Message rules for IKEv1 AGGRESSIVE exchange added.
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ike_sa_id.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <utils/linked_list.h>
31 #include <encoding/payloads/encodings.h>
32 #include <encoding/payloads/payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 Message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 Message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 Message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of Vendor ID payloads per IKEv2 Message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * A payload rule defines the rules for a payload
59 * in a specific message rule. It defines if and how
60 * many times a payload must/can occur in a message
61 * and if it must be encrypted.
62 */
63 typedef struct {
64 /* Payload type */
65 payload_type_t type;
66 /* Minimal occurrence of this payload. */
67 size_t min_occurence;
68 /* Max occurrence of this payload. */
69 size_t max_occurence;
70 /* TRUE if payload must be encrypted */
71 bool encrypted;
72 /* If payload occurs, the message rule is fulfilled */
73 bool sufficient;
74 } payload_rule_t;
75
76 /**
77 * payload ordering structure allows us to reorder payloads according to RFC.
78 */
79 typedef struct {
80 /** payload type */
81 payload_type_t type;
82 /** notify type, if payload == NOTIFY */
83 notify_type_t notify;
84 } payload_order_t;
85
86 /**
87 * A message rule defines the kind of a message,
88 * if it has encrypted contents and a list
89 * of payload ordering rules and payload parsing rules.
90 */
91 typedef struct {
92 /** Type of message. */
93 exchange_type_t exchange_type;
94 /** Is message a request or response. */
95 bool is_request;
96 /** Message contains encrypted payloads. */
97 bool encrypted;
98 /** Number of payload rules which will follow */
99 int rule_count;
100 /** Pointer to first payload rule */
101 payload_rule_t *rules;
102 /** Number of payload order rules */
103 int order_count;
104 /** payload ordering rules */
105 payload_order_t *order;
106 } message_rule_t;
107
108 /**
109 * Message rule for IKE_SA_INIT from initiator.
110 */
111 static payload_rule_t ike_sa_init_i_rules[] = {
112 /* payload type min max encr suff */
113 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
114 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
115 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
116 {NONCE, 1, 1, FALSE, FALSE},
117 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
118 };
119
120 /**
121 * payload order for IKE_SA_INIT initiator
122 */
123 static payload_order_t ike_sa_init_i_order[] = {
124 /* payload type notify type */
125 {NOTIFY, COOKIE},
126 {SECURITY_ASSOCIATION, 0},
127 {KEY_EXCHANGE, 0},
128 {NONCE, 0},
129 {NOTIFY, NAT_DETECTION_SOURCE_IP},
130 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
131 {NOTIFY, 0},
132 {VENDOR_ID, 0},
133 };
134
135 /**
136 * Message rule for IKE_SA_INIT from responder.
137 */
138 static payload_rule_t ike_sa_init_r_rules[] = {
139 /* payload type min max encr suff */
140 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
141 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
142 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
143 {NONCE, 1, 1, FALSE, FALSE},
144 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
145 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
146 };
147
148 /**
149 * payload order for IKE_SA_INIT responder
150 */
151 static payload_order_t ike_sa_init_r_order[] = {
152 /* payload type notify type */
153 {SECURITY_ASSOCIATION, 0},
154 {KEY_EXCHANGE, 0},
155 {NONCE, 0},
156 {NOTIFY, NAT_DETECTION_SOURCE_IP},
157 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
158 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
159 {CERTIFICATE_REQUEST, 0},
160 {NOTIFY, 0},
161 {VENDOR_ID, 0},
162 };
163
164 /**
165 * Message rule for IKE_AUTH from initiator.
166 */
167 static payload_rule_t ike_auth_i_rules[] = {
168 /* payload type min max encr suff */
169 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
170 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
171 {AUTHENTICATION, 0, 1, TRUE, TRUE},
172 {ID_INITIATOR, 0, 1, TRUE, FALSE},
173 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
174 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
175 {ID_RESPONDER, 0, 1, TRUE, FALSE},
176 #ifdef ME
177 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
178 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
179 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
180 #else
181 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
182 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
184 #endif /* ME */
185 {CONFIGURATION, 0, 1, TRUE, FALSE},
186 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
187 };
188
189 /**
190 * payload order for IKE_AUTH initiator
191 */
192 static payload_order_t ike_auth_i_order[] = {
193 /* payload type notify type */
194 {ID_INITIATOR, 0},
195 {CERTIFICATE, 0},
196 {NOTIFY, INITIAL_CONTACT},
197 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
198 {CERTIFICATE_REQUEST, 0},
199 {ID_RESPONDER, 0},
200 {AUTHENTICATION, 0},
201 {EXTENSIBLE_AUTHENTICATION, 0},
202 {CONFIGURATION, 0},
203 {NOTIFY, IPCOMP_SUPPORTED},
204 {NOTIFY, USE_TRANSPORT_MODE},
205 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
206 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
207 {SECURITY_ASSOCIATION, 0},
208 {TRAFFIC_SELECTOR_INITIATOR, 0},
209 {TRAFFIC_SELECTOR_RESPONDER, 0},
210 {NOTIFY, MOBIKE_SUPPORTED},
211 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
212 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
213 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
214 {NOTIFY, 0},
215 {VENDOR_ID, 0},
216 };
217
218 /**
219 * Message rule for IKE_AUTH from responder.
220 */
221 static payload_rule_t ike_auth_r_rules[] = {
222 /* payload type min max encr suff */
223 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
224 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
225 {AUTHENTICATION, 0, 1, TRUE, TRUE},
226 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
227 {ID_RESPONDER, 0, 1, TRUE, FALSE},
228 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
229 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
230 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
231 {CONFIGURATION, 0, 1, TRUE, FALSE},
232 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
233 };
234
235 /**
236 * payload order for IKE_AUTH responder
237 */
238 static payload_order_t ike_auth_r_order[] = {
239 /* payload type notify type */
240 {ID_RESPONDER, 0},
241 {CERTIFICATE, 0},
242 {AUTHENTICATION, 0},
243 {EXTENSIBLE_AUTHENTICATION, 0},
244 {CONFIGURATION, 0},
245 {NOTIFY, IPCOMP_SUPPORTED},
246 {NOTIFY, USE_TRANSPORT_MODE},
247 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
248 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
249 {SECURITY_ASSOCIATION, 0},
250 {TRAFFIC_SELECTOR_INITIATOR, 0},
251 {TRAFFIC_SELECTOR_RESPONDER, 0},
252 {NOTIFY, AUTH_LIFETIME},
253 {NOTIFY, MOBIKE_SUPPORTED},
254 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
255 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
256 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
257 {NOTIFY, 0},
258 {VENDOR_ID, 0},
259 };
260
261 /**
262 * Message rule for INFORMATIONAL from initiator.
263 */
264 static payload_rule_t informational_i_rules[] = {
265 /* payload type min max encr suff */
266 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
267 {CONFIGURATION, 0, 1, TRUE, FALSE},
268 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
269 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for INFORMATIONAL initiator
274 */
275 static payload_order_t informational_i_order[] = {
276 /* payload type notify type */
277 {NOTIFY, UPDATE_SA_ADDRESSES},
278 {NOTIFY, NAT_DETECTION_SOURCE_IP},
279 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
280 {NOTIFY, COOKIE2},
281 {NOTIFY, 0},
282 {DELETE, 0},
283 {CONFIGURATION, 0},
284 };
285
286 /**
287 * Message rule for INFORMATIONAL from responder.
288 */
289 static payload_rule_t informational_r_rules[] = {
290 /* payload type min max encr suff */
291 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
292 {CONFIGURATION, 0, 1, TRUE, FALSE},
293 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
294 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
295 };
296
297 /**
298 * payload order for INFORMATIONAL responder
299 */
300 static payload_order_t informational_r_order[] = {
301 /* payload type notify type */
302 {NOTIFY, UPDATE_SA_ADDRESSES},
303 {NOTIFY, NAT_DETECTION_SOURCE_IP},
304 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
305 {NOTIFY, COOKIE2},
306 {NOTIFY, 0},
307 {DELETE, 0},
308 {CONFIGURATION, 0},
309 };
310
311 /**
312 * Message rule for CREATE_CHILD_SA from initiator.
313 */
314 static payload_rule_t create_child_sa_i_rules[] = {
315 /* payload type min max encr suff */
316 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
317 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
318 {NONCE, 1, 1, TRUE, FALSE},
319 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
320 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
321 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
322 {CONFIGURATION, 0, 1, TRUE, FALSE},
323 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
324 };
325
326 /**
327 * payload order for CREATE_CHILD_SA from initiator.
328 */
329 static payload_order_t create_child_sa_i_order[] = {
330 /* payload type notify type */
331 {NOTIFY, REKEY_SA},
332 {NOTIFY, IPCOMP_SUPPORTED},
333 {NOTIFY, USE_TRANSPORT_MODE},
334 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
335 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
336 {SECURITY_ASSOCIATION, 0},
337 {NONCE, 0},
338 {KEY_EXCHANGE, 0},
339 {TRAFFIC_SELECTOR_INITIATOR, 0},
340 {TRAFFIC_SELECTOR_RESPONDER, 0},
341 {NOTIFY, 0},
342 };
343
344 /**
345 * Message rule for CREATE_CHILD_SA from responder.
346 */
347 static payload_rule_t create_child_sa_r_rules[] = {
348 /* payload type min max encr suff */
349 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
350 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
351 {NONCE, 1, 1, TRUE, FALSE},
352 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
353 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
354 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
355 {CONFIGURATION, 0, 1, TRUE, FALSE},
356 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
357 };
358
359 /**
360 * payload order for CREATE_CHILD_SA from responder.
361 */
362 static payload_order_t create_child_sa_r_order[] = {
363 /* payload type notify type */
364 {NOTIFY, IPCOMP_SUPPORTED},
365 {NOTIFY, USE_TRANSPORT_MODE},
366 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
367 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
368 {SECURITY_ASSOCIATION, 0},
369 {NONCE, 0},
370 {KEY_EXCHANGE, 0},
371 {TRAFFIC_SELECTOR_INITIATOR, 0},
372 {TRAFFIC_SELECTOR_RESPONDER, 0},
373 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
374 {NOTIFY, 0},
375 };
376
377 #ifdef ME
378 /**
379 * Message rule for ME_CONNECT from initiator.
380 */
381 static payload_rule_t me_connect_i_rules[] = {
382 /* payload type min max encr suff */
383 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
384 {ID_PEER, 1, 1, TRUE, FALSE},
385 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
386 };
387
388 /**
389 * payload order for ME_CONNECT from initiator.
390 */
391 static payload_order_t me_connect_i_order[] = {
392 /* payload type notify type */
393 {NOTIFY, 0},
394 {ID_PEER, 0},
395 {VENDOR_ID, 0},
396 };
397
398 /**
399 * Message rule for ME_CONNECT from responder.
400 */
401 static payload_rule_t me_connect_r_rules[] = {
402 /* payload type min max encr suff */
403 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
404 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
405 };
406
407 /**
408 * payload order for ME_CONNECT from responder.
409 */
410 static payload_order_t me_connect_r_order[] = {
411 /* payload type notify type */
412 {NOTIFY, 0},
413 {VENDOR_ID, 0},
414 };
415 #endif /* ME */
416
417 #ifdef USE_IKEV1
418 /**
419 * Message rule for ID_PROT from initiator.
420 */
421 static payload_rule_t id_prot_i_rules[] = {
422 /* payload type min max encr suff */
423 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
424 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
425 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
426 {NONCE_V1, 0, 1, FALSE, FALSE},
427 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
428 {ID_V1, 0, 1, TRUE, FALSE},
429 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
430 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
431 {HASH_V1, 0, 1, TRUE, FALSE},
432 };
433
434 /**
435 * payload order for ID_PROT from initiator.
436 */
437 static payload_order_t id_prot_i_order[] = {
438 /* payload type notify type */
439 {SECURITY_ASSOCIATION_V1, 0},
440 {KEY_EXCHANGE_V1, 0},
441 {NONCE_V1, 0},
442 {ID_V1, 0},
443 {CERTIFICATE_V1, 0},
444 {SIGNATURE_V1, 0},
445 {HASH_V1, 0},
446 {NOTIFICATION_V1, 0},
447 {VENDOR_ID_V1, 0},
448 };
449
450 /**
451 * Message rule for ID_PROT from responder.
452 */
453 static payload_rule_t id_prot_r_rules[] = {
454 /* payload type min max encr suff */
455 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
456 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
457 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
458 {NONCE_V1, 0, 1, FALSE, FALSE},
459 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
460 {ID_V1, 0, 1, TRUE, FALSE},
461 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
462 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
463 {HASH_V1, 0, 1, TRUE, FALSE},
464 };
465
466 /**
467 * payload order for ID_PROT from responder.
468 */
469 static payload_order_t id_prot_r_order[] = {
470 /* payload type notify type */
471 {SECURITY_ASSOCIATION_V1, 0},
472 {KEY_EXCHANGE_V1, 0},
473 {NONCE_V1, 0},
474 {ID_V1, 0},
475 {CERTIFICATE_V1, 0},
476 {SIGNATURE_V1, 0},
477 {HASH_V1, 0},
478 {NOTIFICATION_V1, 0},
479 {VENDOR_ID_V1, 0},
480 };
481
482 /**
483 * Message rule for AGGRESSIVE from initiator.
484 */
485 static payload_rule_t aggressive_i_rules[] = {
486 /* payload type min max encr suff */
487 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
488 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
489 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
490 {NONCE_V1, 0, 1, FALSE, FALSE},
491 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
492 {ID_V1, 0, 1, FALSE, FALSE},
493 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
494 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
495 {HASH_V1, 0, 1, FALSE, FALSE},
496 };
497
498 /**
499 * payload order for AGGRESSIVE from initiator.
500 */
501 static payload_order_t aggressive_i_order[] = {
502 /* payload type notify type */
503 {SECURITY_ASSOCIATION_V1, 0},
504 {KEY_EXCHANGE_V1, 0},
505 {NONCE_V1, 0},
506 {ID_V1, 0},
507 {CERTIFICATE_V1, 0},
508 {SIGNATURE_V1, 0},
509 {HASH_V1, 0},
510 {NOTIFICATION_V1, 0},
511 {VENDOR_ID_V1, 0},
512 };
513
514 /**
515 * Message rule for AGGRESSIVE from responder.
516 */
517 static payload_rule_t aggressive_r_rules[] = {
518 /* payload type min max encr suff */
519 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
520 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
521 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
522 {NONCE_V1, 0, 1, FALSE, FALSE},
523 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
524 {ID_V1, 0, 1, FALSE, FALSE},
525 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
526 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
527 {HASH_V1, 0, 1, FALSE, FALSE},
528 };
529
530 /**
531 * payload order for AGGRESSIVE from responder.
532 */
533 static payload_order_t aggressive_r_order[] = {
534 /* payload type notify type */
535 {SECURITY_ASSOCIATION_V1, 0},
536 {KEY_EXCHANGE_V1, 0},
537 {NONCE_V1, 0},
538 {ID_V1, 0},
539 {CERTIFICATE_V1, 0},
540 {SIGNATURE_V1, 0},
541 {HASH_V1, 0},
542 {NOTIFICATION_V1, 0},
543 {VENDOR_ID_V1, 0},
544 };
545 #endif /* USE_IKEV1 */
546
547 /**
548 * Message rules, defines allowed payloads.
549 */
550 static message_rule_t message_rules[] = {
551 {IKE_SA_INIT, TRUE, FALSE,
552 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
553 countof(ike_sa_init_i_order), ike_sa_init_i_order,
554 },
555 {IKE_SA_INIT, FALSE, FALSE,
556 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
557 countof(ike_sa_init_r_order), ike_sa_init_r_order,
558 },
559 {IKE_AUTH, TRUE, TRUE,
560 countof(ike_auth_i_rules), ike_auth_i_rules,
561 countof(ike_auth_i_order), ike_auth_i_order,
562 },
563 {IKE_AUTH, FALSE, TRUE,
564 countof(ike_auth_r_rules), ike_auth_r_rules,
565 countof(ike_auth_r_order), ike_auth_r_order,
566 },
567 {INFORMATIONAL, TRUE, TRUE,
568 countof(informational_i_rules), informational_i_rules,
569 countof(informational_i_order), informational_i_order,
570 },
571 {INFORMATIONAL, FALSE, TRUE,
572 countof(informational_r_rules), informational_r_rules,
573 countof(informational_r_order), informational_r_order,
574 },
575 {CREATE_CHILD_SA, TRUE, TRUE,
576 countof(create_child_sa_i_rules), create_child_sa_i_rules,
577 countof(create_child_sa_i_order), create_child_sa_i_order,
578 },
579 {CREATE_CHILD_SA, FALSE, TRUE,
580 countof(create_child_sa_r_rules), create_child_sa_r_rules,
581 countof(create_child_sa_r_order), create_child_sa_r_order,
582 },
583 #ifdef ME
584 {ME_CONNECT, TRUE, TRUE,
585 countof(me_connect_i_rules), me_connect_i_rules,
586 countof(me_connect_i_order), me_connect_i_order,
587 },
588 {ME_CONNECT, FALSE, TRUE,
589 countof(me_connect_r_rules), me_connect_r_rules,
590 countof(me_connect_r_order), me_connect_r_order,
591 },
592 #endif /* ME */
593 #ifdef USE_IKEV1
594 {ID_PROT, TRUE, FALSE,
595 countof(id_prot_i_rules), id_prot_i_rules,
596 countof(id_prot_i_order), id_prot_i_order,
597 },
598 {ID_PROT, FALSE, FALSE,
599 countof(id_prot_r_rules), id_prot_r_rules,
600 countof(id_prot_r_order), id_prot_r_order,
601 },
602 {AGGRESSIVE, TRUE, FALSE,
603 countof(aggressive_i_rules), aggressive_i_rules,
604 countof(aggressive_i_order), aggressive_i_order,
605 },
606 {AGGRESSIVE, FALSE, FALSE,
607 countof(aggressive_r_rules), aggressive_r_rules,
608 countof(aggressive_r_order), aggressive_r_order,
609 },
610 /* TODO-IKEv1: define rules for other exchanges */
611 #endif /* USE_IKEV1 */
612 };
613
614
615 typedef struct private_message_t private_message_t;
616
617 /**
618 * Private data of an message_t object.
619 */
620 struct private_message_t {
621
622 /**
623 * Public part of a message_t object.
624 */
625 message_t public;
626
627 /**
628 * Minor version of message.
629 */
630 u_int8_t major_version;
631
632 /**
633 * Major version of message.
634 */
635 u_int8_t minor_version;
636
637 /**
638 * First Payload in message.
639 */
640 payload_type_t first_payload;
641
642 /**
643 * Assigned exchange type.
644 */
645 exchange_type_t exchange_type;
646
647 /**
648 * TRUE if message is a request, FALSE if a reply.
649 */
650 bool is_request;
651
652 /**
653 * Higher version supported?
654 */
655 bool version_flag;
656
657 /**
658 * Reserved bits in IKE header
659 */
660 bool reserved[5];
661
662 /**
663 * Sorting of message disabled?
664 */
665 bool sort_disabled;
666
667 /**
668 * Message ID of this message.
669 */
670 u_int32_t message_id;
671
672 /**
673 * ID of assigned IKE_SA.
674 */
675 ike_sa_id_t *ike_sa_id;
676
677 /**
678 * Assigned UDP packet, stores incoming packet or last generated one.
679 */
680 packet_t *packet;
681
682 /**
683 * Linked List where payload data are stored in.
684 */
685 linked_list_t *payloads;
686
687 /**
688 * Assigned parser to parse Header and Body of this message.
689 */
690 parser_t *parser;
691
692 /**
693 * The message rule for this message instance
694 */
695 message_rule_t *rule;
696 };
697
698 /**
699 * Get the message rule that applies to this message
700 */
701 static message_rule_t* get_message_rule(private_message_t *this)
702 {
703 int i;
704
705 for (i = 0; i < countof(message_rules); i++)
706 {
707 if ((this->exchange_type == message_rules[i].exchange_type) &&
708 (this->is_request == message_rules[i].is_request))
709 {
710 return &message_rules[i];
711 }
712 }
713 return NULL;
714 }
715
716 /**
717 * Look up a payload rule
718 */
719 static payload_rule_t* get_payload_rule(private_message_t *this,
720 payload_type_t type)
721 {
722 int i;
723
724 for (i = 0; i < this->rule->rule_count;i++)
725 {
726 if (this->rule->rules[i].type == type)
727 {
728 return &this->rule->rules[i];
729 }
730 }
731 return NULL;
732 }
733
734 METHOD(message_t, set_ike_sa_id, void,
735 private_message_t *this,ike_sa_id_t *ike_sa_id)
736 {
737 DESTROY_IF(this->ike_sa_id);
738 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
739 }
740
741 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
742 private_message_t *this)
743 {
744 return this->ike_sa_id;
745 }
746
747 METHOD(message_t, set_message_id, void,
748 private_message_t *this,u_int32_t message_id)
749 {
750 this->message_id = message_id;
751 }
752
753 METHOD(message_t, get_message_id, u_int32_t,
754 private_message_t *this)
755 {
756 return this->message_id;
757 }
758
759 METHOD(message_t, get_initiator_spi, u_int64_t,
760 private_message_t *this)
761 {
762 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
763 }
764
765 METHOD(message_t, get_responder_spi, u_int64_t,
766 private_message_t *this)
767 {
768 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
769 }
770
771 METHOD(message_t, set_major_version, void,
772 private_message_t *this, u_int8_t major_version)
773 {
774 this->major_version = major_version;
775 }
776
777 METHOD(message_t, get_major_version, u_int8_t,
778 private_message_t *this)
779 {
780 return this->major_version;
781 }
782
783 METHOD(message_t, set_minor_version, void,
784 private_message_t *this,u_int8_t minor_version)
785 {
786 this->minor_version = minor_version;
787 }
788
789 METHOD(message_t, get_minor_version, u_int8_t,
790 private_message_t *this)
791 {
792 return this->minor_version;
793 }
794
795 METHOD(message_t, set_exchange_type, void,
796 private_message_t *this, exchange_type_t exchange_type)
797 {
798 this->exchange_type = exchange_type;
799 }
800
801 METHOD(message_t, get_exchange_type, exchange_type_t,
802 private_message_t *this)
803 {
804 return this->exchange_type;
805 }
806
807 METHOD(message_t, get_first_payload_type, payload_type_t,
808 private_message_t *this)
809 {
810 return this->first_payload;
811 }
812
813 METHOD(message_t, set_request, void,
814 private_message_t *this, bool request)
815 {
816 this->is_request = request;
817 }
818
819 METHOD(message_t, get_request, bool,
820 private_message_t *this)
821 {
822 return this->is_request;
823 }
824
825 METHOD(message_t, set_version_flag, void,
826 private_message_t *this)
827 {
828 this->version_flag = TRUE;
829 }
830
831 METHOD(message_t, get_reserved_header_bit, bool,
832 private_message_t *this, u_int nr)
833 {
834 if (nr < countof(this->reserved))
835 {
836 return this->reserved[nr];
837 }
838 return FALSE;
839 }
840
841 METHOD(message_t, set_reserved_header_bit, void,
842 private_message_t *this, u_int nr)
843 {
844 if (nr < countof(this->reserved))
845 {
846 this->reserved[nr] = TRUE;
847 }
848 }
849
850 METHOD(message_t, is_encoded, bool,
851 private_message_t *this)
852 {
853 return this->packet->get_data(this->packet).ptr != NULL;
854 }
855
856 METHOD(message_t, add_payload, void,
857 private_message_t *this, payload_t *payload)
858 {
859 payload_t *last_payload;
860
861 if (this->payloads->get_count(this->payloads) > 0)
862 {
863 this->payloads->get_last(this->payloads, (void **)&last_payload);
864 last_payload->set_next_type(last_payload, payload->get_type(payload));
865 }
866 else
867 {
868 this->first_payload = payload->get_type(payload);
869 }
870 payload->set_next_type(payload, NO_PAYLOAD);
871 this->payloads->insert_last(this->payloads, payload);
872
873 DBG2(DBG_ENC ,"added payload of type %N to message",
874 payload_type_names, payload->get_type(payload));
875 }
876
877 METHOD(message_t, add_notify, void,
878 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
879 {
880 notify_payload_t *notify;
881 payload_t *payload;
882
883 if (flush)
884 {
885 while (this->payloads->remove_last(this->payloads,
886 (void**)&payload) == SUCCESS)
887 {
888 payload->destroy(payload);
889 }
890 }
891 notify = notify_payload_create();
892 notify->set_notify_type(notify, type);
893 notify->set_notification_data(notify, data);
894 add_payload(this, (payload_t*)notify);
895 }
896
897 METHOD(message_t, set_source, void,
898 private_message_t *this, host_t *host)
899 {
900 this->packet->set_source(this->packet, host);
901 }
902
903 METHOD(message_t, set_destination, void,
904 private_message_t *this, host_t *host)
905 {
906 this->packet->set_destination(this->packet, host);
907 }
908
909 METHOD(message_t, get_source, host_t*,
910 private_message_t *this)
911 {
912 return this->packet->get_source(this->packet);
913 }
914
915 METHOD(message_t, get_destination, host_t*,
916 private_message_t *this)
917 {
918 return this->packet->get_destination(this->packet);
919 }
920
921 METHOD(message_t, create_payload_enumerator, enumerator_t*,
922 private_message_t *this)
923 {
924 return this->payloads->create_enumerator(this->payloads);
925 }
926
927 METHOD(message_t, remove_payload_at, void,
928 private_message_t *this, enumerator_t *enumerator)
929 {
930 this->payloads->remove_at(this->payloads, enumerator);
931 }
932
933 METHOD(message_t, get_payload, payload_t*,
934 private_message_t *this, payload_type_t type)
935 {
936 payload_t *current, *found = NULL;
937 enumerator_t *enumerator;
938
939 enumerator = create_payload_enumerator(this);
940 while (enumerator->enumerate(enumerator, &current))
941 {
942 if (current->get_type(current) == type)
943 {
944 found = current;
945 break;
946 }
947 }
948 enumerator->destroy(enumerator);
949 return found;
950 }
951
952 METHOD(message_t, get_notify, notify_payload_t*,
953 private_message_t *this, notify_type_t type)
954 {
955 enumerator_t *enumerator;
956 notify_payload_t *notify = NULL;
957 payload_t *payload;
958
959 enumerator = create_payload_enumerator(this);
960 while (enumerator->enumerate(enumerator, &payload))
961 {
962 if (payload->get_type(payload) == NOTIFY)
963 {
964 notify = (notify_payload_t*)payload;
965 if (notify->get_notify_type(notify) == type)
966 {
967 break;
968 }
969 notify = NULL;
970 }
971 }
972 enumerator->destroy(enumerator);
973 return notify;
974 }
975
976 /**
977 * get a string representation of the message
978 */
979 static char* get_string(private_message_t *this, char *buf, int len)
980 {
981 enumerator_t *enumerator;
982 payload_t *payload;
983 int written;
984 char *pos = buf;
985
986 memset(buf, 0, len);
987 len--;
988
989 written = snprintf(pos, len, "%N %s %d [",
990 exchange_type_names, this->exchange_type,
991 this->is_request ? "request" : "response",
992 this->message_id);
993 if (written >= len || written < 0)
994 {
995 return "";
996 }
997 pos += written;
998 len -= written;
999
1000 enumerator = create_payload_enumerator(this);
1001 while (enumerator->enumerate(enumerator, &payload))
1002 {
1003 written = snprintf(pos, len, " %N", payload_type_short_names,
1004 payload->get_type(payload));
1005 if (written >= len || written < 0)
1006 {
1007 return buf;
1008 }
1009 pos += written;
1010 len -= written;
1011 if (payload->get_type(payload) == NOTIFY)
1012 {
1013 notify_payload_t *notify;
1014 notify_type_t type;
1015 chunk_t data;
1016
1017 notify = (notify_payload_t*)payload;
1018 type = notify->get_notify_type(notify);
1019 data = notify->get_notification_data(notify);
1020 if (type == MS_NOTIFY_STATUS && data.len == 4)
1021 {
1022 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1023 type, untoh32(data.ptr));
1024 }
1025 else
1026 {
1027 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1028 type);
1029 }
1030 if (written >= len || written < 0)
1031 {
1032 return buf;
1033 }
1034 pos += written;
1035 len -= written;
1036 }
1037 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1038 {
1039 eap_payload_t *eap = (eap_payload_t*)payload;
1040 u_int32_t vendor;
1041 eap_type_t type;
1042 char method[64] = "";
1043
1044 type = eap->get_type(eap, &vendor);
1045 if (type)
1046 {
1047 if (vendor)
1048 {
1049 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1050 }
1051 else
1052 {
1053 snprintf(method, sizeof(method), "/%N",
1054 eap_type_short_names, type);
1055 }
1056 }
1057 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1058 eap->get_code(eap), method);
1059 if (written >= len || written < 0)
1060 {
1061 return buf;
1062 }
1063 pos += written;
1064 len -= written;
1065 }
1066 if (payload->get_type(payload) == CONFIGURATION)
1067 {
1068 cp_payload_t *cp = (cp_payload_t*)payload;
1069 enumerator_t *attributes;
1070 configuration_attribute_t *attribute;
1071 bool first = TRUE;
1072
1073 attributes = cp->create_attribute_enumerator(cp);
1074 while (attributes->enumerate(attributes, &attribute))
1075 {
1076 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1077 configuration_attribute_type_short_names,
1078 attribute->get_type(attribute));
1079 if (written >= len || written < 0)
1080 {
1081 return buf;
1082 }
1083 pos += written;
1084 len -= written;
1085 first = FALSE;
1086 }
1087 attributes->destroy(attributes);
1088 if (!first)
1089 {
1090 written = snprintf(pos, len, ")");
1091 if (written >= len || written < 0)
1092 {
1093 return buf;
1094 }
1095 pos += written;
1096 len -= written;
1097 }
1098 }
1099 }
1100 enumerator->destroy(enumerator);
1101
1102 /* remove last space */
1103 snprintf(pos, len, " ]");
1104 return buf;
1105 }
1106
1107 /**
1108 * reorder payloads depending on reordering rules
1109 */
1110 static void order_payloads(private_message_t *this)
1111 {
1112 linked_list_t *list;
1113 payload_t *payload;
1114 int i;
1115
1116 /* move to temp list */
1117 list = linked_list_create();
1118 while (this->payloads->remove_last(this->payloads,
1119 (void**)&payload) == SUCCESS)
1120 {
1121 list->insert_first(list, payload);
1122 }
1123 /* for each rule, ... */
1124 for (i = 0; i < this->rule->order_count; i++)
1125 {
1126 enumerator_t *enumerator;
1127 notify_payload_t *notify;
1128 payload_order_t order;
1129
1130 order = this->rule->order[i];
1131
1132 /* ... find all payload ... */
1133 enumerator = list->create_enumerator(list);
1134 while (enumerator->enumerate(enumerator, &payload))
1135 {
1136 /* ... with that type ... */
1137 if (payload->get_type(payload) == order.type)
1138 {
1139 notify = (notify_payload_t*)payload;
1140
1141 /**... and check notify for type. */
1142 if (order.type != NOTIFY || order.notify == 0 ||
1143 order.notify == notify->get_notify_type(notify))
1144 {
1145 list->remove_at(list, enumerator);
1146 add_payload(this, payload);
1147 }
1148 }
1149 }
1150 enumerator->destroy(enumerator);
1151 }
1152 /* append all payloads without a rule to the end */
1153 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1154 {
1155 /* do not complain about payloads in private use space */
1156 if (payload->get_type(payload) < 128)
1157 {
1158 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1159 payload_type_names, payload->get_type(payload),
1160 exchange_type_names, this->rule->exchange_type,
1161 this->rule->is_request ? "request" : "response");
1162 }
1163 add_payload(this, payload);
1164 }
1165 list->destroy(list);
1166 }
1167
1168 /**
1169 * Wrap payloads in a encryption payload
1170 */
1171 static encryption_payload_t* wrap_payloads(private_message_t *this)
1172 {
1173 encryption_payload_t *encryption;
1174 linked_list_t *payloads;
1175 payload_t *current;
1176
1177 /* copy all payloads in a temporary list */
1178 payloads = linked_list_create();
1179 while (this->payloads->remove_first(this->payloads,
1180 (void**)&current) == SUCCESS)
1181 {
1182 payloads->insert_last(payloads, current);
1183 }
1184
1185 encryption = encryption_payload_create();
1186 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1187 {
1188 payload_rule_t *rule;
1189 payload_type_t type;
1190 bool encrypt = TRUE;
1191
1192 type = current->get_type(current);
1193 rule = get_payload_rule(this, type);
1194 if (rule)
1195 {
1196 encrypt = rule->encrypted;
1197 }
1198 if (encrypt)
1199 {
1200 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1201 payload_type_names, type);
1202 encryption->add_payload(encryption, current);
1203 }
1204 else
1205 {
1206 DBG2(DBG_ENC, "insert payload %N unencrypted",
1207 payload_type_names, type);
1208 add_payload(this, current);
1209 }
1210 }
1211 payloads->destroy(payloads);
1212
1213 return encryption;
1214 }
1215
1216 METHOD(message_t, disable_sort, void,
1217 private_message_t *this)
1218 {
1219 this->sort_disabled = TRUE;
1220 }
1221
1222 METHOD(message_t, generate, status_t,
1223 private_message_t *this, aead_t *aead, packet_t **packet)
1224 {
1225 generator_t *generator;
1226 ike_header_t *ike_header;
1227 payload_t *payload, *next;
1228 encryption_payload_t *encryption = NULL;
1229 enumerator_t *enumerator;
1230 chunk_t chunk;
1231 char str[BUF_LEN];
1232 u_int32_t *lenpos;
1233 bool *reserved;
1234 int i;
1235
1236 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1237 {
1238 DBG1(DBG_ENC, "exchange type is not defined");
1239 return INVALID_STATE;
1240 }
1241
1242 if (this->packet->get_source(this->packet) == NULL ||
1243 this->packet->get_destination(this->packet) == NULL)
1244 {
1245 DBG1(DBG_ENC, "source/destination not defined");
1246 return INVALID_STATE;
1247 }
1248
1249 this->rule = get_message_rule(this);
1250 if (!this->rule)
1251 {
1252 DBG1(DBG_ENC, "no message rules specified for this message type");
1253 return NOT_SUPPORTED;
1254 }
1255
1256 if (!this->sort_disabled)
1257 {
1258 order_payloads(this);
1259 }
1260
1261 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1262
1263 if (aead && this->rule->encrypted)
1264 {
1265 encryption = wrap_payloads(this);
1266 }
1267 else
1268 {
1269 DBG2(DBG_ENC, "not encrypting payloads");
1270 }
1271
1272 ike_header = ike_header_create_version(this->major_version,
1273 this->minor_version);
1274 ike_header->set_exchange_type(ike_header, this->exchange_type);
1275 ike_header->set_message_id(ike_header, this->message_id);
1276 ike_header->set_response_flag(ike_header, !this->is_request);
1277 ike_header->set_version_flag(ike_header, this->version_flag);
1278 ike_header->set_initiator_flag(ike_header,
1279 this->ike_sa_id->is_initiator(this->ike_sa_id));
1280 ike_header->set_initiator_spi(ike_header,
1281 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1282 ike_header->set_responder_spi(ike_header,
1283 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1284
1285 for (i = 0; i < countof(this->reserved); i++)
1286 {
1287 reserved = payload_get_field(&ike_header->payload_interface,
1288 RESERVED_BIT, i);
1289 if (reserved)
1290 {
1291 *reserved = this->reserved[i];
1292 }
1293 }
1294
1295 generator = generator_create();
1296
1297 /* generate all payloads with proper next type */
1298 payload = (payload_t*)ike_header;
1299 enumerator = create_payload_enumerator(this);
1300 while (enumerator->enumerate(enumerator, &next))
1301 {
1302 payload->set_next_type(payload, next->get_type(next));
1303 generator->generate_payload(generator, payload);
1304 payload = next;
1305 }
1306 enumerator->destroy(enumerator);
1307 payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
1308 generator->generate_payload(generator, payload);
1309 ike_header->destroy(ike_header);
1310
1311 if (encryption)
1312 {
1313 u_int32_t *lenpos;
1314
1315 /* build associated data (without header of encryption payload) */
1316 chunk = generator->get_chunk(generator, &lenpos);
1317 encryption->set_transform(encryption, aead);
1318 /* fill in length, including encryption payload */
1319 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1320
1321 this->payloads->insert_last(this->payloads, encryption);
1322 if (!encryption->encrypt(encryption, chunk))
1323 {
1324 generator->destroy(generator);
1325 return INVALID_STATE;
1326 }
1327 generator->generate_payload(generator, &encryption->payload_interface);
1328 }
1329 chunk = generator->get_chunk(generator, &lenpos);
1330 htoun32(lenpos, chunk.len);
1331 this->packet->set_data(this->packet, chunk_clone(chunk));
1332 generator->destroy(generator);
1333
1334 *packet = this->packet->clone(this->packet);
1335 return SUCCESS;
1336 }
1337
1338 METHOD(message_t, get_packet, packet_t*,
1339 private_message_t *this)
1340 {
1341 if (this->packet == NULL)
1342 {
1343 return NULL;
1344 }
1345 return this->packet->clone(this->packet);
1346 }
1347
1348 METHOD(message_t, get_packet_data, chunk_t,
1349 private_message_t *this)
1350 {
1351 if (this->packet == NULL)
1352 {
1353 return chunk_empty;
1354 }
1355 return chunk_clone(this->packet->get_data(this->packet));
1356 }
1357
1358 METHOD(message_t, parse_header, status_t,
1359 private_message_t *this)
1360 {
1361 ike_header_t *ike_header;
1362 status_t status;
1363 bool *reserved;
1364 int i;
1365
1366 DBG2(DBG_ENC, "parsing header of message");
1367
1368 this->parser->reset_context(this->parser);
1369 status = this->parser->parse_payload(this->parser, HEADER,
1370 (payload_t**)&ike_header);
1371 if (status != SUCCESS)
1372 {
1373 DBG1(DBG_ENC, "header could not be parsed");
1374 return status;
1375
1376 }
1377
1378 status = ike_header->payload_interface.verify(
1379 &ike_header->payload_interface);
1380 if (status != SUCCESS)
1381 {
1382 DBG1(DBG_ENC, "header verification failed");
1383 ike_header->destroy(ike_header);
1384 return status;
1385 }
1386
1387 DESTROY_IF(this->ike_sa_id);
1388 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1389 ike_header->get_responder_spi(ike_header),
1390 ike_header->get_initiator_flag(ike_header));
1391
1392 this->exchange_type = ike_header->get_exchange_type(ike_header);
1393 this->message_id = ike_header->get_message_id(ike_header);
1394 this->is_request = !ike_header->get_response_flag(ike_header);
1395 this->major_version = ike_header->get_maj_version(ike_header);
1396 this->minor_version = ike_header->get_min_version(ike_header);
1397 this->first_payload = ike_header->payload_interface.get_next_type(
1398 &ike_header->payload_interface);
1399 for (i = 0; i < countof(this->reserved); i++)
1400 {
1401 reserved = payload_get_field(&ike_header->payload_interface,
1402 RESERVED_BIT, i);
1403 if (reserved)
1404 {
1405 this->reserved[i] = *reserved;
1406 }
1407 }
1408 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1409 this->is_request ? "request" : "response");
1410
1411 ike_header->destroy(ike_header);
1412
1413 this->rule = get_message_rule(this);
1414 if (!this->rule)
1415 {
1416 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1417 exchange_type_names, this->exchange_type,
1418 this->is_request ? "request" : "response");
1419 }
1420 return status;
1421 }
1422
1423 /**
1424 * Check if a payload is for a mediation extension connectivity check
1425 */
1426 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1427 {
1428 #ifdef ME
1429 if (this->exchange_type == INFORMATIONAL &&
1430 payload->get_type(payload) == NOTIFY)
1431 {
1432 notify_payload_t *notify = (notify_payload_t*)payload;
1433
1434 switch (notify->get_notify_type(notify))
1435 {
1436 case ME_CONNECTID:
1437 case ME_ENDPOINT:
1438 case ME_CONNECTAUTH:
1439 return TRUE;
1440 default:
1441 break;
1442 }
1443 }
1444 #endif /* !ME */
1445 return FALSE;
1446 }
1447
1448 /**
1449 * Decrypt payload from the encryption payload
1450 */
1451 static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
1452 {
1453 bool was_encrypted = FALSE;
1454 payload_t *payload, *previous = NULL;
1455 enumerator_t *enumerator;
1456 payload_rule_t *rule;
1457 payload_type_t type;
1458 status_t status = SUCCESS;
1459
1460 enumerator = this->payloads->create_enumerator(this->payloads);
1461 while (enumerator->enumerate(enumerator, &payload))
1462 {
1463 type = payload->get_type(payload);
1464
1465 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1466
1467 if (type == ENCRYPTED)
1468 {
1469 encryption_payload_t *encryption;
1470 payload_t *encrypted;
1471 chunk_t chunk;
1472
1473 encryption = (encryption_payload_t*)payload;
1474
1475 DBG2(DBG_ENC, "found an encryption payload");
1476
1477 if (this->payloads->has_more(this->payloads, enumerator))
1478 {
1479 DBG1(DBG_ENC, "encrypted payload is not last payload");
1480 status = VERIFY_ERROR;
1481 break;
1482 }
1483 encryption->set_transform(encryption, aead);
1484 chunk = this->packet->get_data(this->packet);
1485 if (chunk.len < encryption->get_length(encryption))
1486 {
1487 DBG1(DBG_ENC, "invalid payload length");
1488 status = VERIFY_ERROR;
1489 break;
1490 }
1491 chunk.len -= encryption->get_length(encryption);
1492 status = encryption->decrypt(encryption, chunk);
1493 if (status != SUCCESS)
1494 {
1495 break;
1496 }
1497
1498 was_encrypted = TRUE;
1499 this->payloads->remove_at(this->payloads, enumerator);
1500
1501 while ((encrypted = encryption->remove_payload(encryption)))
1502 {
1503 type = encrypted->get_type(encrypted);
1504 if (previous)
1505 {
1506 previous->set_next_type(previous, type);
1507 }
1508 else
1509 {
1510 this->first_payload = type;
1511 }
1512 DBG2(DBG_ENC, "insert decrypted payload of type "
1513 "%N at end of list", payload_type_names, type);
1514 this->payloads->insert_last(this->payloads, encrypted);
1515 previous = encrypted;
1516 }
1517 encryption->destroy(encryption);
1518 }
1519 if (payload_is_known(type) && !was_encrypted &&
1520 !is_connectivity_check(this, payload))
1521 {
1522 rule = get_payload_rule(this, type);
1523 if (!rule || rule->encrypted)
1524 {
1525 DBG1(DBG_ENC, "payload type %N was not encrypted",
1526 payload_type_names, type);
1527 status = FAILED;
1528 break;
1529 }
1530 }
1531 previous = payload;
1532 }
1533 enumerator->destroy(enumerator);
1534 return status;
1535 }
1536
1537 /**
1538 * Verify a message and all payload according to message/payload rules
1539 */
1540 static status_t verify(private_message_t *this)
1541 {
1542 bool complete = FALSE;
1543 int i;
1544
1545 DBG2(DBG_ENC, "verifying message structure");
1546
1547 /* check for payloads with wrong count*/
1548 for (i = 0; i < this->rule->rule_count; i++)
1549 {
1550 enumerator_t *enumerator;
1551 payload_t *payload;
1552 payload_rule_t *rule;
1553 int found = 0;
1554
1555 rule = &this->rule->rules[i];
1556 enumerator = create_payload_enumerator(this);
1557 while (enumerator->enumerate(enumerator, &payload))
1558 {
1559 payload_type_t type;
1560
1561 type = payload->get_type(payload);
1562 if (type == rule->type)
1563 {
1564 found++;
1565 DBG2(DBG_ENC, "found payload of type %N",
1566 payload_type_names, type);
1567 if (found > rule->max_occurence)
1568 {
1569 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1570 "occurred in current message", payload_type_names,
1571 type, rule->max_occurence, found);
1572 enumerator->destroy(enumerator);
1573 return VERIFY_ERROR;
1574 }
1575 }
1576 }
1577 enumerator->destroy(enumerator);
1578
1579 if (!complete && found < rule->min_occurence)
1580 {
1581 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1582 payload_type_names, rule->type, rule->min_occurence, found);
1583 return VERIFY_ERROR;
1584 }
1585 if (found && rule->sufficient)
1586 {
1587 complete = TRUE;
1588 }
1589 }
1590 return SUCCESS;
1591 }
1592
1593 METHOD(message_t, parse_body, status_t,
1594 private_message_t *this, aead_t *aead)
1595 {
1596 status_t status = SUCCESS;
1597 payload_t *payload;
1598 payload_type_t type;
1599 char str[BUF_LEN];
1600
1601 type = this->first_payload;
1602
1603 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1604 payload_type_names, type);
1605
1606 while (type != NO_PAYLOAD)
1607 {
1608 DBG2(DBG_ENC, "starting parsing a %N payload",
1609 payload_type_names, type);
1610
1611 status = this->parser->parse_payload(this->parser, type, &payload);
1612 if (status != SUCCESS)
1613 {
1614 DBG1(DBG_ENC, "payload type %N could not be parsed",
1615 payload_type_names, type);
1616 return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;
1617 }
1618
1619 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1620 status = payload->verify(payload);
1621 if (status != SUCCESS)
1622 {
1623 DBG1(DBG_ENC, "%N payload verification failed",
1624 payload_type_names, type);
1625 payload->destroy(payload);
1626 return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED;
1627 }
1628
1629 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1630 payload_type_names, type);
1631 this->payloads->insert_last(this->payloads, payload);
1632
1633 /* an encryption payload is the last one, so STOP here. decryption is
1634 * done later */
1635 if (type == ENCRYPTED)
1636 {
1637 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1638 payload_type_names, type);
1639 break;
1640 }
1641 type = payload->get_next_type(payload);
1642 }
1643
1644 status = decrypt_payloads(this, aead);
1645 if (status != SUCCESS)
1646 {
1647 DBG1(DBG_ENC, "could not decrypt payloads");
1648 return status;
1649 }
1650
1651 status = verify(this);
1652 if (status != SUCCESS)
1653 {
1654 return status;
1655 }
1656
1657 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1658
1659 return SUCCESS;
1660 }
1661
1662 METHOD(message_t, destroy, void,
1663 private_message_t *this)
1664 {
1665 DESTROY_IF(this->ike_sa_id);
1666 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1667 this->packet->destroy(this->packet);
1668 this->parser->destroy(this->parser);
1669 free(this);
1670 }
1671
1672 /*
1673 * Described in Header-File
1674 */
1675 message_t *message_create_from_packet(packet_t *packet)
1676 {
1677 private_message_t *this;
1678
1679 INIT(this,
1680 .public = {
1681 .set_major_version = _set_major_version,
1682 .get_major_version = _get_major_version,
1683 .set_minor_version = _set_minor_version,
1684 .get_minor_version = _get_minor_version,
1685 .set_message_id = _set_message_id,
1686 .get_message_id = _get_message_id,
1687 .get_initiator_spi = _get_initiator_spi,
1688 .get_responder_spi = _get_responder_spi,
1689 .set_ike_sa_id = _set_ike_sa_id,
1690 .get_ike_sa_id = _get_ike_sa_id,
1691 .set_exchange_type = _set_exchange_type,
1692 .get_exchange_type = _get_exchange_type,
1693 .get_first_payload_type = _get_first_payload_type,
1694 .set_request = _set_request,
1695 .get_request = _get_request,
1696 .set_version_flag = _set_version_flag,
1697 .get_reserved_header_bit = _get_reserved_header_bit,
1698 .set_reserved_header_bit = _set_reserved_header_bit,
1699 .add_payload = _add_payload,
1700 .add_notify = _add_notify,
1701 .disable_sort = _disable_sort,
1702 .generate = _generate,
1703 .is_encoded = _is_encoded,
1704 .set_source = _set_source,
1705 .get_source = _get_source,
1706 .set_destination = _set_destination,
1707 .get_destination = _get_destination,
1708 .create_payload_enumerator = _create_payload_enumerator,
1709 .remove_payload_at = _remove_payload_at,
1710 .get_payload = _get_payload,
1711 .get_notify = _get_notify,
1712 .parse_header = _parse_header,
1713 .parse_body = _parse_body,
1714 .get_packet = _get_packet,
1715 .get_packet_data = _get_packet_data,
1716 .destroy = _destroy,
1717 },
1718 .major_version = IKEV2_MAJOR_VERSION,
1719 .minor_version = IKEV2_MINOR_VERSION,
1720 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
1721 .is_request = TRUE,
1722 .first_payload = NO_PAYLOAD,
1723 .packet = packet,
1724 .payloads = linked_list_create(),
1725 .parser = parser_create(packet->get_data(packet)),
1726 );
1727
1728 return (&this->public);
1729 }
1730
1731 /*
1732 * Described in Header.
1733 */
1734 message_t *message_create()
1735 {
1736 return message_create_from_packet(packet_create());
1737 }
1738