Encrypt payloads with missing rule, fix insertion of non-encrypted payloads
[strongswan.git] / src / charon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <stdlib.h>
20 #include <string.h>
21
22 #include "message.h"
23
24 #include <library.h>
25 #include <daemon.h>
26 #include <sa/ike_sa_id.h>
27 #include <encoding/generator.h>
28 #include <encoding/parser.h>
29 #include <utils/linked_list.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/encryption_payload.h>
33 #include <encoding/payloads/unknown_payload.h>
34
35 /**
36 * Max number of notify payloads per IKEv2 Message
37 */
38 #define MAX_NOTIFY_PAYLOADS 20
39
40 /**
41 * Max number of delete payloads per IKEv2 Message
42 */
43 #define MAX_DELETE_PAYLOADS 20
44
45
46 typedef struct payload_rule_t payload_rule_t;
47
48 /**
49 * A payload rule defines the rules for a payload
50 * in a specific message rule. It defines if and how
51 * many times a payload must/can occur in a message
52 * and if it must be encrypted.
53 */
54 struct payload_rule_t {
55 /**
56 * Payload type.
57 */
58 payload_type_t payload_type;
59
60 /**
61 * Minimal occurence of this payload.
62 */
63 size_t min_occurence;
64
65 /**
66 * Max occurence of this payload.
67 */
68 size_t max_occurence;
69
70 /**
71 * TRUE if payload must be encrypted
72 */
73 bool encrypted;
74
75 /**
76 * If this payload occurs, the message rule is
77 * fullfilled in any case. This applies e.g. to
78 * notify_payloads.
79 */
80 bool sufficient;
81 };
82
83 typedef struct payload_order_t payload_order_t;
84
85 /**
86 * payload ordering structure allows us to reorder payloads according to RFC.
87 */
88 struct payload_order_t {
89
90 /**
91 * payload type
92 */
93 payload_type_t type;
94
95 /**
96 * notify type, if payload == NOTIFY
97 */
98 notify_type_t notify;
99 };
100
101
102 typedef struct message_rule_t message_rule_t;
103
104 /**
105 * A message rule defines the kind of a message,
106 * if it has encrypted contents and a list
107 * of payload ordering rules and payload parsing rules.
108 */
109 struct message_rule_t {
110 /**
111 * Type of message.
112 */
113 exchange_type_t exchange_type;
114
115 /**
116 * Is message a request or response.
117 */
118 bool is_request;
119
120 /**
121 * Message contains encrypted content.
122 */
123 bool encrypted_content;
124
125 /**
126 * Number of payload rules which will follow
127 */
128 int payload_rule_count;
129
130 /**
131 * Pointer to first payload rule
132 */
133 payload_rule_t *payload_rules;
134
135 /**
136 * Number of payload order rules
137 */
138 int payload_order_count;
139
140 /**
141 * payload ordering rules
142 */
143 payload_order_t *payload_order;
144 };
145
146 /**
147 * Message rule for IKE_SA_INIT from initiator.
148 */
149 static payload_rule_t ike_sa_init_i_payload_rules[] = {
150 /* payload type min max encr suff */
151 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
152 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
153 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
154 {NONCE, 1, 1, FALSE, FALSE},
155 {VENDOR_ID, 0, 10, FALSE, FALSE},
156 };
157
158 /**
159 * payload order for IKE_SA_INIT initiator
160 */
161 static payload_order_t ike_sa_init_i_payload_order[] = {
162 /* payload type notify type */
163 {NOTIFY, COOKIE},
164 {SECURITY_ASSOCIATION, 0},
165 {KEY_EXCHANGE, 0},
166 {NONCE, 0},
167 {NOTIFY, NAT_DETECTION_SOURCE_IP},
168 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
169 {NOTIFY, 0},
170 {VENDOR_ID, 0},
171 };
172
173 /**
174 * Message rule for IKE_SA_INIT from responder.
175 */
176 static payload_rule_t ike_sa_init_r_payload_rules[] = {
177 /* payload type min max encr suff */
178 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
179 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
180 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
181 {NONCE, 1, 1, FALSE, FALSE},
182 {VENDOR_ID, 0, 10, FALSE, FALSE},
183 };
184
185 /**
186 * payload order for IKE_SA_INIT responder
187 */
188 static payload_order_t ike_sa_init_r_payload_order[] = {
189 /* payload type notify type */
190 {SECURITY_ASSOCIATION, 0},
191 {KEY_EXCHANGE, 0},
192 {NONCE, 0},
193 {NOTIFY, NAT_DETECTION_SOURCE_IP},
194 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
195 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
196 {CERTIFICATE_REQUEST, 0},
197 {NOTIFY, 0},
198 {VENDOR_ID, 0},
199 };
200
201 /**
202 * Message rule for IKE_AUTH from initiator.
203 */
204 static payload_rule_t ike_auth_i_payload_rules[] = {
205 /* payload type min max encr suff */
206 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
207 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
208 {AUTHENTICATION, 0, 1, TRUE, TRUE},
209 {ID_INITIATOR, 0, 1, TRUE, FALSE},
210 {CERTIFICATE, 0, 4, TRUE, FALSE},
211 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
212 {ID_RESPONDER, 0, 1, TRUE, FALSE},
213 #ifdef ME
214 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
215 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
216 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
217 #else
218 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
219 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
220 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
221 #endif /* ME */
222 {CONFIGURATION, 0, 1, TRUE, FALSE},
223 {VENDOR_ID, 0, 10, TRUE, FALSE},
224 };
225
226 /**
227 * payload order for IKE_AUTH initiator
228 */
229 static payload_order_t ike_auth_i_payload_order[] = {
230 /* payload type notify type */
231 {ID_INITIATOR, 0},
232 {CERTIFICATE, 0},
233 {NOTIFY, INITIAL_CONTACT},
234 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
235 {CERTIFICATE_REQUEST, 0},
236 {ID_RESPONDER, 0},
237 {AUTHENTICATION, 0},
238 {EXTENSIBLE_AUTHENTICATION, 0},
239 {CONFIGURATION, 0},
240 {NOTIFY, IPCOMP_SUPPORTED},
241 {NOTIFY, USE_TRANSPORT_MODE},
242 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
243 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
244 {SECURITY_ASSOCIATION, 0},
245 {TRAFFIC_SELECTOR_INITIATOR, 0},
246 {TRAFFIC_SELECTOR_RESPONDER, 0},
247 {NOTIFY, MOBIKE_SUPPORTED},
248 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
249 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
250 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
251 {NOTIFY, 0},
252 {VENDOR_ID, 0},
253 };
254
255 /**
256 * Message rule for IKE_AUTH from responder.
257 */
258 static payload_rule_t ike_auth_r_payload_rules[] = {
259 /* payload type min max encr suff */
260 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
261 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
262 {AUTHENTICATION, 0, 1, TRUE, TRUE},
263 {CERTIFICATE, 0, 4, TRUE, FALSE},
264 {ID_RESPONDER, 0, 1, TRUE, FALSE},
265 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
266 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
267 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
268 {CONFIGURATION, 0, 1, TRUE, FALSE},
269 {VENDOR_ID, 0, 10, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for IKE_AUTH responder
274 */
275 static payload_order_t ike_auth_r_payload_order[] = {
276 /* payload type notify type */
277 {ID_RESPONDER, 0},
278 {CERTIFICATE, 0},
279 {AUTHENTICATION, 0},
280 {EXTENSIBLE_AUTHENTICATION, 0},
281 {CONFIGURATION, 0},
282 {NOTIFY, IPCOMP_SUPPORTED},
283 {NOTIFY, USE_TRANSPORT_MODE},
284 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
285 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
286 {SECURITY_ASSOCIATION, 0},
287 {TRAFFIC_SELECTOR_INITIATOR, 0},
288 {TRAFFIC_SELECTOR_RESPONDER, 0},
289 {NOTIFY, AUTH_LIFETIME},
290 {NOTIFY, MOBIKE_SUPPORTED},
291 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
292 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
293 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
294 {NOTIFY, 0},
295 {VENDOR_ID, 0},
296 };
297
298 /**
299 * Message rule for INFORMATIONAL from initiator.
300 */
301 static payload_rule_t informational_i_payload_rules[] = {
302 /* payload type min max encr suff */
303 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
304 {CONFIGURATION, 0, 1, TRUE, FALSE},
305 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
306 {VENDOR_ID, 0, 10, TRUE, FALSE},
307 };
308
309 /**
310 * payload order for INFORMATIONAL initiator
311 */
312 static payload_order_t informational_i_payload_order[] = {
313 /* payload type notify type */
314 {NOTIFY, UPDATE_SA_ADDRESSES},
315 {NOTIFY, NAT_DETECTION_SOURCE_IP},
316 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
317 {NOTIFY, COOKIE2},
318 {NOTIFY, 0},
319 {DELETE, 0},
320 {CONFIGURATION, 0},
321 };
322
323 /**
324 * Message rule for INFORMATIONAL from responder.
325 */
326 static payload_rule_t informational_r_payload_rules[] = {
327 /* payload type min max encr suff */
328 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
329 {CONFIGURATION, 0, 1, TRUE, FALSE},
330 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
331 {VENDOR_ID, 0, 10, TRUE, FALSE},
332 };
333
334 /**
335 * payload order for INFORMATIONAL responder
336 */
337 static payload_order_t informational_r_payload_order[] = {
338 /* payload type notify type */
339 {NOTIFY, UPDATE_SA_ADDRESSES},
340 {NOTIFY, NAT_DETECTION_SOURCE_IP},
341 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
342 {NOTIFY, COOKIE2},
343 {NOTIFY, 0},
344 {DELETE, 0},
345 {CONFIGURATION, 0},
346 };
347
348 /**
349 * Message rule for CREATE_CHILD_SA from initiator.
350 */
351 static payload_rule_t create_child_sa_i_payload_rules[] = {
352 /* payload type min max encr suff */
353 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
354 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
355 {NONCE, 1, 1, TRUE, FALSE},
356 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
357 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
359 {CONFIGURATION, 0, 1, TRUE, FALSE},
360 {VENDOR_ID, 0, 10, TRUE, FALSE},
361 };
362
363 /**
364 * payload order for CREATE_CHILD_SA from initiator.
365 */
366 static payload_order_t create_child_sa_i_payload_order[] = {
367 /* payload type notify type */
368 {NOTIFY, REKEY_SA},
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, 0},
379 };
380
381 /**
382 * Message rule for CREATE_CHILD_SA from responder.
383 */
384 static payload_rule_t create_child_sa_r_payload_rules[] = {
385 /* payload type min max encr suff */
386 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
387 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
388 {NONCE, 1, 1, TRUE, FALSE},
389 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
390 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
391 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
392 {CONFIGURATION, 0, 1, TRUE, FALSE},
393 {VENDOR_ID, 0, 10, TRUE, FALSE},
394 };
395
396 /**
397 * payload order for CREATE_CHILD_SA from responder.
398 */
399 static payload_order_t create_child_sa_r_payload_order[] = {
400 /* payload type notify type */
401 {NOTIFY, IPCOMP_SUPPORTED},
402 {NOTIFY, USE_TRANSPORT_MODE},
403 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
404 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
405 {SECURITY_ASSOCIATION, 0},
406 {NONCE, 0},
407 {KEY_EXCHANGE, 0},
408 {TRAFFIC_SELECTOR_INITIATOR, 0},
409 {TRAFFIC_SELECTOR_RESPONDER, 0},
410 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
411 {NOTIFY, 0},
412 };
413
414 #ifdef ME
415 /**
416 * Message rule for ME_CONNECT from initiator.
417 */
418 static payload_rule_t me_connect_i_payload_rules[] = {
419 /* payload type min max encr suff */
420 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
421 {ID_PEER, 1, 1, TRUE, FALSE},
422 {VENDOR_ID, 0, 10, TRUE, FALSE}
423 };
424
425 /**
426 * payload order for ME_CONNECT from initiator.
427 */
428 static payload_order_t me_connect_i_payload_order[] = {
429 /* payload type notify type */
430 {NOTIFY, 0},
431 {ID_PEER, 0},
432 {VENDOR_ID, 0},
433 };
434
435 /**
436 * Message rule for ME_CONNECT from responder.
437 */
438 static payload_rule_t me_connect_r_payload_rules[] = {
439 /* payload type min max encr suff */
440 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
441 {VENDOR_ID, 0, 10, TRUE, FALSE}
442 };
443
444 /**
445 * payload order for ME_CONNECT from responder.
446 */
447 static payload_order_t me_connect_r_payload_order[] = {
448 /* payload type notify type */
449 {NOTIFY, 0},
450 {VENDOR_ID, 0},
451 };
452 #endif /* ME */
453
454 /**
455 * Message rules, defines allowed payloads.
456 */
457 static message_rule_t message_rules[] = {
458 {IKE_SA_INIT, TRUE, FALSE,
459 (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
460 ike_sa_init_i_payload_rules,
461 (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
462 ike_sa_init_i_payload_order,
463 },
464 {IKE_SA_INIT, FALSE, FALSE,
465 (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
466 ike_sa_init_r_payload_rules,
467 (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
468 ike_sa_init_r_payload_order,
469 },
470 {IKE_AUTH, TRUE, TRUE,
471 (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
472 ike_auth_i_payload_rules,
473 (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
474 ike_auth_i_payload_order,
475 },
476 {IKE_AUTH, FALSE, TRUE,
477 (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
478 ike_auth_r_payload_rules,
479 (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
480 ike_auth_r_payload_order,
481 },
482 {INFORMATIONAL, TRUE, TRUE,
483 (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
484 informational_i_payload_rules,
485 (sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
486 informational_i_payload_order,
487 },
488 {INFORMATIONAL, FALSE, TRUE,
489 (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
490 informational_r_payload_rules,
491 (sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
492 informational_r_payload_order,
493 },
494 {CREATE_CHILD_SA, TRUE, TRUE,
495 (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
496 create_child_sa_i_payload_rules,
497 (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
498 create_child_sa_i_payload_order,
499 },
500 {CREATE_CHILD_SA, FALSE, TRUE,
501 (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
502 create_child_sa_r_payload_rules,
503 (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
504 create_child_sa_r_payload_order,
505 },
506 #ifdef ME
507 {ME_CONNECT, TRUE, TRUE,
508 (sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
509 me_connect_i_payload_rules,
510 (sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
511 me_connect_i_payload_order,
512 },
513 {ME_CONNECT, FALSE, TRUE,
514 (sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
515 me_connect_r_payload_rules,
516 (sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
517 me_connect_r_payload_order,
518 },
519 #endif /* ME */
520 };
521
522
523 typedef struct private_message_t private_message_t;
524
525 /**
526 * Private data of an message_t object.
527 */
528 struct private_message_t {
529
530 /**
531 * Public part of a message_t object.
532 */
533 message_t public;
534
535 /**
536 * Minor version of message.
537 */
538 u_int8_t major_version;
539
540 /**
541 * Major version of message.
542 */
543 u_int8_t minor_version;
544
545 /**
546 * First Payload in message.
547 */
548 payload_type_t first_payload;
549
550 /**
551 * Assigned exchange type.
552 */
553 exchange_type_t exchange_type;
554
555 /**
556 * TRUE if message is a request, FALSE if a reply.
557 */
558 bool is_request;
559
560 /**
561 * Message ID of this message.
562 */
563 u_int32_t message_id;
564
565 /**
566 * ID of assigned IKE_SA.
567 */
568 ike_sa_id_t *ike_sa_id;
569
570 /**
571 * Assigned UDP packet, stores incoming packet or last generated one.
572 */
573 packet_t *packet;
574
575 /**
576 * Linked List where payload data are stored in.
577 */
578 linked_list_t *payloads;
579
580 /**
581 * Assigned parser to parse Header and Body of this message.
582 */
583 parser_t *parser;
584
585 /**
586 * The message rule for this message instance
587 */
588 message_rule_t *message_rule;
589 };
590
591 /**
592 * Implementation of private_message_t.set_message_rule.
593 */
594 static status_t set_message_rule(private_message_t *this)
595 {
596 int i;
597
598 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
599 {
600 if ((this->exchange_type == message_rules[i].exchange_type) &&
601 (this->is_request == message_rules[i].is_request))
602 {
603 /* found rule for given exchange_type*/
604 this->message_rule = &(message_rules[i]);
605 return SUCCESS;
606 }
607 }
608 this->message_rule = NULL;
609 return NOT_FOUND;
610 }
611
612 /**
613 * Implementation of private_message_t.get_payload_rule.
614 */
615 static status_t get_payload_rule(private_message_t *this,
616 payload_type_t payload_type, payload_rule_t **payload_rule)
617 {
618 int i;
619
620 for (i = 0; i < this->message_rule->payload_rule_count;i++)
621 {
622 if (this->message_rule->payload_rules[i].payload_type == payload_type)
623 {
624 *payload_rule = &(this->message_rule->payload_rules[i]);
625 return SUCCESS;
626 }
627 }
628
629 *payload_rule = NULL;
630 return NOT_FOUND;
631 }
632
633 /**
634 * Implementation of message_t.set_ike_sa_id.
635 */
636 static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
637 {
638 DESTROY_IF(this->ike_sa_id);
639 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
640 }
641
642 /**
643 * Implementation of message_t.get_ike_sa_id.
644 */
645 static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
646 {
647 return this->ike_sa_id;
648 }
649
650 /**
651 * Implementation of message_t.set_message_id.
652 */
653 static void set_message_id(private_message_t *this,u_int32_t message_id)
654 {
655 this->message_id = message_id;
656 }
657
658 /**
659 * Implementation of message_t.get_message_id.
660 */
661 static u_int32_t get_message_id(private_message_t *this)
662 {
663 return this->message_id;
664 }
665
666 /**
667 * Implementation of message_t.get_initiator_spi.
668 */
669 static u_int64_t get_initiator_spi(private_message_t *this)
670 {
671 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
672 }
673
674 /**
675 * Implementation of message_t.get_responder_spi.
676 */
677 static u_int64_t get_responder_spi(private_message_t *this)
678 {
679 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
680 }
681
682 /**
683 * Implementation of message_t.set_major_version.
684 */
685 static void set_major_version(private_message_t *this,u_int8_t major_version)
686 {
687 this->major_version = major_version;
688 }
689
690 /**
691 * Implementation of message_t.set_major_version.
692 */
693 static u_int8_t get_major_version(private_message_t *this)
694 {
695 return this->major_version;
696 }
697
698 /**
699 * Implementation of message_t.set_minor_version.
700 */
701 static void set_minor_version(private_message_t *this,u_int8_t minor_version)
702 {
703 this->minor_version = minor_version;
704 }
705
706 /**
707 * Implementation of message_t.get_minor_version.
708 */
709 static u_int8_t get_minor_version(private_message_t *this)
710 {
711 return this->minor_version;
712 }
713
714 /**
715 * Implementation of message_t.set_exchange_type.
716 */
717 static void set_exchange_type(private_message_t *this,
718 exchange_type_t exchange_type)
719 {
720 this->exchange_type = exchange_type;
721 }
722
723 /**
724 * Implementation of message_t.get_exchange_type.
725 */
726 static exchange_type_t get_exchange_type(private_message_t *this)
727 {
728 return this->exchange_type;
729 }
730
731 /**
732 * Implementation of message_t.get_first_payload_type.
733 */
734 static payload_type_t get_first_payload_type(private_message_t *this)
735 {
736 return this->first_payload;
737 }
738
739 /**
740 * Implementation of message_t.set_request.
741 */
742 static void set_request(private_message_t *this, bool request)
743 {
744 this->is_request = request;
745 }
746
747 /**
748 * Implementation of message_t.get_request.
749 */
750 static exchange_type_t get_request(private_message_t *this)
751 {
752 return this->is_request;
753 }
754
755 /**
756 * Is this message in an encoded form?
757 */
758 static bool is_encoded(private_message_t *this)
759 {
760 chunk_t data = this->packet->get_data(this->packet);
761
762 if (data.ptr == NULL)
763 {
764 return FALSE;
765 }
766 return TRUE;
767 }
768
769 /**
770 * Implementation of message_t.add_payload.
771 */
772 static void add_payload(private_message_t *this, payload_t *payload)
773 {
774 payload_t *last_payload;
775
776 if (this->payloads->get_count(this->payloads) > 0)
777 {
778 this->payloads->get_last(this->payloads, (void **)&last_payload);
779 last_payload->set_next_type(last_payload, payload->get_type(payload));
780 }
781 else
782 {
783 this->first_payload = payload->get_type(payload);
784 }
785 payload->set_next_type(payload, NO_PAYLOAD);
786 this->payloads->insert_last(this->payloads, payload);
787
788 DBG2(DBG_ENC ,"added payload of type %N to message",
789 payload_type_names, payload->get_type(payload));
790 }
791
792 /**
793 * Implementation of message_t.add_notify.
794 */
795 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
796 chunk_t data)
797 {
798 notify_payload_t *notify;
799 payload_t *payload;
800
801 if (flush)
802 {
803 while (this->payloads->remove_last(this->payloads,
804 (void**)&payload) == SUCCESS)
805 {
806 payload->destroy(payload);
807 }
808 }
809 notify = notify_payload_create();
810 notify->set_notify_type(notify, type);
811 notify->set_notification_data(notify, data);
812 add_payload(this, (payload_t*)notify);
813 }
814
815 /**
816 * Implementation of message_t.set_source.
817 */
818 static void set_source(private_message_t *this, host_t *host)
819 {
820 this->packet->set_source(this->packet, host);
821 }
822
823 /**
824 * Implementation of message_t.set_destination.
825 */
826 static void set_destination(private_message_t *this, host_t *host)
827 {
828 this->packet->set_destination(this->packet, host);
829 }
830
831 /**
832 * Implementation of message_t.get_source.
833 */
834 static host_t* get_source(private_message_t *this)
835 {
836 return this->packet->get_source(this->packet);
837 }
838
839 /**
840 * Implementation of message_t.get_destination.
841 */
842 static host_t * get_destination(private_message_t *this)
843 {
844 return this->packet->get_destination(this->packet);
845 }
846
847 /**
848 * Implementation of message_t.create_payload_enumerator.
849 */
850 static enumerator_t *create_payload_enumerator(private_message_t *this)
851 {
852 return this->payloads->create_enumerator(this->payloads);
853 }
854
855 /**
856 * Implementation of message_t.get_payload.
857 */
858 static payload_t *get_payload(private_message_t *this, payload_type_t type)
859 {
860 payload_t *current, *found = NULL;
861 enumerator_t *enumerator;
862
863 enumerator = create_payload_enumerator(this);
864 while (enumerator->enumerate(enumerator, &current))
865 {
866 if (current->get_type(current) == type)
867 {
868 found = current;
869 break;
870 }
871 }
872 enumerator->destroy(enumerator);
873 return found;
874 }
875
876 /**
877 * Implementation of message_t.get_notify
878 */
879 static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
880 {
881 enumerator_t *enumerator;
882 notify_payload_t *notify = NULL;
883 payload_t *payload;
884
885 enumerator = create_payload_enumerator(this);
886 while (enumerator->enumerate(enumerator, &payload))
887 {
888 if (payload->get_type(payload) == NOTIFY)
889 {
890 notify = (notify_payload_t*)payload;
891 if (notify->get_notify_type(notify) == type)
892 {
893 break;
894 }
895 notify = NULL;
896 }
897 }
898 enumerator->destroy(enumerator);
899 return notify;
900 }
901
902 /**
903 * get a string representation of the message
904 */
905 static char* get_string(private_message_t *this, char *buf, int len)
906 {
907 enumerator_t *enumerator;
908 payload_t *payload;
909 int written;
910 char *pos = buf;
911
912 memset(buf, 0, len);
913 len--;
914
915 written = snprintf(pos, len, "%N %s %d [",
916 exchange_type_names, this->exchange_type,
917 this->is_request ? "request" : "response",
918 this->message_id);
919 if (written >= len || written < 0)
920 {
921 return "";
922 }
923 pos += written;
924 len -= written;
925
926 enumerator = create_payload_enumerator(this);
927 while (enumerator->enumerate(enumerator, &payload))
928 {
929 written = snprintf(pos, len, " %N", payload_type_short_names,
930 payload->get_type(payload));
931 if (written >= len || written < 0)
932 {
933 return buf;
934 }
935 pos += written;
936 len -= written;
937 if (payload->get_type(payload) == NOTIFY)
938 {
939 notify_payload_t *notify = (notify_payload_t*)payload;
940 written = snprintf(pos, len, "(%N)", notify_type_short_names,
941 notify->get_notify_type(notify));
942 if (written >= len || written < 0)
943 {
944 return buf;
945 }
946 pos += written;
947 len -= written;
948 }
949 }
950 enumerator->destroy(enumerator);
951
952 /* remove last space */
953 snprintf(pos, len, " ]");
954 return buf;
955 }
956
957 /**
958 * reorder payloads depending on reordering rules
959 */
960 static void order_payloads(private_message_t *this)
961 {
962 linked_list_t *list;
963 payload_t *payload;
964 int i;
965
966 /* move to temp list */
967 list = linked_list_create();
968 while (this->payloads->remove_last(this->payloads,
969 (void**)&payload) == SUCCESS)
970 {
971 list->insert_first(list, payload);
972 }
973 /* for each rule, ... */
974 for (i = 0; i < this->message_rule->payload_order_count; i++)
975 {
976 enumerator_t *enumerator;
977 notify_payload_t *notify;
978 payload_order_t order = this->message_rule->payload_order[i];
979
980 /* ... find all payload ... */
981 enumerator = list->create_enumerator(list);
982 while (enumerator->enumerate(enumerator, &payload))
983 {
984 /* ... with that type ... */
985 if (payload->get_type(payload) == order.type)
986 {
987 notify = (notify_payload_t*)payload;
988
989 /**... and check notify for type. */
990 if (order.type != NOTIFY || order.notify == 0 ||
991 order.notify == notify->get_notify_type(notify))
992 {
993 list->remove_at(list, enumerator);
994 add_payload(this, payload);
995 }
996 }
997 }
998 enumerator->destroy(enumerator);
999 }
1000 /* append all payloads without a rule to the end */
1001 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1002 {
1003 /* do not complain about payloads in private use space */
1004 if (payload->get_type(payload) < 128)
1005 {
1006 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1007 payload_type_names, payload->get_type(payload),
1008 exchange_type_names, this->message_rule->exchange_type,
1009 this->message_rule->is_request ? "request" : "response");
1010 }
1011 add_payload(this, payload);
1012 }
1013 list->destroy(list);
1014 }
1015
1016 /**
1017 * Implementation of private_message_t.encrypt_payloads.
1018 */
1019 static status_t encrypt_payloads(private_message_t *this,
1020 crypter_t *crypter, signer_t* signer)
1021 {
1022 encryption_payload_t *encryption;
1023 linked_list_t *payloads;
1024 payload_t *current;
1025 status_t status;
1026
1027 if (!this->message_rule->encrypted_content)
1028 {
1029 DBG2(DBG_ENC, "message doesn't have to be encrypted");
1030 /* message contains no content to encrypt */
1031 return SUCCESS;
1032 }
1033
1034 if (!crypter || !signer)
1035 {
1036 DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
1037 /* message contains no content to encrypt */
1038 return SUCCESS;
1039 }
1040
1041 DBG2(DBG_ENC, "copy all payloads to a temporary list");
1042 payloads = linked_list_create();
1043
1044 /* first copy all payloads in a temporary list */
1045 while (this->payloads->get_count(this->payloads) > 0)
1046 {
1047 this->payloads->remove_first(this->payloads, (void**)&current);
1048 payloads->insert_last(payloads, current);
1049 }
1050
1051 encryption = encryption_payload_create();
1052
1053 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
1054 while (payloads->get_count(payloads) > 0)
1055 {
1056 payload_rule_t *rule;
1057 payload_type_t type;
1058 bool to_encrypt = TRUE;
1059
1060 payloads->remove_first(payloads, (void**)&current);
1061
1062 type = current->get_type(current);
1063 if (get_payload_rule(this, type, &rule) == SUCCESS)
1064 {
1065 to_encrypt = rule->encrypted;
1066 }
1067 if (to_encrypt)
1068 {
1069 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1070 payload_type_names, current->get_type(current));
1071 encryption->add_payload(encryption, current);
1072 }
1073 else
1074 {
1075 DBG2(DBG_ENC, "insert payload %N unencrypted",
1076 payload_type_names, current->get_type(current));
1077 add_payload(this, (payload_t*)current);
1078 }
1079 }
1080
1081 DBG2(DBG_ENC, "encrypting encryption payload");
1082 encryption->set_transforms(encryption, crypter, signer);
1083 status = encryption->encrypt(encryption);
1084 DBG2(DBG_ENC, "add encrypted payload to payload list");
1085 add_payload(this, (payload_t*)encryption);
1086
1087 payloads->destroy(payloads);
1088
1089 return status;
1090 }
1091
1092 /**
1093 * Implementation of message_t.generate.
1094 */
1095 static status_t generate(private_message_t *this, crypter_t *crypter,
1096 signer_t* signer, packet_t **packet)
1097 {
1098 generator_t *generator;
1099 ike_header_t *ike_header;
1100 payload_t *payload, *next_payload;
1101 enumerator_t *enumerator;
1102 status_t status;
1103 chunk_t packet_data;
1104 char str[256];
1105
1106 if (is_encoded(this))
1107 {
1108 /* already generated, return a new packet clone */
1109 *packet = this->packet->clone(this->packet);
1110 return SUCCESS;
1111 }
1112
1113 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1114 {
1115 DBG1(DBG_ENC, "exchange type is not defined");
1116 return INVALID_STATE;
1117 }
1118
1119 if (this->packet->get_source(this->packet) == NULL ||
1120 this->packet->get_destination(this->packet) == NULL)
1121 {
1122 DBG1(DBG_ENC, "%s not defined",
1123 !this->packet->get_source(this->packet) ? "source" : "destination");
1124 return INVALID_STATE;
1125 }
1126
1127 /* set the rules for this messge */
1128 status = set_message_rule(this);
1129 if (status != SUCCESS)
1130 {
1131 DBG1(DBG_ENC, "no message rules specified for this message type");
1132 return NOT_SUPPORTED;
1133 }
1134
1135 order_payloads(this);
1136
1137 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1138
1139 /* going to encrypt all content which have to be encrypted */
1140 status = encrypt_payloads(this, crypter, signer);
1141 if (status != SUCCESS)
1142 {
1143 DBG1(DBG_ENC, "payload encryption failed");
1144 return status;
1145 }
1146
1147 /* build ike header */
1148 ike_header = ike_header_create();
1149
1150 ike_header->set_exchange_type(ike_header, this->exchange_type);
1151 ike_header->set_message_id(ike_header, this->message_id);
1152 ike_header->set_response_flag(ike_header, !this->is_request);
1153 ike_header->set_initiator_flag(ike_header,
1154 this->ike_sa_id->is_initiator(this->ike_sa_id));
1155 ike_header->set_initiator_spi(ike_header,
1156 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1157 ike_header->set_responder_spi(ike_header,
1158 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1159
1160 generator = generator_create();
1161
1162 payload = (payload_t*)ike_header;
1163
1164 /* generate every payload expect last one, this is done later*/
1165 enumerator = create_payload_enumerator(this);
1166 while (enumerator->enumerate(enumerator, &next_payload))
1167 {
1168 payload->set_next_type(payload, next_payload->get_type(next_payload));
1169 generator->generate_payload(generator, payload);
1170 payload = next_payload;
1171 }
1172 enumerator->destroy(enumerator);
1173
1174 /* last payload has no next payload*/
1175 payload->set_next_type(payload, NO_PAYLOAD);
1176
1177 generator->generate_payload(generator, payload);
1178
1179 ike_header->destroy(ike_header);
1180
1181 /* build packet */
1182 generator->write_to_chunk(generator, &packet_data);
1183 generator->destroy(generator);
1184
1185 /* if last payload is of type encrypted, integrity checksum if necessary */
1186 if (payload->get_type(payload) == ENCRYPTED)
1187 {
1188 DBG2(DBG_ENC, "build signature on whole message");
1189 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
1190 status = encryption_payload->build_signature(encryption_payload, packet_data);
1191 if (status != SUCCESS)
1192 {
1193 return status;
1194 }
1195 }
1196
1197 this->packet->set_data(this->packet, packet_data);
1198
1199 /* clone packet for caller */
1200 *packet = this->packet->clone(this->packet);
1201
1202 DBG2(DBG_ENC, "message generated successfully");
1203 return SUCCESS;
1204 }
1205
1206 /**
1207 * Implementation of message_t.get_packet.
1208 */
1209 static packet_t *get_packet(private_message_t *this)
1210 {
1211 if (this->packet == NULL)
1212 {
1213 return NULL;
1214 }
1215 return this->packet->clone(this->packet);
1216 }
1217
1218 /**
1219 * Implementation of message_t.get_packet_data.
1220 */
1221 static chunk_t get_packet_data(private_message_t *this)
1222 {
1223 if (this->packet == NULL)
1224 {
1225 return chunk_empty;
1226 }
1227 return chunk_clone(this->packet->get_data(this->packet));
1228 }
1229
1230 /**
1231 * Implementation of message_t.parse_header.
1232 */
1233 static status_t parse_header(private_message_t *this)
1234 {
1235 ike_header_t *ike_header;
1236 status_t status;
1237
1238 DBG2(DBG_ENC, "parsing header of message");
1239
1240 this->parser->reset_context(this->parser);
1241 status = this->parser->parse_payload(this->parser, HEADER,
1242 (payload_t**)&ike_header);
1243 if (status != SUCCESS)
1244 {
1245 DBG1(DBG_ENC, "header could not be parsed");
1246 return status;
1247
1248 }
1249
1250 /* verify payload */
1251 status = ike_header->payload_interface.verify(
1252 &ike_header->payload_interface);
1253 if (status != SUCCESS)
1254 {
1255 DBG1(DBG_ENC, "header verification failed");
1256 ike_header->destroy(ike_header);
1257 return status;
1258 }
1259
1260 if (this->ike_sa_id != NULL)
1261 {
1262 this->ike_sa_id->destroy(this->ike_sa_id);
1263 }
1264
1265 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1266 ike_header->get_responder_spi(ike_header),
1267 ike_header->get_initiator_flag(ike_header));
1268
1269 this->exchange_type = ike_header->get_exchange_type(ike_header);
1270 this->message_id = ike_header->get_message_id(ike_header);
1271 this->is_request = (!(ike_header->get_response_flag(ike_header)));
1272 this->major_version = ike_header->get_maj_version(ike_header);
1273 this->minor_version = ike_header->get_min_version(ike_header);
1274 this->first_payload = ike_header->payload_interface.get_next_type(
1275 &ike_header->payload_interface);
1276
1277 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1278 this->is_request ? "request" : "response");
1279
1280 ike_header->destroy(ike_header);
1281
1282 /* get the rules for this messge */
1283 status = set_message_rule(this);
1284 if (status != SUCCESS)
1285 {
1286 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1287 exchange_type_names, this->exchange_type,
1288 this->is_request ? "request" : "response");
1289 }
1290
1291 return status;
1292 }
1293
1294 /**
1295 * Implementation of private_message_t.decrypt_and_verify_payloads.
1296 */
1297 static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
1298 signer_t* signer)
1299 {
1300 bool current_payload_was_encrypted = FALSE;
1301 payload_t *previous_payload = NULL;
1302 int payload_number = 1;
1303 iterator_t *iterator;
1304 payload_t *current_payload;
1305 status_t status;
1306
1307 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1308
1309 /* process each payload and decrypt a encryption payload */
1310 while(iterator->iterate(iterator, (void**)&current_payload))
1311 {
1312 payload_rule_t *payload_rule;
1313 payload_type_t current_payload_type;
1314
1315 /* needed to check */
1316 current_payload_type = current_payload->get_type(current_payload);
1317
1318 DBG2(DBG_ENC, "process payload of type %N",
1319 payload_type_names, current_payload_type);
1320
1321 if (current_payload_type == ENCRYPTED)
1322 {
1323 encryption_payload_t *encryption_payload;
1324 payload_t *current_encrypted_payload;
1325
1326 encryption_payload = (encryption_payload_t*)current_payload;
1327
1328 DBG2(DBG_ENC, "found an encryption payload");
1329
1330 if (payload_number != this->payloads->get_count(this->payloads))
1331 {
1332 /* encrypted payload is not last one */
1333 DBG1(DBG_ENC, "encrypted payload is not last payload");
1334 iterator->destroy(iterator);
1335 return VERIFY_ERROR;
1336 }
1337 /* decrypt */
1338 encryption_payload->set_transforms(encryption_payload,
1339 crypter, signer);
1340 DBG2(DBG_ENC, "verify signature of encryption payload");
1341 status = encryption_payload->verify_signature(encryption_payload,
1342 this->packet->get_data(this->packet));
1343 if (status != SUCCESS)
1344 {
1345 DBG1(DBG_ENC, "encryption payload signature invalid");
1346 iterator->destroy(iterator);
1347 return FAILED;
1348 }
1349 DBG2(DBG_ENC, "decrypting content of encryption payload");
1350 status = encryption_payload->decrypt(encryption_payload);
1351 if (status != SUCCESS)
1352 {
1353 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
1354 iterator->destroy(iterator);
1355 return PARSE_ERROR;
1356 }
1357
1358 /* needed later to find out if a payload was encrypted */
1359 current_payload_was_encrypted = TRUE;
1360
1361 /* check if there are payloads contained in the encryption payload */
1362 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1363 {
1364 DBG2(DBG_ENC, "encrypted payload is empty");
1365 /* remove the encryption payload, is not needed anymore */
1366 iterator->remove(iterator);
1367 /* encrypted payload contains no other payload */
1368 current_payload_type = NO_PAYLOAD;
1369 }
1370 else
1371 {
1372 /* encryption_payload is replaced with first payload contained
1373 * in encryption_payload */
1374 encryption_payload->remove_first_payload(encryption_payload,
1375 &current_encrypted_payload);
1376 iterator->replace(iterator, NULL,
1377 (void *)current_encrypted_payload);
1378 current_payload_type = current_encrypted_payload->get_type(
1379 current_encrypted_payload);
1380 }
1381
1382 /* is the current paylad the first in the message? */
1383 if (previous_payload == NULL)
1384 {
1385 /* yes, set the first payload type of the message to the
1386 * current type */
1387 this->first_payload = current_payload_type;
1388 }
1389 else
1390 {
1391 /* no, set the next_type of the previous payload to the
1392 * current type */
1393 previous_payload->set_next_type(previous_payload,
1394 current_payload_type);
1395 }
1396
1397 /* all encrypted payloads are added to the payload list */
1398 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1399 {
1400 encryption_payload->remove_first_payload(encryption_payload,
1401 &current_encrypted_payload);
1402 DBG2(DBG_ENC, "insert unencrypted payload of type "
1403 "%N at end of list", payload_type_names,
1404 current_encrypted_payload->get_type(
1405 current_encrypted_payload));
1406 this->payloads->insert_last(this->payloads,
1407 current_encrypted_payload);
1408 }
1409
1410 /* encryption payload is processed, payloads are moved. Destroy it. */
1411 encryption_payload->destroy(encryption_payload);
1412 }
1413
1414 /* we allow unknown payloads of any type and don't bother if it was
1415 * encrypted. Not our problem. */
1416 if (current_payload_type != UNKNOWN_PAYLOAD &&
1417 current_payload_type != NO_PAYLOAD)
1418 {
1419 /* get the ruleset for found payload */
1420 status = get_payload_rule(this, current_payload_type, &payload_rule);
1421 if (status != SUCCESS)
1422 {
1423 /* payload is not allowed */
1424 DBG1(DBG_ENC, "payload type %N not allowed",
1425 payload_type_names, current_payload_type);
1426 iterator->destroy(iterator);
1427 return VERIFY_ERROR;
1428 }
1429
1430 /* check if the payload was encrypted, and if it should been have
1431 * encrypted */
1432 if (payload_rule->encrypted != current_payload_was_encrypted)
1433 {
1434 /* payload was not encrypted, but should have been.
1435 * or vice-versa */
1436 DBG1(DBG_ENC, "payload type %N should be %s!",
1437 payload_type_names, current_payload_type,
1438 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1439 iterator->destroy(iterator);
1440 return VERIFY_ERROR;
1441 }
1442 }
1443 /* advance to the next payload */
1444 payload_number++;
1445 /* is stored to set next payload in case of found encryption payload */
1446 previous_payload = current_payload;
1447 }
1448 iterator->destroy(iterator);
1449 return SUCCESS;
1450 }
1451
1452 /**
1453 * Implementation of private_message_t.verify.
1454 */
1455 static status_t verify(private_message_t *this)
1456 {
1457 int i;
1458 enumerator_t *enumerator;
1459 payload_t *current_payload;
1460 size_t total_found_payloads = 0;
1461
1462 DBG2(DBG_ENC, "verifying message structure");
1463
1464 /* check for payloads with wrong count*/
1465 for (i = 0; i < this->message_rule->payload_rule_count; i++)
1466 {
1467 size_t found_payloads = 0;
1468 payload_rule_t *rule;
1469
1470 rule = &this->message_rule->payload_rules[i];
1471 enumerator = create_payload_enumerator(this);
1472
1473 /* check all payloads for specific rule */
1474 while (enumerator->enumerate(enumerator, &current_payload))
1475 {
1476 payload_type_t current_payload_type;
1477 unknown_payload_t *unknown_payload;
1478
1479 current_payload_type = current_payload->get_type(current_payload);
1480 if (current_payload_type == UNKNOWN_PAYLOAD)
1481 {
1482 /* unknown payloads are ignored, IF they are not critical */
1483 unknown_payload = (unknown_payload_t*)current_payload;
1484 if (unknown_payload->is_critical(unknown_payload))
1485 {
1486 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1487 payload_type_names, current_payload_type);
1488 enumerator->destroy(enumerator);
1489 return NOT_SUPPORTED;
1490 }
1491 }
1492 else if (current_payload_type == rule->payload_type)
1493 {
1494 found_payloads++;
1495 total_found_payloads++;
1496 DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
1497 rule->payload_type);
1498
1499 /* as soon as ohe payload occures more then specified,
1500 * the verification fails */
1501 if (found_payloads >
1502 rule->max_occurence)
1503 {
1504 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1505 "occured in current message", payload_type_names,
1506 current_payload_type, rule->max_occurence,
1507 found_payloads);
1508 enumerator->destroy(enumerator);
1509 return VERIFY_ERROR;
1510 }
1511 }
1512 }
1513
1514 if (found_payloads < rule->min_occurence)
1515 {
1516 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1517 payload_type_names, rule->payload_type, rule->min_occurence,
1518 found_payloads);
1519 enumerator->destroy(enumerator);
1520 return VERIFY_ERROR;
1521 }
1522 if (rule->sufficient &&
1523 this->payloads->get_count(this->payloads) == total_found_payloads)
1524 {
1525 enumerator->destroy(enumerator);
1526 return SUCCESS;
1527 }
1528 enumerator->destroy(enumerator);
1529 }
1530 return SUCCESS;
1531 }
1532
1533 /**
1534 * Implementation of message_t.parse_body.
1535 */
1536 static status_t parse_body(private_message_t *this, crypter_t *crypter,
1537 signer_t *signer)
1538 {
1539 status_t status = SUCCESS;
1540 payload_type_t current_payload_type;
1541 char str[256];
1542
1543 current_payload_type = this->first_payload;
1544
1545 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1546 payload_type_names, current_payload_type);
1547
1548 /* parse payload for payload, while there are more available */
1549 while ((current_payload_type != NO_PAYLOAD))
1550 {
1551 payload_t *current_payload;
1552
1553 DBG2(DBG_ENC, "starting parsing a %N payload",
1554 payload_type_names, current_payload_type);
1555
1556 /* parse current payload */
1557 status = this->parser->parse_payload(this->parser, current_payload_type,
1558 (payload_t**)&current_payload);
1559 if (status != SUCCESS)
1560 {
1561 DBG1(DBG_ENC, "payload type %N could not be parsed",
1562 payload_type_names, current_payload_type);
1563 return PARSE_ERROR;
1564 }
1565
1566 DBG2(DBG_ENC, "verifying payload of type %N",
1567 payload_type_names, current_payload_type);
1568
1569 /* verify it, stop parsig if its invalid */
1570 status = current_payload->verify(current_payload);
1571 if (status != SUCCESS)
1572 {
1573 DBG1(DBG_ENC, "%N payload verification failed",
1574 payload_type_names, current_payload_type);
1575 current_payload->destroy(current_payload);
1576 return VERIFY_ERROR;
1577 }
1578
1579 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1580 payload_type_names, current_payload_type);
1581 this->payloads->insert_last(this->payloads,current_payload);
1582
1583 /* an encryption payload is the last one, so STOP here. decryption is
1584 * done later */
1585 if (current_payload_type == ENCRYPTED)
1586 {
1587 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1588 payload_type_names, current_payload_type);
1589 break;
1590 }
1591
1592 /* get next payload type */
1593 current_payload_type = current_payload->get_next_type(current_payload);
1594 }
1595
1596 if (current_payload_type == ENCRYPTED)
1597 {
1598 status = decrypt_payloads(this,crypter,signer);
1599 if (status != SUCCESS)
1600 {
1601 DBG1(DBG_ENC, "could not decrypt payloads");
1602 return status;
1603 }
1604 }
1605
1606 status = verify(this);
1607 if (status != SUCCESS)
1608 {
1609 return status;
1610 }
1611
1612 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1613
1614 return SUCCESS;
1615 }
1616
1617 /**
1618 * Implementation of message_t.destroy.
1619 */
1620 static void destroy (private_message_t *this)
1621 {
1622 DESTROY_IF(this->ike_sa_id);
1623 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1624 this->packet->destroy(this->packet);
1625 this->parser->destroy(this->parser);
1626 free(this);
1627 }
1628
1629 /*
1630 * Described in Header-File
1631 */
1632 message_t *message_create_from_packet(packet_t *packet)
1633 {
1634 private_message_t *this = malloc_thing(private_message_t);
1635
1636 /* public functions */
1637 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1638 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1639 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1640 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1641 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1642 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1643 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1644 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1645 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1646 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1647 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1648 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1649 this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
1650 this->public.set_request = (void(*)(message_t*, bool))set_request;
1651 this->public.get_request = (bool(*)(message_t*))get_request;
1652 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1653 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1654 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1655 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1656 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1657 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1658 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1659 this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
1660 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1661 this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
1662 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1663 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1664 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1665 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1666 this->public.destroy = (void(*)(message_t*))destroy;
1667
1668 /* private values */
1669 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1670 this->is_request = TRUE;
1671 this->ike_sa_id = NULL;
1672 this->first_payload = NO_PAYLOAD;
1673 this->message_id = 0;
1674
1675 /* private values */
1676 if (packet == NULL)
1677 {
1678 packet = packet_create();
1679 }
1680 this->message_rule = NULL;
1681 this->packet = packet;
1682 this->payloads = linked_list_create();
1683
1684 /* parser is created from data of packet */
1685 this->parser = parser_create(this->packet->get_data(this->packet));
1686
1687 return (&this->public);
1688 }
1689
1690 /*
1691 * Described in Header.
1692 */
1693 message_t *message_create()
1694 {
1695 return message_create_from_packet(NULL);
1696 }
1697