.
87 */
88 struct payload_order_t {
89
90 /**
91 * payload type
92 */
93 payload_type_t type;
94
95 /**
96 * notify type, if payload == NOTIFY
97 */
98 notify_type_t notify;
99 };
100
101
102 typedef struct message_rule_t message_rule_t;
103
104 /**
105 * A message rule defines the kind of a message,
106 * if it has encrypted contents and a list
107 * of payload ordering rules and payload parsing rules.
108 */
109 struct message_rule_t {
110 /**
111 * Type of message.
112 */
113 exchange_type_t exchange_type;
114
115 /**
116 * Is message a request or response.
117 */
118 bool is_request;
119
120 /**
121 * Message contains encrypted content.
122 */
123 bool encrypted_content;
124
125 /**
126 * Number of payload rules which will follow
127 */
128 int payload_rule_count;
129
130 /**
131 * Pointer to first payload rule
132 */
133 payload_rule_t *payload_rules;
134
135 /**
136 * Number of payload order rules
137 */
138 int payload_order_count;
139
140 /**
141 * payload ordering rules
142 */
143 payload_order_t *payload_order;
144 };
145
146 /**
147 * Message rule for IKE_SA_INIT from initiator.
148 */
149 static payload_rule_t ike_sa_init_i_payload_rules[] = {
150 /* payload type min max encr suff */
151 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
152 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
153 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
154 {NONCE, 1, 1, FALSE, FALSE},
155 {VENDOR_ID, 0, 10, FALSE, FALSE},
156 };
157
158 /**
159 * payload order for IKE_SA_INIT initiator
160 */
161 static payload_order_t ike_sa_init_i_payload_order[] = {
162 /* payload type notify type */
163 {NOTIFY, COOKIE},
164 {SECURITY_ASSOCIATION, 0},
165 {KEY_EXCHANGE, 0},
166 {NONCE, 0},
167 {NOTIFY, NAT_DETECTION_SOURCE_IP},
168 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
169 {NOTIFY, 0},
170 {VENDOR_ID, 0},
171 };
172
173 /**
174 * Message rule for IKE_SA_INIT from responder.
175 */
176 static payload_rule_t ike_sa_init_r_payload_rules[] = {
177 /* payload type min max encr suff */
178 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
179 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
180 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
181 {NONCE, 1, 1, FALSE, FALSE},
182 {VENDOR_ID, 0, 10, FALSE, FALSE},
183 };
184
185 /**
186 * payload order for IKE_SA_INIT responder
187 */
188 static payload_order_t ike_sa_init_r_payload_order[] = {
189 /* payload type notify type */
190 {SECURITY_ASSOCIATION, 0},
191 {KEY_EXCHANGE, 0},
192 {NONCE, 0},
193 {NOTIFY, NAT_DETECTION_SOURCE_IP},
194 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
195 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
196 {CERTIFICATE_REQUEST, 0},
197 {NOTIFY, 0},
198 {VENDOR_ID, 0},
199 };
200
201 /**
202 * Message rule for IKE_AUTH from initiator.
203 */
204 static payload_rule_t ike_auth_i_payload_rules[] = {
205 /* payload type min max encr suff */
206 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
207 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
208 {AUTHENTICATION, 0, 1, TRUE, TRUE},
209 {ID_INITIATOR, 0, 1, TRUE, FALSE},
210 {CERTIFICATE, 0, 4, TRUE, FALSE},
211 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
212 {ID_RESPONDER, 0, 1, TRUE, FALSE},
213 #ifdef ME
214 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
215 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
216 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
217 #else
218 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
219 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
220 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
221 #endif /* ME */
222 {CONFIGURATION, 0, 1, TRUE, FALSE},
223 {VENDOR_ID, 0, 10, TRUE, FALSE},
224 };
225
226 /**
227 * payload order for IKE_AUTH initiator
228 */
229 static payload_order_t ike_auth_i_payload_order[] = {
230 /* payload type notify type */
231 {ID_INITIATOR, 0},
232 {CERTIFICATE, 0},
233 {NOTIFY, INITIAL_CONTACT},
234 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
235 {CERTIFICATE_REQUEST, 0},
236 {ID_RESPONDER, 0},
237 {AUTHENTICATION, 0},
238 {EXTENSIBLE_AUTHENTICATION, 0},
239 {CONFIGURATION, 0},
240 {NOTIFY, IPCOMP_SUPPORTED},
241 {NOTIFY, USE_TRANSPORT_MODE},
242 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
243 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
244 {SECURITY_ASSOCIATION, 0},
245 {TRAFFIC_SELECTOR_INITIATOR, 0},
246 {TRAFFIC_SELECTOR_RESPONDER, 0},
247 {NOTIFY, MOBIKE_SUPPORTED},
248 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
249 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
250 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
251 {NOTIFY, 0},
252 {VENDOR_ID, 0},
253 };
254
255 /**
256 * Message rule for IKE_AUTH from responder.
257 */
258 static payload_rule_t ike_auth_r_payload_rules[] = {
259 /* payload type min max encr suff */
260 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
261 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
262 {AUTHENTICATION, 0, 1, TRUE, TRUE},
263 {CERTIFICATE, 0, 4, TRUE, FALSE},
264 {ID_RESPONDER, 0, 1, TRUE, FALSE},
265 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
266 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
267 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
268 {CONFIGURATION, 0, 1, TRUE, FALSE},
269 {VENDOR_ID, 0, 10, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for IKE_AUTH responder
274 */
275 static payload_order_t ike_auth_r_payload_order[] = {
276 /* payload type notify type */
277 {ID_RESPONDER, 0},
278 {CERTIFICATE, 0},
279 {AUTHENTICATION, 0},
280 {EXTENSIBLE_AUTHENTICATION, 0},
281 {CONFIGURATION, 0},
282 {NOTIFY, IPCOMP_SUPPORTED},
283 {NOTIFY, USE_TRANSPORT_MODE},
284 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
285 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
286 {SECURITY_ASSOCIATION, 0},
287 {TRAFFIC_SELECTOR_INITIATOR, 0},
288 {TRAFFIC_SELECTOR_RESPONDER, 0},
289 {NOTIFY, AUTH_LIFETIME},
290 {NOTIFY, MOBIKE_SUPPORTED},
291 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
292 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
293 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
294 {NOTIFY, 0},
295 {VENDOR_ID, 0},
296 };
297
298 /**
299 * Message rule for INFORMATIONAL from initiator.
300 */
301 static payload_rule_t informational_i_payload_rules[] = {
302 /* payload type min max encr suff */
303 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
304 {CONFIGURATION, 0, 1, TRUE, FALSE},
305 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
306 {VENDOR_ID, 0, 10, TRUE, FALSE},
307 };
308
309 /**
310 * payload order for INFORMATIONAL initiator
311 */
312 static payload_order_t informational_i_payload_order[] = {
313 /* payload type notify type */
314 {NOTIFY, UPDATE_SA_ADDRESSES},
315 {NOTIFY, NAT_DETECTION_SOURCE_IP},
316 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
317 {NOTIFY, COOKIE2},
318 {NOTIFY, 0},
319 {DELETE, 0},
320 {CONFIGURATION, 0},
321 };
322
323 /**
324 * Message rule for INFORMATIONAL from responder.
325 */
326 static payload_rule_t informational_r_payload_rules[] = {
327 /* payload type min max encr suff */
328 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
329 {CONFIGURATION, 0, 1, TRUE, FALSE},
330 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
331 {VENDOR_ID, 0, 10, TRUE, FALSE},
332 };
333
334 /**
335 * payload order for INFORMATIONAL responder
336 */
337 static payload_order_t informational_r_payload_order[] = {
338 /* payload type notify type */
339 {NOTIFY, UPDATE_SA_ADDRESSES},
340 {NOTIFY, NAT_DETECTION_SOURCE_IP},
341 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
342 {NOTIFY, COOKIE2},
343 {NOTIFY, 0},
344 {DELETE, 0},
345 {CONFIGURATION, 0},
346 };
347
348 /**
349 * Message rule for CREATE_CHILD_SA from initiator.
350 */
351 static payload_rule_t create_child_sa_i_payload_rules[] = {
352 /* payload type min max encr suff */
353 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
354 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
355 {NONCE, 1, 1, TRUE, FALSE},
356 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
357 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
359 {CONFIGURATION, 0, 1, TRUE, FALSE},
360 {VENDOR_ID, 0, 10, TRUE, FALSE},
361 };
362
363 /**
364 * payload order for CREATE_CHILD_SA from initiator.
365 */
366 static payload_order_t create_child_sa_i_payload_order[] = {
367 /* payload type notify type */
368 {NOTIFY, REKEY_SA},
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, 0},
379 };
380
381 /**
382 * Message rule for CREATE_CHILD_SA from responder.
383 */
384 static payload_rule_t create_child_sa_r_payload_rules[] = {
385 /* payload type min max encr suff */
386 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
387 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
388 {NONCE, 1, 1, TRUE, FALSE},
389 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
390 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
391 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
392 {CONFIGURATION, 0, 1, TRUE, FALSE},
393 {VENDOR_ID, 0, 10, TRUE, FALSE},
394 };
395
396 /**
397 * payload order for CREATE_CHILD_SA from responder.
398 */
399 static payload_order_t create_child_sa_r_payload_order[] = {
400 /* payload type notify type */
401 {NOTIFY, IPCOMP_SUPPORTED},
402 {NOTIFY, USE_TRANSPORT_MODE},
403 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
404 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
405 {SECURITY_ASSOCIATION, 0},
406 {NONCE, 0},
407 {KEY_EXCHANGE, 0},
408 {TRAFFIC_SELECTOR_INITIATOR, 0},
409 {TRAFFIC_SELECTOR_RESPONDER, 0},
410 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
411 {NOTIFY, 0},
412 };
413
414 #ifdef ME
415 /**
416 * Message rule for ME_CONNECT from initiator.
417 */
418 static payload_rule_t me_connect_i_payload_rules[] = {
419 /* payload type min max encr suff */
420 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
421 {ID_PEER, 1, 1, TRUE, FALSE},
422 {VENDOR_ID, 0, 10, TRUE, FALSE}
423 };
424
425 /**
426 * payload order for ME_CONNECT from initiator.
427 */
428 static payload_order_t me_connect_i_payload_order[] = {
429 /* payload type notify type */
430 {NOTIFY, 0},
431 {ID_PEER, 0},
432 {VENDOR_ID, 0},
433 };
434
435 /**
436 * Message rule for ME_CONNECT from responder.
437 */
438 static payload_rule_t me_connect_r_payload_rules[] = {
439 /* payload type min max encr suff */
440 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
441 {VENDOR_ID, 0, 10, TRUE, FALSE}
442 };
443
444 /**
445 * payload order for ME_CONNECT from responder.
446 */
447 static payload_order_t me_connect_r_payload_order[] = {
448 /* payload type notify type */
449 {NOTIFY, 0},
450 {VENDOR_ID, 0},
451 };
452 #endif /* ME */
453
454 /**
455 * Message rules, defines allowed payloads.
456 */
457 static message_rule_t message_rules[] = {
458 {IKE_SA_INIT, TRUE, FALSE,
459 (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
460 ike_sa_init_i_payload_rules,
461 (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
462 ike_sa_init_i_payload_order,
463 },
464 {IKE_SA_INIT, FALSE, FALSE,
465 (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
466 ike_sa_init_r_payload_rules,
467 (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
468 ike_sa_init_r_payload_order,
469 },
470 {IKE_AUTH, TRUE, TRUE,
471 (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
472 ike_auth_i_payload_rules,
473 (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
474 ike_auth_i_payload_order,
475 },
476 {IKE_AUTH, FALSE, TRUE,
477 (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
478 ike_auth_r_payload_rules,
479 (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
480 ike_auth_r_payload_order,
481 },
482 {INFORMATIONAL, TRUE, TRUE,
483 (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
484 informational_i_payload_rules,
485 (sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
486 informational_i_payload_order,
487 },
488 {INFORMATIONAL, FALSE, TRUE,
489 (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
490 informational_r_payload_rules,
491 (sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
492 informational_r_payload_order,
493 },
494 {CREATE_CHILD_SA, TRUE, TRUE,
495 (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
496 create_child_sa_i_payload_rules,
497 (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
498 create_child_sa_i_payload_order,
499 },
500 {CREATE_CHILD_SA, FALSE, TRUE,
501 (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
502 create_child_sa_r_payload_rules,
503 (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
504 create_child_sa_r_payload_order,
505 },
506 #ifdef ME
507 {ME_CONNECT, TRUE, TRUE,
508 (sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
509 me_connect_i_payload_rules,
510 (sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
511 me_connect_i_payload_order,
512 },
513 {ME_CONNECT, FALSE, TRUE,
514 (sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
515 me_connect_r_payload_rules,
516 (sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
517 me_connect_r_payload_order,
518 },
519 #endif /* ME */
520 };
521
522
523 typedef struct private_message_t private_message_t;
524
525 /**
526 * Private data of an message_t object.
527 */
528 struct private_message_t {
529
530 /**
531 * Public part of a message_t object.
532 */
533 message_t public;
534
535 /**
536 * Minor version of message.
537 */
538 u_int8_t major_version;
539
540 /**
541 * Major version of message.
542 */
543 u_int8_t minor_version;
544
545 /**
546 * First Payload in message.
547 */
548 payload_type_t first_payload;
549
550 /**
551 * Assigned exchange type.
552 */
553 exchange_type_t exchange_type;
554
555 /**
556 * TRUE if message is a request, FALSE if a reply.
557 */
558 bool is_request;
559
560 /**
561 * Message ID of this message.
562 */
563 u_int32_t message_id;
564
565 /**
566 * ID of assigned IKE_SA.
567 */
568 ike_sa_id_t *ike_sa_id;
569
570 /**
571 * Assigned UDP packet, stores incoming packet or last generated one.
572 */
573 packet_t *packet;
574
575 /**
576 * Linked List where payload data are stored in.
577 */
578 linked_list_t *payloads;
579
580 /**
581 * Assigned parser to parse Header and Body of this message.
582 */
583 parser_t *parser;
584
585 /**
586 * The message rule for this message instance
587 */
588 message_rule_t *message_rule;
589 };
590
591 /**
592 * Implementation of private_message_t.set_message_rule.
593 */
594 static status_t set_message_rule(private_message_t *this)
595 {
596 int i;
597
598 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
599 {
600 if ((this->exchange_type == message_rules[i].exchange_type) &&
601 (this->is_request == message_rules[i].is_request))
602 {
603 /* found rule for given exchange_type*/
604 this->message_rule = &(message_rules[i]);
605 return SUCCESS;
606 }
607 }
608 this->message_rule = NULL;
609 return NOT_FOUND;
610 }
611
612 /**
613 * Implementation of private_message_t.get_payload_rule.
614 */
615 static status_t get_payload_rule(private_message_t *this,
616 payload_type_t payload_type, payload_rule_t **payload_rule)
617 {
618 int i;
619
620 for (i = 0; i < this->message_rule->payload_rule_count;i++)
621 {
622 if (this->message_rule->payload_rules[i].payload_type == payload_type)
623 {
624 *payload_rule = &(this->message_rule->payload_rules[i]);
625 return SUCCESS;
626 }
627 }
628
629 *payload_rule = NULL;
630 return NOT_FOUND;
631 }
632
633 /**
634 * Implementation of message_t.set_ike_sa_id.
635 */
636 static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
637 {
638 DESTROY_IF(this->ike_sa_id);
639 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
640 }
641
642 /**
643 * Implementation of message_t.get_ike_sa_id.
644 */
645 static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
646 {
647 return this->ike_sa_id;
648 }
649
650 /**
651 * Implementation of message_t.set_message_id.
652 */
653 static void set_message_id(private_message_t *this,u_int32_t message_id)
654 {
655 this->message_id = message_id;
656 }
657
658 /**
659 * Implementation of message_t.get_message_id.
660 */
661 static u_int32_t get_message_id(private_message_t *this)
662 {
663 return this->message_id;
664 }
665
666 /**
667 * Implementation of message_t.get_initiator_spi.
668 */
669 static u_int64_t get_initiator_spi(private_message_t *this)
670 {
671 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
672 }
673
674 /**
675 * Implementation of message_t.get_responder_spi.
676 */
677 static u_int64_t get_responder_spi(private_message_t *this)
678 {
679 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
680 }
681
682 /**
683 * Implementation of message_t.set_major_version.
684 */
685 static void set_major_version(private_message_t *this,u_int8_t major_version)
686 {
687 this->major_version = major_version;
688 }
689
690 /**
691 * Implementation of message_t.set_major_version.
692 */
693 static u_int8_t get_major_version(private_message_t *this)
694 {
695 return this->major_version;
696 }
697
698 /**
699 * Implementation of message_t.set_minor_version.
700 */
701 static void set_minor_version(private_message_t *this,u_int8_t minor_version)
702 {
703 this->minor_version = minor_version;
704 }
705
706 /**
707 * Implementation of message_t.get_minor_version.
708 */
709 static u_int8_t get_minor_version(private_message_t *this)
710 {
711 return this->minor_version;
712 }
713
714 /**
715 * Implementation of message_t.set_exchange_type.
716 */
717 static void set_exchange_type(private_message_t *this,
718 exchange_type_t exchange_type)
719 {
720 this->exchange_type = exchange_type;
721 }
722
723 /**
724 * Implementation of message_t.get_exchange_type.
725 */
726 static exchange_type_t get_exchange_type(private_message_t *this)
727 {
728 return this->exchange_type;
729 }
730
731 /**
732 * Implementation of message_t.get_first_payload_type.
733 */
734 static payload_type_t get_first_payload_type(private_message_t *this)
735 {
736 return this->first_payload;
737 }
738
739 /**
740 * Implementation of message_t.set_request.
741 */
742 static void set_request(private_message_t *this, bool request)
743 {
744 this->is_request = request;
745 }
746
747 /**
748 * Implementation of message_t.get_request.
749 */
750 static exchange_type_t get_request(private_message_t *this)
751 {
752 return this->is_request;
753 }
754
755 /**
756 * Is this message in an encoded form?
757 */
758 static bool is_encoded(private_message_t *this)
759 {
760 chunk_t data = this->packet->get_data(this->packet);
761
762 if (data.ptr == NULL)
763 {
764 return FALSE;
765 }
766 return TRUE;
767 }
768
769 /**
770 * Implementation of message_t.add_payload.
771 */
772 static void add_payload(private_message_t *this, payload_t *payload)
773 {
774 payload_t *last_payload;
775
776 if (this->payloads->get_count(this->payloads) > 0)
777 {
778 this->payloads->get_last(this->payloads, (void **)&last_payload);
779 last_payload->set_next_type(last_payload, payload->get_type(payload));
780 }
781 else
782 {
783 this->first_payload = payload->get_type(payload);
784 }
785 payload->set_next_type(payload, NO_PAYLOAD);
786 this->payloads->insert_last(this->payloads, payload);
787
788 DBG2(DBG_ENC ,"added payload of type %N to message",
789 payload_type_names, payload->get_type(payload));
790 }
791
792 /**
793 * Implementation of message_t.add_notify.
794 */
795 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
796 chunk_t data)
797 {
798 notify_payload_t *notify;
799 payload_t *payload;
800
801 if (flush)
802 {
803 while (this->payloads->remove_last(this->payloads,
804 (void**)&payload) == SUCCESS)
805 {
806 payload->destroy(payload);
807 }
808 }
809 notify = notify_payload_create();
810 notify->set_notify_type(notify, type);
811 notify->set_notification_data(notify, data);
812 add_payload(this, (payload_t*)notify);
813 }
814
815 /**
816 * Implementation of message_t.set_source.
817 */
818 static void set_source(private_message_t *this, host_t *host)
819 {
820 this->packet->set_source(this->packet, host);
821 }
822
823 /**
824 * Implementation of message_t.set_destination.
825 */
826 static void set_destination(private_message_t *this, host_t *host)
827 {
828 this->packet->set_destination(this->packet, host);
829 }
830
831 /**
832 * Implementation of message_t.get_source.
833 */
834 static host_t* get_source(private_message_t *this)
835 {
836 return this->packet->get_source(this->packet);
837 }
838
839 /**
840 * Implementation of message_t.get_destination.
841 */
842 static host_t * get_destination(private_message_t *this)
843 {
844 return this->packet->get_destination(this->packet);
845 }
846
847 /**
848 * Implementation of message_t.create_payload_enumerator.
849 */
850 static enumerator_t *create_payload_enumerator(private_message_t *this)
851 {
852 return this->payloads->create_enumerator(this->payloads);
853 }
854
855 /**
856 * Implementation of message_t.get_payload.
857 */
858 static payload_t *get_payload(private_message_t *this, payload_type_t type)
859 {
860 payload_t *current, *found = NULL;
861 enumerator_t *enumerator;
862
863 enumerator = create_payload_enumerator(this);
864 while (enumerator->enumerate(enumerator, &current))
865 {
866 if (current->get_type(current) == type)
867 {
868 found = current;
869 break;
870 }
871 }
872 enumerator->destroy(enumerator);
873 return found;
874 }
875
876 /**
877 * Implementation of message_t.get_notify
878 */
879 static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
880 {
881 enumerator_t *enumerator;
882 notify_payload_t *notify = NULL;
883 payload_t *payload;
884
885 enumerator = create_payload_enumerator(this);
886 while (enumerator->enumerate(enumerator, &payload))
887 {
888 if (payload->get_type(payload) == NOTIFY)
889 {
890 notify = (notify_payload_t*)payload;
891 if (notify->get_notify_type(notify) == type)
892 {
893 break;
894 }
895 notify = NULL;
896 }
897 }
898 enumerator->destroy(enumerator);
899 return notify;
900 }
901
902 /**
903 * get a string representation of the message
904 */
905 static char* get_string(private_message_t *this, char *buf, int len)
906 {
907 enumerator_t *enumerator;
908 payload_t *payload;
909 int written;
910 char *pos = buf;
911
912 memset(buf, 0, len);
913 len--;
914
915 written = snprintf(pos, len, "%N %s %d [",
916 exchange_type_names, this->exchange_type,
917 this->is_request ? "request" : "response",
918 this->message_id);
919 if (written >= len || written < 0)
920 {
921 return "";
922 }
923 pos += written;
924 len -= written;
925
926 enumerator = create_payload_enumerator(this);
927 while (enumerator->enumerate(enumerator, &payload))
928 {
929 written = snprintf(pos, len, " %N", payload_type_short_names,
930 payload->get_type(payload));
931 if (written >= len || written < 0)
932 {
933 return buf;
934 }
935 pos += written;
936 len -= written;
937 if (payload->get_type(payload) == NOTIFY)
938 {
939 notify_payload_t *notify = (notify_payload_t*)payload;
940 written = snprintf(pos, len, "(%N)", notify_type_short_names,
941 notify->get_notify_type(notify));
942 if (written >= len || written < 0)
943 {
944 return buf;
945 }
946 pos += written;
947 len -= written;
948 }
949 }
950 enumerator->destroy(enumerator);
951
952 /* remove last space */
953 snprintf(pos, len, " ]");
954 return buf;
955 }
956
957 /**
958 * reorder payloads depending on reordering rules
959 */
960 static void order_payloads(private_message_t *this)
961 {
962 linked_list_t *list;
963 payload_t *payload;
964 int i;
965
966 /* move to temp list */
967 list = linked_list_create();
968 while (this->payloads->remove_last(this->payloads,
969 (void**)&payload) == SUCCESS)
970 {
971 list->insert_first(list, payload);
972 }
973 /* for each rule, ... */
974 for (i = 0; i < this->message_rule->payload_order_count; i++)
975 {
976 enumerator_t *enumerator;
977 notify_payload_t *notify;
978 payload_order_t order = this->message_rule->payload_order[i];
979
980 /* ... find all payload ... */
981 enumerator = list->create_enumerator(list);
982 while (enumerator->enumerate(enumerator, &payload))
983 {
984 /* ... with that type ... */
985 if (payload->get_type(payload) == order.type)
986 {
987 notify = (notify_payload_t*)payload;
988
989 /**... and check notify for type. */
990 if (order.type != NOTIFY || order.notify == 0 ||
991 order.notify == notify->get_notify_type(notify))
992 {
993 list->remove_at(list, enumerator);
994 add_payload(this, payload);
995 }
996 }
997 }
998 enumerator->destroy(enumerator);
999 }
1000 /* append all payloads without a rule to the end */
1001 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1002 {
1003 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1004 payload_type_names, payload->get_type(payload),
1005 exchange_type_names, this->message_rule->exchange_type,
1006 this->message_rule->is_request ? "request" : "response");
1007 add_payload(this, payload);
1008 }
1009 list->destroy(list);
1010 }
1011
1012 /**
1013 * Implementation of private_message_t.encrypt_payloads.
1014 */
1015 static status_t encrypt_payloads(private_message_t *this,
1016 crypter_t *crypter, signer_t* signer)
1017 {
1018 encryption_payload_t *encryption_payload = NULL;
1019 status_t status;
1020 linked_list_t *all_payloads;
1021
1022 if (!this->message_rule->encrypted_content)
1023 {
1024 DBG2(DBG_ENC, "message doesn't have to be encrypted");
1025 /* message contains no content to encrypt */
1026 return SUCCESS;
1027 }
1028
1029 if (!crypter || !signer)
1030 {
1031 DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
1032 /* message contains no content to encrypt */
1033 return SUCCESS;
1034 }
1035
1036 DBG2(DBG_ENC, "copy all payloads to a temporary list");
1037 all_payloads = linked_list_create();
1038
1039 /* first copy all payloads in a temporary list */
1040 while (this->payloads->get_count(this->payloads) > 0)
1041 {
1042 void *current_payload;
1043 this->payloads->remove_first(this->payloads,&current_payload);
1044 all_payloads->insert_last(all_payloads,current_payload);
1045 }
1046
1047 encryption_payload = encryption_payload_create();
1048
1049 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
1050 while (all_payloads->get_count(all_payloads) > 0)
1051 {
1052 payload_rule_t *payload_rule;
1053 payload_t *current_payload;
1054 bool to_encrypt = FALSE;
1055
1056 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1057
1058 status = get_payload_rule(this,
1059 current_payload->get_type(current_payload),&payload_rule);
1060 /* for payload types which are not found in supported payload list,
1061 * it is presumed that they don't have to be encrypted */
1062 if ((status == SUCCESS) && (payload_rule->encrypted))
1063 {
1064 DBG2(DBG_ENC, "payload %N gets encrypted",
1065 payload_type_names, current_payload->get_type(current_payload));
1066 to_encrypt = TRUE;
1067 }
1068
1069 if (to_encrypt)
1070 {
1071 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1072 payload_type_names, current_payload->get_type(current_payload));
1073 encryption_payload->add_payload(encryption_payload,current_payload);
1074 }
1075 else
1076 {
1077 DBG2(DBG_ENC, "insert payload %N unencrypted",
1078 payload_type_names ,current_payload->get_type(current_payload));
1079 add_payload(this, (payload_t*)encryption_payload);
1080 }
1081 }
1082
1083 status = SUCCESS;
1084 DBG2(DBG_ENC, "encrypting encryption payload");
1085 encryption_payload->set_transforms(encryption_payload, crypter,signer);
1086 status = encryption_payload->encrypt(encryption_payload);
1087 DBG2(DBG_ENC, "add encrypted payload to payload list");
1088 add_payload(this, (payload_t*)encryption_payload);
1089
1090 all_payloads->destroy(all_payloads);
1091
1092 return status;
1093 }
1094
1095 /**
1096 * Implementation of message_t.generate.
1097 */
1098 static status_t generate(private_message_t *this, crypter_t *crypter,
1099 signer_t* signer, packet_t **packet)
1100 {
1101 generator_t *generator;
1102 ike_header_t *ike_header;
1103 payload_t *payload, *next_payload;
1104 enumerator_t *enumerator;
1105 status_t status;
1106 chunk_t packet_data;
1107 char str[256];
1108
1109 if (is_encoded(this))
1110 {
1111 /* already generated, return a new packet clone */
1112 *packet = this->packet->clone(this->packet);
1113 return SUCCESS;
1114 }
1115
1116 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1117 {
1118 DBG1(DBG_ENC, "exchange type is not defined");
1119 return INVALID_STATE;
1120 }
1121
1122 if (this->packet->get_source(this->packet) == NULL ||
1123 this->packet->get_destination(this->packet) == NULL)
1124 {
1125 DBG1(DBG_ENC, "%s not defined",
1126 !this->packet->get_source(this->packet) ? "source" : "destination");
1127 return INVALID_STATE;
1128 }
1129
1130 /* set the rules for this messge */
1131 status = set_message_rule(this);
1132 if (status != SUCCESS)
1133 {
1134 DBG1(DBG_ENC, "no message rules specified for this message type");
1135 return NOT_SUPPORTED;
1136 }
1137
1138 order_payloads(this);
1139
1140 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1141
1142 /* going to encrypt all content which have to be encrypted */
1143 status = encrypt_payloads(this, crypter, signer);
1144 if (status != SUCCESS)
1145 {
1146 DBG1(DBG_ENC, "payload encryption failed");
1147 return status;
1148 }
1149
1150 /* build ike header */
1151 ike_header = ike_header_create();
1152
1153 ike_header->set_exchange_type(ike_header, this->exchange_type);
1154 ike_header->set_message_id(ike_header, this->message_id);
1155 ike_header->set_response_flag(ike_header, !this->is_request);
1156 ike_header->set_initiator_flag(ike_header,
1157 this->ike_sa_id->is_initiator(this->ike_sa_id));
1158 ike_header->set_initiator_spi(ike_header,
1159 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1160 ike_header->set_responder_spi(ike_header,
1161 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1162
1163 generator = generator_create();
1164
1165 payload = (payload_t*)ike_header;
1166
1167 /* generate every payload expect last one, this is done later*/
1168 enumerator = create_payload_enumerator(this);
1169 while (enumerator->enumerate(enumerator, &next_payload))
1170 {
1171 payload->set_next_type(payload, next_payload->get_type(next_payload));
1172 generator->generate_payload(generator, payload);
1173 payload = next_payload;
1174 }
1175 enumerator->destroy(enumerator);
1176
1177 /* last payload has no next payload*/
1178 payload->set_next_type(payload, NO_PAYLOAD);
1179
1180 generator->generate_payload(generator, payload);
1181
1182 ike_header->destroy(ike_header);
1183
1184 /* build packet */
1185 generator->write_to_chunk(generator, &packet_data);
1186 generator->destroy(generator);
1187
1188 /* if last payload is of type encrypted, integrity checksum if necessary */
1189 if (payload->get_type(payload) == ENCRYPTED)
1190 {
1191 DBG2(DBG_ENC, "build signature on whole message");
1192 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
1193 status = encryption_payload->build_signature(encryption_payload, packet_data);
1194 if (status != SUCCESS)
1195 {
1196 return status;
1197 }
1198 }
1199
1200 this->packet->set_data(this->packet, packet_data);
1201
1202 /* clone packet for caller */
1203 *packet = this->packet->clone(this->packet);
1204
1205 DBG2(DBG_ENC, "message generated successfully");
1206 return SUCCESS;
1207 }
1208
1209 /**
1210 * Implementation of message_t.get_packet.
1211 */
1212 static packet_t *get_packet(private_message_t *this)
1213 {
1214 if (this->packet == NULL)
1215 {
1216 return NULL;
1217 }
1218 return this->packet->clone(this->packet);
1219 }
1220
1221 /**
1222 * Implementation of message_t.get_packet_data.
1223 */
1224 static chunk_t get_packet_data(private_message_t *this)
1225 {
1226 if (this->packet == NULL)
1227 {
1228 return chunk_empty;
1229 }
1230 return chunk_clone(this->packet->get_data(this->packet));
1231 }
1232
1233 /**
1234 * Implementation of message_t.parse_header.
1235 */
1236 static status_t parse_header(private_message_t *this)
1237 {
1238 ike_header_t *ike_header;
1239 status_t status;
1240
1241 DBG2(DBG_ENC, "parsing header of message");
1242
1243 this->parser->reset_context(this->parser);
1244 status = this->parser->parse_payload(this->parser, HEADER,
1245 (payload_t**)&ike_header);
1246 if (status != SUCCESS)
1247 {
1248 DBG1(DBG_ENC, "header could not be parsed");
1249 return status;
1250
1251 }
1252
1253 /* verify payload */
1254 status = ike_header->payload_interface.verify(
1255 &ike_header->payload_interface);
1256 if (status != SUCCESS)
1257 {
1258 DBG1(DBG_ENC, "header verification failed");
1259 ike_header->destroy(ike_header);
1260 return status;
1261 }
1262
1263 if (this->ike_sa_id != NULL)
1264 {
1265 this->ike_sa_id->destroy(this->ike_sa_id);
1266 }
1267
1268 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1269 ike_header->get_responder_spi(ike_header),
1270 ike_header->get_initiator_flag(ike_header));
1271
1272 this->exchange_type = ike_header->get_exchange_type(ike_header);
1273 this->message_id = ike_header->get_message_id(ike_header);
1274 this->is_request = (!(ike_header->get_response_flag(ike_header)));
1275 this->major_version = ike_header->get_maj_version(ike_header);
1276 this->minor_version = ike_header->get_min_version(ike_header);
1277 this->first_payload = ike_header->payload_interface.get_next_type(
1278 &ike_header->payload_interface);
1279
1280 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1281 this->is_request ? "request" : "response");
1282
1283 ike_header->destroy(ike_header);
1284
1285 /* get the rules for this messge */
1286 status = set_message_rule(this);
1287 if (status != SUCCESS)
1288 {
1289 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1290 exchange_type_names, this->exchange_type,
1291 this->is_request ? "request" : "response");
1292 }
1293
1294 return status;
1295 }
1296
1297 /**
1298 * Implementation of private_message_t.decrypt_and_verify_payloads.
1299 */
1300 static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
1301 signer_t* signer)
1302 {
1303 bool current_payload_was_encrypted = FALSE;
1304 payload_t *previous_payload = NULL;
1305 int payload_number = 1;
1306 iterator_t *iterator;
1307 payload_t *current_payload;
1308 status_t status;
1309
1310 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1311
1312 /* process each payload and decrypt a encryption payload */
1313 while(iterator->iterate(iterator, (void**)&current_payload))
1314 {
1315 payload_rule_t *payload_rule;
1316 payload_type_t current_payload_type;
1317
1318 /* needed to check */
1319 current_payload_type = current_payload->get_type(current_payload);
1320
1321 DBG2(DBG_ENC, "process payload of type %N",
1322 payload_type_names, current_payload_type);
1323
1324 if (current_payload_type == ENCRYPTED)
1325 {
1326 encryption_payload_t *encryption_payload;
1327 payload_t *current_encrypted_payload;
1328
1329 encryption_payload = (encryption_payload_t*)current_payload;
1330
1331 DBG2(DBG_ENC, "found an encryption payload");
1332
1333 if (payload_number != this->payloads->get_count(this->payloads))
1334 {
1335 /* encrypted payload is not last one */
1336 DBG1(DBG_ENC, "encrypted payload is not last payload");
1337 iterator->destroy(iterator);
1338 return VERIFY_ERROR;
1339 }
1340 /* decrypt */
1341 encryption_payload->set_transforms(encryption_payload,
1342 crypter, signer);
1343 DBG2(DBG_ENC, "verify signature of encryption payload");
1344 status = encryption_payload->verify_signature(encryption_payload,
1345 this->packet->get_data(this->packet));
1346 if (status != SUCCESS)
1347 {
1348 DBG1(DBG_ENC, "encryption payload signature invalid");
1349 iterator->destroy(iterator);
1350 return FAILED;
1351 }
1352 DBG2(DBG_ENC, "decrypting content of encryption payload");
1353 status = encryption_payload->decrypt(encryption_payload);
1354 if (status != SUCCESS)
1355 {
1356 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
1357 iterator->destroy(iterator);
1358 return PARSE_ERROR;
1359 }
1360
1361 /* needed later to find out if a payload was encrypted */
1362 current_payload_was_encrypted = TRUE;
1363
1364 /* check if there are payloads contained in the encryption payload */
1365 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1366 {
1367 DBG2(DBG_ENC, "encrypted payload is empty");
1368 /* remove the encryption payload, is not needed anymore */
1369 iterator->remove(iterator);
1370 /* encrypted payload contains no other payload */
1371 current_payload_type = NO_PAYLOAD;
1372 }
1373 else
1374 {
1375 /* encryption_payload is replaced with first payload contained
1376 * in encryption_payload */
1377 encryption_payload->remove_first_payload(encryption_payload,
1378 &current_encrypted_payload);
1379 iterator->replace(iterator, NULL,
1380 (void *)current_encrypted_payload);
1381 current_payload_type = current_encrypted_payload->get_type(
1382 current_encrypted_payload);
1383 }
1384
1385 /* is the current paylad the first in the message? */
1386 if (previous_payload == NULL)
1387 {
1388 /* yes, set the first payload type of the message to the
1389 * current type */
1390 this->first_payload = current_payload_type;
1391 }
1392 else
1393 {
1394 /* no, set the next_type of the previous payload to the
1395 * current type */
1396 previous_payload->set_next_type(previous_payload,
1397 current_payload_type);
1398 }
1399
1400 /* all encrypted payloads are added to the payload list */
1401 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1402 {
1403 encryption_payload->remove_first_payload(encryption_payload,
1404 &current_encrypted_payload);
1405 DBG2(DBG_ENC, "insert unencrypted payload of type "
1406 "%N at end of list", payload_type_names,
1407 current_encrypted_payload->get_type(
1408 current_encrypted_payload));
1409 this->payloads->insert_last(this->payloads,
1410 current_encrypted_payload);
1411 }
1412
1413 /* encryption payload is processed, payloads are moved. Destroy it. */
1414 encryption_payload->destroy(encryption_payload);
1415 }
1416
1417 /* we allow unknown payloads of any type and don't bother if it was
1418 * encrypted. Not our problem. */
1419 if (current_payload_type != UNKNOWN_PAYLOAD &&
1420 current_payload_type != NO_PAYLOAD)
1421 {
1422 /* get the ruleset for found payload */
1423 status = get_payload_rule(this, current_payload_type, &payload_rule);
1424 if (status != SUCCESS)
1425 {
1426 /* payload is not allowed */
1427 DBG1(DBG_ENC, "payload type %N not allowed",
1428 payload_type_names, current_payload_type);
1429 iterator->destroy(iterator);
1430 return VERIFY_ERROR;
1431 }
1432
1433 /* check if the payload was encrypted, and if it should been have
1434 * encrypted */
1435 if (payload_rule->encrypted != current_payload_was_encrypted)
1436 {
1437 /* payload was not encrypted, but should have been.
1438 * or vice-versa */
1439 DBG1(DBG_ENC, "payload type %N should be %s!",
1440 payload_type_names, current_payload_type,
1441 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1442 iterator->destroy(iterator);
1443 return VERIFY_ERROR;
1444 }
1445 }
1446 /* advance to the next payload */
1447 payload_number++;
1448 /* is stored to set next payload in case of found encryption payload */
1449 previous_payload = current_payload;
1450 }
1451 iterator->destroy(iterator);
1452 return SUCCESS;
1453 }
1454
1455 /**
1456 * Implementation of private_message_t.verify.
1457 */
1458 static status_t verify(private_message_t *this)
1459 {
1460 int i;
1461 enumerator_t *enumerator;
1462 payload_t *current_payload;
1463 size_t total_found_payloads = 0;
1464
1465 DBG2(DBG_ENC, "verifying message structure");
1466
1467 /* check for payloads with wrong count*/
1468 for (i = 0; i < this->message_rule->payload_rule_count; i++)
1469 {
1470 size_t found_payloads = 0;
1471 payload_rule_t *rule;
1472
1473 rule = &this->message_rule->payload_rules[i];
1474 enumerator = create_payload_enumerator(this);
1475
1476 /* check all payloads for specific rule */
1477 while (enumerator->enumerate(enumerator, &current_payload))
1478 {
1479 payload_type_t current_payload_type;
1480 unknown_payload_t *unknown_payload;
1481
1482 current_payload_type = current_payload->get_type(current_payload);
1483 if (current_payload_type == UNKNOWN_PAYLOAD)
1484 {
1485 /* unknown payloads are ignored, IF they are not critical */
1486 unknown_payload = (unknown_payload_t*)current_payload;
1487 if (unknown_payload->is_critical(unknown_payload))
1488 {
1489 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1490 payload_type_names, current_payload_type);
1491 enumerator->destroy(enumerator);
1492 return NOT_SUPPORTED;
1493 }
1494 }
1495 else if (current_payload_type == rule->payload_type)
1496 {
1497 found_payloads++;
1498 total_found_payloads++;
1499 DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
1500 rule->payload_type);
1501
1502 /* as soon as ohe payload occures more then specified,
1503 * the verification fails */
1504 if (found_payloads >
1505 rule->max_occurence)
1506 {
1507 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1508 "occured in current message", payload_type_names,
1509 current_payload_type, rule->max_occurence,
1510 found_payloads);
1511 enumerator->destroy(enumerator);
1512 return VERIFY_ERROR;
1513 }
1514 }
1515 }
1516
1517 if (found_payloads < rule->min_occurence)
1518 {
1519 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1520 payload_type_names, rule->payload_type, rule->min_occurence,
1521 found_payloads);
1522 enumerator->destroy(enumerator);
1523 return VERIFY_ERROR;
1524 }
1525 if (rule->sufficient &&
1526 this->payloads->get_count(this->payloads) == total_found_payloads)
1527 {
1528 enumerator->destroy(enumerator);
1529 return SUCCESS;
1530 }
1531 enumerator->destroy(enumerator);
1532 }
1533 return SUCCESS;
1534 }
1535
1536 /**
1537 * Implementation of message_t.parse_body.
1538 */
1539 static status_t parse_body(private_message_t *this, crypter_t *crypter,
1540 signer_t *signer)
1541 {
1542 status_t status = SUCCESS;
1543 payload_type_t current_payload_type;
1544 char str[256];
1545
1546 current_payload_type = this->first_payload;
1547
1548 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1549 payload_type_names, current_payload_type);
1550
1551 /* parse payload for payload, while there are more available */
1552 while ((current_payload_type != NO_PAYLOAD))
1553 {
1554 payload_t *current_payload;
1555
1556 DBG2(DBG_ENC, "starting parsing a %N payload",
1557 payload_type_names, current_payload_type);
1558
1559 /* parse current payload */
1560 status = this->parser->parse_payload(this->parser, current_payload_type,
1561 (payload_t**)&current_payload);
1562 if (status != SUCCESS)
1563 {
1564 DBG1(DBG_ENC, "payload type %N could not be parsed",
1565 payload_type_names, current_payload_type);
1566 return PARSE_ERROR;
1567 }
1568
1569 DBG2(DBG_ENC, "verifying payload of type %N",
1570 payload_type_names, current_payload_type);
1571
1572 /* verify it, stop parsig if its invalid */
1573 status = current_payload->verify(current_payload);
1574 if (status != SUCCESS)
1575 {
1576 DBG1(DBG_ENC, "%N payload verification failed",
1577 payload_type_names, current_payload_type);
1578 current_payload->destroy(current_payload);
1579 return VERIFY_ERROR;
1580 }
1581
1582 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1583 payload_type_names, current_payload_type);
1584 this->payloads->insert_last(this->payloads,current_payload);
1585
1586 /* an encryption payload is the last one, so STOP here. decryption is
1587 * done later */
1588 if (current_payload_type == ENCRYPTED)
1589 {
1590 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1591 payload_type_names, current_payload_type);
1592 break;
1593 }
1594
1595 /* get next payload type */
1596 current_payload_type = current_payload->get_next_type(current_payload);
1597 }
1598
1599 if (current_payload_type == ENCRYPTED)
1600 {
1601 status = decrypt_payloads(this,crypter,signer);
1602 if (status != SUCCESS)
1603 {
1604 DBG1(DBG_ENC, "could not decrypt payloads");
1605 return status;
1606 }
1607 }
1608
1609 status = verify(this);
1610 if (status != SUCCESS)
1611 {
1612 return status;
1613 }
1614
1615 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1616
1617 return SUCCESS;
1618 }
1619
1620 /**
1621 * Implementation of message_t.destroy.
1622 */
1623 static void destroy (private_message_t *this)
1624 {
1625 DESTROY_IF(this->ike_sa_id);
1626 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1627 this->packet->destroy(this->packet);
1628 this->parser->destroy(this->parser);
1629 free(this);
1630 }
1631
1632 /*
1633 * Described in Header-File
1634 */
1635 message_t *message_create_from_packet(packet_t *packet)
1636 {
1637 private_message_t *this = malloc_thing(private_message_t);
1638
1639 /* public functions */
1640 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1641 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1642 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1643 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1644 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1645 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1646 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1647 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1648 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1649 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1650 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1651 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1652 this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
1653 this->public.set_request = (void(*)(message_t*, bool))set_request;
1654 this->public.get_request = (bool(*)(message_t*))get_request;
1655 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1656 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1657 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1658 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1659 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1660 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1661 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1662 this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
1663 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1664 this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
1665 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1666 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1667 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1668 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1669 this->public.destroy = (void(*)(message_t*))destroy;
1670
1671 /* private values */
1672 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1673 this->is_request = TRUE;
1674 this->ike_sa_id = NULL;
1675 this->first_payload = NO_PAYLOAD;
1676 this->message_id = 0;
1677
1678 /* private values */
1679 if (packet == NULL)
1680 {
1681 packet = packet_create();
1682 }
1683 this->message_rule = NULL;
1684 this->packet = packet;
1685 this->payloads = linked_list_create();
1686
1687 /* parser is created from data of packet */
1688 this->parser = parser_create(this->packet->get_data(this->packet));
1689
1690 return (&this->public);
1691 }
1692
1693 /*
1694 * Described in Header.
1695 */
1696 message_t *message_create()
1697 {
1698 return message_create_from_packet(NULL);
1699 }
1700