removed trailing spaces ([[:space:]]+$)
[strongswan.git] / src / charon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <stdlib.h>
20 #include <string.h>
21
22 #include "message.h"
23
24 #include <library.h>
25 #include <daemon.h>
26 #include <sa/ike_sa_id.h>
27 #include <encoding/generator.h>
28 #include <encoding/parser.h>
29 #include <utils/linked_list.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/encryption_payload.h>
33 #include <encoding/payloads/unknown_payload.h>
34
35 /**
36 * Max number of notify payloads per IKEv2 Message
37 */
38 #define MAX_NOTIFY_PAYLOADS 20
39
40 /**
41 * Max number of delete payloads per IKEv2 Message
42 */
43 #define MAX_DELETE_PAYLOADS 20
44
45
46 typedef struct payload_rule_t payload_rule_t;
47
48 /**
49 * A payload rule defines the rules for a payload
50 * in a specific message rule. It defines if and how
51 * many times a payload must/can occur in a message
52 * and if it must be encrypted.
53 */
54 struct payload_rule_t {
55 /**
56 * Payload type.
57 */
58 payload_type_t payload_type;
59
60 /**
61 * Minimal occurence of this payload.
62 */
63 size_t min_occurence;
64
65 /**
66 * Max occurence of this payload.
67 */
68 size_t max_occurence;
69
70 /**
71 * TRUE if payload must be encrypted
72 */
73 bool encrypted;
74
75 /**
76 * If this payload occurs, the message rule is
77 * fullfilled in any case. This applies e.g. to
78 * notify_payloads.
79 */
80 bool sufficient;
81 };
82
83 typedef struct payload_order_t payload_order_t;
84
85 /**
86 * payload ordering structure allows us to reorder payloads according to RFC.
87 */
88 struct payload_order_t {
89
90 /**
91 * payload type
92 */
93 payload_type_t type;
94
95 /**
96 * notify type, if payload == NOTIFY
97 */
98 notify_type_t notify;
99 };
100
101
102 typedef struct message_rule_t message_rule_t;
103
104 /**
105 * A message rule defines the kind of a message,
106 * if it has encrypted contents and a list
107 * of payload ordering rules and payload parsing rules.
108 */
109 struct message_rule_t {
110 /**
111 * Type of message.
112 */
113 exchange_type_t exchange_type;
114
115 /**
116 * Is message a request or response.
117 */
118 bool is_request;
119
120 /**
121 * Message contains encrypted content.
122 */
123 bool encrypted_content;
124
125 /**
126 * Number of payload rules which will follow
127 */
128 int payload_rule_count;
129
130 /**
131 * Pointer to first payload rule
132 */
133 payload_rule_t *payload_rules;
134
135 /**
136 * Number of payload order rules
137 */
138 int payload_order_count;
139
140 /**
141 * payload ordering rules
142 */
143 payload_order_t *payload_order;
144 };
145
146 /**
147 * Message rule for IKE_SA_INIT from initiator.
148 */
149 static payload_rule_t ike_sa_init_i_payload_rules[] = {
150 /* payload type min max encr suff */
151 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
152 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
153 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
154 {NONCE, 1, 1, FALSE, FALSE},
155 {VENDOR_ID, 0, 10, FALSE, FALSE},
156 };
157
158 /**
159 * payload order for IKE_SA_INIT initiator
160 */
161 static payload_order_t ike_sa_init_i_payload_order[] = {
162 /* payload type notify type */
163 {NOTIFY, COOKIE},
164 {SECURITY_ASSOCIATION, 0},
165 {KEY_EXCHANGE, 0},
166 {NONCE, 0},
167 {NOTIFY, NAT_DETECTION_SOURCE_IP},
168 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
169 {NOTIFY, 0},
170 {VENDOR_ID, 0},
171 };
172
173 /**
174 * Message rule for IKE_SA_INIT from responder.
175 */
176 static payload_rule_t ike_sa_init_r_payload_rules[] = {
177 /* payload type min max encr suff */
178 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
179 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
180 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
181 {NONCE, 1, 1, FALSE, FALSE},
182 {VENDOR_ID, 0, 10, FALSE, FALSE},
183 };
184
185 /**
186 * payload order for IKE_SA_INIT responder
187 */
188 static payload_order_t ike_sa_init_r_payload_order[] = {
189 /* payload type notify type */
190 {SECURITY_ASSOCIATION, 0},
191 {KEY_EXCHANGE, 0},
192 {NONCE, 0},
193 {NOTIFY, NAT_DETECTION_SOURCE_IP},
194 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
195 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
196 {CERTIFICATE_REQUEST, 0},
197 {NOTIFY, 0},
198 {VENDOR_ID, 0},
199 };
200
201 /**
202 * Message rule for IKE_AUTH from initiator.
203 */
204 static payload_rule_t ike_auth_i_payload_rules[] = {
205 /* payload type min max encr suff */
206 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
207 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
208 {AUTHENTICATION, 0, 1, TRUE, TRUE},
209 {ID_INITIATOR, 0, 1, TRUE, FALSE},
210 {CERTIFICATE, 0, 4, TRUE, FALSE},
211 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
212 {ID_RESPONDER, 0, 1, TRUE, FALSE},
213 #ifdef ME
214 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
215 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
216 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
217 #else
218 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
219 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
220 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
221 #endif /* ME */
222 {CONFIGURATION, 0, 1, TRUE, FALSE},
223 {VENDOR_ID, 0, 10, TRUE, FALSE},
224 };
225
226 /**
227 * payload order for IKE_AUTH initiator
228 */
229 static payload_order_t ike_auth_i_payload_order[] = {
230 /* payload type notify type */
231 {ID_INITIATOR, 0},
232 {CERTIFICATE, 0},
233 {NOTIFY, INITIAL_CONTACT},
234 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
235 {CERTIFICATE_REQUEST, 0},
236 {ID_RESPONDER, 0},
237 {AUTHENTICATION, 0},
238 {EXTENSIBLE_AUTHENTICATION, 0},
239 {CONFIGURATION, 0},
240 {NOTIFY, IPCOMP_SUPPORTED},
241 {NOTIFY, USE_TRANSPORT_MODE},
242 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
243 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
244 {SECURITY_ASSOCIATION, 0},
245 {TRAFFIC_SELECTOR_INITIATOR, 0},
246 {TRAFFIC_SELECTOR_RESPONDER, 0},
247 {NOTIFY, MOBIKE_SUPPORTED},
248 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
249 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
250 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
251 {NOTIFY, 0},
252 {VENDOR_ID, 0},
253 };
254
255 /**
256 * Message rule for IKE_AUTH from responder.
257 */
258 static payload_rule_t ike_auth_r_payload_rules[] = {
259 /* payload type min max encr suff */
260 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
261 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
262 {AUTHENTICATION, 0, 1, TRUE, TRUE},
263 {CERTIFICATE, 0, 4, TRUE, FALSE},
264 {ID_RESPONDER, 0, 1, TRUE, FALSE},
265 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
266 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
267 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
268 {CONFIGURATION, 0, 1, TRUE, FALSE},
269 {VENDOR_ID, 0, 10, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for IKE_AUTH responder
274 */
275 static payload_order_t ike_auth_r_payload_order[] = {
276 /* payload type notify type */
277 {ID_RESPONDER, 0},
278 {CERTIFICATE, 0},
279 {AUTHENTICATION, 0},
280 {EXTENSIBLE_AUTHENTICATION, 0},
281 {CONFIGURATION, 0},
282 {NOTIFY, IPCOMP_SUPPORTED},
283 {NOTIFY, USE_TRANSPORT_MODE},
284 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
285 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
286 {SECURITY_ASSOCIATION, 0},
287 {TRAFFIC_SELECTOR_INITIATOR, 0},
288 {TRAFFIC_SELECTOR_RESPONDER, 0},
289 {NOTIFY, AUTH_LIFETIME},
290 {NOTIFY, MOBIKE_SUPPORTED},
291 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
292 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
293 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
294 {NOTIFY, 0},
295 {VENDOR_ID, 0},
296 };
297
298 /**
299 * Message rule for INFORMATIONAL from initiator.
300 */
301 static payload_rule_t informational_i_payload_rules[] = {
302 /* payload type min max encr suff */
303 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
304 {CONFIGURATION, 0, 1, TRUE, FALSE},
305 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
306 {VENDOR_ID, 0, 10, TRUE, FALSE},
307 };
308
309 /**
310 * payload order for INFORMATIONAL initiator
311 */
312 static payload_order_t informational_i_payload_order[] = {
313 /* payload type notify type */
314 {NOTIFY, UPDATE_SA_ADDRESSES},
315 {NOTIFY, NAT_DETECTION_SOURCE_IP},
316 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
317 {NOTIFY, COOKIE2},
318 {NOTIFY, 0},
319 {DELETE, 0},
320 {CONFIGURATION, 0},
321 };
322
323 /**
324 * Message rule for INFORMATIONAL from responder.
325 */
326 static payload_rule_t informational_r_payload_rules[] = {
327 /* payload type min max encr suff */
328 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
329 {CONFIGURATION, 0, 1, TRUE, FALSE},
330 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
331 {VENDOR_ID, 0, 10, TRUE, FALSE},
332 };
333
334 /**
335 * payload order for INFORMATIONAL responder
336 */
337 static payload_order_t informational_r_payload_order[] = {
338 /* payload type notify type */
339 {NOTIFY, UPDATE_SA_ADDRESSES},
340 {NOTIFY, NAT_DETECTION_SOURCE_IP},
341 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
342 {NOTIFY, COOKIE2},
343 {NOTIFY, 0},
344 {DELETE, 0},
345 {CONFIGURATION, 0},
346 };
347
348 /**
349 * Message rule for CREATE_CHILD_SA from initiator.
350 */
351 static payload_rule_t create_child_sa_i_payload_rules[] = {
352 /* payload type min max encr suff */
353 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
354 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
355 {NONCE, 1, 1, TRUE, FALSE},
356 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
357 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
359 {CONFIGURATION, 0, 1, TRUE, FALSE},
360 {VENDOR_ID, 0, 10, TRUE, FALSE},
361 };
362
363 /**
364 * payload order for CREATE_CHILD_SA from initiator.
365 */
366 static payload_order_t create_child_sa_i_payload_order[] = {
367 /* payload type notify type */
368 {NOTIFY, REKEY_SA},
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, 0},
379 };
380
381 /**
382 * Message rule for CREATE_CHILD_SA from responder.
383 */
384 static payload_rule_t create_child_sa_r_payload_rules[] = {
385 /* payload type min max encr suff */
386 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
387 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
388 {NONCE, 1, 1, TRUE, FALSE},
389 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
390 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
391 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
392 {CONFIGURATION, 0, 1, TRUE, FALSE},
393 {VENDOR_ID, 0, 10, TRUE, FALSE},
394 };
395
396 /**
397 * payload order for CREATE_CHILD_SA from responder.
398 */
399 static payload_order_t create_child_sa_r_payload_order[] = {
400 /* payload type notify type */
401 {NOTIFY, IPCOMP_SUPPORTED},
402 {NOTIFY, USE_TRANSPORT_MODE},
403 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
404 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
405 {SECURITY_ASSOCIATION, 0},
406 {NONCE, 0},
407 {KEY_EXCHANGE, 0},
408 {TRAFFIC_SELECTOR_INITIATOR, 0},
409 {TRAFFIC_SELECTOR_RESPONDER, 0},
410 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
411 {NOTIFY, 0},
412 };
413
414 #ifdef ME
415 /**
416 * Message rule for ME_CONNECT from initiator.
417 */
418 static payload_rule_t me_connect_i_payload_rules[] = {
419 /* payload type min max encr suff */
420 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
421 {ID_PEER, 1, 1, TRUE, FALSE},
422 {VENDOR_ID, 0, 10, TRUE, FALSE}
423 };
424
425 /**
426 * payload order for ME_CONNECT from initiator.
427 */
428 static payload_order_t me_connect_i_payload_order[] = {
429 /* payload type notify type */
430 {NOTIFY, 0},
431 {ID_PEER, 0},
432 {VENDOR_ID, 0},
433 };
434
435 /**
436 * Message rule for ME_CONNECT from responder.
437 */
438 static payload_rule_t me_connect_r_payload_rules[] = {
439 /* payload type min max encr suff */
440 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
441 {VENDOR_ID, 0, 10, TRUE, FALSE}
442 };
443
444 /**
445 * payload order for ME_CONNECT from responder.
446 */
447 static payload_order_t me_connect_r_payload_order[] = {
448 /* payload type notify type */
449 {NOTIFY, 0},
450 {VENDOR_ID, 0},
451 };
452 #endif /* ME */
453
454 /**
455 * Message rules, defines allowed payloads.
456 */
457 static message_rule_t message_rules[] = {
458 {IKE_SA_INIT, TRUE, FALSE,
459 (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
460 ike_sa_init_i_payload_rules,
461 (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
462 ike_sa_init_i_payload_order,
463 },
464 {IKE_SA_INIT, FALSE, FALSE,
465 (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
466 ike_sa_init_r_payload_rules,
467 (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
468 ike_sa_init_r_payload_order,
469 },
470 {IKE_AUTH, TRUE, TRUE,
471 (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
472 ike_auth_i_payload_rules,
473 (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
474 ike_auth_i_payload_order,
475 },
476 {IKE_AUTH, FALSE, TRUE,
477 (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
478 ike_auth_r_payload_rules,
479 (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
480 ike_auth_r_payload_order,
481 },
482 {INFORMATIONAL, TRUE, TRUE,
483 (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
484 informational_i_payload_rules,
485 (sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
486 informational_i_payload_order,
487 },
488 {INFORMATIONAL, FALSE, TRUE,
489 (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
490 informational_r_payload_rules,
491 (sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
492 informational_r_payload_order,
493 },
494 {CREATE_CHILD_SA, TRUE, TRUE,
495 (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
496 create_child_sa_i_payload_rules,
497 (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
498 create_child_sa_i_payload_order,
499 },
500 {CREATE_CHILD_SA, FALSE, TRUE,
501 (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
502 create_child_sa_r_payload_rules,
503 (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
504 create_child_sa_r_payload_order,
505 },
506 #ifdef ME
507 {ME_CONNECT, TRUE, TRUE,
508 (sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
509 me_connect_i_payload_rules,
510 (sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
511 me_connect_i_payload_order,
512 },
513 {ME_CONNECT, FALSE, TRUE,
514 (sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
515 me_connect_r_payload_rules,
516 (sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
517 me_connect_r_payload_order,
518 },
519 #endif /* ME */
520 };
521
522
523 typedef struct private_message_t private_message_t;
524
525 /**
526 * Private data of an message_t object.
527 */
528 struct private_message_t {
529
530 /**
531 * Public part of a message_t object.
532 */
533 message_t public;
534
535 /**
536 * Minor version of message.
537 */
538 u_int8_t major_version;
539
540 /**
541 * Major version of message.
542 */
543 u_int8_t minor_version;
544
545 /**
546 * First Payload in message.
547 */
548 payload_type_t first_payload;
549
550 /**
551 * Assigned exchange type.
552 */
553 exchange_type_t exchange_type;
554
555 /**
556 * TRUE if message is a request, FALSE if a reply.
557 */
558 bool is_request;
559
560 /**
561 * Message ID of this message.
562 */
563 u_int32_t message_id;
564
565 /**
566 * ID of assigned IKE_SA.
567 */
568 ike_sa_id_t *ike_sa_id;
569
570 /**
571 * Assigned UDP packet, stores incoming packet or last generated one.
572 */
573 packet_t *packet;
574
575 /**
576 * Linked List where payload data are stored in.
577 */
578 linked_list_t *payloads;
579
580 /**
581 * Assigned parser to parse Header and Body of this message.
582 */
583 parser_t *parser;
584
585 /**
586 * The message rule for this message instance
587 */
588 message_rule_t *message_rule;
589 };
590
591 /**
592 * Implementation of private_message_t.set_message_rule.
593 */
594 static status_t set_message_rule(private_message_t *this)
595 {
596 int i;
597
598 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
599 {
600 if ((this->exchange_type == message_rules[i].exchange_type) &&
601 (this->is_request == message_rules[i].is_request))
602 {
603 /* found rule for given exchange_type*/
604 this->message_rule = &(message_rules[i]);
605 return SUCCESS;
606 }
607 }
608 this->message_rule = NULL;
609 return NOT_FOUND;
610 }
611
612 /**
613 * Implementation of private_message_t.get_payload_rule.
614 */
615 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
616 {
617 int i;
618
619 for (i = 0; i < this->message_rule->payload_rule_count;i++)
620 {
621 if (this->message_rule->payload_rules[i].payload_type == payload_type)
622 {
623 *payload_rule = &(this->message_rule->payload_rules[i]);
624 return SUCCESS;
625 }
626 }
627
628 *payload_rule = NULL;
629 return NOT_FOUND;
630 }
631
632 /**
633 * Implementation of message_t.set_ike_sa_id.
634 */
635 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
636 {
637 DESTROY_IF(this->ike_sa_id);
638 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
639 }
640
641 /**
642 * Implementation of message_t.get_ike_sa_id.
643 */
644 static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
645 {
646 return this->ike_sa_id;
647 }
648
649 /**
650 * Implementation of message_t.set_message_id.
651 */
652 static void set_message_id (private_message_t *this,u_int32_t message_id)
653 {
654 this->message_id = message_id;
655 }
656
657 /**
658 * Implementation of message_t.get_message_id.
659 */
660 static u_int32_t get_message_id (private_message_t *this)
661 {
662 return this->message_id;
663 }
664
665 /**
666 * Implementation of message_t.get_initiator_spi.
667 */
668 static u_int64_t get_initiator_spi (private_message_t *this)
669 {
670 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
671 }
672
673 /**
674 * Implementation of message_t.get_responder_spi.
675 */
676 static u_int64_t get_responder_spi (private_message_t *this)
677 {
678 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
679 }
680
681 /**
682 * Implementation of message_t.set_major_version.
683 */
684 static void set_major_version (private_message_t *this,u_int8_t major_version)
685 {
686 this->major_version = major_version;
687 }
688
689
690 /**
691 * Implementation of message_t.set_major_version.
692 */
693 static u_int8_t get_major_version (private_message_t *this)
694 {
695 return this->major_version;
696 }
697
698 /**
699 * Implementation of message_t.set_minor_version.
700 */
701 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
702 {
703 this->minor_version = minor_version;
704 }
705
706 /**
707 * Implementation of message_t.get_minor_version.
708 */
709 static u_int8_t get_minor_version (private_message_t *this)
710 {
711 return this->minor_version;
712 }
713
714 /**
715 * Implementation of message_t.set_exchange_type.
716 */
717 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
718 {
719 this->exchange_type = exchange_type;
720 }
721
722 /**
723 * Implementation of message_t.get_exchange_type.
724 */
725 static exchange_type_t get_exchange_type (private_message_t *this)
726 {
727 return this->exchange_type;
728 }
729
730 /**
731 * Implementation of message_t.get_first_payload_type.
732 */
733 static payload_type_t get_first_payload_type (private_message_t *this)
734 {
735 return this->first_payload;
736 }
737
738 /**
739 * Implementation of message_t.set_request.
740 */
741 static void set_request (private_message_t *this,bool request)
742 {
743 this->is_request = request;
744 }
745
746 /**
747 * Implementation of message_t.get_request.
748 */
749 static exchange_type_t get_request (private_message_t *this)
750 {
751 return this->is_request;
752 }
753
754 /**
755 * Is this message in an encoded form?
756 */
757 static bool is_encoded(private_message_t *this)
758 {
759 chunk_t data = this->packet->get_data(this->packet);
760
761 if (data.ptr == NULL)
762 {
763 return FALSE;
764 }
765 return TRUE;
766 }
767
768 /**
769 * Implementation of message_t.add_payload.
770 */
771 static void add_payload(private_message_t *this, payload_t *payload)
772 {
773 payload_t *last_payload;
774
775 if (this->payloads->get_count(this->payloads) > 0)
776 {
777 this->payloads->get_last(this->payloads, (void **)&last_payload);
778 last_payload->set_next_type(last_payload, payload->get_type(payload));
779 }
780 else
781 {
782 this->first_payload = payload->get_type(payload);
783 }
784 payload->set_next_type(payload, NO_PAYLOAD);
785 this->payloads->insert_last(this->payloads, payload);
786
787 DBG2(DBG_ENC ,"added payload of type %N to message",
788 payload_type_names, payload->get_type(payload));
789 }
790
791 /**
792 * Implementation of message_t.add_notify.
793 */
794 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
795 chunk_t data)
796 {
797 notify_payload_t *notify;
798 payload_t *payload;
799
800 if (flush)
801 {
802 while (this->payloads->remove_last(this->payloads,
803 (void**)&payload) == SUCCESS)
804 {
805 payload->destroy(payload);
806 }
807 }
808 notify = notify_payload_create();
809 notify->set_notify_type(notify, type);
810 notify->set_notification_data(notify, data);
811 add_payload(this, (payload_t*)notify);
812 }
813
814 /**
815 * Implementation of message_t.set_source.
816 */
817 static void set_source(private_message_t *this, host_t *host)
818 {
819 this->packet->set_source(this->packet, host);
820 }
821
822 /**
823 * Implementation of message_t.set_destination.
824 */
825 static void set_destination(private_message_t *this, host_t *host)
826 {
827 this->packet->set_destination(this->packet, host);
828 }
829
830 /**
831 * Implementation of message_t.get_source.
832 */
833 static host_t* get_source(private_message_t *this)
834 {
835 return this->packet->get_source(this->packet);
836 }
837
838 /**
839 * Implementation of message_t.get_destination.
840 */
841 static host_t * get_destination(private_message_t *this)
842 {
843 return this->packet->get_destination(this->packet);
844 }
845
846 /**
847 * Implementation of message_t.create_payload_enumerator.
848 */
849 static enumerator_t *create_payload_enumerator(private_message_t *this)
850 {
851 return this->payloads->create_enumerator(this->payloads);
852 }
853
854 /**
855 * Implementation of message_t.get_payload.
856 */
857 static payload_t *get_payload(private_message_t *this, payload_type_t type)
858 {
859 payload_t *current, *found = NULL;
860 enumerator_t *enumerator;
861
862 enumerator = create_payload_enumerator(this);
863 while (enumerator->enumerate(enumerator, &current))
864 {
865 if (current->get_type(current) == type)
866 {
867 found = current;
868 break;
869 }
870 }
871 enumerator->destroy(enumerator);
872 return found;
873 }
874
875 /**
876 * Implementation of message_t.get_notify
877 */
878 static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
879 {
880 enumerator_t *enumerator;
881 notify_payload_t *notify = NULL;
882 payload_t *payload;
883
884 enumerator = create_payload_enumerator(this);
885 while (enumerator->enumerate(enumerator, &payload))
886 {
887 if (payload->get_type(payload) == NOTIFY)
888 {
889 notify = (notify_payload_t*)payload;
890 if (notify->get_notify_type(notify) == type)
891 {
892 break;
893 }
894 notify = NULL;
895 }
896 }
897 enumerator->destroy(enumerator);
898 return notify;
899 }
900
901 /**
902 * get a string representation of the message
903 */
904 static char* get_string(private_message_t *this, char *buf, int len)
905 {
906 enumerator_t *enumerator;
907 payload_t *payload;
908 int written;
909 char *pos = buf;
910
911 memset(buf, 0, len);
912 len--;
913
914 written = snprintf(pos, len, "%N %s %d [",
915 exchange_type_names, this->exchange_type,
916 this->is_request ? "request" : "response",
917 this->message_id);
918 if (written >= len || written < 0)
919 {
920 return "";
921 }
922 pos += written;
923 len -= written;
924
925 enumerator = create_payload_enumerator(this);
926 while (enumerator->enumerate(enumerator, &payload))
927 {
928 written = snprintf(pos, len, " %N", payload_type_short_names,
929 payload->get_type(payload));
930 if (written >= len || written < 0)
931 {
932 return buf;
933 }
934 pos += written;
935 len -= written;
936 if (payload->get_type(payload) == NOTIFY)
937 {
938 notify_payload_t *notify = (notify_payload_t*)payload;
939 written = snprintf(pos, len, "(%N)", notify_type_short_names,
940 notify->get_notify_type(notify));
941 if (written >= len || written < 0)
942 {
943 return buf;
944 }
945 pos += written;
946 len -= written;
947 }
948 }
949 enumerator->destroy(enumerator);
950
951 /* remove last space */
952 snprintf(pos, len, " ]");
953 return buf;
954 }
955
956 /**
957 * reorder payloads depending on reordering rules
958 */
959 static void order_payloads(private_message_t *this)
960 {
961 linked_list_t *list;
962 payload_t *payload;
963 int i;
964
965 /* move to temp list */
966 list = linked_list_create();
967 while (this->payloads->remove_last(this->payloads,
968 (void**)&payload) == SUCCESS)
969 {
970 list->insert_first(list, payload);
971 }
972 /* for each rule, ... */
973 for (i = 0; i < this->message_rule->payload_order_count; i++)
974 {
975 enumerator_t *enumerator;
976 notify_payload_t *notify;
977 payload_order_t order = this->message_rule->payload_order[i];
978
979 /* ... find all payload ... */
980 enumerator = list->create_enumerator(list);
981 while (enumerator->enumerate(enumerator, &payload))
982 {
983 /* ... with that type ... */
984 if (payload->get_type(payload) == order.type)
985 {
986 notify = (notify_payload_t*)payload;
987
988 /**... and check notify for type. */
989 if (order.type != NOTIFY || order.notify == 0 ||
990 order.notify == notify->get_notify_type(notify))
991 {
992 list->remove_at(list, enumerator);
993 add_payload(this, payload);
994 }
995 }
996 }
997 enumerator->destroy(enumerator);
998 }
999 /* append all payloads without a rule to the end */
1000 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1001 {
1002 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1003 payload_type_names, payload->get_type(payload),
1004 exchange_type_names, this->message_rule->exchange_type,
1005 this->message_rule->is_request ? "request" : "response");
1006 add_payload(this, payload);
1007 }
1008 list->destroy(list);
1009 }
1010
1011 /**
1012 * Implementation of private_message_t.encrypt_payloads.
1013 */
1014 static status_t encrypt_payloads(private_message_t *this,
1015 crypter_t *crypter, signer_t* signer)
1016 {
1017 encryption_payload_t *encryption_payload = NULL;
1018 status_t status;
1019 linked_list_t *all_payloads;
1020
1021 if (!this->message_rule->encrypted_content)
1022 {
1023 DBG2(DBG_ENC, "message doesn't have to be encrypted");
1024 /* message contains no content to encrypt */
1025 return SUCCESS;
1026 }
1027
1028 if (!crypter || !signer)
1029 {
1030 DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
1031 /* message contains no content to encrypt */
1032 return SUCCESS;
1033 }
1034
1035 DBG2(DBG_ENC, "copy all payloads to a temporary list");
1036 all_payloads = linked_list_create();
1037
1038 /* first copy all payloads in a temporary list */
1039 while (this->payloads->get_count(this->payloads) > 0)
1040 {
1041 void *current_payload;
1042 this->payloads->remove_first(this->payloads,&current_payload);
1043 all_payloads->insert_last(all_payloads,current_payload);
1044 }
1045
1046 encryption_payload = encryption_payload_create();
1047
1048 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
1049 while (all_payloads->get_count(all_payloads) > 0)
1050 {
1051 payload_rule_t *payload_rule;
1052 payload_t *current_payload;
1053 bool to_encrypt = FALSE;
1054
1055 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1056
1057 status = get_payload_rule(this,
1058 current_payload->get_type(current_payload),&payload_rule);
1059 /* for payload types which are not found in supported payload list,
1060 * it is presumed that they don't have to be encrypted */
1061 if ((status == SUCCESS) && (payload_rule->encrypted))
1062 {
1063 DBG2(DBG_ENC, "payload %N gets encrypted",
1064 payload_type_names, current_payload->get_type(current_payload));
1065 to_encrypt = TRUE;
1066 }
1067
1068 if (to_encrypt)
1069 {
1070 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1071 payload_type_names, current_payload->get_type(current_payload));
1072 encryption_payload->add_payload(encryption_payload,current_payload);
1073 }
1074 else
1075 {
1076 DBG2(DBG_ENC, "insert payload %N unencrypted",
1077 payload_type_names ,current_payload->get_type(current_payload));
1078 add_payload(this, (payload_t*)encryption_payload);
1079 }
1080 }
1081
1082 status = SUCCESS;
1083 DBG2(DBG_ENC, "encrypting encryption payload");
1084 encryption_payload->set_transforms(encryption_payload, crypter,signer);
1085 status = encryption_payload->encrypt(encryption_payload);
1086 DBG2(DBG_ENC, "add encrypted payload to payload list");
1087 add_payload(this, (payload_t*)encryption_payload);
1088
1089 all_payloads->destroy(all_payloads);
1090
1091 return status;
1092 }
1093
1094 /**
1095 * Implementation of message_t.generate.
1096 */
1097 static status_t generate(private_message_t *this, crypter_t *crypter,
1098 signer_t* signer, packet_t **packet)
1099 {
1100 generator_t *generator;
1101 ike_header_t *ike_header;
1102 payload_t *payload, *next_payload;
1103 enumerator_t *enumerator;
1104 status_t status;
1105 chunk_t packet_data;
1106 char str[256];
1107
1108 if (is_encoded(this))
1109 {
1110 /* already generated, return a new packet clone */
1111 *packet = this->packet->clone(this->packet);
1112 return SUCCESS;
1113 }
1114
1115 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1116 {
1117 DBG1(DBG_ENC, "exchange type is not defined");
1118 return INVALID_STATE;
1119 }
1120
1121 if (this->packet->get_source(this->packet) == NULL ||
1122 this->packet->get_destination(this->packet) == NULL)
1123 {
1124 DBG1(DBG_ENC, "%s not defined",
1125 !this->packet->get_source(this->packet) ? "source" : "destination");
1126 return INVALID_STATE;
1127 }
1128
1129 /* set the rules for this messge */
1130 status = set_message_rule(this);
1131 if (status != SUCCESS)
1132 {
1133 DBG1(DBG_ENC, "no message rules specified for this message type");
1134 return NOT_SUPPORTED;
1135 }
1136
1137 order_payloads(this);
1138
1139 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1140
1141 /* going to encrypt all content which have to be encrypted */
1142 status = encrypt_payloads(this, crypter, signer);
1143 if (status != SUCCESS)
1144 {
1145 DBG1(DBG_ENC, "payload encryption failed");
1146 return status;
1147 }
1148
1149 /* build ike header */
1150 ike_header = ike_header_create();
1151
1152 ike_header->set_exchange_type(ike_header, this->exchange_type);
1153 ike_header->set_message_id(ike_header, this->message_id);
1154 ike_header->set_response_flag(ike_header, !this->is_request);
1155 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
1156 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1157 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1158
1159 generator = generator_create();
1160
1161 payload = (payload_t*)ike_header;
1162
1163 /* generate every payload expect last one, this is done later*/
1164 enumerator = create_payload_enumerator(this);
1165 while (enumerator->enumerate(enumerator, &next_payload))
1166 {
1167 payload->set_next_type(payload, next_payload->get_type(next_payload));
1168 generator->generate_payload(generator, payload);
1169 payload = next_payload;
1170 }
1171 enumerator->destroy(enumerator);
1172
1173 /* last payload has no next payload*/
1174 payload->set_next_type(payload, NO_PAYLOAD);
1175
1176 generator->generate_payload(generator, payload);
1177
1178 ike_header->destroy(ike_header);
1179
1180 /* build packet */
1181 generator->write_to_chunk(generator, &packet_data);
1182 generator->destroy(generator);
1183
1184 /* if last payload is of type encrypted, integrity checksum if necessary */
1185 if (payload->get_type(payload) == ENCRYPTED)
1186 {
1187 DBG2(DBG_ENC, "build signature on whole message");
1188 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
1189 status = encryption_payload->build_signature(encryption_payload, packet_data);
1190 if (status != SUCCESS)
1191 {
1192 return status;
1193 }
1194 }
1195
1196 this->packet->set_data(this->packet, packet_data);
1197
1198 /* clone packet for caller */
1199 *packet = this->packet->clone(this->packet);
1200
1201 DBG2(DBG_ENC, "message generated successfully");
1202 return SUCCESS;
1203 }
1204
1205 /**
1206 * Implementation of message_t.get_packet.
1207 */
1208 static packet_t *get_packet (private_message_t *this)
1209 {
1210 if (this->packet == NULL)
1211 {
1212 return NULL;
1213 }
1214 return this->packet->clone(this->packet);
1215 }
1216
1217 /**
1218 * Implementation of message_t.get_packet_data.
1219 */
1220 static chunk_t get_packet_data (private_message_t *this)
1221 {
1222 if (this->packet == NULL)
1223 {
1224 return chunk_empty;
1225 }
1226 return chunk_clone(this->packet->get_data(this->packet));
1227 }
1228
1229 /**
1230 * Implementation of message_t.parse_header.
1231 */
1232 static status_t parse_header(private_message_t *this)
1233 {
1234 ike_header_t *ike_header;
1235 status_t status;
1236
1237 DBG2(DBG_ENC, "parsing header of message");
1238
1239 this->parser->reset_context(this->parser);
1240 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
1241 if (status != SUCCESS)
1242 {
1243 DBG1(DBG_ENC, "header could not be parsed");
1244 return status;
1245
1246 }
1247
1248 /* verify payload */
1249 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
1250 if (status != SUCCESS)
1251 {
1252 DBG1(DBG_ENC, "header verification failed");
1253 ike_header->destroy(ike_header);
1254 return status;
1255 }
1256
1257 if (this->ike_sa_id != NULL)
1258 {
1259 this->ike_sa_id->destroy(this->ike_sa_id);
1260 }
1261
1262 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1263 ike_header->get_responder_spi(ike_header),
1264 ike_header->get_initiator_flag(ike_header));
1265
1266 this->exchange_type = ike_header->get_exchange_type(ike_header);
1267 this->message_id = ike_header->get_message_id(ike_header);
1268 this->is_request = (!(ike_header->get_response_flag(ike_header)));
1269 this->major_version = ike_header->get_maj_version(ike_header);
1270 this->minor_version = ike_header->get_min_version(ike_header);
1271 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
1272
1273 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1274 this->is_request ? "request" : "response");
1275
1276 ike_header->destroy(ike_header);
1277
1278 /* get the rules for this messge */
1279 status = set_message_rule(this);
1280 if (status != SUCCESS)
1281 {
1282 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1283 exchange_type_names, this->exchange_type,
1284 this->is_request ? "request" : "response");
1285 }
1286
1287 return status;
1288 }
1289
1290 /**
1291 * Implementation of private_message_t.decrypt_and_verify_payloads.
1292 */
1293 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
1294 {
1295 bool current_payload_was_encrypted = FALSE;
1296 payload_t *previous_payload = NULL;
1297 int payload_number = 1;
1298 iterator_t *iterator;
1299 payload_t *current_payload;
1300 status_t status;
1301
1302 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1303
1304 /* process each payload and decrypt a encryption payload */
1305 while(iterator->iterate(iterator, (void**)&current_payload))
1306 {
1307 payload_rule_t *payload_rule;
1308 payload_type_t current_payload_type;
1309
1310 /* needed to check */
1311 current_payload_type = current_payload->get_type(current_payload);
1312
1313 DBG2(DBG_ENC, "process payload of type %N",
1314 payload_type_names, current_payload_type);
1315
1316 if (current_payload_type == ENCRYPTED)
1317 {
1318 encryption_payload_t *encryption_payload;
1319 payload_t *current_encrypted_payload;
1320
1321 encryption_payload = (encryption_payload_t*)current_payload;
1322
1323 DBG2(DBG_ENC, "found an encryption payload");
1324
1325 if (payload_number != this->payloads->get_count(this->payloads))
1326 {
1327 /* encrypted payload is not last one */
1328 DBG1(DBG_ENC, "encrypted payload is not last payload");
1329 iterator->destroy(iterator);
1330 return VERIFY_ERROR;
1331 }
1332 /* decrypt */
1333 encryption_payload->set_transforms(encryption_payload, crypter, signer);
1334 DBG2(DBG_ENC, "verify signature of encryption payload");
1335 status = encryption_payload->verify_signature(encryption_payload,
1336 this->packet->get_data(this->packet));
1337 if (status != SUCCESS)
1338 {
1339 DBG1(DBG_ENC, "encryption payload signature invalid");
1340 iterator->destroy(iterator);
1341 return FAILED;
1342 }
1343 DBG2(DBG_ENC, "decrypting content of encryption payload");
1344 status = encryption_payload->decrypt(encryption_payload);
1345 if (status != SUCCESS)
1346 {
1347 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
1348 iterator->destroy(iterator);
1349 return PARSE_ERROR;
1350 }
1351
1352 /* needed later to find out if a payload was encrypted */
1353 current_payload_was_encrypted = TRUE;
1354
1355 /* check if there are payloads contained in the encryption payload */
1356 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1357 {
1358 DBG2(DBG_ENC, "encrypted payload is empty");
1359 /* remove the encryption payload, is not needed anymore */
1360 iterator->remove(iterator);
1361 /* encrypted payload contains no other payload */
1362 current_payload_type = NO_PAYLOAD;
1363 }
1364 else
1365 {
1366 /* encryption_payload is replaced with first payload contained in encryption_payload */
1367 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1368 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
1369 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
1370 }
1371
1372 /* is the current paylad the first in the message? */
1373 if (previous_payload == NULL)
1374 {
1375 /* yes, set the first payload type of the message to the current type */
1376 this->first_payload = current_payload_type;
1377 }
1378 else
1379 {
1380 /* no, set the next_type of the previous payload to the current type */
1381 previous_payload->set_next_type(previous_payload, current_payload_type);
1382 }
1383
1384 /* all encrypted payloads are added to the payload list */
1385 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1386 {
1387 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1388 DBG2(DBG_ENC, "insert unencrypted payload of type %N at end of list",
1389 payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
1390 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1391 }
1392
1393 /* encryption payload is processed, payloads are moved. Destroy it. */
1394 encryption_payload->destroy(encryption_payload);
1395 }
1396
1397 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1398 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
1399 {
1400 /* get the ruleset for found payload */
1401 status = get_payload_rule(this, current_payload_type, &payload_rule);
1402 if (status != SUCCESS)
1403 {
1404 /* payload is not allowed */
1405 DBG1(DBG_ENC, "payload type %N not allowed",
1406 payload_type_names, current_payload_type);
1407 iterator->destroy(iterator);
1408 return VERIFY_ERROR;
1409 }
1410
1411 /* check if the payload was encrypted, and if it should been have encrypted */
1412 if (payload_rule->encrypted != current_payload_was_encrypted)
1413 {
1414 /* payload was not encrypted, but should have been. or vice-versa */
1415 DBG1(DBG_ENC, "payload type %N should be %s!",
1416 payload_type_names, current_payload_type,
1417 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1418 iterator->destroy(iterator);
1419 return VERIFY_ERROR;
1420 }
1421 }
1422 /* advance to the next payload */
1423 payload_number++;
1424 /* is stored to set next payload in case of found encryption payload */
1425 previous_payload = current_payload;
1426 }
1427 iterator->destroy(iterator);
1428 return SUCCESS;
1429 }
1430
1431 /**
1432 * Implementation of private_message_t.verify.
1433 */
1434 static status_t verify(private_message_t *this)
1435 {
1436 int i;
1437 enumerator_t *enumerator;
1438 payload_t *current_payload;
1439 size_t total_found_payloads = 0;
1440
1441 DBG2(DBG_ENC, "verifying message structure");
1442
1443 /* check for payloads with wrong count*/
1444 for (i = 0; i < this->message_rule->payload_rule_count; i++)
1445 {
1446 size_t found_payloads = 0;
1447 payload_rule_t *rule;
1448
1449 rule = &this->message_rule->payload_rules[i];
1450 enumerator = create_payload_enumerator(this);
1451
1452 /* check all payloads for specific rule */
1453 while (enumerator->enumerate(enumerator, &current_payload))
1454 {
1455 payload_type_t current_payload_type;
1456 unknown_payload_t *unknown_payload;
1457
1458 current_payload_type = current_payload->get_type(current_payload);
1459 if (current_payload_type == UNKNOWN_PAYLOAD)
1460 {
1461 /* unknown payloads are ignored, IF they are not critical */
1462 unknown_payload = (unknown_payload_t*)current_payload;
1463 if (unknown_payload->is_critical(unknown_payload))
1464 {
1465 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1466 payload_type_names, current_payload_type);
1467 enumerator->destroy(enumerator);
1468 return NOT_SUPPORTED;
1469 }
1470 }
1471 else if (current_payload_type == rule->payload_type)
1472 {
1473 found_payloads++;
1474 total_found_payloads++;
1475 DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
1476 rule->payload_type);
1477
1478 /* as soon as ohe payload occures more then specified,
1479 * the verification fails */
1480 if (found_payloads >
1481 rule->max_occurence)
1482 {
1483 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1484 "occured in current message", payload_type_names,
1485 current_payload_type, rule->max_occurence,
1486 found_payloads);
1487 enumerator->destroy(enumerator);
1488 return VERIFY_ERROR;
1489 }
1490 }
1491 }
1492
1493 if (found_payloads < rule->min_occurence)
1494 {
1495 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1496 payload_type_names, rule->payload_type, rule->min_occurence,
1497 found_payloads);
1498 enumerator->destroy(enumerator);
1499 return VERIFY_ERROR;
1500 }
1501 if (rule->sufficient &&
1502 this->payloads->get_count(this->payloads) == total_found_payloads)
1503 {
1504 enumerator->destroy(enumerator);
1505 return SUCCESS;
1506 }
1507 enumerator->destroy(enumerator);
1508 }
1509 return SUCCESS;
1510 }
1511
1512 /**
1513 * Implementation of message_t.parse_body.
1514 */
1515 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
1516 {
1517 status_t status = SUCCESS;
1518 payload_type_t current_payload_type;
1519 char str[256];
1520
1521 current_payload_type = this->first_payload;
1522
1523 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1524 payload_type_names, current_payload_type);
1525
1526 /* parse payload for payload, while there are more available */
1527 while ((current_payload_type != NO_PAYLOAD))
1528 {
1529 payload_t *current_payload;
1530
1531 DBG2(DBG_ENC, "starting parsing a %N payload",
1532 payload_type_names, current_payload_type);
1533
1534 /* parse current payload */
1535 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
1536
1537 if (status != SUCCESS)
1538 {
1539 DBG1(DBG_ENC, "payload type %N could not be parsed",
1540 payload_type_names, current_payload_type);
1541 return PARSE_ERROR;
1542 }
1543
1544 DBG2(DBG_ENC, "verifying payload of type %N",
1545 payload_type_names, current_payload_type);
1546
1547 /* verify it, stop parsig if its invalid */
1548 status = current_payload->verify(current_payload);
1549 if (status != SUCCESS)
1550 {
1551 DBG1(DBG_ENC, "%N payload verification failed",
1552 payload_type_names, current_payload_type);
1553 current_payload->destroy(current_payload);
1554 return VERIFY_ERROR;
1555 }
1556
1557 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1558 payload_type_names, current_payload_type);
1559 this->payloads->insert_last(this->payloads,current_payload);
1560
1561 /* an encryption payload is the last one, so STOP here. decryption is done later */
1562 if (current_payload_type == ENCRYPTED)
1563 {
1564 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1565 payload_type_names, current_payload_type);
1566 break;
1567 }
1568
1569 /* get next payload type */
1570 current_payload_type = current_payload->get_next_type(current_payload);
1571 }
1572
1573 if (current_payload_type == ENCRYPTED)
1574 {
1575 status = decrypt_payloads(this,crypter,signer);
1576 if (status != SUCCESS)
1577 {
1578 DBG1(DBG_ENC, "could not decrypt payloads");
1579 return status;
1580 }
1581 }
1582
1583 status = verify(this);
1584 if (status != SUCCESS)
1585 {
1586 return status;
1587 }
1588
1589 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1590
1591 return SUCCESS;
1592 }
1593
1594 /**
1595 * Implementation of message_t.destroy.
1596 */
1597 static void destroy (private_message_t *this)
1598 {
1599 DESTROY_IF(this->ike_sa_id);
1600 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1601 this->packet->destroy(this->packet);
1602 this->parser->destroy(this->parser);
1603 free(this);
1604 }
1605
1606 /*
1607 * Described in Header-File
1608 */
1609 message_t *message_create_from_packet(packet_t *packet)
1610 {
1611 private_message_t *this = malloc_thing(private_message_t);
1612
1613 /* public functions */
1614 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1615 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1616 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1617 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1618 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1619 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1620 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1621 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1622 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1623 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1624 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1625 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1626 this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
1627 this->public.set_request = (void(*)(message_t*, bool))set_request;
1628 this->public.get_request = (bool(*)(message_t*))get_request;
1629 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1630 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1631 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1632 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1633 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1634 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1635 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1636 this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
1637 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1638 this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
1639 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1640 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1641 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1642 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1643 this->public.destroy = (void(*)(message_t*))destroy;
1644
1645 /* private values */
1646 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1647 this->is_request = TRUE;
1648 this->ike_sa_id = NULL;
1649 this->first_payload = NO_PAYLOAD;
1650 this->message_id = 0;
1651
1652 /* private values */
1653 if (packet == NULL)
1654 {
1655 packet = packet_create();
1656 }
1657 this->message_rule = NULL;
1658 this->packet = packet;
1659 this->payloads = linked_list_create();
1660
1661 /* parser is created from data of packet */
1662 this->parser = parser_create(this->packet->get_data(this->packet));
1663
1664 return (&this->public);
1665 }
1666
1667 /*
1668 * Described in Header.
1669 */
1670 message_t *message_create()
1671 {
1672 return message_create_from_packet(NULL);
1673 }
1674