increased message buffer to cope with NCP's innumerable UNITY Configuration Payloads
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ike_sa_id.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <utils/linked_list.h>
31 #include <encoding/payloads/encodings.h>
32 #include <encoding/payloads/payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 Message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 Message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 Message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of Vendor ID payloads per IKEv2 Message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * A payload rule defines the rules for a payload
59 * in a specific message rule. It defines if and how
60 * many times a payload must/can occur in a message
61 * and if it must be encrypted.
62 */
63 typedef struct {
64 /* Payload type */
65 payload_type_t type;
66 /* Minimal occurrence of this payload. */
67 size_t min_occurence;
68 /* Max occurrence of this payload. */
69 size_t max_occurence;
70 /* TRUE if payload must be encrypted */
71 bool encrypted;
72 /* If payload occurs, the message rule is fulfilled */
73 bool sufficient;
74 } payload_rule_t;
75
76 /**
77 * payload ordering structure allows us to reorder payloads according to RFC.
78 */
79 typedef struct {
80 /** payload type */
81 payload_type_t type;
82 /** notify type, if payload == NOTIFY */
83 notify_type_t notify;
84 } payload_order_t;
85
86 /**
87 * A message rule defines the kind of a message,
88 * if it has encrypted contents and a list
89 * of payload ordering rules and payload parsing rules.
90 */
91 typedef struct {
92 /** Type of message. */
93 exchange_type_t exchange_type;
94 /** Is message a request or response. */
95 bool is_request;
96 /** Message contains encrypted payloads. */
97 bool encrypted;
98 /** Number of payload rules which will follow */
99 int rule_count;
100 /** Pointer to first payload rule */
101 payload_rule_t *rules;
102 /** Number of payload order rules */
103 int order_count;
104 /** payload ordering rules */
105 payload_order_t *order;
106 } message_rule_t;
107
108 /**
109 * Message rule for IKE_SA_INIT from initiator.
110 */
111 static payload_rule_t ike_sa_init_i_rules[] = {
112 /* payload type min max encr suff */
113 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
114 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
115 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
116 {NONCE, 1, 1, FALSE, FALSE},
117 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
118 };
119
120 /**
121 * payload order for IKE_SA_INIT initiator
122 */
123 static payload_order_t ike_sa_init_i_order[] = {
124 /* payload type notify type */
125 {NOTIFY, COOKIE},
126 {SECURITY_ASSOCIATION, 0},
127 {KEY_EXCHANGE, 0},
128 {NONCE, 0},
129 {NOTIFY, NAT_DETECTION_SOURCE_IP},
130 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
131 {NOTIFY, 0},
132 {VENDOR_ID, 0},
133 };
134
135 /**
136 * Message rule for IKE_SA_INIT from responder.
137 */
138 static payload_rule_t ike_sa_init_r_rules[] = {
139 /* payload type min max encr suff */
140 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
141 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
142 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
143 {NONCE, 1, 1, FALSE, FALSE},
144 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
145 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
146 };
147
148 /**
149 * payload order for IKE_SA_INIT responder
150 */
151 static payload_order_t ike_sa_init_r_order[] = {
152 /* payload type notify type */
153 {SECURITY_ASSOCIATION, 0},
154 {KEY_EXCHANGE, 0},
155 {NONCE, 0},
156 {NOTIFY, NAT_DETECTION_SOURCE_IP},
157 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
158 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
159 {CERTIFICATE_REQUEST, 0},
160 {NOTIFY, 0},
161 {VENDOR_ID, 0},
162 };
163
164 /**
165 * Message rule for IKE_AUTH from initiator.
166 */
167 static payload_rule_t ike_auth_i_rules[] = {
168 /* payload type min max encr suff */
169 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
170 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
171 {AUTHENTICATION, 0, 1, TRUE, TRUE},
172 {ID_INITIATOR, 0, 1, TRUE, FALSE},
173 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
174 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
175 {ID_RESPONDER, 0, 1, TRUE, FALSE},
176 #ifdef ME
177 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
178 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
179 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
180 #else
181 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
182 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
184 #endif /* ME */
185 {CONFIGURATION, 0, 1, TRUE, FALSE},
186 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
187 };
188
189 /**
190 * payload order for IKE_AUTH initiator
191 */
192 static payload_order_t ike_auth_i_order[] = {
193 /* payload type notify type */
194 {ID_INITIATOR, 0},
195 {CERTIFICATE, 0},
196 {NOTIFY, INITIAL_CONTACT},
197 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
198 {CERTIFICATE_REQUEST, 0},
199 {ID_RESPONDER, 0},
200 {AUTHENTICATION, 0},
201 {EXTENSIBLE_AUTHENTICATION, 0},
202 {CONFIGURATION, 0},
203 {NOTIFY, IPCOMP_SUPPORTED},
204 {NOTIFY, USE_TRANSPORT_MODE},
205 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
206 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
207 {SECURITY_ASSOCIATION, 0},
208 {TRAFFIC_SELECTOR_INITIATOR, 0},
209 {TRAFFIC_SELECTOR_RESPONDER, 0},
210 {NOTIFY, MOBIKE_SUPPORTED},
211 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
212 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
213 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
214 {NOTIFY, 0},
215 {VENDOR_ID, 0},
216 };
217
218 /**
219 * Message rule for IKE_AUTH from responder.
220 */
221 static payload_rule_t ike_auth_r_rules[] = {
222 /* payload type min max encr suff */
223 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
224 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
225 {AUTHENTICATION, 0, 1, TRUE, TRUE},
226 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
227 {ID_RESPONDER, 0, 1, TRUE, FALSE},
228 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
229 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
230 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
231 {CONFIGURATION, 0, 1, TRUE, FALSE},
232 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
233 };
234
235 /**
236 * payload order for IKE_AUTH responder
237 */
238 static payload_order_t ike_auth_r_order[] = {
239 /* payload type notify type */
240 {ID_RESPONDER, 0},
241 {CERTIFICATE, 0},
242 {AUTHENTICATION, 0},
243 {EXTENSIBLE_AUTHENTICATION, 0},
244 {CONFIGURATION, 0},
245 {NOTIFY, IPCOMP_SUPPORTED},
246 {NOTIFY, USE_TRANSPORT_MODE},
247 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
248 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
249 {SECURITY_ASSOCIATION, 0},
250 {TRAFFIC_SELECTOR_INITIATOR, 0},
251 {TRAFFIC_SELECTOR_RESPONDER, 0},
252 {NOTIFY, AUTH_LIFETIME},
253 {NOTIFY, MOBIKE_SUPPORTED},
254 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
255 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
256 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
257 {NOTIFY, 0},
258 {VENDOR_ID, 0},
259 };
260
261 /**
262 * Message rule for INFORMATIONAL from initiator.
263 */
264 static payload_rule_t informational_i_rules[] = {
265 /* payload type min max encr suff */
266 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
267 {CONFIGURATION, 0, 1, TRUE, FALSE},
268 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
269 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for INFORMATIONAL initiator
274 */
275 static payload_order_t informational_i_order[] = {
276 /* payload type notify type */
277 {NOTIFY, UPDATE_SA_ADDRESSES},
278 {NOTIFY, NAT_DETECTION_SOURCE_IP},
279 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
280 {NOTIFY, COOKIE2},
281 {NOTIFY, 0},
282 {DELETE, 0},
283 {CONFIGURATION, 0},
284 };
285
286 /**
287 * Message rule for INFORMATIONAL from responder.
288 */
289 static payload_rule_t informational_r_rules[] = {
290 /* payload type min max encr suff */
291 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
292 {CONFIGURATION, 0, 1, TRUE, FALSE},
293 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
294 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
295 };
296
297 /**
298 * payload order for INFORMATIONAL responder
299 */
300 static payload_order_t informational_r_order[] = {
301 /* payload type notify type */
302 {NOTIFY, UPDATE_SA_ADDRESSES},
303 {NOTIFY, NAT_DETECTION_SOURCE_IP},
304 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
305 {NOTIFY, COOKIE2},
306 {NOTIFY, 0},
307 {DELETE, 0},
308 {CONFIGURATION, 0},
309 };
310
311 /**
312 * Message rule for CREATE_CHILD_SA from initiator.
313 */
314 static payload_rule_t create_child_sa_i_rules[] = {
315 /* payload type min max encr suff */
316 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
317 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
318 {NONCE, 1, 1, TRUE, FALSE},
319 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
320 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
321 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
322 {CONFIGURATION, 0, 1, TRUE, FALSE},
323 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
324 };
325
326 /**
327 * payload order for CREATE_CHILD_SA from initiator.
328 */
329 static payload_order_t create_child_sa_i_order[] = {
330 /* payload type notify type */
331 {NOTIFY, REKEY_SA},
332 {NOTIFY, IPCOMP_SUPPORTED},
333 {NOTIFY, USE_TRANSPORT_MODE},
334 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
335 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
336 {SECURITY_ASSOCIATION, 0},
337 {NONCE, 0},
338 {KEY_EXCHANGE, 0},
339 {TRAFFIC_SELECTOR_INITIATOR, 0},
340 {TRAFFIC_SELECTOR_RESPONDER, 0},
341 {NOTIFY, 0},
342 };
343
344 /**
345 * Message rule for CREATE_CHILD_SA from responder.
346 */
347 static payload_rule_t create_child_sa_r_rules[] = {
348 /* payload type min max encr suff */
349 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
350 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
351 {NONCE, 1, 1, TRUE, FALSE},
352 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
353 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
354 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
355 {CONFIGURATION, 0, 1, TRUE, FALSE},
356 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
357 };
358
359 /**
360 * payload order for CREATE_CHILD_SA from responder.
361 */
362 static payload_order_t create_child_sa_r_order[] = {
363 /* payload type notify type */
364 {NOTIFY, IPCOMP_SUPPORTED},
365 {NOTIFY, USE_TRANSPORT_MODE},
366 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
367 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
368 {SECURITY_ASSOCIATION, 0},
369 {NONCE, 0},
370 {KEY_EXCHANGE, 0},
371 {TRAFFIC_SELECTOR_INITIATOR, 0},
372 {TRAFFIC_SELECTOR_RESPONDER, 0},
373 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
374 {NOTIFY, 0},
375 };
376
377 #ifdef ME
378 /**
379 * Message rule for ME_CONNECT from initiator.
380 */
381 static payload_rule_t me_connect_i_rules[] = {
382 /* payload type min max encr suff */
383 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
384 {ID_PEER, 1, 1, TRUE, FALSE},
385 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
386 };
387
388 /**
389 * payload order for ME_CONNECT from initiator.
390 */
391 static payload_order_t me_connect_i_order[] = {
392 /* payload type notify type */
393 {NOTIFY, 0},
394 {ID_PEER, 0},
395 {VENDOR_ID, 0},
396 };
397
398 /**
399 * Message rule for ME_CONNECT from responder.
400 */
401 static payload_rule_t me_connect_r_rules[] = {
402 /* payload type min max encr suff */
403 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
404 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
405 };
406
407 /**
408 * payload order for ME_CONNECT from responder.
409 */
410 static payload_order_t me_connect_r_order[] = {
411 /* payload type notify type */
412 {NOTIFY, 0},
413 {VENDOR_ID, 0},
414 };
415 #endif /* ME */
416
417 /**
418 * Message rules, defines allowed payloads.
419 */
420 static message_rule_t message_rules[] = {
421 {IKE_SA_INIT, TRUE, FALSE,
422 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
423 countof(ike_sa_init_i_order), ike_sa_init_i_order,
424 },
425 {IKE_SA_INIT, FALSE, FALSE,
426 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
427 countof(ike_sa_init_r_order), ike_sa_init_r_order,
428 },
429 {IKE_AUTH, TRUE, TRUE,
430 countof(ike_auth_i_rules), ike_auth_i_rules,
431 countof(ike_auth_i_order), ike_auth_i_order,
432 },
433 {IKE_AUTH, FALSE, TRUE,
434 countof(ike_auth_r_rules), ike_auth_r_rules,
435 countof(ike_auth_r_order), ike_auth_r_order,
436 },
437 {INFORMATIONAL, TRUE, TRUE,
438 countof(informational_i_rules), informational_i_rules,
439 countof(informational_i_order), informational_i_order,
440 },
441 {INFORMATIONAL, FALSE, TRUE,
442 countof(informational_r_rules), informational_r_rules,
443 countof(informational_r_order), informational_r_order,
444 },
445 {CREATE_CHILD_SA, TRUE, TRUE,
446 countof(create_child_sa_i_rules), create_child_sa_i_rules,
447 countof(create_child_sa_i_order), create_child_sa_i_order,
448 },
449 {CREATE_CHILD_SA, FALSE, TRUE,
450 countof(create_child_sa_r_rules), create_child_sa_r_rules,
451 countof(create_child_sa_r_order), create_child_sa_r_order,
452 },
453 #ifdef ME
454 {ME_CONNECT, TRUE, TRUE,
455 countof(me_connect_i_rules), me_connect_i_rules,
456 countof(me_connect_i_order), me_connect_i_order,
457 },
458 {ME_CONNECT, FALSE, TRUE,
459 countof(me_connect_r_rules), me_connect_r_rules,
460 countof(me_connect_r_order), me_connect_r_order,
461 },
462 #endif /* ME */
463 };
464
465
466 typedef struct private_message_t private_message_t;
467
468 /**
469 * Private data of an message_t object.
470 */
471 struct private_message_t {
472
473 /**
474 * Public part of a message_t object.
475 */
476 message_t public;
477
478 /**
479 * Minor version of message.
480 */
481 u_int8_t major_version;
482
483 /**
484 * Major version of message.
485 */
486 u_int8_t minor_version;
487
488 /**
489 * First Payload in message.
490 */
491 payload_type_t first_payload;
492
493 /**
494 * Assigned exchange type.
495 */
496 exchange_type_t exchange_type;
497
498 /**
499 * TRUE if message is a request, FALSE if a reply.
500 */
501 bool is_request;
502
503 /**
504 * Higher version supported?
505 */
506 bool version_flag;
507
508 /**
509 * Reserved bits in IKE header
510 */
511 bool reserved[5];
512
513 /**
514 * Sorting of message disabled?
515 */
516 bool sort_disabled;
517
518 /**
519 * Message ID of this message.
520 */
521 u_int32_t message_id;
522
523 /**
524 * ID of assigned IKE_SA.
525 */
526 ike_sa_id_t *ike_sa_id;
527
528 /**
529 * Assigned UDP packet, stores incoming packet or last generated one.
530 */
531 packet_t *packet;
532
533 /**
534 * Linked List where payload data are stored in.
535 */
536 linked_list_t *payloads;
537
538 /**
539 * Assigned parser to parse Header and Body of this message.
540 */
541 parser_t *parser;
542
543 /**
544 * The message rule for this message instance
545 */
546 message_rule_t *rule;
547 };
548
549 /**
550 * Get the message rule that applies to this message
551 */
552 static message_rule_t* get_message_rule(private_message_t *this)
553 {
554 int i;
555
556 for (i = 0; i < countof(message_rules); i++)
557 {
558 if ((this->exchange_type == message_rules[i].exchange_type) &&
559 (this->is_request == message_rules[i].is_request))
560 {
561 return &message_rules[i];
562 }
563 }
564 return NULL;
565 }
566
567 /**
568 * Look up a payload rule
569 */
570 static payload_rule_t* get_payload_rule(private_message_t *this,
571 payload_type_t type)
572 {
573 int i;
574
575 for (i = 0; i < this->rule->rule_count;i++)
576 {
577 if (this->rule->rules[i].type == type)
578 {
579 return &this->rule->rules[i];
580 }
581 }
582 return NULL;
583 }
584
585 METHOD(message_t, set_ike_sa_id, void,
586 private_message_t *this,ike_sa_id_t *ike_sa_id)
587 {
588 DESTROY_IF(this->ike_sa_id);
589 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
590 }
591
592 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
593 private_message_t *this)
594 {
595 return this->ike_sa_id;
596 }
597
598 METHOD(message_t, set_message_id, void,
599 private_message_t *this,u_int32_t message_id)
600 {
601 this->message_id = message_id;
602 }
603
604 METHOD(message_t, get_message_id, u_int32_t,
605 private_message_t *this)
606 {
607 return this->message_id;
608 }
609
610 METHOD(message_t, get_initiator_spi, u_int64_t,
611 private_message_t *this)
612 {
613 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
614 }
615
616 METHOD(message_t, get_responder_spi, u_int64_t,
617 private_message_t *this)
618 {
619 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
620 }
621
622 METHOD(message_t, set_major_version, void,
623 private_message_t *this, u_int8_t major_version)
624 {
625 this->major_version = major_version;
626 }
627
628 METHOD(message_t, get_major_version, u_int8_t,
629 private_message_t *this)
630 {
631 return this->major_version;
632 }
633
634 METHOD(message_t, set_minor_version, void,
635 private_message_t *this,u_int8_t minor_version)
636 {
637 this->minor_version = minor_version;
638 }
639
640 METHOD(message_t, get_minor_version, u_int8_t,
641 private_message_t *this)
642 {
643 return this->minor_version;
644 }
645
646 METHOD(message_t, set_exchange_type, void,
647 private_message_t *this, exchange_type_t exchange_type)
648 {
649 this->exchange_type = exchange_type;
650 }
651
652 METHOD(message_t, get_exchange_type, exchange_type_t,
653 private_message_t *this)
654 {
655 return this->exchange_type;
656 }
657
658 METHOD(message_t, get_first_payload_type, payload_type_t,
659 private_message_t *this)
660 {
661 return this->first_payload;
662 }
663
664 METHOD(message_t, set_request, void,
665 private_message_t *this, bool request)
666 {
667 this->is_request = request;
668 }
669
670 METHOD(message_t, get_request, bool,
671 private_message_t *this)
672 {
673 return this->is_request;
674 }
675
676 METHOD(message_t, set_version_flag, void,
677 private_message_t *this)
678 {
679 this->version_flag = TRUE;
680 }
681
682 METHOD(message_t, get_reserved_header_bit, bool,
683 private_message_t *this, u_int nr)
684 {
685 if (nr < countof(this->reserved))
686 {
687 return this->reserved[nr];
688 }
689 return FALSE;
690 }
691
692 METHOD(message_t, set_reserved_header_bit, void,
693 private_message_t *this, u_int nr)
694 {
695 if (nr < countof(this->reserved))
696 {
697 this->reserved[nr] = TRUE;
698 }
699 }
700
701 METHOD(message_t, is_encoded, bool,
702 private_message_t *this)
703 {
704 return this->packet->get_data(this->packet).ptr != NULL;
705 }
706
707 METHOD(message_t, add_payload, void,
708 private_message_t *this, payload_t *payload)
709 {
710 payload_t *last_payload;
711
712 if (this->payloads->get_count(this->payloads) > 0)
713 {
714 this->payloads->get_last(this->payloads, (void **)&last_payload);
715 last_payload->set_next_type(last_payload, payload->get_type(payload));
716 }
717 else
718 {
719 this->first_payload = payload->get_type(payload);
720 }
721 payload->set_next_type(payload, NO_PAYLOAD);
722 this->payloads->insert_last(this->payloads, payload);
723
724 DBG2(DBG_ENC ,"added payload of type %N to message",
725 payload_type_names, payload->get_type(payload));
726 }
727
728 METHOD(message_t, add_notify, void,
729 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
730 {
731 notify_payload_t *notify;
732 payload_t *payload;
733
734 if (flush)
735 {
736 while (this->payloads->remove_last(this->payloads,
737 (void**)&payload) == SUCCESS)
738 {
739 payload->destroy(payload);
740 }
741 }
742 notify = notify_payload_create();
743 notify->set_notify_type(notify, type);
744 notify->set_notification_data(notify, data);
745 add_payload(this, (payload_t*)notify);
746 }
747
748 METHOD(message_t, set_source, void,
749 private_message_t *this, host_t *host)
750 {
751 this->packet->set_source(this->packet, host);
752 }
753
754 METHOD(message_t, set_destination, void,
755 private_message_t *this, host_t *host)
756 {
757 this->packet->set_destination(this->packet, host);
758 }
759
760 METHOD(message_t, get_source, host_t*,
761 private_message_t *this)
762 {
763 return this->packet->get_source(this->packet);
764 }
765
766 METHOD(message_t, get_destination, host_t*,
767 private_message_t *this)
768 {
769 return this->packet->get_destination(this->packet);
770 }
771
772 METHOD(message_t, create_payload_enumerator, enumerator_t*,
773 private_message_t *this)
774 {
775 return this->payloads->create_enumerator(this->payloads);
776 }
777
778 METHOD(message_t, remove_payload_at, void,
779 private_message_t *this, enumerator_t *enumerator)
780 {
781 this->payloads->remove_at(this->payloads, enumerator);
782 }
783
784 METHOD(message_t, get_payload, payload_t*,
785 private_message_t *this, payload_type_t type)
786 {
787 payload_t *current, *found = NULL;
788 enumerator_t *enumerator;
789
790 enumerator = create_payload_enumerator(this);
791 while (enumerator->enumerate(enumerator, &current))
792 {
793 if (current->get_type(current) == type)
794 {
795 found = current;
796 break;
797 }
798 }
799 enumerator->destroy(enumerator);
800 return found;
801 }
802
803 METHOD(message_t, get_notify, notify_payload_t*,
804 private_message_t *this, notify_type_t type)
805 {
806 enumerator_t *enumerator;
807 notify_payload_t *notify = NULL;
808 payload_t *payload;
809
810 enumerator = create_payload_enumerator(this);
811 while (enumerator->enumerate(enumerator, &payload))
812 {
813 if (payload->get_type(payload) == NOTIFY)
814 {
815 notify = (notify_payload_t*)payload;
816 if (notify->get_notify_type(notify) == type)
817 {
818 break;
819 }
820 notify = NULL;
821 }
822 }
823 enumerator->destroy(enumerator);
824 return notify;
825 }
826
827 /**
828 * get a string representation of the message
829 */
830 static char* get_string(private_message_t *this, char *buf, int len)
831 {
832 enumerator_t *enumerator;
833 payload_t *payload;
834 int written;
835 char *pos = buf;
836
837 memset(buf, 0, len);
838 len--;
839
840 written = snprintf(pos, len, "%N %s %d [",
841 exchange_type_names, this->exchange_type,
842 this->is_request ? "request" : "response",
843 this->message_id);
844 if (written >= len || written < 0)
845 {
846 return "";
847 }
848 pos += written;
849 len -= written;
850
851 enumerator = create_payload_enumerator(this);
852 while (enumerator->enumerate(enumerator, &payload))
853 {
854 written = snprintf(pos, len, " %N", payload_type_short_names,
855 payload->get_type(payload));
856 if (written >= len || written < 0)
857 {
858 return buf;
859 }
860 pos += written;
861 len -= written;
862 if (payload->get_type(payload) == NOTIFY)
863 {
864 notify_payload_t *notify;
865 notify_type_t type;
866 chunk_t data;
867
868 notify = (notify_payload_t*)payload;
869 type = notify->get_notify_type(notify);
870 data = notify->get_notification_data(notify);
871 if (type == MS_NOTIFY_STATUS && data.len == 4)
872 {
873 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
874 type, untoh32(data.ptr));
875 }
876 else
877 {
878 written = snprintf(pos, len, "(%N)", notify_type_short_names,
879 type);
880 }
881 if (written >= len || written < 0)
882 {
883 return buf;
884 }
885 pos += written;
886 len -= written;
887 }
888 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
889 {
890 eap_payload_t *eap = (eap_payload_t*)payload;
891 u_int32_t vendor;
892 eap_type_t type;
893 char method[64] = "";
894
895 type = eap->get_type(eap, &vendor);
896 if (type)
897 {
898 if (vendor)
899 {
900 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
901 }
902 else
903 {
904 snprintf(method, sizeof(method), "/%N",
905 eap_type_short_names, type);
906 }
907 }
908 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
909 eap->get_code(eap), method);
910 if (written >= len || written < 0)
911 {
912 return buf;
913 }
914 pos += written;
915 len -= written;
916 }
917 if (payload->get_type(payload) == CONFIGURATION)
918 {
919 cp_payload_t *cp = (cp_payload_t*)payload;
920 enumerator_t *attributes;
921 configuration_attribute_t *attribute;
922 bool first = TRUE;
923
924 attributes = cp->create_attribute_enumerator(cp);
925 while (attributes->enumerate(attributes, &attribute))
926 {
927 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
928 configuration_attribute_type_short_names,
929 attribute->get_type(attribute));
930 if (written >= len || written < 0)
931 {
932 return buf;
933 }
934 pos += written;
935 len -= written;
936 first = FALSE;
937 }
938 attributes->destroy(attributes);
939 if (!first)
940 {
941 written = snprintf(pos, len, ")");
942 if (written >= len || written < 0)
943 {
944 return buf;
945 }
946 pos += written;
947 len -= written;
948 }
949 }
950 }
951 enumerator->destroy(enumerator);
952
953 /* remove last space */
954 snprintf(pos, len, " ]");
955 return buf;
956 }
957
958 /**
959 * reorder payloads depending on reordering rules
960 */
961 static void order_payloads(private_message_t *this)
962 {
963 linked_list_t *list;
964 payload_t *payload;
965 int i;
966
967 /* move to temp list */
968 list = linked_list_create();
969 while (this->payloads->remove_last(this->payloads,
970 (void**)&payload) == SUCCESS)
971 {
972 list->insert_first(list, payload);
973 }
974 /* for each rule, ... */
975 for (i = 0; i < this->rule->order_count; i++)
976 {
977 enumerator_t *enumerator;
978 notify_payload_t *notify;
979 payload_order_t order;
980
981 order = this->rule->order[i];
982
983 /* ... find all payload ... */
984 enumerator = list->create_enumerator(list);
985 while (enumerator->enumerate(enumerator, &payload))
986 {
987 /* ... with that type ... */
988 if (payload->get_type(payload) == order.type)
989 {
990 notify = (notify_payload_t*)payload;
991
992 /**... and check notify for type. */
993 if (order.type != NOTIFY || order.notify == 0 ||
994 order.notify == notify->get_notify_type(notify))
995 {
996 list->remove_at(list, enumerator);
997 add_payload(this, payload);
998 }
999 }
1000 }
1001 enumerator->destroy(enumerator);
1002 }
1003 /* append all payloads without a rule to the end */
1004 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1005 {
1006 /* do not complain about payloads in private use space */
1007 if (payload->get_type(payload) < 128)
1008 {
1009 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1010 payload_type_names, payload->get_type(payload),
1011 exchange_type_names, this->rule->exchange_type,
1012 this->rule->is_request ? "request" : "response");
1013 }
1014 add_payload(this, payload);
1015 }
1016 list->destroy(list);
1017 }
1018
1019 /**
1020 * Wrap payloads in a encryption payload
1021 */
1022 static encryption_payload_t* wrap_payloads(private_message_t *this)
1023 {
1024 encryption_payload_t *encryption;
1025 linked_list_t *payloads;
1026 payload_t *current;
1027
1028 /* copy all payloads in a temporary list */
1029 payloads = linked_list_create();
1030 while (this->payloads->remove_first(this->payloads,
1031 (void**)&current) == SUCCESS)
1032 {
1033 payloads->insert_last(payloads, current);
1034 }
1035
1036 encryption = encryption_payload_create();
1037 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1038 {
1039 payload_rule_t *rule;
1040 payload_type_t type;
1041 bool encrypt = TRUE;
1042
1043 type = current->get_type(current);
1044 rule = get_payload_rule(this, type);
1045 if (rule)
1046 {
1047 encrypt = rule->encrypted;
1048 }
1049 if (encrypt)
1050 {
1051 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1052 payload_type_names, type);
1053 encryption->add_payload(encryption, current);
1054 }
1055 else
1056 {
1057 DBG2(DBG_ENC, "insert payload %N unencrypted",
1058 payload_type_names, type);
1059 add_payload(this, current);
1060 }
1061 }
1062 payloads->destroy(payloads);
1063
1064 return encryption;
1065 }
1066
1067 METHOD(message_t, disable_sort, void,
1068 private_message_t *this)
1069 {
1070 this->sort_disabled = TRUE;
1071 }
1072
1073 METHOD(message_t, generate, status_t,
1074 private_message_t *this, aead_t *aead, packet_t **packet)
1075 {
1076 generator_t *generator;
1077 ike_header_t *ike_header;
1078 payload_t *payload, *next;
1079 encryption_payload_t *encryption = NULL;
1080 enumerator_t *enumerator;
1081 chunk_t chunk;
1082 char str[BUF_LEN];
1083 u_int32_t *lenpos;
1084 bool *reserved;
1085 int i;
1086
1087 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1088 {
1089 DBG1(DBG_ENC, "exchange type is not defined");
1090 return INVALID_STATE;
1091 }
1092
1093 if (this->packet->get_source(this->packet) == NULL ||
1094 this->packet->get_destination(this->packet) == NULL)
1095 {
1096 DBG1(DBG_ENC, "source/destination not defined");
1097 return INVALID_STATE;
1098 }
1099
1100 this->rule = get_message_rule(this);
1101 if (!this->rule)
1102 {
1103 DBG1(DBG_ENC, "no message rules specified for this message type");
1104 return NOT_SUPPORTED;
1105 }
1106
1107 if (!this->sort_disabled)
1108 {
1109 order_payloads(this);
1110 }
1111
1112 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1113
1114 if (aead && this->rule->encrypted)
1115 {
1116 encryption = wrap_payloads(this);
1117 }
1118 else
1119 {
1120 DBG2(DBG_ENC, "not encrypting payloads");
1121 }
1122
1123 ike_header = ike_header_create();
1124 ike_header->set_maj_version(ike_header, this->major_version);
1125 ike_header->set_min_version(ike_header, this->minor_version);
1126 ike_header->set_exchange_type(ike_header, this->exchange_type);
1127 ike_header->set_message_id(ike_header, this->message_id);
1128 ike_header->set_response_flag(ike_header, !this->is_request);
1129 ike_header->set_version_flag(ike_header, this->version_flag);
1130 ike_header->set_initiator_flag(ike_header,
1131 this->ike_sa_id->is_initiator(this->ike_sa_id));
1132 ike_header->set_initiator_spi(ike_header,
1133 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1134 ike_header->set_responder_spi(ike_header,
1135 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1136
1137 for (i = 0; i < countof(this->reserved); i++)
1138 {
1139 reserved = payload_get_field(&ike_header->payload_interface,
1140 RESERVED_BIT, i);
1141 if (reserved)
1142 {
1143 *reserved = this->reserved[i];
1144 }
1145 }
1146
1147 generator = generator_create();
1148
1149 /* generate all payloads with proper next type */
1150 payload = (payload_t*)ike_header;
1151 enumerator = create_payload_enumerator(this);
1152 while (enumerator->enumerate(enumerator, &next))
1153 {
1154 payload->set_next_type(payload, next->get_type(next));
1155 generator->generate_payload(generator, payload);
1156 payload = next;
1157 }
1158 enumerator->destroy(enumerator);
1159 payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
1160 generator->generate_payload(generator, payload);
1161 ike_header->destroy(ike_header);
1162
1163 if (encryption)
1164 {
1165 u_int32_t *lenpos;
1166
1167 /* build associated data (without header of encryption payload) */
1168 chunk = generator->get_chunk(generator, &lenpos);
1169 encryption->set_transform(encryption, aead);
1170 /* fill in length, including encryption payload */
1171 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1172
1173 this->payloads->insert_last(this->payloads, encryption);
1174 if (!encryption->encrypt(encryption, chunk))
1175 {
1176 generator->destroy(generator);
1177 return INVALID_STATE;
1178 }
1179 generator->generate_payload(generator, &encryption->payload_interface);
1180 }
1181 chunk = generator->get_chunk(generator, &lenpos);
1182 htoun32(lenpos, chunk.len);
1183 this->packet->set_data(this->packet, chunk_clone(chunk));
1184 generator->destroy(generator);
1185
1186 *packet = this->packet->clone(this->packet);
1187 return SUCCESS;
1188 }
1189
1190 METHOD(message_t, get_packet, packet_t*,
1191 private_message_t *this)
1192 {
1193 if (this->packet == NULL)
1194 {
1195 return NULL;
1196 }
1197 return this->packet->clone(this->packet);
1198 }
1199
1200 METHOD(message_t, get_packet_data, chunk_t,
1201 private_message_t *this)
1202 {
1203 if (this->packet == NULL)
1204 {
1205 return chunk_empty;
1206 }
1207 return chunk_clone(this->packet->get_data(this->packet));
1208 }
1209
1210 METHOD(message_t, parse_header, status_t,
1211 private_message_t *this)
1212 {
1213 ike_header_t *ike_header;
1214 status_t status;
1215 bool *reserved;
1216 int i;
1217
1218 DBG2(DBG_ENC, "parsing header of message");
1219
1220 this->parser->reset_context(this->parser);
1221 status = this->parser->parse_payload(this->parser, HEADER,
1222 (payload_t**)&ike_header);
1223 if (status != SUCCESS)
1224 {
1225 DBG1(DBG_ENC, "header could not be parsed");
1226 return status;
1227
1228 }
1229
1230 status = ike_header->payload_interface.verify(
1231 &ike_header->payload_interface);
1232 if (status != SUCCESS)
1233 {
1234 DBG1(DBG_ENC, "header verification failed");
1235 ike_header->destroy(ike_header);
1236 return status;
1237 }
1238
1239 DESTROY_IF(this->ike_sa_id);
1240 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1241 ike_header->get_responder_spi(ike_header),
1242 ike_header->get_initiator_flag(ike_header));
1243
1244 this->exchange_type = ike_header->get_exchange_type(ike_header);
1245 this->message_id = ike_header->get_message_id(ike_header);
1246 this->is_request = !ike_header->get_response_flag(ike_header);
1247 this->major_version = ike_header->get_maj_version(ike_header);
1248 this->minor_version = ike_header->get_min_version(ike_header);
1249 this->first_payload = ike_header->payload_interface.get_next_type(
1250 &ike_header->payload_interface);
1251 for (i = 0; i < countof(this->reserved); i++)
1252 {
1253 reserved = payload_get_field(&ike_header->payload_interface,
1254 RESERVED_BIT, i);
1255 if (reserved)
1256 {
1257 this->reserved[i] = *reserved;
1258 }
1259 }
1260 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1261 this->is_request ? "request" : "response");
1262
1263 ike_header->destroy(ike_header);
1264
1265 this->rule = get_message_rule(this);
1266 if (!this->rule)
1267 {
1268 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1269 exchange_type_names, this->exchange_type,
1270 this->is_request ? "request" : "response");
1271 }
1272 return status;
1273 }
1274
1275 /**
1276 * Check if a payload is for a mediation extension connectivity check
1277 */
1278 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1279 {
1280 #ifdef ME
1281 if (this->exchange_type == INFORMATIONAL &&
1282 payload->get_type(payload) == NOTIFY)
1283 {
1284 notify_payload_t *notify = (notify_payload_t*)payload;
1285
1286 switch (notify->get_notify_type(notify))
1287 {
1288 case ME_CONNECTID:
1289 case ME_ENDPOINT:
1290 case ME_CONNECTAUTH:
1291 return TRUE;
1292 default:
1293 break;
1294 }
1295 }
1296 #endif /* !ME */
1297 return FALSE;
1298 }
1299
1300 /**
1301 * Decrypt payload from the encryption payload
1302 */
1303 static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
1304 {
1305 bool was_encrypted = FALSE;
1306 payload_t *payload, *previous = NULL;
1307 enumerator_t *enumerator;
1308 payload_rule_t *rule;
1309 payload_type_t type;
1310 status_t status = SUCCESS;
1311
1312 enumerator = this->payloads->create_enumerator(this->payloads);
1313 while (enumerator->enumerate(enumerator, &payload))
1314 {
1315 type = payload->get_type(payload);
1316
1317 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1318
1319 if (type == ENCRYPTED)
1320 {
1321 encryption_payload_t *encryption;
1322 payload_t *encrypted;
1323 chunk_t chunk;
1324
1325 encryption = (encryption_payload_t*)payload;
1326
1327 DBG2(DBG_ENC, "found an encryption payload");
1328
1329 if (this->payloads->has_more(this->payloads, enumerator))
1330 {
1331 DBG1(DBG_ENC, "encrypted payload is not last payload");
1332 status = VERIFY_ERROR;
1333 break;
1334 }
1335 encryption->set_transform(encryption, aead);
1336 chunk = this->packet->get_data(this->packet);
1337 if (chunk.len < encryption->get_length(encryption))
1338 {
1339 DBG1(DBG_ENC, "invalid payload length");
1340 status = VERIFY_ERROR;
1341 break;
1342 }
1343 chunk.len -= encryption->get_length(encryption);
1344 status = encryption->decrypt(encryption, chunk);
1345 if (status != SUCCESS)
1346 {
1347 break;
1348 }
1349
1350 was_encrypted = TRUE;
1351 this->payloads->remove_at(this->payloads, enumerator);
1352
1353 while ((encrypted = encryption->remove_payload(encryption)))
1354 {
1355 type = encrypted->get_type(encrypted);
1356 if (previous)
1357 {
1358 previous->set_next_type(previous, type);
1359 }
1360 else
1361 {
1362 this->first_payload = type;
1363 }
1364 DBG2(DBG_ENC, "insert decrypted payload of type "
1365 "%N at end of list", payload_type_names, type);
1366 this->payloads->insert_last(this->payloads, encrypted);
1367 previous = encrypted;
1368 }
1369 encryption->destroy(encryption);
1370 }
1371 if (payload_is_known(type) && !was_encrypted &&
1372 !is_connectivity_check(this, payload))
1373 {
1374 rule = get_payload_rule(this, type);
1375 if (!rule || rule->encrypted)
1376 {
1377 DBG1(DBG_ENC, "payload type %N was not encrypted",
1378 payload_type_names, type);
1379 status = FAILED;
1380 break;
1381 }
1382 }
1383 previous = payload;
1384 }
1385 enumerator->destroy(enumerator);
1386 return status;
1387 }
1388
1389 /**
1390 * Verify a message and all payload according to message/payload rules
1391 */
1392 static status_t verify(private_message_t *this)
1393 {
1394 bool complete = FALSE;
1395 int i;
1396
1397 DBG2(DBG_ENC, "verifying message structure");
1398
1399 /* check for payloads with wrong count*/
1400 for (i = 0; i < this->rule->rule_count; i++)
1401 {
1402 enumerator_t *enumerator;
1403 payload_t *payload;
1404 payload_rule_t *rule;
1405 int found = 0;
1406
1407 rule = &this->rule->rules[i];
1408 enumerator = create_payload_enumerator(this);
1409 while (enumerator->enumerate(enumerator, &payload))
1410 {
1411 payload_type_t type;
1412
1413 type = payload->get_type(payload);
1414 if (type == rule->type)
1415 {
1416 found++;
1417 DBG2(DBG_ENC, "found payload of type %N",
1418 payload_type_names, type);
1419 if (found > rule->max_occurence)
1420 {
1421 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1422 "occurred in current message", payload_type_names,
1423 type, rule->max_occurence, found);
1424 enumerator->destroy(enumerator);
1425 return VERIFY_ERROR;
1426 }
1427 }
1428 }
1429 enumerator->destroy(enumerator);
1430
1431 if (!complete && found < rule->min_occurence)
1432 {
1433 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1434 payload_type_names, rule->type, rule->min_occurence, found);
1435 return VERIFY_ERROR;
1436 }
1437 if (found && rule->sufficient)
1438 {
1439 complete = TRUE;
1440 }
1441 }
1442 return SUCCESS;
1443 }
1444
1445 METHOD(message_t, parse_body, status_t,
1446 private_message_t *this, aead_t *aead)
1447 {
1448 status_t status = SUCCESS;
1449 payload_t *payload;
1450 payload_type_t type;
1451 char str[BUF_LEN];
1452
1453 type = this->first_payload;
1454
1455 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1456 payload_type_names, type);
1457
1458 while (type != NO_PAYLOAD)
1459 {
1460 DBG2(DBG_ENC, "starting parsing a %N payload",
1461 payload_type_names, type);
1462
1463 status = this->parser->parse_payload(this->parser, type, &payload);
1464 if (status != SUCCESS)
1465 {
1466 DBG1(DBG_ENC, "payload type %N could not be parsed",
1467 payload_type_names, type);
1468 return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;
1469 }
1470
1471 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1472 status = payload->verify(payload);
1473 if (status != SUCCESS)
1474 {
1475 DBG1(DBG_ENC, "%N payload verification failed",
1476 payload_type_names, type);
1477 payload->destroy(payload);
1478 return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED;
1479 }
1480
1481 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1482 payload_type_names, type);
1483 this->payloads->insert_last(this->payloads, payload);
1484
1485 /* an encryption payload is the last one, so STOP here. decryption is
1486 * done later */
1487 if (type == ENCRYPTED)
1488 {
1489 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1490 payload_type_names, type);
1491 break;
1492 }
1493 type = payload->get_next_type(payload);
1494 }
1495
1496 status = decrypt_payloads(this, aead);
1497 if (status != SUCCESS)
1498 {
1499 DBG1(DBG_ENC, "could not decrypt payloads");
1500 return status;
1501 }
1502
1503 status = verify(this);
1504 if (status != SUCCESS)
1505 {
1506 return status;
1507 }
1508
1509 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1510
1511 return SUCCESS;
1512 }
1513
1514 METHOD(message_t, destroy, void,
1515 private_message_t *this)
1516 {
1517 DESTROY_IF(this->ike_sa_id);
1518 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1519 this->packet->destroy(this->packet);
1520 this->parser->destroy(this->parser);
1521 free(this);
1522 }
1523
1524 /*
1525 * Described in Header-File
1526 */
1527 message_t *message_create_from_packet(packet_t *packet)
1528 {
1529 private_message_t *this;
1530
1531 INIT(this,
1532 .public = {
1533 .set_major_version = _set_major_version,
1534 .get_major_version = _get_major_version,
1535 .set_minor_version = _set_minor_version,
1536 .get_minor_version = _get_minor_version,
1537 .set_message_id = _set_message_id,
1538 .get_message_id = _get_message_id,
1539 .get_initiator_spi = _get_initiator_spi,
1540 .get_responder_spi = _get_responder_spi,
1541 .set_ike_sa_id = _set_ike_sa_id,
1542 .get_ike_sa_id = _get_ike_sa_id,
1543 .set_exchange_type = _set_exchange_type,
1544 .get_exchange_type = _get_exchange_type,
1545 .get_first_payload_type = _get_first_payload_type,
1546 .set_request = _set_request,
1547 .get_request = _get_request,
1548 .set_version_flag = _set_version_flag,
1549 .get_reserved_header_bit = _get_reserved_header_bit,
1550 .set_reserved_header_bit = _set_reserved_header_bit,
1551 .add_payload = _add_payload,
1552 .add_notify = _add_notify,
1553 .disable_sort = _disable_sort,
1554 .generate = _generate,
1555 .is_encoded = _is_encoded,
1556 .set_source = _set_source,
1557 .get_source = _get_source,
1558 .set_destination = _set_destination,
1559 .get_destination = _get_destination,
1560 .create_payload_enumerator = _create_payload_enumerator,
1561 .remove_payload_at = _remove_payload_at,
1562 .get_payload = _get_payload,
1563 .get_notify = _get_notify,
1564 .parse_header = _parse_header,
1565 .parse_body = _parse_body,
1566 .get_packet = _get_packet,
1567 .get_packet_data = _get_packet_data,
1568 .destroy = _destroy,
1569 },
1570 .major_version = IKE_MAJOR_VERSION,
1571 .minor_version = IKE_MINOR_VERSION,
1572 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
1573 .is_request = TRUE,
1574 .first_payload = NO_PAYLOAD,
1575 .packet = packet,
1576 .payloads = linked_list_create(),
1577 .parser = parser_create(packet->get_data(packet)),
1578 );
1579
1580 return (&this->public);
1581 }
1582
1583 /*
1584 * Described in Header.
1585 */
1586 message_t *message_create()
1587 {
1588 return message_create_from_packet(packet_create());
1589 }
1590