Do not complain about missing payload order rules for private use payloads
[strongswan.git] / src / charon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <stdlib.h>
20 #include <string.h>
21
22 #include "message.h"
23
24 #include <library.h>
25 #include <daemon.h>
26 #include <sa/ike_sa_id.h>
27 #include <encoding/generator.h>
28 #include <encoding/parser.h>
29 #include <utils/linked_list.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/encryption_payload.h>
33 #include <encoding/payloads/unknown_payload.h>
34
35 /**
36 * Max number of notify payloads per IKEv2 Message
37 */
38 #define MAX_NOTIFY_PAYLOADS 20
39
40 /**
41 * Max number of delete payloads per IKEv2 Message
42 */
43 #define MAX_DELETE_PAYLOADS 20
44
45
46 typedef struct payload_rule_t payload_rule_t;
47
48 /**
49 * A payload rule defines the rules for a payload
50 * in a specific message rule. It defines if and how
51 * many times a payload must/can occur in a message
52 * and if it must be encrypted.
53 */
54 struct payload_rule_t {
55 /**
56 * Payload type.
57 */
58 payload_type_t payload_type;
59
60 /**
61 * Minimal occurence of this payload.
62 */
63 size_t min_occurence;
64
65 /**
66 * Max occurence of this payload.
67 */
68 size_t max_occurence;
69
70 /**
71 * TRUE if payload must be encrypted
72 */
73 bool encrypted;
74
75 /**
76 * If this payload occurs, the message rule is
77 * fullfilled in any case. This applies e.g. to
78 * notify_payloads.
79 */
80 bool sufficient;
81 };
82
83 typedef struct payload_order_t payload_order_t;
84
85 /**
86 * payload ordering structure allows us to reorder payloads according to RFC.
87 */
88 struct payload_order_t {
89
90 /**
91 * payload type
92 */
93 payload_type_t type;
94
95 /**
96 * notify type, if payload == NOTIFY
97 */
98 notify_type_t notify;
99 };
100
101
102 typedef struct message_rule_t message_rule_t;
103
104 /**
105 * A message rule defines the kind of a message,
106 * if it has encrypted contents and a list
107 * of payload ordering rules and payload parsing rules.
108 */
109 struct message_rule_t {
110 /**
111 * Type of message.
112 */
113 exchange_type_t exchange_type;
114
115 /**
116 * Is message a request or response.
117 */
118 bool is_request;
119
120 /**
121 * Message contains encrypted content.
122 */
123 bool encrypted_content;
124
125 /**
126 * Number of payload rules which will follow
127 */
128 int payload_rule_count;
129
130 /**
131 * Pointer to first payload rule
132 */
133 payload_rule_t *payload_rules;
134
135 /**
136 * Number of payload order rules
137 */
138 int payload_order_count;
139
140 /**
141 * payload ordering rules
142 */
143 payload_order_t *payload_order;
144 };
145
146 /**
147 * Message rule for IKE_SA_INIT from initiator.
148 */
149 static payload_rule_t ike_sa_init_i_payload_rules[] = {
150 /* payload type min max encr suff */
151 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
152 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
153 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
154 {NONCE, 1, 1, FALSE, FALSE},
155 {VENDOR_ID, 0, 10, FALSE, FALSE},
156 };
157
158 /**
159 * payload order for IKE_SA_INIT initiator
160 */
161 static payload_order_t ike_sa_init_i_payload_order[] = {
162 /* payload type notify type */
163 {NOTIFY, COOKIE},
164 {SECURITY_ASSOCIATION, 0},
165 {KEY_EXCHANGE, 0},
166 {NONCE, 0},
167 {NOTIFY, NAT_DETECTION_SOURCE_IP},
168 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
169 {NOTIFY, 0},
170 {VENDOR_ID, 0},
171 };
172
173 /**
174 * Message rule for IKE_SA_INIT from responder.
175 */
176 static payload_rule_t ike_sa_init_r_payload_rules[] = {
177 /* payload type min max encr suff */
178 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
179 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
180 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
181 {NONCE, 1, 1, FALSE, FALSE},
182 {VENDOR_ID, 0, 10, FALSE, FALSE},
183 };
184
185 /**
186 * payload order for IKE_SA_INIT responder
187 */
188 static payload_order_t ike_sa_init_r_payload_order[] = {
189 /* payload type notify type */
190 {SECURITY_ASSOCIATION, 0},
191 {KEY_EXCHANGE, 0},
192 {NONCE, 0},
193 {NOTIFY, NAT_DETECTION_SOURCE_IP},
194 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
195 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
196 {CERTIFICATE_REQUEST, 0},
197 {NOTIFY, 0},
198 {VENDOR_ID, 0},
199 };
200
201 /**
202 * Message rule for IKE_AUTH from initiator.
203 */
204 static payload_rule_t ike_auth_i_payload_rules[] = {
205 /* payload type min max encr suff */
206 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
207 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
208 {AUTHENTICATION, 0, 1, TRUE, TRUE},
209 {ID_INITIATOR, 0, 1, TRUE, FALSE},
210 {CERTIFICATE, 0, 4, TRUE, FALSE},
211 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
212 {ID_RESPONDER, 0, 1, TRUE, FALSE},
213 #ifdef ME
214 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
215 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
216 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
217 #else
218 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
219 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
220 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
221 #endif /* ME */
222 {CONFIGURATION, 0, 1, TRUE, FALSE},
223 {VENDOR_ID, 0, 10, TRUE, FALSE},
224 };
225
226 /**
227 * payload order for IKE_AUTH initiator
228 */
229 static payload_order_t ike_auth_i_payload_order[] = {
230 /* payload type notify type */
231 {ID_INITIATOR, 0},
232 {CERTIFICATE, 0},
233 {NOTIFY, INITIAL_CONTACT},
234 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
235 {CERTIFICATE_REQUEST, 0},
236 {ID_RESPONDER, 0},
237 {AUTHENTICATION, 0},
238 {EXTENSIBLE_AUTHENTICATION, 0},
239 {CONFIGURATION, 0},
240 {NOTIFY, IPCOMP_SUPPORTED},
241 {NOTIFY, USE_TRANSPORT_MODE},
242 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
243 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
244 {SECURITY_ASSOCIATION, 0},
245 {TRAFFIC_SELECTOR_INITIATOR, 0},
246 {TRAFFIC_SELECTOR_RESPONDER, 0},
247 {NOTIFY, MOBIKE_SUPPORTED},
248 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
249 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
250 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
251 {NOTIFY, 0},
252 {VENDOR_ID, 0},
253 };
254
255 /**
256 * Message rule for IKE_AUTH from responder.
257 */
258 static payload_rule_t ike_auth_r_payload_rules[] = {
259 /* payload type min max encr suff */
260 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
261 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
262 {AUTHENTICATION, 0, 1, TRUE, TRUE},
263 {CERTIFICATE, 0, 4, TRUE, FALSE},
264 {ID_RESPONDER, 0, 1, TRUE, FALSE},
265 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
266 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
267 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
268 {CONFIGURATION, 0, 1, TRUE, FALSE},
269 {VENDOR_ID, 0, 10, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for IKE_AUTH responder
274 */
275 static payload_order_t ike_auth_r_payload_order[] = {
276 /* payload type notify type */
277 {ID_RESPONDER, 0},
278 {CERTIFICATE, 0},
279 {AUTHENTICATION, 0},
280 {EXTENSIBLE_AUTHENTICATION, 0},
281 {CONFIGURATION, 0},
282 {NOTIFY, IPCOMP_SUPPORTED},
283 {NOTIFY, USE_TRANSPORT_MODE},
284 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
285 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
286 {SECURITY_ASSOCIATION, 0},
287 {TRAFFIC_SELECTOR_INITIATOR, 0},
288 {TRAFFIC_SELECTOR_RESPONDER, 0},
289 {NOTIFY, AUTH_LIFETIME},
290 {NOTIFY, MOBIKE_SUPPORTED},
291 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
292 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
293 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
294 {NOTIFY, 0},
295 {VENDOR_ID, 0},
296 };
297
298 /**
299 * Message rule for INFORMATIONAL from initiator.
300 */
301 static payload_rule_t informational_i_payload_rules[] = {
302 /* payload type min max encr suff */
303 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
304 {CONFIGURATION, 0, 1, TRUE, FALSE},
305 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
306 {VENDOR_ID, 0, 10, TRUE, FALSE},
307 };
308
309 /**
310 * payload order for INFORMATIONAL initiator
311 */
312 static payload_order_t informational_i_payload_order[] = {
313 /* payload type notify type */
314 {NOTIFY, UPDATE_SA_ADDRESSES},
315 {NOTIFY, NAT_DETECTION_SOURCE_IP},
316 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
317 {NOTIFY, COOKIE2},
318 {NOTIFY, 0},
319 {DELETE, 0},
320 {CONFIGURATION, 0},
321 };
322
323 /**
324 * Message rule for INFORMATIONAL from responder.
325 */
326 static payload_rule_t informational_r_payload_rules[] = {
327 /* payload type min max encr suff */
328 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
329 {CONFIGURATION, 0, 1, TRUE, FALSE},
330 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
331 {VENDOR_ID, 0, 10, TRUE, FALSE},
332 };
333
334 /**
335 * payload order for INFORMATIONAL responder
336 */
337 static payload_order_t informational_r_payload_order[] = {
338 /* payload type notify type */
339 {NOTIFY, UPDATE_SA_ADDRESSES},
340 {NOTIFY, NAT_DETECTION_SOURCE_IP},
341 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
342 {NOTIFY, COOKIE2},
343 {NOTIFY, 0},
344 {DELETE, 0},
345 {CONFIGURATION, 0},
346 };
347
348 /**
349 * Message rule for CREATE_CHILD_SA from initiator.
350 */
351 static payload_rule_t create_child_sa_i_payload_rules[] = {
352 /* payload type min max encr suff */
353 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
354 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
355 {NONCE, 1, 1, TRUE, FALSE},
356 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
357 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
359 {CONFIGURATION, 0, 1, TRUE, FALSE},
360 {VENDOR_ID, 0, 10, TRUE, FALSE},
361 };
362
363 /**
364 * payload order for CREATE_CHILD_SA from initiator.
365 */
366 static payload_order_t create_child_sa_i_payload_order[] = {
367 /* payload type notify type */
368 {NOTIFY, REKEY_SA},
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, 0},
379 };
380
381 /**
382 * Message rule for CREATE_CHILD_SA from responder.
383 */
384 static payload_rule_t create_child_sa_r_payload_rules[] = {
385 /* payload type min max encr suff */
386 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
387 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
388 {NONCE, 1, 1, TRUE, FALSE},
389 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
390 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
391 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
392 {CONFIGURATION, 0, 1, TRUE, FALSE},
393 {VENDOR_ID, 0, 10, TRUE, FALSE},
394 };
395
396 /**
397 * payload order for CREATE_CHILD_SA from responder.
398 */
399 static payload_order_t create_child_sa_r_payload_order[] = {
400 /* payload type notify type */
401 {NOTIFY, IPCOMP_SUPPORTED},
402 {NOTIFY, USE_TRANSPORT_MODE},
403 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
404 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
405 {SECURITY_ASSOCIATION, 0},
406 {NONCE, 0},
407 {KEY_EXCHANGE, 0},
408 {TRAFFIC_SELECTOR_INITIATOR, 0},
409 {TRAFFIC_SELECTOR_RESPONDER, 0},
410 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
411 {NOTIFY, 0},
412 };
413
414 #ifdef ME
415 /**
416 * Message rule for ME_CONNECT from initiator.
417 */
418 static payload_rule_t me_connect_i_payload_rules[] = {
419 /* payload type min max encr suff */
420 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
421 {ID_PEER, 1, 1, TRUE, FALSE},
422 {VENDOR_ID, 0, 10, TRUE, FALSE}
423 };
424
425 /**
426 * payload order for ME_CONNECT from initiator.
427 */
428 static payload_order_t me_connect_i_payload_order[] = {
429 /* payload type notify type */
430 {NOTIFY, 0},
431 {ID_PEER, 0},
432 {VENDOR_ID, 0},
433 };
434
435 /**
436 * Message rule for ME_CONNECT from responder.
437 */
438 static payload_rule_t me_connect_r_payload_rules[] = {
439 /* payload type min max encr suff */
440 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
441 {VENDOR_ID, 0, 10, TRUE, FALSE}
442 };
443
444 /**
445 * payload order for ME_CONNECT from responder.
446 */
447 static payload_order_t me_connect_r_payload_order[] = {
448 /* payload type notify type */
449 {NOTIFY, 0},
450 {VENDOR_ID, 0},
451 };
452 #endif /* ME */
453
454 /**
455 * Message rules, defines allowed payloads.
456 */
457 static message_rule_t message_rules[] = {
458 {IKE_SA_INIT, TRUE, FALSE,
459 (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
460 ike_sa_init_i_payload_rules,
461 (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
462 ike_sa_init_i_payload_order,
463 },
464 {IKE_SA_INIT, FALSE, FALSE,
465 (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
466 ike_sa_init_r_payload_rules,
467 (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
468 ike_sa_init_r_payload_order,
469 },
470 {IKE_AUTH, TRUE, TRUE,
471 (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
472 ike_auth_i_payload_rules,
473 (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
474 ike_auth_i_payload_order,
475 },
476 {IKE_AUTH, FALSE, TRUE,
477 (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
478 ike_auth_r_payload_rules,
479 (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
480 ike_auth_r_payload_order,
481 },
482 {INFORMATIONAL, TRUE, TRUE,
483 (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
484 informational_i_payload_rules,
485 (sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
486 informational_i_payload_order,
487 },
488 {INFORMATIONAL, FALSE, TRUE,
489 (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
490 informational_r_payload_rules,
491 (sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
492 informational_r_payload_order,
493 },
494 {CREATE_CHILD_SA, TRUE, TRUE,
495 (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
496 create_child_sa_i_payload_rules,
497 (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
498 create_child_sa_i_payload_order,
499 },
500 {CREATE_CHILD_SA, FALSE, TRUE,
501 (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
502 create_child_sa_r_payload_rules,
503 (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
504 create_child_sa_r_payload_order,
505 },
506 #ifdef ME
507 {ME_CONNECT, TRUE, TRUE,
508 (sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
509 me_connect_i_payload_rules,
510 (sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
511 me_connect_i_payload_order,
512 },
513 {ME_CONNECT, FALSE, TRUE,
514 (sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
515 me_connect_r_payload_rules,
516 (sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
517 me_connect_r_payload_order,
518 },
519 #endif /* ME */
520 };
521
522
523 typedef struct private_message_t private_message_t;
524
525 /**
526 * Private data of an message_t object.
527 */
528 struct private_message_t {
529
530 /**
531 * Public part of a message_t object.
532 */
533 message_t public;
534
535 /**
536 * Minor version of message.
537 */
538 u_int8_t major_version;
539
540 /**
541 * Major version of message.
542 */
543 u_int8_t minor_version;
544
545 /**
546 * First Payload in message.
547 */
548 payload_type_t first_payload;
549
550 /**
551 * Assigned exchange type.
552 */
553 exchange_type_t exchange_type;
554
555 /**
556 * TRUE if message is a request, FALSE if a reply.
557 */
558 bool is_request;
559
560 /**
561 * Message ID of this message.
562 */
563 u_int32_t message_id;
564
565 /**
566 * ID of assigned IKE_SA.
567 */
568 ike_sa_id_t *ike_sa_id;
569
570 /**
571 * Assigned UDP packet, stores incoming packet or last generated one.
572 */
573 packet_t *packet;
574
575 /**
576 * Linked List where payload data are stored in.
577 */
578 linked_list_t *payloads;
579
580 /**
581 * Assigned parser to parse Header and Body of this message.
582 */
583 parser_t *parser;
584
585 /**
586 * The message rule for this message instance
587 */
588 message_rule_t *message_rule;
589 };
590
591 /**
592 * Implementation of private_message_t.set_message_rule.
593 */
594 static status_t set_message_rule(private_message_t *this)
595 {
596 int i;
597
598 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
599 {
600 if ((this->exchange_type == message_rules[i].exchange_type) &&
601 (this->is_request == message_rules[i].is_request))
602 {
603 /* found rule for given exchange_type*/
604 this->message_rule = &(message_rules[i]);
605 return SUCCESS;
606 }
607 }
608 this->message_rule = NULL;
609 return NOT_FOUND;
610 }
611
612 /**
613 * Implementation of private_message_t.get_payload_rule.
614 */
615 static status_t get_payload_rule(private_message_t *this,
616 payload_type_t payload_type, payload_rule_t **payload_rule)
617 {
618 int i;
619
620 for (i = 0; i < this->message_rule->payload_rule_count;i++)
621 {
622 if (this->message_rule->payload_rules[i].payload_type == payload_type)
623 {
624 *payload_rule = &(this->message_rule->payload_rules[i]);
625 return SUCCESS;
626 }
627 }
628
629 *payload_rule = NULL;
630 return NOT_FOUND;
631 }
632
633 /**
634 * Implementation of message_t.set_ike_sa_id.
635 */
636 static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
637 {
638 DESTROY_IF(this->ike_sa_id);
639 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
640 }
641
642 /**
643 * Implementation of message_t.get_ike_sa_id.
644 */
645 static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
646 {
647 return this->ike_sa_id;
648 }
649
650 /**
651 * Implementation of message_t.set_message_id.
652 */
653 static void set_message_id(private_message_t *this,u_int32_t message_id)
654 {
655 this->message_id = message_id;
656 }
657
658 /**
659 * Implementation of message_t.get_message_id.
660 */
661 static u_int32_t get_message_id(private_message_t *this)
662 {
663 return this->message_id;
664 }
665
666 /**
667 * Implementation of message_t.get_initiator_spi.
668 */
669 static u_int64_t get_initiator_spi(private_message_t *this)
670 {
671 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
672 }
673
674 /**
675 * Implementation of message_t.get_responder_spi.
676 */
677 static u_int64_t get_responder_spi(private_message_t *this)
678 {
679 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
680 }
681
682 /**
683 * Implementation of message_t.set_major_version.
684 */
685 static void set_major_version(private_message_t *this,u_int8_t major_version)
686 {
687 this->major_version = major_version;
688 }
689
690 /**
691 * Implementation of message_t.set_major_version.
692 */
693 static u_int8_t get_major_version(private_message_t *this)
694 {
695 return this->major_version;
696 }
697
698 /**
699 * Implementation of message_t.set_minor_version.
700 */
701 static void set_minor_version(private_message_t *this,u_int8_t minor_version)
702 {
703 this->minor_version = minor_version;
704 }
705
706 /**
707 * Implementation of message_t.get_minor_version.
708 */
709 static u_int8_t get_minor_version(private_message_t *this)
710 {
711 return this->minor_version;
712 }
713
714 /**
715 * Implementation of message_t.set_exchange_type.
716 */
717 static void set_exchange_type(private_message_t *this,
718 exchange_type_t exchange_type)
719 {
720 this->exchange_type = exchange_type;
721 }
722
723 /**
724 * Implementation of message_t.get_exchange_type.
725 */
726 static exchange_type_t get_exchange_type(private_message_t *this)
727 {
728 return this->exchange_type;
729 }
730
731 /**
732 * Implementation of message_t.get_first_payload_type.
733 */
734 static payload_type_t get_first_payload_type(private_message_t *this)
735 {
736 return this->first_payload;
737 }
738
739 /**
740 * Implementation of message_t.set_request.
741 */
742 static void set_request(private_message_t *this, bool request)
743 {
744 this->is_request = request;
745 }
746
747 /**
748 * Implementation of message_t.get_request.
749 */
750 static exchange_type_t get_request(private_message_t *this)
751 {
752 return this->is_request;
753 }
754
755 /**
756 * Is this message in an encoded form?
757 */
758 static bool is_encoded(private_message_t *this)
759 {
760 chunk_t data = this->packet->get_data(this->packet);
761
762 if (data.ptr == NULL)
763 {
764 return FALSE;
765 }
766 return TRUE;
767 }
768
769 /**
770 * Implementation of message_t.add_payload.
771 */
772 static void add_payload(private_message_t *this, payload_t *payload)
773 {
774 payload_t *last_payload;
775
776 if (this->payloads->get_count(this->payloads) > 0)
777 {
778 this->payloads->get_last(this->payloads, (void **)&last_payload);
779 last_payload->set_next_type(last_payload, payload->get_type(payload));
780 }
781 else
782 {
783 this->first_payload = payload->get_type(payload);
784 }
785 payload->set_next_type(payload, NO_PAYLOAD);
786 this->payloads->insert_last(this->payloads, payload);
787
788 DBG2(DBG_ENC ,"added payload of type %N to message",
789 payload_type_names, payload->get_type(payload));
790 }
791
792 /**
793 * Implementation of message_t.add_notify.
794 */
795 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
796 chunk_t data)
797 {
798 notify_payload_t *notify;
799 payload_t *payload;
800
801 if (flush)
802 {
803 while (this->payloads->remove_last(this->payloads,
804 (void**)&payload) == SUCCESS)
805 {
806 payload->destroy(payload);
807 }
808 }
809 notify = notify_payload_create();
810 notify->set_notify_type(notify, type);
811 notify->set_notification_data(notify, data);
812 add_payload(this, (payload_t*)notify);
813 }
814
815 /**
816 * Implementation of message_t.set_source.
817 */
818 static void set_source(private_message_t *this, host_t *host)
819 {
820 this->packet->set_source(this->packet, host);
821 }
822
823 /**
824 * Implementation of message_t.set_destination.
825 */
826 static void set_destination(private_message_t *this, host_t *host)
827 {
828 this->packet->set_destination(this->packet, host);
829 }
830
831 /**
832 * Implementation of message_t.get_source.
833 */
834 static host_t* get_source(private_message_t *this)
835 {
836 return this->packet->get_source(this->packet);
837 }
838
839 /**
840 * Implementation of message_t.get_destination.
841 */
842 static host_t * get_destination(private_message_t *this)
843 {
844 return this->packet->get_destination(this->packet);
845 }
846
847 /**
848 * Implementation of message_t.create_payload_enumerator.
849 */
850 static enumerator_t *create_payload_enumerator(private_message_t *this)
851 {
852 return this->payloads->create_enumerator(this->payloads);
853 }
854
855 /**
856 * Implementation of message_t.get_payload.
857 */
858 static payload_t *get_payload(private_message_t *this, payload_type_t type)
859 {
860 payload_t *current, *found = NULL;
861 enumerator_t *enumerator;
862
863 enumerator = create_payload_enumerator(this);
864 while (enumerator->enumerate(enumerator, &current))
865 {
866 if (current->get_type(current) == type)
867 {
868 found = current;
869 break;
870 }
871 }
872 enumerator->destroy(enumerator);
873 return found;
874 }
875
876 /**
877 * Implementation of message_t.get_notify
878 */
879 static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
880 {
881 enumerator_t *enumerator;
882 notify_payload_t *notify = NULL;
883 payload_t *payload;
884
885 enumerator = create_payload_enumerator(this);
886 while (enumerator->enumerate(enumerator, &payload))
887 {
888 if (payload->get_type(payload) == NOTIFY)
889 {
890 notify = (notify_payload_t*)payload;
891 if (notify->get_notify_type(notify) == type)
892 {
893 break;
894 }
895 notify = NULL;
896 }
897 }
898 enumerator->destroy(enumerator);
899 return notify;
900 }
901
902 /**
903 * get a string representation of the message
904 */
905 static char* get_string(private_message_t *this, char *buf, int len)
906 {
907 enumerator_t *enumerator;
908 payload_t *payload;
909 int written;
910 char *pos = buf;
911
912 memset(buf, 0, len);
913 len--;
914
915 written = snprintf(pos, len, "%N %s %d [",
916 exchange_type_names, this->exchange_type,
917 this->is_request ? "request" : "response",
918 this->message_id);
919 if (written >= len || written < 0)
920 {
921 return "";
922 }
923 pos += written;
924 len -= written;
925
926 enumerator = create_payload_enumerator(this);
927 while (enumerator->enumerate(enumerator, &payload))
928 {
929 written = snprintf(pos, len, " %N", payload_type_short_names,
930 payload->get_type(payload));
931 if (written >= len || written < 0)
932 {
933 return buf;
934 }
935 pos += written;
936 len -= written;
937 if (payload->get_type(payload) == NOTIFY)
938 {
939 notify_payload_t *notify = (notify_payload_t*)payload;
940 written = snprintf(pos, len, "(%N)", notify_type_short_names,
941 notify->get_notify_type(notify));
942 if (written >= len || written < 0)
943 {
944 return buf;
945 }
946 pos += written;
947 len -= written;
948 }
949 }
950 enumerator->destroy(enumerator);
951
952 /* remove last space */
953 snprintf(pos, len, " ]");
954 return buf;
955 }
956
957 /**
958 * reorder payloads depending on reordering rules
959 */
960 static void order_payloads(private_message_t *this)
961 {
962 linked_list_t *list;
963 payload_t *payload;
964 int i;
965
966 /* move to temp list */
967 list = linked_list_create();
968 while (this->payloads->remove_last(this->payloads,
969 (void**)&payload) == SUCCESS)
970 {
971 list->insert_first(list, payload);
972 }
973 /* for each rule, ... */
974 for (i = 0; i < this->message_rule->payload_order_count; i++)
975 {
976 enumerator_t *enumerator;
977 notify_payload_t *notify;
978 payload_order_t order = this->message_rule->payload_order[i];
979
980 /* ... find all payload ... */
981 enumerator = list->create_enumerator(list);
982 while (enumerator->enumerate(enumerator, &payload))
983 {
984 /* ... with that type ... */
985 if (payload->get_type(payload) == order.type)
986 {
987 notify = (notify_payload_t*)payload;
988
989 /**... and check notify for type. */
990 if (order.type != NOTIFY || order.notify == 0 ||
991 order.notify == notify->get_notify_type(notify))
992 {
993 list->remove_at(list, enumerator);
994 add_payload(this, payload);
995 }
996 }
997 }
998 enumerator->destroy(enumerator);
999 }
1000 /* append all payloads without a rule to the end */
1001 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1002 {
1003 /* do not complain about payloads in private use space */
1004 if (payload->get_type(payload) < 128)
1005 {
1006 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1007 payload_type_names, payload->get_type(payload),
1008 exchange_type_names, this->message_rule->exchange_type,
1009 this->message_rule->is_request ? "request" : "response");
1010 }
1011 add_payload(this, payload);
1012 }
1013 list->destroy(list);
1014 }
1015
1016 /**
1017 * Implementation of private_message_t.encrypt_payloads.
1018 */
1019 static status_t encrypt_payloads(private_message_t *this,
1020 crypter_t *crypter, signer_t* signer)
1021 {
1022 encryption_payload_t *encryption_payload = NULL;
1023 status_t status;
1024 linked_list_t *all_payloads;
1025
1026 if (!this->message_rule->encrypted_content)
1027 {
1028 DBG2(DBG_ENC, "message doesn't have to be encrypted");
1029 /* message contains no content to encrypt */
1030 return SUCCESS;
1031 }
1032
1033 if (!crypter || !signer)
1034 {
1035 DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
1036 /* message contains no content to encrypt */
1037 return SUCCESS;
1038 }
1039
1040 DBG2(DBG_ENC, "copy all payloads to a temporary list");
1041 all_payloads = linked_list_create();
1042
1043 /* first copy all payloads in a temporary list */
1044 while (this->payloads->get_count(this->payloads) > 0)
1045 {
1046 void *current_payload;
1047 this->payloads->remove_first(this->payloads,&current_payload);
1048 all_payloads->insert_last(all_payloads,current_payload);
1049 }
1050
1051 encryption_payload = encryption_payload_create();
1052
1053 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
1054 while (all_payloads->get_count(all_payloads) > 0)
1055 {
1056 payload_rule_t *payload_rule;
1057 payload_t *current_payload;
1058 bool to_encrypt = FALSE;
1059
1060 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1061
1062 status = get_payload_rule(this,
1063 current_payload->get_type(current_payload),&payload_rule);
1064 /* for payload types which are not found in supported payload list,
1065 * it is presumed that they don't have to be encrypted */
1066 if ((status == SUCCESS) && (payload_rule->encrypted))
1067 {
1068 DBG2(DBG_ENC, "payload %N gets encrypted",
1069 payload_type_names, current_payload->get_type(current_payload));
1070 to_encrypt = TRUE;
1071 }
1072
1073 if (to_encrypt)
1074 {
1075 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1076 payload_type_names, current_payload->get_type(current_payload));
1077 encryption_payload->add_payload(encryption_payload,current_payload);
1078 }
1079 else
1080 {
1081 DBG2(DBG_ENC, "insert payload %N unencrypted",
1082 payload_type_names ,current_payload->get_type(current_payload));
1083 add_payload(this, (payload_t*)encryption_payload);
1084 }
1085 }
1086
1087 status = SUCCESS;
1088 DBG2(DBG_ENC, "encrypting encryption payload");
1089 encryption_payload->set_transforms(encryption_payload, crypter,signer);
1090 status = encryption_payload->encrypt(encryption_payload);
1091 DBG2(DBG_ENC, "add encrypted payload to payload list");
1092 add_payload(this, (payload_t*)encryption_payload);
1093
1094 all_payloads->destroy(all_payloads);
1095
1096 return status;
1097 }
1098
1099 /**
1100 * Implementation of message_t.generate.
1101 */
1102 static status_t generate(private_message_t *this, crypter_t *crypter,
1103 signer_t* signer, packet_t **packet)
1104 {
1105 generator_t *generator;
1106 ike_header_t *ike_header;
1107 payload_t *payload, *next_payload;
1108 enumerator_t *enumerator;
1109 status_t status;
1110 chunk_t packet_data;
1111 char str[256];
1112
1113 if (is_encoded(this))
1114 {
1115 /* already generated, return a new packet clone */
1116 *packet = this->packet->clone(this->packet);
1117 return SUCCESS;
1118 }
1119
1120 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1121 {
1122 DBG1(DBG_ENC, "exchange type is not defined");
1123 return INVALID_STATE;
1124 }
1125
1126 if (this->packet->get_source(this->packet) == NULL ||
1127 this->packet->get_destination(this->packet) == NULL)
1128 {
1129 DBG1(DBG_ENC, "%s not defined",
1130 !this->packet->get_source(this->packet) ? "source" : "destination");
1131 return INVALID_STATE;
1132 }
1133
1134 /* set the rules for this messge */
1135 status = set_message_rule(this);
1136 if (status != SUCCESS)
1137 {
1138 DBG1(DBG_ENC, "no message rules specified for this message type");
1139 return NOT_SUPPORTED;
1140 }
1141
1142 order_payloads(this);
1143
1144 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1145
1146 /* going to encrypt all content which have to be encrypted */
1147 status = encrypt_payloads(this, crypter, signer);
1148 if (status != SUCCESS)
1149 {
1150 DBG1(DBG_ENC, "payload encryption failed");
1151 return status;
1152 }
1153
1154 /* build ike header */
1155 ike_header = ike_header_create();
1156
1157 ike_header->set_exchange_type(ike_header, this->exchange_type);
1158 ike_header->set_message_id(ike_header, this->message_id);
1159 ike_header->set_response_flag(ike_header, !this->is_request);
1160 ike_header->set_initiator_flag(ike_header,
1161 this->ike_sa_id->is_initiator(this->ike_sa_id));
1162 ike_header->set_initiator_spi(ike_header,
1163 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1164 ike_header->set_responder_spi(ike_header,
1165 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1166
1167 generator = generator_create();
1168
1169 payload = (payload_t*)ike_header;
1170
1171 /* generate every payload expect last one, this is done later*/
1172 enumerator = create_payload_enumerator(this);
1173 while (enumerator->enumerate(enumerator, &next_payload))
1174 {
1175 payload->set_next_type(payload, next_payload->get_type(next_payload));
1176 generator->generate_payload(generator, payload);
1177 payload = next_payload;
1178 }
1179 enumerator->destroy(enumerator);
1180
1181 /* last payload has no next payload*/
1182 payload->set_next_type(payload, NO_PAYLOAD);
1183
1184 generator->generate_payload(generator, payload);
1185
1186 ike_header->destroy(ike_header);
1187
1188 /* build packet */
1189 generator->write_to_chunk(generator, &packet_data);
1190 generator->destroy(generator);
1191
1192 /* if last payload is of type encrypted, integrity checksum if necessary */
1193 if (payload->get_type(payload) == ENCRYPTED)
1194 {
1195 DBG2(DBG_ENC, "build signature on whole message");
1196 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
1197 status = encryption_payload->build_signature(encryption_payload, packet_data);
1198 if (status != SUCCESS)
1199 {
1200 return status;
1201 }
1202 }
1203
1204 this->packet->set_data(this->packet, packet_data);
1205
1206 /* clone packet for caller */
1207 *packet = this->packet->clone(this->packet);
1208
1209 DBG2(DBG_ENC, "message generated successfully");
1210 return SUCCESS;
1211 }
1212
1213 /**
1214 * Implementation of message_t.get_packet.
1215 */
1216 static packet_t *get_packet(private_message_t *this)
1217 {
1218 if (this->packet == NULL)
1219 {
1220 return NULL;
1221 }
1222 return this->packet->clone(this->packet);
1223 }
1224
1225 /**
1226 * Implementation of message_t.get_packet_data.
1227 */
1228 static chunk_t get_packet_data(private_message_t *this)
1229 {
1230 if (this->packet == NULL)
1231 {
1232 return chunk_empty;
1233 }
1234 return chunk_clone(this->packet->get_data(this->packet));
1235 }
1236
1237 /**
1238 * Implementation of message_t.parse_header.
1239 */
1240 static status_t parse_header(private_message_t *this)
1241 {
1242 ike_header_t *ike_header;
1243 status_t status;
1244
1245 DBG2(DBG_ENC, "parsing header of message");
1246
1247 this->parser->reset_context(this->parser);
1248 status = this->parser->parse_payload(this->parser, HEADER,
1249 (payload_t**)&ike_header);
1250 if (status != SUCCESS)
1251 {
1252 DBG1(DBG_ENC, "header could not be parsed");
1253 return status;
1254
1255 }
1256
1257 /* verify payload */
1258 status = ike_header->payload_interface.verify(
1259 &ike_header->payload_interface);
1260 if (status != SUCCESS)
1261 {
1262 DBG1(DBG_ENC, "header verification failed");
1263 ike_header->destroy(ike_header);
1264 return status;
1265 }
1266
1267 if (this->ike_sa_id != NULL)
1268 {
1269 this->ike_sa_id->destroy(this->ike_sa_id);
1270 }
1271
1272 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1273 ike_header->get_responder_spi(ike_header),
1274 ike_header->get_initiator_flag(ike_header));
1275
1276 this->exchange_type = ike_header->get_exchange_type(ike_header);
1277 this->message_id = ike_header->get_message_id(ike_header);
1278 this->is_request = (!(ike_header->get_response_flag(ike_header)));
1279 this->major_version = ike_header->get_maj_version(ike_header);
1280 this->minor_version = ike_header->get_min_version(ike_header);
1281 this->first_payload = ike_header->payload_interface.get_next_type(
1282 &ike_header->payload_interface);
1283
1284 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1285 this->is_request ? "request" : "response");
1286
1287 ike_header->destroy(ike_header);
1288
1289 /* get the rules for this messge */
1290 status = set_message_rule(this);
1291 if (status != SUCCESS)
1292 {
1293 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1294 exchange_type_names, this->exchange_type,
1295 this->is_request ? "request" : "response");
1296 }
1297
1298 return status;
1299 }
1300
1301 /**
1302 * Implementation of private_message_t.decrypt_and_verify_payloads.
1303 */
1304 static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
1305 signer_t* signer)
1306 {
1307 bool current_payload_was_encrypted = FALSE;
1308 payload_t *previous_payload = NULL;
1309 int payload_number = 1;
1310 iterator_t *iterator;
1311 payload_t *current_payload;
1312 status_t status;
1313
1314 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1315
1316 /* process each payload and decrypt a encryption payload */
1317 while(iterator->iterate(iterator, (void**)&current_payload))
1318 {
1319 payload_rule_t *payload_rule;
1320 payload_type_t current_payload_type;
1321
1322 /* needed to check */
1323 current_payload_type = current_payload->get_type(current_payload);
1324
1325 DBG2(DBG_ENC, "process payload of type %N",
1326 payload_type_names, current_payload_type);
1327
1328 if (current_payload_type == ENCRYPTED)
1329 {
1330 encryption_payload_t *encryption_payload;
1331 payload_t *current_encrypted_payload;
1332
1333 encryption_payload = (encryption_payload_t*)current_payload;
1334
1335 DBG2(DBG_ENC, "found an encryption payload");
1336
1337 if (payload_number != this->payloads->get_count(this->payloads))
1338 {
1339 /* encrypted payload is not last one */
1340 DBG1(DBG_ENC, "encrypted payload is not last payload");
1341 iterator->destroy(iterator);
1342 return VERIFY_ERROR;
1343 }
1344 /* decrypt */
1345 encryption_payload->set_transforms(encryption_payload,
1346 crypter, signer);
1347 DBG2(DBG_ENC, "verify signature of encryption payload");
1348 status = encryption_payload->verify_signature(encryption_payload,
1349 this->packet->get_data(this->packet));
1350 if (status != SUCCESS)
1351 {
1352 DBG1(DBG_ENC, "encryption payload signature invalid");
1353 iterator->destroy(iterator);
1354 return FAILED;
1355 }
1356 DBG2(DBG_ENC, "decrypting content of encryption payload");
1357 status = encryption_payload->decrypt(encryption_payload);
1358 if (status != SUCCESS)
1359 {
1360 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
1361 iterator->destroy(iterator);
1362 return PARSE_ERROR;
1363 }
1364
1365 /* needed later to find out if a payload was encrypted */
1366 current_payload_was_encrypted = TRUE;
1367
1368 /* check if there are payloads contained in the encryption payload */
1369 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1370 {
1371 DBG2(DBG_ENC, "encrypted payload is empty");
1372 /* remove the encryption payload, is not needed anymore */
1373 iterator->remove(iterator);
1374 /* encrypted payload contains no other payload */
1375 current_payload_type = NO_PAYLOAD;
1376 }
1377 else
1378 {
1379 /* encryption_payload is replaced with first payload contained
1380 * in encryption_payload */
1381 encryption_payload->remove_first_payload(encryption_payload,
1382 &current_encrypted_payload);
1383 iterator->replace(iterator, NULL,
1384 (void *)current_encrypted_payload);
1385 current_payload_type = current_encrypted_payload->get_type(
1386 current_encrypted_payload);
1387 }
1388
1389 /* is the current paylad the first in the message? */
1390 if (previous_payload == NULL)
1391 {
1392 /* yes, set the first payload type of the message to the
1393 * current type */
1394 this->first_payload = current_payload_type;
1395 }
1396 else
1397 {
1398 /* no, set the next_type of the previous payload to the
1399 * current type */
1400 previous_payload->set_next_type(previous_payload,
1401 current_payload_type);
1402 }
1403
1404 /* all encrypted payloads are added to the payload list */
1405 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1406 {
1407 encryption_payload->remove_first_payload(encryption_payload,
1408 &current_encrypted_payload);
1409 DBG2(DBG_ENC, "insert unencrypted payload of type "
1410 "%N at end of list", payload_type_names,
1411 current_encrypted_payload->get_type(
1412 current_encrypted_payload));
1413 this->payloads->insert_last(this->payloads,
1414 current_encrypted_payload);
1415 }
1416
1417 /* encryption payload is processed, payloads are moved. Destroy it. */
1418 encryption_payload->destroy(encryption_payload);
1419 }
1420
1421 /* we allow unknown payloads of any type and don't bother if it was
1422 * encrypted. Not our problem. */
1423 if (current_payload_type != UNKNOWN_PAYLOAD &&
1424 current_payload_type != NO_PAYLOAD)
1425 {
1426 /* get the ruleset for found payload */
1427 status = get_payload_rule(this, current_payload_type, &payload_rule);
1428 if (status != SUCCESS)
1429 {
1430 /* payload is not allowed */
1431 DBG1(DBG_ENC, "payload type %N not allowed",
1432 payload_type_names, current_payload_type);
1433 iterator->destroy(iterator);
1434 return VERIFY_ERROR;
1435 }
1436
1437 /* check if the payload was encrypted, and if it should been have
1438 * encrypted */
1439 if (payload_rule->encrypted != current_payload_was_encrypted)
1440 {
1441 /* payload was not encrypted, but should have been.
1442 * or vice-versa */
1443 DBG1(DBG_ENC, "payload type %N should be %s!",
1444 payload_type_names, current_payload_type,
1445 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1446 iterator->destroy(iterator);
1447 return VERIFY_ERROR;
1448 }
1449 }
1450 /* advance to the next payload */
1451 payload_number++;
1452 /* is stored to set next payload in case of found encryption payload */
1453 previous_payload = current_payload;
1454 }
1455 iterator->destroy(iterator);
1456 return SUCCESS;
1457 }
1458
1459 /**
1460 * Implementation of private_message_t.verify.
1461 */
1462 static status_t verify(private_message_t *this)
1463 {
1464 int i;
1465 enumerator_t *enumerator;
1466 payload_t *current_payload;
1467 size_t total_found_payloads = 0;
1468
1469 DBG2(DBG_ENC, "verifying message structure");
1470
1471 /* check for payloads with wrong count*/
1472 for (i = 0; i < this->message_rule->payload_rule_count; i++)
1473 {
1474 size_t found_payloads = 0;
1475 payload_rule_t *rule;
1476
1477 rule = &this->message_rule->payload_rules[i];
1478 enumerator = create_payload_enumerator(this);
1479
1480 /* check all payloads for specific rule */
1481 while (enumerator->enumerate(enumerator, &current_payload))
1482 {
1483 payload_type_t current_payload_type;
1484 unknown_payload_t *unknown_payload;
1485
1486 current_payload_type = current_payload->get_type(current_payload);
1487 if (current_payload_type == UNKNOWN_PAYLOAD)
1488 {
1489 /* unknown payloads are ignored, IF they are not critical */
1490 unknown_payload = (unknown_payload_t*)current_payload;
1491 if (unknown_payload->is_critical(unknown_payload))
1492 {
1493 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1494 payload_type_names, current_payload_type);
1495 enumerator->destroy(enumerator);
1496 return NOT_SUPPORTED;
1497 }
1498 }
1499 else if (current_payload_type == rule->payload_type)
1500 {
1501 found_payloads++;
1502 total_found_payloads++;
1503 DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
1504 rule->payload_type);
1505
1506 /* as soon as ohe payload occures more then specified,
1507 * the verification fails */
1508 if (found_payloads >
1509 rule->max_occurence)
1510 {
1511 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1512 "occured in current message", payload_type_names,
1513 current_payload_type, rule->max_occurence,
1514 found_payloads);
1515 enumerator->destroy(enumerator);
1516 return VERIFY_ERROR;
1517 }
1518 }
1519 }
1520
1521 if (found_payloads < rule->min_occurence)
1522 {
1523 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1524 payload_type_names, rule->payload_type, rule->min_occurence,
1525 found_payloads);
1526 enumerator->destroy(enumerator);
1527 return VERIFY_ERROR;
1528 }
1529 if (rule->sufficient &&
1530 this->payloads->get_count(this->payloads) == total_found_payloads)
1531 {
1532 enumerator->destroy(enumerator);
1533 return SUCCESS;
1534 }
1535 enumerator->destroy(enumerator);
1536 }
1537 return SUCCESS;
1538 }
1539
1540 /**
1541 * Implementation of message_t.parse_body.
1542 */
1543 static status_t parse_body(private_message_t *this, crypter_t *crypter,
1544 signer_t *signer)
1545 {
1546 status_t status = SUCCESS;
1547 payload_type_t current_payload_type;
1548 char str[256];
1549
1550 current_payload_type = this->first_payload;
1551
1552 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1553 payload_type_names, current_payload_type);
1554
1555 /* parse payload for payload, while there are more available */
1556 while ((current_payload_type != NO_PAYLOAD))
1557 {
1558 payload_t *current_payload;
1559
1560 DBG2(DBG_ENC, "starting parsing a %N payload",
1561 payload_type_names, current_payload_type);
1562
1563 /* parse current payload */
1564 status = this->parser->parse_payload(this->parser, current_payload_type,
1565 (payload_t**)&current_payload);
1566 if (status != SUCCESS)
1567 {
1568 DBG1(DBG_ENC, "payload type %N could not be parsed",
1569 payload_type_names, current_payload_type);
1570 return PARSE_ERROR;
1571 }
1572
1573 DBG2(DBG_ENC, "verifying payload of type %N",
1574 payload_type_names, current_payload_type);
1575
1576 /* verify it, stop parsig if its invalid */
1577 status = current_payload->verify(current_payload);
1578 if (status != SUCCESS)
1579 {
1580 DBG1(DBG_ENC, "%N payload verification failed",
1581 payload_type_names, current_payload_type);
1582 current_payload->destroy(current_payload);
1583 return VERIFY_ERROR;
1584 }
1585
1586 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1587 payload_type_names, current_payload_type);
1588 this->payloads->insert_last(this->payloads,current_payload);
1589
1590 /* an encryption payload is the last one, so STOP here. decryption is
1591 * done later */
1592 if (current_payload_type == ENCRYPTED)
1593 {
1594 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1595 payload_type_names, current_payload_type);
1596 break;
1597 }
1598
1599 /* get next payload type */
1600 current_payload_type = current_payload->get_next_type(current_payload);
1601 }
1602
1603 if (current_payload_type == ENCRYPTED)
1604 {
1605 status = decrypt_payloads(this,crypter,signer);
1606 if (status != SUCCESS)
1607 {
1608 DBG1(DBG_ENC, "could not decrypt payloads");
1609 return status;
1610 }
1611 }
1612
1613 status = verify(this);
1614 if (status != SUCCESS)
1615 {
1616 return status;
1617 }
1618
1619 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1620
1621 return SUCCESS;
1622 }
1623
1624 /**
1625 * Implementation of message_t.destroy.
1626 */
1627 static void destroy (private_message_t *this)
1628 {
1629 DESTROY_IF(this->ike_sa_id);
1630 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1631 this->packet->destroy(this->packet);
1632 this->parser->destroy(this->parser);
1633 free(this);
1634 }
1635
1636 /*
1637 * Described in Header-File
1638 */
1639 message_t *message_create_from_packet(packet_t *packet)
1640 {
1641 private_message_t *this = malloc_thing(private_message_t);
1642
1643 /* public functions */
1644 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1645 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1646 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1647 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1648 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1649 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1650 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1651 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1652 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1653 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1654 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1655 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1656 this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
1657 this->public.set_request = (void(*)(message_t*, bool))set_request;
1658 this->public.get_request = (bool(*)(message_t*))get_request;
1659 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1660 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1661 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1662 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1663 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1664 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1665 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1666 this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
1667 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1668 this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
1669 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1670 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1671 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1672 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1673 this->public.destroy = (void(*)(message_t*))destroy;
1674
1675 /* private values */
1676 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1677 this->is_request = TRUE;
1678 this->ike_sa_id = NULL;
1679 this->first_payload = NO_PAYLOAD;
1680 this->message_id = 0;
1681
1682 /* private values */
1683 if (packet == NULL)
1684 {
1685 packet = packet_create();
1686 }
1687 this->message_rule = NULL;
1688 this->packet = packet;
1689 this->payloads = linked_list_create();
1690
1691 /* parser is created from data of packet */
1692 this->parser = parser_create(this->packet->get_data(this->packet));
1693
1694 return (&this->public);
1695 }
1696
1697 /*
1698 * Described in Header.
1699 */
1700 message_t *message_create()
1701 {
1702 return message_create_from_packet(NULL);
1703 }
1704