Encrypt INFORMATIONAL exchange if needed
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/keymat_v1.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/hash_payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of vendor ID payloads per IKEv2 message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * Max number of certificate request payloads per IKEv1 message
59 */
60 #define MAX_CERTREQ_PAYLOADS 5
61
62 /**
63 * Max number of NAT-D payloads per IKEv1 message
64 */
65 #define MAX_NAT_D_PAYLOADS 5
66
67 /**
68 * A payload rule defines the rules for a payload
69 * in a specific message rule. It defines if and how
70 * many times a payload must/can occur in a message
71 * and if it must be encrypted.
72 */
73 typedef struct {
74 /* Payload type */
75 payload_type_t type;
76 /* Minimal occurrence of this payload. */
77 size_t min_occurence;
78 /* Max occurrence of this payload. */
79 size_t max_occurence;
80 /* TRUE if payload must be encrypted */
81 bool encrypted;
82 /* If payload occurs, the message rule is fulfilled */
83 bool sufficient;
84 } payload_rule_t;
85
86 /**
87 * payload ordering structure allows us to reorder payloads according to RFC.
88 */
89 typedef struct {
90 /** payload type */
91 payload_type_t type;
92 /** notify type, if payload == NOTIFY */
93 notify_type_t notify;
94 } payload_order_t;
95
96 /**
97 * A message rule defines the kind of a message,
98 * if it has encrypted contents and a list
99 * of payload ordering rules and payload parsing rules.
100 */
101 typedef struct {
102 /** Type of message. */
103 exchange_type_t exchange_type;
104 /** Is message a request or response. */
105 bool is_request;
106 /** Message contains encrypted payloads. */
107 bool encrypted;
108 /** Number of payload rules which will follow */
109 int rule_count;
110 /** Pointer to first payload rule */
111 payload_rule_t *rules;
112 /** Number of payload order rules */
113 int order_count;
114 /** payload ordering rules */
115 payload_order_t *order;
116 } message_rule_t;
117
118 /**
119 * Message rule for IKE_SA_INIT from initiator.
120 */
121 static payload_rule_t ike_sa_init_i_rules[] = {
122 /* payload type min max encr suff */
123 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
124 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
125 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
126 {NONCE, 1, 1, FALSE, FALSE},
127 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
128 };
129
130 /**
131 * payload order for IKE_SA_INIT initiator
132 */
133 static payload_order_t ike_sa_init_i_order[] = {
134 /* payload type notify type */
135 {NOTIFY, COOKIE},
136 {SECURITY_ASSOCIATION, 0},
137 {KEY_EXCHANGE, 0},
138 {NONCE, 0},
139 {NOTIFY, NAT_DETECTION_SOURCE_IP},
140 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
141 {NOTIFY, 0},
142 {VENDOR_ID, 0},
143 };
144
145 /**
146 * Message rule for IKE_SA_INIT from responder.
147 */
148 static payload_rule_t ike_sa_init_r_rules[] = {
149 /* payload type min max encr suff */
150 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
151 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
152 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
153 {NONCE, 1, 1, FALSE, FALSE},
154 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
155 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
156 };
157
158 /**
159 * payload order for IKE_SA_INIT responder
160 */
161 static payload_order_t ike_sa_init_r_order[] = {
162 /* payload type notify type */
163 {SECURITY_ASSOCIATION, 0},
164 {KEY_EXCHANGE, 0},
165 {NONCE, 0},
166 {NOTIFY, NAT_DETECTION_SOURCE_IP},
167 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
168 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
169 {CERTIFICATE_REQUEST, 0},
170 {NOTIFY, 0},
171 {VENDOR_ID, 0},
172 };
173
174 /**
175 * Message rule for IKE_AUTH from initiator.
176 */
177 static payload_rule_t ike_auth_i_rules[] = {
178 /* payload type min max encr suff */
179 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
180 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
181 {AUTHENTICATION, 0, 1, TRUE, TRUE},
182 {ID_INITIATOR, 0, 1, TRUE, FALSE},
183 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
184 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
185 {ID_RESPONDER, 0, 1, TRUE, FALSE},
186 #ifdef ME
187 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
188 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
189 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
190 #else
191 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
192 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
193 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
194 #endif /* ME */
195 {CONFIGURATION, 0, 1, TRUE, FALSE},
196 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
197 };
198
199 /**
200 * payload order for IKE_AUTH initiator
201 */
202 static payload_order_t ike_auth_i_order[] = {
203 /* payload type notify type */
204 {ID_INITIATOR, 0},
205 {CERTIFICATE, 0},
206 {NOTIFY, INITIAL_CONTACT},
207 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
208 {CERTIFICATE_REQUEST, 0},
209 {ID_RESPONDER, 0},
210 {AUTHENTICATION, 0},
211 {EXTENSIBLE_AUTHENTICATION, 0},
212 {CONFIGURATION, 0},
213 {NOTIFY, IPCOMP_SUPPORTED},
214 {NOTIFY, USE_TRANSPORT_MODE},
215 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
216 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
217 {SECURITY_ASSOCIATION, 0},
218 {TRAFFIC_SELECTOR_INITIATOR, 0},
219 {TRAFFIC_SELECTOR_RESPONDER, 0},
220 {NOTIFY, MOBIKE_SUPPORTED},
221 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
222 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
223 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
224 {NOTIFY, 0},
225 {VENDOR_ID, 0},
226 };
227
228 /**
229 * Message rule for IKE_AUTH from responder.
230 */
231 static payload_rule_t ike_auth_r_rules[] = {
232 /* payload type min max encr suff */
233 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
234 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
235 {AUTHENTICATION, 0, 1, TRUE, TRUE},
236 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
237 {ID_RESPONDER, 0, 1, TRUE, FALSE},
238 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
239 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
240 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
241 {CONFIGURATION, 0, 1, TRUE, FALSE},
242 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
243 };
244
245 /**
246 * payload order for IKE_AUTH responder
247 */
248 static payload_order_t ike_auth_r_order[] = {
249 /* payload type notify type */
250 {ID_RESPONDER, 0},
251 {CERTIFICATE, 0},
252 {AUTHENTICATION, 0},
253 {EXTENSIBLE_AUTHENTICATION, 0},
254 {CONFIGURATION, 0},
255 {NOTIFY, IPCOMP_SUPPORTED},
256 {NOTIFY, USE_TRANSPORT_MODE},
257 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
258 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
259 {SECURITY_ASSOCIATION, 0},
260 {TRAFFIC_SELECTOR_INITIATOR, 0},
261 {TRAFFIC_SELECTOR_RESPONDER, 0},
262 {NOTIFY, AUTH_LIFETIME},
263 {NOTIFY, MOBIKE_SUPPORTED},
264 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
265 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
266 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
267 {NOTIFY, 0},
268 {VENDOR_ID, 0},
269 };
270
271 /**
272 * Message rule for INFORMATIONAL from initiator.
273 */
274 static payload_rule_t informational_i_rules[] = {
275 /* payload type min max encr suff */
276 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
277 {CONFIGURATION, 0, 1, TRUE, FALSE},
278 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
279 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
280 };
281
282 /**
283 * payload order for INFORMATIONAL initiator
284 */
285 static payload_order_t informational_i_order[] = {
286 /* payload type notify type */
287 {NOTIFY, UPDATE_SA_ADDRESSES},
288 {NOTIFY, NAT_DETECTION_SOURCE_IP},
289 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
290 {NOTIFY, COOKIE2},
291 {NOTIFY, 0},
292 {DELETE, 0},
293 {CONFIGURATION, 0},
294 };
295
296 /**
297 * Message rule for INFORMATIONAL from responder.
298 */
299 static payload_rule_t informational_r_rules[] = {
300 /* payload type min max encr suff */
301 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
302 {CONFIGURATION, 0, 1, TRUE, FALSE},
303 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
304 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
305 };
306
307 /**
308 * payload order for INFORMATIONAL responder
309 */
310 static payload_order_t informational_r_order[] = {
311 /* payload type notify type */
312 {NOTIFY, UPDATE_SA_ADDRESSES},
313 {NOTIFY, NAT_DETECTION_SOURCE_IP},
314 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
315 {NOTIFY, COOKIE2},
316 {NOTIFY, 0},
317 {DELETE, 0},
318 {CONFIGURATION, 0},
319 };
320
321 /**
322 * Message rule for CREATE_CHILD_SA from initiator.
323 */
324 static payload_rule_t create_child_sa_i_rules[] = {
325 /* payload type min max encr suff */
326 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
327 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
328 {NONCE, 1, 1, TRUE, FALSE},
329 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
330 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
331 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
332 {CONFIGURATION, 0, 1, TRUE, FALSE},
333 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
334 };
335
336 /**
337 * payload order for CREATE_CHILD_SA from initiator.
338 */
339 static payload_order_t create_child_sa_i_order[] = {
340 /* payload type notify type */
341 {NOTIFY, REKEY_SA},
342 {NOTIFY, IPCOMP_SUPPORTED},
343 {NOTIFY, USE_TRANSPORT_MODE},
344 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
345 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
346 {SECURITY_ASSOCIATION, 0},
347 {NONCE, 0},
348 {KEY_EXCHANGE, 0},
349 {TRAFFIC_SELECTOR_INITIATOR, 0},
350 {TRAFFIC_SELECTOR_RESPONDER, 0},
351 {NOTIFY, 0},
352 };
353
354 /**
355 * Message rule for CREATE_CHILD_SA from responder.
356 */
357 static payload_rule_t create_child_sa_r_rules[] = {
358 /* payload type min max encr suff */
359 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
360 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
361 {NONCE, 1, 1, TRUE, FALSE},
362 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
363 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
364 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
365 {CONFIGURATION, 0, 1, TRUE, FALSE},
366 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
367 };
368
369 /**
370 * payload order for CREATE_CHILD_SA from responder.
371 */
372 static payload_order_t create_child_sa_r_order[] = {
373 /* payload type notify type */
374 {NOTIFY, IPCOMP_SUPPORTED},
375 {NOTIFY, USE_TRANSPORT_MODE},
376 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
377 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
378 {SECURITY_ASSOCIATION, 0},
379 {NONCE, 0},
380 {KEY_EXCHANGE, 0},
381 {TRAFFIC_SELECTOR_INITIATOR, 0},
382 {TRAFFIC_SELECTOR_RESPONDER, 0},
383 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
384 {NOTIFY, 0},
385 };
386
387 #ifdef ME
388 /**
389 * Message rule for ME_CONNECT from initiator.
390 */
391 static payload_rule_t me_connect_i_rules[] = {
392 /* payload type min max encr suff */
393 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
394 {ID_PEER, 1, 1, TRUE, FALSE},
395 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
396 };
397
398 /**
399 * payload order for ME_CONNECT from initiator.
400 */
401 static payload_order_t me_connect_i_order[] = {
402 /* payload type notify type */
403 {NOTIFY, 0},
404 {ID_PEER, 0},
405 {VENDOR_ID, 0},
406 };
407
408 /**
409 * Message rule for ME_CONNECT from responder.
410 */
411 static payload_rule_t me_connect_r_rules[] = {
412 /* payload type min max encr suff */
413 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
414 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
415 };
416
417 /**
418 * payload order for ME_CONNECT from responder.
419 */
420 static payload_order_t me_connect_r_order[] = {
421 /* payload type notify type */
422 {NOTIFY, 0},
423 {VENDOR_ID, 0},
424 };
425 #endif /* ME */
426
427 #ifdef USE_IKEV1
428 /**
429 * Message rule for ID_PROT from initiator.
430 */
431 static payload_rule_t id_prot_i_rules[] = {
432 /* payload type min max encr suff */
433 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
434 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
435 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
436 {NONCE_V1, 0, 1, FALSE, FALSE},
437 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
438 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
439 {NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
440 {ID_V1, 0, 1, TRUE, FALSE},
441 {CERTIFICATE_V1, 0, 2, TRUE, FALSE},
442 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
443 {HASH_V1, 0, 1, TRUE, FALSE},
444 };
445
446 /**
447 * payload order for ID_PROT from initiator.
448 */
449 static payload_order_t id_prot_i_order[] = {
450 /* payload type notify type */
451 {SECURITY_ASSOCIATION_V1, 0},
452 {KEY_EXCHANGE_V1, 0},
453 {NONCE_V1, 0},
454 {ID_V1, 0},
455 {CERTIFICATE_V1, 0},
456 {SIGNATURE_V1, 0},
457 {HASH_V1, 0},
458 {CERTIFICATE_REQUEST_V1, 0},
459 {NOTIFY_V1, 0},
460 {VENDOR_ID_V1, 0},
461 {NAT_D_V1, 0},
462 };
463
464 /**
465 * Message rule for ID_PROT from responder.
466 */
467 static payload_rule_t id_prot_r_rules[] = {
468 /* payload type min max encr suff */
469 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
470 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
471 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
472 {NONCE_V1, 0, 1, FALSE, FALSE},
473 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
474 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
475 {NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
476 {ID_V1, 0, 1, TRUE, FALSE},
477 {CERTIFICATE_V1, 0, 2, TRUE, FALSE},
478 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
479 {HASH_V1, 0, 1, TRUE, FALSE},
480 };
481
482 /**
483 * payload order for ID_PROT from responder.
484 */
485 static payload_order_t id_prot_r_order[] = {
486 /* payload type notify type */
487 {SECURITY_ASSOCIATION_V1, 0},
488 {KEY_EXCHANGE_V1, 0},
489 {NONCE_V1, 0},
490 {ID_V1, 0},
491 {CERTIFICATE_V1, 0},
492 {SIGNATURE_V1, 0},
493 {HASH_V1, 0},
494 {CERTIFICATE_REQUEST_V1, 0},
495 {NOTIFY_V1, 0},
496 {VENDOR_ID_V1, 0},
497 {NAT_D_V1, 0},
498 };
499
500 /**
501 * Message rule for AGGRESSIVE from initiator.
502 */
503 static payload_rule_t aggressive_i_rules[] = {
504 /* payload type min max encr suff */
505 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
506 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
507 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
508 {NONCE_V1, 0, 1, FALSE, FALSE},
509 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
510 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
511 {NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
512 {ID_V1, 0, 1, FALSE, FALSE},
513 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
514 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
515 {HASH_V1, 0, 1, FALSE, FALSE},
516 };
517
518 /**
519 * payload order for AGGRESSIVE from initiator.
520 */
521 static payload_order_t aggressive_i_order[] = {
522 /* payload type notify type */
523 {SECURITY_ASSOCIATION_V1, 0},
524 {KEY_EXCHANGE_V1, 0},
525 {NONCE_V1, 0},
526 {ID_V1, 0},
527 {CERTIFICATE_V1, 0},
528 {NAT_D_V1, 0},
529 {SIGNATURE_V1, 0},
530 {HASH_V1, 0},
531 {CERTIFICATE_REQUEST_V1, 0},
532 {NOTIFY_V1, 0},
533 {VENDOR_ID_V1, 0},
534 };
535
536 /**
537 * Message rule for AGGRESSIVE from responder.
538 */
539 static payload_rule_t aggressive_r_rules[] = {
540 /* payload type min max encr suff */
541 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
542 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
543 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
544 {NONCE_V1, 0, 1, FALSE, FALSE},
545 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
546 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
547 {NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
548 {ID_V1, 0, 1, FALSE, FALSE},
549 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
550 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
551 {HASH_V1, 0, 1, FALSE, FALSE},
552 };
553
554 /**
555 * payload order for AGGRESSIVE from responder.
556 */
557 static payload_order_t aggressive_r_order[] = {
558 /* payload type notify type */
559 {SECURITY_ASSOCIATION_V1, 0},
560 {KEY_EXCHANGE_V1, 0},
561 {NONCE_V1, 0},
562 {ID_V1, 0},
563 {CERTIFICATE_V1, 0},
564 {NAT_D_V1, 0},
565 {SIGNATURE_V1, 0},
566 {HASH_V1, 0},
567 {CERTIFICATE_REQUEST_V1, 0},
568 {NOTIFY_V1, 0},
569 {VENDOR_ID_V1, 0},
570 };
571
572 /**
573 * Message rule for INFORMATIONAL_V1 from initiator.
574 */
575 static payload_rule_t informational_i_rules_v1[] = {
576 /* payload type min max encr suff */
577 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
578 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
579 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
580 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
581 };
582
583 /**
584 * payload order for INFORMATIONAL_V1 from initiator.
585 */
586 static payload_order_t informational_i_order_v1[] = {
587 /* payload type notify type */
588 {NOTIFY_V1, 0},
589 {DELETE_V1, 0},
590 {VENDOR_ID_V1, 0},
591 };
592
593 /**
594 * Message rule for INFORMATIONAL_V1 from responder.
595 */
596 static payload_rule_t informational_r_rules_v1[] = {
597 /* payload type min max encr suff */
598 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
599 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
600 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
601 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
602 };
603
604 /**
605 * payload order for INFORMATIONAL_V1 from responder.
606 */
607 static payload_order_t informational_r_order_v1[] = {
608 /* payload type notify type */
609 {NOTIFY_V1, 0},
610 {DELETE_V1, 0},
611 {VENDOR_ID_V1, 0},
612 };
613
614 /**
615 * Message rule for QUICK_MODE from initiator.
616 */
617 static payload_rule_t quick_mode_i_rules[] = {
618 /* payload type min max encr suff */
619 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
620 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
621 {HASH_V1, 0, 1, TRUE, FALSE},
622 {SECURITY_ASSOCIATION_V1, 0, 2, TRUE, FALSE},
623 {NONCE_V1, 0, 1, TRUE, FALSE},
624 {KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
625 {ID_V1, 0, 2, TRUE, FALSE},
626 {NAT_OA_V1, 0, 2, TRUE, FALSE},
627 };
628
629 /**
630 * payload order for QUICK_MODE from initiator.
631 */
632 static payload_order_t quick_mode_i_order[] = {
633 /* payload type notify type */
634 {NOTIFY_V1, 0},
635 {VENDOR_ID_V1, 0},
636 {HASH_V1, 0},
637 {SECURITY_ASSOCIATION_V1, 0},
638 {NONCE_V1, 0},
639 {KEY_EXCHANGE_V1, 0},
640 {ID_V1, 0},
641 {NAT_OA_V1, 0},
642 };
643
644 /**
645 * Message rule for QUICK_MODE from responder.
646 */
647 static payload_rule_t quick_mode_r_rules[] = {
648 /* payload type min max encr suff */
649 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
650 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
651 {HASH_V1, 0, 1, TRUE, FALSE},
652 {SECURITY_ASSOCIATION_V1, 0, 2, TRUE, FALSE},
653 {NONCE_V1, 0, 1, TRUE, FALSE},
654 {KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
655 {ID_V1, 0, 2, TRUE, FALSE},
656 {NAT_OA_V1, 0, 2, TRUE, FALSE},
657 };
658
659 /**
660 * payload order for QUICK_MODE from responder.
661 */
662 static payload_order_t quick_mode_r_order[] = {
663 /* payload type notify type */
664 {NOTIFY_V1, 0},
665 {VENDOR_ID_V1, 0},
666 {HASH_V1, 0},
667 {SECURITY_ASSOCIATION_V1, 0},
668 {NONCE_V1, 0},
669 {KEY_EXCHANGE_V1, 0},
670 {ID_V1, 0},
671 {NAT_OA_V1, 0},
672 };
673
674 /**
675 * Message rule for TRANSACTION.
676 */
677 static payload_rule_t transaction_payload_rules_v1[] = {
678 /* payload type min max encr suff */
679 {HASH_V1, 0, 1, TRUE, FALSE},
680 {CONFIGURATION_V1, 1, 1, FALSE, FALSE},
681 };
682
683 /**
684 * Payload order for TRANSACTION.
685 */
686 static payload_order_t transaction_payload_order_v1[] = {
687 /* payload type notify type */
688 {HASH_V1, 0},
689 {CONFIGURATION_V1, 0},
690 };
691
692 #endif /* USE_IKEV1 */
693
694 /**
695 * Message rules, defines allowed payloads.
696 */
697 static message_rule_t message_rules[] = {
698 {IKE_SA_INIT, TRUE, FALSE,
699 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
700 countof(ike_sa_init_i_order), ike_sa_init_i_order,
701 },
702 {IKE_SA_INIT, FALSE, FALSE,
703 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
704 countof(ike_sa_init_r_order), ike_sa_init_r_order,
705 },
706 {IKE_AUTH, TRUE, TRUE,
707 countof(ike_auth_i_rules), ike_auth_i_rules,
708 countof(ike_auth_i_order), ike_auth_i_order,
709 },
710 {IKE_AUTH, FALSE, TRUE,
711 countof(ike_auth_r_rules), ike_auth_r_rules,
712 countof(ike_auth_r_order), ike_auth_r_order,
713 },
714 {INFORMATIONAL, TRUE, TRUE,
715 countof(informational_i_rules), informational_i_rules,
716 countof(informational_i_order), informational_i_order,
717 },
718 {INFORMATIONAL, FALSE, TRUE,
719 countof(informational_r_rules), informational_r_rules,
720 countof(informational_r_order), informational_r_order,
721 },
722 {CREATE_CHILD_SA, TRUE, TRUE,
723 countof(create_child_sa_i_rules), create_child_sa_i_rules,
724 countof(create_child_sa_i_order), create_child_sa_i_order,
725 },
726 {CREATE_CHILD_SA, FALSE, TRUE,
727 countof(create_child_sa_r_rules), create_child_sa_r_rules,
728 countof(create_child_sa_r_order), create_child_sa_r_order,
729 },
730 #ifdef ME
731 {ME_CONNECT, TRUE, TRUE,
732 countof(me_connect_i_rules), me_connect_i_rules,
733 countof(me_connect_i_order), me_connect_i_order,
734 },
735 {ME_CONNECT, FALSE, TRUE,
736 countof(me_connect_r_rules), me_connect_r_rules,
737 countof(me_connect_r_order), me_connect_r_order,
738 },
739 #endif /* ME */
740 #ifdef USE_IKEV1
741 {ID_PROT, TRUE, FALSE,
742 countof(id_prot_i_rules), id_prot_i_rules,
743 countof(id_prot_i_order), id_prot_i_order,
744 },
745 {ID_PROT, FALSE, FALSE,
746 countof(id_prot_r_rules), id_prot_r_rules,
747 countof(id_prot_r_order), id_prot_r_order,
748 },
749 {AGGRESSIVE, TRUE, FALSE,
750 countof(aggressive_i_rules), aggressive_i_rules,
751 countof(aggressive_i_order), aggressive_i_order,
752 },
753 {AGGRESSIVE, FALSE, FALSE,
754 countof(aggressive_r_rules), aggressive_r_rules,
755 countof(aggressive_r_order), aggressive_r_order,
756 },
757 {INFORMATIONAL_V1, TRUE, TRUE,
758 countof(informational_i_rules_v1), informational_i_rules_v1,
759 countof(informational_i_order_v1), informational_i_order_v1,
760 },
761 {INFORMATIONAL_V1, FALSE, TRUE,
762 countof(informational_r_rules_v1), informational_r_rules_v1,
763 countof(informational_r_order_v1), informational_r_order_v1,
764 },
765 {QUICK_MODE, TRUE, TRUE,
766 countof(quick_mode_i_rules), quick_mode_i_rules,
767 countof(quick_mode_i_order), quick_mode_i_order,
768 },
769 {QUICK_MODE, FALSE, TRUE,
770 countof(quick_mode_r_rules), quick_mode_r_rules,
771 countof(quick_mode_r_order), quick_mode_r_order,
772 },
773 {TRANSACTION, TRUE, TRUE,
774 countof(transaction_payload_rules_v1), transaction_payload_rules_v1,
775 countof(transaction_payload_order_v1), transaction_payload_order_v1,
776 },
777 {TRANSACTION, FALSE, TRUE,
778 countof(transaction_payload_rules_v1), transaction_payload_rules_v1,
779 countof(transaction_payload_order_v1), transaction_payload_order_v1,
780 },
781 /* TODO-IKEv1: define rules for other exchanges */
782 #endif /* USE_IKEV1 */
783 };
784
785
786 typedef struct private_message_t private_message_t;
787
788 /**
789 * Private data of an message_t object.
790 */
791 struct private_message_t {
792
793 /**
794 * Public part of a message_t object.
795 */
796 message_t public;
797
798 /**
799 * Minor version of message.
800 */
801 u_int8_t major_version;
802
803 /**
804 * Major version of message.
805 */
806 u_int8_t minor_version;
807
808 /**
809 * First Payload in message.
810 */
811 payload_type_t first_payload;
812
813 /**
814 * Assigned exchange type.
815 */
816 exchange_type_t exchange_type;
817
818 /**
819 * TRUE if message is a request, FALSE if a reply.
820 */
821 bool is_request;
822
823 /**
824 * The message is encrypted (IKEv1)
825 */
826 bool is_encrypted;
827
828 /**
829 * Higher version supported?
830 */
831 bool version_flag;
832
833 /**
834 * Reserved bits in IKE header
835 */
836 bool reserved[2];
837
838 /**
839 * Sorting of message disabled?
840 */
841 bool sort_disabled;
842
843 /**
844 * Message ID of this message.
845 */
846 u_int32_t message_id;
847
848 /**
849 * ID of assigned IKE_SA.
850 */
851 ike_sa_id_t *ike_sa_id;
852
853 /**
854 * Assigned UDP packet, stores incoming packet or last generated one.
855 */
856 packet_t *packet;
857
858 /**
859 * Linked List where payload data are stored in.
860 */
861 linked_list_t *payloads;
862
863 /**
864 * Assigned parser to parse Header and Body of this message.
865 */
866 parser_t *parser;
867
868 /**
869 * The message rule for this message instance
870 */
871 message_rule_t *rule;
872 };
873
874 /**
875 * Get the message rule that applies to this message
876 */
877 static message_rule_t* get_message_rule(private_message_t *this)
878 {
879 int i;
880
881 for (i = 0; i < countof(message_rules); i++)
882 {
883 if ((this->exchange_type == message_rules[i].exchange_type) &&
884 (this->is_request == message_rules[i].is_request))
885 {
886 return &message_rules[i];
887 }
888 }
889 return NULL;
890 }
891
892 /**
893 * Look up a payload rule
894 */
895 static payload_rule_t* get_payload_rule(private_message_t *this,
896 payload_type_t type)
897 {
898 int i;
899
900 for (i = 0; i < this->rule->rule_count;i++)
901 {
902 if (this->rule->rules[i].type == type)
903 {
904 return &this->rule->rules[i];
905 }
906 }
907 return NULL;
908 }
909
910 METHOD(message_t, set_ike_sa_id, void,
911 private_message_t *this,ike_sa_id_t *ike_sa_id)
912 {
913 DESTROY_IF(this->ike_sa_id);
914 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
915 }
916
917 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
918 private_message_t *this)
919 {
920 return this->ike_sa_id;
921 }
922
923 METHOD(message_t, set_message_id, void,
924 private_message_t *this,u_int32_t message_id)
925 {
926 this->message_id = message_id;
927 }
928
929 METHOD(message_t, get_message_id, u_int32_t,
930 private_message_t *this)
931 {
932 return this->message_id;
933 }
934
935 METHOD(message_t, get_initiator_spi, u_int64_t,
936 private_message_t *this)
937 {
938 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
939 }
940
941 METHOD(message_t, get_responder_spi, u_int64_t,
942 private_message_t *this)
943 {
944 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
945 }
946
947 METHOD(message_t, set_major_version, void,
948 private_message_t *this, u_int8_t major_version)
949 {
950 this->major_version = major_version;
951 }
952
953 METHOD(message_t, get_major_version, u_int8_t,
954 private_message_t *this)
955 {
956 return this->major_version;
957 }
958
959 METHOD(message_t, set_minor_version, void,
960 private_message_t *this,u_int8_t minor_version)
961 {
962 this->minor_version = minor_version;
963 }
964
965 METHOD(message_t, get_minor_version, u_int8_t,
966 private_message_t *this)
967 {
968 return this->minor_version;
969 }
970
971 METHOD(message_t, set_exchange_type, void,
972 private_message_t *this, exchange_type_t exchange_type)
973 {
974 this->exchange_type = exchange_type;
975 }
976
977 METHOD(message_t, get_exchange_type, exchange_type_t,
978 private_message_t *this)
979 {
980 return this->exchange_type;
981 }
982
983 METHOD(message_t, get_first_payload_type, payload_type_t,
984 private_message_t *this)
985 {
986 return this->first_payload;
987 }
988
989 METHOD(message_t, set_request, void,
990 private_message_t *this, bool request)
991 {
992 this->is_request = request;
993 }
994
995 METHOD(message_t, get_request, bool,
996 private_message_t *this)
997 {
998 return this->is_request;
999 }
1000
1001 METHOD(message_t, set_version_flag, void,
1002 private_message_t *this)
1003 {
1004 this->version_flag = TRUE;
1005 }
1006
1007 METHOD(message_t, get_reserved_header_bit, bool,
1008 private_message_t *this, u_int nr)
1009 {
1010 if (nr < countof(this->reserved))
1011 {
1012 return this->reserved[nr];
1013 }
1014 return FALSE;
1015 }
1016
1017 METHOD(message_t, set_reserved_header_bit, void,
1018 private_message_t *this, u_int nr)
1019 {
1020 if (nr < countof(this->reserved))
1021 {
1022 this->reserved[nr] = TRUE;
1023 }
1024 }
1025
1026 METHOD(message_t, is_encoded, bool,
1027 private_message_t *this)
1028 {
1029 return this->packet->get_data(this->packet).ptr != NULL;
1030 }
1031
1032 METHOD(message_t, add_payload, void,
1033 private_message_t *this, payload_t *payload)
1034 {
1035 payload_t *last_payload;
1036
1037 if (this->payloads->get_count(this->payloads) > 0)
1038 {
1039 this->payloads->get_last(this->payloads, (void **)&last_payload);
1040 last_payload->set_next_type(last_payload, payload->get_type(payload));
1041 }
1042 else
1043 {
1044 this->first_payload = payload->get_type(payload);
1045 }
1046 payload->set_next_type(payload, NO_PAYLOAD);
1047 this->payloads->insert_last(this->payloads, payload);
1048
1049 DBG2(DBG_ENC ,"added payload of type %N to message",
1050 payload_type_names, payload->get_type(payload));
1051 }
1052
1053 METHOD(message_t, add_notify, void,
1054 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
1055 {
1056 notify_payload_t *notify;
1057 payload_t *payload;
1058
1059 if (flush)
1060 {
1061 while (this->payloads->remove_last(this->payloads,
1062 (void**)&payload) == SUCCESS)
1063 {
1064 payload->destroy(payload);
1065 }
1066 }
1067 if (this->major_version == IKEV2_MAJOR_VERSION)
1068 {
1069 notify = notify_payload_create(NOTIFY);
1070 }
1071 else
1072 {
1073 notify = notify_payload_create(NOTIFY_V1);
1074 }
1075 notify->set_notify_type(notify, type);
1076 notify->set_notification_data(notify, data);
1077 add_payload(this, (payload_t*)notify);
1078 }
1079
1080 METHOD(message_t, set_source, void,
1081 private_message_t *this, host_t *host)
1082 {
1083 this->packet->set_source(this->packet, host);
1084 }
1085
1086 METHOD(message_t, set_destination, void,
1087 private_message_t *this, host_t *host)
1088 {
1089 this->packet->set_destination(this->packet, host);
1090 }
1091
1092 METHOD(message_t, get_source, host_t*,
1093 private_message_t *this)
1094 {
1095 return this->packet->get_source(this->packet);
1096 }
1097
1098 METHOD(message_t, get_destination, host_t*,
1099 private_message_t *this)
1100 {
1101 return this->packet->get_destination(this->packet);
1102 }
1103
1104 METHOD(message_t, create_payload_enumerator, enumerator_t*,
1105 private_message_t *this)
1106 {
1107 return this->payloads->create_enumerator(this->payloads);
1108 }
1109
1110 METHOD(message_t, remove_payload_at, void,
1111 private_message_t *this, enumerator_t *enumerator)
1112 {
1113 this->payloads->remove_at(this->payloads, enumerator);
1114 }
1115
1116 METHOD(message_t, get_payload, payload_t*,
1117 private_message_t *this, payload_type_t type)
1118 {
1119 payload_t *current, *found = NULL;
1120 enumerator_t *enumerator;
1121
1122 enumerator = create_payload_enumerator(this);
1123 while (enumerator->enumerate(enumerator, &current))
1124 {
1125 if (current->get_type(current) == type)
1126 {
1127 found = current;
1128 break;
1129 }
1130 }
1131 enumerator->destroy(enumerator);
1132 return found;
1133 }
1134
1135 METHOD(message_t, get_notify, notify_payload_t*,
1136 private_message_t *this, notify_type_t type)
1137 {
1138 enumerator_t *enumerator;
1139 notify_payload_t *notify = NULL;
1140 payload_t *payload;
1141
1142 enumerator = create_payload_enumerator(this);
1143 while (enumerator->enumerate(enumerator, &payload))
1144 {
1145 if (payload->get_type(payload) == NOTIFY)
1146 {
1147 notify = (notify_payload_t*)payload;
1148 if (notify->get_notify_type(notify) == type)
1149 {
1150 break;
1151 }
1152 notify = NULL;
1153 }
1154 }
1155 enumerator->destroy(enumerator);
1156 return notify;
1157 }
1158
1159 /**
1160 * get a string representation of the message
1161 */
1162 static char* get_string(private_message_t *this, char *buf, int len)
1163 {
1164 enumerator_t *enumerator;
1165 payload_t *payload;
1166 int written;
1167 char *pos = buf;
1168
1169 memset(buf, 0, len);
1170 len--;
1171
1172 written = snprintf(pos, len, "%N %s %u [",
1173 exchange_type_names, this->exchange_type,
1174 this->is_request ? "request" : "response",
1175 this->message_id);
1176 if (written >= len || written < 0)
1177 {
1178 return "";
1179 }
1180 pos += written;
1181 len -= written;
1182
1183 enumerator = create_payload_enumerator(this);
1184 while (enumerator->enumerate(enumerator, &payload))
1185 {
1186 written = snprintf(pos, len, " %N", payload_type_short_names,
1187 payload->get_type(payload));
1188 if (written >= len || written < 0)
1189 {
1190 return buf;
1191 }
1192 pos += written;
1193 len -= written;
1194 if (payload->get_type(payload) == NOTIFY)
1195 {
1196 notify_payload_t *notify;
1197 notify_type_t type;
1198 chunk_t data;
1199
1200 notify = (notify_payload_t*)payload;
1201 type = notify->get_notify_type(notify);
1202 data = notify->get_notification_data(notify);
1203 if (type == MS_NOTIFY_STATUS && data.len == 4)
1204 {
1205 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1206 type, untoh32(data.ptr));
1207 }
1208 else
1209 {
1210 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1211 type);
1212 }
1213 if (written >= len || written < 0)
1214 {
1215 return buf;
1216 }
1217 pos += written;
1218 len -= written;
1219 }
1220 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1221 {
1222 eap_payload_t *eap = (eap_payload_t*)payload;
1223 u_int32_t vendor;
1224 eap_type_t type;
1225 char method[64] = "";
1226
1227 type = eap->get_type(eap, &vendor);
1228 if (type)
1229 {
1230 if (vendor)
1231 {
1232 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1233 }
1234 else
1235 {
1236 snprintf(method, sizeof(method), "/%N",
1237 eap_type_short_names, type);
1238 }
1239 }
1240 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1241 eap->get_code(eap), method);
1242 if (written >= len || written < 0)
1243 {
1244 return buf;
1245 }
1246 pos += written;
1247 len -= written;
1248 }
1249 if (payload->get_type(payload) == CONFIGURATION)
1250 {
1251 cp_payload_t *cp = (cp_payload_t*)payload;
1252 enumerator_t *attributes;
1253 configuration_attribute_t *attribute;
1254 bool first = TRUE;
1255
1256 attributes = cp->create_attribute_enumerator(cp);
1257 while (attributes->enumerate(attributes, &attribute))
1258 {
1259 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1260 configuration_attribute_type_short_names,
1261 attribute->get_type(attribute));
1262 if (written >= len || written < 0)
1263 {
1264 return buf;
1265 }
1266 pos += written;
1267 len -= written;
1268 first = FALSE;
1269 }
1270 attributes->destroy(attributes);
1271 if (!first)
1272 {
1273 written = snprintf(pos, len, ")");
1274 if (written >= len || written < 0)
1275 {
1276 return buf;
1277 }
1278 pos += written;
1279 len -= written;
1280 }
1281 }
1282 }
1283 enumerator->destroy(enumerator);
1284
1285 /* remove last space */
1286 snprintf(pos, len, " ]");
1287 return buf;
1288 }
1289
1290 /**
1291 * reorder payloads depending on reordering rules
1292 */
1293 static void order_payloads(private_message_t *this)
1294 {
1295 linked_list_t *list;
1296 payload_t *payload;
1297 int i;
1298
1299 /* move to temp list */
1300 list = linked_list_create();
1301 while (this->payloads->remove_last(this->payloads,
1302 (void**)&payload) == SUCCESS)
1303 {
1304 list->insert_first(list, payload);
1305 }
1306 /* for each rule, ... */
1307 for (i = 0; i < this->rule->order_count; i++)
1308 {
1309 enumerator_t *enumerator;
1310 notify_payload_t *notify;
1311 payload_order_t order;
1312
1313 order = this->rule->order[i];
1314
1315 /* ... find all payload ... */
1316 enumerator = list->create_enumerator(list);
1317 while (enumerator->enumerate(enumerator, &payload))
1318 {
1319 /* ... with that type ... */
1320 if (payload->get_type(payload) == order.type)
1321 {
1322 notify = (notify_payload_t*)payload;
1323
1324 /**... and check notify for type. */
1325 if (order.type != NOTIFY || order.notify == 0 ||
1326 order.notify == notify->get_notify_type(notify))
1327 {
1328 list->remove_at(list, enumerator);
1329 add_payload(this, payload);
1330 }
1331 }
1332 }
1333 enumerator->destroy(enumerator);
1334 }
1335 /* append all payloads without a rule to the end */
1336 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1337 {
1338 /* do not complain about payloads in private use space */
1339 if (payload->get_type(payload) < 128)
1340 {
1341 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1342 payload_type_names, payload->get_type(payload),
1343 exchange_type_names, this->rule->exchange_type,
1344 this->rule->is_request ? "request" : "response");
1345 }
1346 add_payload(this, payload);
1347 }
1348 list->destroy(list);
1349 }
1350
1351 /**
1352 * Wrap payloads in an encryption payload
1353 */
1354 static encryption_payload_t* wrap_payloads(private_message_t *this,
1355 payload_type_t encryption_type)
1356 {
1357 encryption_payload_t *encryption;
1358 linked_list_t *payloads;
1359 payload_t *current;
1360
1361 /* copy all payloads in a temporary list */
1362 payloads = linked_list_create();
1363 while (this->payloads->remove_first(this->payloads,
1364 (void**)&current) == SUCCESS)
1365 {
1366 payloads->insert_last(payloads, current);
1367 }
1368
1369 encryption = encryption_payload_create(encryption_type);
1370 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1371 {
1372 payload_rule_t *rule;
1373 payload_type_t type;
1374 bool encrypt = TRUE;
1375
1376 type = current->get_type(current);
1377 rule = get_payload_rule(this, type);
1378 if (rule)
1379 {
1380 encrypt = rule->encrypted;
1381 }
1382 if (encrypt || this->is_encrypted)
1383 { /* encryption is forced for IKEv1 */
1384 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1385 payload_type_names, type);
1386 encryption->add_payload(encryption, current);
1387 }
1388 else
1389 {
1390 DBG2(DBG_ENC, "insert payload %N unencrypted",
1391 payload_type_names, type);
1392 add_payload(this, current);
1393 }
1394 }
1395 payloads->destroy(payloads);
1396
1397 return encryption;
1398 }
1399
1400 METHOD(message_t, disable_sort, void,
1401 private_message_t *this)
1402 {
1403 this->sort_disabled = TRUE;
1404 }
1405
1406 METHOD(message_t, generate, status_t,
1407 private_message_t *this, keymat_t *keymat, packet_t **packet)
1408 {
1409 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1410 generator_t *generator;
1411 ike_header_t *ike_header;
1412 payload_t *payload, *next;
1413 encryption_payload_t *encryption = NULL;
1414 payload_type_t next_type;
1415 enumerator_t *enumerator;
1416 aead_t *aead;
1417 chunk_t chunk;
1418 char str[BUF_LEN];
1419 u_int32_t *lenpos;
1420 bool encrypted = FALSE, *reserved;
1421 int i;
1422
1423 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1424 {
1425 DBG1(DBG_ENC, "exchange type is not defined");
1426 return INVALID_STATE;
1427 }
1428
1429 if (this->packet->get_source(this->packet) == NULL ||
1430 this->packet->get_destination(this->packet) == NULL)
1431 {
1432 DBG1(DBG_ENC, "source/destination not defined");
1433 return INVALID_STATE;
1434 }
1435
1436 this->rule = get_message_rule(this);
1437 if (!this->rule)
1438 {
1439 DBG1(DBG_ENC, "no message rules specified for this message type");
1440 return NOT_SUPPORTED;
1441 }
1442
1443 if (!this->sort_disabled)
1444 {
1445 order_payloads(this);
1446 }
1447
1448 if (this->major_version == IKEV2_MAJOR_VERSION)
1449 {
1450 encrypted = this->rule->encrypted;
1451 }
1452 else
1453 {
1454 /* get a hash for this message, if any is required */
1455 chunk_t hash = keymat_v1->get_hash_phase2(keymat_v1, &this->public);
1456 if (hash.ptr)
1457 { /* insert a HASH payload as first payload */
1458 hash_payload_t *hash_payload = hash_payload_create(HASH_V1);
1459 hash_payload->set_hash(hash_payload, hash);
1460 this->payloads->insert_first(this->payloads,
1461 (payload_t*)hash_payload);
1462
1463 if (this->exchange_type == INFORMATIONAL_V1)
1464 {
1465 DBG3(DBG_ENC, "encrypting IKEv1 INFORMATIONAL exchange message");
1466 this->is_encrypted = TRUE;
1467 encrypted = TRUE;
1468 }
1469
1470 chunk_free(&hash);
1471 }
1472
1473 if (!encrypted)
1474 {
1475 /* if at least one payload requires encryption, encrypt the message.
1476 * if we have no key material available, the flag will be reset below */
1477 enumerator = this->payloads->create_enumerator(this->payloads);
1478 while (enumerator->enumerate(enumerator, (void**)&payload))
1479 {
1480 payload_rule_t *rule;
1481 rule = get_payload_rule(this, payload->get_type(payload));
1482 if (rule && rule->encrypted)
1483 {
1484 this->is_encrypted = TRUE;
1485 encrypted = TRUE;
1486 break;
1487 }
1488 }
1489 enumerator->destroy(enumerator);
1490 }
1491 }
1492
1493 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1494
1495 aead = keymat->get_aead(keymat, FALSE);
1496 if (aead && encrypted)
1497 {
1498 encryption = wrap_payloads(this, this->is_encrypted ? ENCRYPTED_V1
1499 : ENCRYPTED);
1500 }
1501 else
1502 {
1503 DBG2(DBG_ENC, "not encrypting payloads");
1504 this->is_encrypted = FALSE;
1505 }
1506
1507 ike_header = ike_header_create_version(this->major_version,
1508 this->minor_version);
1509 ike_header->set_exchange_type(ike_header, this->exchange_type);
1510 ike_header->set_message_id(ike_header, this->message_id);
1511 if (this->major_version == IKEV2_MAJOR_VERSION)
1512 {
1513 ike_header->set_response_flag(ike_header, !this->is_request);
1514 ike_header->set_version_flag(ike_header, this->version_flag);
1515 ike_header->set_initiator_flag(ike_header,
1516 this->ike_sa_id->is_initiator(this->ike_sa_id));
1517 }
1518 else
1519 {
1520 ike_header->set_encryption_flag(ike_header, this->is_encrypted);
1521 }
1522 ike_header->set_initiator_spi(ike_header,
1523 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1524 ike_header->set_responder_spi(ike_header,
1525 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1526
1527 for (i = 0; i < countof(this->reserved); i++)
1528 {
1529 reserved = payload_get_field(&ike_header->payload_interface,
1530 RESERVED_BIT, i);
1531 if (reserved)
1532 {
1533 *reserved = this->reserved[i];
1534 }
1535 }
1536
1537 generator = generator_create();
1538
1539 /* generate all payloads with proper next type */
1540 payload = (payload_t*)ike_header;
1541 enumerator = create_payload_enumerator(this);
1542 while (enumerator->enumerate(enumerator, &next))
1543 {
1544 payload->set_next_type(payload, next->get_type(next));
1545 generator->generate_payload(generator, payload);
1546 payload = next;
1547 }
1548 enumerator->destroy(enumerator);
1549 if (this->is_encrypted)
1550 { /* for encrypted IKEv1 messages */
1551 next_type = encryption->payload_interface.get_next_type(
1552 (payload_t*)encryption);
1553 }
1554 else
1555 {
1556 next_type = encryption ? ENCRYPTED : NO_PAYLOAD;
1557 }
1558 payload->set_next_type(payload, next_type);
1559 generator->generate_payload(generator, payload);
1560 ike_header->destroy(ike_header);
1561
1562 if (encryption)
1563 { /* set_transform() has to be called before get_length() */
1564 encryption->set_transform(encryption, aead);
1565 if (this->is_encrypted)
1566 { /* for IKEv1 instead of associated data we provide the IV */
1567 chunk = keymat_v1->get_iv(keymat_v1, this->message_id);
1568 }
1569 else
1570 { /* build associated data (without header of encryption payload) */
1571 chunk = generator->get_chunk(generator, &lenpos);
1572 /* fill in length, including encryption payload */
1573 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1574 }
1575 this->payloads->insert_last(this->payloads, encryption);
1576 if (!encryption->encrypt(encryption, chunk))
1577 {
1578 generator->destroy(generator);
1579 return INVALID_STATE;
1580 }
1581 generator->generate_payload(generator, &encryption->payload_interface);
1582 }
1583 chunk = generator->get_chunk(generator, &lenpos);
1584 htoun32(lenpos, chunk.len);
1585 this->packet->set_data(this->packet, chunk_clone(chunk));
1586 if (this->is_encrypted)
1587 { /* update the IV for the next IKEv1 message */
1588 chunk_t last_block;
1589 size_t bs = aead->get_block_size(aead);
1590 last_block = chunk_create(chunk.ptr + chunk.len - bs, bs);
1591 keymat_v1->update_iv(keymat_v1, this->message_id, last_block);
1592 keymat_v1->confirm_iv(keymat_v1, this->message_id);
1593 }
1594 generator->destroy(generator);
1595 *packet = this->packet->clone(this->packet);
1596 return SUCCESS;
1597 }
1598
1599 METHOD(message_t, get_packet, packet_t*,
1600 private_message_t *this)
1601 {
1602 if (this->packet == NULL)
1603 {
1604 return NULL;
1605 }
1606 return this->packet->clone(this->packet);
1607 }
1608
1609 METHOD(message_t, get_packet_data, chunk_t,
1610 private_message_t *this)
1611 {
1612 if (this->packet == NULL)
1613 {
1614 return chunk_empty;
1615 }
1616 return this->packet->get_data(this->packet);
1617 }
1618
1619 METHOD(message_t, parse_header, status_t,
1620 private_message_t *this)
1621 {
1622 ike_header_t *ike_header;
1623 status_t status;
1624 bool *reserved;
1625 int i;
1626
1627 DBG2(DBG_ENC, "parsing header of message");
1628
1629 this->parser->reset_context(this->parser);
1630 status = this->parser->parse_payload(this->parser, HEADER,
1631 (payload_t**)&ike_header);
1632 if (status != SUCCESS)
1633 {
1634 DBG1(DBG_ENC, "header could not be parsed");
1635 return status;
1636
1637 }
1638
1639 status = ike_header->payload_interface.verify(
1640 &ike_header->payload_interface);
1641 if (status != SUCCESS)
1642 {
1643 DBG1(DBG_ENC, "header verification failed");
1644 ike_header->destroy(ike_header);
1645 return status;
1646 }
1647
1648 DESTROY_IF(this->ike_sa_id);
1649 this->ike_sa_id = ike_sa_id_create(
1650 ike_header->get_initiator_spi(ike_header),
1651 ike_header->get_responder_spi(ike_header),
1652 ike_header->get_initiator_flag(ike_header));
1653
1654 this->exchange_type = ike_header->get_exchange_type(ike_header);
1655 this->message_id = ike_header->get_message_id(ike_header);
1656 this->major_version = ike_header->get_maj_version(ike_header);
1657 this->minor_version = ike_header->get_min_version(ike_header);
1658 if (this->major_version == IKEV2_MAJOR_VERSION)
1659 {
1660 this->is_request = !ike_header->get_response_flag(ike_header);
1661 }
1662 else
1663 {
1664 this->is_encrypted = ike_header->get_encryption_flag(ike_header);
1665 }
1666 this->first_payload = ike_header->payload_interface.get_next_type(
1667 &ike_header->payload_interface);
1668 for (i = 0; i < countof(this->reserved); i++)
1669 {
1670 reserved = payload_get_field(&ike_header->payload_interface,
1671 RESERVED_BIT, i);
1672 if (reserved)
1673 {
1674 this->reserved[i] = *reserved;
1675 }
1676 }
1677 ike_header->destroy(ike_header);
1678
1679 DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
1680 this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
1681 "message" : (this->is_request ? "request" : "response"));
1682 return SUCCESS;
1683 }
1684
1685 /**
1686 * Check if a payload is for a mediation extension connectivity check
1687 */
1688 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1689 {
1690 #ifdef ME
1691 if (this->exchange_type == INFORMATIONAL &&
1692 payload->get_type(payload) == NOTIFY)
1693 {
1694 notify_payload_t *notify = (notify_payload_t*)payload;
1695
1696 switch (notify->get_notify_type(notify))
1697 {
1698 case ME_CONNECTID:
1699 case ME_ENDPOINT:
1700 case ME_CONNECTAUTH:
1701 return TRUE;
1702 default:
1703 break;
1704 }
1705 }
1706 #endif /* !ME */
1707 return FALSE;
1708 }
1709
1710 /**
1711 * Parses and verifies the unencrypted payloads contained in the message
1712 */
1713 static status_t parse_payloads(private_message_t *this)
1714 {
1715 payload_type_t type = this->first_payload;
1716 payload_t *payload;
1717 status_t status;
1718
1719 if (this->is_encrypted)
1720 { /* wrap the whole encrypted IKEv1 message in a special encryption
1721 * payload which is then handled just like a regular payload */
1722 encryption_payload_t *encryption;
1723 status = this->parser->parse_payload(this->parser, ENCRYPTED_V1,
1724 (payload_t**)&encryption);
1725 if (status != SUCCESS)
1726 {
1727 DBG1(DBG_ENC, "failed to wrap encrypted IKEv1 message");
1728 return PARSE_ERROR;
1729 }
1730 encryption->payload_interface.set_next_type((payload_t*)encryption,
1731 this->first_payload);
1732 this->payloads->insert_last(this->payloads, encryption);
1733 return SUCCESS;
1734 }
1735
1736 while (type != NO_PAYLOAD)
1737 {
1738 DBG2(DBG_ENC, "starting parsing a %N payload",
1739 payload_type_names, type);
1740
1741 status = this->parser->parse_payload(this->parser, type, &payload);
1742 if (status != SUCCESS)
1743 {
1744 DBG1(DBG_ENC, "payload type %N could not be parsed",
1745 payload_type_names, type);
1746 return PARSE_ERROR;
1747 }
1748
1749 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1750 status = payload->verify(payload);
1751 if (status != SUCCESS)
1752 {
1753 DBG1(DBG_ENC, "%N payload verification failed",
1754 payload_type_names, type);
1755 payload->destroy(payload);
1756 return VERIFY_ERROR;
1757 }
1758
1759 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1760 payload_type_names, type);
1761 this->payloads->insert_last(this->payloads, payload);
1762
1763 /* an encryption payload is the last one, so STOP here. decryption is
1764 * done later */
1765 if (type == ENCRYPTED)
1766 {
1767 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1768 payload_type_names, type);
1769 break;
1770 }
1771 type = payload->get_next_type(payload);
1772 }
1773 return SUCCESS;
1774 }
1775
1776 /**
1777 * Decrypt payload from the encryption payload
1778 */
1779 static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
1780 {
1781 bool was_encrypted = FALSE;
1782 payload_t *payload, *previous = NULL;
1783 enumerator_t *enumerator;
1784 payload_rule_t *rule;
1785 payload_type_t type;
1786 aead_t *aead;
1787 status_t status = SUCCESS;
1788
1789 enumerator = this->payloads->create_enumerator(this->payloads);
1790 while (enumerator->enumerate(enumerator, &payload))
1791 {
1792 type = payload->get_type(payload);
1793
1794 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1795
1796 if (type == ENCRYPTED || type == ENCRYPTED_V1)
1797 {
1798 encryption_payload_t *encryption;
1799 payload_t *encrypted;
1800 chunk_t chunk;
1801 size_t bs;
1802
1803 encryption = (encryption_payload_t*)payload;
1804
1805 DBG2(DBG_ENC, "found an encryption payload");
1806
1807 if (this->payloads->has_more(this->payloads, enumerator))
1808 {
1809 DBG1(DBG_ENC, "encrypted payload is not last payload");
1810 status = VERIFY_ERROR;
1811 break;
1812 }
1813 aead = keymat->get_aead(keymat, TRUE);
1814 bs = aead->get_block_size(aead);
1815 encryption->set_transform(encryption, aead);
1816 chunk = this->packet->get_data(this->packet);
1817 if (chunk.len < encryption->get_length(encryption) ||
1818 chunk.len < bs)
1819 {
1820 DBG1(DBG_ENC, "invalid payload length");
1821 status = VERIFY_ERROR;
1822 break;
1823 }
1824 if (type == ENCRYPTED_V1)
1825 { /* instead of associated data we provide the IV, we also update
1826 * the IV with the last encrypted block */
1827 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1828 chunk_t last_block = chunk_create(chunk.ptr + chunk.len - bs,
1829 bs);
1830 chunk = keymat_v1->get_iv(keymat_v1, this->message_id);
1831 keymat_v1->update_iv(keymat_v1, this->message_id, last_block);
1832 }
1833 else
1834 {
1835 chunk.len -= encryption->get_length(encryption);
1836 }
1837 status = encryption->decrypt(encryption, chunk);
1838 if (status != SUCCESS)
1839 {
1840 break;
1841 }
1842
1843 was_encrypted = TRUE;
1844 this->payloads->remove_at(this->payloads, enumerator);
1845
1846 while ((encrypted = encryption->remove_payload(encryption)))
1847 {
1848 type = encrypted->get_type(encrypted);
1849 if (previous)
1850 {
1851 previous->set_next_type(previous, type);
1852 }
1853 else
1854 {
1855 this->first_payload = type;
1856 }
1857 DBG2(DBG_ENC, "insert decrypted payload of type "
1858 "%N at end of list", payload_type_names, type);
1859 this->payloads->insert_last(this->payloads, encrypted);
1860 previous = encrypted;
1861 }
1862 encryption->destroy(encryption);
1863 }
1864 if (payload_is_known(type) && !was_encrypted &&
1865 !is_connectivity_check(this, payload))
1866 {
1867 rule = get_payload_rule(this, type);
1868 if (!rule || rule->encrypted)
1869 {
1870 DBG1(DBG_ENC, "payload type %N was not encrypted",
1871 payload_type_names, type);
1872 status = FAILED;
1873 break;
1874 }
1875 }
1876 previous = payload;
1877 }
1878 enumerator->destroy(enumerator);
1879 return status;
1880 }
1881
1882 /**
1883 * Verify a message and all payload according to message/payload rules
1884 */
1885 static status_t verify(private_message_t *this)
1886 {
1887 bool complete = FALSE;
1888 int i;
1889
1890 DBG2(DBG_ENC, "verifying message structure");
1891
1892 /* check for payloads with wrong count */
1893 for (i = 0; i < this->rule->rule_count; i++)
1894 {
1895 enumerator_t *enumerator;
1896 payload_t *payload;
1897 payload_rule_t *rule;
1898 int found = 0;
1899
1900 rule = &this->rule->rules[i];
1901 enumerator = create_payload_enumerator(this);
1902 while (enumerator->enumerate(enumerator, &payload))
1903 {
1904 payload_type_t type;
1905
1906 type = payload->get_type(payload);
1907 if (type == rule->type)
1908 {
1909 found++;
1910 DBG2(DBG_ENC, "found payload of type %N",
1911 payload_type_names, type);
1912 if (found > rule->max_occurence)
1913 {
1914 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1915 "occurred in current message", payload_type_names,
1916 type, rule->max_occurence, found);
1917 enumerator->destroy(enumerator);
1918 return VERIFY_ERROR;
1919 }
1920 }
1921 }
1922 enumerator->destroy(enumerator);
1923
1924 if (!complete && found < rule->min_occurence)
1925 {
1926 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1927 payload_type_names, rule->type, rule->min_occurence, found);
1928 return VERIFY_ERROR;
1929 }
1930 if (found && rule->sufficient)
1931 {
1932 complete = TRUE;
1933 }
1934 }
1935 return SUCCESS;
1936 }
1937
1938 METHOD(message_t, parse_body, status_t,
1939 private_message_t *this, keymat_t *keymat)
1940 {
1941 status_t status = SUCCESS;
1942 char str[BUF_LEN];
1943
1944 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1945 payload_type_names, this->first_payload);
1946
1947 this->rule = get_message_rule(this);
1948 if (!this->rule)
1949 {
1950 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1951 exchange_type_names, this->exchange_type,
1952 this->is_request ? "request" : "response");
1953 return NOT_SUPPORTED;
1954 }
1955
1956 status = parse_payloads(this);
1957 if (status != SUCCESS)
1958 { /* error is already logged */
1959 return status;
1960 }
1961
1962 status = decrypt_payloads(this, keymat);
1963 if (status != SUCCESS)
1964 {
1965 DBG1(DBG_ENC, "could not decrypt payloads");
1966 return status;
1967 }
1968
1969 status = verify(this);
1970 if (status != SUCCESS)
1971 {
1972 return status;
1973 }
1974
1975 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1976
1977 if (this->major_version == IKEV1_MAJOR_VERSION)
1978 {
1979 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1980 chunk_t hash;
1981 hash = keymat_v1->get_hash_phase2(keymat_v1, &this->public);
1982 if (hash.ptr)
1983 {
1984 hash_payload_t *hash_payload;
1985 chunk_t other_hash;
1986 if ((this->first_payload != HASH_V1) && (this->public.get_exchange_type(&this->public) != INFORMATIONAL_V1))
1987 {
1988 DBG1(DBG_ENC, "expected HASH payload as first payload");
1989 chunk_free(&hash);
1990 return VERIFY_ERROR;
1991 }
1992 if (this->first_payload == HASH_V1)
1993 {
1994 hash_payload = (hash_payload_t*)get_payload(this, HASH_V1);
1995 other_hash = hash_payload->get_hash(hash_payload);
1996 if (!chunk_equals(hash, other_hash))
1997 {
1998 DBG1(DBG_ENC, "our hash does not match received %B",
1999 &other_hash);
2000 chunk_free(&hash);
2001 return FAILED;
2002 }
2003 DBG2(DBG_ENC, "verified IKEv1 message with hash %B", &hash);
2004 }
2005 chunk_free(&hash);
2006 }
2007 }
2008
2009 if (this->is_encrypted)
2010 { /* TODO-IKEv1: this should be done later when we know this is no
2011 * retransmit */
2012 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
2013 keymat_v1->confirm_iv(keymat_v1, this->message_id);
2014 }
2015
2016 return SUCCESS;
2017 }
2018
2019 METHOD(message_t, destroy, void,
2020 private_message_t *this)
2021 {
2022 DESTROY_IF(this->ike_sa_id);
2023 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
2024 this->packet->destroy(this->packet);
2025 this->parser->destroy(this->parser);
2026 free(this);
2027 }
2028
2029 /*
2030 * Described in header.
2031 */
2032 message_t *message_create_from_packet(packet_t *packet)
2033 {
2034 private_message_t *this;
2035
2036 INIT(this,
2037 .public = {
2038 .set_major_version = _set_major_version,
2039 .get_major_version = _get_major_version,
2040 .set_minor_version = _set_minor_version,
2041 .get_minor_version = _get_minor_version,
2042 .set_message_id = _set_message_id,
2043 .get_message_id = _get_message_id,
2044 .get_initiator_spi = _get_initiator_spi,
2045 .get_responder_spi = _get_responder_spi,
2046 .set_ike_sa_id = _set_ike_sa_id,
2047 .get_ike_sa_id = _get_ike_sa_id,
2048 .set_exchange_type = _set_exchange_type,
2049 .get_exchange_type = _get_exchange_type,
2050 .get_first_payload_type = _get_first_payload_type,
2051 .set_request = _set_request,
2052 .get_request = _get_request,
2053 .set_version_flag = _set_version_flag,
2054 .get_reserved_header_bit = _get_reserved_header_bit,
2055 .set_reserved_header_bit = _set_reserved_header_bit,
2056 .add_payload = _add_payload,
2057 .add_notify = _add_notify,
2058 .disable_sort = _disable_sort,
2059 .generate = _generate,
2060 .is_encoded = _is_encoded,
2061 .set_source = _set_source,
2062 .get_source = _get_source,
2063 .set_destination = _set_destination,
2064 .get_destination = _get_destination,
2065 .create_payload_enumerator = _create_payload_enumerator,
2066 .remove_payload_at = _remove_payload_at,
2067 .get_payload = _get_payload,
2068 .get_notify = _get_notify,
2069 .parse_header = _parse_header,
2070 .parse_body = _parse_body,
2071 .get_packet = _get_packet,
2072 .get_packet_data = _get_packet_data,
2073 .destroy = _destroy,
2074 },
2075 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
2076 .is_request = TRUE,
2077 .first_payload = NO_PAYLOAD,
2078 .packet = packet,
2079 .payloads = linked_list_create(),
2080 .parser = parser_create(packet->get_data(packet)),
2081 );
2082
2083 return &this->public;
2084 }
2085
2086 /*
2087 * Described in header.
2088 */
2089 message_t *message_create(int major, int minor)
2090 {
2091 message_t *this = message_create_from_packet(packet_create());
2092
2093 this->set_major_version(this, major);
2094 this->set_minor_version(this, minor);
2095
2096 return this;
2097 }