Print message ID as unsigned integer
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ike_sa_id.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <utils/linked_list.h>
31 #include <encoding/payloads/encodings.h>
32 #include <encoding/payloads/payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of vendor ID payloads per IKEv2 message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * Max number of certificate request payloads per IKEv1 message
59 */
60 #define MAX_CERTREQ_PAYLOADS 5
61
62 /**
63 * A payload rule defines the rules for a payload
64 * in a specific message rule. It defines if and how
65 * many times a payload must/can occur in a message
66 * and if it must be encrypted.
67 */
68 typedef struct {
69 /* Payload type */
70 payload_type_t type;
71 /* Minimal occurrence of this payload. */
72 size_t min_occurence;
73 /* Max occurrence of this payload. */
74 size_t max_occurence;
75 /* TRUE if payload must be encrypted */
76 bool encrypted;
77 /* If payload occurs, the message rule is fulfilled */
78 bool sufficient;
79 } payload_rule_t;
80
81 /**
82 * payload ordering structure allows us to reorder payloads according to RFC.
83 */
84 typedef struct {
85 /** payload type */
86 payload_type_t type;
87 /** notify type, if payload == NOTIFY */
88 notify_type_t notify;
89 } payload_order_t;
90
91 /**
92 * A message rule defines the kind of a message,
93 * if it has encrypted contents and a list
94 * of payload ordering rules and payload parsing rules.
95 */
96 typedef struct {
97 /** Type of message. */
98 exchange_type_t exchange_type;
99 /** Is message a request or response. */
100 bool is_request;
101 /** Message contains encrypted payloads. */
102 bool encrypted;
103 /** Number of payload rules which will follow */
104 int rule_count;
105 /** Pointer to first payload rule */
106 payload_rule_t *rules;
107 /** Number of payload order rules */
108 int order_count;
109 /** payload ordering rules */
110 payload_order_t *order;
111 } message_rule_t;
112
113 /**
114 * Message rule for IKE_SA_INIT from initiator.
115 */
116 static payload_rule_t ike_sa_init_i_rules[] = {
117 /* payload type min max encr suff */
118 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
119 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
120 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
121 {NONCE, 1, 1, FALSE, FALSE},
122 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
123 };
124
125 /**
126 * payload order for IKE_SA_INIT initiator
127 */
128 static payload_order_t ike_sa_init_i_order[] = {
129 /* payload type notify type */
130 {NOTIFY, COOKIE},
131 {SECURITY_ASSOCIATION, 0},
132 {KEY_EXCHANGE, 0},
133 {NONCE, 0},
134 {NOTIFY, NAT_DETECTION_SOURCE_IP},
135 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
136 {NOTIFY, 0},
137 {VENDOR_ID, 0},
138 };
139
140 /**
141 * Message rule for IKE_SA_INIT from responder.
142 */
143 static payload_rule_t ike_sa_init_r_rules[] = {
144 /* payload type min max encr suff */
145 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
146 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
147 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
148 {NONCE, 1, 1, FALSE, FALSE},
149 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
150 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
151 };
152
153 /**
154 * payload order for IKE_SA_INIT responder
155 */
156 static payload_order_t ike_sa_init_r_order[] = {
157 /* payload type notify type */
158 {SECURITY_ASSOCIATION, 0},
159 {KEY_EXCHANGE, 0},
160 {NONCE, 0},
161 {NOTIFY, NAT_DETECTION_SOURCE_IP},
162 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
163 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
164 {CERTIFICATE_REQUEST, 0},
165 {NOTIFY, 0},
166 {VENDOR_ID, 0},
167 };
168
169 /**
170 * Message rule for IKE_AUTH from initiator.
171 */
172 static payload_rule_t ike_auth_i_rules[] = {
173 /* payload type min max encr suff */
174 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
175 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
176 {AUTHENTICATION, 0, 1, TRUE, TRUE},
177 {ID_INITIATOR, 0, 1, TRUE, FALSE},
178 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
179 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
180 {ID_RESPONDER, 0, 1, TRUE, FALSE},
181 #ifdef ME
182 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
184 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
185 #else
186 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
187 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
188 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
189 #endif /* ME */
190 {CONFIGURATION, 0, 1, TRUE, FALSE},
191 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
192 };
193
194 /**
195 * payload order for IKE_AUTH initiator
196 */
197 static payload_order_t ike_auth_i_order[] = {
198 /* payload type notify type */
199 {ID_INITIATOR, 0},
200 {CERTIFICATE, 0},
201 {NOTIFY, INITIAL_CONTACT},
202 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
203 {CERTIFICATE_REQUEST, 0},
204 {ID_RESPONDER, 0},
205 {AUTHENTICATION, 0},
206 {EXTENSIBLE_AUTHENTICATION, 0},
207 {CONFIGURATION, 0},
208 {NOTIFY, IPCOMP_SUPPORTED},
209 {NOTIFY, USE_TRANSPORT_MODE},
210 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
211 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
212 {SECURITY_ASSOCIATION, 0},
213 {TRAFFIC_SELECTOR_INITIATOR, 0},
214 {TRAFFIC_SELECTOR_RESPONDER, 0},
215 {NOTIFY, MOBIKE_SUPPORTED},
216 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
217 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
218 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
219 {NOTIFY, 0},
220 {VENDOR_ID, 0},
221 };
222
223 /**
224 * Message rule for IKE_AUTH from responder.
225 */
226 static payload_rule_t ike_auth_r_rules[] = {
227 /* payload type min max encr suff */
228 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
229 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
230 {AUTHENTICATION, 0, 1, TRUE, TRUE},
231 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
232 {ID_RESPONDER, 0, 1, TRUE, FALSE},
233 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
234 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
235 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
236 {CONFIGURATION, 0, 1, TRUE, FALSE},
237 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
238 };
239
240 /**
241 * payload order for IKE_AUTH responder
242 */
243 static payload_order_t ike_auth_r_order[] = {
244 /* payload type notify type */
245 {ID_RESPONDER, 0},
246 {CERTIFICATE, 0},
247 {AUTHENTICATION, 0},
248 {EXTENSIBLE_AUTHENTICATION, 0},
249 {CONFIGURATION, 0},
250 {NOTIFY, IPCOMP_SUPPORTED},
251 {NOTIFY, USE_TRANSPORT_MODE},
252 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
253 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
254 {SECURITY_ASSOCIATION, 0},
255 {TRAFFIC_SELECTOR_INITIATOR, 0},
256 {TRAFFIC_SELECTOR_RESPONDER, 0},
257 {NOTIFY, AUTH_LIFETIME},
258 {NOTIFY, MOBIKE_SUPPORTED},
259 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
260 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
261 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
262 {NOTIFY, 0},
263 {VENDOR_ID, 0},
264 };
265
266 /**
267 * Message rule for INFORMATIONAL from initiator.
268 */
269 static payload_rule_t informational_i_rules[] = {
270 /* payload type min max encr suff */
271 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
272 {CONFIGURATION, 0, 1, TRUE, FALSE},
273 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
274 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
275 };
276
277 /**
278 * payload order for INFORMATIONAL initiator
279 */
280 static payload_order_t informational_i_order[] = {
281 /* payload type notify type */
282 {NOTIFY, UPDATE_SA_ADDRESSES},
283 {NOTIFY, NAT_DETECTION_SOURCE_IP},
284 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
285 {NOTIFY, COOKIE2},
286 {NOTIFY, 0},
287 {DELETE, 0},
288 {CONFIGURATION, 0},
289 };
290
291 /**
292 * Message rule for INFORMATIONAL from responder.
293 */
294 static payload_rule_t informational_r_rules[] = {
295 /* payload type min max encr suff */
296 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
297 {CONFIGURATION, 0, 1, TRUE, FALSE},
298 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
299 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
300 };
301
302 /**
303 * payload order for INFORMATIONAL responder
304 */
305 static payload_order_t informational_r_order[] = {
306 /* payload type notify type */
307 {NOTIFY, UPDATE_SA_ADDRESSES},
308 {NOTIFY, NAT_DETECTION_SOURCE_IP},
309 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
310 {NOTIFY, COOKIE2},
311 {NOTIFY, 0},
312 {DELETE, 0},
313 {CONFIGURATION, 0},
314 };
315
316 /**
317 * Message rule for CREATE_CHILD_SA from initiator.
318 */
319 static payload_rule_t create_child_sa_i_rules[] = {
320 /* payload type min max encr suff */
321 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
322 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
323 {NONCE, 1, 1, TRUE, FALSE},
324 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
325 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
326 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
327 {CONFIGURATION, 0, 1, TRUE, FALSE},
328 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
329 };
330
331 /**
332 * payload order for CREATE_CHILD_SA from initiator.
333 */
334 static payload_order_t create_child_sa_i_order[] = {
335 /* payload type notify type */
336 {NOTIFY, REKEY_SA},
337 {NOTIFY, IPCOMP_SUPPORTED},
338 {NOTIFY, USE_TRANSPORT_MODE},
339 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
340 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
341 {SECURITY_ASSOCIATION, 0},
342 {NONCE, 0},
343 {KEY_EXCHANGE, 0},
344 {TRAFFIC_SELECTOR_INITIATOR, 0},
345 {TRAFFIC_SELECTOR_RESPONDER, 0},
346 {NOTIFY, 0},
347 };
348
349 /**
350 * Message rule for CREATE_CHILD_SA from responder.
351 */
352 static payload_rule_t create_child_sa_r_rules[] = {
353 /* payload type min max encr suff */
354 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
355 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
356 {NONCE, 1, 1, TRUE, FALSE},
357 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
359 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
360 {CONFIGURATION, 0, 1, TRUE, FALSE},
361 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
362 };
363
364 /**
365 * payload order for CREATE_CHILD_SA from responder.
366 */
367 static payload_order_t create_child_sa_r_order[] = {
368 /* payload type notify type */
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
379 {NOTIFY, 0},
380 };
381
382 #ifdef ME
383 /**
384 * Message rule for ME_CONNECT from initiator.
385 */
386 static payload_rule_t me_connect_i_rules[] = {
387 /* payload type min max encr suff */
388 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
389 {ID_PEER, 1, 1, TRUE, FALSE},
390 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
391 };
392
393 /**
394 * payload order for ME_CONNECT from initiator.
395 */
396 static payload_order_t me_connect_i_order[] = {
397 /* payload type notify type */
398 {NOTIFY, 0},
399 {ID_PEER, 0},
400 {VENDOR_ID, 0},
401 };
402
403 /**
404 * Message rule for ME_CONNECT from responder.
405 */
406 static payload_rule_t me_connect_r_rules[] = {
407 /* payload type min max encr suff */
408 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
409 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
410 };
411
412 /**
413 * payload order for ME_CONNECT from responder.
414 */
415 static payload_order_t me_connect_r_order[] = {
416 /* payload type notify type */
417 {NOTIFY, 0},
418 {VENDOR_ID, 0},
419 };
420 #endif /* ME */
421
422 #ifdef USE_IKEV1
423 /**
424 * Message rule for ID_PROT from initiator.
425 */
426 static payload_rule_t id_prot_i_rules[] = {
427 /* payload type min max encr suff */
428 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
429 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
430 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
431 {NONCE_V1, 0, 1, FALSE, FALSE},
432 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
433 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
434 {ID_V1, 0, 1, TRUE, FALSE},
435 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
436 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
437 {HASH_V1, 0, 1, TRUE, FALSE},
438 };
439
440 /**
441 * payload order for ID_PROT from initiator.
442 */
443 static payload_order_t id_prot_i_order[] = {
444 /* payload type notify type */
445 {SECURITY_ASSOCIATION_V1, 0},
446 {KEY_EXCHANGE_V1, 0},
447 {NONCE_V1, 0},
448 {ID_V1, 0},
449 {CERTIFICATE_V1, 0},
450 {SIGNATURE_V1, 0},
451 {HASH_V1, 0},
452 {CERTIFICATE_REQUEST_V1, 0},
453 {NOTIFY_V1, 0},
454 {VENDOR_ID_V1, 0},
455 };
456
457 /**
458 * Message rule for ID_PROT from responder.
459 */
460 static payload_rule_t id_prot_r_rules[] = {
461 /* payload type min max encr suff */
462 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
463 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
464 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
465 {NONCE_V1, 0, 1, FALSE, FALSE},
466 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
467 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
468 {ID_V1, 0, 1, TRUE, FALSE},
469 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
470 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
471 {HASH_V1, 0, 1, TRUE, FALSE},
472 };
473
474 /**
475 * payload order for ID_PROT from responder.
476 */
477 static payload_order_t id_prot_r_order[] = {
478 /* payload type notify type */
479 {SECURITY_ASSOCIATION_V1, 0},
480 {KEY_EXCHANGE_V1, 0},
481 {NONCE_V1, 0},
482 {ID_V1, 0},
483 {CERTIFICATE_V1, 0},
484 {SIGNATURE_V1, 0},
485 {HASH_V1, 0},
486 {CERTIFICATE_REQUEST_V1, 0},
487 {NOTIFY_V1, 0},
488 {VENDOR_ID_V1, 0},
489 };
490
491 /**
492 * Message rule for AGGRESSIVE from initiator.
493 */
494 static payload_rule_t aggressive_i_rules[] = {
495 /* payload type min max encr suff */
496 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
497 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
498 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
499 {NONCE_V1, 0, 1, FALSE, FALSE},
500 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
501 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
502 {ID_V1, 0, 1, FALSE, FALSE},
503 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
504 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
505 {HASH_V1, 0, 1, FALSE, FALSE},
506 };
507
508 /**
509 * payload order for AGGRESSIVE from initiator.
510 */
511 static payload_order_t aggressive_i_order[] = {
512 /* payload type notify type */
513 {SECURITY_ASSOCIATION_V1, 0},
514 {KEY_EXCHANGE_V1, 0},
515 {NONCE_V1, 0},
516 {ID_V1, 0},
517 {CERTIFICATE_V1, 0},
518 {SIGNATURE_V1, 0},
519 {HASH_V1, 0},
520 {CERTIFICATE_REQUEST_V1, 0},
521 {NOTIFY_V1, 0},
522 {VENDOR_ID_V1, 0},
523 };
524
525 /**
526 * Message rule for AGGRESSIVE from responder.
527 */
528 static payload_rule_t aggressive_r_rules[] = {
529 /* payload type min max encr suff */
530 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
531 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
532 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
533 {NONCE_V1, 0, 1, FALSE, FALSE},
534 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
535 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
536 {ID_V1, 0, 1, FALSE, FALSE},
537 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
538 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
539 {HASH_V1, 0, 1, FALSE, FALSE},
540 };
541
542 /**
543 * payload order for AGGRESSIVE from responder.
544 */
545 static payload_order_t aggressive_r_order[] = {
546 /* payload type notify type */
547 {SECURITY_ASSOCIATION_V1, 0},
548 {KEY_EXCHANGE_V1, 0},
549 {NONCE_V1, 0},
550 {ID_V1, 0},
551 {CERTIFICATE_V1, 0},
552 {SIGNATURE_V1, 0},
553 {HASH_V1, 0},
554 {CERTIFICATE_REQUEST_V1, 0},
555 {NOTIFY_V1, 0},
556 {VENDOR_ID_V1, 0},
557 };
558
559 /**
560 * Message rule for INFORMATIONAL_V1 from initiator.
561 */
562 static payload_rule_t informational_i_rules_v1[] = {
563 /* payload type min max encr suff */
564 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
565 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
566 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
567 };
568
569 /**
570 * payload order for INFORMATIONAL_V1 from initiator.
571 */
572 static payload_order_t informational_i_order_v1[] = {
573 /* payload type notify type */
574 {NOTIFY_V1, 0},
575 {DELETE_V1, 0},
576 {VENDOR_ID_V1, 0},
577 };
578
579 /**
580 * Message rule for QUICK_MODE from initiator.
581 */
582 static payload_rule_t quick_mode_i_rules[] = {
583 /* payload type min max encr suff */
584 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
585 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
586 {HASH_V1, 0, 1, TRUE, FALSE},
587 {SECURITY_ASSOCIATION_V1, 0, 2, TRUE, FALSE},
588 {NONCE_V1, 0, 1, TRUE, FALSE},
589 {KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
590 {ID_V1, 0, 2, TRUE, FALSE},
591 };
592
593 /**
594 * payload order for QUICK_MODE from initiator.
595 */
596 static payload_order_t quick_mode_i_order[] = {
597 /* payload type notify type */
598 {NOTIFY_V1, 0},
599 {VENDOR_ID_V1, 0},
600 {HASH_V1, 0},
601 {SECURITY_ASSOCIATION_V1, 0},
602 {NONCE_V1, 0},
603 {KEY_EXCHANGE_V1, 0},
604 {ID_V1, 0},
605 };
606
607 /**
608 * Message rule for QUICK_MODE from responder.
609 */
610 static payload_rule_t quick_mode_r_rules[] = {
611 /* payload type min max encr suff */
612 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
613 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
614 {HASH_V1, 0, 1, TRUE, FALSE},
615 {SECURITY_ASSOCIATION_V1, 0, 2, TRUE, FALSE},
616 {NONCE_V1, 0, 1, TRUE, FALSE},
617 {KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
618 {ID_V1, 0, 2, TRUE, FALSE},
619 };
620
621 /**
622 * payload order for QUICK_MODE from responder.
623 */
624 static payload_order_t quick_mode_r_order[] = {
625 /* payload type notify type */
626 {NOTIFY_V1, 0},
627 {VENDOR_ID_V1, 0},
628 {HASH_V1, 0},
629 {SECURITY_ASSOCIATION_V1, 0},
630 {NONCE_V1, 0},
631 {KEY_EXCHANGE_V1, 0},
632 {ID_V1, 0},
633 };
634
635 #endif /* USE_IKEV1 */
636
637 /**
638 * Message rules, defines allowed payloads.
639 */
640 static message_rule_t message_rules[] = {
641 {IKE_SA_INIT, TRUE, FALSE,
642 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
643 countof(ike_sa_init_i_order), ike_sa_init_i_order,
644 },
645 {IKE_SA_INIT, FALSE, FALSE,
646 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
647 countof(ike_sa_init_r_order), ike_sa_init_r_order,
648 },
649 {IKE_AUTH, TRUE, TRUE,
650 countof(ike_auth_i_rules), ike_auth_i_rules,
651 countof(ike_auth_i_order), ike_auth_i_order,
652 },
653 {IKE_AUTH, FALSE, TRUE,
654 countof(ike_auth_r_rules), ike_auth_r_rules,
655 countof(ike_auth_r_order), ike_auth_r_order,
656 },
657 {INFORMATIONAL, TRUE, TRUE,
658 countof(informational_i_rules), informational_i_rules,
659 countof(informational_i_order), informational_i_order,
660 },
661 {INFORMATIONAL, FALSE, TRUE,
662 countof(informational_r_rules), informational_r_rules,
663 countof(informational_r_order), informational_r_order,
664 },
665 {CREATE_CHILD_SA, TRUE, TRUE,
666 countof(create_child_sa_i_rules), create_child_sa_i_rules,
667 countof(create_child_sa_i_order), create_child_sa_i_order,
668 },
669 {CREATE_CHILD_SA, FALSE, TRUE,
670 countof(create_child_sa_r_rules), create_child_sa_r_rules,
671 countof(create_child_sa_r_order), create_child_sa_r_order,
672 },
673 #ifdef ME
674 {ME_CONNECT, TRUE, TRUE,
675 countof(me_connect_i_rules), me_connect_i_rules,
676 countof(me_connect_i_order), me_connect_i_order,
677 },
678 {ME_CONNECT, FALSE, TRUE,
679 countof(me_connect_r_rules), me_connect_r_rules,
680 countof(me_connect_r_order), me_connect_r_order,
681 },
682 #endif /* ME */
683 #ifdef USE_IKEV1
684 {ID_PROT, TRUE, FALSE,
685 countof(id_prot_i_rules), id_prot_i_rules,
686 countof(id_prot_i_order), id_prot_i_order,
687 },
688 {ID_PROT, FALSE, FALSE,
689 countof(id_prot_r_rules), id_prot_r_rules,
690 countof(id_prot_r_order), id_prot_r_order,
691 },
692 {AGGRESSIVE, TRUE, FALSE,
693 countof(aggressive_i_rules), aggressive_i_rules,
694 countof(aggressive_i_order), aggressive_i_order,
695 },
696 {AGGRESSIVE, FALSE, FALSE,
697 countof(aggressive_r_rules), aggressive_r_rules,
698 countof(aggressive_r_order), aggressive_r_order,
699 },
700 {INFORMATIONAL_V1, TRUE, TRUE,
701 countof(informational_i_rules_v1), informational_i_rules_v1,
702 countof(informational_i_order_v1), informational_i_order_v1,
703 },
704 {QUICK_MODE, TRUE, TRUE,
705 countof(quick_mode_i_rules), quick_mode_i_rules,
706 countof(quick_mode_i_order), quick_mode_i_order,
707 },
708 {QUICK_MODE, FALSE, TRUE,
709 countof(quick_mode_r_rules), quick_mode_r_rules,
710 countof(quick_mode_r_order), quick_mode_r_order,
711 },
712 /* TODO-IKEv1: define rules for other exchanges */
713 #endif /* USE_IKEV1 */
714 };
715
716
717 typedef struct private_message_t private_message_t;
718
719 /**
720 * Private data of an message_t object.
721 */
722 struct private_message_t {
723
724 /**
725 * Public part of a message_t object.
726 */
727 message_t public;
728
729 /**
730 * Minor version of message.
731 */
732 u_int8_t major_version;
733
734 /**
735 * Major version of message.
736 */
737 u_int8_t minor_version;
738
739 /**
740 * First Payload in message.
741 */
742 payload_type_t first_payload;
743
744 /**
745 * Assigned exchange type.
746 */
747 exchange_type_t exchange_type;
748
749 /**
750 * TRUE if message is a request, FALSE if a reply.
751 */
752 bool is_request;
753
754 /**
755 * The message is encrypted (IKEv1)
756 */
757 bool is_encrypted;
758
759 /**
760 * Higher version supported?
761 */
762 bool version_flag;
763
764 /**
765 * Reserved bits in IKE header
766 */
767 bool reserved[2];
768
769 /**
770 * Sorting of message disabled?
771 */
772 bool sort_disabled;
773
774 /**
775 * Message ID of this message.
776 */
777 u_int32_t message_id;
778
779 /**
780 * ID of assigned IKE_SA.
781 */
782 ike_sa_id_t *ike_sa_id;
783
784 /**
785 * Assigned UDP packet, stores incoming packet or last generated one.
786 */
787 packet_t *packet;
788
789 /**
790 * Linked List where payload data are stored in.
791 */
792 linked_list_t *payloads;
793
794 /**
795 * Assigned parser to parse Header and Body of this message.
796 */
797 parser_t *parser;
798
799 /**
800 * The message rule for this message instance
801 */
802 message_rule_t *rule;
803 };
804
805 /**
806 * Get the message rule that applies to this message
807 */
808 static message_rule_t* get_message_rule(private_message_t *this)
809 {
810 int i;
811
812 for (i = 0; i < countof(message_rules); i++)
813 {
814 if ((this->exchange_type == message_rules[i].exchange_type) &&
815 (this->is_request == message_rules[i].is_request))
816 {
817 return &message_rules[i];
818 }
819 }
820 return NULL;
821 }
822
823 /**
824 * Look up a payload rule
825 */
826 static payload_rule_t* get_payload_rule(private_message_t *this,
827 payload_type_t type)
828 {
829 int i;
830
831 for (i = 0; i < this->rule->rule_count;i++)
832 {
833 if (this->rule->rules[i].type == type)
834 {
835 return &this->rule->rules[i];
836 }
837 }
838 return NULL;
839 }
840
841 METHOD(message_t, set_ike_sa_id, void,
842 private_message_t *this,ike_sa_id_t *ike_sa_id)
843 {
844 DESTROY_IF(this->ike_sa_id);
845 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
846 }
847
848 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
849 private_message_t *this)
850 {
851 return this->ike_sa_id;
852 }
853
854 METHOD(message_t, set_message_id, void,
855 private_message_t *this,u_int32_t message_id)
856 {
857 this->message_id = message_id;
858 }
859
860 METHOD(message_t, get_message_id, u_int32_t,
861 private_message_t *this)
862 {
863 return this->message_id;
864 }
865
866 METHOD(message_t, get_initiator_spi, u_int64_t,
867 private_message_t *this)
868 {
869 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
870 }
871
872 METHOD(message_t, get_responder_spi, u_int64_t,
873 private_message_t *this)
874 {
875 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
876 }
877
878 METHOD(message_t, set_major_version, void,
879 private_message_t *this, u_int8_t major_version)
880 {
881 this->major_version = major_version;
882 }
883
884 METHOD(message_t, get_major_version, u_int8_t,
885 private_message_t *this)
886 {
887 return this->major_version;
888 }
889
890 METHOD(message_t, set_minor_version, void,
891 private_message_t *this,u_int8_t minor_version)
892 {
893 this->minor_version = minor_version;
894 }
895
896 METHOD(message_t, get_minor_version, u_int8_t,
897 private_message_t *this)
898 {
899 return this->minor_version;
900 }
901
902 METHOD(message_t, set_exchange_type, void,
903 private_message_t *this, exchange_type_t exchange_type)
904 {
905 this->exchange_type = exchange_type;
906 }
907
908 METHOD(message_t, get_exchange_type, exchange_type_t,
909 private_message_t *this)
910 {
911 return this->exchange_type;
912 }
913
914 METHOD(message_t, get_first_payload_type, payload_type_t,
915 private_message_t *this)
916 {
917 return this->first_payload;
918 }
919
920 METHOD(message_t, set_request, void,
921 private_message_t *this, bool request)
922 {
923 this->is_request = request;
924 }
925
926 METHOD(message_t, get_request, bool,
927 private_message_t *this)
928 {
929 return this->is_request;
930 }
931
932 METHOD(message_t, set_version_flag, void,
933 private_message_t *this)
934 {
935 this->version_flag = TRUE;
936 }
937
938 METHOD(message_t, get_reserved_header_bit, bool,
939 private_message_t *this, u_int nr)
940 {
941 if (nr < countof(this->reserved))
942 {
943 return this->reserved[nr];
944 }
945 return FALSE;
946 }
947
948 METHOD(message_t, set_reserved_header_bit, void,
949 private_message_t *this, u_int nr)
950 {
951 if (nr < countof(this->reserved))
952 {
953 this->reserved[nr] = TRUE;
954 }
955 }
956
957 METHOD(message_t, is_encoded, bool,
958 private_message_t *this)
959 {
960 return this->packet->get_data(this->packet).ptr != NULL;
961 }
962
963 METHOD(message_t, add_payload, void,
964 private_message_t *this, payload_t *payload)
965 {
966 payload_t *last_payload;
967
968 if (this->payloads->get_count(this->payloads) > 0)
969 {
970 this->payloads->get_last(this->payloads, (void **)&last_payload);
971 last_payload->set_next_type(last_payload, payload->get_type(payload));
972 }
973 else
974 {
975 this->first_payload = payload->get_type(payload);
976 }
977 payload->set_next_type(payload, NO_PAYLOAD);
978 this->payloads->insert_last(this->payloads, payload);
979
980 DBG2(DBG_ENC ,"added payload of type %N to message",
981 payload_type_names, payload->get_type(payload));
982 }
983
984 METHOD(message_t, add_notify, void,
985 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
986 {
987 notify_payload_t *notify;
988 payload_t *payload;
989
990 if (flush)
991 {
992 while (this->payloads->remove_last(this->payloads,
993 (void**)&payload) == SUCCESS)
994 {
995 payload->destroy(payload);
996 }
997 }
998 if (this->major_version == IKEV2_MAJOR_VERSION)
999 {
1000 notify = notify_payload_create(NOTIFY);
1001 }
1002 else
1003 {
1004 notify = notify_payload_create(NOTIFY_V1);
1005 }
1006 notify->set_notify_type(notify, type);
1007 notify->set_notification_data(notify, data);
1008 add_payload(this, (payload_t*)notify);
1009 }
1010
1011 METHOD(message_t, set_source, void,
1012 private_message_t *this, host_t *host)
1013 {
1014 this->packet->set_source(this->packet, host);
1015 }
1016
1017 METHOD(message_t, set_destination, void,
1018 private_message_t *this, host_t *host)
1019 {
1020 this->packet->set_destination(this->packet, host);
1021 }
1022
1023 METHOD(message_t, get_source, host_t*,
1024 private_message_t *this)
1025 {
1026 return this->packet->get_source(this->packet);
1027 }
1028
1029 METHOD(message_t, get_destination, host_t*,
1030 private_message_t *this)
1031 {
1032 return this->packet->get_destination(this->packet);
1033 }
1034
1035 METHOD(message_t, create_payload_enumerator, enumerator_t*,
1036 private_message_t *this)
1037 {
1038 return this->payloads->create_enumerator(this->payloads);
1039 }
1040
1041 METHOD(message_t, remove_payload_at, void,
1042 private_message_t *this, enumerator_t *enumerator)
1043 {
1044 this->payloads->remove_at(this->payloads, enumerator);
1045 }
1046
1047 METHOD(message_t, get_payload, payload_t*,
1048 private_message_t *this, payload_type_t type)
1049 {
1050 payload_t *current, *found = NULL;
1051 enumerator_t *enumerator;
1052
1053 enumerator = create_payload_enumerator(this);
1054 while (enumerator->enumerate(enumerator, &current))
1055 {
1056 if (current->get_type(current) == type)
1057 {
1058 found = current;
1059 break;
1060 }
1061 }
1062 enumerator->destroy(enumerator);
1063 return found;
1064 }
1065
1066 METHOD(message_t, get_notify, notify_payload_t*,
1067 private_message_t *this, notify_type_t type)
1068 {
1069 enumerator_t *enumerator;
1070 notify_payload_t *notify = NULL;
1071 payload_t *payload;
1072
1073 enumerator = create_payload_enumerator(this);
1074 while (enumerator->enumerate(enumerator, &payload))
1075 {
1076 if (payload->get_type(payload) == NOTIFY)
1077 {
1078 notify = (notify_payload_t*)payload;
1079 if (notify->get_notify_type(notify) == type)
1080 {
1081 break;
1082 }
1083 notify = NULL;
1084 }
1085 }
1086 enumerator->destroy(enumerator);
1087 return notify;
1088 }
1089
1090 /**
1091 * get a string representation of the message
1092 */
1093 static char* get_string(private_message_t *this, char *buf, int len)
1094 {
1095 enumerator_t *enumerator;
1096 payload_t *payload;
1097 int written;
1098 char *pos = buf;
1099
1100 memset(buf, 0, len);
1101 len--;
1102
1103 written = snprintf(pos, len, "%N %s %u [",
1104 exchange_type_names, this->exchange_type,
1105 this->is_request ? "request" : "response",
1106 this->message_id);
1107 if (written >= len || written < 0)
1108 {
1109 return "";
1110 }
1111 pos += written;
1112 len -= written;
1113
1114 enumerator = create_payload_enumerator(this);
1115 while (enumerator->enumerate(enumerator, &payload))
1116 {
1117 written = snprintf(pos, len, " %N", payload_type_short_names,
1118 payload->get_type(payload));
1119 if (written >= len || written < 0)
1120 {
1121 return buf;
1122 }
1123 pos += written;
1124 len -= written;
1125 if (payload->get_type(payload) == NOTIFY)
1126 {
1127 notify_payload_t *notify;
1128 notify_type_t type;
1129 chunk_t data;
1130
1131 notify = (notify_payload_t*)payload;
1132 type = notify->get_notify_type(notify);
1133 data = notify->get_notification_data(notify);
1134 if (type == MS_NOTIFY_STATUS && data.len == 4)
1135 {
1136 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1137 type, untoh32(data.ptr));
1138 }
1139 else
1140 {
1141 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1142 type);
1143 }
1144 if (written >= len || written < 0)
1145 {
1146 return buf;
1147 }
1148 pos += written;
1149 len -= written;
1150 }
1151 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1152 {
1153 eap_payload_t *eap = (eap_payload_t*)payload;
1154 u_int32_t vendor;
1155 eap_type_t type;
1156 char method[64] = "";
1157
1158 type = eap->get_type(eap, &vendor);
1159 if (type)
1160 {
1161 if (vendor)
1162 {
1163 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1164 }
1165 else
1166 {
1167 snprintf(method, sizeof(method), "/%N",
1168 eap_type_short_names, type);
1169 }
1170 }
1171 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1172 eap->get_code(eap), method);
1173 if (written >= len || written < 0)
1174 {
1175 return buf;
1176 }
1177 pos += written;
1178 len -= written;
1179 }
1180 if (payload->get_type(payload) == CONFIGURATION)
1181 {
1182 cp_payload_t *cp = (cp_payload_t*)payload;
1183 enumerator_t *attributes;
1184 configuration_attribute_t *attribute;
1185 bool first = TRUE;
1186
1187 attributes = cp->create_attribute_enumerator(cp);
1188 while (attributes->enumerate(attributes, &attribute))
1189 {
1190 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1191 configuration_attribute_type_short_names,
1192 attribute->get_type(attribute));
1193 if (written >= len || written < 0)
1194 {
1195 return buf;
1196 }
1197 pos += written;
1198 len -= written;
1199 first = FALSE;
1200 }
1201 attributes->destroy(attributes);
1202 if (!first)
1203 {
1204 written = snprintf(pos, len, ")");
1205 if (written >= len || written < 0)
1206 {
1207 return buf;
1208 }
1209 pos += written;
1210 len -= written;
1211 }
1212 }
1213 }
1214 enumerator->destroy(enumerator);
1215
1216 /* remove last space */
1217 snprintf(pos, len, " ]");
1218 return buf;
1219 }
1220
1221 /**
1222 * reorder payloads depending on reordering rules
1223 */
1224 static void order_payloads(private_message_t *this)
1225 {
1226 linked_list_t *list;
1227 payload_t *payload;
1228 int i;
1229
1230 /* move to temp list */
1231 list = linked_list_create();
1232 while (this->payloads->remove_last(this->payloads,
1233 (void**)&payload) == SUCCESS)
1234 {
1235 list->insert_first(list, payload);
1236 }
1237 /* for each rule, ... */
1238 for (i = 0; i < this->rule->order_count; i++)
1239 {
1240 enumerator_t *enumerator;
1241 notify_payload_t *notify;
1242 payload_order_t order;
1243
1244 order = this->rule->order[i];
1245
1246 /* ... find all payload ... */
1247 enumerator = list->create_enumerator(list);
1248 while (enumerator->enumerate(enumerator, &payload))
1249 {
1250 /* ... with that type ... */
1251 if (payload->get_type(payload) == order.type)
1252 {
1253 notify = (notify_payload_t*)payload;
1254
1255 /**... and check notify for type. */
1256 if (order.type != NOTIFY || order.notify == 0 ||
1257 order.notify == notify->get_notify_type(notify))
1258 {
1259 list->remove_at(list, enumerator);
1260 add_payload(this, payload);
1261 }
1262 }
1263 }
1264 enumerator->destroy(enumerator);
1265 }
1266 /* append all payloads without a rule to the end */
1267 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1268 {
1269 /* do not complain about payloads in private use space */
1270 if (payload->get_type(payload) < 128)
1271 {
1272 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1273 payload_type_names, payload->get_type(payload),
1274 exchange_type_names, this->rule->exchange_type,
1275 this->rule->is_request ? "request" : "response");
1276 }
1277 add_payload(this, payload);
1278 }
1279 list->destroy(list);
1280 }
1281
1282 /**
1283 * Wrap payloads in a encryption payload
1284 */
1285 static encryption_payload_t* wrap_payloads(private_message_t *this)
1286 {
1287 encryption_payload_t *encryption;
1288 linked_list_t *payloads;
1289 payload_t *current;
1290
1291 /* copy all payloads in a temporary list */
1292 payloads = linked_list_create();
1293 while (this->payloads->remove_first(this->payloads,
1294 (void**)&current) == SUCCESS)
1295 {
1296 payloads->insert_last(payloads, current);
1297 }
1298
1299 encryption = encryption_payload_create();
1300 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1301 {
1302 payload_rule_t *rule;
1303 payload_type_t type;
1304 bool encrypt = TRUE;
1305
1306 type = current->get_type(current);
1307 rule = get_payload_rule(this, type);
1308 if (rule)
1309 {
1310 encrypt = rule->encrypted;
1311 }
1312 if (encrypt)
1313 {
1314 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1315 payload_type_names, type);
1316 encryption->add_payload(encryption, current);
1317 }
1318 else
1319 {
1320 DBG2(DBG_ENC, "insert payload %N unencrypted",
1321 payload_type_names, type);
1322 add_payload(this, current);
1323 }
1324 }
1325 payloads->destroy(payloads);
1326
1327 return encryption;
1328 }
1329
1330 METHOD(message_t, disable_sort, void,
1331 private_message_t *this)
1332 {
1333 this->sort_disabled = TRUE;
1334 }
1335
1336 METHOD(message_t, generate, status_t,
1337 private_message_t *this, aead_t *aead, packet_t **packet)
1338 {
1339 generator_t *generator;
1340 ike_header_t *ike_header;
1341 payload_t *payload, *next;
1342 encryption_payload_t *encryption = NULL;
1343 enumerator_t *enumerator;
1344 chunk_t chunk;
1345 char str[BUF_LEN];
1346 u_int32_t *lenpos;
1347 bool *reserved;
1348 int i;
1349
1350 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1351 {
1352 DBG1(DBG_ENC, "exchange type is not defined");
1353 return INVALID_STATE;
1354 }
1355
1356 if (this->packet->get_source(this->packet) == NULL ||
1357 this->packet->get_destination(this->packet) == NULL)
1358 {
1359 DBG1(DBG_ENC, "source/destination not defined");
1360 return INVALID_STATE;
1361 }
1362
1363 this->rule = get_message_rule(this);
1364 if (!this->rule)
1365 {
1366 DBG1(DBG_ENC, "no message rules specified for this message type");
1367 return NOT_SUPPORTED;
1368 }
1369
1370 if (!this->sort_disabled)
1371 {
1372 order_payloads(this);
1373 }
1374
1375 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1376
1377 if (aead && this->rule->encrypted)
1378 {
1379 encryption = wrap_payloads(this);
1380 }
1381 else
1382 {
1383 DBG2(DBG_ENC, "not encrypting payloads");
1384 }
1385
1386 ike_header = ike_header_create_version(this->major_version,
1387 this->minor_version);
1388 ike_header->set_exchange_type(ike_header, this->exchange_type);
1389 ike_header->set_message_id(ike_header, this->message_id);
1390 if (this->major_version == IKEV2_MAJOR_VERSION)
1391 {
1392 ike_header->set_response_flag(ike_header, !this->is_request);
1393 ike_header->set_version_flag(ike_header, this->version_flag);
1394 ike_header->set_initiator_flag(ike_header,
1395 this->ike_sa_id->is_initiator(this->ike_sa_id));
1396 }
1397 ike_header->set_initiator_spi(ike_header,
1398 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1399 ike_header->set_responder_spi(ike_header,
1400 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1401
1402 for (i = 0; i < countof(this->reserved); i++)
1403 {
1404 reserved = payload_get_field(&ike_header->payload_interface,
1405 RESERVED_BIT, i);
1406 if (reserved)
1407 {
1408 *reserved = this->reserved[i];
1409 }
1410 }
1411
1412 generator = generator_create();
1413
1414 /* generate all payloads with proper next type */
1415 payload = (payload_t*)ike_header;
1416 enumerator = create_payload_enumerator(this);
1417 while (enumerator->enumerate(enumerator, &next))
1418 {
1419 payload->set_next_type(payload, next->get_type(next));
1420 generator->generate_payload(generator, payload);
1421 payload = next;
1422 }
1423 enumerator->destroy(enumerator);
1424 payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
1425 generator->generate_payload(generator, payload);
1426 ike_header->destroy(ike_header);
1427
1428 if (encryption)
1429 {
1430 u_int32_t *lenpos;
1431
1432 /* build associated data (without header of encryption payload) */
1433 chunk = generator->get_chunk(generator, &lenpos);
1434 encryption->set_transform(encryption, aead);
1435 /* fill in length, including encryption payload */
1436 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1437
1438 this->payloads->insert_last(this->payloads, encryption);
1439 if (!encryption->encrypt(encryption, chunk))
1440 {
1441 generator->destroy(generator);
1442 return INVALID_STATE;
1443 }
1444 generator->generate_payload(generator, &encryption->payload_interface);
1445 }
1446 chunk = generator->get_chunk(generator, &lenpos);
1447 htoun32(lenpos, chunk.len);
1448 this->packet->set_data(this->packet, chunk_clone(chunk));
1449 generator->destroy(generator);
1450
1451 *packet = this->packet->clone(this->packet);
1452 return SUCCESS;
1453 }
1454
1455 METHOD(message_t, get_packet, packet_t*,
1456 private_message_t *this)
1457 {
1458 if (this->packet == NULL)
1459 {
1460 return NULL;
1461 }
1462 return this->packet->clone(this->packet);
1463 }
1464
1465 METHOD(message_t, get_packet_data, chunk_t,
1466 private_message_t *this)
1467 {
1468 if (this->packet == NULL)
1469 {
1470 return chunk_empty;
1471 }
1472 return this->packet->get_data(this->packet);
1473 }
1474
1475 METHOD(message_t, parse_header, status_t,
1476 private_message_t *this)
1477 {
1478 ike_header_t *ike_header;
1479 status_t status;
1480 bool *reserved;
1481 int i;
1482
1483 DBG2(DBG_ENC, "parsing header of message");
1484
1485 this->parser->reset_context(this->parser);
1486 status = this->parser->parse_payload(this->parser, HEADER,
1487 (payload_t**)&ike_header);
1488 if (status != SUCCESS)
1489 {
1490 DBG1(DBG_ENC, "header could not be parsed");
1491 return status;
1492
1493 }
1494
1495 status = ike_header->payload_interface.verify(
1496 &ike_header->payload_interface);
1497 if (status != SUCCESS)
1498 {
1499 DBG1(DBG_ENC, "header verification failed");
1500 ike_header->destroy(ike_header);
1501 return status;
1502 }
1503
1504 DESTROY_IF(this->ike_sa_id);
1505 this->ike_sa_id = ike_sa_id_create(
1506 ike_header->get_initiator_spi(ike_header),
1507 ike_header->get_responder_spi(ike_header),
1508 ike_header->get_initiator_flag(ike_header));
1509
1510 this->exchange_type = ike_header->get_exchange_type(ike_header);
1511 this->message_id = ike_header->get_message_id(ike_header);
1512 this->is_request = !ike_header->get_response_flag(ike_header);
1513 this->is_encrypted = ike_header->get_encryption_flag(ike_header);
1514 this->major_version = ike_header->get_maj_version(ike_header);
1515 this->minor_version = ike_header->get_min_version(ike_header);
1516 this->first_payload = ike_header->payload_interface.get_next_type(
1517 &ike_header->payload_interface);
1518 for (i = 0; i < countof(this->reserved); i++)
1519 {
1520 reserved = payload_get_field(&ike_header->payload_interface,
1521 RESERVED_BIT, i);
1522 if (reserved)
1523 {
1524 this->reserved[i] = *reserved;
1525 }
1526 }
1527 ike_header->destroy(ike_header);
1528
1529 DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
1530 this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
1531 "message" : (this->is_request ? "request" : "response"));
1532 return SUCCESS;
1533 }
1534
1535 /**
1536 * Check if a payload is for a mediation extension connectivity check
1537 */
1538 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1539 {
1540 #ifdef ME
1541 if (this->exchange_type == INFORMATIONAL &&
1542 payload->get_type(payload) == NOTIFY)
1543 {
1544 notify_payload_t *notify = (notify_payload_t*)payload;
1545
1546 switch (notify->get_notify_type(notify))
1547 {
1548 case ME_CONNECTID:
1549 case ME_ENDPOINT:
1550 case ME_CONNECTAUTH:
1551 return TRUE;
1552 default:
1553 break;
1554 }
1555 }
1556 #endif /* !ME */
1557 return FALSE;
1558 }
1559
1560 /**
1561 * Parses and verifies the unencrypted payloads contained in the message
1562 */
1563 static status_t parse_payloads(private_message_t *this)
1564 {
1565 payload_type_t type = this->first_payload;
1566 payload_t *payload;
1567 status_t status;
1568
1569 while (type != NO_PAYLOAD)
1570 {
1571 DBG2(DBG_ENC, "starting parsing a %N payload",
1572 payload_type_names, type);
1573
1574 status = this->parser->parse_payload(this->parser, type, &payload);
1575 if (status != SUCCESS)
1576 {
1577 DBG1(DBG_ENC, "payload type %N could not be parsed",
1578 payload_type_names, type);
1579 return PARSE_ERROR;
1580 }
1581
1582 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1583 status = payload->verify(payload);
1584 if (status != SUCCESS)
1585 {
1586 DBG1(DBG_ENC, "%N payload verification failed",
1587 payload_type_names, type);
1588 payload->destroy(payload);
1589 return VERIFY_ERROR;
1590 }
1591
1592 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1593 payload_type_names, type);
1594 this->payloads->insert_last(this->payloads, payload);
1595
1596 /* an encryption payload is the last one, so STOP here. decryption is
1597 * done later */
1598 if (type == ENCRYPTED)
1599 {
1600 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1601 payload_type_names, type);
1602 break;
1603 }
1604 type = payload->get_next_type(payload);
1605 }
1606 return SUCCESS;
1607 }
1608
1609 /**
1610 * Decrypt payload from the encryption payload
1611 */
1612 static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
1613 {
1614 bool was_encrypted = FALSE;
1615 payload_t *payload, *previous = NULL;
1616 enumerator_t *enumerator;
1617 payload_rule_t *rule;
1618 payload_type_t type;
1619 status_t status = SUCCESS;
1620
1621 enumerator = this->payloads->create_enumerator(this->payloads);
1622 while (enumerator->enumerate(enumerator, &payload))
1623 {
1624 type = payload->get_type(payload);
1625
1626 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1627
1628 if (type == ENCRYPTED)
1629 {
1630 encryption_payload_t *encryption;
1631 payload_t *encrypted;
1632 chunk_t chunk;
1633
1634 encryption = (encryption_payload_t*)payload;
1635
1636 DBG2(DBG_ENC, "found an encryption payload");
1637
1638 if (this->payloads->has_more(this->payloads, enumerator))
1639 {
1640 DBG1(DBG_ENC, "encrypted payload is not last payload");
1641 status = VERIFY_ERROR;
1642 break;
1643 }
1644 encryption->set_transform(encryption, aead);
1645 chunk = this->packet->get_data(this->packet);
1646 if (chunk.len < encryption->get_length(encryption))
1647 {
1648 DBG1(DBG_ENC, "invalid payload length");
1649 status = VERIFY_ERROR;
1650 break;
1651 }
1652 chunk.len -= encryption->get_length(encryption);
1653 status = encryption->decrypt(encryption, chunk);
1654 if (status != SUCCESS)
1655 {
1656 break;
1657 }
1658
1659 was_encrypted = TRUE;
1660 this->payloads->remove_at(this->payloads, enumerator);
1661
1662 while ((encrypted = encryption->remove_payload(encryption)))
1663 {
1664 type = encrypted->get_type(encrypted);
1665 if (previous)
1666 {
1667 previous->set_next_type(previous, type);
1668 }
1669 else
1670 {
1671 this->first_payload = type;
1672 }
1673 DBG2(DBG_ENC, "insert decrypted payload of type "
1674 "%N at end of list", payload_type_names, type);
1675 this->payloads->insert_last(this->payloads, encrypted);
1676 previous = encrypted;
1677 }
1678 encryption->destroy(encryption);
1679 }
1680 if (payload_is_known(type) && !was_encrypted &&
1681 !is_connectivity_check(this, payload))
1682 {
1683 rule = get_payload_rule(this, type);
1684 if (!rule || rule->encrypted)
1685 {
1686 DBG1(DBG_ENC, "payload type %N was not encrypted",
1687 payload_type_names, type);
1688 status = FAILED;
1689 break;
1690 }
1691 }
1692 previous = payload;
1693 }
1694 enumerator->destroy(enumerator);
1695 return status;
1696 }
1697
1698 /**
1699 * Verify a message and all payload according to message/payload rules
1700 */
1701 static status_t verify(private_message_t *this)
1702 {
1703 bool complete = FALSE;
1704 int i;
1705
1706 DBG2(DBG_ENC, "verifying message structure");
1707
1708 /* check for payloads with wrong count*/
1709 for (i = 0; i < this->rule->rule_count; i++)
1710 {
1711 enumerator_t *enumerator;
1712 payload_t *payload;
1713 payload_rule_t *rule;
1714 int found = 0;
1715
1716 rule = &this->rule->rules[i];
1717 enumerator = create_payload_enumerator(this);
1718 while (enumerator->enumerate(enumerator, &payload))
1719 {
1720 payload_type_t type;
1721
1722 type = payload->get_type(payload);
1723 if (type == rule->type)
1724 {
1725 found++;
1726 DBG2(DBG_ENC, "found payload of type %N",
1727 payload_type_names, type);
1728 if (found > rule->max_occurence)
1729 {
1730 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1731 "occurred in current message", payload_type_names,
1732 type, rule->max_occurence, found);
1733 enumerator->destroy(enumerator);
1734 return VERIFY_ERROR;
1735 }
1736 }
1737 }
1738 enumerator->destroy(enumerator);
1739
1740 if (!complete && found < rule->min_occurence)
1741 {
1742 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1743 payload_type_names, rule->type, rule->min_occurence, found);
1744 return VERIFY_ERROR;
1745 }
1746 if (found && rule->sufficient)
1747 {
1748 complete = TRUE;
1749 }
1750 }
1751 return SUCCESS;
1752 }
1753
1754 METHOD(message_t, parse_body, status_t,
1755 private_message_t *this, aead_t *aead)
1756 {
1757 status_t status = SUCCESS;
1758 char str[BUF_LEN];
1759
1760 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1761 payload_type_names, this->first_payload);
1762
1763 this->rule = get_message_rule(this);
1764 if (!this->rule)
1765 {
1766 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1767 exchange_type_names, this->exchange_type,
1768 this->is_request ? "request" : "response");
1769 return PARSE_ERROR;
1770 }
1771
1772 status = parse_payloads(this);
1773 if (status != SUCCESS)
1774 { /* error is already logged */
1775 return status;
1776 }
1777
1778 status = decrypt_payloads(this, aead);
1779 if (status != SUCCESS)
1780 {
1781 DBG1(DBG_ENC, "could not decrypt payloads");
1782 return status;
1783 }
1784
1785 status = verify(this);
1786 if (status != SUCCESS)
1787 {
1788 return status;
1789 }
1790
1791 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1792
1793 return SUCCESS;
1794 }
1795
1796 METHOD(message_t, destroy, void,
1797 private_message_t *this)
1798 {
1799 DESTROY_IF(this->ike_sa_id);
1800 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1801 this->packet->destroy(this->packet);
1802 this->parser->destroy(this->parser);
1803 free(this);
1804 }
1805
1806 /*
1807 * Described in header.
1808 */
1809 message_t *message_create_from_packet(packet_t *packet)
1810 {
1811 private_message_t *this;
1812
1813 INIT(this,
1814 .public = {
1815 .set_major_version = _set_major_version,
1816 .get_major_version = _get_major_version,
1817 .set_minor_version = _set_minor_version,
1818 .get_minor_version = _get_minor_version,
1819 .set_message_id = _set_message_id,
1820 .get_message_id = _get_message_id,
1821 .get_initiator_spi = _get_initiator_spi,
1822 .get_responder_spi = _get_responder_spi,
1823 .set_ike_sa_id = _set_ike_sa_id,
1824 .get_ike_sa_id = _get_ike_sa_id,
1825 .set_exchange_type = _set_exchange_type,
1826 .get_exchange_type = _get_exchange_type,
1827 .get_first_payload_type = _get_first_payload_type,
1828 .set_request = _set_request,
1829 .get_request = _get_request,
1830 .set_version_flag = _set_version_flag,
1831 .get_reserved_header_bit = _get_reserved_header_bit,
1832 .set_reserved_header_bit = _set_reserved_header_bit,
1833 .add_payload = _add_payload,
1834 .add_notify = _add_notify,
1835 .disable_sort = _disable_sort,
1836 .generate = _generate,
1837 .is_encoded = _is_encoded,
1838 .set_source = _set_source,
1839 .get_source = _get_source,
1840 .set_destination = _set_destination,
1841 .get_destination = _get_destination,
1842 .create_payload_enumerator = _create_payload_enumerator,
1843 .remove_payload_at = _remove_payload_at,
1844 .get_payload = _get_payload,
1845 .get_notify = _get_notify,
1846 .parse_header = _parse_header,
1847 .parse_body = _parse_body,
1848 .get_packet = _get_packet,
1849 .get_packet_data = _get_packet_data,
1850 .destroy = _destroy,
1851 },
1852 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
1853 .is_request = TRUE,
1854 .first_payload = NO_PAYLOAD,
1855 .packet = packet,
1856 .payloads = linked_list_create(),
1857 .parser = parser_create(packet->get_data(packet)),
1858 );
1859
1860 return &this->public;
1861 }
1862
1863 /*
1864 * Described in header.
1865 */
1866 message_t *message_create(int major, int minor)
1867 {
1868 message_t *this = message_create_from_packet(packet_create());
1869
1870 this->set_major_version(this, major);
1871 this->set_minor_version(this, minor);
1872
1873 return this;
1874 }
1875