Handle unsupported IKEv1 exchange types more specifically.
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/keymat_v1.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/hash_payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of vendor ID payloads per IKEv2 message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * Max number of certificate request payloads per IKEv1 message
59 */
60 #define MAX_CERTREQ_PAYLOADS 5
61
62 /**
63 * A payload rule defines the rules for a payload
64 * in a specific message rule. It defines if and how
65 * many times a payload must/can occur in a message
66 * and if it must be encrypted.
67 */
68 typedef struct {
69 /* Payload type */
70 payload_type_t type;
71 /* Minimal occurrence of this payload. */
72 size_t min_occurence;
73 /* Max occurrence of this payload. */
74 size_t max_occurence;
75 /* TRUE if payload must be encrypted */
76 bool encrypted;
77 /* If payload occurs, the message rule is fulfilled */
78 bool sufficient;
79 } payload_rule_t;
80
81 /**
82 * payload ordering structure allows us to reorder payloads according to RFC.
83 */
84 typedef struct {
85 /** payload type */
86 payload_type_t type;
87 /** notify type, if payload == NOTIFY */
88 notify_type_t notify;
89 } payload_order_t;
90
91 /**
92 * A message rule defines the kind of a message,
93 * if it has encrypted contents and a list
94 * of payload ordering rules and payload parsing rules.
95 */
96 typedef struct {
97 /** Type of message. */
98 exchange_type_t exchange_type;
99 /** Is message a request or response. */
100 bool is_request;
101 /** Message contains encrypted payloads. */
102 bool encrypted;
103 /** Number of payload rules which will follow */
104 int rule_count;
105 /** Pointer to first payload rule */
106 payload_rule_t *rules;
107 /** Number of payload order rules */
108 int order_count;
109 /** payload ordering rules */
110 payload_order_t *order;
111 } message_rule_t;
112
113 /**
114 * Message rule for IKE_SA_INIT from initiator.
115 */
116 static payload_rule_t ike_sa_init_i_rules[] = {
117 /* payload type min max encr suff */
118 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
119 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
120 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
121 {NONCE, 1, 1, FALSE, FALSE},
122 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
123 };
124
125 /**
126 * payload order for IKE_SA_INIT initiator
127 */
128 static payload_order_t ike_sa_init_i_order[] = {
129 /* payload type notify type */
130 {NOTIFY, COOKIE},
131 {SECURITY_ASSOCIATION, 0},
132 {KEY_EXCHANGE, 0},
133 {NONCE, 0},
134 {NOTIFY, NAT_DETECTION_SOURCE_IP},
135 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
136 {NOTIFY, 0},
137 {VENDOR_ID, 0},
138 };
139
140 /**
141 * Message rule for IKE_SA_INIT from responder.
142 */
143 static payload_rule_t ike_sa_init_r_rules[] = {
144 /* payload type min max encr suff */
145 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
146 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
147 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
148 {NONCE, 1, 1, FALSE, FALSE},
149 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
150 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
151 };
152
153 /**
154 * payload order for IKE_SA_INIT responder
155 */
156 static payload_order_t ike_sa_init_r_order[] = {
157 /* payload type notify type */
158 {SECURITY_ASSOCIATION, 0},
159 {KEY_EXCHANGE, 0},
160 {NONCE, 0},
161 {NOTIFY, NAT_DETECTION_SOURCE_IP},
162 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
163 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
164 {CERTIFICATE_REQUEST, 0},
165 {NOTIFY, 0},
166 {VENDOR_ID, 0},
167 };
168
169 /**
170 * Message rule for IKE_AUTH from initiator.
171 */
172 static payload_rule_t ike_auth_i_rules[] = {
173 /* payload type min max encr suff */
174 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
175 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
176 {AUTHENTICATION, 0, 1, TRUE, TRUE},
177 {ID_INITIATOR, 0, 1, TRUE, FALSE},
178 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
179 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
180 {ID_RESPONDER, 0, 1, TRUE, FALSE},
181 #ifdef ME
182 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
184 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
185 #else
186 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
187 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
188 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
189 #endif /* ME */
190 {CONFIGURATION, 0, 1, TRUE, FALSE},
191 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
192 };
193
194 /**
195 * payload order for IKE_AUTH initiator
196 */
197 static payload_order_t ike_auth_i_order[] = {
198 /* payload type notify type */
199 {ID_INITIATOR, 0},
200 {CERTIFICATE, 0},
201 {NOTIFY, INITIAL_CONTACT},
202 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
203 {CERTIFICATE_REQUEST, 0},
204 {ID_RESPONDER, 0},
205 {AUTHENTICATION, 0},
206 {EXTENSIBLE_AUTHENTICATION, 0},
207 {CONFIGURATION, 0},
208 {NOTIFY, IPCOMP_SUPPORTED},
209 {NOTIFY, USE_TRANSPORT_MODE},
210 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
211 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
212 {SECURITY_ASSOCIATION, 0},
213 {TRAFFIC_SELECTOR_INITIATOR, 0},
214 {TRAFFIC_SELECTOR_RESPONDER, 0},
215 {NOTIFY, MOBIKE_SUPPORTED},
216 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
217 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
218 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
219 {NOTIFY, 0},
220 {VENDOR_ID, 0},
221 };
222
223 /**
224 * Message rule for IKE_AUTH from responder.
225 */
226 static payload_rule_t ike_auth_r_rules[] = {
227 /* payload type min max encr suff */
228 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
229 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
230 {AUTHENTICATION, 0, 1, TRUE, TRUE},
231 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
232 {ID_RESPONDER, 0, 1, TRUE, FALSE},
233 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
234 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
235 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
236 {CONFIGURATION, 0, 1, TRUE, FALSE},
237 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
238 };
239
240 /**
241 * payload order for IKE_AUTH responder
242 */
243 static payload_order_t ike_auth_r_order[] = {
244 /* payload type notify type */
245 {ID_RESPONDER, 0},
246 {CERTIFICATE, 0},
247 {AUTHENTICATION, 0},
248 {EXTENSIBLE_AUTHENTICATION, 0},
249 {CONFIGURATION, 0},
250 {NOTIFY, IPCOMP_SUPPORTED},
251 {NOTIFY, USE_TRANSPORT_MODE},
252 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
253 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
254 {SECURITY_ASSOCIATION, 0},
255 {TRAFFIC_SELECTOR_INITIATOR, 0},
256 {TRAFFIC_SELECTOR_RESPONDER, 0},
257 {NOTIFY, AUTH_LIFETIME},
258 {NOTIFY, MOBIKE_SUPPORTED},
259 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
260 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
261 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
262 {NOTIFY, 0},
263 {VENDOR_ID, 0},
264 };
265
266 /**
267 * Message rule for INFORMATIONAL from initiator.
268 */
269 static payload_rule_t informational_i_rules[] = {
270 /* payload type min max encr suff */
271 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
272 {CONFIGURATION, 0, 1, TRUE, FALSE},
273 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
274 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
275 };
276
277 /**
278 * payload order for INFORMATIONAL initiator
279 */
280 static payload_order_t informational_i_order[] = {
281 /* payload type notify type */
282 {NOTIFY, UPDATE_SA_ADDRESSES},
283 {NOTIFY, NAT_DETECTION_SOURCE_IP},
284 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
285 {NOTIFY, COOKIE2},
286 {NOTIFY, 0},
287 {DELETE, 0},
288 {CONFIGURATION, 0},
289 };
290
291 /**
292 * Message rule for INFORMATIONAL from responder.
293 */
294 static payload_rule_t informational_r_rules[] = {
295 /* payload type min max encr suff */
296 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
297 {CONFIGURATION, 0, 1, TRUE, FALSE},
298 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
299 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
300 };
301
302 /**
303 * payload order for INFORMATIONAL responder
304 */
305 static payload_order_t informational_r_order[] = {
306 /* payload type notify type */
307 {NOTIFY, UPDATE_SA_ADDRESSES},
308 {NOTIFY, NAT_DETECTION_SOURCE_IP},
309 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
310 {NOTIFY, COOKIE2},
311 {NOTIFY, 0},
312 {DELETE, 0},
313 {CONFIGURATION, 0},
314 };
315
316 /**
317 * Message rule for CREATE_CHILD_SA from initiator.
318 */
319 static payload_rule_t create_child_sa_i_rules[] = {
320 /* payload type min max encr suff */
321 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
322 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
323 {NONCE, 1, 1, TRUE, FALSE},
324 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
325 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
326 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
327 {CONFIGURATION, 0, 1, TRUE, FALSE},
328 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
329 };
330
331 /**
332 * payload order for CREATE_CHILD_SA from initiator.
333 */
334 static payload_order_t create_child_sa_i_order[] = {
335 /* payload type notify type */
336 {NOTIFY, REKEY_SA},
337 {NOTIFY, IPCOMP_SUPPORTED},
338 {NOTIFY, USE_TRANSPORT_MODE},
339 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
340 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
341 {SECURITY_ASSOCIATION, 0},
342 {NONCE, 0},
343 {KEY_EXCHANGE, 0},
344 {TRAFFIC_SELECTOR_INITIATOR, 0},
345 {TRAFFIC_SELECTOR_RESPONDER, 0},
346 {NOTIFY, 0},
347 };
348
349 /**
350 * Message rule for CREATE_CHILD_SA from responder.
351 */
352 static payload_rule_t create_child_sa_r_rules[] = {
353 /* payload type min max encr suff */
354 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
355 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
356 {NONCE, 1, 1, TRUE, FALSE},
357 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
359 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
360 {CONFIGURATION, 0, 1, TRUE, FALSE},
361 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
362 };
363
364 /**
365 * payload order for CREATE_CHILD_SA from responder.
366 */
367 static payload_order_t create_child_sa_r_order[] = {
368 /* payload type notify type */
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
379 {NOTIFY, 0},
380 };
381
382 #ifdef ME
383 /**
384 * Message rule for ME_CONNECT from initiator.
385 */
386 static payload_rule_t me_connect_i_rules[] = {
387 /* payload type min max encr suff */
388 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
389 {ID_PEER, 1, 1, TRUE, FALSE},
390 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
391 };
392
393 /**
394 * payload order for ME_CONNECT from initiator.
395 */
396 static payload_order_t me_connect_i_order[] = {
397 /* payload type notify type */
398 {NOTIFY, 0},
399 {ID_PEER, 0},
400 {VENDOR_ID, 0},
401 };
402
403 /**
404 * Message rule for ME_CONNECT from responder.
405 */
406 static payload_rule_t me_connect_r_rules[] = {
407 /* payload type min max encr suff */
408 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
409 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
410 };
411
412 /**
413 * payload order for ME_CONNECT from responder.
414 */
415 static payload_order_t me_connect_r_order[] = {
416 /* payload type notify type */
417 {NOTIFY, 0},
418 {VENDOR_ID, 0},
419 };
420 #endif /* ME */
421
422 #ifdef USE_IKEV1
423 /**
424 * Message rule for ID_PROT from initiator.
425 */
426 static payload_rule_t id_prot_i_rules[] = {
427 /* payload type min max encr suff */
428 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
429 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
430 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
431 {NONCE_V1, 0, 1, FALSE, FALSE},
432 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
433 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
434 {ID_V1, 0, 1, TRUE, FALSE},
435 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
436 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
437 {HASH_V1, 0, 1, TRUE, FALSE},
438 };
439
440 /**
441 * payload order for ID_PROT from initiator.
442 */
443 static payload_order_t id_prot_i_order[] = {
444 /* payload type notify type */
445 {SECURITY_ASSOCIATION_V1, 0},
446 {KEY_EXCHANGE_V1, 0},
447 {NONCE_V1, 0},
448 {ID_V1, 0},
449 {CERTIFICATE_V1, 0},
450 {SIGNATURE_V1, 0},
451 {HASH_V1, 0},
452 {CERTIFICATE_REQUEST_V1, 0},
453 {NOTIFY_V1, 0},
454 {VENDOR_ID_V1, 0},
455 };
456
457 /**
458 * Message rule for ID_PROT from responder.
459 */
460 static payload_rule_t id_prot_r_rules[] = {
461 /* payload type min max encr suff */
462 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
463 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
464 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
465 {NONCE_V1, 0, 1, FALSE, FALSE},
466 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
467 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
468 {ID_V1, 0, 1, TRUE, FALSE},
469 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
470 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
471 {HASH_V1, 0, 1, TRUE, FALSE},
472 };
473
474 /**
475 * payload order for ID_PROT from responder.
476 */
477 static payload_order_t id_prot_r_order[] = {
478 /* payload type notify type */
479 {SECURITY_ASSOCIATION_V1, 0},
480 {KEY_EXCHANGE_V1, 0},
481 {NONCE_V1, 0},
482 {ID_V1, 0},
483 {CERTIFICATE_V1, 0},
484 {SIGNATURE_V1, 0},
485 {HASH_V1, 0},
486 {CERTIFICATE_REQUEST_V1, 0},
487 {NOTIFY_V1, 0},
488 {VENDOR_ID_V1, 0},
489 };
490
491 /**
492 * Message rule for AGGRESSIVE from initiator.
493 */
494 static payload_rule_t aggressive_i_rules[] = {
495 /* payload type min max encr suff */
496 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
497 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
498 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
499 {NONCE_V1, 0, 1, FALSE, FALSE},
500 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
501 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
502 {ID_V1, 0, 1, FALSE, FALSE},
503 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
504 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
505 {HASH_V1, 0, 1, FALSE, FALSE},
506 };
507
508 /**
509 * payload order for AGGRESSIVE from initiator.
510 */
511 static payload_order_t aggressive_i_order[] = {
512 /* payload type notify type */
513 {SECURITY_ASSOCIATION_V1, 0},
514 {KEY_EXCHANGE_V1, 0},
515 {NONCE_V1, 0},
516 {ID_V1, 0},
517 {CERTIFICATE_V1, 0},
518 {SIGNATURE_V1, 0},
519 {HASH_V1, 0},
520 {CERTIFICATE_REQUEST_V1, 0},
521 {NOTIFY_V1, 0},
522 {VENDOR_ID_V1, 0},
523 };
524
525 /**
526 * Message rule for AGGRESSIVE from responder.
527 */
528 static payload_rule_t aggressive_r_rules[] = {
529 /* payload type min max encr suff */
530 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
531 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
532 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
533 {NONCE_V1, 0, 1, FALSE, FALSE},
534 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
535 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
536 {ID_V1, 0, 1, FALSE, FALSE},
537 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
538 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
539 {HASH_V1, 0, 1, FALSE, FALSE},
540 };
541
542 /**
543 * payload order for AGGRESSIVE from responder.
544 */
545 static payload_order_t aggressive_r_order[] = {
546 /* payload type notify type */
547 {SECURITY_ASSOCIATION_V1, 0},
548 {KEY_EXCHANGE_V1, 0},
549 {NONCE_V1, 0},
550 {ID_V1, 0},
551 {CERTIFICATE_V1, 0},
552 {SIGNATURE_V1, 0},
553 {HASH_V1, 0},
554 {CERTIFICATE_REQUEST_V1, 0},
555 {NOTIFY_V1, 0},
556 {VENDOR_ID_V1, 0},
557 };
558
559 /**
560 * Message rule for INFORMATIONAL_V1 from initiator.
561 */
562 static payload_rule_t informational_i_rules_v1[] = {
563 /* payload type min max encr suff */
564 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
565 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
566 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
567 };
568
569 /**
570 * payload order for INFORMATIONAL_V1 from initiator.
571 */
572 static payload_order_t informational_i_order_v1[] = {
573 /* payload type notify type */
574 {NOTIFY_V1, 0},
575 {DELETE_V1, 0},
576 {VENDOR_ID_V1, 0},
577 };
578
579 /**
580 * Message rule for QUICK_MODE from initiator.
581 */
582 static payload_rule_t quick_mode_i_rules[] = {
583 /* payload type min max encr suff */
584 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
585 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
586 {HASH_V1, 0, 1, TRUE, FALSE},
587 {SECURITY_ASSOCIATION_V1, 0, 2, TRUE, FALSE},
588 {NONCE_V1, 0, 1, TRUE, FALSE},
589 {KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
590 {ID_V1, 0, 2, TRUE, FALSE},
591 };
592
593 /**
594 * payload order for QUICK_MODE from initiator.
595 */
596 static payload_order_t quick_mode_i_order[] = {
597 /* payload type notify type */
598 {NOTIFY_V1, 0},
599 {VENDOR_ID_V1, 0},
600 {HASH_V1, 0},
601 {SECURITY_ASSOCIATION_V1, 0},
602 {NONCE_V1, 0},
603 {KEY_EXCHANGE_V1, 0},
604 {ID_V1, 0},
605 };
606
607 /**
608 * Message rule for QUICK_MODE from responder.
609 */
610 static payload_rule_t quick_mode_r_rules[] = {
611 /* payload type min max encr suff */
612 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
613 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
614 {HASH_V1, 0, 1, TRUE, FALSE},
615 {SECURITY_ASSOCIATION_V1, 0, 2, TRUE, FALSE},
616 {NONCE_V1, 0, 1, TRUE, FALSE},
617 {KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
618 {ID_V1, 0, 2, TRUE, FALSE},
619 };
620
621 /**
622 * payload order for QUICK_MODE from responder.
623 */
624 static payload_order_t quick_mode_r_order[] = {
625 /* payload type notify type */
626 {NOTIFY_V1, 0},
627 {VENDOR_ID_V1, 0},
628 {HASH_V1, 0},
629 {SECURITY_ASSOCIATION_V1, 0},
630 {NONCE_V1, 0},
631 {KEY_EXCHANGE_V1, 0},
632 {ID_V1, 0},
633 };
634
635 /**
636 * Message rule for TRANSACTION.
637 */
638 static payload_rule_t transaction_payload_rules_v1[] = {
639 /* payload type min max encr suff */
640 {HASH_V1, 0, 1, TRUE, FALSE},
641 {CONFIGURATION_V1, 1, 1, FALSE, FALSE},
642 };
643
644 /**
645 * Payload order for TRANSACTION.
646 */
647 static payload_order_t transaction_payload_order_v1[] = {
648 /* payload type notify type */
649 {HASH_V1, 0},
650 {CONFIGURATION_V1, 0},
651 };
652
653 #endif /* USE_IKEV1 */
654
655 /**
656 * Message rules, defines allowed payloads.
657 */
658 static message_rule_t message_rules[] = {
659 {IKE_SA_INIT, TRUE, FALSE,
660 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
661 countof(ike_sa_init_i_order), ike_sa_init_i_order,
662 },
663 {IKE_SA_INIT, FALSE, FALSE,
664 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
665 countof(ike_sa_init_r_order), ike_sa_init_r_order,
666 },
667 {IKE_AUTH, TRUE, TRUE,
668 countof(ike_auth_i_rules), ike_auth_i_rules,
669 countof(ike_auth_i_order), ike_auth_i_order,
670 },
671 {IKE_AUTH, FALSE, TRUE,
672 countof(ike_auth_r_rules), ike_auth_r_rules,
673 countof(ike_auth_r_order), ike_auth_r_order,
674 },
675 {INFORMATIONAL, TRUE, TRUE,
676 countof(informational_i_rules), informational_i_rules,
677 countof(informational_i_order), informational_i_order,
678 },
679 {INFORMATIONAL, FALSE, TRUE,
680 countof(informational_r_rules), informational_r_rules,
681 countof(informational_r_order), informational_r_order,
682 },
683 {CREATE_CHILD_SA, TRUE, TRUE,
684 countof(create_child_sa_i_rules), create_child_sa_i_rules,
685 countof(create_child_sa_i_order), create_child_sa_i_order,
686 },
687 {CREATE_CHILD_SA, FALSE, TRUE,
688 countof(create_child_sa_r_rules), create_child_sa_r_rules,
689 countof(create_child_sa_r_order), create_child_sa_r_order,
690 },
691 #ifdef ME
692 {ME_CONNECT, TRUE, TRUE,
693 countof(me_connect_i_rules), me_connect_i_rules,
694 countof(me_connect_i_order), me_connect_i_order,
695 },
696 {ME_CONNECT, FALSE, TRUE,
697 countof(me_connect_r_rules), me_connect_r_rules,
698 countof(me_connect_r_order), me_connect_r_order,
699 },
700 #endif /* ME */
701 #ifdef USE_IKEV1
702 {ID_PROT, TRUE, FALSE,
703 countof(id_prot_i_rules), id_prot_i_rules,
704 countof(id_prot_i_order), id_prot_i_order,
705 },
706 {ID_PROT, FALSE, FALSE,
707 countof(id_prot_r_rules), id_prot_r_rules,
708 countof(id_prot_r_order), id_prot_r_order,
709 },
710 {AGGRESSIVE, TRUE, FALSE,
711 countof(aggressive_i_rules), aggressive_i_rules,
712 countof(aggressive_i_order), aggressive_i_order,
713 },
714 {AGGRESSIVE, FALSE, FALSE,
715 countof(aggressive_r_rules), aggressive_r_rules,
716 countof(aggressive_r_order), aggressive_r_order,
717 },
718 {INFORMATIONAL_V1, TRUE, TRUE,
719 countof(informational_i_rules_v1), informational_i_rules_v1,
720 countof(informational_i_order_v1), informational_i_order_v1,
721 },
722 {QUICK_MODE, TRUE, TRUE,
723 countof(quick_mode_i_rules), quick_mode_i_rules,
724 countof(quick_mode_i_order), quick_mode_i_order,
725 },
726 {QUICK_MODE, FALSE, TRUE,
727 countof(quick_mode_r_rules), quick_mode_r_rules,
728 countof(quick_mode_r_order), quick_mode_r_order,
729 },
730 {TRANSACTION, TRUE, TRUE,
731 countof(transaction_payload_rules_v1), transaction_payload_rules_v1,
732 countof(transaction_payload_order_v1), transaction_payload_order_v1,
733 },
734 {TRANSACTION, FALSE, TRUE,
735 countof(transaction_payload_rules_v1), transaction_payload_rules_v1,
736 countof(transaction_payload_order_v1), transaction_payload_order_v1,
737 },
738 /* TODO-IKEv1: define rules for other exchanges */
739 #endif /* USE_IKEV1 */
740 };
741
742
743 typedef struct private_message_t private_message_t;
744
745 /**
746 * Private data of an message_t object.
747 */
748 struct private_message_t {
749
750 /**
751 * Public part of a message_t object.
752 */
753 message_t public;
754
755 /**
756 * Minor version of message.
757 */
758 u_int8_t major_version;
759
760 /**
761 * Major version of message.
762 */
763 u_int8_t minor_version;
764
765 /**
766 * First Payload in message.
767 */
768 payload_type_t first_payload;
769
770 /**
771 * Assigned exchange type.
772 */
773 exchange_type_t exchange_type;
774
775 /**
776 * TRUE if message is a request, FALSE if a reply.
777 */
778 bool is_request;
779
780 /**
781 * The message is encrypted (IKEv1)
782 */
783 bool is_encrypted;
784
785 /**
786 * Higher version supported?
787 */
788 bool version_flag;
789
790 /**
791 * Reserved bits in IKE header
792 */
793 bool reserved[2];
794
795 /**
796 * Sorting of message disabled?
797 */
798 bool sort_disabled;
799
800 /**
801 * Message ID of this message.
802 */
803 u_int32_t message_id;
804
805 /**
806 * ID of assigned IKE_SA.
807 */
808 ike_sa_id_t *ike_sa_id;
809
810 /**
811 * Assigned UDP packet, stores incoming packet or last generated one.
812 */
813 packet_t *packet;
814
815 /**
816 * Linked List where payload data are stored in.
817 */
818 linked_list_t *payloads;
819
820 /**
821 * Assigned parser to parse Header and Body of this message.
822 */
823 parser_t *parser;
824
825 /**
826 * The message rule for this message instance
827 */
828 message_rule_t *rule;
829 };
830
831 /**
832 * Get the message rule that applies to this message
833 */
834 static message_rule_t* get_message_rule(private_message_t *this)
835 {
836 int i;
837
838 for (i = 0; i < countof(message_rules); i++)
839 {
840 if ((this->exchange_type == message_rules[i].exchange_type) &&
841 (this->is_request == message_rules[i].is_request))
842 {
843 return &message_rules[i];
844 }
845 }
846 return NULL;
847 }
848
849 /**
850 * Look up a payload rule
851 */
852 static payload_rule_t* get_payload_rule(private_message_t *this,
853 payload_type_t type)
854 {
855 int i;
856
857 for (i = 0; i < this->rule->rule_count;i++)
858 {
859 if (this->rule->rules[i].type == type)
860 {
861 return &this->rule->rules[i];
862 }
863 }
864 return NULL;
865 }
866
867 METHOD(message_t, set_ike_sa_id, void,
868 private_message_t *this,ike_sa_id_t *ike_sa_id)
869 {
870 DESTROY_IF(this->ike_sa_id);
871 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
872 }
873
874 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
875 private_message_t *this)
876 {
877 return this->ike_sa_id;
878 }
879
880 METHOD(message_t, set_message_id, void,
881 private_message_t *this,u_int32_t message_id)
882 {
883 this->message_id = message_id;
884 }
885
886 METHOD(message_t, get_message_id, u_int32_t,
887 private_message_t *this)
888 {
889 return this->message_id;
890 }
891
892 METHOD(message_t, get_initiator_spi, u_int64_t,
893 private_message_t *this)
894 {
895 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
896 }
897
898 METHOD(message_t, get_responder_spi, u_int64_t,
899 private_message_t *this)
900 {
901 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
902 }
903
904 METHOD(message_t, set_major_version, void,
905 private_message_t *this, u_int8_t major_version)
906 {
907 this->major_version = major_version;
908 }
909
910 METHOD(message_t, get_major_version, u_int8_t,
911 private_message_t *this)
912 {
913 return this->major_version;
914 }
915
916 METHOD(message_t, set_minor_version, void,
917 private_message_t *this,u_int8_t minor_version)
918 {
919 this->minor_version = minor_version;
920 }
921
922 METHOD(message_t, get_minor_version, u_int8_t,
923 private_message_t *this)
924 {
925 return this->minor_version;
926 }
927
928 METHOD(message_t, set_exchange_type, void,
929 private_message_t *this, exchange_type_t exchange_type)
930 {
931 this->exchange_type = exchange_type;
932 }
933
934 METHOD(message_t, get_exchange_type, exchange_type_t,
935 private_message_t *this)
936 {
937 return this->exchange_type;
938 }
939
940 METHOD(message_t, get_first_payload_type, payload_type_t,
941 private_message_t *this)
942 {
943 return this->first_payload;
944 }
945
946 METHOD(message_t, set_request, void,
947 private_message_t *this, bool request)
948 {
949 this->is_request = request;
950 }
951
952 METHOD(message_t, get_request, bool,
953 private_message_t *this)
954 {
955 return this->is_request;
956 }
957
958 METHOD(message_t, set_version_flag, void,
959 private_message_t *this)
960 {
961 this->version_flag = TRUE;
962 }
963
964 METHOD(message_t, get_reserved_header_bit, bool,
965 private_message_t *this, u_int nr)
966 {
967 if (nr < countof(this->reserved))
968 {
969 return this->reserved[nr];
970 }
971 return FALSE;
972 }
973
974 METHOD(message_t, set_reserved_header_bit, void,
975 private_message_t *this, u_int nr)
976 {
977 if (nr < countof(this->reserved))
978 {
979 this->reserved[nr] = TRUE;
980 }
981 }
982
983 METHOD(message_t, is_encoded, bool,
984 private_message_t *this)
985 {
986 return this->packet->get_data(this->packet).ptr != NULL;
987 }
988
989 METHOD(message_t, add_payload, void,
990 private_message_t *this, payload_t *payload)
991 {
992 payload_t *last_payload;
993
994 if (this->payloads->get_count(this->payloads) > 0)
995 {
996 this->payloads->get_last(this->payloads, (void **)&last_payload);
997 last_payload->set_next_type(last_payload, payload->get_type(payload));
998 }
999 else
1000 {
1001 this->first_payload = payload->get_type(payload);
1002 }
1003 payload->set_next_type(payload, NO_PAYLOAD);
1004 this->payloads->insert_last(this->payloads, payload);
1005
1006 DBG2(DBG_ENC ,"added payload of type %N to message",
1007 payload_type_names, payload->get_type(payload));
1008 }
1009
1010 METHOD(message_t, add_notify, void,
1011 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
1012 {
1013 notify_payload_t *notify;
1014 payload_t *payload;
1015
1016 if (flush)
1017 {
1018 while (this->payloads->remove_last(this->payloads,
1019 (void**)&payload) == SUCCESS)
1020 {
1021 payload->destroy(payload);
1022 }
1023 }
1024 if (this->major_version == IKEV2_MAJOR_VERSION)
1025 {
1026 notify = notify_payload_create(NOTIFY);
1027 }
1028 else
1029 {
1030 notify = notify_payload_create(NOTIFY_V1);
1031 }
1032 notify->set_notify_type(notify, type);
1033 notify->set_notification_data(notify, data);
1034 add_payload(this, (payload_t*)notify);
1035 }
1036
1037 METHOD(message_t, set_source, void,
1038 private_message_t *this, host_t *host)
1039 {
1040 this->packet->set_source(this->packet, host);
1041 }
1042
1043 METHOD(message_t, set_destination, void,
1044 private_message_t *this, host_t *host)
1045 {
1046 this->packet->set_destination(this->packet, host);
1047 }
1048
1049 METHOD(message_t, get_source, host_t*,
1050 private_message_t *this)
1051 {
1052 return this->packet->get_source(this->packet);
1053 }
1054
1055 METHOD(message_t, get_destination, host_t*,
1056 private_message_t *this)
1057 {
1058 return this->packet->get_destination(this->packet);
1059 }
1060
1061 METHOD(message_t, create_payload_enumerator, enumerator_t*,
1062 private_message_t *this)
1063 {
1064 return this->payloads->create_enumerator(this->payloads);
1065 }
1066
1067 METHOD(message_t, remove_payload_at, void,
1068 private_message_t *this, enumerator_t *enumerator)
1069 {
1070 this->payloads->remove_at(this->payloads, enumerator);
1071 }
1072
1073 METHOD(message_t, get_payload, payload_t*,
1074 private_message_t *this, payload_type_t type)
1075 {
1076 payload_t *current, *found = NULL;
1077 enumerator_t *enumerator;
1078
1079 enumerator = create_payload_enumerator(this);
1080 while (enumerator->enumerate(enumerator, &current))
1081 {
1082 if (current->get_type(current) == type)
1083 {
1084 found = current;
1085 break;
1086 }
1087 }
1088 enumerator->destroy(enumerator);
1089 return found;
1090 }
1091
1092 METHOD(message_t, get_notify, notify_payload_t*,
1093 private_message_t *this, notify_type_t type)
1094 {
1095 enumerator_t *enumerator;
1096 notify_payload_t *notify = NULL;
1097 payload_t *payload;
1098
1099 enumerator = create_payload_enumerator(this);
1100 while (enumerator->enumerate(enumerator, &payload))
1101 {
1102 if (payload->get_type(payload) == NOTIFY)
1103 {
1104 notify = (notify_payload_t*)payload;
1105 if (notify->get_notify_type(notify) == type)
1106 {
1107 break;
1108 }
1109 notify = NULL;
1110 }
1111 }
1112 enumerator->destroy(enumerator);
1113 return notify;
1114 }
1115
1116 /**
1117 * get a string representation of the message
1118 */
1119 static char* get_string(private_message_t *this, char *buf, int len)
1120 {
1121 enumerator_t *enumerator;
1122 payload_t *payload;
1123 int written;
1124 char *pos = buf;
1125
1126 memset(buf, 0, len);
1127 len--;
1128
1129 written = snprintf(pos, len, "%N %s %u [",
1130 exchange_type_names, this->exchange_type,
1131 this->is_request ? "request" : "response",
1132 this->message_id);
1133 if (written >= len || written < 0)
1134 {
1135 return "";
1136 }
1137 pos += written;
1138 len -= written;
1139
1140 enumerator = create_payload_enumerator(this);
1141 while (enumerator->enumerate(enumerator, &payload))
1142 {
1143 written = snprintf(pos, len, " %N", payload_type_short_names,
1144 payload->get_type(payload));
1145 if (written >= len || written < 0)
1146 {
1147 return buf;
1148 }
1149 pos += written;
1150 len -= written;
1151 if (payload->get_type(payload) == NOTIFY)
1152 {
1153 notify_payload_t *notify;
1154 notify_type_t type;
1155 chunk_t data;
1156
1157 notify = (notify_payload_t*)payload;
1158 type = notify->get_notify_type(notify);
1159 data = notify->get_notification_data(notify);
1160 if (type == MS_NOTIFY_STATUS && data.len == 4)
1161 {
1162 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1163 type, untoh32(data.ptr));
1164 }
1165 else
1166 {
1167 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1168 type);
1169 }
1170 if (written >= len || written < 0)
1171 {
1172 return buf;
1173 }
1174 pos += written;
1175 len -= written;
1176 }
1177 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1178 {
1179 eap_payload_t *eap = (eap_payload_t*)payload;
1180 u_int32_t vendor;
1181 eap_type_t type;
1182 char method[64] = "";
1183
1184 type = eap->get_type(eap, &vendor);
1185 if (type)
1186 {
1187 if (vendor)
1188 {
1189 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1190 }
1191 else
1192 {
1193 snprintf(method, sizeof(method), "/%N",
1194 eap_type_short_names, type);
1195 }
1196 }
1197 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1198 eap->get_code(eap), method);
1199 if (written >= len || written < 0)
1200 {
1201 return buf;
1202 }
1203 pos += written;
1204 len -= written;
1205 }
1206 if (payload->get_type(payload) == CONFIGURATION)
1207 {
1208 cp_payload_t *cp = (cp_payload_t*)payload;
1209 enumerator_t *attributes;
1210 configuration_attribute_t *attribute;
1211 bool first = TRUE;
1212
1213 attributes = cp->create_attribute_enumerator(cp);
1214 while (attributes->enumerate(attributes, &attribute))
1215 {
1216 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1217 configuration_attribute_type_short_names,
1218 attribute->get_type(attribute));
1219 if (written >= len || written < 0)
1220 {
1221 return buf;
1222 }
1223 pos += written;
1224 len -= written;
1225 first = FALSE;
1226 }
1227 attributes->destroy(attributes);
1228 if (!first)
1229 {
1230 written = snprintf(pos, len, ")");
1231 if (written >= len || written < 0)
1232 {
1233 return buf;
1234 }
1235 pos += written;
1236 len -= written;
1237 }
1238 }
1239 }
1240 enumerator->destroy(enumerator);
1241
1242 /* remove last space */
1243 snprintf(pos, len, " ]");
1244 return buf;
1245 }
1246
1247 /**
1248 * reorder payloads depending on reordering rules
1249 */
1250 static void order_payloads(private_message_t *this)
1251 {
1252 linked_list_t *list;
1253 payload_t *payload;
1254 int i;
1255
1256 /* move to temp list */
1257 list = linked_list_create();
1258 while (this->payloads->remove_last(this->payloads,
1259 (void**)&payload) == SUCCESS)
1260 {
1261 list->insert_first(list, payload);
1262 }
1263 /* for each rule, ... */
1264 for (i = 0; i < this->rule->order_count; i++)
1265 {
1266 enumerator_t *enumerator;
1267 notify_payload_t *notify;
1268 payload_order_t order;
1269
1270 order = this->rule->order[i];
1271
1272 /* ... find all payload ... */
1273 enumerator = list->create_enumerator(list);
1274 while (enumerator->enumerate(enumerator, &payload))
1275 {
1276 /* ... with that type ... */
1277 if (payload->get_type(payload) == order.type)
1278 {
1279 notify = (notify_payload_t*)payload;
1280
1281 /**... and check notify for type. */
1282 if (order.type != NOTIFY || order.notify == 0 ||
1283 order.notify == notify->get_notify_type(notify))
1284 {
1285 list->remove_at(list, enumerator);
1286 add_payload(this, payload);
1287 }
1288 }
1289 }
1290 enumerator->destroy(enumerator);
1291 }
1292 /* append all payloads without a rule to the end */
1293 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1294 {
1295 /* do not complain about payloads in private use space */
1296 if (payload->get_type(payload) < 128)
1297 {
1298 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1299 payload_type_names, payload->get_type(payload),
1300 exchange_type_names, this->rule->exchange_type,
1301 this->rule->is_request ? "request" : "response");
1302 }
1303 add_payload(this, payload);
1304 }
1305 list->destroy(list);
1306 }
1307
1308 /**
1309 * Wrap payloads in an encryption payload
1310 */
1311 static encryption_payload_t* wrap_payloads(private_message_t *this,
1312 payload_type_t encryption_type)
1313 {
1314 encryption_payload_t *encryption;
1315 linked_list_t *payloads;
1316 payload_t *current;
1317
1318 /* copy all payloads in a temporary list */
1319 payloads = linked_list_create();
1320 while (this->payloads->remove_first(this->payloads,
1321 (void**)&current) == SUCCESS)
1322 {
1323 payloads->insert_last(payloads, current);
1324 }
1325
1326 encryption = encryption_payload_create(encryption_type);
1327 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1328 {
1329 payload_rule_t *rule;
1330 payload_type_t type;
1331 bool encrypt = TRUE;
1332
1333 type = current->get_type(current);
1334 rule = get_payload_rule(this, type);
1335 if (rule)
1336 {
1337 encrypt = rule->encrypted;
1338 }
1339 if (encrypt || this->is_encrypted)
1340 { /* encryption is forced for IKEv1 */
1341 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1342 payload_type_names, type);
1343 encryption->add_payload(encryption, current);
1344 }
1345 else
1346 {
1347 DBG2(DBG_ENC, "insert payload %N unencrypted",
1348 payload_type_names, type);
1349 add_payload(this, current);
1350 }
1351 }
1352 payloads->destroy(payloads);
1353
1354 return encryption;
1355 }
1356
1357 METHOD(message_t, disable_sort, void,
1358 private_message_t *this)
1359 {
1360 this->sort_disabled = TRUE;
1361 }
1362
1363 METHOD(message_t, generate, status_t,
1364 private_message_t *this, keymat_t *keymat, packet_t **packet)
1365 {
1366 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1367 generator_t *generator;
1368 ike_header_t *ike_header;
1369 payload_t *payload, *next;
1370 encryption_payload_t *encryption = NULL;
1371 payload_type_t next_type;
1372 enumerator_t *enumerator;
1373 aead_t *aead;
1374 chunk_t chunk;
1375 char str[BUF_LEN];
1376 u_int32_t *lenpos;
1377 bool encrypted = FALSE, *reserved;
1378 int i;
1379
1380 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1381 {
1382 DBG1(DBG_ENC, "exchange type is not defined");
1383 return INVALID_STATE;
1384 }
1385
1386 if (this->packet->get_source(this->packet) == NULL ||
1387 this->packet->get_destination(this->packet) == NULL)
1388 {
1389 DBG1(DBG_ENC, "source/destination not defined");
1390 return INVALID_STATE;
1391 }
1392
1393 this->rule = get_message_rule(this);
1394 if (!this->rule)
1395 {
1396 DBG1(DBG_ENC, "no message rules specified for this message type");
1397 return NOT_SUPPORTED;
1398 }
1399
1400 if (!this->sort_disabled)
1401 {
1402 order_payloads(this);
1403 }
1404
1405 if (this->major_version == IKEV2_MAJOR_VERSION)
1406 {
1407 encrypted = this->rule->encrypted;
1408 }
1409 else
1410 {
1411 /* get a hash for this message, if any is required */
1412 chunk_t hash = keymat_v1->get_hash_phase2(keymat_v1, &this->public);
1413 if (hash.ptr)
1414 { /* insert a HASH payload as first payload */
1415 hash_payload_t *hash_payload = hash_payload_create();
1416 hash_payload->set_hash(hash_payload, hash);
1417 this->payloads->insert_first(this->payloads,
1418 (payload_t*)hash_payload);
1419 chunk_free(&hash);
1420 }
1421
1422 /* if at least one payload requires encryption, encrypt the message.
1423 * if we have no key material available, the flag will be reset below */
1424 enumerator = this->payloads->create_enumerator(this->payloads);
1425 while (enumerator->enumerate(enumerator, (void**)&payload))
1426 {
1427 payload_rule_t *rule;
1428 rule = get_payload_rule(this, payload->get_type(payload));
1429 if (rule && rule->encrypted)
1430 {
1431 this->is_encrypted = TRUE;
1432 encrypted = TRUE;
1433 break;
1434 }
1435 }
1436 enumerator->destroy(enumerator);
1437 }
1438
1439 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1440
1441 aead = keymat->get_aead(keymat, FALSE);
1442 if (aead && encrypted)
1443 {
1444 encryption = wrap_payloads(this, this->is_encrypted ? ENCRYPTED_V1
1445 : ENCRYPTED);
1446 }
1447 else
1448 {
1449 DBG2(DBG_ENC, "not encrypting payloads");
1450 this->is_encrypted = FALSE;
1451 }
1452
1453 ike_header = ike_header_create_version(this->major_version,
1454 this->minor_version);
1455 ike_header->set_exchange_type(ike_header, this->exchange_type);
1456 ike_header->set_message_id(ike_header, this->message_id);
1457 if (this->major_version == IKEV2_MAJOR_VERSION)
1458 {
1459 ike_header->set_response_flag(ike_header, !this->is_request);
1460 ike_header->set_version_flag(ike_header, this->version_flag);
1461 ike_header->set_initiator_flag(ike_header,
1462 this->ike_sa_id->is_initiator(this->ike_sa_id));
1463 }
1464 else
1465 {
1466 ike_header->set_encryption_flag(ike_header, this->is_encrypted);
1467 }
1468 ike_header->set_initiator_spi(ike_header,
1469 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1470 ike_header->set_responder_spi(ike_header,
1471 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1472
1473 for (i = 0; i < countof(this->reserved); i++)
1474 {
1475 reserved = payload_get_field(&ike_header->payload_interface,
1476 RESERVED_BIT, i);
1477 if (reserved)
1478 {
1479 *reserved = this->reserved[i];
1480 }
1481 }
1482
1483 generator = generator_create();
1484
1485 /* generate all payloads with proper next type */
1486 payload = (payload_t*)ike_header;
1487 enumerator = create_payload_enumerator(this);
1488 while (enumerator->enumerate(enumerator, &next))
1489 {
1490 payload->set_next_type(payload, next->get_type(next));
1491 generator->generate_payload(generator, payload);
1492 payload = next;
1493 }
1494 enumerator->destroy(enumerator);
1495 if (this->is_encrypted)
1496 { /* for encrypted IKEv1 messages */
1497 next_type = encryption->payload_interface.get_next_type(
1498 (payload_t*)encryption);
1499 }
1500 else
1501 {
1502 next_type = encryption ? ENCRYPTED : NO_PAYLOAD;
1503 }
1504 payload->set_next_type(payload, next_type);
1505 generator->generate_payload(generator, payload);
1506 ike_header->destroy(ike_header);
1507
1508 if (encryption)
1509 { /* set_transform() has to be called before get_length() */
1510 encryption->set_transform(encryption, aead);
1511 if (this->is_encrypted)
1512 { /* for IKEv1 instead of associated data we provide the IV */
1513 chunk = keymat_v1->get_iv(keymat_v1, this->message_id);
1514 }
1515 else
1516 { /* build associated data (without header of encryption payload) */
1517 chunk = generator->get_chunk(generator, &lenpos);
1518 /* fill in length, including encryption payload */
1519 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1520 }
1521 this->payloads->insert_last(this->payloads, encryption);
1522 if (!encryption->encrypt(encryption, chunk))
1523 {
1524 generator->destroy(generator);
1525 return INVALID_STATE;
1526 }
1527 generator->generate_payload(generator, &encryption->payload_interface);
1528 }
1529 chunk = generator->get_chunk(generator, &lenpos);
1530 htoun32(lenpos, chunk.len);
1531 this->packet->set_data(this->packet, chunk_clone(chunk));
1532 if (this->is_encrypted)
1533 { /* update the IV for the next IKEv1 message */
1534 chunk_t last_block;
1535 size_t bs = aead->get_block_size(aead);
1536 last_block = chunk_create(chunk.ptr + chunk.len - bs, bs);
1537 keymat_v1->update_iv(keymat_v1, this->message_id, last_block);
1538 keymat_v1->confirm_iv(keymat_v1, this->message_id);
1539 }
1540 generator->destroy(generator);
1541 *packet = this->packet->clone(this->packet);
1542 return SUCCESS;
1543 }
1544
1545 METHOD(message_t, get_packet, packet_t*,
1546 private_message_t *this)
1547 {
1548 if (this->packet == NULL)
1549 {
1550 return NULL;
1551 }
1552 return this->packet->clone(this->packet);
1553 }
1554
1555 METHOD(message_t, get_packet_data, chunk_t,
1556 private_message_t *this)
1557 {
1558 if (this->packet == NULL)
1559 {
1560 return chunk_empty;
1561 }
1562 return this->packet->get_data(this->packet);
1563 }
1564
1565 METHOD(message_t, parse_header, status_t,
1566 private_message_t *this)
1567 {
1568 ike_header_t *ike_header;
1569 status_t status;
1570 bool *reserved;
1571 int i;
1572
1573 DBG2(DBG_ENC, "parsing header of message");
1574
1575 this->parser->reset_context(this->parser);
1576 status = this->parser->parse_payload(this->parser, HEADER,
1577 (payload_t**)&ike_header);
1578 if (status != SUCCESS)
1579 {
1580 DBG1(DBG_ENC, "header could not be parsed");
1581 return status;
1582
1583 }
1584
1585 status = ike_header->payload_interface.verify(
1586 &ike_header->payload_interface);
1587 if (status != SUCCESS)
1588 {
1589 DBG1(DBG_ENC, "header verification failed");
1590 ike_header->destroy(ike_header);
1591 return status;
1592 }
1593
1594 DESTROY_IF(this->ike_sa_id);
1595 this->ike_sa_id = ike_sa_id_create(
1596 ike_header->get_initiator_spi(ike_header),
1597 ike_header->get_responder_spi(ike_header),
1598 ike_header->get_initiator_flag(ike_header));
1599
1600 this->exchange_type = ike_header->get_exchange_type(ike_header);
1601 this->message_id = ike_header->get_message_id(ike_header);
1602 this->major_version = ike_header->get_maj_version(ike_header);
1603 this->minor_version = ike_header->get_min_version(ike_header);
1604 if (this->major_version == IKEV2_MAJOR_VERSION)
1605 {
1606 this->is_request = !ike_header->get_response_flag(ike_header);
1607 }
1608 else
1609 {
1610 this->is_encrypted = ike_header->get_encryption_flag(ike_header);
1611 }
1612 this->first_payload = ike_header->payload_interface.get_next_type(
1613 &ike_header->payload_interface);
1614 for (i = 0; i < countof(this->reserved); i++)
1615 {
1616 reserved = payload_get_field(&ike_header->payload_interface,
1617 RESERVED_BIT, i);
1618 if (reserved)
1619 {
1620 this->reserved[i] = *reserved;
1621 }
1622 }
1623 ike_header->destroy(ike_header);
1624
1625 DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
1626 this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
1627 "message" : (this->is_request ? "request" : "response"));
1628 return SUCCESS;
1629 }
1630
1631 /**
1632 * Check if a payload is for a mediation extension connectivity check
1633 */
1634 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1635 {
1636 #ifdef ME
1637 if (this->exchange_type == INFORMATIONAL &&
1638 payload->get_type(payload) == NOTIFY)
1639 {
1640 notify_payload_t *notify = (notify_payload_t*)payload;
1641
1642 switch (notify->get_notify_type(notify))
1643 {
1644 case ME_CONNECTID:
1645 case ME_ENDPOINT:
1646 case ME_CONNECTAUTH:
1647 return TRUE;
1648 default:
1649 break;
1650 }
1651 }
1652 #endif /* !ME */
1653 return FALSE;
1654 }
1655
1656 /**
1657 * Parses and verifies the unencrypted payloads contained in the message
1658 */
1659 static status_t parse_payloads(private_message_t *this)
1660 {
1661 payload_type_t type = this->first_payload;
1662 payload_t *payload;
1663 status_t status;
1664
1665 if (this->is_encrypted)
1666 { /* wrap the whole encrypted IKEv1 message in a special encryption
1667 * payload which is then handled just like a regular payload */
1668 encryption_payload_t *encryption;
1669 status = this->parser->parse_payload(this->parser, ENCRYPTED_V1,
1670 (payload_t**)&encryption);
1671 if (status != SUCCESS)
1672 {
1673 DBG1(DBG_ENC, "failed to wrap encrypted IKEv1 message");
1674 return PARSE_ERROR;
1675 }
1676 encryption->payload_interface.set_next_type((payload_t*)encryption,
1677 this->first_payload);
1678 this->payloads->insert_last(this->payloads, encryption);
1679 return SUCCESS;
1680 }
1681
1682 while (type != NO_PAYLOAD)
1683 {
1684 DBG2(DBG_ENC, "starting parsing a %N payload",
1685 payload_type_names, type);
1686
1687 status = this->parser->parse_payload(this->parser, type, &payload);
1688 if (status != SUCCESS)
1689 {
1690 DBG1(DBG_ENC, "payload type %N could not be parsed",
1691 payload_type_names, type);
1692 return PARSE_ERROR;
1693 }
1694
1695 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1696 status = payload->verify(payload);
1697 if (status != SUCCESS)
1698 {
1699 DBG1(DBG_ENC, "%N payload verification failed",
1700 payload_type_names, type);
1701 payload->destroy(payload);
1702 return VERIFY_ERROR;
1703 }
1704
1705 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1706 payload_type_names, type);
1707 this->payloads->insert_last(this->payloads, payload);
1708
1709 /* an encryption payload is the last one, so STOP here. decryption is
1710 * done later */
1711 if (type == ENCRYPTED)
1712 {
1713 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1714 payload_type_names, type);
1715 break;
1716 }
1717 type = payload->get_next_type(payload);
1718 }
1719 return SUCCESS;
1720 }
1721
1722 /**
1723 * Decrypt payload from the encryption payload
1724 */
1725 static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
1726 {
1727 bool was_encrypted = FALSE;
1728 payload_t *payload, *previous = NULL;
1729 enumerator_t *enumerator;
1730 payload_rule_t *rule;
1731 payload_type_t type;
1732 aead_t *aead;
1733 status_t status = SUCCESS;
1734
1735 enumerator = this->payloads->create_enumerator(this->payloads);
1736 while (enumerator->enumerate(enumerator, &payload))
1737 {
1738 type = payload->get_type(payload);
1739
1740 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1741
1742 if (type == ENCRYPTED || type == ENCRYPTED_V1)
1743 {
1744 encryption_payload_t *encryption;
1745 payload_t *encrypted;
1746 chunk_t chunk;
1747 size_t bs;
1748
1749 encryption = (encryption_payload_t*)payload;
1750
1751 DBG2(DBG_ENC, "found an encryption payload");
1752
1753 if (this->payloads->has_more(this->payloads, enumerator))
1754 {
1755 DBG1(DBG_ENC, "encrypted payload is not last payload");
1756 status = VERIFY_ERROR;
1757 break;
1758 }
1759 aead = keymat->get_aead(keymat, TRUE);
1760 bs = aead->get_block_size(aead);
1761 encryption->set_transform(encryption, aead);
1762 chunk = this->packet->get_data(this->packet);
1763 if (chunk.len < encryption->get_length(encryption) ||
1764 chunk.len < bs)
1765 {
1766 DBG1(DBG_ENC, "invalid payload length");
1767 status = VERIFY_ERROR;
1768 break;
1769 }
1770 if (type == ENCRYPTED_V1)
1771 { /* instead of associated data we provide the IV, we also update
1772 * the IV with the last encrypted block */
1773 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1774 chunk_t last_block = chunk_create(chunk.ptr + chunk.len - bs,
1775 bs);
1776 chunk = keymat_v1->get_iv(keymat_v1, this->message_id);
1777 keymat_v1->update_iv(keymat_v1, this->message_id, last_block);
1778 }
1779 else
1780 {
1781 chunk.len -= encryption->get_length(encryption);
1782 }
1783 status = encryption->decrypt(encryption, chunk);
1784 if (status != SUCCESS)
1785 {
1786 break;
1787 }
1788
1789 was_encrypted = TRUE;
1790 this->payloads->remove_at(this->payloads, enumerator);
1791
1792 while ((encrypted = encryption->remove_payload(encryption)))
1793 {
1794 type = encrypted->get_type(encrypted);
1795 if (previous)
1796 {
1797 previous->set_next_type(previous, type);
1798 }
1799 else
1800 {
1801 this->first_payload = type;
1802 }
1803 DBG2(DBG_ENC, "insert decrypted payload of type "
1804 "%N at end of list", payload_type_names, type);
1805 this->payloads->insert_last(this->payloads, encrypted);
1806 previous = encrypted;
1807 }
1808 encryption->destroy(encryption);
1809 }
1810 if (payload_is_known(type) && !was_encrypted &&
1811 !is_connectivity_check(this, payload))
1812 {
1813 rule = get_payload_rule(this, type);
1814 if (!rule || rule->encrypted)
1815 {
1816 DBG1(DBG_ENC, "payload type %N was not encrypted",
1817 payload_type_names, type);
1818 status = FAILED;
1819 break;
1820 }
1821 }
1822 previous = payload;
1823 }
1824 enumerator->destroy(enumerator);
1825 return status;
1826 }
1827
1828 /**
1829 * Verify a message and all payload according to message/payload rules
1830 */
1831 static status_t verify(private_message_t *this)
1832 {
1833 bool complete = FALSE;
1834 int i;
1835
1836 DBG2(DBG_ENC, "verifying message structure");
1837
1838 /* check for payloads with wrong count */
1839 for (i = 0; i < this->rule->rule_count; i++)
1840 {
1841 enumerator_t *enumerator;
1842 payload_t *payload;
1843 payload_rule_t *rule;
1844 int found = 0;
1845
1846 rule = &this->rule->rules[i];
1847 enumerator = create_payload_enumerator(this);
1848 while (enumerator->enumerate(enumerator, &payload))
1849 {
1850 payload_type_t type;
1851
1852 type = payload->get_type(payload);
1853 if (type == rule->type)
1854 {
1855 found++;
1856 DBG2(DBG_ENC, "found payload of type %N",
1857 payload_type_names, type);
1858 if (found > rule->max_occurence)
1859 {
1860 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1861 "occurred in current message", payload_type_names,
1862 type, rule->max_occurence, found);
1863 enumerator->destroy(enumerator);
1864 return VERIFY_ERROR;
1865 }
1866 }
1867 }
1868 enumerator->destroy(enumerator);
1869
1870 if (!complete && found < rule->min_occurence)
1871 {
1872 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1873 payload_type_names, rule->type, rule->min_occurence, found);
1874 return VERIFY_ERROR;
1875 }
1876 if (found && rule->sufficient)
1877 {
1878 complete = TRUE;
1879 }
1880 }
1881 return SUCCESS;
1882 }
1883
1884 METHOD(message_t, parse_body, status_t,
1885 private_message_t *this, keymat_t *keymat)
1886 {
1887 status_t status = SUCCESS;
1888 char str[BUF_LEN];
1889
1890 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1891 payload_type_names, this->first_payload);
1892
1893 this->rule = get_message_rule(this);
1894 if (!this->rule)
1895 {
1896 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1897 exchange_type_names, this->exchange_type,
1898 this->is_request ? "request" : "response");
1899 return NOT_SUPPORTED;
1900 }
1901
1902 status = parse_payloads(this);
1903 if (status != SUCCESS)
1904 { /* error is already logged */
1905 return status;
1906 }
1907
1908 status = decrypt_payloads(this, keymat);
1909 if (status != SUCCESS)
1910 {
1911 DBG1(DBG_ENC, "could not decrypt payloads");
1912 return status;
1913 }
1914
1915 status = verify(this);
1916 if (status != SUCCESS)
1917 {
1918 return status;
1919 }
1920
1921 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1922
1923 if (this->major_version == IKEV1_MAJOR_VERSION)
1924 {
1925 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1926 chunk_t hash;
1927 hash = keymat_v1->get_hash_phase2(keymat_v1, &this->public);
1928 if (hash.ptr)
1929 {
1930 hash_payload_t *hash_payload;
1931 chunk_t other_hash;
1932 if (this->first_payload != HASH_V1)
1933 {
1934 DBG1(DBG_ENC, "expected HASH payload as first payload");
1935 chunk_free(&hash);
1936 return VERIFY_ERROR;
1937 }
1938 hash_payload = (hash_payload_t*)get_payload(this, HASH_V1);
1939 other_hash = hash_payload->get_hash(hash_payload);
1940 if (!chunk_equals(hash, other_hash))
1941 {
1942 DBG1(DBG_ENC, "our hash does not match received %B",
1943 &other_hash);
1944 chunk_free(&hash);
1945 return VERIFY_ERROR;
1946 }
1947 DBG2(DBG_ENC, "verified IKEv1 message with hash %B", &hash);
1948 chunk_free(&hash);
1949 }
1950 }
1951
1952 if (this->is_encrypted)
1953 { /* TODO-IKEv1: this should be done later when we know this is no
1954 * retransmit */
1955 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1956 keymat_v1->confirm_iv(keymat_v1, this->message_id);
1957 }
1958
1959 return SUCCESS;
1960 }
1961
1962 METHOD(message_t, destroy, void,
1963 private_message_t *this)
1964 {
1965 DESTROY_IF(this->ike_sa_id);
1966 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1967 this->packet->destroy(this->packet);
1968 this->parser->destroy(this->parser);
1969 free(this);
1970 }
1971
1972 /*
1973 * Described in header.
1974 */
1975 message_t *message_create_from_packet(packet_t *packet)
1976 {
1977 private_message_t *this;
1978
1979 INIT(this,
1980 .public = {
1981 .set_major_version = _set_major_version,
1982 .get_major_version = _get_major_version,
1983 .set_minor_version = _set_minor_version,
1984 .get_minor_version = _get_minor_version,
1985 .set_message_id = _set_message_id,
1986 .get_message_id = _get_message_id,
1987 .get_initiator_spi = _get_initiator_spi,
1988 .get_responder_spi = _get_responder_spi,
1989 .set_ike_sa_id = _set_ike_sa_id,
1990 .get_ike_sa_id = _get_ike_sa_id,
1991 .set_exchange_type = _set_exchange_type,
1992 .get_exchange_type = _get_exchange_type,
1993 .get_first_payload_type = _get_first_payload_type,
1994 .set_request = _set_request,
1995 .get_request = _get_request,
1996 .set_version_flag = _set_version_flag,
1997 .get_reserved_header_bit = _get_reserved_header_bit,
1998 .set_reserved_header_bit = _set_reserved_header_bit,
1999 .add_payload = _add_payload,
2000 .add_notify = _add_notify,
2001 .disable_sort = _disable_sort,
2002 .generate = _generate,
2003 .is_encoded = _is_encoded,
2004 .set_source = _set_source,
2005 .get_source = _get_source,
2006 .set_destination = _set_destination,
2007 .get_destination = _get_destination,
2008 .create_payload_enumerator = _create_payload_enumerator,
2009 .remove_payload_at = _remove_payload_at,
2010 .get_payload = _get_payload,
2011 .get_notify = _get_notify,
2012 .parse_header = _parse_header,
2013 .parse_body = _parse_body,
2014 .get_packet = _get_packet,
2015 .get_packet_data = _get_packet_data,
2016 .destroy = _destroy,
2017 },
2018 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
2019 .is_request = TRUE,
2020 .first_payload = NO_PAYLOAD,
2021 .packet = packet,
2022 .payloads = linked_list_create(),
2023 .parser = parser_create(packet->get_data(packet)),
2024 );
2025
2026 return &this->public;
2027 }
2028
2029 /*
2030 * Described in header.
2031 */
2032 message_t *message_create(int major, int minor)
2033 {
2034 message_t *this = message_create_from_packet(packet_create());
2035
2036 this->set_major_version(this, major);
2037 this->set_minor_version(this, minor);
2038
2039 return this;
2040 }