added message id logging
[strongswan.git] / src / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include <stdlib.h>
26 #include <string.h>
27
28 #include "message.h"
29
30 #include <types.h>
31 #include <daemon.h>
32 #include <sa/ike_sa_id.h>
33 #include <encoding/generator.h>
34 #include <encoding/parser.h>
35 #include <utils/linked_list.h>
36 #include <utils/logger_manager.h>
37 #include <encoding/payloads/encodings.h>
38 #include <encoding/payloads/payload.h>
39 #include <encoding/payloads/encryption_payload.h>
40 #include <encoding/payloads/unknown_payload.h>
41
42 /**
43 * Max number of notify payloads per IKEv2 Message
44 */
45 #define MAX_NOTIFY_PAYLOADS 10
46
47
48 typedef struct payload_rule_t payload_rule_t;
49
50 /**
51 * A payload rule defines the rules for a payload
52 * in a specific message rule. It defines if and how
53 * many times a payload must/can occur in a message
54 * and if it must be encrypted.
55 */
56 struct payload_rule_t {
57 /**
58 * Payload type.
59 */
60 payload_type_t payload_type;
61
62 /**
63 * Minimal occurence of this payload.
64 */
65 size_t min_occurence;
66
67 /**
68 * Max occurence of this payload.
69 */
70 size_t max_occurence;
71
72 /**
73 * TRUE if payload must be encrypted
74 */
75 bool encrypted;
76
77 /**
78 * If this payload occurs, the message rule is
79 * fullfilled in any case. This applies e.g. to
80 * notify_payloads.
81 */
82 bool sufficient;
83 };
84
85 typedef struct message_rule_t message_rule_t;
86
87 /**
88 * A message rule defines the kind of a message,
89 * if it has encrypted contents and a list
90 * of payload rules.
91 *
92 */
93 struct message_rule_t {
94 /**
95 * Type of message.
96 */
97 exchange_type_t exchange_type;
98
99 /**
100 * Is message a request or response.
101 */
102 bool is_request;
103
104 /**
105 * Message contains encrypted content.
106 */
107 bool encrypted_content;
108
109 /**
110 * Number of payload rules which will follow
111 */
112 size_t payload_rule_count;
113
114 /**
115 * Pointer to first payload rule
116 */
117 payload_rule_t *payload_rules;
118 };
119
120 /**
121 * Message rule for IKE_SA_INIT from initiator.
122 */
123 static payload_rule_t ike_sa_init_i_payload_rules[] = {
124 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
125 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
126 {KEY_EXCHANGE,1,1,FALSE,FALSE},
127 {NONCE,1,1,FALSE,FALSE},
128 };
129
130 /**
131 * Message rule for IKE_SA_INIT from responder.
132 */
133 static payload_rule_t ike_sa_init_r_payload_rules[] = {
134 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
135 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
136 {KEY_EXCHANGE,1,1,FALSE,FALSE},
137 {NONCE,1,1,FALSE,FALSE},
138 };
139
140 /**
141 * Message rule for IKE_AUTH from initiator.
142 */
143 static payload_rule_t ike_auth_i_payload_rules[] = {
144 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
145 {ID_INITIATOR,1,1,TRUE,FALSE},
146 {CERTIFICATE,0,1,TRUE,FALSE},
147 {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
148 {ID_RESPONDER,0,1,TRUE,FALSE},
149 {AUTHENTICATION,1,1,TRUE,FALSE},
150 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
151 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
152 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
153 {CONFIGURATION,0,1,TRUE,FALSE},
154 };
155
156 /**
157 * Message rule for IKE_AUTH from responder.
158 */
159 static payload_rule_t ike_auth_r_payload_rules[] = {
160 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
161 {CERTIFICATE,0,1,TRUE,FALSE},
162 {ID_RESPONDER,1,1,TRUE,FALSE},
163 {AUTHENTICATION,1,1,TRUE,FALSE},
164 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
165 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
166 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
167 {CONFIGURATION,0,1,TRUE,FALSE},
168 };
169
170
171 /**
172 * Message rule for INFORMATIONAL from initiator.
173 */
174 static payload_rule_t informational_i_payload_rules[] = {
175 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
176 {CONFIGURATION,0,1,TRUE,FALSE},
177 {DELETE,0,1,TRUE,FALSE},
178
179 };
180
181 /**
182 * Message rule for INFORMATIONAL from responder.
183 */
184 static payload_rule_t informational_r_payload_rules[] = {
185 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
186 {CONFIGURATION,0,1,TRUE,FALSE},
187 {DELETE,0,1,TRUE,FALSE},
188 };
189
190 /**
191 * Message rule for CREATE_CHILD_SA from initiator.
192 */
193 static payload_rule_t create_child_sa_i_payload_rules[] = {
194 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
195 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
196 {NONCE,1,1,TRUE,FALSE},
197 {KEY_EXCHANGE,0,1,TRUE,FALSE},
198 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
199 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
200 {CONFIGURATION,0,1,TRUE,FALSE},
201 };
202
203 /**
204 * Message rule for CREATE_CHILD_SA from responder.
205 */
206 static payload_rule_t create_child_sa_r_payload_rules[] = {
207 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
208 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
209 {NONCE,1,1,TRUE,FALSE},
210 {KEY_EXCHANGE,0,1,TRUE,FALSE},
211 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
212 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
213 {CONFIGURATION,0,1,TRUE,FALSE},
214 };
215
216
217 /**
218 * Message rules, defines allowed payloads.
219 */
220 static message_rule_t message_rules[] = {
221 {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
222 {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
223 {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
224 {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
225 {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
226 {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
227 {CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
228 {CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
229 };
230
231
232 typedef struct private_message_t private_message_t;
233
234 /**
235 * Private data of an message_t object.
236 */
237 struct private_message_t {
238
239 /**
240 * Public part of a message_t object.
241 */
242 message_t public;
243
244 /**
245 * Minor version of message.
246 */
247 u_int8_t major_version;
248
249 /**
250 * Major version of message.
251 */
252 u_int8_t minor_version;
253
254 /**
255 * First Payload in message.
256 */
257 payload_type_t first_payload;
258
259 /**
260 * Assigned exchange type.
261 */
262 exchange_type_t exchange_type;
263
264 /**
265 * TRUE if message is a request, FALSE if a reply.
266 */
267 bool is_request;
268
269 /**
270 * Message ID of this message.
271 */
272 u_int32_t message_id;
273
274 /**
275 * ID of assigned IKE_SA.
276 */
277 ike_sa_id_t *ike_sa_id;
278
279 /**
280 * Assigned UDP packet, stores incoming packet or last generated one.
281 */
282 packet_t *packet;
283
284 /**
285 * Linked List where payload data are stored in.
286 */
287 linked_list_t *payloads;
288
289 /**
290 * Assigned parser to parse Header and Body of this message.
291 */
292 parser_t *parser;
293
294 /**
295 * The message rule for this message instance
296 */
297 message_rule_t *message_rule;
298
299 /**
300 * Assigned logger.
301 */
302 logger_t *logger;
303
304 /**
305 * Sets the private message_rule member to the rule which
306 * applies to this message. Must be called before get_payload_rule().
307 *
308 * @param this calling object
309 * @return
310 * - SUCCESS
311 * - NOT_FOUND if no message rule applies to this message.
312 */
313 status_t (*set_message_rule) (private_message_t *this);
314
315 /**
316 * Gets the payload_rule_t for a specific message_rule_t and payload type.
317 *
318 * @param this calling object
319 * @param payload_type payload type
320 * @param[out] payload_rule returned payload_rule_t
321 * @return
322 * - SUCCESS
323 * - NOT_FOUND if payload not defined in current message rule
324 * - INVALID_STATE if message rule is not set via set_message_rule()
325 */
326 status_t (*get_payload_rule) (private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule);
327
328 /**
329 * Encrypts all payloads which has to get encrypted.
330 *
331 * Can also be called with messages not containing encrypted content.
332 *
333 * @param this calling object
334 * @param crypter crypter_t object
335 * @param signer signer_t object
336 * @return
337 * - SUCCESS
338 * - INVALID_STATE if no crypter/signer supplied but needed
339 */
340 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
341
342 /**
343 * Decrypts encrypted contents, and checks if a payload is encrypted if it has to be.
344 *
345 * @param this calling object
346 * @param crypter crypter_t object
347 * @param signer signer_t object
348 * @return
349 * - SUCCESS
350 * - FAILED if decryption not successfull
351 * - INVALID_STATE if no crypter/signer supplied but needed
352 */
353 status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
354
355 /**
356 * Verifies the message. Checks for payloads count.
357 *
358 * @param calling object
359 * @return
360 * - SUCCESS if message valid, or
361 * - FAILED if message does not align with message rules.
362 */
363 status_t (*verify) (private_message_t *this);
364 };
365
366 /**
367 * Implementation of private_message_t.set_message_rule.
368 */
369 static status_t set_message_rule(private_message_t *this)
370 {
371 int i;
372
373 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
374 {
375 if ((this->exchange_type == message_rules[i].exchange_type) &&
376 (this->is_request == message_rules[i].is_request))
377 {
378 /* found rule for given exchange_type*/
379 this->message_rule = &(message_rules[i]);
380 return SUCCESS;
381 }
382 }
383 this->message_rule = NULL;
384 return NOT_FOUND;
385 }
386
387 /**
388 * Implementation of private_message_t.get_payload_rule.
389 */
390 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
391 {
392 int i;
393
394 for (i = 0; i < this->message_rule->payload_rule_count;i++)
395 {
396 if (this->message_rule->payload_rules[i].payload_type == payload_type)
397 {
398 *payload_rule = &(this->message_rule->payload_rules[i]);
399 return SUCCESS;
400 }
401 }
402
403 *payload_rule = NULL;
404 return NOT_FOUND;
405 }
406
407 /**
408 * Implementation of message_t.set_ike_sa_id.
409 */
410 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
411 {
412 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
413 }
414
415 /**
416 * Implementation of message_t.get_ike_sa_id.
417 */
418 static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
419 {
420 return this->ike_sa_id;
421 }
422
423 /**
424 * Implementation of message_t.set_message_id.
425 */
426 static void set_message_id (private_message_t *this,u_int32_t message_id)
427 {
428 this->message_id = message_id;
429 }
430
431 /**
432 * Implementation of message_t.get_message_id.
433 */
434 static u_int32_t get_message_id (private_message_t *this)
435 {
436 return this->message_id;
437 }
438
439 /**
440 * Implementation of message_t.get_initiator_spi.
441 */
442 static u_int64_t get_initiator_spi (private_message_t *this)
443 {
444 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
445 }
446
447 /**
448 * Implementation of message_t.get_responder_spi.
449 */
450 static u_int64_t get_responder_spi (private_message_t *this)
451 {
452 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
453 }
454
455 /**
456 * Implementation of message_t.set_major_version.
457 */
458 static void set_major_version (private_message_t *this,u_int8_t major_version)
459 {
460 this->major_version = major_version;
461 }
462
463
464 /**
465 * Implementation of message_t.set_major_version.
466 */
467 static u_int8_t get_major_version (private_message_t *this)
468 {
469 return this->major_version;
470 }
471
472 /**
473 * Implementation of message_t.set_minor_version.
474 */
475 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
476 {
477 this->minor_version = minor_version;
478 }
479
480 /**
481 * Implementation of message_t.get_minor_version.
482 */
483 static u_int8_t get_minor_version (private_message_t *this)
484 {
485 return this->minor_version;
486 }
487
488 /**
489 * Implementation of message_t.set_exchange_type.
490 */
491 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
492 {
493 this->exchange_type = exchange_type;
494 }
495
496 /**
497 * Implementation of message_t.get_exchange_type.
498 */
499 static exchange_type_t get_exchange_type (private_message_t *this)
500 {
501 return this->exchange_type;
502 }
503
504 /**
505 * Implementation of message_t.set_request.
506 */
507 static void set_request (private_message_t *this,bool request)
508 {
509 this->is_request = request;
510 }
511
512 /**
513 * Implementation of message_t.get_request.
514 */
515 static exchange_type_t get_request (private_message_t *this)
516 {
517 return this->is_request;
518 }
519
520 /**
521 * Is this message in an encoded form?
522 */
523 static bool is_encoded(private_message_t *this)
524 {
525 chunk_t data = this->packet->get_data(this->packet);
526
527 if (data.ptr == NULL)
528 {
529 return FALSE;
530 }
531 return TRUE;
532 }
533
534 /**
535 * Implementation of message_t.add_payload.
536 */
537 static void add_payload(private_message_t *this, payload_t *payload)
538 {
539 payload_t *last_payload;
540 if (this->payloads->get_count(this->payloads) > 0)
541 {
542 this->payloads->get_last(this->payloads,(void **) &last_payload);
543 last_payload->set_next_type(last_payload, payload->get_type(payload));
544 }
545 else
546 {
547 this->first_payload = payload->get_type(payload);
548 }
549 payload->set_next_type(payload, NO_PAYLOAD);
550 this->payloads->insert_last(this->payloads, (void*)payload);
551
552 this->logger->log(this->logger, CONTROL|LEVEL1, "added payload of type %s to message",
553 mapping_find(payload_type_m, payload->get_type(payload)));
554 }
555
556 /**
557 * Implementation of message_t.set_source.
558 */
559 static void set_source(private_message_t *this, host_t *host)
560 {
561 this->packet->set_source(this->packet, host);
562 }
563
564 /**
565 * Implementation of message_t.set_destination.
566 */
567 static void set_destination(private_message_t *this, host_t *host)
568 {
569
570 this->packet->set_destination(this->packet, host);
571 }
572
573 /**
574 * Implementation of message_t.get_source.
575 */
576 static host_t* get_source(private_message_t *this)
577 {
578 return this->packet->get_source(this->packet);
579 }
580
581 /**
582 * Implementation of message_t.get_destination.
583 */
584 static host_t * get_destination(private_message_t *this)
585 {
586 return this->packet->get_destination(this->packet);
587 }
588
589 /**
590 * Implementation of message_t.get_destination.
591 */
592 static iterator_t *get_payload_iterator(private_message_t *this)
593 {
594 return this->payloads->create_iterator(this->payloads, TRUE);
595 }
596
597 /**
598 * Build a string containing short names for all payload in this message
599 */
600 static void build_payload_string(private_message_t *this, char* buffer, size_t size)
601 {
602 iterator_t *iterator;
603 payload_t *payload;
604 bool first = TRUE;
605
606 *buffer = '\0';
607 size--;
608
609 iterator = this->payloads->create_iterator(this->payloads, TRUE);
610 while (iterator->iterate(iterator, (void**)&payload))
611 {
612 payload_type_t type = payload->get_type(payload);
613 char *name = mapping_find(payload_type_short_m, type);
614 size_t name_len = strlen(name);
615 if (!first)
616 {
617 strncat(buffer, " ", size);
618 if (size)
619 {
620 size--;
621 }
622 }
623 else
624 {
625 first = FALSE;
626 }
627 strncat(buffer, name, size);
628 if (name_len > size)
629 {
630 size = 0;
631 }
632 else
633 {
634 size -= name_len;
635 }
636 }
637 iterator->destroy(iterator);
638 }
639
640 /**
641 * Implementation of message_t.generate.
642 */
643 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
644 {
645 generator_t *generator;
646 ike_header_t *ike_header;
647 payload_t *payload, *next_payload;
648 iterator_t *iterator;
649 status_t status;
650 chunk_t packet_data;
651 char payload_names[128];
652
653 if (is_encoded(this))
654 {
655 /* already generated, return a new packet clone */
656 *packet = this->packet->clone(this->packet);
657 return SUCCESS;
658 }
659
660 build_payload_string(this, payload_names, sizeof(payload_names));
661 this->logger->log(this->logger, CONTROL, "generating %s %s (%d) [%s]",
662 mapping_find(exchange_type_m,this->exchange_type),
663 this->is_request ? "request" : "response",
664 this->message_id,
665 payload_names);
666
667 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
668 {
669 this->logger->log(this->logger, ERROR | LEVEL1, "exchange type %s is not defined",
670 mapping_find(exchange_type_m,this->exchange_type));
671 return INVALID_STATE;
672 }
673
674 if (this->packet->get_source(this->packet) == NULL ||
675 this->packet->get_destination(this->packet) == NULL)
676 {
677 this->logger->log(this->logger, ERROR|LEVEL1, "%s not defined",
678 !this->packet->get_source(this->packet) ? "source" : "destination");
679 return INVALID_STATE;
680 }
681
682 /* set the rules for this messge */
683 status = this->set_message_rule(this);
684 if (status != SUCCESS)
685 {
686 this->logger->log(this->logger, ERROR, "no message rules specified for a %s %s",
687 mapping_find(exchange_type_m,this->exchange_type),
688 this->is_request ? "request" : "response");
689 return NOT_SUPPORTED;
690 }
691
692
693 /* going to encrypt all content which have to be encrypted */
694 status = this->encrypt_payloads(this, crypter, signer);
695 if (status != SUCCESS)
696 {
697 this->logger->log(this->logger, ERROR | LEVEL1, "could not encrypt payloads");
698 return status;
699 }
700
701 /* build ike header */
702 ike_header = ike_header_create();
703
704 ike_header->set_exchange_type(ike_header, this->exchange_type);
705 ike_header->set_message_id(ike_header, this->message_id);
706 ike_header->set_response_flag(ike_header, !this->is_request);
707 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
708 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
709 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
710
711 generator = generator_create();
712
713 payload = (payload_t*)ike_header;
714
715
716 /* generate every payload expect last one, this is doen later*/
717 iterator = this->payloads->create_iterator(this->payloads, TRUE);
718 while(iterator->has_next(iterator))
719 {
720 iterator->current(iterator, (void**)&next_payload);
721 payload->set_next_type(payload, next_payload->get_type(next_payload));
722 generator->generate_payload(generator, payload);
723 payload = next_payload;
724 }
725 iterator->destroy(iterator);
726
727 /* last payload has no next payload*/
728 payload->set_next_type(payload, NO_PAYLOAD);
729
730 generator->generate_payload(generator, payload);
731
732 ike_header->destroy(ike_header);
733
734 /* build packet */
735 generator->write_to_chunk(generator, &packet_data);
736 generator->destroy(generator);
737
738 /* if last payload is of type encrypted, integrity checksum if necessary */
739 if (payload->get_type(payload) == ENCRYPTED)
740 {
741 this->logger->log(this->logger, CONTROL | LEVEL1, "build signature on whole message");
742 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
743 status = encryption_payload->build_signature(encryption_payload, packet_data);
744 if (status != SUCCESS)
745 {
746 return status;
747 }
748 }
749
750 this->packet->set_data(this->packet, packet_data);
751
752 /* clone packet for caller */
753 *packet = this->packet->clone(this->packet);
754
755 this->logger->log(this->logger, CONTROL|LEVEL1, "message of type %s generated successfully",
756 mapping_find(exchange_type_m,this->exchange_type));
757 return SUCCESS;
758 }
759
760 /**
761 * Implementation of message_t.get_packet.
762 */
763 static packet_t *get_packet (private_message_t *this)
764 {
765 return this->packet->clone(this->packet);
766 }
767
768 /**
769 * Implementation of message_t.get_packet_data.
770 */
771 static chunk_t get_packet_data (private_message_t *this)
772 {
773 return chunk_clone(this->packet->get_data(this->packet));
774 }
775
776 /**
777 * Implementation of message_t.parse_header.
778 */
779 static status_t parse_header(private_message_t *this)
780 {
781 ike_header_t *ike_header;
782 status_t status;
783
784
785 this->logger->log(this->logger, CONTROL|LEVEL1, "parsing Header of message");
786
787 this->parser->reset_context(this->parser);
788 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
789 if (status != SUCCESS)
790 {
791 this->logger->log(this->logger, ERROR | LEVEL1, "header could not be parsed");
792 return status;
793
794 }
795
796 /* verify payload */
797 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
798 if (status != SUCCESS)
799 {
800 this->logger->log(this->logger, ERROR | LEVEL1, "header verification failed");
801 ike_header->destroy(ike_header);
802 return status;
803 }
804
805 if (this->ike_sa_id != NULL)
806 {
807 this->ike_sa_id->destroy(this->ike_sa_id);
808 }
809
810 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
811 ike_header->get_responder_spi(ike_header),
812 ike_header->get_initiator_flag(ike_header));
813
814 this->exchange_type = ike_header->get_exchange_type(ike_header);
815 this->message_id = ike_header->get_message_id(ike_header);
816 this->is_request = (!(ike_header->get_response_flag(ike_header)));
817 this->major_version = ike_header->get_maj_version(ike_header);
818 this->minor_version = ike_header->get_min_version(ike_header);
819 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
820
821 this->logger->log(this->logger, CONTROL|LEVEL1, "parsed a %s %s",
822 mapping_find(exchange_type_m, this->exchange_type),
823 this->is_request ? "request" : "response");
824
825 ike_header->destroy(ike_header);
826
827 /* get the rules for this messge */
828 status = this->set_message_rule(this);
829 if (status != SUCCESS)
830 {
831 this->logger->log(this->logger, ERROR, "no message rules specified for a %s %s",
832 mapping_find(exchange_type_m,this->exchange_type),
833 this->is_request ? "request" : "response");
834 }
835
836 return status;
837 }
838
839 /**
840 * Implementation of message_t.parse_body.
841 */
842 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
843 {
844 status_t status = SUCCESS;
845 payload_type_t current_payload_type;
846 char payload_names[128];
847
848 current_payload_type = this->first_payload;
849
850 this->logger->log(this->logger, CONTROL|LEVEL1, "parsing body of message, first payload is %s",
851 mapping_find(payload_type_m, current_payload_type));
852
853 /* parse payload for payload, while there are more available */
854 while ((current_payload_type != NO_PAYLOAD))
855 {
856 payload_t *current_payload;
857
858 this->logger->log(this->logger, CONTROL|LEVEL2, "start parsing a %s payload",
859 mapping_find(payload_type_m, current_payload_type));
860
861 /* parse current payload */
862 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
863
864 if (status != SUCCESS)
865 {
866 this->logger->log(this->logger, ERROR, "payload type %s could not be parsed",
867 mapping_find(payload_type_m,current_payload_type));
868 return PARSE_ERROR;
869 }
870
871 this->logger->log(this->logger, CONTROL|LEVEL2, "verify payload of type %s",
872 mapping_find(payload_type_m, current_payload_type));
873
874 /* verify it, stop parsig if its invalid */
875 status = current_payload->verify(current_payload);
876 if (status != SUCCESS)
877 {
878 this->logger->log(this->logger, ERROR, "%s payload verification failed",
879 mapping_find(payload_type_m,current_payload_type));
880 current_payload->destroy(current_payload);
881 return VERIFY_ERROR;
882 }
883
884 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload verified. Adding to payload list",
885 mapping_find(payload_type_m, current_payload_type));
886 this->payloads->insert_last(this->payloads,current_payload);
887
888 /* an encryption payload is the last one, so STOP here. decryption is done later */
889 if (current_payload_type == ENCRYPTED)
890 {
891 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload found. Stop parsing",
892 mapping_find(payload_type_m, current_payload_type));
893 break;
894 }
895
896 /* get next payload type */
897 current_payload_type = current_payload->get_next_type(current_payload);
898 }
899
900 if (current_payload_type == ENCRYPTED)
901 {
902 status = this->decrypt_payloads(this,crypter,signer);
903 if (status != SUCCESS)
904 {
905 this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
906 return status;
907 }
908 }
909
910 status = this->verify(this);
911 if (status != SUCCESS)
912 {
913 this->logger->log(this->logger, ERROR, "verification of message failed");
914 return status;
915 }
916
917 build_payload_string(this, payload_names, sizeof(payload_names));
918 this->logger->log(this->logger, CONTROL, "parsed %s %s (%d) [%s]",
919 mapping_find(exchange_type_m, this->exchange_type),
920 this->is_request ? "request" : "response",
921 this->message_id,
922 payload_names);
923
924 return SUCCESS;
925 }
926
927 /**
928 * Implementation of private_message_t.verify.
929 */
930 static status_t verify(private_message_t *this)
931 {
932 int i;
933 iterator_t *iterator;
934 size_t total_found_payloads = 0;
935
936 this->logger->log(this->logger, CONTROL|LEVEL1, "verifying message structure");
937
938 iterator = this->payloads->create_iterator(this->payloads,TRUE);
939 /* check for payloads with wrong count*/
940 for (i = 0; i < this->message_rule->payload_rule_count;i++)
941 {
942 size_t found_payloads = 0;
943
944 /* check all payloads for specific rule */
945 iterator->reset(iterator);
946
947 while(iterator->has_next(iterator))
948 {
949 payload_t *current_payload;
950 payload_type_t current_payload_type;
951
952 iterator->current(iterator,(void **)&current_payload);
953 current_payload_type = current_payload->get_type(current_payload);
954
955 if (current_payload_type == UNKNOWN_PAYLOAD)
956 {
957 /* unknown payloads are ignored, IF they are not critical */
958 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
959 if (unknown_payload->is_critical(unknown_payload))
960 {
961 this->logger->log(this->logger, ERROR|LEVEL1, "%s (%d) is not supported, but its critical!",
962 mapping_find(payload_type_m, current_payload_type), current_payload_type);
963 iterator->destroy(iterator);
964 return NOT_SUPPORTED;
965 }
966 }
967 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
968 {
969 found_payloads++;
970 total_found_payloads++;
971 this->logger->log(this->logger, CONTROL|LEVEL2, "found payload of type %s",
972 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type));
973
974 /* as soon as ohe payload occures more then specified, the verification fails */
975 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
976 {
977 this->logger->log(this->logger, ERROR|LEVEL1, "payload of type %s more than %d times (%d) occured in current message",
978 mapping_find(payload_type_m, current_payload_type),
979 this->message_rule->payload_rules[i].max_occurence, found_payloads);
980 iterator->destroy(iterator);
981 return VERIFY_ERROR;
982 }
983 }
984 }
985
986 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
987 {
988 this->logger->log(this->logger, ERROR|LEVEL1, "payload of type %s not occured %d times (%d)",
989 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type),
990 this->message_rule->payload_rules[i].min_occurence, found_payloads);
991 iterator->destroy(iterator);
992 return VERIFY_ERROR;
993 }
994 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
995 {
996 iterator->destroy(iterator);
997 return SUCCESS;
998 }
999 }
1000 iterator->destroy(iterator);
1001 return SUCCESS;
1002 }
1003
1004
1005 /**
1006 * Implementation of private_message_t.decrypt_and_verify_payloads.
1007 */
1008 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
1009 {
1010 bool current_payload_was_encrypted = FALSE;
1011 payload_t *previous_payload = NULL;
1012 int payload_number = 1;
1013 iterator_t *iterator;
1014 status_t status;
1015
1016 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1017
1018 /* process each payload and decrypt a encryption payload */
1019 while(iterator->has_next(iterator))
1020 {
1021 payload_rule_t *payload_rule;
1022 payload_type_t current_payload_type;
1023 payload_t *current_payload;
1024
1025 /* get current payload */
1026 iterator->current(iterator,(void **)&current_payload);
1027
1028 /* needed to check */
1029 current_payload_type = current_payload->get_type(current_payload);
1030
1031 this->logger->log(this->logger, CONTROL|LEVEL2, "process payload of type %s",
1032 mapping_find(payload_type_m,current_payload_type));
1033
1034 if (current_payload_type == ENCRYPTED)
1035 {
1036 encryption_payload_t *encryption_payload;
1037 payload_t *current_encrypted_payload;
1038
1039 encryption_payload = (encryption_payload_t*)current_payload;
1040
1041 this->logger->log(this->logger, CONTROL | LEVEL2, "found an encryption payload");
1042
1043 if (payload_number != this->payloads->get_count(this->payloads))
1044 {
1045 /* encrypted payload is not last one */
1046 this->logger->log(this->logger, ERROR, "encrypted payload is not last payload");
1047 iterator->destroy(iterator);
1048 return VERIFY_ERROR;
1049 }
1050 /* decrypt */
1051 encryption_payload->set_transforms(encryption_payload, crypter, signer);
1052 this->logger->log(this->logger, CONTROL | LEVEL1, "verify signature of encryption payload");
1053 status = encryption_payload->verify_signature(encryption_payload, this->packet->get_data(this->packet));
1054 if (status != SUCCESS)
1055 {
1056 this->logger->log(this->logger, ERROR, "encryption payload signature invalid");
1057 iterator->destroy(iterator);
1058 return FAILED;
1059 }
1060 this->logger->log(this->logger, CONTROL | LEVEL2, "decrypt content of encryption payload");
1061 status = encryption_payload->decrypt(encryption_payload);
1062 if (status != SUCCESS)
1063 {
1064 this->logger->log(this->logger, ERROR,
1065 "encrypted payload could not be decrypted and parsed: %s",
1066 mapping_find(status_m, status));
1067 iterator->destroy(iterator);
1068 return PARSE_ERROR;
1069 }
1070
1071 /* needed later to find out if a payload was encrypted */
1072 current_payload_was_encrypted = TRUE;
1073
1074 /* check if there are payloads contained in the encryption payload */
1075 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1076 {
1077 this->logger->log(this->logger, CONTROL|LEVEL2, "encrypted payload is empty");
1078 /* remove the encryption payload, is not needed anymore */
1079 iterator->remove(iterator);
1080 /* encrypted payload contains no other payload */
1081 current_payload_type = NO_PAYLOAD;
1082 }
1083 else
1084 {
1085 /* encryption_payload is replaced with first payload contained in encryption_payload */
1086 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1087 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
1088 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
1089 }
1090
1091 /* is the current paylad the first in the message? */
1092 if (previous_payload == NULL)
1093 {
1094 /* yes, set the first payload type of the message to the current type */
1095 this->first_payload = current_payload_type;
1096 }
1097 else
1098 {
1099 /* no, set the next_type of the previous payload to the current type */
1100 previous_payload->set_next_type(previous_payload, current_payload_type);
1101 }
1102
1103 /* all encrypted payloads are added to the payload list */
1104 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1105 {
1106 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1107 this->logger->log(this->logger, CONTROL | LEVEL1,
1108 "insert unencrypted payload of type %s at end of list.",
1109 mapping_find(payload_type_m, current_encrypted_payload->get_type(current_encrypted_payload)));
1110 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1111 }
1112
1113 /* encryption payload is processed, payloads are moved. Destroy it. */
1114 encryption_payload->destroy(encryption_payload);
1115 }
1116
1117 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1118 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
1119 {
1120 /* get the ruleset for found payload */
1121 status = this->get_payload_rule(this, current_payload_type, &payload_rule);
1122 if (status != SUCCESS)
1123 {
1124 /* payload is not allowed */
1125 this->logger->log(this->logger, ERROR, "payload type %s not allowed",
1126 mapping_find(payload_type_m,current_payload_type));
1127 iterator->destroy(iterator);
1128 return VERIFY_ERROR;
1129 }
1130
1131 /* check if the payload was encrypted, and if it should been have encrypted */
1132 if (payload_rule->encrypted != current_payload_was_encrypted)
1133 {
1134 /* payload was not encrypted, but should have been. or vice-versa */
1135 this->logger->log(this->logger, ERROR, "payload type %s should be %s!",
1136 mapping_find(payload_type_m,current_payload_type),
1137 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1138 iterator->destroy(iterator);
1139 return VERIFY_ERROR;
1140 }
1141 }
1142 /* advance to the next payload */
1143 payload_number++;
1144 /* is stored to set next payload in case of found encryption payload */
1145 previous_payload = current_payload;
1146 }
1147 iterator->destroy(iterator);
1148 return SUCCESS;
1149 }
1150
1151 /**
1152 * Implementation of private_message_t.encrypt_payloads.
1153 */
1154 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
1155 {
1156 encryption_payload_t *encryption_payload = NULL;
1157 status_t status;
1158 linked_list_t *all_payloads;
1159
1160 if (!this->message_rule->encrypted_content)
1161 {
1162 this->logger->log(this->logger, CONTROL | LEVEL1, "message doesn't have to be encrypted");
1163 /* message contains no content to encrypt */
1164 return SUCCESS;
1165 }
1166
1167 this->logger->log(this->logger, CONTROL | LEVEL2, "copy all payloads to a temporary list");
1168 all_payloads = linked_list_create();
1169
1170 /* first copy all payloads in a temporary list */
1171 while (this->payloads->get_count(this->payloads) > 0)
1172 {
1173 void *current_payload;
1174 this->payloads->remove_first(this->payloads,&current_payload);
1175 all_payloads->insert_last(all_payloads,current_payload);
1176 }
1177
1178 encryption_payload = encryption_payload_create();
1179
1180 this->logger->log(this->logger, CONTROL | LEVEL2, "check each payloads if they have to get encrypted");
1181 while (all_payloads->get_count(all_payloads) > 0)
1182 {
1183 payload_rule_t *payload_rule;
1184 payload_t *current_payload;
1185 bool to_encrypt = FALSE;
1186
1187 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1188 this->logger->log(this->logger, CONTROL | LEVEL3, "get rule for payload %s",
1189 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1190
1191 status = this->get_payload_rule(this,current_payload->get_type(current_payload),&payload_rule);
1192 /* for payload types which are not found in supported payload list, it is presumed
1193 * that they don't have to be encrypted */
1194 if ((status == SUCCESS) && (payload_rule->encrypted))
1195 {
1196 this->logger->log(this->logger, CONTROL | LEVEL2, "payload %s has to get encrypted",
1197 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1198 to_encrypt = TRUE;
1199 }
1200 else if (status != SUCCESS)
1201 {
1202 this->logger->log(this->logger, CONTROL | LEVEL2, "payload %s not defined for exchange type %s. Handle it anyway",
1203 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
1204 mapping_find(exchange_type_m,this->exchange_type));
1205 }
1206
1207 if (to_encrypt)
1208 {
1209 this->logger->log(this->logger, CONTROL | LEVEL2, "insert payload %s to encryption payload",
1210 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1211
1212 encryption_payload->add_payload(encryption_payload,current_payload);
1213 }
1214 else
1215 {
1216 this->logger->log(this->logger, CONTROL | LEVEL2, "insert payload %s as payload wich does not have to be encrypted",
1217 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1218 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1219 }
1220 }
1221
1222 status = SUCCESS;
1223 this->logger->log(this->logger, CONTROL | LEVEL2, "set transforms for encryption payload ");
1224 encryption_payload->set_transforms(encryption_payload,crypter,signer);
1225 this->logger->log(this->logger, CONTROL | LEVEL1, "encrypt all payloads of encrypted payload");
1226 status = encryption_payload->encrypt(encryption_payload);
1227 this->logger->log(this->logger, CONTROL | LEVEL2, "add encrypted payload to payload list");
1228 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1229
1230 all_payloads->destroy(all_payloads);
1231
1232 return status;
1233 }
1234
1235
1236 /**
1237 * Implementation of message_t.destroy.
1238 */
1239 static void destroy (private_message_t *this)
1240 {
1241 iterator_t *iterator;
1242
1243 this->packet->destroy(this->packet);
1244
1245 if (this->ike_sa_id != NULL)
1246 {
1247 this->ike_sa_id->destroy(this->ike_sa_id);
1248 }
1249
1250 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1251 while (iterator->has_next(iterator))
1252 {
1253 payload_t *payload;
1254 iterator->current(iterator, (void**)&payload);
1255 payload->destroy(payload);
1256 }
1257 iterator->destroy(iterator);
1258 this->payloads->destroy(this->payloads);
1259 this->parser->destroy(this->parser);
1260
1261 free(this);
1262 }
1263
1264 /*
1265 * Described in Header-File
1266 */
1267 message_t *message_create_from_packet(packet_t *packet)
1268 {
1269 private_message_t *this = malloc_thing(private_message_t);
1270
1271 /* public functions */
1272 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1273 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1274 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1275 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1276 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1277 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1278 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1279 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1280 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1281 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1282 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1283 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1284 this->public.set_request = (void(*)(message_t*, bool))set_request;
1285 this->public.get_request = (bool(*)(message_t*))get_request;
1286 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1287 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1288 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1289 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1290 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1291 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1292 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1293 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1294 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1295 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1296 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1297 this->public.destroy = (void(*)(message_t*))destroy;
1298
1299 /* private values */
1300 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1301 this->is_request = TRUE;
1302 this->ike_sa_id = NULL;
1303 this->first_payload = NO_PAYLOAD;
1304 this->message_id = 0;
1305
1306 /* private functions */
1307 this->set_message_rule = set_message_rule;
1308 this->get_payload_rule = get_payload_rule;
1309 this->encrypt_payloads = encrypt_payloads;
1310 this->decrypt_payloads = decrypt_payloads;
1311 this->verify = verify;
1312
1313 /* private values */
1314 if (packet == NULL)
1315 {
1316 packet = packet_create();
1317 }
1318 this->message_rule = NULL;
1319 this->packet = packet;
1320 this->payloads = linked_list_create();
1321
1322 /* parser is created from data of packet */
1323 this->parser = parser_create(this->packet->get_data(this->packet));
1324
1325 this->logger = logger_manager->get_logger(logger_manager, MESSAGE);
1326
1327 return (&this->public);
1328 }
1329
1330 /*
1331 * Described in Header.
1332 */
1333 message_t *message_create()
1334 {
1335 return message_create_from_packet(NULL);
1336 }