projects / strongswan.git / blob
? search:


239190149675b6bb6706e8d7754ff32fb9b1c33b
[strongswan.git] / src / charon / encoding / payloads / notify_payload.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2006 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <stddef.h>
22
23 #include "notify_payload.h"
24
25 #include <daemon.h>
26 #include <encoding/payloads/encodings.h>
27 #include <crypto/hashers/hasher.h>
28
29 ENUM_BEGIN(notify_type_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
30 "UNSUPPORTED_CRITICAL_PAYLOAD");
31 ENUM_NEXT(notify_type_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
32 "INVALID_IKE_SPI",
33 "INVALID_MAJOR_VERSION");
34 ENUM_NEXT(notify_type_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
35 "INVALID_SYNTAX");
36 ENUM_NEXT(notify_type_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
37 "INVALID_MESSAGE_ID");
38 ENUM_NEXT(notify_type_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
39 "INVALID_SPI");
40 ENUM_NEXT(notify_type_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
41 "NO_PROPOSAL_CHOSEN");
42 ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
43 "INVALID_KE_PAYLOAD");
44 ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
45 "AUTHENTICATION_FAILED");
46 ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
47 "SINGLE_PAIR_REQUIRED",
48 "NO_ADDITIONAL_SAS",
49 "INTERNAL_ADDRESS_FAILURE",
50 "FAILED_CP_REQUIRED",
51 "TS_UNACCEPTABLE",
52 "INVALID_SELECTORS",
53 "UNACCEPTABLE_ADDRESSES",
54 "UNEXPECTED_NAT_DETECTED");
55 ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, UNEXPECTED_NAT_DETECTED,
56 "ME_CONNECT_FAILED");
57 ENUM_NEXT(notify_type_names, INITIAL_CONTACT, AUTH_LIFETIME, ME_CONNECT_FAILED,
58 "INITIAL_CONTACT",
59 "SET_WINDOW_SIZE",
60 "ADDITIONAL_TS_POSSIBLE",
61 "IPCOMP_SUPPORTED",
62 "NAT_DETECTION_SOURCE_IP",
63 "NAT_DETECTION_DESTINATION_IP",
64 "COOKIE",
65 "USE_TRANSPORT_MODE",
66 "HTTP_CERT_LOOKUP_SUPPORTED",
67 "REKEY_SA",
68 "ESP_TFC_PADDING_NOT_SUPPORTED",
69 "NON_FIRST_FRAGMENTS_ALSO",
70 "MOBIKE_SUPPORTED",
71 "ADDITIONAL_IP4_ADDRESS",
72 "ADDITIONAL_IP6_ADDRESS",
73 "NO_ADDITIONAL_ADDRESSES",
74 "UPDATE_SA_ADDRESSES",
75 "COOKIE2",
76 "NO_NATS_ALLOWED",
77 "AUTH_LIFETIME");
78 ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, AUTH_LIFETIME,
79 "EAP_ONLY_AUTHENTICATION");
80 ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
81 "USE_BEET_MODE");
82 ENUM_NEXT(notify_type_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
83 "ME_MEDIATION",
84 "ME_ENDPOINT",
85 "ME_CALLBACK",
86 "ME_CONNECTID",
87 "ME_CONNECTKEY",
88 "ME_CONNECTAUTH",
89 "ME_RESPONSE");
90 ENUM_END(notify_type_names, ME_RESPONSE);
91
92
93 ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
94 "CRIT");
95 ENUM_NEXT(notify_type_short_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
96 "INVAL_IKE_SPI",
97 "INVAL_MAJOR");
98 ENUM_NEXT(notify_type_short_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
99 "INVAL_SYN");
100 ENUM_NEXT(notify_type_short_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
101 "INVAL_MID");
102 ENUM_NEXT(notify_type_short_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
103 "INVAL_SPI");
104 ENUM_NEXT(notify_type_short_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
105 "NO_PROP");
106 ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
107 "INVAL_KE");
108 ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
109 "AUTH_FAILED");
110 ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
111 "SINGLE_PAIR",
112 "NO_ADD_SAS",
113 "INT_ADDR_FAIL",
114 "FAIL_CP_REQ",
115 "TS_UNACCEPT",
116 "INVAL_SEL",
117 "UNACCEPT_ADDR",
118 "UNEXPECT_NAT");
119 ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, UNEXPECTED_NAT_DETECTED,
120 "ME_CONN_FAIL");
121 ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, AUTH_LIFETIME, ME_CONNECT_FAILED,
122 "INIT_CONTACT",
123 "SET_WINSIZE",
124 "ADD_TS_POSS",
125 "IPCOMP_SUPP",
126 "NATD_S_IP",
127 "NATD_D_IP",
128 "COOKIE",
129 "USE_TRANSP",
130 "HTTP_CERT_LOOK",
131 "REKEY_SA",
132 "ESP_TFC_PAD_N",
133 "NON_FIRST_FRAG",
134 "MOBIKE_SUP",
135 "ADD_4_ADDR",
136 "ADD_6_ADDR",
137 "NO_ADD_ADDR",
138 "UPD_SA_ADDR",
139 "COOKIE2",
140 "NO_NATS",
141 "AUTH_LFT");
142 ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, AUTH_LIFETIME,
143 "EAP_ONLY");
144 ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
145 "BEET_MODE");
146 ENUM_NEXT(notify_type_short_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
147 "ME_MED",
148 "ME_EP",
149 "ME_CB",
150 "ME_CID",
151 "ME_CKEY",
152 "ME_CAUTH",
153 "ME_R");
154 ENUM_END(notify_type_short_names, ME_RESPONSE);
155
156
157 typedef struct private_notify_payload_t private_notify_payload_t;
158
159 /**
160 * Private data of an notify_payload_t object.
161 *
162 */
163 struct private_notify_payload_t {
164 /**
165 * Public notify_payload_t interface.
166 */
167 notify_payload_t public;
168
169 /**
170 * Next payload type.
171 */
172 u_int8_t next_payload;
173
174 /**
175 * Critical flag.
176 */
177 bool critical;
178
179 /**
180 * Length of this payload.
181 */
182 u_int16_t payload_length;
183
184 /**
185 * Protocol id.
186 */
187 u_int8_t protocol_id;
188
189 /**
190 * Spi size.
191 */
192 u_int8_t spi_size;
193
194 /**
195 * Notify message type.
196 */
197 u_int16_t notify_type;
198
199 /**
200 * Security parameter index (spi).
201 */
202 chunk_t spi;
203
204 /**
205 * Notification data.
206 */
207 chunk_t notification_data;
208 };
209
210 /**
211 * Encoding rules to parse or generate a IKEv2-Notify Payload.
212 *
213 * The defined offsets are the positions in a object of type
214 * private_notify_payload_t.
215 *
216 */
217 encoding_rule_t notify_payload_encodings[] = {
218 /* 1 Byte next payload type, stored in the field next_payload */
219 { U_INT_8, offsetof(private_notify_payload_t, next_payload) },
220 /* the critical bit */
221 { FLAG, offsetof(private_notify_payload_t, critical) },
222 /* 7 Bit reserved bits, nowhere stored */
223 { RESERVED_BIT, 0 },
224 { RESERVED_BIT, 0 },
225 { RESERVED_BIT, 0 },
226 { RESERVED_BIT, 0 },
227 { RESERVED_BIT, 0 },
228 { RESERVED_BIT, 0 },
229 { RESERVED_BIT, 0 },
230 /* Length of the whole payload*/
231 { PAYLOAD_LENGTH, offsetof(private_notify_payload_t, payload_length) },
232 /* Protocol ID as 8 bit field*/
233 { U_INT_8, offsetof(private_notify_payload_t, protocol_id) },
234 /* SPI Size as 8 bit field*/
235 { SPI_SIZE, offsetof(private_notify_payload_t, spi_size) },
236 /* Notify message type as 16 bit field*/
237 { U_INT_16, offsetof(private_notify_payload_t, notify_type) },
238 /* SPI as variable length field*/
239 { SPI, offsetof(private_notify_payload_t, spi) },
240 /* Key Exchange Data is from variable size */
241 { NOTIFICATION_DATA, offsetof(private_notify_payload_t, notification_data) }
242 };
243
244 /*
245 1 2 3
246 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
248 ! Next Payload !C! RESERVED ! Payload Length !
249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
250 ! Protocol ID ! SPI Size ! Notify Message Type !
251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
252 ! !
253 ~ Security Parameter Index (SPI) ~
254 ! !
255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
256 ! !
257 ~ Notification Data ~
258 ! !
259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
260 */
261
262 /**
263 * Implementation of payload_t.verify.
264 */
265 static status_t verify(private_notify_payload_t *this)
266 {
267 bool bad_length = FALSE;
268
269 switch (this->protocol_id)
270 {
271 case PROTO_NONE:
272 case PROTO_IKE:
273 case PROTO_AH:
274 case PROTO_ESP:
275 break;
276 default:
277 DBG1(DBG_ENC, "Unknown protocol (%d)", this->protocol_id);
278 return FAILED;
279 }
280
281 switch (this->notify_type)
282 {
283 case INVALID_KE_PAYLOAD:
284 {
285 if (this->notification_data.len != 2)
286 {
287 bad_length = TRUE;
288 }
289 break;
290 }
291 case NAT_DETECTION_SOURCE_IP:
292 case NAT_DETECTION_DESTINATION_IP:
293 case ME_CONNECTAUTH:
294 {
295 if (this->notification_data.len != HASH_SIZE_SHA1)
296 {
297 bad_length = TRUE;
298 }
299 break;
300 }
301 case INVALID_SYNTAX:
302 case INVALID_MAJOR_VERSION:
303 case NO_PROPOSAL_CHOSEN:
304 {
305 if (this->notification_data.len != 0)
306 {
307 bad_length = TRUE;
308 }
309 break;
310 }
311 case ADDITIONAL_IP4_ADDRESS:
312 {
313 if (this->notification_data.len != 4)
314 {
315 bad_length = TRUE;
316 }
317 break;
318 }
319 case ADDITIONAL_IP6_ADDRESS:
320 {
321 if (this->notification_data.len != 16)
322 {
323 bad_length = TRUE;
324 }
325 break;
326 }
327 case AUTH_LIFETIME:
328 {
329 if (this->notification_data.len != 4)
330 {
331 bad_length = TRUE;
332 }
333 break;
334 }
335 case ME_ENDPOINT:
336 if (this->notification_data.len != 12 ||
337 this->notification_data.len != 24)
338 {
339 bad_length = TRUE;
340 }
341 break;
342 case ME_CONNECTID:
343 if (this->notification_data.len < 4 ||
344 this->notification_data.len > 16)
345 {
346 bad_length = TRUE;
347 }
348 break;
349 case ME_CONNECTKEY:
350 if (this->notification_data.len < 16 ||
351 this->notification_data.len > 32)
352 {
353 bad_length = TRUE;
354 }
355 break;
356 default:
357 /* TODO: verify */
358 break;
359 }
360 if (bad_length)
361 {
362 DBG1(DBG_ENC, "invalid notify data length for %N (%d)",
363 notify_type_names, this->notify_type,
364 this->notification_data.len);
365 return FAILED;
366 }
367 return SUCCESS;
368 }
369
370 /**
371 * Implementation of payload_t.get_encoding_rules.
372 */
373 static void get_encoding_rules(private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
374 {
375 *rules = notify_payload_encodings;
376 *rule_count = sizeof(notify_payload_encodings) / sizeof(encoding_rule_t);
377 }
378
379 /**
380 * Implementation of payload_t.get_type.
381 */
382 static payload_type_t get_type(private_notify_payload_t *this)
383 {
384 return NOTIFY;
385 }
386
387 /**
388 * Implementation of payload_t.get_next_type.
389 */
390 static payload_type_t get_next_type(private_notify_payload_t *this)
391 {
392 return (this->next_payload);
393 }
394
395 /**
396 * Implementation of payload_t.set_next_type.
397 */
398 static void set_next_type(private_notify_payload_t *this,payload_type_t type)
399 {
400 this->next_payload = type;
401 }
402
403 /**
404 * recompute the payloads length.
405 */
406 static void compute_length (private_notify_payload_t *this)
407 {
408 size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH;
409 if (this->notification_data.ptr != NULL)
410 {
411 length += this->notification_data.len;
412 }
413 if (this->spi.ptr != NULL)
414 {
415 length += this->spi.len;
416 }
417 this->payload_length = length;
418 }
419
420 /**
421 * Implementation of payload_t.get_length.
422 */
423 static size_t get_length(private_notify_payload_t *this)
424 {
425 compute_length(this);
426 return this->payload_length;
427 }
428
429 /**
430 * Implementation of notify_payload_t.get_protocol_id.
431 */
432 static u_int8_t get_protocol_id(private_notify_payload_t *this)
433 {
434 return this->protocol_id;
435 }
436
437 /**
438 * Implementation of notify_payload_t.set_protocol_id.
439 */
440 static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id)
441 {
442 this->protocol_id = protocol_id;
443 }
444
445 /**
446 * Implementation of notify_payload_t.get_notify_type.
447 */
448 static notify_type_t get_notify_type(private_notify_payload_t *this)
449 {
450 return this->notify_type;
451 }
452
453 /**
454 * Implementation of notify_payload_t.set_notify_type.
455 */
456 static void set_notify_type(private_notify_payload_t *this, u_int16_t notify_type)
457 {
458 this->notify_type = notify_type;
459 }
460
461 /**
462 * Implementation of notify_payload_t.get_spi.
463 */
464 static u_int32_t get_spi(private_notify_payload_t *this)
465 {
466 switch (this->protocol_id)
467 {
468 case PROTO_AH:
469 case PROTO_ESP:
470 if (this->spi.len == 4)
471 {
472 return *((u_int32_t*)this->spi.ptr);
473 }
474 default:
475 break;
476 }
477 return 0;
478 }
479
480 /**
481 * Implementation of notify_payload_t.set_spi.
482 */
483 static void set_spi(private_notify_payload_t *this, u_int32_t spi)
484 {
485 chunk_free(&this->spi);
486 switch (this->protocol_id)
487 {
488 case PROTO_AH:
489 case PROTO_ESP:
490 this->spi = chunk_alloc(4);
491 *((u_int32_t*)this->spi.ptr) = spi;
492 break;
493 default:
494 break;
495 }
496 this->spi_size = this->spi.len;
497 compute_length(this);
498 }
499
500 /**
501 * Implementation of notify_payload_t.get_notification_data.
502 */
503 static chunk_t get_notification_data(private_notify_payload_t *this)
504 {
505 return (this->notification_data);
506 }
507
508 /**
509 * Implementation of notify_payload_t.set_notification_data.
510 */
511 static status_t set_notification_data(private_notify_payload_t *this, chunk_t notification_data)
512 {
513 chunk_free(&this->notification_data);
514 if (notification_data.len > 0)
515 {
516 this->notification_data = chunk_clone(notification_data);
517 }
518 compute_length(this);
519 return SUCCESS;
520 }
521
522 /**
523 * Implementation of notify_payload_t.destroy and notify_payload_t.destroy.
524 */
525 static status_t destroy(private_notify_payload_t *this)
526 {
527 chunk_free(&this->notification_data);
528 chunk_free(&this->spi);
529 free(this);
530 return SUCCESS;
531 }
532
533 /*
534 * Described in header
535 */
536 notify_payload_t *notify_payload_create()
537 {
538 private_notify_payload_t *this = malloc_thing(private_notify_payload_t);
539
540 /* interface functions */
541 this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
542 this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
543 this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
544 this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
545 this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
546 this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
547 this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
548
549 /* public functions */
550 this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id;
551 this->public.set_protocol_id = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id;
552 this->public.get_notify_type = (notify_type_t (*) (notify_payload_t *)) get_notify_type;
553 this->public.set_notify_type = (void (*) (notify_payload_t *,notify_type_t)) set_notify_type;
554 this->public.get_spi = (u_int32_t (*) (notify_payload_t *)) get_spi;
555 this->public.set_spi = (void (*) (notify_payload_t *,u_int32_t)) set_spi;
556 this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
557 this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
558 this->public.destroy = (void (*) (notify_payload_t *)) destroy;
559
560 /* set default values of the fields */
561 this->critical = FALSE;
562 this->next_payload = NO_PAYLOAD;
563 this->payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH;
564 this->protocol_id = 0;
565 this->notify_type = 0;
566 this->spi.ptr = NULL;
567 this->spi.len = 0;
568 this->spi_size = 0;
569 this->notification_data.ptr = NULL;
570 this->notification_data.len = 0;
571
572 return &this->public;
573 }
574
575 /*
576 * Described in header.
577 */
578 notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t notify_type)
579 {
580 notify_payload_t *notify = notify_payload_create();
581
582 notify->set_notify_type(notify,notify_type);
583 notify->set_protocol_id(notify,protocol_id);
584
585 return notify;
586 }
strongSwan - IPsec VPN