updated copyright information
[strongswan.git] / src / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include <stdlib.h>
26 #include <string.h>
27
28 #include "message.h"
29
30 #include <types.h>
31 #include <daemon.h>
32 #include <sa/ike_sa_id.h>
33 #include <encoding/generator.h>
34 #include <encoding/parser.h>
35 #include <utils/linked_list.h>
36 #include <utils/logger_manager.h>
37 #include <encoding/payloads/encodings.h>
38 #include <encoding/payloads/payload.h>
39 #include <encoding/payloads/encryption_payload.h>
40 #include <encoding/payloads/unknown_payload.h>
41
42 /**
43 * Max number of notify payloads per IKEv2 Message
44 */
45 #define MAX_NOTIFY_PAYLOADS 10
46
47
48 typedef struct payload_rule_t payload_rule_t;
49
50 /**
51 * A payload rule defines the rules for a payload
52 * in a specific message rule. It defines if and how
53 * many times a payload must/can occur in a message
54 * and if it must be encrypted.
55 */
56 struct payload_rule_t {
57 /**
58 * Payload type.
59 */
60 payload_type_t payload_type;
61
62 /**
63 * Minimal occurence of this payload.
64 */
65 size_t min_occurence;
66
67 /**
68 * Max occurence of this payload.
69 */
70 size_t max_occurence;
71
72 /**
73 * TRUE if payload must be encrypted
74 */
75 bool encrypted;
76
77 /**
78 * If this payload occurs, the message rule is
79 * fullfilled in any case. This applies e.g. to
80 * notify_payloads.
81 */
82 bool sufficient;
83 };
84
85 typedef struct message_rule_t message_rule_t;
86
87 /**
88 * A message rule defines the kind of a message,
89 * if it has encrypted contents and a list
90 * of payload rules.
91 *
92 */
93 struct message_rule_t {
94 /**
95 * Type of message.
96 */
97 exchange_type_t exchange_type;
98
99 /**
100 * Is message a request or response.
101 */
102 bool is_request;
103
104 /**
105 * Message contains encrypted content.
106 */
107 bool encrypted_content;
108
109 /**
110 * Number of payload rules which will follow
111 */
112 size_t payload_rule_count;
113
114 /**
115 * Pointer to first payload rule
116 */
117 payload_rule_t *payload_rules;
118 };
119
120 /**
121 * Message rule for IKE_SA_INIT from initiator.
122 */
123 static payload_rule_t ike_sa_init_i_payload_rules[] = {
124 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
125 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
126 {KEY_EXCHANGE,1,1,FALSE,FALSE},
127 {NONCE,1,1,FALSE,FALSE},
128 };
129
130 /**
131 * Message rule for IKE_SA_INIT from responder.
132 */
133 static payload_rule_t ike_sa_init_r_payload_rules[] = {
134 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
135 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
136 {KEY_EXCHANGE,1,1,FALSE,FALSE},
137 {NONCE,1,1,FALSE,FALSE},
138 };
139
140 /**
141 * Message rule for IKE_AUTH from initiator.
142 */
143 static payload_rule_t ike_auth_i_payload_rules[] = {
144 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
145 {ID_INITIATOR,1,1,TRUE,FALSE},
146 {CERTIFICATE,0,1,TRUE,FALSE},
147 {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
148 {ID_RESPONDER,0,1,TRUE,FALSE},
149 {AUTHENTICATION,1,1,TRUE,FALSE},
150 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
151 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
152 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
153 {CONFIGURATION,0,1,TRUE,FALSE},
154 };
155
156 /**
157 * Message rule for IKE_AUTH from responder.
158 */
159 static payload_rule_t ike_auth_r_payload_rules[] = {
160 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
161 {CERTIFICATE,0,1,TRUE,FALSE},
162 {ID_RESPONDER,1,1,TRUE,FALSE},
163 {AUTHENTICATION,1,1,TRUE,FALSE},
164 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
165 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
166 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
167 {CONFIGURATION,0,1,TRUE,FALSE},
168 };
169
170
171 /**
172 * Message rule for INFORMATIONAL from initiator.
173 */
174 static payload_rule_t informational_i_payload_rules[] = {
175 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
176 {CONFIGURATION,0,1,TRUE,FALSE},
177 {DELETE,0,1,TRUE,FALSE},
178
179 };
180
181 /**
182 * Message rule for INFORMATIONAL from responder.
183 */
184 static payload_rule_t informational_r_payload_rules[] = {
185 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
186 {CONFIGURATION,0,1,TRUE,FALSE},
187 {DELETE,0,1,TRUE,FALSE},
188 };
189
190 /**
191 * Message rule for CREATE_CHILD_SA from initiator.
192 */
193 static payload_rule_t create_child_sa_i_payload_rules[] = {
194 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
195 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
196 {NONCE,1,1,TRUE,FALSE},
197 {KEY_EXCHANGE,0,1,TRUE,FALSE},
198 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
199 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
200 {CONFIGURATION,0,1,TRUE,FALSE},
201 };
202
203 /**
204 * Message rule for CREATE_CHILD_SA from responder.
205 */
206 static payload_rule_t create_child_sa_r_payload_rules[] = {
207 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
208 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
209 {NONCE,1,1,TRUE,FALSE},
210 {KEY_EXCHANGE,0,1,TRUE,FALSE},
211 {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
212 {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
213 {CONFIGURATION,0,1,TRUE,FALSE},
214 };
215
216
217 /**
218 * Message rules, defines allowed payloads.
219 */
220 static message_rule_t message_rules[] = {
221 {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
222 {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
223 {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
224 {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
225 {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
226 {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
227 {CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
228 {CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
229 };
230
231
232 typedef struct private_message_t private_message_t;
233
234 /**
235 * Private data of an message_t object.
236 */
237 struct private_message_t {
238
239 /**
240 * Public part of a message_t object.
241 */
242 message_t public;
243
244 /**
245 * Minor version of message.
246 */
247 u_int8_t major_version;
248
249 /**
250 * Major version of message.
251 */
252 u_int8_t minor_version;
253
254 /**
255 * First Payload in message.
256 */
257 payload_type_t first_payload;
258
259 /**
260 * Assigned exchange type.
261 */
262 exchange_type_t exchange_type;
263
264 /**
265 * TRUE if message is a request, FALSE if a reply.
266 */
267 bool is_request;
268
269 /**
270 * Message ID of this message.
271 */
272 u_int32_t message_id;
273
274 /**
275 * ID of assigned IKE_SA.
276 */
277 ike_sa_id_t *ike_sa_id;
278
279 /**
280 * Assigned UDP packet, stores incoming packet or last generated one.
281 */
282 packet_t *packet;
283
284 /**
285 * Linked List where payload data are stored in.
286 */
287 linked_list_t *payloads;
288
289 /**
290 * Assigned parser to parse Header and Body of this message.
291 */
292 parser_t *parser;
293
294 /**
295 * The message rule for this message instance
296 */
297 message_rule_t *message_rule;
298
299 /**
300 * Assigned logger.
301 */
302 logger_t *logger;
303
304 /**
305 * Sets the private message_rule member to the rule which
306 * applies to this message. Must be called before get_payload_rule().
307 *
308 * @param this calling object
309 * @return
310 * - SUCCESS
311 * - NOT_FOUND if no message rule applies to this message.
312 */
313 status_t (*set_message_rule) (private_message_t *this);
314
315 /**
316 * Gets the payload_rule_t for a specific message_rule_t and payload type.
317 *
318 * @param this calling object
319 * @param payload_type payload type
320 * @param[out] payload_rule returned payload_rule_t
321 * @return
322 * - SUCCESS
323 * - NOT_FOUND if payload not defined in current message rule
324 * - INVALID_STATE if message rule is not set via set_message_rule()
325 */
326 status_t (*get_payload_rule) (private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule);
327
328 /**
329 * Encrypts all payloads which has to get encrypted.
330 *
331 * Can also be called with messages not containing encrypted content.
332 *
333 * @param this calling object
334 * @param crypter crypter_t object
335 * @param signer signer_t object
336 * @return
337 * - SUCCESS
338 * - INVALID_STATE if no crypter/signer supplied but needed
339 */
340 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
341
342 /**
343 * Decrypts encrypted contents, and checks if a payload is encrypted if it has to be.
344 *
345 * @param this calling object
346 * @param crypter crypter_t object
347 * @param signer signer_t object
348 * @return
349 * - SUCCESS
350 * - FAILED if decryption not successfull
351 * - INVALID_STATE if no crypter/signer supplied but needed
352 */
353 status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
354
355 /**
356 * Verifies the message. Checks for payloads count.
357 *
358 * @param calling object
359 * @return
360 * - SUCCESS if message valid, or
361 * - FAILED if message does not align with message rules.
362 */
363 status_t (*verify) (private_message_t *this);
364 };
365
366 /**
367 * Implementation of private_message_t.set_message_rule.
368 */
369 static status_t set_message_rule(private_message_t *this)
370 {
371 int i;
372
373 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
374 {
375 if ((this->exchange_type == message_rules[i].exchange_type) &&
376 (this->is_request == message_rules[i].is_request))
377 {
378 /* found rule for given exchange_type*/
379 this->message_rule = &(message_rules[i]);
380 return SUCCESS;
381 }
382 }
383 this->message_rule = NULL;
384 return NOT_FOUND;
385 }
386
387 /**
388 * Implementation of private_message_t.get_payload_rule.
389 */
390 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
391 {
392 int i;
393
394 for (i = 0; i < this->message_rule->payload_rule_count;i++)
395 {
396 if (this->message_rule->payload_rules[i].payload_type == payload_type)
397 {
398 *payload_rule = &(this->message_rule->payload_rules[i]);
399 return SUCCESS;
400 }
401 }
402
403 *payload_rule = NULL;
404 return NOT_FOUND;
405 }
406
407 /**
408 * Implementation of message_t.set_ike_sa_id.
409 */
410 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
411 {
412 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
413 }
414
415 /**
416 * Implementation of message_t.get_ike_sa_id.
417 */
418 static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
419 {
420 return this->ike_sa_id;
421 }
422
423 /**
424 * Implementation of message_t.set_message_id.
425 */
426 static void set_message_id (private_message_t *this,u_int32_t message_id)
427 {
428 this->message_id = message_id;
429 }
430
431 /**
432 * Implementation of message_t.get_message_id.
433 */
434 static u_int32_t get_message_id (private_message_t *this)
435 {
436 return this->message_id;
437 }
438
439 /**
440 * Implementation of message_t.get_initiator_spi.
441 */
442 static u_int64_t get_initiator_spi (private_message_t *this)
443 {
444 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
445 }
446
447 /**
448 * Implementation of message_t.get_responder_spi.
449 */
450 static u_int64_t get_responder_spi (private_message_t *this)
451 {
452 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
453 }
454
455 /**
456 * Implementation of message_t.set_major_version.
457 */
458 static void set_major_version (private_message_t *this,u_int8_t major_version)
459 {
460 this->major_version = major_version;
461 }
462
463
464 /**
465 * Implementation of message_t.set_major_version.
466 */
467 static u_int8_t get_major_version (private_message_t *this)
468 {
469 return this->major_version;
470 }
471
472 /**
473 * Implementation of message_t.set_minor_version.
474 */
475 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
476 {
477 this->minor_version = minor_version;
478 }
479
480 /**
481 * Implementation of message_t.get_minor_version.
482 */
483 static u_int8_t get_minor_version (private_message_t *this)
484 {
485 return this->minor_version;
486 }
487
488 /**
489 * Implementation of message_t.set_exchange_type.
490 */
491 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
492 {
493 this->exchange_type = exchange_type;
494 }
495
496 /**
497 * Implementation of message_t.get_exchange_type.
498 */
499 static exchange_type_t get_exchange_type (private_message_t *this)
500 {
501 return this->exchange_type;
502 }
503
504 /**
505 * Implementation of message_t.set_request.
506 */
507 static void set_request (private_message_t *this,bool request)
508 {
509 this->is_request = request;
510 }
511
512 /**
513 * Implementation of message_t.get_request.
514 */
515 static exchange_type_t get_request (private_message_t *this)
516 {
517 return this->is_request;
518 }
519
520 /**
521 * Is this message in an encoded form?
522 */
523 static bool is_encoded(private_message_t *this)
524 {
525 chunk_t data = this->packet->get_data(this->packet);
526
527 if (data.ptr == NULL)
528 {
529 return FALSE;
530 }
531 return TRUE;
532 }
533
534 /**
535 * Implementation of message_t.add_payload.
536 */
537 static void add_payload(private_message_t *this, payload_t *payload)
538 {
539 payload_t *last_payload;
540 if (this->payloads->get_count(this->payloads) > 0)
541 {
542 this->payloads->get_last(this->payloads,(void **) &last_payload);
543 last_payload->set_next_type(last_payload, payload->get_type(payload));
544 }
545 else
546 {
547 this->first_payload = payload->get_type(payload);
548 }
549 payload->set_next_type(payload, NO_PAYLOAD);
550 this->payloads->insert_last(this->payloads, (void*)payload);
551
552 this->logger->log(this->logger, CONTROL|LEVEL1, "added payload of type %s to message",
553 mapping_find(payload_type_m, payload->get_type(payload)));
554 }
555
556 /**
557 * Implementation of message_t.set_source.
558 */
559 static void set_source(private_message_t *this, host_t *host)
560 {
561 this->packet->set_source(this->packet, host);
562 }
563
564 /**
565 * Implementation of message_t.set_destination.
566 */
567 static void set_destination(private_message_t *this, host_t *host)
568 {
569
570 this->packet->set_destination(this->packet, host);
571 }
572
573 /**
574 * Implementation of message_t.get_source.
575 */
576 static host_t* get_source(private_message_t *this)
577 {
578 return this->packet->get_source(this->packet);
579 }
580
581 /**
582 * Implementation of message_t.get_destination.
583 */
584 static host_t * get_destination(private_message_t *this)
585 {
586 return this->packet->get_destination(this->packet);
587 }
588
589 /**
590 * Implementation of message_t.get_destination.
591 */
592 static iterator_t *get_payload_iterator(private_message_t *this)
593 {
594 return this->payloads->create_iterator(this->payloads, TRUE);
595 }
596
597 /**
598 * Build a string containing short names for all payload in this message
599 */
600 static void build_payload_string(private_message_t *this, char* buffer, size_t size)
601 {
602 iterator_t *iterator;
603 payload_t *payload;
604 bool first = TRUE;
605
606 *buffer = '\0';
607 size--;
608
609 iterator = this->payloads->create_iterator(this->payloads, TRUE);
610 while (iterator->iterate(iterator, (void**)&payload))
611 {
612 payload_type_t type = payload->get_type(payload);
613 char *name = mapping_find(payload_type_short_m, type);
614 size_t name_len = strlen(name);
615 if (!first)
616 {
617 strncat(buffer, " ", size);
618 if (size)
619 {
620 size--;
621 }
622 }
623 else
624 {
625 first = FALSE;
626 }
627 strncat(buffer, name, size);
628 if (name_len > size)
629 {
630 size = 0;
631 }
632 else
633 {
634 size -= name_len;
635 }
636 }
637 iterator->destroy(iterator);
638 }
639
640 /**
641 * Implementation of message_t.generate.
642 */
643 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
644 {
645 generator_t *generator;
646 ike_header_t *ike_header;
647 payload_t *payload, *next_payload;
648 iterator_t *iterator;
649 status_t status;
650 chunk_t packet_data;
651 char payload_names[128];
652
653 if (is_encoded(this))
654 {
655 /* already generated, return a new packet clone */
656 *packet = this->packet->clone(this->packet);
657 return SUCCESS;
658 }
659
660 build_payload_string(this, payload_names, sizeof(payload_names));
661 this->logger->log(this->logger, CONTROL, "generating %s %s [%s]",
662 mapping_find(exchange_type_m,this->exchange_type),
663 this->is_request ? "request" : "response",
664 payload_names);
665
666 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
667 {
668 this->logger->log(this->logger, ERROR | LEVEL1, "exchange type %s is not defined",
669 mapping_find(exchange_type_m,this->exchange_type));
670 return INVALID_STATE;
671 }
672
673 if (this->packet->get_source(this->packet) == NULL ||
674 this->packet->get_destination(this->packet) == NULL)
675 {
676 this->logger->log(this->logger, ERROR|LEVEL1, "%s not defined",
677 !this->packet->get_source(this->packet) ? "source" : "destination");
678 return INVALID_STATE;
679 }
680
681 /* set the rules for this messge */
682 status = this->set_message_rule(this);
683 if (status != SUCCESS)
684 {
685 this->logger->log(this->logger, ERROR, "no message rules specified for a %s %s",
686 mapping_find(exchange_type_m,this->exchange_type),
687 this->is_request ? "request" : "response");
688 return NOT_SUPPORTED;
689 }
690
691
692 /* going to encrypt all content which have to be encrypted */
693 status = this->encrypt_payloads(this, crypter, signer);
694 if (status != SUCCESS)
695 {
696 this->logger->log(this->logger, ERROR | LEVEL1, "could not encrypt payloads");
697 return status;
698 }
699
700 /* build ike header */
701 ike_header = ike_header_create();
702
703 ike_header->set_exchange_type(ike_header, this->exchange_type);
704 ike_header->set_message_id(ike_header, this->message_id);
705 ike_header->set_response_flag(ike_header, !this->is_request);
706 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
707 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
708 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
709
710 generator = generator_create();
711
712 payload = (payload_t*)ike_header;
713
714
715 /* generate every payload expect last one, this is doen later*/
716 iterator = this->payloads->create_iterator(this->payloads, TRUE);
717 while(iterator->has_next(iterator))
718 {
719 iterator->current(iterator, (void**)&next_payload);
720 payload->set_next_type(payload, next_payload->get_type(next_payload));
721 generator->generate_payload(generator, payload);
722 payload = next_payload;
723 }
724 iterator->destroy(iterator);
725
726 /* last payload has no next payload*/
727 payload->set_next_type(payload, NO_PAYLOAD);
728
729 generator->generate_payload(generator, payload);
730
731 ike_header->destroy(ike_header);
732
733 /* build packet */
734 generator->write_to_chunk(generator, &packet_data);
735 generator->destroy(generator);
736
737 /* if last payload is of type encrypted, integrity checksum if necessary */
738 if (payload->get_type(payload) == ENCRYPTED)
739 {
740 this->logger->log(this->logger, CONTROL | LEVEL1, "build signature on whole message");
741 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
742 status = encryption_payload->build_signature(encryption_payload, packet_data);
743 if (status != SUCCESS)
744 {
745 return status;
746 }
747 }
748
749 this->packet->set_data(this->packet, packet_data);
750
751 /* clone packet for caller */
752 *packet = this->packet->clone(this->packet);
753
754 this->logger->log(this->logger, CONTROL|LEVEL1, "message of type %s generated successfully",
755 mapping_find(exchange_type_m,this->exchange_type));
756 return SUCCESS;
757 }
758
759 /**
760 * Implementation of message_t.get_packet.
761 */
762 static packet_t *get_packet (private_message_t *this)
763 {
764 return this->packet->clone(this->packet);
765 }
766
767 /**
768 * Implementation of message_t.get_packet_data.
769 */
770 static chunk_t get_packet_data (private_message_t *this)
771 {
772 return chunk_clone(this->packet->get_data(this->packet));
773 }
774
775 /**
776 * Implementation of message_t.parse_header.
777 */
778 static status_t parse_header(private_message_t *this)
779 {
780 ike_header_t *ike_header;
781 status_t status;
782
783
784 this->logger->log(this->logger, CONTROL|LEVEL1, "parsing Header of message");
785
786 this->parser->reset_context(this->parser);
787 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
788 if (status != SUCCESS)
789 {
790 this->logger->log(this->logger, ERROR | LEVEL1, "header could not be parsed");
791 return status;
792
793 }
794
795 /* verify payload */
796 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
797 if (status != SUCCESS)
798 {
799 this->logger->log(this->logger, ERROR | LEVEL1, "header verification failed");
800 ike_header->destroy(ike_header);
801 return status;
802 }
803
804 if (this->ike_sa_id != NULL)
805 {
806 this->ike_sa_id->destroy(this->ike_sa_id);
807 }
808
809 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
810 ike_header->get_responder_spi(ike_header),
811 ike_header->get_initiator_flag(ike_header));
812
813 this->exchange_type = ike_header->get_exchange_type(ike_header);
814 this->message_id = ike_header->get_message_id(ike_header);
815 this->is_request = (!(ike_header->get_response_flag(ike_header)));
816 this->major_version = ike_header->get_maj_version(ike_header);
817 this->minor_version = ike_header->get_min_version(ike_header);
818 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
819
820 this->logger->log(this->logger, CONTROL|LEVEL1, "parsed a %s %s",
821 mapping_find(exchange_type_m, this->exchange_type),
822 this->is_request ? "request" : "response");
823
824 ike_header->destroy(ike_header);
825
826 /* get the rules for this messge */
827 status = this->set_message_rule(this);
828 if (status != SUCCESS)
829 {
830 this->logger->log(this->logger, ERROR, "no message rules specified for a %s %s",
831 mapping_find(exchange_type_m,this->exchange_type),
832 this->is_request ? "request" : "response");
833 }
834
835 return status;
836 }
837
838 /**
839 * Implementation of message_t.parse_body.
840 */
841 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
842 {
843 status_t status = SUCCESS;
844 payload_type_t current_payload_type;
845 char payload_names[128];
846
847 current_payload_type = this->first_payload;
848
849 this->logger->log(this->logger, CONTROL|LEVEL1, "parsing body of message, first payload is %s",
850 mapping_find(payload_type_m, current_payload_type));
851
852 /* parse payload for payload, while there are more available */
853 while ((current_payload_type != NO_PAYLOAD))
854 {
855 payload_t *current_payload;
856
857 this->logger->log(this->logger, CONTROL|LEVEL2, "start parsing a %s payload",
858 mapping_find(payload_type_m, current_payload_type));
859
860 /* parse current payload */
861 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
862
863 if (status != SUCCESS)
864 {
865 this->logger->log(this->logger, ERROR, "payload type %s could not be parsed",
866 mapping_find(payload_type_m,current_payload_type));
867 return PARSE_ERROR;
868 }
869
870 this->logger->log(this->logger, CONTROL|LEVEL2, "verify payload of type %s",
871 mapping_find(payload_type_m, current_payload_type));
872
873 /* verify it, stop parsig if its invalid */
874 status = current_payload->verify(current_payload);
875 if (status != SUCCESS)
876 {
877 this->logger->log(this->logger, ERROR, "%s payload verification failed",
878 mapping_find(payload_type_m,current_payload_type));
879 current_payload->destroy(current_payload);
880 return VERIFY_ERROR;
881 }
882
883 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload verified. Adding to payload list",
884 mapping_find(payload_type_m, current_payload_type));
885 this->payloads->insert_last(this->payloads,current_payload);
886
887 /* an encryption payload is the last one, so STOP here. decryption is done later */
888 if (current_payload_type == ENCRYPTED)
889 {
890 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload found. Stop parsing",
891 mapping_find(payload_type_m, current_payload_type));
892 break;
893 }
894
895 /* get next payload type */
896 current_payload_type = current_payload->get_next_type(current_payload);
897 }
898
899 if (current_payload_type == ENCRYPTED)
900 {
901 status = this->decrypt_payloads(this,crypter,signer);
902 if (status != SUCCESS)
903 {
904 this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
905 return status;
906 }
907 }
908
909 status = this->verify(this);
910 if (status != SUCCESS)
911 {
912 this->logger->log(this->logger, ERROR, "verification of message failed");
913 return status;
914 }
915
916 build_payload_string(this, payload_names, sizeof(payload_names));
917 this->logger->log(this->logger, CONTROL, "parsed %s %s [%s]",
918 mapping_find(exchange_type_m, this->exchange_type),
919 this->is_request ? "request" : "response",
920 payload_names);
921
922 return SUCCESS;
923 }
924
925 /**
926 * Implementation of private_message_t.verify.
927 */
928 static status_t verify(private_message_t *this)
929 {
930 int i;
931 iterator_t *iterator;
932 size_t total_found_payloads = 0;
933
934 this->logger->log(this->logger, CONTROL|LEVEL1, "verifying message structure");
935
936 iterator = this->payloads->create_iterator(this->payloads,TRUE);
937 /* check for payloads with wrong count*/
938 for (i = 0; i < this->message_rule->payload_rule_count;i++)
939 {
940 size_t found_payloads = 0;
941
942 /* check all payloads for specific rule */
943 iterator->reset(iterator);
944
945 while(iterator->has_next(iterator))
946 {
947 payload_t *current_payload;
948 payload_type_t current_payload_type;
949
950 iterator->current(iterator,(void **)&current_payload);
951 current_payload_type = current_payload->get_type(current_payload);
952
953 if (current_payload_type == UNKNOWN_PAYLOAD)
954 {
955 /* unknown payloads are ignored, IF they are not critical */
956 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
957 if (unknown_payload->is_critical(unknown_payload))
958 {
959 this->logger->log(this->logger, ERROR|LEVEL1, "%s (%d) is not supported, but its critical!",
960 mapping_find(payload_type_m, current_payload_type), current_payload_type);
961 iterator->destroy(iterator);
962 return NOT_SUPPORTED;
963 }
964 }
965 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
966 {
967 found_payloads++;
968 total_found_payloads++;
969 this->logger->log(this->logger, CONTROL|LEVEL2, "found payload of type %s",
970 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type));
971
972 /* as soon as ohe payload occures more then specified, the verification fails */
973 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
974 {
975 this->logger->log(this->logger, ERROR|LEVEL1, "payload of type %s more than %d times (%d) occured in current message",
976 mapping_find(payload_type_m, current_payload_type),
977 this->message_rule->payload_rules[i].max_occurence, found_payloads);
978 iterator->destroy(iterator);
979 return VERIFY_ERROR;
980 }
981 }
982 }
983
984 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
985 {
986 this->logger->log(this->logger, ERROR|LEVEL1, "payload of type %s not occured %d times (%d)",
987 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type),
988 this->message_rule->payload_rules[i].min_occurence, found_payloads);
989 iterator->destroy(iterator);
990 return VERIFY_ERROR;
991 }
992 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
993 {
994 iterator->destroy(iterator);
995 return SUCCESS;
996 }
997 }
998 iterator->destroy(iterator);
999 return SUCCESS;
1000 }
1001
1002
1003 /**
1004 * Implementation of private_message_t.decrypt_and_verify_payloads.
1005 */
1006 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
1007 {
1008 bool current_payload_was_encrypted = FALSE;
1009 payload_t *previous_payload = NULL;
1010 int payload_number = 1;
1011 iterator_t *iterator;
1012 status_t status;
1013
1014 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1015
1016 /* process each payload and decrypt a encryption payload */
1017 while(iterator->has_next(iterator))
1018 {
1019 payload_rule_t *payload_rule;
1020 payload_type_t current_payload_type;
1021 payload_t *current_payload;
1022
1023 /* get current payload */
1024 iterator->current(iterator,(void **)&current_payload);
1025
1026 /* needed to check */
1027 current_payload_type = current_payload->get_type(current_payload);
1028
1029 this->logger->log(this->logger, CONTROL|LEVEL2, "process payload of type %s",
1030 mapping_find(payload_type_m,current_payload_type));
1031
1032 if (current_payload_type == ENCRYPTED)
1033 {
1034 encryption_payload_t *encryption_payload;
1035 payload_t *current_encrypted_payload;
1036
1037 encryption_payload = (encryption_payload_t*)current_payload;
1038
1039 this->logger->log(this->logger, CONTROL | LEVEL2, "found an encryption payload");
1040
1041 if (payload_number != this->payloads->get_count(this->payloads))
1042 {
1043 /* encrypted payload is not last one */
1044 this->logger->log(this->logger, ERROR, "encrypted payload is not last payload");
1045 iterator->destroy(iterator);
1046 return VERIFY_ERROR;
1047 }
1048 /* decrypt */
1049 encryption_payload->set_transforms(encryption_payload, crypter, signer);
1050 this->logger->log(this->logger, CONTROL | LEVEL1, "verify signature of encryption payload");
1051 status = encryption_payload->verify_signature(encryption_payload, this->packet->get_data(this->packet));
1052 if (status != SUCCESS)
1053 {
1054 this->logger->log(this->logger, ERROR, "encryption payload signature invalid");
1055 iterator->destroy(iterator);
1056 return FAILED;
1057 }
1058 this->logger->log(this->logger, CONTROL | LEVEL2, "decrypt content of encryption payload");
1059 status = encryption_payload->decrypt(encryption_payload);
1060 if (status != SUCCESS)
1061 {
1062 this->logger->log(this->logger, ERROR,
1063 "encrypted payload could not be decrypted and parsed: %s",
1064 mapping_find(status_m, status));
1065 iterator->destroy(iterator);
1066 return PARSE_ERROR;
1067 }
1068
1069 /* needed later to find out if a payload was encrypted */
1070 current_payload_was_encrypted = TRUE;
1071
1072 /* check if there are payloads contained in the encryption payload */
1073 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1074 {
1075 this->logger->log(this->logger, CONTROL|LEVEL2, "encrypted payload is empty");
1076 /* remove the encryption payload, is not needed anymore */
1077 iterator->remove(iterator);
1078 /* encrypted payload contains no other payload */
1079 current_payload_type = NO_PAYLOAD;
1080 }
1081 else
1082 {
1083 /* encryption_payload is replaced with first payload contained in encryption_payload */
1084 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1085 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
1086 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
1087 }
1088
1089 /* is the current paylad the first in the message? */
1090 if (previous_payload == NULL)
1091 {
1092 /* yes, set the first payload type of the message to the current type */
1093 this->first_payload = current_payload_type;
1094 }
1095 else
1096 {
1097 /* no, set the next_type of the previous payload to the current type */
1098 previous_payload->set_next_type(previous_payload, current_payload_type);
1099 }
1100
1101 /* all encrypted payloads are added to the payload list */
1102 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1103 {
1104 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1105 this->logger->log(this->logger, CONTROL | LEVEL1,
1106 "insert unencrypted payload of type %s at end of list.",
1107 mapping_find(payload_type_m, current_encrypted_payload->get_type(current_encrypted_payload)));
1108 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1109 }
1110
1111 /* encryption payload is processed, payloads are moved. Destroy it. */
1112 encryption_payload->destroy(encryption_payload);
1113 }
1114
1115 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1116 if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
1117 {
1118 /* get the ruleset for found payload */
1119 status = this->get_payload_rule(this, current_payload_type, &payload_rule);
1120 if (status != SUCCESS)
1121 {
1122 /* payload is not allowed */
1123 this->logger->log(this->logger, ERROR, "payload type %s not allowed",
1124 mapping_find(payload_type_m,current_payload_type));
1125 iterator->destroy(iterator);
1126 return VERIFY_ERROR;
1127 }
1128
1129 /* check if the payload was encrypted, and if it should been have encrypted */
1130 if (payload_rule->encrypted != current_payload_was_encrypted)
1131 {
1132 /* payload was not encrypted, but should have been. or vice-versa */
1133 this->logger->log(this->logger, ERROR, "payload type %s should be %s!",
1134 mapping_find(payload_type_m,current_payload_type),
1135 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1136 iterator->destroy(iterator);
1137 return VERIFY_ERROR;
1138 }
1139 }
1140 /* advance to the next payload */
1141 payload_number++;
1142 /* is stored to set next payload in case of found encryption payload */
1143 previous_payload = current_payload;
1144 }
1145 iterator->destroy(iterator);
1146 return SUCCESS;
1147 }
1148
1149 /**
1150 * Implementation of private_message_t.encrypt_payloads.
1151 */
1152 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
1153 {
1154 encryption_payload_t *encryption_payload = NULL;
1155 status_t status;
1156 linked_list_t *all_payloads;
1157
1158 if (!this->message_rule->encrypted_content)
1159 {
1160 this->logger->log(this->logger, CONTROL | LEVEL1, "message doesn't have to be encrypted");
1161 /* message contains no content to encrypt */
1162 return SUCCESS;
1163 }
1164
1165 this->logger->log(this->logger, CONTROL | LEVEL2, "copy all payloads to a temporary list");
1166 all_payloads = linked_list_create();
1167
1168 /* first copy all payloads in a temporary list */
1169 while (this->payloads->get_count(this->payloads) > 0)
1170 {
1171 void *current_payload;
1172 this->payloads->remove_first(this->payloads,&current_payload);
1173 all_payloads->insert_last(all_payloads,current_payload);
1174 }
1175
1176 encryption_payload = encryption_payload_create();
1177
1178 this->logger->log(this->logger, CONTROL | LEVEL2, "check each payloads if they have to get encrypted");
1179 while (all_payloads->get_count(all_payloads) > 0)
1180 {
1181 payload_rule_t *payload_rule;
1182 payload_t *current_payload;
1183 bool to_encrypt = FALSE;
1184
1185 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1186 this->logger->log(this->logger, CONTROL | LEVEL3, "get rule for payload %s",
1187 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1188
1189 status = this->get_payload_rule(this,current_payload->get_type(current_payload),&payload_rule);
1190 /* for payload types which are not found in supported payload list, it is presumed
1191 * that they don't have to be encrypted */
1192 if ((status == SUCCESS) && (payload_rule->encrypted))
1193 {
1194 this->logger->log(this->logger, CONTROL | LEVEL2, "payload %s has to get encrypted",
1195 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1196 to_encrypt = TRUE;
1197 }
1198 else if (status != SUCCESS)
1199 {
1200 this->logger->log(this->logger, CONTROL | LEVEL2, "payload %s not defined for exchange type %s. Handle it anyway",
1201 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
1202 mapping_find(exchange_type_m,this->exchange_type));
1203 }
1204
1205 if (to_encrypt)
1206 {
1207 this->logger->log(this->logger, CONTROL | LEVEL2, "insert payload %s to encryption payload",
1208 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1209
1210 encryption_payload->add_payload(encryption_payload,current_payload);
1211 }
1212 else
1213 {
1214 this->logger->log(this->logger, CONTROL | LEVEL2, "insert payload %s as payload wich does not have to be encrypted",
1215 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1216 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1217 }
1218 }
1219
1220 status = SUCCESS;
1221 this->logger->log(this->logger, CONTROL | LEVEL2, "set transforms for encryption payload ");
1222 encryption_payload->set_transforms(encryption_payload,crypter,signer);
1223 this->logger->log(this->logger, CONTROL | LEVEL1, "encrypt all payloads of encrypted payload");
1224 status = encryption_payload->encrypt(encryption_payload);
1225 this->logger->log(this->logger, CONTROL | LEVEL2, "add encrypted payload to payload list");
1226 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1227
1228 all_payloads->destroy(all_payloads);
1229
1230 return status;
1231 }
1232
1233
1234 /**
1235 * Implementation of message_t.destroy.
1236 */
1237 static void destroy (private_message_t *this)
1238 {
1239 iterator_t *iterator;
1240
1241 this->packet->destroy(this->packet);
1242
1243 if (this->ike_sa_id != NULL)
1244 {
1245 this->ike_sa_id->destroy(this->ike_sa_id);
1246 }
1247
1248 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1249 while (iterator->has_next(iterator))
1250 {
1251 payload_t *payload;
1252 iterator->current(iterator, (void**)&payload);
1253 payload->destroy(payload);
1254 }
1255 iterator->destroy(iterator);
1256 this->payloads->destroy(this->payloads);
1257 this->parser->destroy(this->parser);
1258
1259 free(this);
1260 }
1261
1262 /*
1263 * Described in Header-File
1264 */
1265 message_t *message_create_from_packet(packet_t *packet)
1266 {
1267 private_message_t *this = malloc_thing(private_message_t);
1268
1269 /* public functions */
1270 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1271 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1272 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1273 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1274 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1275 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1276 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1277 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1278 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1279 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1280 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1281 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1282 this->public.set_request = (void(*)(message_t*, bool))set_request;
1283 this->public.get_request = (bool(*)(message_t*))get_request;
1284 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1285 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1286 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1287 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1288 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1289 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1290 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1291 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1292 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1293 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1294 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1295 this->public.destroy = (void(*)(message_t*))destroy;
1296
1297 /* private values */
1298 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1299 this->is_request = TRUE;
1300 this->ike_sa_id = NULL;
1301 this->first_payload = NO_PAYLOAD;
1302 this->message_id = 0;
1303
1304 /* private functions */
1305 this->set_message_rule = set_message_rule;
1306 this->get_payload_rule = get_payload_rule;
1307 this->encrypt_payloads = encrypt_payloads;
1308 this->decrypt_payloads = decrypt_payloads;
1309 this->verify = verify;
1310
1311 /* private values */
1312 if (packet == NULL)
1313 {
1314 packet = packet_create();
1315 }
1316 this->message_rule = NULL;
1317 this->packet = packet;
1318 this->payloads = linked_list_create();
1319
1320 /* parser is created from data of packet */
1321 this->parser = parser_create(this->packet->get_data(this->packet));
1322
1323 this->logger = logger_manager->get_logger(logger_manager, MESSAGE);
1324
1325 return (&this->public);
1326 }
1327
1328 /*
1329 * Described in Header.
1330 */
1331 message_t *message_create()
1332 {
1333 return message_create_from_packet(NULL);
1334 }