further work for rekeying:
[strongswan.git] / src / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24
25 #include "message.h"
26
27 #include <types.h>
28 #include <daemon.h>
29 #include <sa/ike_sa_id.h>
30 #include <encoding/generator.h>
31 #include <encoding/parser.h>
32 #include <utils/linked_list.h>
33 #include <utils/logger_manager.h>
34 #include <encoding/payloads/encodings.h>
35 #include <encoding/payloads/payload.h>
36 #include <encoding/payloads/encryption_payload.h>
37 #include <encoding/payloads/unknown_payload.h>
38
39 /**
40 * Max number of notify payloads per IKEv2 Message
41 */
42 #define MAX_NOTIFY_PAYLOADS 10
43
44
45 typedef struct payload_rule_t payload_rule_t;
46
47 /**
48 * A payload rule defines the rules for a payload
49 * in a specific message rule. It defines if and how
50 * many times a payload must/can occur in a message
51 * and if it must be encrypted.
52 */
53 struct payload_rule_t {
54 /**
55 * Payload type.
56 */
57 payload_type_t payload_type;
58
59 /**
60 * Minimal occurence of this payload.
61 */
62 size_t min_occurence;
63
64 /**
65 * Max occurence of this payload.
66 */
67 size_t max_occurence;
68
69 /**
70 * TRUE if payload must be encrypted
71 */
72 bool encrypted;
73
74 /**
75 * If this payload occurs, the message rule is
76 * fullfilled in any case. This applies e.g. to
77 * notify_payloads.
78 */
79 bool sufficient;
80 };
81
82 typedef struct message_rule_t message_rule_t;
83
84 /**
85 * A message rule defines the kind of a message,
86 * if it has encrypted contents and a list
87 * of payload rules.
88 *
89 */
90 struct message_rule_t {
91 /**
92 * Type of message.
93 */
94 exchange_type_t exchange_type;
95
96 /**
97 * Is message a request or response.
98 */
99 bool is_request;
100
101 /**
102 * Message contains encrypted content.
103 */
104 bool encrypted_content;
105
106 /**
107 * Number of payload rules which will follow
108 */
109 size_t payload_rule_count;
110
111 /**
112 * Pointer to first payload rule
113 */
114 payload_rule_t *payload_rules;
115 };
116
117 /**
118 * Message rule for IKE_SA_INIT from initiator.
119 */
120 static payload_rule_t ike_sa_init_i_payload_rules[] = {
121 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
122 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
123 {KEY_EXCHANGE,1,1,FALSE,FALSE},
124 {NONCE,1,1,FALSE,FALSE},
125 };
126
127 /**
128 * Message rule for IKE_SA_INIT from responder.
129 */
130 static payload_rule_t ike_sa_init_r_payload_rules[] = {
131 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
132 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
133 {KEY_EXCHANGE,1,1,FALSE,FALSE},
134 {NONCE,1,1,FALSE,FALSE},
135 };
136
137 /**
138 * Message rule for IKE_AUTH from initiator.
139 */
140 static payload_rule_t ike_auth_i_payload_rules[] = {
141 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
142 {ID_INITIATOR,1,1,TRUE,FALSE},
143 {CERTIFICATE,0,1,TRUE,FALSE},
144 {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
145 {ID_RESPONDER,0,1,TRUE,FALSE},
146 {AUTHENTICATION,1,1,TRUE,FALSE},
147 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
148 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
149 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
150 {CONFIGURATION,0,1,TRUE,FALSE},
151 };
152
153 /**
154 * Message rule for IKE_AUTH from responder.
155 */
156 static payload_rule_t ike_auth_r_payload_rules[] = {
157 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
158 {CERTIFICATE,0,1,TRUE,FALSE},
159 {ID_RESPONDER,1,1,TRUE,FALSE},
160 {AUTHENTICATION,1,1,TRUE,FALSE},
161 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
162 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
163 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
164 {CONFIGURATION,0,1,TRUE,FALSE},
165 };
166
167
168 /**
169 * Message rule for INFORMATIONAL from initiator.
170 */
171 static payload_rule_t informational_i_payload_rules[] = {
172 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
173 {CONFIGURATION,0,1,TRUE,FALSE},
174 {DELETE,0,1,TRUE,FALSE},
175
176 };
177
178 /**
179 * Message rule for INFORMATIONAL from responder.
180 */
181 static payload_rule_t informational_r_payload_rules[] = {
182 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
183 {CONFIGURATION,0,1,TRUE,FALSE},
184 {DELETE,0,1,TRUE,FALSE},
185 };
186
187 /**
188 * Message rule for CREATE_CHILD_SA from initiator.
189 */
190 static payload_rule_t create_child_sa_i_payload_rules[] = {
191 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
192 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
193 {NONCE,1,1,TRUE,FALSE},
194 {KEY_EXCHANGE,0,1,TRUE,FALSE},
195 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
196 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
197 {CONFIGURATION,0,1,TRUE,FALSE},
198 };
199
200 /**
201 * Message rule for CREATE_CHILD_SA from responder.
202 */
203 static payload_rule_t create_child_sa_r_payload_rules[] = {
204 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
205 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
206 {NONCE,1,1,TRUE,FALSE},
207 {KEY_EXCHANGE,0,1,TRUE,FALSE},
208 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
209 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
210 {CONFIGURATION,0,1,TRUE,FALSE},
211 };
212
213
214 /**
215 * Message rules, defines allowed payloads.
216 */
217 static message_rule_t message_rules[] = {
218 {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
219 {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
220 {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
221 {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
222 {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
223 {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
224 {CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
225 {CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
226 };
227
228
229 typedef struct private_message_t private_message_t;
230
231 /**
232 * Private data of an message_t object.
233 */
234 struct private_message_t {
235
236 /**
237 * Public part of a message_t object.
238 */
239 message_t public;
240
241 /**
242 * Minor version of message.
243 */
244 u_int8_t major_version;
245
246 /**
247 * Major version of message.
248 */
249 u_int8_t minor_version;
250
251 /**
252 * First Payload in message.
253 */
254 payload_type_t first_payload;
255
256 /**
257 * Assigned exchange type.
258 */
259 exchange_type_t exchange_type;
260
261 /**
262 * TRUE if message is a request, FALSE if a reply.
263 */
264 bool is_request;
265
266 /**
267 * Message ID of this message.
268 */
269 u_int32_t message_id;
270
271 /**
272 * ID of assigned IKE_SA.
273 */
274 ike_sa_id_t *ike_sa_id;
275
276 /**
277 * Assigned UDP packet, stores incoming packet or last generated one.
278 */
279 packet_t *packet;
280
281 /**
282 * Linked List where payload data are stored in.
283 */
284 linked_list_t *payloads;
285
286 /**
287 * Assigned parser to parse Header and Body of this message.
288 */
289 parser_t *parser;
290
291 /**
292 * The message rule for this message instance
293 */
294 message_rule_t *message_rule;
295
296 /**
297 * Assigned logger.
298 */
299 logger_t *logger;
300
301 /**
302 * Sets the private message_rule member to the rule which
303 * applies to this message. Must be called before get_payload_rule().
304 *
305 * @param this calling object
306 * @return
307 * - SUCCESS
308 * - NOT_FOUND if no message rule applies to this message.
309 */
310 status_t (*set_message_rule) (private_message_t *this);
311
312 /**
313 * Gets the payload_rule_t for a specific message_rule_t and payload type.
314 *
315 * @param this calling object
316 * @param payload_type payload type
317 * @param[out] payload_rule returned payload_rule_t
318 * @return
319 * - SUCCESS
320 * - NOT_FOUND if payload not defined in current message rule
321 * - INVALID_STATE if message rule is not set via set_message_rule()
322 */
323 status_t (*get_payload_rule) (private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule);
324
325 /**
326 * Encrypts all payloads which has to get encrypted.
327 *
328 * Can also be called with messages not containing encrypted content.
329 *
330 * @param this calling object
331 * @param crypter crypter_t object
332 * @param signer signer_t object
333 * @return
334 * - SUCCESS
335 * - INVALID_STATE if no crypter/signer supplied but needed
336 */
337 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
338
339 /**
340 * Decrypts encrypted contents, and checks if a payload is encrypted if it has to be.
341 *
342 * @param this calling object
343 * @param crypter crypter_t object
344 * @param signer signer_t object
345 * @return
346 * - SUCCESS
347 * - FAILED if decryption not successfull
348 * - INVALID_STATE if no crypter/signer supplied but needed
349 */
350 status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
351
352 /**
353 * Verifies the message. Checks for payloads count.
354 *
355 * @param calling object
356 * @return
357 * - SUCCESS if message valid, or
358 * - FAILED if message does not align with message rules.
359 */
360 status_t (*verify) (private_message_t *this);
361 };
362
363 /**
364 * Implementation of private_message_t.set_message_rule.
365 */
366 static status_t set_message_rule(private_message_t *this)
367 {
368 int i;
369
370 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
371 {
372 if ((this->exchange_type == message_rules[i].exchange_type) &&
373 (this->is_request == message_rules[i].is_request))
374 {
375 /* found rule for given exchange_type*/
376 this->message_rule = &(message_rules[i]);
377 return SUCCESS;
378 }
379 }
380 this->message_rule = NULL;
381 return NOT_FOUND;
382 }
383
384 /**
385 * Implementation of private_message_t.get_payload_rule.
386 */
387 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
388 {
389 int i;
390
391 for (i = 0; i < this->message_rule->payload_rule_count;i++)
392 {
393 if (this->message_rule->payload_rules[i].payload_type == payload_type)
394 {
395 *payload_rule = &(this->message_rule->payload_rules[i]);
396 return SUCCESS;
397 }
398 }
399
400 *payload_rule = NULL;
401 return NOT_FOUND;
402 }
403
404 /**
405 * Implementation of message_t.set_ike_sa_id.
406 */
407 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
408 {
409 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
410 }
411
412 /**
413 * Implementation of message_t.get_ike_sa_id.
414 */
415 static status_t get_ike_sa_id (private_message_t *this,ike_sa_id_t **ike_sa_id)
416 {
417 if (this->ike_sa_id == NULL)
418 {
419 return FAILED;
420 }
421 *ike_sa_id = this->ike_sa_id->clone(this->ike_sa_id);
422 return SUCCESS;
423 }
424
425 /**
426 * Implementation of message_t.set_message_id.
427 */
428 static void set_message_id (private_message_t *this,u_int32_t message_id)
429 {
430 this->message_id = message_id;
431 }
432
433 /**
434 * Implementation of message_t.get_message_id.
435 */
436 static u_int32_t get_message_id (private_message_t *this)
437 {
438 return this->message_id;
439 }
440
441 /**
442 * Implementation of message_t.get_responder_spi.
443 */
444 static u_int64_t get_responder_spi (private_message_t *this)
445 {
446 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
447 }
448
449 /**
450 * Implementation of message_t.set_major_version.
451 */
452 static void set_major_version (private_message_t *this,u_int8_t major_version)
453 {
454 this->major_version = major_version;
455 }
456
457
458 /**
459 * Implementation of message_t.set_major_version.
460 */
461 static u_int8_t get_major_version (private_message_t *this)
462 {
463 return this->major_version;
464 }
465
466 /**
467 * Implementation of message_t.set_minor_version.
468 */
469 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
470 {
471 this->minor_version = minor_version;
472 }
473
474 /**
475 * Implementation of message_t.get_minor_version.
476 */
477 static u_int8_t get_minor_version (private_message_t *this)
478 {
479 return this->minor_version;
480 }
481
482 /**
483 * Implementation of message_t.set_exchange_type.
484 */
485 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
486 {
487 this->exchange_type = exchange_type;
488 }
489
490 /**
491 * Implementation of message_t.get_exchange_type.
492 */
493 static exchange_type_t get_exchange_type (private_message_t *this)
494 {
495 return this->exchange_type;
496 }
497
498 /**
499 * Implementation of message_t.set_request.
500 */
501 static void set_request (private_message_t *this,bool request)
502 {
503 this->is_request = request;
504 }
505
506 /**
507 * Implementation of message_t.get_request.
508 */
509 static exchange_type_t get_request (private_message_t *this)
510 {
511 return this->is_request;
512 }
513
514 /**
515 * Implementation of message_t.add_payload.
516 */
517 static void add_payload(private_message_t *this, payload_t *payload)
518 {
519 payload_t *last_payload;
520 if (this->payloads->get_count(this->payloads) > 0)
521 {
522 this->payloads->get_last(this->payloads,(void **) &last_payload);
523 last_payload->set_next_type(last_payload, payload->get_type(payload));
524 }
525 else
526 {
527 this->first_payload = payload->get_type(payload);
528 }
529 payload->set_next_type(payload, NO_PAYLOAD);
530 this->payloads->insert_last(this->payloads, (void*)payload);
531
532 this->logger->log(this->logger, CONTROL|LEVEL1, "Added payload of type %s to message",
533 mapping_find(payload_type_m, payload->get_type(payload)));
534 }
535
536 /**
537 * Implementation of message_t.set_source.
538 */
539 static void set_source(private_message_t *this, host_t *host)
540 {
541 this->packet->set_source(this->packet, host);
542 }
543
544 /**
545 * Implementation of message_t.set_destination.
546 */
547 static void set_destination(private_message_t *this, host_t *host)
548 {
549
550 this->packet->set_destination(this->packet, host);
551 }
552
553 /**
554 * Implementation of message_t.get_source.
555 */
556 static host_t* get_source(private_message_t *this)
557 {
558 return this->packet->get_source(this->packet);
559 }
560
561 /**
562 * Implementation of message_t.get_destination.
563 */
564 static host_t * get_destination(private_message_t *this)
565 {
566 return this->packet->get_destination(this->packet);
567 }
568
569 /**
570 * Implementation of message_t.get_destination.
571 */
572 static iterator_t *get_payload_iterator(private_message_t *this)
573 {
574 return this->payloads->create_iterator(this->payloads, TRUE);
575 }
576
577
578 /**
579 * Implementation of message_t.generate.
580 */
581 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
582 {
583 generator_t *generator;
584 ike_header_t *ike_header;
585 payload_t *payload, *next_payload;
586 iterator_t *iterator;
587 status_t status;
588 chunk_t packet_data;
589
590 this->logger->log(this->logger, CONTROL, "Generating %s %s, contains %d payloads",
591 mapping_find(exchange_type_m,this->exchange_type),
592 this->is_request ? "request" : "response",
593 this->payloads->get_count(this->payloads));
594
595 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
596 {
597 this->logger->log(this->logger, ERROR | LEVEL1, "Exchange type %s is not defined",
598 mapping_find(exchange_type_m,this->exchange_type));
599 return INVALID_STATE;
600 }
601
602 if (this->packet->get_source(this->packet) == NULL ||
603 this->packet->get_destination(this->packet) == NULL)
604 {
605 this->logger->log(this->logger, ERROR|LEVEL1, "%s not defined",
606 !this->packet->get_source(this->packet) ? "source" : "destination");
607 return INVALID_STATE;
608 }
609
610 /* set the rules for this messge */
611 status = this->set_message_rule(this);
612 if (status != SUCCESS)
613 {
614 this->logger->log(this->logger, ERROR, "No message rules specified for a %s %s",
615 mapping_find(exchange_type_m,this->exchange_type),
616 this->is_request ? "request" : "response");
617 return NOT_SUPPORTED;
618 }
619
620
621 /* going to encrypt all content which have to be encrypted */
622 status = this->encrypt_payloads(this, crypter, signer);
623 if (status != SUCCESS)
624 {
625 this->logger->log(this->logger, ERROR | LEVEL1, "Could not encrypt payloads");
626 return status;
627 }
628
629 /* build ike header */
630 ike_header = ike_header_create();
631
632 ike_header->set_exchange_type(ike_header, this->exchange_type);
633 ike_header->set_message_id(ike_header, this->message_id);
634 ike_header->set_response_flag(ike_header, !this->is_request);
635 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
636 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
637 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
638
639 generator = generator_create();
640
641 payload = (payload_t*)ike_header;
642
643
644 /* generate every payload expect last one, this is doen later*/
645 iterator = this->payloads->create_iterator(this->payloads, TRUE);
646 while(iterator->has_next(iterator))
647 {
648 iterator->current(iterator, (void**)&next_payload);
649 payload->set_next_type(payload, next_payload->get_type(next_payload));
650 generator->generate_payload(generator, payload);
651 payload = next_payload;
652 }
653 iterator->destroy(iterator);
654
655 /* last payload has no next payload*/
656 payload->set_next_type(payload, NO_PAYLOAD);
657
658 generator->generate_payload(generator, payload);
659
660 ike_header->destroy(ike_header);
661
662 /* build packet */
663 generator->write_to_chunk(generator, &packet_data);
664 generator->destroy(generator);
665
666 /* if last payload is of type encrypted, integrity checksum if necessary */
667 if (payload->get_type(payload) == ENCRYPTED)
668 {
669 this->logger->log(this->logger, CONTROL | LEVEL1, "Build signature on whole message");
670 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
671 status = encryption_payload->build_signature(encryption_payload, packet_data);
672 if (status != SUCCESS)
673 {
674 return status;
675 }
676 }
677
678 this->packet->set_data(this->packet, packet_data);
679
680 /* clone packet for caller */
681 *packet = this->packet->clone(this->packet);
682
683 this->logger->log(this->logger, CONTROL|LEVEL1, "Message of type %s generated successfully",
684 mapping_find(exchange_type_m,this->exchange_type));
685 return SUCCESS;
686 }
687
688 /**
689 * Implementation of message_t.get_packet.
690 */
691 static packet_t *get_packet (private_message_t *this)
692 {
693 return this->packet->clone(this->packet);
694 }
695
696 /**
697 * Implementation of message_t.get_packet_data.
698 */
699 static chunk_t get_packet_data (private_message_t *this)
700 {
701 return chunk_clone(this->packet->get_data(this->packet));
702 }
703
704 /**
705 * Implementation of message_t.parse_header.
706 */
707 static status_t parse_header(private_message_t *this)
708 {
709 ike_header_t *ike_header;
710 status_t status;
711
712
713 this->logger->log(this->logger, CONTROL|LEVEL1, "parsing Header of message");
714
715 this->parser->reset_context(this->parser);
716 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
717 if (status != SUCCESS)
718 {
719 this->logger->log(this->logger, ERROR | LEVEL1, "Header could not be parsed");
720 return status;
721
722 }
723
724 /* verify payload */
725 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
726 if (status != SUCCESS)
727 {
728 this->logger->log(this->logger, ERROR | LEVEL1, "Header verification failed");
729 ike_header->destroy(ike_header);
730 return status;
731 }
732
733 if (this->ike_sa_id != NULL)
734 {
735 this->ike_sa_id->destroy(this->ike_sa_id);
736 }
737
738 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
739 ike_header->get_responder_spi(ike_header),
740 ike_header->get_initiator_flag(ike_header));
741
742 this->exchange_type = ike_header->get_exchange_type(ike_header);
743 this->message_id = ike_header->get_message_id(ike_header);
744 this->is_request = (!(ike_header->get_response_flag(ike_header)));
745 this->major_version = ike_header->get_maj_version(ike_header);
746 this->minor_version = ike_header->get_min_version(ike_header);
747 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
748
749 this->logger->log(this->logger, CONTROL|LEVEL1, "Parsed a %s %s",
750 mapping_find(exchange_type_m, this->exchange_type),
751 this->is_request ? "request" : "response");
752
753 ike_header->destroy(ike_header);
754
755 /* get the rules for this messge */
756 status = this->set_message_rule(this);
757 if (status != SUCCESS)
758 {
759 this->logger->log(this->logger, ERROR, "No message rules specified for a %s %s",
760 mapping_find(exchange_type_m,this->exchange_type),
761 this->is_request ? "request" : "response");
762 }
763
764 return status;
765 }
766
767 /**
768 * Implementation of message_t.parse_body.
769 */
770 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
771 {
772 status_t status = SUCCESS;
773 payload_type_t current_payload_type;
774
775 current_payload_type = this->first_payload;
776
777 this->logger->log(this->logger, CONTROL|LEVEL1, "Parsing body of message, first payload is %s",
778 mapping_find(payload_type_m, current_payload_type));
779
780 /* parse payload for payload, while there are more available */
781 while ((current_payload_type != NO_PAYLOAD))
782 {
783 payload_t *current_payload;
784
785 this->logger->log(this->logger, CONTROL|LEVEL2, "Start parsing a %s payload",
786 mapping_find(payload_type_m, current_payload_type));
787
788 /* parse current payload */
789 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
790
791 if (status != SUCCESS)
792 {
793 this->logger->log(this->logger, ERROR, "Payload type %s could not be parsed",
794 mapping_find(payload_type_m,current_payload_type));
795 return status;
796 }
797
798 this->logger->log(this->logger, CONTROL|LEVEL2, "Verify payload of type %s",
799 mapping_find(payload_type_m, current_payload_type));
800
801 /* verify it, stop parsig if its invalid */
802 status = current_payload->verify(current_payload);
803 if (status != SUCCESS)
804 {
805 this->logger->log(this->logger, ERROR, "%s payload verification failed",
806 mapping_find(payload_type_m,current_payload_type));
807 current_payload->destroy(current_payload);
808 status = VERIFY_ERROR;
809 return status;
810 }
811
812 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload verified. Adding to payload list",
813 mapping_find(payload_type_m, current_payload_type));
814 this->payloads->insert_last(this->payloads,current_payload);
815
816 /* an encryption payload is the last one, so STOP here. decryption is done later */
817 if (current_payload_type == ENCRYPTED)
818 {
819 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload found. Stop parsing",
820 mapping_find(payload_type_m, current_payload_type));
821 break;
822 }
823
824 /* get next payload type */
825 current_payload_type = current_payload->get_next_type(current_payload);
826 }
827
828 if (current_payload_type == ENCRYPTED)
829 status = this->decrypt_payloads(this,crypter,signer);
830 if (status != SUCCESS)
831 {
832 this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
833 return status;
834 }
835
836 status = this->verify(this);
837 if (status != SUCCESS)
838 {
839 this->logger->log(this->logger, ERROR, "Verification of message failed");
840 }
841
842 this->logger->log(this->logger, CONTROL, "Parsed %s %s, contains %d payloads",
843 mapping_find(exchange_type_m, this->exchange_type),
844 this->is_request ? "request" : "response",
845 this->payloads->get_count(this->payloads));
846
847 return status;
848 }
849
850 /**
851 * Implementation of private_message_t.verify.
852 */
853 static status_t verify(private_message_t *this)
854 {
855 int i;
856 iterator_t *iterator;
857 size_t total_found_payloads = 0;
858
859 this->logger->log(this->logger, CONTROL|LEVEL1, "Verifying message structure");
860
861 iterator = this->payloads->create_iterator(this->payloads,TRUE);
862 /* check for payloads with wrong count*/
863 for (i = 0; i < this->message_rule->payload_rule_count;i++)
864 {
865 size_t found_payloads = 0;
866
867 /* check all payloads for specific rule */
868 iterator->reset(iterator);
869
870 while(iterator->has_next(iterator))
871 {
872 payload_t *current_payload;
873 payload_type_t current_payload_type;
874
875 iterator->current(iterator,(void **)&current_payload);
876 current_payload_type = current_payload->get_type(current_payload);
877
878 if (current_payload_type == UNKNOWN_PAYLOAD)
879 {
880 /* unknown payloads are ignored, IF they are not critical */
881 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
882 if (unknown_payload->is_critical(unknown_payload))
883 {
884 this->logger->log(this->logger, ERROR|LEVEL1, "%s (%d) is not supported, but its critical!",
885 mapping_find(payload_type_m, current_payload_type), current_payload_type);
886 iterator->destroy(iterator);
887 return NOT_SUPPORTED;
888 }
889 }
890 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
891 {
892 found_payloads++;
893 total_found_payloads++;
894 this->logger->log(this->logger, CONTROL|LEVEL2, "Found payload of type %s",
895 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type));
896
897 /* as soon as ohe payload occures more then specified, the verification fails */
898 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
899 {
900 this->logger->log(this->logger, ERROR|LEVEL1, "Payload of type %s more than %d times (%d) occured in current message",
901 mapping_find(payload_type_m, current_payload_type),
902 this->message_rule->payload_rules[i].max_occurence, found_payloads);
903 iterator->destroy(iterator);
904 return FAILED;
905 }
906 }
907 }
908
909 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
910 {
911 this->logger->log(this->logger, ERROR|LEVEL1, "Payload of type %s not occured %d times (%d)",
912 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type),
913 this->message_rule->payload_rules[i].min_occurence, found_payloads);
914 iterator->destroy(iterator);
915 return FAILED;
916 }
917 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
918 {
919 iterator->destroy(iterator);
920 return SUCCESS;
921 }
922 }
923 iterator->destroy(iterator);
924 return SUCCESS;
925 }
926
927
928 /**
929 * Implementation of private_message_t.decrypt_and_verify_payloads.
930 */
931 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
932 {
933 bool current_payload_was_encrypted = FALSE;
934 payload_t *previous_payload = NULL;
935 int payload_number = 1;
936 iterator_t *iterator;
937 status_t status;
938
939 iterator = this->payloads->create_iterator(this->payloads,TRUE);
940
941 /* process each payload and decrypt a encryption payload */
942 while(iterator->has_next(iterator))
943 {
944 payload_rule_t *payload_rule;
945 payload_type_t current_payload_type;
946 payload_t *current_payload;
947
948 /* get current payload */
949 iterator->current(iterator,(void **)&current_payload);
950
951 /* needed to check */
952 current_payload_type = current_payload->get_type(current_payload);
953
954 this->logger->log(this->logger, CONTROL|LEVEL2, "Process payload of type %s",
955 mapping_find(payload_type_m,current_payload_type));
956
957 if (current_payload_type == ENCRYPTED)
958 {
959 encryption_payload_t *encryption_payload;
960 payload_t *current_encrypted_payload;
961
962 encryption_payload = (encryption_payload_t*)current_payload;
963
964 this->logger->log(this->logger, CONTROL | LEVEL2, "Found an encryption payload");
965
966 if (payload_number != this->payloads->get_count(this->payloads))
967 {
968 /* encrypted payload is not last one */
969 this->logger->log(this->logger, ERROR | LEVEL1, "Encrypted payload is not last payload");
970 iterator->destroy(iterator);
971 return FAILED;
972 }
973 /* decrypt */
974 encryption_payload->set_transforms(encryption_payload, crypter, signer);
975 this->logger->log(this->logger, CONTROL | LEVEL1, "Verify signature of encryption payload");
976 status = encryption_payload->verify_signature(encryption_payload, this->packet->get_data(this->packet));
977 if (status != SUCCESS)
978 {
979 this->logger->log(this->logger, ERROR | LEVEL1, "encryption payload signature invalid");
980 iterator->destroy(iterator);
981 return status;
982 }
983 this->logger->log(this->logger, CONTROL | LEVEL2, "Decrypt content of encryption payload");
984 status = encryption_payload->decrypt(encryption_payload);
985 if (status != SUCCESS)
986 {
987 this->logger->log(this->logger, ERROR | LEVEL1,
988 "Encrypted payload could not be decrypted and parsed: %s",
989 mapping_find(status_m, status));
990 iterator->destroy(iterator);
991 return status;
992 }
993
994 /* needed later to find out if a payload was encrypted */
995 current_payload_was_encrypted = TRUE;
996
997 /* check if there are payloads contained in the encryption payload */
998 if (encryption_payload->get_payload_count(encryption_payload) == 0)
999 {
1000 this->logger->log(this->logger, CONTROL|LEVEL2, "Encrypted payload is empty");
1001 /* remove the encryption payload, is not needed anymore */
1002 iterator->remove(iterator);
1003 /* encrypted payload contains no other payload */
1004 current_payload_type = NO_PAYLOAD;
1005 }
1006 else
1007 {
1008 /* encryption_payload is replaced with first payload contained in encryption_payload */
1009 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1010 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
1011 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
1012 }
1013
1014 /* is the current paylad the first in the message? */
1015 if (previous_payload == NULL)
1016 {
1017 /* yes, set the first payload type of the message to the current type */
1018 this->first_payload = current_payload_type;
1019 }
1020 else
1021 {
1022 /* no, set the next_type of the previous payload to the current type */
1023 previous_payload->set_next_type(previous_payload, current_payload_type);
1024 }
1025
1026 /* all encrypted payloads are added to the payload list */
1027 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1028 {
1029 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1030 this->logger->log(this->logger, CONTROL | LEVEL1,
1031 "Insert unencrypted payload of type %s at end of list.",
1032 mapping_find(payload_type_m, current_encrypted_payload->get_type(current_encrypted_payload)));
1033 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1034 }
1035
1036 /* encryption payload is processed, payloads are moved. Destroy it. */
1037 encryption_payload->destroy(encryption_payload);
1038 }
1039
1040 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1041 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
1042 {
1043 /* get the ruleset for found payload */
1044 status = this->get_payload_rule(this, current_payload_type, &payload_rule);
1045 if (status != SUCCESS)
1046 {
1047 /* payload is not allowed */
1048 this->logger->log(this->logger, ERROR | LEVEL1, "Payload type %s not allowed",
1049 mapping_find(payload_type_m,current_payload_type));
1050 iterator->destroy(iterator);
1051 return status;
1052 }
1053
1054 /* check if the payload was encrypted, and if it should been have encrypted */
1055 if (payload_rule->encrypted != current_payload_was_encrypted)
1056 {
1057 /* payload was not encrypted, but should have been. or vice-versa */
1058 this->logger->log(this->logger, ERROR | LEVEL1, "Payload type %s should be %s!",
1059 mapping_find(payload_type_m,current_payload_type),
1060 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1061 iterator->destroy(iterator);
1062 return FAILED;
1063 }
1064 }
1065 /* advance to the next payload */
1066 payload_number++;
1067 /* is stored to set next payload in case of found encryption payload */
1068 previous_payload = current_payload;
1069 }
1070 iterator->destroy(iterator);
1071 return SUCCESS;
1072 }
1073
1074 /**
1075 * Implementation of private_message_t.encrypt_payloads.
1076 */
1077 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
1078 {
1079 encryption_payload_t *encryption_payload = NULL;
1080 status_t status;
1081 linked_list_t *all_payloads;
1082
1083 if (!this->message_rule->encrypted_content)
1084 {
1085 this->logger->log(this->logger, CONTROL | LEVEL1, "Message doesn't have to be encrypted");
1086 /* message contains no content to encrypt */
1087 return SUCCESS;
1088 }
1089
1090 this->logger->log(this->logger, CONTROL | LEVEL2, "Copy all payloads to a temporary list");
1091 all_payloads = linked_list_create();
1092
1093 /* first copy all payloads in a temporary list */
1094 while (this->payloads->get_count(this->payloads) > 0)
1095 {
1096 void *current_payload;
1097 this->payloads->remove_first(this->payloads,&current_payload);
1098 all_payloads->insert_last(all_payloads,current_payload);
1099 }
1100
1101 encryption_payload = encryption_payload_create();
1102
1103 this->logger->log(this->logger, CONTROL | LEVEL2, "Check each payloads if they have to get encrypted");
1104 while (all_payloads->get_count(all_payloads) > 0)
1105 {
1106 payload_rule_t *payload_rule;
1107 payload_t *current_payload;
1108 bool to_encrypt = FALSE;
1109
1110 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1111 this->logger->log(this->logger, CONTROL | LEVEL3, "Get rule for payload %s",
1112 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1113
1114 status = this->get_payload_rule(this,current_payload->get_type(current_payload),&payload_rule);
1115 /* for payload types which are not found in supported payload list, it is presumed
1116 * that they don't have to be encrypted */
1117 if ((status == SUCCESS) && (payload_rule->encrypted))
1118 {
1119 this->logger->log(this->logger, CONTROL | LEVEL2, "Payload %s has to get encrypted",
1120 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1121 to_encrypt = TRUE;
1122 }
1123 else if (status != SUCCESS)
1124 {
1125 this->logger->log(this->logger, CONTROL | LEVEL2, "Payload %s not defined for exchange type %s. Handle it anyway",
1126 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
1127 mapping_find(exchange_type_m,this->exchange_type));
1128 }
1129
1130 if (to_encrypt)
1131 {
1132 this->logger->log(this->logger, CONTROL | LEVEL2, "Insert payload %s to encryption payload",
1133 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1134
1135 encryption_payload->add_payload(encryption_payload,current_payload);
1136 }
1137 else
1138 {
1139 this->logger->log(this->logger, CONTROL | LEVEL2, "Insert payload %s as payload wich does not have to be encrypted",
1140 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1141 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1142 }
1143 }
1144
1145 status = SUCCESS;
1146 this->logger->log(this->logger, CONTROL | LEVEL2, "Set transforms for encryption payload ");
1147 encryption_payload->set_transforms(encryption_payload,crypter,signer);
1148 this->logger->log(this->logger, CONTROL | LEVEL1, "Encrypt all payloads of encrypted payload");
1149 status = encryption_payload->encrypt(encryption_payload);
1150 this->logger->log(this->logger, CONTROL | LEVEL2, "Add encrypted payload to payload list");
1151 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1152
1153 all_payloads->destroy(all_payloads);
1154
1155 return status;
1156 }
1157
1158
1159 /**
1160 * Implementation of message_t.destroy.
1161 */
1162 static void destroy (private_message_t *this)
1163 {
1164 iterator_t *iterator;
1165
1166 this->logger->log(this->logger, CONTROL|LEVEL3, "Going to destroy message_t object");
1167
1168 this->packet->destroy(this->packet);
1169
1170 if (this->ike_sa_id != NULL)
1171 {
1172 this->ike_sa_id->destroy(this->ike_sa_id);
1173 }
1174
1175 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1176 while (iterator->has_next(iterator))
1177 {
1178 payload_t *payload;
1179 iterator->current(iterator, (void**)&payload);
1180 this->logger->log(this->logger, CONTROL|LEVEL3, "Destroying payload of type %s",
1181 mapping_find(payload_type_m, payload->get_type(payload)));
1182 payload->destroy(payload);
1183 }
1184 iterator->destroy(iterator);
1185 this->payloads->destroy(this->payloads);
1186 this->parser->destroy(this->parser);
1187
1188 free(this);
1189 }
1190
1191 /*
1192 * Described in Header-File
1193 */
1194 message_t *message_create_from_packet(packet_t *packet)
1195 {
1196 private_message_t *this = malloc_thing(private_message_t);
1197
1198 /* public functions */
1199 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1200 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1201 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1202 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1203 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1204 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1205 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1206 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1207 this->public.get_ike_sa_id = (status_t(*)(message_t*, ike_sa_id_t **))get_ike_sa_id;
1208 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1209 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1210 this->public.set_request = (void(*)(message_t*, bool))set_request;
1211 this->public.get_request = (bool(*)(message_t*))get_request;
1212 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1213 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1214 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1215 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1216 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1217 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1218 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1219 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1220 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1221 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1222 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1223 this->public.destroy = (void(*)(message_t*))destroy;
1224
1225 /* private values */
1226 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1227 this->is_request = TRUE;
1228 this->ike_sa_id = NULL;
1229 this->first_payload = NO_PAYLOAD;
1230 this->message_id = 0;
1231
1232 /* private functions */
1233 this->set_message_rule = set_message_rule;
1234 this->get_payload_rule = get_payload_rule;
1235 this->encrypt_payloads = encrypt_payloads;
1236 this->decrypt_payloads = decrypt_payloads;
1237 this->verify = verify;
1238
1239 /* private values */
1240 if (packet == NULL)
1241 {
1242 packet = packet_create();
1243 }
1244 this->message_rule = NULL;
1245 this->packet = packet;
1246 this->payloads = linked_list_create();
1247
1248 /* parser is created from data of packet */
1249 this->parser = parser_create(this->packet->get_data(this->packet));
1250
1251 this->logger = logger_manager->get_logger(logger_manager, MESSAGE);
1252
1253 return (&this->public);
1254 }
1255
1256 /*
1257 * Described in Header.
1258 */
1259 message_t *message_create()
1260 {
1261 return message_create_from_packet(NULL);
1262 }
1263
1264 /*
1265 * Described in Header.
1266 */
1267 message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type)
1268 {
1269 message_t *message = message_create_from_packet(NULL);
1270 notify_payload_t *payload;
1271
1272 message->set_source(message, source->clone(source));
1273 message->set_destination(message, destination->clone(destination));
1274 message->set_exchange_type(message, exchange_type);
1275 message->set_request(message, FALSE);
1276 message->set_message_id(message,0);
1277 message->set_ike_sa_id(message, ike_sa_id);
1278
1279 payload = notify_payload_create_from_protocol_and_type(PROTO_IKE, notify_type);
1280 message->add_payload(message,(payload_t *) payload);
1281
1282 return message;
1283 }