Moving charon to libcharon.
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <stdlib.h>
20 #include <string.h>
21
22 #include "message.h"
23
24 #include <library.h>
25 #include <daemon.h>
26 #include <sa/ike_sa_id.h>
27 #include <encoding/generator.h>
28 #include <encoding/parser.h>
29 #include <utils/linked_list.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/encryption_payload.h>
33 #include <encoding/payloads/unknown_payload.h>
34
35 /**
36 * Max number of notify payloads per IKEv2 Message
37 */
38 #define MAX_NOTIFY_PAYLOADS 20
39
40 /**
41 * Max number of delete payloads per IKEv2 Message
42 */
43 #define MAX_DELETE_PAYLOADS 20
44
45
46 typedef struct payload_rule_t payload_rule_t;
47
48 /**
49 * A payload rule defines the rules for a payload
50 * in a specific message rule. It defines if and how
51 * many times a payload must/can occur in a message
52 * and if it must be encrypted.
53 */
54 struct payload_rule_t {
55 /**
56 * Payload type.
57 */
58 payload_type_t payload_type;
59
60 /**
61 * Minimal occurence of this payload.
62 */
63 size_t min_occurence;
64
65 /**
66 * Max occurence of this payload.
67 */
68 size_t max_occurence;
69
70 /**
71 * TRUE if payload must be encrypted
72 */
73 bool encrypted;
74
75 /**
76 * If this payload occurs, the message rule is
77 * fullfilled in any case. This applies e.g. to
78 * notify_payloads.
79 */
80 bool sufficient;
81 };
82
83 typedef struct payload_order_t payload_order_t;
84
85 /**
86 * payload ordering structure allows us to reorder payloads according to RFC.
87 */
88 struct payload_order_t {
89
90 /**
91 * payload type
92 */
93 payload_type_t type;
94
95 /**
96 * notify type, if payload == NOTIFY
97 */
98 notify_type_t notify;
99 };
100
101
102 typedef struct message_rule_t message_rule_t;
103
104 /**
105 * A message rule defines the kind of a message,
106 * if it has encrypted contents and a list
107 * of payload ordering rules and payload parsing rules.
108 */
109 struct message_rule_t {
110 /**
111 * Type of message.
112 */
113 exchange_type_t exchange_type;
114
115 /**
116 * Is message a request or response.
117 */
118 bool is_request;
119
120 /**
121 * Message contains encrypted content.
122 */
123 bool encrypted_content;
124
125 /**
126 * Number of payload rules which will follow
127 */
128 int payload_rule_count;
129
130 /**
131 * Pointer to first payload rule
132 */
133 payload_rule_t *payload_rules;
134
135 /**
136 * Number of payload order rules
137 */
138 int payload_order_count;
139
140 /**
141 * payload ordering rules
142 */
143 payload_order_t *payload_order;
144 };
145
146 /**
147 * Message rule for IKE_SA_INIT from initiator.
148 */
149 static payload_rule_t ike_sa_init_i_payload_rules[] = {
150 /* payload type min max encr suff */
151 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
152 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
153 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
154 {NONCE, 1, 1, FALSE, FALSE},
155 {VENDOR_ID, 0, 10, FALSE, FALSE},
156 };
157
158 /**
159 * payload order for IKE_SA_INIT initiator
160 */
161 static payload_order_t ike_sa_init_i_payload_order[] = {
162 /* payload type notify type */
163 {NOTIFY, COOKIE},
164 {SECURITY_ASSOCIATION, 0},
165 {KEY_EXCHANGE, 0},
166 {NONCE, 0},
167 {NOTIFY, NAT_DETECTION_SOURCE_IP},
168 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
169 {NOTIFY, 0},
170 {VENDOR_ID, 0},
171 };
172
173 /**
174 * Message rule for IKE_SA_INIT from responder.
175 */
176 static payload_rule_t ike_sa_init_r_payload_rules[] = {
177 /* payload type min max encr suff */
178 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
179 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
180 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
181 {NONCE, 1, 1, FALSE, FALSE},
182 {VENDOR_ID, 0, 10, FALSE, FALSE},
183 };
184
185 /**
186 * payload order for IKE_SA_INIT responder
187 */
188 static payload_order_t ike_sa_init_r_payload_order[] = {
189 /* payload type notify type */
190 {SECURITY_ASSOCIATION, 0},
191 {KEY_EXCHANGE, 0},
192 {NONCE, 0},
193 {NOTIFY, NAT_DETECTION_SOURCE_IP},
194 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
195 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
196 {CERTIFICATE_REQUEST, 0},
197 {NOTIFY, 0},
198 {VENDOR_ID, 0},
199 };
200
201 /**
202 * Message rule for IKE_AUTH from initiator.
203 */
204 static payload_rule_t ike_auth_i_payload_rules[] = {
205 /* payload type min max encr suff */
206 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
207 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
208 {AUTHENTICATION, 0, 1, TRUE, TRUE},
209 {ID_INITIATOR, 0, 1, TRUE, FALSE},
210 {CERTIFICATE, 0, 4, TRUE, FALSE},
211 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
212 {ID_RESPONDER, 0, 1, TRUE, FALSE},
213 #ifdef ME
214 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
215 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
216 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
217 #else
218 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
219 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
220 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
221 #endif /* ME */
222 {CONFIGURATION, 0, 1, TRUE, FALSE},
223 {VENDOR_ID, 0, 10, TRUE, FALSE},
224 };
225
226 /**
227 * payload order for IKE_AUTH initiator
228 */
229 static payload_order_t ike_auth_i_payload_order[] = {
230 /* payload type notify type */
231 {ID_INITIATOR, 0},
232 {CERTIFICATE, 0},
233 {NOTIFY, INITIAL_CONTACT},
234 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
235 {CERTIFICATE_REQUEST, 0},
236 {ID_RESPONDER, 0},
237 {AUTHENTICATION, 0},
238 {EXTENSIBLE_AUTHENTICATION, 0},
239 {CONFIGURATION, 0},
240 {NOTIFY, IPCOMP_SUPPORTED},
241 {NOTIFY, USE_TRANSPORT_MODE},
242 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
243 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
244 {SECURITY_ASSOCIATION, 0},
245 {TRAFFIC_SELECTOR_INITIATOR, 0},
246 {TRAFFIC_SELECTOR_RESPONDER, 0},
247 {NOTIFY, MOBIKE_SUPPORTED},
248 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
249 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
250 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
251 {NOTIFY, 0},
252 {VENDOR_ID, 0},
253 };
254
255 /**
256 * Message rule for IKE_AUTH from responder.
257 */
258 static payload_rule_t ike_auth_r_payload_rules[] = {
259 /* payload type min max encr suff */
260 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
261 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
262 {AUTHENTICATION, 0, 1, TRUE, TRUE},
263 {CERTIFICATE, 0, 4, TRUE, FALSE},
264 {ID_RESPONDER, 0, 1, TRUE, FALSE},
265 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
266 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
267 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
268 {CONFIGURATION, 0, 1, TRUE, FALSE},
269 {VENDOR_ID, 0, 10, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for IKE_AUTH responder
274 */
275 static payload_order_t ike_auth_r_payload_order[] = {
276 /* payload type notify type */
277 {ID_RESPONDER, 0},
278 {CERTIFICATE, 0},
279 {AUTHENTICATION, 0},
280 {EXTENSIBLE_AUTHENTICATION, 0},
281 {CONFIGURATION, 0},
282 {NOTIFY, IPCOMP_SUPPORTED},
283 {NOTIFY, USE_TRANSPORT_MODE},
284 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
285 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
286 {SECURITY_ASSOCIATION, 0},
287 {TRAFFIC_SELECTOR_INITIATOR, 0},
288 {TRAFFIC_SELECTOR_RESPONDER, 0},
289 {NOTIFY, AUTH_LIFETIME},
290 {NOTIFY, MOBIKE_SUPPORTED},
291 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
292 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
293 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
294 {NOTIFY, 0},
295 {VENDOR_ID, 0},
296 };
297
298 /**
299 * Message rule for INFORMATIONAL from initiator.
300 */
301 static payload_rule_t informational_i_payload_rules[] = {
302 /* payload type min max encr suff */
303 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
304 {CONFIGURATION, 0, 1, TRUE, FALSE},
305 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
306 {VENDOR_ID, 0, 10, TRUE, FALSE},
307 };
308
309 /**
310 * payload order for INFORMATIONAL initiator
311 */
312 static payload_order_t informational_i_payload_order[] = {
313 /* payload type notify type */
314 {NOTIFY, UPDATE_SA_ADDRESSES},
315 {NOTIFY, NAT_DETECTION_SOURCE_IP},
316 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
317 {NOTIFY, COOKIE2},
318 {NOTIFY, 0},
319 {DELETE, 0},
320 {CONFIGURATION, 0},
321 };
322
323 /**
324 * Message rule for INFORMATIONAL from responder.
325 */
326 static payload_rule_t informational_r_payload_rules[] = {
327 /* payload type min max encr suff */
328 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
329 {CONFIGURATION, 0, 1, TRUE, FALSE},
330 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
331 {VENDOR_ID, 0, 10, TRUE, FALSE},
332 };
333
334 /**
335 * payload order for INFORMATIONAL responder
336 */
337 static payload_order_t informational_r_payload_order[] = {
338 /* payload type notify type */
339 {NOTIFY, UPDATE_SA_ADDRESSES},
340 {NOTIFY, NAT_DETECTION_SOURCE_IP},
341 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
342 {NOTIFY, COOKIE2},
343 {NOTIFY, 0},
344 {DELETE, 0},
345 {CONFIGURATION, 0},
346 };
347
348 /**
349 * Message rule for CREATE_CHILD_SA from initiator.
350 */
351 static payload_rule_t create_child_sa_i_payload_rules[] = {
352 /* payload type min max encr suff */
353 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
354 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
355 {NONCE, 1, 1, TRUE, FALSE},
356 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
357 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
359 {CONFIGURATION, 0, 1, TRUE, FALSE},
360 {VENDOR_ID, 0, 10, TRUE, FALSE},
361 };
362
363 /**
364 * payload order for CREATE_CHILD_SA from initiator.
365 */
366 static payload_order_t create_child_sa_i_payload_order[] = {
367 /* payload type notify type */
368 {NOTIFY, REKEY_SA},
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, 0},
379 };
380
381 /**
382 * Message rule for CREATE_CHILD_SA from responder.
383 */
384 static payload_rule_t create_child_sa_r_payload_rules[] = {
385 /* payload type min max encr suff */
386 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
387 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
388 {NONCE, 1, 1, TRUE, FALSE},
389 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
390 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
391 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
392 {CONFIGURATION, 0, 1, TRUE, FALSE},
393 {VENDOR_ID, 0, 10, TRUE, FALSE},
394 };
395
396 /**
397 * payload order for CREATE_CHILD_SA from responder.
398 */
399 static payload_order_t create_child_sa_r_payload_order[] = {
400 /* payload type notify type */
401 {NOTIFY, IPCOMP_SUPPORTED},
402 {NOTIFY, USE_TRANSPORT_MODE},
403 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
404 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
405 {SECURITY_ASSOCIATION, 0},
406 {NONCE, 0},
407 {KEY_EXCHANGE, 0},
408 {TRAFFIC_SELECTOR_INITIATOR, 0},
409 {TRAFFIC_SELECTOR_RESPONDER, 0},
410 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
411 {NOTIFY, 0},
412 };
413
414 #ifdef ME
415 /**
416 * Message rule for ME_CONNECT from initiator.
417 */
418 static payload_rule_t me_connect_i_payload_rules[] = {
419 /* payload type min max encr suff */
420 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
421 {ID_PEER, 1, 1, TRUE, FALSE},
422 {VENDOR_ID, 0, 10, TRUE, FALSE}
423 };
424
425 /**
426 * payload order for ME_CONNECT from initiator.
427 */
428 static payload_order_t me_connect_i_payload_order[] = {
429 /* payload type notify type */
430 {NOTIFY, 0},
431 {ID_PEER, 0},
432 {VENDOR_ID, 0},
433 };
434
435 /**
436 * Message rule for ME_CONNECT from responder.
437 */
438 static payload_rule_t me_connect_r_payload_rules[] = {
439 /* payload type min max encr suff */
440 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
441 {VENDOR_ID, 0, 10, TRUE, FALSE}
442 };
443
444 /**
445 * payload order for ME_CONNECT from responder.
446 */
447 static payload_order_t me_connect_r_payload_order[] = {
448 /* payload type notify type */
449 {NOTIFY, 0},
450 {VENDOR_ID, 0},
451 };
452 #endif /* ME */
453
454 /**
455 * Message rules, defines allowed payloads.
456 */
457 static message_rule_t message_rules[] = {
458 {IKE_SA_INIT, TRUE, FALSE,
459 (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
460 ike_sa_init_i_payload_rules,
461 (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
462 ike_sa_init_i_payload_order,
463 },
464 {IKE_SA_INIT, FALSE, FALSE,
465 (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
466 ike_sa_init_r_payload_rules,
467 (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
468 ike_sa_init_r_payload_order,
469 },
470 {IKE_AUTH, TRUE, TRUE,
471 (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
472 ike_auth_i_payload_rules,
473 (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
474 ike_auth_i_payload_order,
475 },
476 {IKE_AUTH, FALSE, TRUE,
477 (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
478 ike_auth_r_payload_rules,
479 (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
480 ike_auth_r_payload_order,
481 },
482 {INFORMATIONAL, TRUE, TRUE,
483 (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
484 informational_i_payload_rules,
485 (sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
486 informational_i_payload_order,
487 },
488 {INFORMATIONAL, FALSE, TRUE,
489 (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
490 informational_r_payload_rules,
491 (sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
492 informational_r_payload_order,
493 },
494 {CREATE_CHILD_SA, TRUE, TRUE,
495 (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
496 create_child_sa_i_payload_rules,
497 (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
498 create_child_sa_i_payload_order,
499 },
500 {CREATE_CHILD_SA, FALSE, TRUE,
501 (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
502 create_child_sa_r_payload_rules,
503 (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
504 create_child_sa_r_payload_order,
505 },
506 #ifdef ME
507 {ME_CONNECT, TRUE, TRUE,
508 (sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
509 me_connect_i_payload_rules,
510 (sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
511 me_connect_i_payload_order,
512 },
513 {ME_CONNECT, FALSE, TRUE,
514 (sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
515 me_connect_r_payload_rules,
516 (sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
517 me_connect_r_payload_order,
518 },
519 #endif /* ME */
520 };
521
522
523 typedef struct private_message_t private_message_t;
524
525 /**
526 * Private data of an message_t object.
527 */
528 struct private_message_t {
529
530 /**
531 * Public part of a message_t object.
532 */
533 message_t public;
534
535 /**
536 * Minor version of message.
537 */
538 u_int8_t major_version;
539
540 /**
541 * Major version of message.
542 */
543 u_int8_t minor_version;
544
545 /**
546 * First Payload in message.
547 */
548 payload_type_t first_payload;
549
550 /**
551 * Assigned exchange type.
552 */
553 exchange_type_t exchange_type;
554
555 /**
556 * TRUE if message is a request, FALSE if a reply.
557 */
558 bool is_request;
559
560 /**
561 * Message ID of this message.
562 */
563 u_int32_t message_id;
564
565 /**
566 * ID of assigned IKE_SA.
567 */
568 ike_sa_id_t *ike_sa_id;
569
570 /**
571 * Assigned UDP packet, stores incoming packet or last generated one.
572 */
573 packet_t *packet;
574
575 /**
576 * Linked List where payload data are stored in.
577 */
578 linked_list_t *payloads;
579
580 /**
581 * Assigned parser to parse Header and Body of this message.
582 */
583 parser_t *parser;
584
585 /**
586 * The message rule for this message instance
587 */
588 message_rule_t *message_rule;
589 };
590
591 /**
592 * Implementation of private_message_t.set_message_rule.
593 */
594 static status_t set_message_rule(private_message_t *this)
595 {
596 int i;
597
598 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
599 {
600 if ((this->exchange_type == message_rules[i].exchange_type) &&
601 (this->is_request == message_rules[i].is_request))
602 {
603 /* found rule for given exchange_type*/
604 this->message_rule = &(message_rules[i]);
605 return SUCCESS;
606 }
607 }
608 this->message_rule = NULL;
609 return NOT_FOUND;
610 }
611
612 /**
613 * Implementation of private_message_t.get_payload_rule.
614 */
615 static status_t get_payload_rule(private_message_t *this,
616 payload_type_t payload_type, payload_rule_t **payload_rule)
617 {
618 int i;
619
620 for (i = 0; i < this->message_rule->payload_rule_count;i++)
621 {
622 if (this->message_rule->payload_rules[i].payload_type == payload_type)
623 {
624 *payload_rule = &(this->message_rule->payload_rules[i]);
625 return SUCCESS;
626 }
627 }
628
629 *payload_rule = NULL;
630 return NOT_FOUND;
631 }
632
633 /**
634 * Implementation of message_t.set_ike_sa_id.
635 */
636 static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
637 {
638 DESTROY_IF(this->ike_sa_id);
639 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
640 }
641
642 /**
643 * Implementation of message_t.get_ike_sa_id.
644 */
645 static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
646 {
647 return this->ike_sa_id;
648 }
649
650 /**
651 * Implementation of message_t.set_message_id.
652 */
653 static void set_message_id(private_message_t *this,u_int32_t message_id)
654 {
655 this->message_id = message_id;
656 }
657
658 /**
659 * Implementation of message_t.get_message_id.
660 */
661 static u_int32_t get_message_id(private_message_t *this)
662 {
663 return this->message_id;
664 }
665
666 /**
667 * Implementation of message_t.get_initiator_spi.
668 */
669 static u_int64_t get_initiator_spi(private_message_t *this)
670 {
671 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
672 }
673
674 /**
675 * Implementation of message_t.get_responder_spi.
676 */
677 static u_int64_t get_responder_spi(private_message_t *this)
678 {
679 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
680 }
681
682 /**
683 * Implementation of message_t.set_major_version.
684 */
685 static void set_major_version(private_message_t *this,u_int8_t major_version)
686 {
687 this->major_version = major_version;
688 }
689
690 /**
691 * Implementation of message_t.set_major_version.
692 */
693 static u_int8_t get_major_version(private_message_t *this)
694 {
695 return this->major_version;
696 }
697
698 /**
699 * Implementation of message_t.set_minor_version.
700 */
701 static void set_minor_version(private_message_t *this,u_int8_t minor_version)
702 {
703 this->minor_version = minor_version;
704 }
705
706 /**
707 * Implementation of message_t.get_minor_version.
708 */
709 static u_int8_t get_minor_version(private_message_t *this)
710 {
711 return this->minor_version;
712 }
713
714 /**
715 * Implementation of message_t.set_exchange_type.
716 */
717 static void set_exchange_type(private_message_t *this,
718 exchange_type_t exchange_type)
719 {
720 this->exchange_type = exchange_type;
721 }
722
723 /**
724 * Implementation of message_t.get_exchange_type.
725 */
726 static exchange_type_t get_exchange_type(private_message_t *this)
727 {
728 return this->exchange_type;
729 }
730
731 /**
732 * Implementation of message_t.get_first_payload_type.
733 */
734 static payload_type_t get_first_payload_type(private_message_t *this)
735 {
736 return this->first_payload;
737 }
738
739 /**
740 * Implementation of message_t.set_request.
741 */
742 static void set_request(private_message_t *this, bool request)
743 {
744 this->is_request = request;
745 }
746
747 /**
748 * Implementation of message_t.get_request.
749 */
750 static exchange_type_t get_request(private_message_t *this)
751 {
752 return this->is_request;
753 }
754
755 /**
756 * Is this message in an encoded form?
757 */
758 static bool is_encoded(private_message_t *this)
759 {
760 chunk_t data = this->packet->get_data(this->packet);
761
762 if (data.ptr == NULL)
763 {
764 return FALSE;
765 }
766 return TRUE;
767 }
768
769 /**
770 * Implementation of message_t.add_payload.
771 */
772 static void add_payload(private_message_t *this, payload_t *payload)
773 {
774 payload_t *last_payload;
775
776 if (this->payloads->get_count(this->payloads) > 0)
777 {
778 this->payloads->get_last(this->payloads, (void **)&last_payload);
779 last_payload->set_next_type(last_payload, payload->get_type(payload));
780 }
781 else
782 {
783 this->first_payload = payload->get_type(payload);
784 }
785 payload->set_next_type(payload, NO_PAYLOAD);
786 this->payloads->insert_last(this->payloads, payload);
787
788 DBG2(DBG_ENC ,"added payload of type %N to message",
789 payload_type_names, payload->get_type(payload));
790 }
791
792 /**
793 * Implementation of message_t.add_notify.
794 */
795 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
796 chunk_t data)
797 {
798 notify_payload_t *notify;
799 payload_t *payload;
800
801 if (flush)
802 {
803 while (this->payloads->remove_last(this->payloads,
804 (void**)&payload) == SUCCESS)
805 {
806 payload->destroy(payload);
807 }
808 }
809 notify = notify_payload_create();
810 notify->set_notify_type(notify, type);
811 notify->set_notification_data(notify, data);
812 add_payload(this, (payload_t*)notify);
813 }
814
815 /**
816 * Implementation of message_t.set_source.
817 */
818 static void set_source(private_message_t *this, host_t *host)
819 {
820 this->packet->set_source(this->packet, host);
821 }
822
823 /**
824 * Implementation of message_t.set_destination.
825 */
826 static void set_destination(private_message_t *this, host_t *host)
827 {
828 this->packet->set_destination(this->packet, host);
829 }
830
831 /**
832 * Implementation of message_t.get_source.
833 */
834 static host_t* get_source(private_message_t *this)
835 {
836 return this->packet->get_source(this->packet);
837 }
838
839 /**
840 * Implementation of message_t.get_destination.
841 */
842 static host_t * get_destination(private_message_t *this)
843 {
844 return this->packet->get_destination(this->packet);
845 }
846
847 /**
848 * Implementation of message_t.create_payload_enumerator.
849 */
850 static enumerator_t *create_payload_enumerator(private_message_t *this)
851 {
852 return this->payloads->create_enumerator(this->payloads);
853 }
854
855 /**
856 * Implementation of message_t.get_payload.
857 */
858 static payload_t *get_payload(private_message_t *this, payload_type_t type)
859 {
860 payload_t *current, *found = NULL;
861 enumerator_t *enumerator;
862
863 enumerator = create_payload_enumerator(this);
864 while (enumerator->enumerate(enumerator, &current))
865 {
866 if (current->get_type(current) == type)
867 {
868 found = current;
869 break;
870 }
871 }
872 enumerator->destroy(enumerator);
873 return found;
874 }
875
876 /**
877 * Implementation of message_t.get_notify
878 */
879 static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
880 {
881 enumerator_t *enumerator;
882 notify_payload_t *notify = NULL;
883 payload_t *payload;
884
885 enumerator = create_payload_enumerator(this);
886 while (enumerator->enumerate(enumerator, &payload))
887 {
888 if (payload->get_type(payload) == NOTIFY)
889 {
890 notify = (notify_payload_t*)payload;
891 if (notify->get_notify_type(notify) == type)
892 {
893 break;
894 }
895 notify = NULL;
896 }
897 }
898 enumerator->destroy(enumerator);
899 return notify;
900 }
901
902 /**
903 * get a string representation of the message
904 */
905 static char* get_string(private_message_t *this, char *buf, int len)
906 {
907 enumerator_t *enumerator;
908 payload_t *payload;
909 int written;
910 char *pos = buf;
911
912 memset(buf, 0, len);
913 len--;
914
915 written = snprintf(pos, len, "%N %s %d [",
916 exchange_type_names, this->exchange_type,
917 this->is_request ? "request" : "response",
918 this->message_id);
919 if (written >= len || written < 0)
920 {
921 return "";
922 }
923 pos += written;
924 len -= written;
925
926 enumerator = create_payload_enumerator(this);
927 while (enumerator->enumerate(enumerator, &payload))
928 {
929 written = snprintf(pos, len, " %N", payload_type_short_names,
930 payload->get_type(payload));
931 if (written >= len || written < 0)
932 {
933 return buf;
934 }
935 pos += written;
936 len -= written;
937 if (payload->get_type(payload) == NOTIFY)
938 {
939 notify_payload_t *notify = (notify_payload_t*)payload;
940 written = snprintf(pos, len, "(%N)", notify_type_short_names,
941 notify->get_notify_type(notify));
942 if (written >= len || written < 0)
943 {
944 return buf;
945 }
946 pos += written;
947 len -= written;
948 }
949 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
950 {
951 eap_payload_t *eap = (eap_payload_t*)payload;
952 u_int32_t vendor;
953 eap_type_t type;
954 char method[64] = "";
955
956 type = eap->get_type(eap, &vendor);
957 if (type)
958 {
959 if (vendor)
960 {
961 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
962 }
963 else
964 {
965 snprintf(method, sizeof(method), "/%N",
966 eap_type_short_names, type);
967 }
968 }
969 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
970 eap->get_code(eap), method);
971 if (written >= len || written < 0)
972 {
973 return buf;
974 }
975 pos += written;
976 len -= written;
977 }
978 }
979 enumerator->destroy(enumerator);
980
981 /* remove last space */
982 snprintf(pos, len, " ]");
983 return buf;
984 }
985
986 /**
987 * reorder payloads depending on reordering rules
988 */
989 static void order_payloads(private_message_t *this)
990 {
991 linked_list_t *list;
992 payload_t *payload;
993 int i;
994
995 /* move to temp list */
996 list = linked_list_create();
997 while (this->payloads->remove_last(this->payloads,
998 (void**)&payload) == SUCCESS)
999 {
1000 list->insert_first(list, payload);
1001 }
1002 /* for each rule, ... */
1003 for (i = 0; i < this->message_rule->payload_order_count; i++)
1004 {
1005 enumerator_t *enumerator;
1006 notify_payload_t *notify;
1007 payload_order_t order = this->message_rule->payload_order[i];
1008
1009 /* ... find all payload ... */
1010 enumerator = list->create_enumerator(list);
1011 while (enumerator->enumerate(enumerator, &payload))
1012 {
1013 /* ... with that type ... */
1014 if (payload->get_type(payload) == order.type)
1015 {
1016 notify = (notify_payload_t*)payload;
1017
1018 /**... and check notify for type. */
1019 if (order.type != NOTIFY || order.notify == 0 ||
1020 order.notify == notify->get_notify_type(notify))
1021 {
1022 list->remove_at(list, enumerator);
1023 add_payload(this, payload);
1024 }
1025 }
1026 }
1027 enumerator->destroy(enumerator);
1028 }
1029 /* append all payloads without a rule to the end */
1030 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1031 {
1032 /* do not complain about payloads in private use space */
1033 if (payload->get_type(payload) < 128)
1034 {
1035 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1036 payload_type_names, payload->get_type(payload),
1037 exchange_type_names, this->message_rule->exchange_type,
1038 this->message_rule->is_request ? "request" : "response");
1039 }
1040 add_payload(this, payload);
1041 }
1042 list->destroy(list);
1043 }
1044
1045 /**
1046 * Implementation of private_message_t.encrypt_payloads.
1047 */
1048 static status_t encrypt_payloads(private_message_t *this,
1049 crypter_t *crypter, signer_t* signer)
1050 {
1051 encryption_payload_t *encryption;
1052 linked_list_t *payloads;
1053 payload_t *current;
1054 status_t status;
1055
1056 if (!this->message_rule->encrypted_content)
1057 {
1058 DBG2(DBG_ENC, "message doesn't have to be encrypted");
1059 /* message contains no content to encrypt */
1060 return SUCCESS;
1061 }
1062
1063 if (!crypter || !signer)
1064 {
1065 DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
1066 /* message contains no content to encrypt */
1067 return SUCCESS;
1068 }
1069
1070 DBG2(DBG_ENC, "copy all payloads to a temporary list");
1071 payloads = linked_list_create();
1072
1073 /* first copy all payloads in a temporary list */
1074 while (this->payloads->get_count(this->payloads) > 0)
1075 {
1076 this->payloads->remove_first(this->payloads, (void**)&current);
1077 payloads->insert_last(payloads, current);
1078 }
1079
1080 encryption = encryption_payload_create();
1081
1082 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
1083 while (payloads->get_count(payloads) > 0)
1084 {
1085 payload_rule_t *rule;
1086 payload_type_t type;
1087 bool to_encrypt = TRUE;
1088
1089 payloads->remove_first(payloads, (void**)&current);
1090
1091 type = current->get_type(current);
1092 if (get_payload_rule(this, type, &rule) == SUCCESS)
1093 {
1094 to_encrypt = rule->encrypted;
1095 }
1096 if (to_encrypt)
1097 {
1098 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1099 payload_type_names, current->get_type(current));
1100 encryption->add_payload(encryption, current);
1101 }
1102 else
1103 {
1104 DBG2(DBG_ENC, "insert payload %N unencrypted",
1105 payload_type_names, current->get_type(current));
1106 add_payload(this, (payload_t*)current);
1107 }
1108 }
1109
1110 DBG2(DBG_ENC, "encrypting encryption payload");
1111 encryption->set_transforms(encryption, crypter, signer);
1112 status = encryption->encrypt(encryption);
1113 DBG2(DBG_ENC, "add encrypted payload to payload list");
1114 add_payload(this, (payload_t*)encryption);
1115
1116 payloads->destroy(payloads);
1117
1118 return status;
1119 }
1120
1121 /**
1122 * Implementation of message_t.generate.
1123 */
1124 static status_t generate(private_message_t *this, crypter_t *crypter,
1125 signer_t* signer, packet_t **packet)
1126 {
1127 generator_t *generator;
1128 ike_header_t *ike_header;
1129 payload_t *payload, *next_payload;
1130 enumerator_t *enumerator;
1131 status_t status;
1132 chunk_t packet_data;
1133 char str[256];
1134
1135 if (is_encoded(this))
1136 {
1137 /* already generated, return a new packet clone */
1138 *packet = this->packet->clone(this->packet);
1139 return SUCCESS;
1140 }
1141
1142 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1143 {
1144 DBG1(DBG_ENC, "exchange type is not defined");
1145 return INVALID_STATE;
1146 }
1147
1148 if (this->packet->get_source(this->packet) == NULL ||
1149 this->packet->get_destination(this->packet) == NULL)
1150 {
1151 DBG1(DBG_ENC, "%s not defined",
1152 !this->packet->get_source(this->packet) ? "source" : "destination");
1153 return INVALID_STATE;
1154 }
1155
1156 /* set the rules for this messge */
1157 status = set_message_rule(this);
1158 if (status != SUCCESS)
1159 {
1160 DBG1(DBG_ENC, "no message rules specified for this message type");
1161 return NOT_SUPPORTED;
1162 }
1163
1164 order_payloads(this);
1165
1166 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1167
1168 /* going to encrypt all content which have to be encrypted */
1169 status = encrypt_payloads(this, crypter, signer);
1170 if (status != SUCCESS)
1171 {
1172 DBG1(DBG_ENC, "payload encryption failed");
1173 return status;
1174 }
1175
1176 /* build ike header */
1177 ike_header = ike_header_create();
1178
1179 ike_header->set_exchange_type(ike_header, this->exchange_type);
1180 ike_header->set_message_id(ike_header, this->message_id);
1181 ike_header->set_response_flag(ike_header, !this->is_request);
1182 ike_header->set_initiator_flag(ike_header,
1183 this->ike_sa_id->is_initiator(this->ike_sa_id));
1184 ike_header->set_initiator_spi(ike_header,
1185 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1186 ike_header->set_responder_spi(ike_header,
1187 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1188
1189 generator = generator_create();
1190
1191 payload = (payload_t*)ike_header;
1192
1193 /* generate every payload expect last one, this is done later*/
1194 enumerator = create_payload_enumerator(this);
1195 while (enumerator->enumerate(enumerator, &next_payload))
1196 {
1197 payload->set_next_type(payload, next_payload->get_type(next_payload));
1198 generator->generate_payload(generator, payload);
1199 payload = next_payload;
1200 }
1201 enumerator->destroy(enumerator);
1202
1203 /* last payload has no next payload*/
1204 payload->set_next_type(payload, NO_PAYLOAD);
1205
1206 generator->generate_payload(generator, payload);
1207
1208 ike_header->destroy(ike_header);
1209
1210 /* build packet */
1211 generator->write_to_chunk(generator, &packet_data);
1212 generator->destroy(generator);
1213
1214 /* if last payload is of type encrypted, integrity checksum if necessary */
1215 if (payload->get_type(payload) == ENCRYPTED)
1216 {
1217 DBG2(DBG_ENC, "build signature on whole message");
1218 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
1219 status = encryption_payload->build_signature(encryption_payload, packet_data);
1220 if (status != SUCCESS)
1221 {
1222 return status;
1223 }
1224 }
1225
1226 this->packet->set_data(this->packet, packet_data);
1227
1228 /* clone packet for caller */
1229 *packet = this->packet->clone(this->packet);
1230
1231 DBG2(DBG_ENC, "message generated successfully");
1232 return SUCCESS;
1233 }
1234
1235 /**
1236 * Implementation of message_t.get_packet.
1237 */
1238 static packet_t *get_packet(private_message_t *this)
1239 {
1240 if (this->packet == NULL)
1241 {
1242 return NULL;
1243 }
1244 return this->packet->clone(this->packet);
1245 }
1246
1247 /**
1248 * Implementation of message_t.get_packet_data.
1249 */
1250 static chunk_t get_packet_data(private_message_t *this)
1251 {
1252 if (this->packet == NULL)
1253 {
1254 return chunk_empty;
1255 }
1256 return chunk_clone(this->packet->get_data(this->packet));
1257 }
1258
1259 /**
1260 * Implementation of message_t.parse_header.
1261 */
1262 static status_t parse_header(private_message_t *this)
1263 {
1264 ike_header_t *ike_header;
1265 status_t status;
1266
1267 DBG2(DBG_ENC, "parsing header of message");
1268
1269 this->parser->reset_context(this->parser);
1270 status = this->parser->parse_payload(this->parser, HEADER,
1271 (payload_t**)&ike_header);
1272 if (status != SUCCESS)
1273 {
1274 DBG1(DBG_ENC, "header could not be parsed");
1275 return status;
1276
1277 }
1278
1279 /* verify payload */
1280 status = ike_header->payload_interface.verify(
1281 &ike_header->payload_interface);
1282 if (status != SUCCESS)
1283 {
1284 DBG1(DBG_ENC, "header verification failed");
1285 ike_header->destroy(ike_header);
1286 return status;
1287 }
1288
1289 if (this->ike_sa_id != NULL)
1290 {
1291 this->ike_sa_id->destroy(this->ike_sa_id);
1292 }
1293
1294 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1295 ike_header->get_responder_spi(ike_header),
1296 ike_header->get_initiator_flag(ike_header));
1297
1298 this->exchange_type = ike_header->get_exchange_type(ike_header);
1299 this->message_id = ike_header->get_message_id(ike_header);
1300 this->is_request = (!(ike_header->get_response_flag(ike_header)));
1301 this->major_version = ike_header->get_maj_version(ike_header);
1302 this->minor_version = ike_header->get_min_version(ike_header);
1303 this->first_payload = ike_header->payload_interface.get_next_type(
1304 &ike_header->payload_interface);
1305
1306 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1307 this->is_request ? "request" : "response");
1308
1309 ike_header->destroy(ike_header);
1310
1311 /* get the rules for this messge */
1312 status = set_message_rule(this);
1313 if (status != SUCCESS)
1314 {
1315 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1316 exchange_type_names, this->exchange_type,
1317 this->is_request ? "request" : "response");
1318 }
1319
1320 return status;
1321 }
1322
1323 /**
1324 * Implementation of private_message_t.decrypt_and_verify_payloads.
1325 */
1326 static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
1327 signer_t* signer)
1328 {
1329 bool current_payload_was_encrypted = FALSE;
1330 payload_t *previous_payload = NULL;
1331 int payload_number = 1;
1332 iterator_t *iterator;
1333 payload_t *current_payload;
1334 status_t status;
1335
1336 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1337
1338 /* process each payload and decrypt a encryption payload */
1339 while(iterator->iterate(iterator, (void**)&current_payload))
1340 {
1341 payload_rule_t *payload_rule;
1342 payload_type_t current_payload_type;
1343
1344 /* needed to check */
1345 current_payload_type = current_payload->get_type(current_payload);
1346
1347 DBG2(DBG_ENC, "process payload of type %N",
1348 payload_type_names, current_payload_type);
1349
1350 if (current_payload_type == ENCRYPTED)
1351 {
1352 encryption_payload_t *encryption_payload;
1353 payload_t *current_encrypted_payload;
1354
1355 encryption_payload = (encryption_payload_t*)current_payload;
1356
1357 DBG2(DBG_ENC, "found an encryption payload");
1358
1359 if (payload_number != this->payloads->get_count(this->payloads))
1360 {
1361 /* encrypted payload is not last one */
1362 DBG1(DBG_ENC, "encrypted payload is not last payload");
1363 iterator->destroy(iterator);
1364 return VERIFY_ERROR;
1365 }
1366 /* decrypt */
1367 encryption_payload->set_transforms(encryption_payload,
1368 crypter, signer);
1369 DBG2(DBG_ENC, "verify signature of encryption payload");
1370 status = encryption_payload->verify_signature(encryption_payload,
1371 this->packet->get_data(this->packet));
1372 if (status != SUCCESS)
1373 {
1374 DBG1(DBG_ENC, "encryption payload signature invalid");
1375 iterator->destroy(iterator);
1376 return FAILED;
1377 }
1378 DBG2(DBG_ENC, "decrypting content of encryption payload");
1379 status = encryption_payload->decrypt(encryption_payload);
1380 if (status != SUCCESS)
1381 {
1382 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
1383 iterator->destroy(iterator);
1384 return PARSE_ERROR;
1385 }
1386
1387 /* needed later to find out if a payload was encrypted */
1388 current_payload_was_encrypted = TRUE;
1389
1390 /* check if there are payloads contained in the encryption payload */
1391 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1392 {
1393 DBG2(DBG_ENC, "encrypted payload is empty");
1394 /* remove the encryption payload, is not needed anymore */
1395 iterator->remove(iterator);
1396 /* encrypted payload contains no other payload */
1397 current_payload_type = NO_PAYLOAD;
1398 }
1399 else
1400 {
1401 /* encryption_payload is replaced with first payload contained
1402 * in encryption_payload */
1403 encryption_payload->remove_first_payload(encryption_payload,
1404 &current_encrypted_payload);
1405 iterator->replace(iterator, NULL,
1406 (void *)current_encrypted_payload);
1407 current_payload_type = current_encrypted_payload->get_type(
1408 current_encrypted_payload);
1409 }
1410
1411 /* is the current paylad the first in the message? */
1412 if (previous_payload == NULL)
1413 {
1414 /* yes, set the first payload type of the message to the
1415 * current type */
1416 this->first_payload = current_payload_type;
1417 }
1418 else
1419 {
1420 /* no, set the next_type of the previous payload to the
1421 * current type */
1422 previous_payload->set_next_type(previous_payload,
1423 current_payload_type);
1424 }
1425
1426 /* all encrypted payloads are added to the payload list */
1427 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1428 {
1429 encryption_payload->remove_first_payload(encryption_payload,
1430 &current_encrypted_payload);
1431 DBG2(DBG_ENC, "insert unencrypted payload of type "
1432 "%N at end of list", payload_type_names,
1433 current_encrypted_payload->get_type(
1434 current_encrypted_payload));
1435 this->payloads->insert_last(this->payloads,
1436 current_encrypted_payload);
1437 }
1438
1439 /* encryption payload is processed, payloads are moved. Destroy it. */
1440 encryption_payload->destroy(encryption_payload);
1441 }
1442
1443 /* we allow unknown payloads of any type and don't bother if it was
1444 * encrypted. Not our problem. */
1445 if (current_payload_type != UNKNOWN_PAYLOAD &&
1446 current_payload_type != NO_PAYLOAD)
1447 {
1448 /* get the ruleset for found payload */
1449 status = get_payload_rule(this, current_payload_type, &payload_rule);
1450 if (status != SUCCESS)
1451 {
1452 /* payload is not allowed */
1453 DBG1(DBG_ENC, "payload type %N not allowed",
1454 payload_type_names, current_payload_type);
1455 iterator->destroy(iterator);
1456 return VERIFY_ERROR;
1457 }
1458
1459 /* check if the payload was encrypted, and if it should been have
1460 * encrypted */
1461 if (payload_rule->encrypted != current_payload_was_encrypted)
1462 {
1463 /* payload was not encrypted, but should have been.
1464 * or vice-versa */
1465 DBG1(DBG_ENC, "payload type %N should be %s!",
1466 payload_type_names, current_payload_type,
1467 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1468 iterator->destroy(iterator);
1469 return VERIFY_ERROR;
1470 }
1471 }
1472 /* advance to the next payload */
1473 payload_number++;
1474 /* is stored to set next payload in case of found encryption payload */
1475 previous_payload = current_payload;
1476 }
1477 iterator->destroy(iterator);
1478 return SUCCESS;
1479 }
1480
1481 /**
1482 * Implementation of private_message_t.verify.
1483 */
1484 static status_t verify(private_message_t *this)
1485 {
1486 int i;
1487 enumerator_t *enumerator;
1488 payload_t *current_payload;
1489 size_t total_found_payloads = 0;
1490
1491 DBG2(DBG_ENC, "verifying message structure");
1492
1493 /* check for payloads with wrong count*/
1494 for (i = 0; i < this->message_rule->payload_rule_count; i++)
1495 {
1496 size_t found_payloads = 0;
1497 payload_rule_t *rule;
1498
1499 rule = &this->message_rule->payload_rules[i];
1500 enumerator = create_payload_enumerator(this);
1501
1502 /* check all payloads for specific rule */
1503 while (enumerator->enumerate(enumerator, &current_payload))
1504 {
1505 payload_type_t current_payload_type;
1506 unknown_payload_t *unknown_payload;
1507
1508 current_payload_type = current_payload->get_type(current_payload);
1509 if (current_payload_type == UNKNOWN_PAYLOAD)
1510 {
1511 /* unknown payloads are ignored, IF they are not critical */
1512 unknown_payload = (unknown_payload_t*)current_payload;
1513 if (unknown_payload->is_critical(unknown_payload))
1514 {
1515 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1516 payload_type_names, current_payload_type);
1517 enumerator->destroy(enumerator);
1518 return NOT_SUPPORTED;
1519 }
1520 }
1521 else if (current_payload_type == rule->payload_type)
1522 {
1523 found_payloads++;
1524 total_found_payloads++;
1525 DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
1526 rule->payload_type);
1527
1528 /* as soon as ohe payload occures more then specified,
1529 * the verification fails */
1530 if (found_payloads >
1531 rule->max_occurence)
1532 {
1533 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1534 "occured in current message", payload_type_names,
1535 current_payload_type, rule->max_occurence,
1536 found_payloads);
1537 enumerator->destroy(enumerator);
1538 return VERIFY_ERROR;
1539 }
1540 }
1541 }
1542
1543 if (found_payloads < rule->min_occurence)
1544 {
1545 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1546 payload_type_names, rule->payload_type, rule->min_occurence,
1547 found_payloads);
1548 enumerator->destroy(enumerator);
1549 return VERIFY_ERROR;
1550 }
1551 if (rule->sufficient &&
1552 this->payloads->get_count(this->payloads) == total_found_payloads)
1553 {
1554 enumerator->destroy(enumerator);
1555 return SUCCESS;
1556 }
1557 enumerator->destroy(enumerator);
1558 }
1559 return SUCCESS;
1560 }
1561
1562 /**
1563 * Implementation of message_t.parse_body.
1564 */
1565 static status_t parse_body(private_message_t *this, crypter_t *crypter,
1566 signer_t *signer)
1567 {
1568 status_t status = SUCCESS;
1569 payload_type_t current_payload_type;
1570 char str[256];
1571
1572 current_payload_type = this->first_payload;
1573
1574 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1575 payload_type_names, current_payload_type);
1576
1577 /* parse payload for payload, while there are more available */
1578 while ((current_payload_type != NO_PAYLOAD))
1579 {
1580 payload_t *current_payload;
1581
1582 DBG2(DBG_ENC, "starting parsing a %N payload",
1583 payload_type_names, current_payload_type);
1584
1585 /* parse current payload */
1586 status = this->parser->parse_payload(this->parser, current_payload_type,
1587 (payload_t**)&current_payload);
1588 if (status != SUCCESS)
1589 {
1590 DBG1(DBG_ENC, "payload type %N could not be parsed",
1591 payload_type_names, current_payload_type);
1592 return PARSE_ERROR;
1593 }
1594
1595 DBG2(DBG_ENC, "verifying payload of type %N",
1596 payload_type_names, current_payload_type);
1597
1598 /* verify it, stop parsig if its invalid */
1599 status = current_payload->verify(current_payload);
1600 if (status != SUCCESS)
1601 {
1602 DBG1(DBG_ENC, "%N payload verification failed",
1603 payload_type_names, current_payload_type);
1604 current_payload->destroy(current_payload);
1605 return VERIFY_ERROR;
1606 }
1607
1608 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1609 payload_type_names, current_payload_type);
1610 this->payloads->insert_last(this->payloads,current_payload);
1611
1612 /* an encryption payload is the last one, so STOP here. decryption is
1613 * done later */
1614 if (current_payload_type == ENCRYPTED)
1615 {
1616 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1617 payload_type_names, current_payload_type);
1618 break;
1619 }
1620
1621 /* get next payload type */
1622 current_payload_type = current_payload->get_next_type(current_payload);
1623 }
1624
1625 if (current_payload_type == ENCRYPTED)
1626 {
1627 status = decrypt_payloads(this,crypter,signer);
1628 if (status != SUCCESS)
1629 {
1630 DBG1(DBG_ENC, "could not decrypt payloads");
1631 return status;
1632 }
1633 }
1634
1635 status = verify(this);
1636 if (status != SUCCESS)
1637 {
1638 return status;
1639 }
1640
1641 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1642
1643 return SUCCESS;
1644 }
1645
1646 /**
1647 * Implementation of message_t.destroy.
1648 */
1649 static void destroy (private_message_t *this)
1650 {
1651 DESTROY_IF(this->ike_sa_id);
1652 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1653 this->packet->destroy(this->packet);
1654 this->parser->destroy(this->parser);
1655 free(this);
1656 }
1657
1658 /*
1659 * Described in Header-File
1660 */
1661 message_t *message_create_from_packet(packet_t *packet)
1662 {
1663 private_message_t *this = malloc_thing(private_message_t);
1664
1665 /* public functions */
1666 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1667 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1668 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1669 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1670 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1671 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1672 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1673 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1674 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1675 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1676 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1677 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1678 this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
1679 this->public.set_request = (void(*)(message_t*, bool))set_request;
1680 this->public.get_request = (bool(*)(message_t*))get_request;
1681 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1682 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1683 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1684 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1685 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1686 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1687 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1688 this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
1689 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1690 this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
1691 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1692 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1693 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1694 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1695 this->public.destroy = (void(*)(message_t*))destroy;
1696
1697 /* private values */
1698 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1699 this->is_request = TRUE;
1700 this->ike_sa_id = NULL;
1701 this->first_payload = NO_PAYLOAD;
1702 this->message_id = 0;
1703
1704 /* private values */
1705 if (packet == NULL)
1706 {
1707 packet = packet_create();
1708 }
1709 this->message_rule = NULL;
1710 this->packet = packet;
1711 this->payloads = linked_list_create();
1712
1713 /* parser is created from data of packet */
1714 this->parser = parser_create(this->packet->get_data(this->packet));
1715
1716 return (&this->public);
1717 }
1718
1719 /*
1720 * Described in Header.
1721 */
1722 message_t *message_create()
1723 {
1724 return message_create_from_packet(NULL);
1725 }
1726