merged tasking branch into trunk
[strongswan.git] / src / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include <stdlib.h>
26 #include <string.h>
27 #include <printf.h>
28
29 #include "message.h"
30
31 #include <library.h>
32 #include <daemon.h>
33 #include <sa/ike_sa_id.h>
34 #include <encoding/generator.h>
35 #include <encoding/parser.h>
36 #include <utils/linked_list.h>
37 #include <encoding/payloads/encodings.h>
38 #include <encoding/payloads/payload.h>
39 #include <encoding/payloads/encryption_payload.h>
40 #include <encoding/payloads/unknown_payload.h>
41
42 /**
43 * Max number of notify payloads per IKEv2 Message
44 */
45 #define MAX_NOTIFY_PAYLOADS 20
46
47
48 typedef struct payload_rule_t payload_rule_t;
49
50 /**
51 * A payload rule defines the rules for a payload
52 * in a specific message rule. It defines if and how
53 * many times a payload must/can occur in a message
54 * and if it must be encrypted.
55 */
56 struct payload_rule_t {
57 /**
58 * Payload type.
59 */
60 payload_type_t payload_type;
61
62 /**
63 * Minimal occurence of this payload.
64 */
65 size_t min_occurence;
66
67 /**
68 * Max occurence of this payload.
69 */
70 size_t max_occurence;
71
72 /**
73 * TRUE if payload must be encrypted
74 */
75 bool encrypted;
76
77 /**
78 * If this payload occurs, the message rule is
79 * fullfilled in any case. This applies e.g. to
80 * notify_payloads.
81 */
82 bool sufficient;
83 };
84
85 typedef struct message_rule_t message_rule_t;
86
87 /**
88 * A message rule defines the kind of a message,
89 * if it has encrypted contents and a list
90 * of payload rules.
91 *
92 */
93 struct message_rule_t {
94 /**
95 * Type of message.
96 */
97 exchange_type_t exchange_type;
98
99 /**
100 * Is message a request or response.
101 */
102 bool is_request;
103
104 /**
105 * Message contains encrypted content.
106 */
107 bool encrypted_content;
108
109 /**
110 * Number of payload rules which will follow
111 */
112 size_t payload_rule_count;
113
114 /**
115 * Pointer to first payload rule
116 */
117 payload_rule_t *payload_rules;
118 };
119
120 /**
121 * Message rule for IKE_SA_INIT from initiator.
122 */
123 static payload_rule_t ike_sa_init_i_payload_rules[] = {
124 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
125 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
126 {KEY_EXCHANGE,1,1,FALSE,FALSE},
127 {NONCE,1,1,FALSE,FALSE},
128 };
129
130 /**
131 * Message rule for IKE_SA_INIT from responder.
132 */
133 static payload_rule_t ike_sa_init_r_payload_rules[] = {
134 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
135 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
136 {KEY_EXCHANGE,1,1,FALSE,FALSE},
137 {NONCE,1,1,FALSE,FALSE},
138 };
139
140 /**
141 * Message rule for IKE_AUTH from initiator.
142 */
143 static payload_rule_t ike_auth_i_payload_rules[] = {
144 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
145 {EXTENSIBLE_AUTHENTICATION,0,1,TRUE,TRUE},
146 {AUTHENTICATION,0,1,TRUE,TRUE},
147 {ID_INITIATOR,1,1,TRUE,FALSE},
148 {CERTIFICATE,0,1,TRUE,FALSE},
149 {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
150 {ID_RESPONDER,0,1,TRUE,FALSE},
151 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
152 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
153 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
154 {CONFIGURATION,0,1,TRUE,FALSE},
155 };
156
157 /**
158 * Message rule for IKE_AUTH from responder.
159 */
160 static payload_rule_t ike_auth_r_payload_rules[] = {
161 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
162 {EXTENSIBLE_AUTHENTICATION,0,1,TRUE,TRUE},
163 {CERTIFICATE,0,1,TRUE,FALSE},
164 {ID_RESPONDER,0,1,TRUE,FALSE},
165 {AUTHENTICATION,0,1,TRUE,FALSE},
166 {SECURITY_ASSOCIATION,0,1,TRUE,FALSE},
167 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
168 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
169 {CONFIGURATION,0,1,TRUE,FALSE},
170 };
171
172
173 /**
174 * Message rule for INFORMATIONAL from initiator.
175 */
176 static payload_rule_t informational_i_payload_rules[] = {
177 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
178 {CONFIGURATION,0,1,TRUE,FALSE},
179 {DELETE,0,1,TRUE,FALSE},
180
181 };
182
183 /**
184 * Message rule for INFORMATIONAL from responder.
185 */
186 static payload_rule_t informational_r_payload_rules[] = {
187 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
188 {CONFIGURATION,0,1,TRUE,FALSE},
189 {DELETE,0,1,TRUE,FALSE},
190 };
191
192 /**
193 * Message rule for CREATE_CHILD_SA from initiator.
194 */
195 static payload_rule_t create_child_sa_i_payload_rules[] = {
196 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
197 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
198 {NONCE,1,1,TRUE,FALSE},
199 {KEY_EXCHANGE,0,1,TRUE,FALSE},
200 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
201 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
202 {CONFIGURATION,0,1,TRUE,FALSE},
203 };
204
205 /**
206 * Message rule for CREATE_CHILD_SA from responder.
207 */
208 static payload_rule_t create_child_sa_r_payload_rules[] = {
209 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
210 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
211 {NONCE,1,1,TRUE,FALSE},
212 {KEY_EXCHANGE,0,1,TRUE,FALSE},
213 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
214 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
215 {CONFIGURATION,0,1,TRUE,FALSE},
216 };
217
218
219 /**
220 * Message rules, defines allowed payloads.
221 */
222 static message_rule_t message_rules[] = {
223 {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
224 {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
225 {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
226 {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
227 {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
228 {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
229 {CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
230 {CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
231 };
232
233
234 typedef struct private_message_t private_message_t;
235
236 /**
237 * Private data of an message_t object.
238 */
239 struct private_message_t {
240
241 /**
242 * Public part of a message_t object.
243 */
244 message_t public;
245
246 /**
247 * Minor version of message.
248 */
249 u_int8_t major_version;
250
251 /**
252 * Major version of message.
253 */
254 u_int8_t minor_version;
255
256 /**
257 * First Payload in message.
258 */
259 payload_type_t first_payload;
260
261 /**
262 * Assigned exchange type.
263 */
264 exchange_type_t exchange_type;
265
266 /**
267 * TRUE if message is a request, FALSE if a reply.
268 */
269 bool is_request;
270
271 /**
272 * Message ID of this message.
273 */
274 u_int32_t message_id;
275
276 /**
277 * ID of assigned IKE_SA.
278 */
279 ike_sa_id_t *ike_sa_id;
280
281 /**
282 * Assigned UDP packet, stores incoming packet or last generated one.
283 */
284 packet_t *packet;
285
286 /**
287 * Linked List where payload data are stored in.
288 */
289 linked_list_t *payloads;
290
291 /**
292 * Assigned parser to parse Header and Body of this message.
293 */
294 parser_t *parser;
295
296 /**
297 * The message rule for this message instance
298 */
299 message_rule_t *message_rule;
300 };
301
302 /**
303 * Implementation of private_message_t.set_message_rule.
304 */
305 static status_t set_message_rule(private_message_t *this)
306 {
307 int i;
308
309 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
310 {
311 if ((this->exchange_type == message_rules[i].exchange_type) &&
312 (this->is_request == message_rules[i].is_request))
313 {
314 /* found rule for given exchange_type*/
315 this->message_rule = &(message_rules[i]);
316 return SUCCESS;
317 }
318 }
319 this->message_rule = NULL;
320 return NOT_FOUND;
321 }
322
323 /**
324 * Implementation of private_message_t.get_payload_rule.
325 */
326 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
327 {
328 int i;
329
330 for (i = 0; i < this->message_rule->payload_rule_count;i++)
331 {
332 if (this->message_rule->payload_rules[i].payload_type == payload_type)
333 {
334 *payload_rule = &(this->message_rule->payload_rules[i]);
335 return SUCCESS;
336 }
337 }
338
339 *payload_rule = NULL;
340 return NOT_FOUND;
341 }
342
343 /**
344 * Implementation of message_t.set_ike_sa_id.
345 */
346 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
347 {
348 DESTROY_IF(this->ike_sa_id);
349 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
350 }
351
352 /**
353 * Implementation of message_t.get_ike_sa_id.
354 */
355 static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
356 {
357 return this->ike_sa_id;
358 }
359
360 /**
361 * Implementation of message_t.set_message_id.
362 */
363 static void set_message_id (private_message_t *this,u_int32_t message_id)
364 {
365 this->message_id = message_id;
366 }
367
368 /**
369 * Implementation of message_t.get_message_id.
370 */
371 static u_int32_t get_message_id (private_message_t *this)
372 {
373 return this->message_id;
374 }
375
376 /**
377 * Implementation of message_t.get_initiator_spi.
378 */
379 static u_int64_t get_initiator_spi (private_message_t *this)
380 {
381 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
382 }
383
384 /**
385 * Implementation of message_t.get_responder_spi.
386 */
387 static u_int64_t get_responder_spi (private_message_t *this)
388 {
389 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
390 }
391
392 /**
393 * Implementation of message_t.set_major_version.
394 */
395 static void set_major_version (private_message_t *this,u_int8_t major_version)
396 {
397 this->major_version = major_version;
398 }
399
400
401 /**
402 * Implementation of message_t.set_major_version.
403 */
404 static u_int8_t get_major_version (private_message_t *this)
405 {
406 return this->major_version;
407 }
408
409 /**
410 * Implementation of message_t.set_minor_version.
411 */
412 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
413 {
414 this->minor_version = minor_version;
415 }
416
417 /**
418 * Implementation of message_t.get_minor_version.
419 */
420 static u_int8_t get_minor_version (private_message_t *this)
421 {
422 return this->minor_version;
423 }
424
425 /**
426 * Implementation of message_t.set_exchange_type.
427 */
428 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
429 {
430 this->exchange_type = exchange_type;
431 }
432
433 /**
434 * Implementation of message_t.get_exchange_type.
435 */
436 static exchange_type_t get_exchange_type (private_message_t *this)
437 {
438 return this->exchange_type;
439 }
440
441 /**
442 * Implementation of message_t.set_request.
443 */
444 static void set_request (private_message_t *this,bool request)
445 {
446 this->is_request = request;
447 }
448
449 /**
450 * Implementation of message_t.get_request.
451 */
452 static exchange_type_t get_request (private_message_t *this)
453 {
454 return this->is_request;
455 }
456
457 /**
458 * Is this message in an encoded form?
459 */
460 static bool is_encoded(private_message_t *this)
461 {
462 chunk_t data = this->packet->get_data(this->packet);
463
464 if (data.ptr == NULL)
465 {
466 return FALSE;
467 }
468 return TRUE;
469 }
470
471 /**
472 * Implementation of message_t.add_payload.
473 */
474 static void add_payload(private_message_t *this, payload_t *payload)
475 {
476 payload_t *last_payload;
477 if (this->payloads->get_count(this->payloads) > 0)
478 {
479 this->payloads->get_last(this->payloads,(void **) &last_payload);
480 last_payload->set_next_type(last_payload, payload->get_type(payload));
481 }
482 else
483 {
484 this->first_payload = payload->get_type(payload);
485 }
486 payload->set_next_type(payload, NO_PAYLOAD);
487 this->payloads->insert_last(this->payloads, (void*)payload);
488
489 DBG2(DBG_ENC ,"added payload of type %N to message",
490 payload_type_names, payload->get_type(payload));
491 }
492
493 /**
494 * Implementation of message_t.add_notify.
495 */
496 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
497 chunk_t data)
498 {
499 notify_payload_t *notify;
500 payload_t *payload;
501
502 if (flush)
503 {
504 while (this->payloads->remove_last(this->payloads,
505 (void**)&payload) == SUCCESS)
506 {
507 payload->destroy(payload);
508 }
509 }
510 notify = notify_payload_create();
511 notify->set_notify_type(notify, type);
512 notify->set_notification_data(notify, data);
513 add_payload(this, (payload_t*)notify);
514 }
515
516 /**
517 * Implementation of message_t.set_source.
518 */
519 static void set_source(private_message_t *this, host_t *host)
520 {
521 this->packet->set_source(this->packet, host);
522 }
523
524 /**
525 * Implementation of message_t.set_destination.
526 */
527 static void set_destination(private_message_t *this, host_t *host)
528 {
529 this->packet->set_destination(this->packet, host);
530 }
531
532 /**
533 * Implementation of message_t.get_source.
534 */
535 static host_t* get_source(private_message_t *this)
536 {
537 return this->packet->get_source(this->packet);
538 }
539
540 /**
541 * Implementation of message_t.get_destination.
542 */
543 static host_t * get_destination(private_message_t *this)
544 {
545 return this->packet->get_destination(this->packet);
546 }
547
548 /**
549 * Implementation of message_t.get_payload_iterator.
550 */
551 static iterator_t *get_payload_iterator(private_message_t *this)
552 {
553 return this->payloads->create_iterator(this->payloads, TRUE);
554 }
555
556 /**
557 * Implementation of message_t.get_payload.
558 */
559 static payload_t *get_payload(private_message_t *this, payload_type_t type)
560 {
561 payload_t *current, *found = NULL;
562 iterator_t *iterator;
563
564 iterator = this->payloads->create_iterator(this->payloads, TRUE);
565 while (iterator->iterate(iterator, (void**)&current))
566 {
567 if (current->get_type(current) == type)
568 {
569 found = current;
570 break;
571 }
572 }
573 iterator->destroy(iterator);
574 return found;
575 }
576
577 /**
578 * output handler in printf()
579 */
580 static int print(FILE *stream, const struct printf_info *info,
581 const void *const *args)
582 {
583 private_message_t *this = *((private_message_t**)(args[0]));
584 iterator_t *iterator;
585 payload_t *payload;
586 bool first = TRUE;
587 size_t total_written = 0;
588 size_t written;
589
590 if (this == NULL)
591 {
592 return fprintf(stream, "(null)");
593 }
594
595 written = fprintf(stream, "%N %s [",
596 exchange_type_names, this->exchange_type,
597 this->is_request ? "request" : "response");
598 if (written < 0)
599 {
600 return written;
601 }
602 total_written += written;
603
604 iterator = this->payloads->create_iterator(this->payloads, TRUE);
605 while (iterator->iterate(iterator, (void**)&payload))
606 {
607 if (!first)
608 {
609 written = fprintf(stream, " ");
610 if (written < 0)
611 {
612 return written;
613 }
614 total_written += written;
615 }
616 else
617 {
618 first = FALSE;
619 }
620 written = fprintf(stream, "%N", payload_type_short_names,
621 payload->get_type(payload));
622 if (written < 0)
623 {
624 return written;
625 }
626 total_written += written;
627 }
628 iterator->destroy(iterator);
629 written = fprintf(stream, "]");
630 if (written < 0)
631 {
632 return written;
633 }
634 total_written += written;
635 return total_written;
636 }
637
638 /**
639 * register printf() handlers
640 */
641 static void __attribute__ ((constructor))print_register()
642 {
643 register_printf_function(PRINTF_MESSAGE, print, arginfo_ptr);
644 }
645
646 /**
647 * Implementation of private_message_t.encrypt_payloads.
648 */
649 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
650 {
651 encryption_payload_t *encryption_payload = NULL;
652 status_t status;
653 linked_list_t *all_payloads;
654
655 if (!this->message_rule->encrypted_content)
656 {
657 DBG2(DBG_ENC, "message doesn't have to be encrypted");
658 /* message contains no content to encrypt */
659 return SUCCESS;
660 }
661
662 DBG2(DBG_ENC, "copy all payloads to a temporary list");
663 all_payloads = linked_list_create();
664
665 /* first copy all payloads in a temporary list */
666 while (this->payloads->get_count(this->payloads) > 0)
667 {
668 void *current_payload;
669 this->payloads->remove_first(this->payloads,&current_payload);
670 all_payloads->insert_last(all_payloads,current_payload);
671 }
672
673 encryption_payload = encryption_payload_create();
674
675 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
676 while (all_payloads->get_count(all_payloads) > 0)
677 {
678 payload_rule_t *payload_rule;
679 payload_t *current_payload;
680 bool to_encrypt = FALSE;
681
682 all_payloads->remove_first(all_payloads,(void **)&current_payload);
683
684 status = get_payload_rule(this,
685 current_payload->get_type(current_payload),&payload_rule);
686 /* for payload types which are not found in supported payload list,
687 * it is presumed that they don't have to be encrypted */
688 if ((status == SUCCESS) && (payload_rule->encrypted))
689 {
690 DBG2(DBG_ENC, "payload %N gets encrypted",
691 payload_type_names, current_payload->get_type(current_payload));
692 to_encrypt = TRUE;
693 }
694
695 if (to_encrypt)
696 {
697 DBG2(DBG_ENC, "insert payload %N to encryption payload",
698 payload_type_names, current_payload->get_type(current_payload));
699 encryption_payload->add_payload(encryption_payload,current_payload);
700 }
701 else
702 {
703 DBG2(DBG_ENC, "insert payload %N unencrypted",
704 payload_type_names ,current_payload->get_type(current_payload));
705 add_payload(this, (payload_t*)encryption_payload);
706 }
707 }
708
709 status = SUCCESS;
710 DBG2(DBG_ENC, "encrypting encryption payload");
711 encryption_payload->set_transforms(encryption_payload, crypter,signer);
712 status = encryption_payload->encrypt(encryption_payload);
713 DBG2(DBG_ENC, "add encrypted payload to payload list");
714 add_payload(this, (payload_t*)encryption_payload);
715
716 all_payloads->destroy(all_payloads);
717
718 return status;
719 }
720
721 /**
722 * Implementation of message_t.generate.
723 */
724 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
725 {
726 generator_t *generator;
727 ike_header_t *ike_header;
728 payload_t *payload, *next_payload;
729 iterator_t *iterator;
730 status_t status;
731 chunk_t packet_data;
732
733 if (is_encoded(this))
734 {
735 /* already generated, return a new packet clone */
736 *packet = this->packet->clone(this->packet);
737 return SUCCESS;
738 }
739
740 DBG1(DBG_ENC, "generating %M", this);
741
742 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
743 {
744 DBG1(DBG_ENC, "exchange type is not defined");
745 return INVALID_STATE;
746 }
747
748 if (this->packet->get_source(this->packet) == NULL ||
749 this->packet->get_destination(this->packet) == NULL)
750 {
751 DBG1(DBG_ENC, "%s not defined",
752 !this->packet->get_source(this->packet) ? "source" : "destination");
753 return INVALID_STATE;
754 }
755
756 /* set the rules for this messge */
757 status = set_message_rule(this);
758 if (status != SUCCESS)
759 {
760 DBG1(DBG_ENC, "no message rules specified for this message type");
761 return NOT_SUPPORTED;
762 }
763
764 /* going to encrypt all content which have to be encrypted */
765 status = encrypt_payloads(this, crypter, signer);
766 if (status != SUCCESS)
767 {
768 DBG1(DBG_ENC, "payload encryption failed");
769 return status;
770 }
771
772 /* build ike header */
773 ike_header = ike_header_create();
774
775 ike_header->set_exchange_type(ike_header, this->exchange_type);
776 ike_header->set_message_id(ike_header, this->message_id);
777 ike_header->set_response_flag(ike_header, !this->is_request);
778 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
779 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
780 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
781
782 generator = generator_create();
783
784 payload = (payload_t*)ike_header;
785
786
787 /* generate every payload expect last one, this is doen later*/
788 iterator = this->payloads->create_iterator(this->payloads, TRUE);
789 while(iterator->iterate(iterator, (void**)&next_payload))
790 {
791 payload->set_next_type(payload, next_payload->get_type(next_payload));
792 generator->generate_payload(generator, payload);
793 payload = next_payload;
794 }
795 iterator->destroy(iterator);
796
797 /* last payload has no next payload*/
798 payload->set_next_type(payload, NO_PAYLOAD);
799
800 generator->generate_payload(generator, payload);
801
802 ike_header->destroy(ike_header);
803
804 /* build packet */
805 generator->write_to_chunk(generator, &packet_data);
806 generator->destroy(generator);
807
808 /* if last payload is of type encrypted, integrity checksum if necessary */
809 if (payload->get_type(payload) == ENCRYPTED)
810 {
811 DBG2(DBG_ENC, "build signature on whole message");
812 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
813 status = encryption_payload->build_signature(encryption_payload, packet_data);
814 if (status != SUCCESS)
815 {
816 return status;
817 }
818 }
819
820 this->packet->set_data(this->packet, packet_data);
821
822 /* clone packet for caller */
823 *packet = this->packet->clone(this->packet);
824
825 DBG2(DBG_ENC, "message generated successfully");
826 return SUCCESS;
827 }
828
829 /**
830 * Implementation of message_t.get_packet.
831 */
832 static packet_t *get_packet (private_message_t *this)
833 {
834 if (this->packet == NULL)
835 {
836 return NULL;
837 }
838 return this->packet->clone(this->packet);
839 }
840
841 /**
842 * Implementation of message_t.get_packet_data.
843 */
844 static chunk_t get_packet_data (private_message_t *this)
845 {
846 if (this->packet == NULL)
847 {
848 return chunk_empty;
849 }
850 return chunk_clone(this->packet->get_data(this->packet));
851 }
852
853 /**
854 * Implementation of message_t.parse_header.
855 */
856 static status_t parse_header(private_message_t *this)
857 {
858 ike_header_t *ike_header;
859 status_t status;
860
861 DBG2(DBG_ENC, "parsing header of message");
862
863 this->parser->reset_context(this->parser);
864 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
865 if (status != SUCCESS)
866 {
867 DBG1(DBG_ENC, "header could not be parsed");
868 return status;
869
870 }
871
872 /* verify payload */
873 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
874 if (status != SUCCESS)
875 {
876 DBG1(DBG_ENC, "header verification failed");
877 ike_header->destroy(ike_header);
878 return status;
879 }
880
881 if (this->ike_sa_id != NULL)
882 {
883 this->ike_sa_id->destroy(this->ike_sa_id);
884 }
885
886 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
887 ike_header->get_responder_spi(ike_header),
888 ike_header->get_initiator_flag(ike_header));
889
890 this->exchange_type = ike_header->get_exchange_type(ike_header);
891 this->message_id = ike_header->get_message_id(ike_header);
892 this->is_request = (!(ike_header->get_response_flag(ike_header)));
893 this->major_version = ike_header->get_maj_version(ike_header);
894 this->minor_version = ike_header->get_min_version(ike_header);
895 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
896
897 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
898 this->is_request ? "request" : "response");
899
900 ike_header->destroy(ike_header);
901
902 /* get the rules for this messge */
903 status = set_message_rule(this);
904 if (status != SUCCESS)
905 {
906 DBG1(DBG_ENC, "no message rules specified for a %N %s",
907 exchange_type_names, this->exchange_type,
908 this->is_request ? "request" : "response");
909 }
910
911 return status;
912 }
913
914 /**
915 * Implementation of private_message_t.decrypt_and_verify_payloads.
916 */
917 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
918 {
919 bool current_payload_was_encrypted = FALSE;
920 payload_t *previous_payload = NULL;
921 int payload_number = 1;
922 iterator_t *iterator;
923 payload_t *current_payload;
924 status_t status;
925
926 iterator = this->payloads->create_iterator(this->payloads,TRUE);
927
928 /* process each payload and decrypt a encryption payload */
929 while(iterator->iterate(iterator, (void**)&current_payload))
930 {
931 payload_rule_t *payload_rule;
932 payload_type_t current_payload_type;
933
934 /* needed to check */
935 current_payload_type = current_payload->get_type(current_payload);
936
937 DBG2(DBG_ENC, "process payload of type %N",
938 payload_type_names, current_payload_type);
939
940 if (current_payload_type == ENCRYPTED)
941 {
942 encryption_payload_t *encryption_payload;
943 payload_t *current_encrypted_payload;
944
945 encryption_payload = (encryption_payload_t*)current_payload;
946
947 DBG2(DBG_ENC, "found an encryption payload");
948
949 if (payload_number != this->payloads->get_count(this->payloads))
950 {
951 /* encrypted payload is not last one */
952 DBG1(DBG_ENC, "encrypted payload is not last payload");
953 iterator->destroy(iterator);
954 return VERIFY_ERROR;
955 }
956 /* decrypt */
957 encryption_payload->set_transforms(encryption_payload, crypter, signer);
958 DBG2(DBG_ENC, "verify signature of encryption payload");
959 status = encryption_payload->verify_signature(encryption_payload,
960 this->packet->get_data(this->packet));
961 if (status != SUCCESS)
962 {
963 DBG1(DBG_ENC, "encryption payload signature invalid");
964 iterator->destroy(iterator);
965 return FAILED;
966 }
967 DBG2(DBG_ENC, "decrypting content of encryption payload");
968 status = encryption_payload->decrypt(encryption_payload);
969 if (status != SUCCESS)
970 {
971 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
972 iterator->destroy(iterator);
973 return PARSE_ERROR;
974 }
975
976 /* needed later to find out if a payload was encrypted */
977 current_payload_was_encrypted = TRUE;
978
979 /* check if there are payloads contained in the encryption payload */
980 if (encryption_payload->get_payload_count(encryption_payload) == 0)
981 {
982 DBG2(DBG_ENC, "encrypted payload is empty");
983 /* remove the encryption payload, is not needed anymore */
984 iterator->remove(iterator);
985 /* encrypted payload contains no other payload */
986 current_payload_type = NO_PAYLOAD;
987 }
988 else
989 {
990 /* encryption_payload is replaced with first payload contained in encryption_payload */
991 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
992 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
993 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
994 }
995
996 /* is the current paylad the first in the message? */
997 if (previous_payload == NULL)
998 {
999 /* yes, set the first payload type of the message to the current type */
1000 this->first_payload = current_payload_type;
1001 }
1002 else
1003 {
1004 /* no, set the next_type of the previous payload to the current type */
1005 previous_payload->set_next_type(previous_payload, current_payload_type);
1006 }
1007
1008 /* all encrypted payloads are added to the payload list */
1009 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1010 {
1011 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1012 DBG2(DBG_ENC, "insert unencrypted payload of type %N at end of list",
1013 payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
1014 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1015 }
1016
1017 /* encryption payload is processed, payloads are moved. Destroy it. */
1018 encryption_payload->destroy(encryption_payload);
1019 }
1020
1021 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1022 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
1023 {
1024 /* get the ruleset for found payload */
1025 status = get_payload_rule(this, current_payload_type, &payload_rule);
1026 if (status != SUCCESS)
1027 {
1028 /* payload is not allowed */
1029 DBG1(DBG_ENC, "payload type %N not allowed",
1030 payload_type_names, current_payload_type);
1031 iterator->destroy(iterator);
1032 return VERIFY_ERROR;
1033 }
1034
1035 /* check if the payload was encrypted, and if it should been have encrypted */
1036 if (payload_rule->encrypted != current_payload_was_encrypted)
1037 {
1038 /* payload was not encrypted, but should have been. or vice-versa */
1039 DBG1(DBG_ENC, "payload type %N should be %s!",
1040 payload_type_names, current_payload_type,
1041 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1042 iterator->destroy(iterator);
1043 return VERIFY_ERROR;
1044 }
1045 }
1046 /* advance to the next payload */
1047 payload_number++;
1048 /* is stored to set next payload in case of found encryption payload */
1049 previous_payload = current_payload;
1050 }
1051 iterator->destroy(iterator);
1052 return SUCCESS;
1053 }
1054
1055 /**
1056 * Implementation of private_message_t.verify.
1057 */
1058 static status_t verify(private_message_t *this)
1059 {
1060 int i;
1061 iterator_t *iterator;
1062 payload_t *current_payload;
1063 size_t total_found_payloads = 0;
1064
1065 DBG2(DBG_ENC, "verifying message structure");
1066
1067 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1068 /* check for payloads with wrong count*/
1069 for (i = 0; i < this->message_rule->payload_rule_count;i++)
1070 {
1071 size_t found_payloads = 0;
1072
1073 /* check all payloads for specific rule */
1074 iterator->reset(iterator);
1075
1076 while(iterator->iterate(iterator,(void **)&current_payload))
1077 {
1078 payload_type_t current_payload_type;
1079
1080 current_payload_type = current_payload->get_type(current_payload);
1081 if (current_payload_type == UNKNOWN_PAYLOAD)
1082 {
1083 /* unknown payloads are ignored, IF they are not critical */
1084 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
1085 if (unknown_payload->is_critical(unknown_payload))
1086 {
1087 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1088 payload_type_names, current_payload_type);
1089 iterator->destroy(iterator);
1090 return NOT_SUPPORTED;
1091 }
1092 }
1093 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
1094 {
1095 found_payloads++;
1096 total_found_payloads++;
1097 DBG2(DBG_ENC, "found payload of type %N",
1098 payload_type_names, this->message_rule->payload_rules[i].payload_type);
1099
1100 /* as soon as ohe payload occures more then specified, the verification fails */
1101 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
1102 {
1103 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
1104 payload_type_names, current_payload_type,
1105 this->message_rule->payload_rules[i].max_occurence, found_payloads);
1106 iterator->destroy(iterator);
1107 return VERIFY_ERROR;
1108 }
1109 }
1110 }
1111
1112 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
1113 {
1114 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1115 payload_type_names, this->message_rule->payload_rules[i].payload_type,
1116 this->message_rule->payload_rules[i].min_occurence, found_payloads);
1117 iterator->destroy(iterator);
1118 return VERIFY_ERROR;
1119 }
1120 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
1121 {
1122 iterator->destroy(iterator);
1123 return SUCCESS;
1124 }
1125 }
1126 iterator->destroy(iterator);
1127 return SUCCESS;
1128 }
1129
1130 /**
1131 * Implementation of message_t.parse_body.
1132 */
1133 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
1134 {
1135 status_t status = SUCCESS;
1136 payload_type_t current_payload_type;
1137
1138 current_payload_type = this->first_payload;
1139
1140 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1141 payload_type_names, current_payload_type);
1142
1143 /* parse payload for payload, while there are more available */
1144 while ((current_payload_type != NO_PAYLOAD))
1145 {
1146 payload_t *current_payload;
1147
1148 DBG2(DBG_ENC, "starting parsing a %N payload",
1149 payload_type_names, current_payload_type);
1150
1151 /* parse current payload */
1152 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
1153
1154 if (status != SUCCESS)
1155 {
1156 DBG1(DBG_ENC, "payload type %N could not be parsed",
1157 payload_type_names, current_payload_type);
1158 return PARSE_ERROR;
1159 }
1160
1161 DBG2(DBG_ENC, "verifying payload of type %N",
1162 payload_type_names, current_payload_type);
1163
1164 /* verify it, stop parsig if its invalid */
1165 status = current_payload->verify(current_payload);
1166 if (status != SUCCESS)
1167 {
1168 DBG1(DBG_ENC, "%N payload verification failed",
1169 payload_type_names, current_payload_type);
1170 current_payload->destroy(current_payload);
1171 return VERIFY_ERROR;
1172 }
1173
1174 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1175 payload_type_names, current_payload_type);
1176 this->payloads->insert_last(this->payloads,current_payload);
1177
1178 /* an encryption payload is the last one, so STOP here. decryption is done later */
1179 if (current_payload_type == ENCRYPTED)
1180 {
1181 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1182 payload_type_names, current_payload_type);
1183 break;
1184 }
1185
1186 /* get next payload type */
1187 current_payload_type = current_payload->get_next_type(current_payload);
1188 }
1189
1190 if (current_payload_type == ENCRYPTED)
1191 {
1192 status = decrypt_payloads(this,crypter,signer);
1193 if (status != SUCCESS)
1194 {
1195 DBG1(DBG_ENC, "could not decrypt payloads");
1196 return status;
1197 }
1198 }
1199
1200 status = verify(this);
1201 if (status != SUCCESS)
1202 {
1203 return status;
1204 }
1205
1206 DBG1(DBG_ENC, "parsed %M", this);
1207
1208 return SUCCESS;
1209 }
1210
1211 /**
1212 * Implementation of message_t.destroy.
1213 */
1214 static void destroy (private_message_t *this)
1215 {
1216 DESTROY_IF(this->ike_sa_id);
1217 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1218 this->packet->destroy(this->packet);
1219 this->parser->destroy(this->parser);
1220 free(this);
1221 }
1222
1223 /*
1224 * Described in Header-File
1225 */
1226 message_t *message_create_from_packet(packet_t *packet)
1227 {
1228 private_message_t *this = malloc_thing(private_message_t);
1229
1230 /* public functions */
1231 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1232 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1233 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1234 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1235 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1236 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1237 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1238 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1239 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1240 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1241 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1242 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1243 this->public.set_request = (void(*)(message_t*, bool))set_request;
1244 this->public.get_request = (bool(*)(message_t*))get_request;
1245 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1246 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1247 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1248 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1249 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1250 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1251 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1252 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1253 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1254 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1255 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1256 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1257 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1258 this->public.destroy = (void(*)(message_t*))destroy;
1259
1260 /* private values */
1261 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1262 this->is_request = TRUE;
1263 this->ike_sa_id = NULL;
1264 this->first_payload = NO_PAYLOAD;
1265 this->message_id = 0;
1266
1267 /* private values */
1268 if (packet == NULL)
1269 {
1270 packet = packet_create();
1271 }
1272 this->message_rule = NULL;
1273 this->packet = packet;
1274 this->payloads = linked_list_create();
1275
1276 /* parser is created from data of packet */
1277 this->parser = parser_create(this->packet->get_data(this->packet));
1278
1279 return (&this->public);
1280 }
1281
1282 /*
1283 * Described in Header.
1284 */
1285 message_t *message_create()
1286 {
1287 return message_create_from_packet(NULL);
1288 }