Certificate request payloads can be sent in pretty much any IKEv1 message.
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ike_sa_id.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <utils/linked_list.h>
31 #include <encoding/payloads/encodings.h>
32 #include <encoding/payloads/payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of vendor ID payloads per IKEv2 message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * Max number of certificate request payloads per IKEv1 message
59 */
60 #define MAX_CERTREQ_PAYLOADS 5
61
62 /**
63 * A payload rule defines the rules for a payload
64 * in a specific message rule. It defines if and how
65 * many times a payload must/can occur in a message
66 * and if it must be encrypted.
67 */
68 typedef struct {
69 /* Payload type */
70 payload_type_t type;
71 /* Minimal occurrence of this payload. */
72 size_t min_occurence;
73 /* Max occurrence of this payload. */
74 size_t max_occurence;
75 /* TRUE if payload must be encrypted */
76 bool encrypted;
77 /* If payload occurs, the message rule is fulfilled */
78 bool sufficient;
79 } payload_rule_t;
80
81 /**
82 * payload ordering structure allows us to reorder payloads according to RFC.
83 */
84 typedef struct {
85 /** payload type */
86 payload_type_t type;
87 /** notify type, if payload == NOTIFY */
88 notify_type_t notify;
89 } payload_order_t;
90
91 /**
92 * A message rule defines the kind of a message,
93 * if it has encrypted contents and a list
94 * of payload ordering rules and payload parsing rules.
95 */
96 typedef struct {
97 /** Type of message. */
98 exchange_type_t exchange_type;
99 /** Is message a request or response. */
100 bool is_request;
101 /** Message contains encrypted payloads. */
102 bool encrypted;
103 /** Number of payload rules which will follow */
104 int rule_count;
105 /** Pointer to first payload rule */
106 payload_rule_t *rules;
107 /** Number of payload order rules */
108 int order_count;
109 /** payload ordering rules */
110 payload_order_t *order;
111 } message_rule_t;
112
113 /**
114 * Message rule for IKE_SA_INIT from initiator.
115 */
116 static payload_rule_t ike_sa_init_i_rules[] = {
117 /* payload type min max encr suff */
118 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
119 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
120 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
121 {NONCE, 1, 1, FALSE, FALSE},
122 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
123 };
124
125 /**
126 * payload order for IKE_SA_INIT initiator
127 */
128 static payload_order_t ike_sa_init_i_order[] = {
129 /* payload type notify type */
130 {NOTIFY, COOKIE},
131 {SECURITY_ASSOCIATION, 0},
132 {KEY_EXCHANGE, 0},
133 {NONCE, 0},
134 {NOTIFY, NAT_DETECTION_SOURCE_IP},
135 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
136 {NOTIFY, 0},
137 {VENDOR_ID, 0},
138 };
139
140 /**
141 * Message rule for IKE_SA_INIT from responder.
142 */
143 static payload_rule_t ike_sa_init_r_rules[] = {
144 /* payload type min max encr suff */
145 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
146 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
147 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
148 {NONCE, 1, 1, FALSE, FALSE},
149 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
150 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
151 };
152
153 /**
154 * payload order for IKE_SA_INIT responder
155 */
156 static payload_order_t ike_sa_init_r_order[] = {
157 /* payload type notify type */
158 {SECURITY_ASSOCIATION, 0},
159 {KEY_EXCHANGE, 0},
160 {NONCE, 0},
161 {NOTIFY, NAT_DETECTION_SOURCE_IP},
162 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
163 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
164 {CERTIFICATE_REQUEST, 0},
165 {NOTIFY, 0},
166 {VENDOR_ID, 0},
167 };
168
169 /**
170 * Message rule for IKE_AUTH from initiator.
171 */
172 static payload_rule_t ike_auth_i_rules[] = {
173 /* payload type min max encr suff */
174 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
175 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
176 {AUTHENTICATION, 0, 1, TRUE, TRUE},
177 {ID_INITIATOR, 0, 1, TRUE, FALSE},
178 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
179 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
180 {ID_RESPONDER, 0, 1, TRUE, FALSE},
181 #ifdef ME
182 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
184 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
185 #else
186 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
187 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
188 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
189 #endif /* ME */
190 {CONFIGURATION, 0, 1, TRUE, FALSE},
191 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
192 };
193
194 /**
195 * payload order for IKE_AUTH initiator
196 */
197 static payload_order_t ike_auth_i_order[] = {
198 /* payload type notify type */
199 {ID_INITIATOR, 0},
200 {CERTIFICATE, 0},
201 {NOTIFY, INITIAL_CONTACT},
202 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
203 {CERTIFICATE_REQUEST, 0},
204 {ID_RESPONDER, 0},
205 {AUTHENTICATION, 0},
206 {EXTENSIBLE_AUTHENTICATION, 0},
207 {CONFIGURATION, 0},
208 {NOTIFY, IPCOMP_SUPPORTED},
209 {NOTIFY, USE_TRANSPORT_MODE},
210 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
211 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
212 {SECURITY_ASSOCIATION, 0},
213 {TRAFFIC_SELECTOR_INITIATOR, 0},
214 {TRAFFIC_SELECTOR_RESPONDER, 0},
215 {NOTIFY, MOBIKE_SUPPORTED},
216 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
217 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
218 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
219 {NOTIFY, 0},
220 {VENDOR_ID, 0},
221 };
222
223 /**
224 * Message rule for IKE_AUTH from responder.
225 */
226 static payload_rule_t ike_auth_r_rules[] = {
227 /* payload type min max encr suff */
228 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
229 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
230 {AUTHENTICATION, 0, 1, TRUE, TRUE},
231 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
232 {ID_RESPONDER, 0, 1, TRUE, FALSE},
233 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
234 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
235 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
236 {CONFIGURATION, 0, 1, TRUE, FALSE},
237 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
238 };
239
240 /**
241 * payload order for IKE_AUTH responder
242 */
243 static payload_order_t ike_auth_r_order[] = {
244 /* payload type notify type */
245 {ID_RESPONDER, 0},
246 {CERTIFICATE, 0},
247 {AUTHENTICATION, 0},
248 {EXTENSIBLE_AUTHENTICATION, 0},
249 {CONFIGURATION, 0},
250 {NOTIFY, IPCOMP_SUPPORTED},
251 {NOTIFY, USE_TRANSPORT_MODE},
252 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
253 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
254 {SECURITY_ASSOCIATION, 0},
255 {TRAFFIC_SELECTOR_INITIATOR, 0},
256 {TRAFFIC_SELECTOR_RESPONDER, 0},
257 {NOTIFY, AUTH_LIFETIME},
258 {NOTIFY, MOBIKE_SUPPORTED},
259 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
260 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
261 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
262 {NOTIFY, 0},
263 {VENDOR_ID, 0},
264 };
265
266 /**
267 * Message rule for INFORMATIONAL from initiator.
268 */
269 static payload_rule_t informational_i_rules[] = {
270 /* payload type min max encr suff */
271 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
272 {CONFIGURATION, 0, 1, TRUE, FALSE},
273 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
274 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
275 };
276
277 /**
278 * payload order for INFORMATIONAL initiator
279 */
280 static payload_order_t informational_i_order[] = {
281 /* payload type notify type */
282 {NOTIFY, UPDATE_SA_ADDRESSES},
283 {NOTIFY, NAT_DETECTION_SOURCE_IP},
284 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
285 {NOTIFY, COOKIE2},
286 {NOTIFY, 0},
287 {DELETE, 0},
288 {CONFIGURATION, 0},
289 };
290
291 /**
292 * Message rule for INFORMATIONAL from responder.
293 */
294 static payload_rule_t informational_r_rules[] = {
295 /* payload type min max encr suff */
296 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
297 {CONFIGURATION, 0, 1, TRUE, FALSE},
298 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
299 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
300 };
301
302 /**
303 * payload order for INFORMATIONAL responder
304 */
305 static payload_order_t informational_r_order[] = {
306 /* payload type notify type */
307 {NOTIFY, UPDATE_SA_ADDRESSES},
308 {NOTIFY, NAT_DETECTION_SOURCE_IP},
309 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
310 {NOTIFY, COOKIE2},
311 {NOTIFY, 0},
312 {DELETE, 0},
313 {CONFIGURATION, 0},
314 };
315
316 /**
317 * Message rule for CREATE_CHILD_SA from initiator.
318 */
319 static payload_rule_t create_child_sa_i_rules[] = {
320 /* payload type min max encr suff */
321 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
322 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
323 {NONCE, 1, 1, TRUE, FALSE},
324 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
325 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
326 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
327 {CONFIGURATION, 0, 1, TRUE, FALSE},
328 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
329 };
330
331 /**
332 * payload order for CREATE_CHILD_SA from initiator.
333 */
334 static payload_order_t create_child_sa_i_order[] = {
335 /* payload type notify type */
336 {NOTIFY, REKEY_SA},
337 {NOTIFY, IPCOMP_SUPPORTED},
338 {NOTIFY, USE_TRANSPORT_MODE},
339 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
340 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
341 {SECURITY_ASSOCIATION, 0},
342 {NONCE, 0},
343 {KEY_EXCHANGE, 0},
344 {TRAFFIC_SELECTOR_INITIATOR, 0},
345 {TRAFFIC_SELECTOR_RESPONDER, 0},
346 {NOTIFY, 0},
347 };
348
349 /**
350 * Message rule for CREATE_CHILD_SA from responder.
351 */
352 static payload_rule_t create_child_sa_r_rules[] = {
353 /* payload type min max encr suff */
354 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
355 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
356 {NONCE, 1, 1, TRUE, FALSE},
357 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
359 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
360 {CONFIGURATION, 0, 1, TRUE, FALSE},
361 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
362 };
363
364 /**
365 * payload order for CREATE_CHILD_SA from responder.
366 */
367 static payload_order_t create_child_sa_r_order[] = {
368 /* payload type notify type */
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
379 {NOTIFY, 0},
380 };
381
382 #ifdef ME
383 /**
384 * Message rule for ME_CONNECT from initiator.
385 */
386 static payload_rule_t me_connect_i_rules[] = {
387 /* payload type min max encr suff */
388 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
389 {ID_PEER, 1, 1, TRUE, FALSE},
390 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
391 };
392
393 /**
394 * payload order for ME_CONNECT from initiator.
395 */
396 static payload_order_t me_connect_i_order[] = {
397 /* payload type notify type */
398 {NOTIFY, 0},
399 {ID_PEER, 0},
400 {VENDOR_ID, 0},
401 };
402
403 /**
404 * Message rule for ME_CONNECT from responder.
405 */
406 static payload_rule_t me_connect_r_rules[] = {
407 /* payload type min max encr suff */
408 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
409 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
410 };
411
412 /**
413 * payload order for ME_CONNECT from responder.
414 */
415 static payload_order_t me_connect_r_order[] = {
416 /* payload type notify type */
417 {NOTIFY, 0},
418 {VENDOR_ID, 0},
419 };
420 #endif /* ME */
421
422 #ifdef USE_IKEV1
423 /**
424 * Message rule for ID_PROT from initiator.
425 */
426 static payload_rule_t id_prot_i_rules[] = {
427 /* payload type min max encr suff */
428 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
429 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
430 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
431 {NONCE_V1, 0, 1, FALSE, FALSE},
432 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
433 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
434 {ID_V1, 0, 1, TRUE, FALSE},
435 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
436 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
437 {HASH_V1, 0, 1, TRUE, FALSE},
438 };
439
440 /**
441 * payload order for ID_PROT from initiator.
442 */
443 static payload_order_t id_prot_i_order[] = {
444 /* payload type notify type */
445 {SECURITY_ASSOCIATION_V1, 0},
446 {KEY_EXCHANGE_V1, 0},
447 {NONCE_V1, 0},
448 {ID_V1, 0},
449 {CERTIFICATE_V1, 0},
450 {SIGNATURE_V1, 0},
451 {HASH_V1, 0},
452 {CERTIFICATE_REQUEST_V1, 0},
453 {NOTIFICATION_V1, 0},
454 {VENDOR_ID_V1, 0},
455 };
456
457 /**
458 * Message rule for ID_PROT from responder.
459 */
460 static payload_rule_t id_prot_r_rules[] = {
461 /* payload type min max encr suff */
462 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
463 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
464 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
465 {NONCE_V1, 0, 1, FALSE, FALSE},
466 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
467 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
468 {ID_V1, 0, 1, TRUE, FALSE},
469 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
470 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
471 {HASH_V1, 0, 1, TRUE, FALSE},
472 };
473
474 /**
475 * payload order for ID_PROT from responder.
476 */
477 static payload_order_t id_prot_r_order[] = {
478 /* payload type notify type */
479 {SECURITY_ASSOCIATION_V1, 0},
480 {KEY_EXCHANGE_V1, 0},
481 {NONCE_V1, 0},
482 {ID_V1, 0},
483 {CERTIFICATE_V1, 0},
484 {SIGNATURE_V1, 0},
485 {HASH_V1, 0},
486 {CERTIFICATE_REQUEST_V1, 0},
487 {NOTIFICATION_V1, 0},
488 {VENDOR_ID_V1, 0},
489 };
490
491 /**
492 * Message rule for AGGRESSIVE from initiator.
493 */
494 static payload_rule_t aggressive_i_rules[] = {
495 /* payload type min max encr suff */
496 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
497 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
498 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
499 {NONCE_V1, 0, 1, FALSE, FALSE},
500 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
501 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
502 {ID_V1, 0, 1, FALSE, FALSE},
503 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
504 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
505 {HASH_V1, 0, 1, FALSE, FALSE},
506 };
507
508 /**
509 * payload order for AGGRESSIVE from initiator.
510 */
511 static payload_order_t aggressive_i_order[] = {
512 /* payload type notify type */
513 {SECURITY_ASSOCIATION_V1, 0},
514 {KEY_EXCHANGE_V1, 0},
515 {NONCE_V1, 0},
516 {ID_V1, 0},
517 {CERTIFICATE_V1, 0},
518 {SIGNATURE_V1, 0},
519 {HASH_V1, 0},
520 {CERTIFICATE_REQUEST_V1, 0},
521 {NOTIFICATION_V1, 0},
522 {VENDOR_ID_V1, 0},
523 };
524
525 /**
526 * Message rule for AGGRESSIVE from responder.
527 */
528 static payload_rule_t aggressive_r_rules[] = {
529 /* payload type min max encr suff */
530 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
531 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
532 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
533 {NONCE_V1, 0, 1, FALSE, FALSE},
534 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
535 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
536 {ID_V1, 0, 1, FALSE, FALSE},
537 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
538 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
539 {HASH_V1, 0, 1, FALSE, FALSE},
540 };
541
542 /**
543 * payload order for AGGRESSIVE from responder.
544 */
545 static payload_order_t aggressive_r_order[] = {
546 /* payload type notify type */
547 {SECURITY_ASSOCIATION_V1, 0},
548 {KEY_EXCHANGE_V1, 0},
549 {NONCE_V1, 0},
550 {ID_V1, 0},
551 {CERTIFICATE_V1, 0},
552 {SIGNATURE_V1, 0},
553 {HASH_V1, 0},
554 {CERTIFICATE_REQUEST_V1, 0},
555 {NOTIFICATION_V1, 0},
556 {VENDOR_ID_V1, 0},
557 };
558
559 /**
560 * Message rule for INFORMATIONAL_V1 from initiator.
561 */
562 static payload_rule_t informational_i_rules_v1[] = {
563 /* payload type min max encr suff */
564 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
565 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
566 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
567 };
568
569 /**
570 * payload order for INFORMATIONAL_V1 from initiator.
571 */
572 static payload_order_t informational_i_order_v1[] = {
573 /* payload type notify type */
574 {NOTIFICATION_V1, 0},
575 {DELETE_V1, 0},
576 {VENDOR_ID_V1, 0},
577 };
578 #endif /* USE_IKEV1 */
579
580 /**
581 * Message rules, defines allowed payloads.
582 */
583 static message_rule_t message_rules[] = {
584 {IKE_SA_INIT, TRUE, FALSE,
585 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
586 countof(ike_sa_init_i_order), ike_sa_init_i_order,
587 },
588 {IKE_SA_INIT, FALSE, FALSE,
589 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
590 countof(ike_sa_init_r_order), ike_sa_init_r_order,
591 },
592 {IKE_AUTH, TRUE, TRUE,
593 countof(ike_auth_i_rules), ike_auth_i_rules,
594 countof(ike_auth_i_order), ike_auth_i_order,
595 },
596 {IKE_AUTH, FALSE, TRUE,
597 countof(ike_auth_r_rules), ike_auth_r_rules,
598 countof(ike_auth_r_order), ike_auth_r_order,
599 },
600 {INFORMATIONAL, TRUE, TRUE,
601 countof(informational_i_rules), informational_i_rules,
602 countof(informational_i_order), informational_i_order,
603 },
604 {INFORMATIONAL, FALSE, TRUE,
605 countof(informational_r_rules), informational_r_rules,
606 countof(informational_r_order), informational_r_order,
607 },
608 {CREATE_CHILD_SA, TRUE, TRUE,
609 countof(create_child_sa_i_rules), create_child_sa_i_rules,
610 countof(create_child_sa_i_order), create_child_sa_i_order,
611 },
612 {CREATE_CHILD_SA, FALSE, TRUE,
613 countof(create_child_sa_r_rules), create_child_sa_r_rules,
614 countof(create_child_sa_r_order), create_child_sa_r_order,
615 },
616 #ifdef ME
617 {ME_CONNECT, TRUE, TRUE,
618 countof(me_connect_i_rules), me_connect_i_rules,
619 countof(me_connect_i_order), me_connect_i_order,
620 },
621 {ME_CONNECT, FALSE, TRUE,
622 countof(me_connect_r_rules), me_connect_r_rules,
623 countof(me_connect_r_order), me_connect_r_order,
624 },
625 #endif /* ME */
626 #ifdef USE_IKEV1
627 {ID_PROT, TRUE, FALSE,
628 countof(id_prot_i_rules), id_prot_i_rules,
629 countof(id_prot_i_order), id_prot_i_order,
630 },
631 {ID_PROT, FALSE, FALSE,
632 countof(id_prot_r_rules), id_prot_r_rules,
633 countof(id_prot_r_order), id_prot_r_order,
634 },
635 {AGGRESSIVE, TRUE, FALSE,
636 countof(aggressive_i_rules), aggressive_i_rules,
637 countof(aggressive_i_order), aggressive_i_order,
638 },
639 {AGGRESSIVE, FALSE, FALSE,
640 countof(aggressive_r_rules), aggressive_r_rules,
641 countof(aggressive_r_order), aggressive_r_order,
642 },
643 {INFORMATIONAL_V1, TRUE, TRUE,
644 countof(informational_i_rules_v1), informational_i_rules_v1,
645 countof(informational_i_order_v1), informational_i_order_v1,
646 },
647 /* TODO-IKEv1: define rules for other exchanges */
648 #endif /* USE_IKEV1 */
649 };
650
651
652 typedef struct private_message_t private_message_t;
653
654 /**
655 * Private data of an message_t object.
656 */
657 struct private_message_t {
658
659 /**
660 * Public part of a message_t object.
661 */
662 message_t public;
663
664 /**
665 * Minor version of message.
666 */
667 u_int8_t major_version;
668
669 /**
670 * Major version of message.
671 */
672 u_int8_t minor_version;
673
674 /**
675 * First Payload in message.
676 */
677 payload_type_t first_payload;
678
679 /**
680 * Assigned exchange type.
681 */
682 exchange_type_t exchange_type;
683
684 /**
685 * TRUE if message is a request, FALSE if a reply.
686 */
687 bool is_request;
688
689 /**
690 * Higher version supported?
691 */
692 bool version_flag;
693
694 /**
695 * Reserved bits in IKE header
696 */
697 bool reserved[5];
698
699 /**
700 * Sorting of message disabled?
701 */
702 bool sort_disabled;
703
704 /**
705 * Message ID of this message.
706 */
707 u_int32_t message_id;
708
709 /**
710 * ID of assigned IKE_SA.
711 */
712 ike_sa_id_t *ike_sa_id;
713
714 /**
715 * Assigned UDP packet, stores incoming packet or last generated one.
716 */
717 packet_t *packet;
718
719 /**
720 * Linked List where payload data are stored in.
721 */
722 linked_list_t *payloads;
723
724 /**
725 * Assigned parser to parse Header and Body of this message.
726 */
727 parser_t *parser;
728
729 /**
730 * The message rule for this message instance
731 */
732 message_rule_t *rule;
733 };
734
735 /**
736 * Get the message rule that applies to this message
737 */
738 static message_rule_t* get_message_rule(private_message_t *this)
739 {
740 int i;
741
742 for (i = 0; i < countof(message_rules); i++)
743 {
744 if ((this->exchange_type == message_rules[i].exchange_type) &&
745 (this->is_request == message_rules[i].is_request))
746 {
747 return &message_rules[i];
748 }
749 }
750 return NULL;
751 }
752
753 /**
754 * Look up a payload rule
755 */
756 static payload_rule_t* get_payload_rule(private_message_t *this,
757 payload_type_t type)
758 {
759 int i;
760
761 for (i = 0; i < this->rule->rule_count;i++)
762 {
763 if (this->rule->rules[i].type == type)
764 {
765 return &this->rule->rules[i];
766 }
767 }
768 return NULL;
769 }
770
771 METHOD(message_t, set_ike_sa_id, void,
772 private_message_t *this,ike_sa_id_t *ike_sa_id)
773 {
774 DESTROY_IF(this->ike_sa_id);
775 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
776 }
777
778 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
779 private_message_t *this)
780 {
781 return this->ike_sa_id;
782 }
783
784 METHOD(message_t, set_message_id, void,
785 private_message_t *this,u_int32_t message_id)
786 {
787 this->message_id = message_id;
788 }
789
790 METHOD(message_t, get_message_id, u_int32_t,
791 private_message_t *this)
792 {
793 return this->message_id;
794 }
795
796 METHOD(message_t, get_initiator_spi, u_int64_t,
797 private_message_t *this)
798 {
799 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
800 }
801
802 METHOD(message_t, get_responder_spi, u_int64_t,
803 private_message_t *this)
804 {
805 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
806 }
807
808 METHOD(message_t, set_major_version, void,
809 private_message_t *this, u_int8_t major_version)
810 {
811 this->major_version = major_version;
812 }
813
814 METHOD(message_t, get_major_version, u_int8_t,
815 private_message_t *this)
816 {
817 return this->major_version;
818 }
819
820 METHOD(message_t, set_minor_version, void,
821 private_message_t *this,u_int8_t minor_version)
822 {
823 this->minor_version = minor_version;
824 }
825
826 METHOD(message_t, get_minor_version, u_int8_t,
827 private_message_t *this)
828 {
829 return this->minor_version;
830 }
831
832 METHOD(message_t, set_exchange_type, void,
833 private_message_t *this, exchange_type_t exchange_type)
834 {
835 this->exchange_type = exchange_type;
836 }
837
838 METHOD(message_t, get_exchange_type, exchange_type_t,
839 private_message_t *this)
840 {
841 return this->exchange_type;
842 }
843
844 METHOD(message_t, get_first_payload_type, payload_type_t,
845 private_message_t *this)
846 {
847 return this->first_payload;
848 }
849
850 METHOD(message_t, set_request, void,
851 private_message_t *this, bool request)
852 {
853 this->is_request = request;
854 }
855
856 METHOD(message_t, get_request, bool,
857 private_message_t *this)
858 {
859 return this->is_request;
860 }
861
862 METHOD(message_t, set_version_flag, void,
863 private_message_t *this)
864 {
865 this->version_flag = TRUE;
866 }
867
868 METHOD(message_t, get_reserved_header_bit, bool,
869 private_message_t *this, u_int nr)
870 {
871 if (nr < countof(this->reserved))
872 {
873 return this->reserved[nr];
874 }
875 return FALSE;
876 }
877
878 METHOD(message_t, set_reserved_header_bit, void,
879 private_message_t *this, u_int nr)
880 {
881 if (nr < countof(this->reserved))
882 {
883 this->reserved[nr] = TRUE;
884 }
885 }
886
887 METHOD(message_t, is_encoded, bool,
888 private_message_t *this)
889 {
890 return this->packet->get_data(this->packet).ptr != NULL;
891 }
892
893 METHOD(message_t, add_payload, void,
894 private_message_t *this, payload_t *payload)
895 {
896 payload_t *last_payload;
897
898 if (this->payloads->get_count(this->payloads) > 0)
899 {
900 this->payloads->get_last(this->payloads, (void **)&last_payload);
901 last_payload->set_next_type(last_payload, payload->get_type(payload));
902 }
903 else
904 {
905 this->first_payload = payload->get_type(payload);
906 }
907 payload->set_next_type(payload, NO_PAYLOAD);
908 this->payloads->insert_last(this->payloads, payload);
909
910 DBG2(DBG_ENC ,"added payload of type %N to message",
911 payload_type_names, payload->get_type(payload));
912 }
913
914 METHOD(message_t, add_notify, void,
915 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
916 {
917 notify_payload_t *notify;
918 payload_t *payload;
919
920 if (flush)
921 {
922 while (this->payloads->remove_last(this->payloads,
923 (void**)&payload) == SUCCESS)
924 {
925 payload->destroy(payload);
926 }
927 }
928 notify = notify_payload_create();
929 notify->set_notify_type(notify, type);
930 notify->set_notification_data(notify, data);
931 add_payload(this, (payload_t*)notify);
932 }
933
934 METHOD(message_t, set_source, void,
935 private_message_t *this, host_t *host)
936 {
937 this->packet->set_source(this->packet, host);
938 }
939
940 METHOD(message_t, set_destination, void,
941 private_message_t *this, host_t *host)
942 {
943 this->packet->set_destination(this->packet, host);
944 }
945
946 METHOD(message_t, get_source, host_t*,
947 private_message_t *this)
948 {
949 return this->packet->get_source(this->packet);
950 }
951
952 METHOD(message_t, get_destination, host_t*,
953 private_message_t *this)
954 {
955 return this->packet->get_destination(this->packet);
956 }
957
958 METHOD(message_t, create_payload_enumerator, enumerator_t*,
959 private_message_t *this)
960 {
961 return this->payloads->create_enumerator(this->payloads);
962 }
963
964 METHOD(message_t, remove_payload_at, void,
965 private_message_t *this, enumerator_t *enumerator)
966 {
967 this->payloads->remove_at(this->payloads, enumerator);
968 }
969
970 METHOD(message_t, get_payload, payload_t*,
971 private_message_t *this, payload_type_t type)
972 {
973 payload_t *current, *found = NULL;
974 enumerator_t *enumerator;
975
976 enumerator = create_payload_enumerator(this);
977 while (enumerator->enumerate(enumerator, &current))
978 {
979 if (current->get_type(current) == type)
980 {
981 found = current;
982 break;
983 }
984 }
985 enumerator->destroy(enumerator);
986 return found;
987 }
988
989 METHOD(message_t, get_notify, notify_payload_t*,
990 private_message_t *this, notify_type_t type)
991 {
992 enumerator_t *enumerator;
993 notify_payload_t *notify = NULL;
994 payload_t *payload;
995
996 enumerator = create_payload_enumerator(this);
997 while (enumerator->enumerate(enumerator, &payload))
998 {
999 if (payload->get_type(payload) == NOTIFY)
1000 {
1001 notify = (notify_payload_t*)payload;
1002 if (notify->get_notify_type(notify) == type)
1003 {
1004 break;
1005 }
1006 notify = NULL;
1007 }
1008 }
1009 enumerator->destroy(enumerator);
1010 return notify;
1011 }
1012
1013 /**
1014 * get a string representation of the message
1015 */
1016 static char* get_string(private_message_t *this, char *buf, int len)
1017 {
1018 enumerator_t *enumerator;
1019 payload_t *payload;
1020 int written;
1021 char *pos = buf;
1022
1023 memset(buf, 0, len);
1024 len--;
1025
1026 written = snprintf(pos, len, "%N %s %d [",
1027 exchange_type_names, this->exchange_type,
1028 this->is_request ? "request" : "response",
1029 this->message_id);
1030 if (written >= len || written < 0)
1031 {
1032 return "";
1033 }
1034 pos += written;
1035 len -= written;
1036
1037 enumerator = create_payload_enumerator(this);
1038 while (enumerator->enumerate(enumerator, &payload))
1039 {
1040 written = snprintf(pos, len, " %N", payload_type_short_names,
1041 payload->get_type(payload));
1042 if (written >= len || written < 0)
1043 {
1044 return buf;
1045 }
1046 pos += written;
1047 len -= written;
1048 if (payload->get_type(payload) == NOTIFY)
1049 {
1050 notify_payload_t *notify;
1051 notify_type_t type;
1052 chunk_t data;
1053
1054 notify = (notify_payload_t*)payload;
1055 type = notify->get_notify_type(notify);
1056 data = notify->get_notification_data(notify);
1057 if (type == MS_NOTIFY_STATUS && data.len == 4)
1058 {
1059 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1060 type, untoh32(data.ptr));
1061 }
1062 else
1063 {
1064 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1065 type);
1066 }
1067 if (written >= len || written < 0)
1068 {
1069 return buf;
1070 }
1071 pos += written;
1072 len -= written;
1073 }
1074 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1075 {
1076 eap_payload_t *eap = (eap_payload_t*)payload;
1077 u_int32_t vendor;
1078 eap_type_t type;
1079 char method[64] = "";
1080
1081 type = eap->get_type(eap, &vendor);
1082 if (type)
1083 {
1084 if (vendor)
1085 {
1086 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1087 }
1088 else
1089 {
1090 snprintf(method, sizeof(method), "/%N",
1091 eap_type_short_names, type);
1092 }
1093 }
1094 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1095 eap->get_code(eap), method);
1096 if (written >= len || written < 0)
1097 {
1098 return buf;
1099 }
1100 pos += written;
1101 len -= written;
1102 }
1103 if (payload->get_type(payload) == CONFIGURATION)
1104 {
1105 cp_payload_t *cp = (cp_payload_t*)payload;
1106 enumerator_t *attributes;
1107 configuration_attribute_t *attribute;
1108 bool first = TRUE;
1109
1110 attributes = cp->create_attribute_enumerator(cp);
1111 while (attributes->enumerate(attributes, &attribute))
1112 {
1113 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1114 configuration_attribute_type_short_names,
1115 attribute->get_type(attribute));
1116 if (written >= len || written < 0)
1117 {
1118 return buf;
1119 }
1120 pos += written;
1121 len -= written;
1122 first = FALSE;
1123 }
1124 attributes->destroy(attributes);
1125 if (!first)
1126 {
1127 written = snprintf(pos, len, ")");
1128 if (written >= len || written < 0)
1129 {
1130 return buf;
1131 }
1132 pos += written;
1133 len -= written;
1134 }
1135 }
1136 }
1137 enumerator->destroy(enumerator);
1138
1139 /* remove last space */
1140 snprintf(pos, len, " ]");
1141 return buf;
1142 }
1143
1144 /**
1145 * reorder payloads depending on reordering rules
1146 */
1147 static void order_payloads(private_message_t *this)
1148 {
1149 linked_list_t *list;
1150 payload_t *payload;
1151 int i;
1152
1153 /* move to temp list */
1154 list = linked_list_create();
1155 while (this->payloads->remove_last(this->payloads,
1156 (void**)&payload) == SUCCESS)
1157 {
1158 list->insert_first(list, payload);
1159 }
1160 /* for each rule, ... */
1161 for (i = 0; i < this->rule->order_count; i++)
1162 {
1163 enumerator_t *enumerator;
1164 notify_payload_t *notify;
1165 payload_order_t order;
1166
1167 order = this->rule->order[i];
1168
1169 /* ... find all payload ... */
1170 enumerator = list->create_enumerator(list);
1171 while (enumerator->enumerate(enumerator, &payload))
1172 {
1173 /* ... with that type ... */
1174 if (payload->get_type(payload) == order.type)
1175 {
1176 notify = (notify_payload_t*)payload;
1177
1178 /**... and check notify for type. */
1179 if (order.type != NOTIFY || order.notify == 0 ||
1180 order.notify == notify->get_notify_type(notify))
1181 {
1182 list->remove_at(list, enumerator);
1183 add_payload(this, payload);
1184 }
1185 }
1186 }
1187 enumerator->destroy(enumerator);
1188 }
1189 /* append all payloads without a rule to the end */
1190 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1191 {
1192 /* do not complain about payloads in private use space */
1193 if (payload->get_type(payload) < 128)
1194 {
1195 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1196 payload_type_names, payload->get_type(payload),
1197 exchange_type_names, this->rule->exchange_type,
1198 this->rule->is_request ? "request" : "response");
1199 }
1200 add_payload(this, payload);
1201 }
1202 list->destroy(list);
1203 }
1204
1205 /**
1206 * Wrap payloads in a encryption payload
1207 */
1208 static encryption_payload_t* wrap_payloads(private_message_t *this)
1209 {
1210 encryption_payload_t *encryption;
1211 linked_list_t *payloads;
1212 payload_t *current;
1213
1214 /* copy all payloads in a temporary list */
1215 payloads = linked_list_create();
1216 while (this->payloads->remove_first(this->payloads,
1217 (void**)&current) == SUCCESS)
1218 {
1219 payloads->insert_last(payloads, current);
1220 }
1221
1222 encryption = encryption_payload_create();
1223 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1224 {
1225 payload_rule_t *rule;
1226 payload_type_t type;
1227 bool encrypt = TRUE;
1228
1229 type = current->get_type(current);
1230 rule = get_payload_rule(this, type);
1231 if (rule)
1232 {
1233 encrypt = rule->encrypted;
1234 }
1235 if (encrypt)
1236 {
1237 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1238 payload_type_names, type);
1239 encryption->add_payload(encryption, current);
1240 }
1241 else
1242 {
1243 DBG2(DBG_ENC, "insert payload %N unencrypted",
1244 payload_type_names, type);
1245 add_payload(this, current);
1246 }
1247 }
1248 payloads->destroy(payloads);
1249
1250 return encryption;
1251 }
1252
1253 METHOD(message_t, disable_sort, void,
1254 private_message_t *this)
1255 {
1256 this->sort_disabled = TRUE;
1257 }
1258
1259 METHOD(message_t, generate, status_t,
1260 private_message_t *this, aead_t *aead, packet_t **packet)
1261 {
1262 generator_t *generator;
1263 ike_header_t *ike_header;
1264 payload_t *payload, *next;
1265 encryption_payload_t *encryption = NULL;
1266 enumerator_t *enumerator;
1267 chunk_t chunk;
1268 char str[BUF_LEN];
1269 u_int32_t *lenpos;
1270 bool *reserved;
1271 int i;
1272
1273 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1274 {
1275 DBG1(DBG_ENC, "exchange type is not defined");
1276 return INVALID_STATE;
1277 }
1278
1279 if (this->packet->get_source(this->packet) == NULL ||
1280 this->packet->get_destination(this->packet) == NULL)
1281 {
1282 DBG1(DBG_ENC, "source/destination not defined");
1283 return INVALID_STATE;
1284 }
1285
1286 this->rule = get_message_rule(this);
1287 if (!this->rule)
1288 {
1289 DBG1(DBG_ENC, "no message rules specified for this message type");
1290 return NOT_SUPPORTED;
1291 }
1292
1293 if (!this->sort_disabled)
1294 {
1295 order_payloads(this);
1296 }
1297
1298 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1299
1300 if (aead && this->rule->encrypted)
1301 {
1302 encryption = wrap_payloads(this);
1303 }
1304 else
1305 {
1306 DBG2(DBG_ENC, "not encrypting payloads");
1307 }
1308
1309 ike_header = ike_header_create_version(this->major_version,
1310 this->minor_version);
1311 ike_header->set_exchange_type(ike_header, this->exchange_type);
1312 ike_header->set_message_id(ike_header, this->message_id);
1313 ike_header->set_response_flag(ike_header, !this->is_request);
1314 ike_header->set_version_flag(ike_header, this->version_flag);
1315 ike_header->set_initiator_flag(ike_header,
1316 this->ike_sa_id->is_initiator(this->ike_sa_id));
1317 ike_header->set_initiator_spi(ike_header,
1318 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1319 ike_header->set_responder_spi(ike_header,
1320 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1321
1322 for (i = 0; i < countof(this->reserved); i++)
1323 {
1324 reserved = payload_get_field(&ike_header->payload_interface,
1325 RESERVED_BIT, i);
1326 if (reserved)
1327 {
1328 *reserved = this->reserved[i];
1329 }
1330 }
1331
1332 generator = generator_create();
1333
1334 /* generate all payloads with proper next type */
1335 payload = (payload_t*)ike_header;
1336 enumerator = create_payload_enumerator(this);
1337 while (enumerator->enumerate(enumerator, &next))
1338 {
1339 payload->set_next_type(payload, next->get_type(next));
1340 generator->generate_payload(generator, payload);
1341 payload = next;
1342 }
1343 enumerator->destroy(enumerator);
1344 payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
1345 generator->generate_payload(generator, payload);
1346 ike_header->destroy(ike_header);
1347
1348 if (encryption)
1349 {
1350 u_int32_t *lenpos;
1351
1352 /* build associated data (without header of encryption payload) */
1353 chunk = generator->get_chunk(generator, &lenpos);
1354 encryption->set_transform(encryption, aead);
1355 /* fill in length, including encryption payload */
1356 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1357
1358 this->payloads->insert_last(this->payloads, encryption);
1359 if (!encryption->encrypt(encryption, chunk))
1360 {
1361 generator->destroy(generator);
1362 return INVALID_STATE;
1363 }
1364 generator->generate_payload(generator, &encryption->payload_interface);
1365 }
1366 chunk = generator->get_chunk(generator, &lenpos);
1367 htoun32(lenpos, chunk.len);
1368 this->packet->set_data(this->packet, chunk_clone(chunk));
1369 generator->destroy(generator);
1370
1371 *packet = this->packet->clone(this->packet);
1372 return SUCCESS;
1373 }
1374
1375 METHOD(message_t, get_packet, packet_t*,
1376 private_message_t *this)
1377 {
1378 if (this->packet == NULL)
1379 {
1380 return NULL;
1381 }
1382 return this->packet->clone(this->packet);
1383 }
1384
1385 METHOD(message_t, get_packet_data, chunk_t,
1386 private_message_t *this)
1387 {
1388 if (this->packet == NULL)
1389 {
1390 return chunk_empty;
1391 }
1392 return chunk_clone(this->packet->get_data(this->packet));
1393 }
1394
1395 METHOD(message_t, parse_header, status_t,
1396 private_message_t *this)
1397 {
1398 ike_header_t *ike_header;
1399 status_t status;
1400 bool *reserved;
1401 int i;
1402
1403 DBG2(DBG_ENC, "parsing header of message");
1404
1405 this->parser->reset_context(this->parser);
1406 status = this->parser->parse_payload(this->parser, HEADER,
1407 (payload_t**)&ike_header);
1408 if (status != SUCCESS)
1409 {
1410 DBG1(DBG_ENC, "header could not be parsed");
1411 return status;
1412
1413 }
1414
1415 status = ike_header->payload_interface.verify(
1416 &ike_header->payload_interface);
1417 if (status != SUCCESS)
1418 {
1419 DBG1(DBG_ENC, "header verification failed");
1420 ike_header->destroy(ike_header);
1421 return status;
1422 }
1423
1424 DESTROY_IF(this->ike_sa_id);
1425 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1426 ike_header->get_responder_spi(ike_header),
1427 ike_header->get_initiator_flag(ike_header));
1428
1429 this->exchange_type = ike_header->get_exchange_type(ike_header);
1430 this->message_id = ike_header->get_message_id(ike_header);
1431 this->is_request = !ike_header->get_response_flag(ike_header);
1432 this->major_version = ike_header->get_maj_version(ike_header);
1433 this->minor_version = ike_header->get_min_version(ike_header);
1434 this->first_payload = ike_header->payload_interface.get_next_type(
1435 &ike_header->payload_interface);
1436 for (i = 0; i < countof(this->reserved); i++)
1437 {
1438 reserved = payload_get_field(&ike_header->payload_interface,
1439 RESERVED_BIT, i);
1440 if (reserved)
1441 {
1442 this->reserved[i] = *reserved;
1443 }
1444 }
1445 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1446 this->is_request ? "request" : "response");
1447
1448 ike_header->destroy(ike_header);
1449
1450 this->rule = get_message_rule(this);
1451 if (!this->rule)
1452 {
1453 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1454 exchange_type_names, this->exchange_type,
1455 this->is_request ? "request" : "response");
1456 }
1457 return status;
1458 }
1459
1460 /**
1461 * Check if a payload is for a mediation extension connectivity check
1462 */
1463 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1464 {
1465 #ifdef ME
1466 if (this->exchange_type == INFORMATIONAL &&
1467 payload->get_type(payload) == NOTIFY)
1468 {
1469 notify_payload_t *notify = (notify_payload_t*)payload;
1470
1471 switch (notify->get_notify_type(notify))
1472 {
1473 case ME_CONNECTID:
1474 case ME_ENDPOINT:
1475 case ME_CONNECTAUTH:
1476 return TRUE;
1477 default:
1478 break;
1479 }
1480 }
1481 #endif /* !ME */
1482 return FALSE;
1483 }
1484
1485 /**
1486 * Decrypt payload from the encryption payload
1487 */
1488 static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
1489 {
1490 bool was_encrypted = FALSE;
1491 payload_t *payload, *previous = NULL;
1492 enumerator_t *enumerator;
1493 payload_rule_t *rule;
1494 payload_type_t type;
1495 status_t status = SUCCESS;
1496
1497 enumerator = this->payloads->create_enumerator(this->payloads);
1498 while (enumerator->enumerate(enumerator, &payload))
1499 {
1500 type = payload->get_type(payload);
1501
1502 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1503
1504 if (type == ENCRYPTED)
1505 {
1506 encryption_payload_t *encryption;
1507 payload_t *encrypted;
1508 chunk_t chunk;
1509
1510 encryption = (encryption_payload_t*)payload;
1511
1512 DBG2(DBG_ENC, "found an encryption payload");
1513
1514 if (this->payloads->has_more(this->payloads, enumerator))
1515 {
1516 DBG1(DBG_ENC, "encrypted payload is not last payload");
1517 status = VERIFY_ERROR;
1518 break;
1519 }
1520 encryption->set_transform(encryption, aead);
1521 chunk = this->packet->get_data(this->packet);
1522 if (chunk.len < encryption->get_length(encryption))
1523 {
1524 DBG1(DBG_ENC, "invalid payload length");
1525 status = VERIFY_ERROR;
1526 break;
1527 }
1528 chunk.len -= encryption->get_length(encryption);
1529 status = encryption->decrypt(encryption, chunk);
1530 if (status != SUCCESS)
1531 {
1532 break;
1533 }
1534
1535 was_encrypted = TRUE;
1536 this->payloads->remove_at(this->payloads, enumerator);
1537
1538 while ((encrypted = encryption->remove_payload(encryption)))
1539 {
1540 type = encrypted->get_type(encrypted);
1541 if (previous)
1542 {
1543 previous->set_next_type(previous, type);
1544 }
1545 else
1546 {
1547 this->first_payload = type;
1548 }
1549 DBG2(DBG_ENC, "insert decrypted payload of type "
1550 "%N at end of list", payload_type_names, type);
1551 this->payloads->insert_last(this->payloads, encrypted);
1552 previous = encrypted;
1553 }
1554 encryption->destroy(encryption);
1555 }
1556 if (payload_is_known(type) && !was_encrypted &&
1557 !is_connectivity_check(this, payload))
1558 {
1559 rule = get_payload_rule(this, type);
1560 if (!rule || rule->encrypted)
1561 {
1562 DBG1(DBG_ENC, "payload type %N was not encrypted",
1563 payload_type_names, type);
1564 status = FAILED;
1565 break;
1566 }
1567 }
1568 previous = payload;
1569 }
1570 enumerator->destroy(enumerator);
1571 return status;
1572 }
1573
1574 /**
1575 * Verify a message and all payload according to message/payload rules
1576 */
1577 static status_t verify(private_message_t *this)
1578 {
1579 bool complete = FALSE;
1580 int i;
1581
1582 DBG2(DBG_ENC, "verifying message structure");
1583
1584 /* check for payloads with wrong count*/
1585 for (i = 0; i < this->rule->rule_count; i++)
1586 {
1587 enumerator_t *enumerator;
1588 payload_t *payload;
1589 payload_rule_t *rule;
1590 int found = 0;
1591
1592 rule = &this->rule->rules[i];
1593 enumerator = create_payload_enumerator(this);
1594 while (enumerator->enumerate(enumerator, &payload))
1595 {
1596 payload_type_t type;
1597
1598 type = payload->get_type(payload);
1599 if (type == rule->type)
1600 {
1601 found++;
1602 DBG2(DBG_ENC, "found payload of type %N",
1603 payload_type_names, type);
1604 if (found > rule->max_occurence)
1605 {
1606 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1607 "occurred in current message", payload_type_names,
1608 type, rule->max_occurence, found);
1609 enumerator->destroy(enumerator);
1610 return VERIFY_ERROR;
1611 }
1612 }
1613 }
1614 enumerator->destroy(enumerator);
1615
1616 if (!complete && found < rule->min_occurence)
1617 {
1618 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1619 payload_type_names, rule->type, rule->min_occurence, found);
1620 return VERIFY_ERROR;
1621 }
1622 if (found && rule->sufficient)
1623 {
1624 complete = TRUE;
1625 }
1626 }
1627 return SUCCESS;
1628 }
1629
1630 METHOD(message_t, parse_body, status_t,
1631 private_message_t *this, aead_t *aead)
1632 {
1633 status_t status = SUCCESS;
1634 payload_t *payload;
1635 payload_type_t type;
1636 char str[BUF_LEN];
1637
1638 type = this->first_payload;
1639
1640 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1641 payload_type_names, type);
1642
1643 while (type != NO_PAYLOAD)
1644 {
1645 DBG2(DBG_ENC, "starting parsing a %N payload",
1646 payload_type_names, type);
1647
1648 status = this->parser->parse_payload(this->parser, type, &payload);
1649 if (status != SUCCESS)
1650 {
1651 DBG1(DBG_ENC, "payload type %N could not be parsed",
1652 payload_type_names, type);
1653 return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;
1654 }
1655
1656 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1657 status = payload->verify(payload);
1658 if (status != SUCCESS)
1659 {
1660 DBG1(DBG_ENC, "%N payload verification failed",
1661 payload_type_names, type);
1662 payload->destroy(payload);
1663 return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED;
1664 }
1665
1666 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1667 payload_type_names, type);
1668 this->payloads->insert_last(this->payloads, payload);
1669
1670 /* an encryption payload is the last one, so STOP here. decryption is
1671 * done later */
1672 if (type == ENCRYPTED)
1673 {
1674 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1675 payload_type_names, type);
1676 break;
1677 }
1678 type = payload->get_next_type(payload);
1679 }
1680
1681 status = decrypt_payloads(this, aead);
1682 if (status != SUCCESS)
1683 {
1684 DBG1(DBG_ENC, "could not decrypt payloads");
1685 return status;
1686 }
1687
1688 status = verify(this);
1689 if (status != SUCCESS)
1690 {
1691 return status;
1692 }
1693
1694 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1695
1696 return SUCCESS;
1697 }
1698
1699 METHOD(message_t, destroy, void,
1700 private_message_t *this)
1701 {
1702 DESTROY_IF(this->ike_sa_id);
1703 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1704 this->packet->destroy(this->packet);
1705 this->parser->destroy(this->parser);
1706 free(this);
1707 }
1708
1709 /*
1710 * Described in Header-File
1711 */
1712 message_t *message_create_from_packet(packet_t *packet)
1713 {
1714 private_message_t *this;
1715
1716 INIT(this,
1717 .public = {
1718 .set_major_version = _set_major_version,
1719 .get_major_version = _get_major_version,
1720 .set_minor_version = _set_minor_version,
1721 .get_minor_version = _get_minor_version,
1722 .set_message_id = _set_message_id,
1723 .get_message_id = _get_message_id,
1724 .get_initiator_spi = _get_initiator_spi,
1725 .get_responder_spi = _get_responder_spi,
1726 .set_ike_sa_id = _set_ike_sa_id,
1727 .get_ike_sa_id = _get_ike_sa_id,
1728 .set_exchange_type = _set_exchange_type,
1729 .get_exchange_type = _get_exchange_type,
1730 .get_first_payload_type = _get_first_payload_type,
1731 .set_request = _set_request,
1732 .get_request = _get_request,
1733 .set_version_flag = _set_version_flag,
1734 .get_reserved_header_bit = _get_reserved_header_bit,
1735 .set_reserved_header_bit = _set_reserved_header_bit,
1736 .add_payload = _add_payload,
1737 .add_notify = _add_notify,
1738 .disable_sort = _disable_sort,
1739 .generate = _generate,
1740 .is_encoded = _is_encoded,
1741 .set_source = _set_source,
1742 .get_source = _get_source,
1743 .set_destination = _set_destination,
1744 .get_destination = _get_destination,
1745 .create_payload_enumerator = _create_payload_enumerator,
1746 .remove_payload_at = _remove_payload_at,
1747 .get_payload = _get_payload,
1748 .get_notify = _get_notify,
1749 .parse_header = _parse_header,
1750 .parse_body = _parse_body,
1751 .get_packet = _get_packet,
1752 .get_packet_data = _get_packet_data,
1753 .destroy = _destroy,
1754 },
1755 .major_version = IKEV2_MAJOR_VERSION,
1756 .minor_version = IKEV2_MINOR_VERSION,
1757 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
1758 .is_request = TRUE,
1759 .first_payload = NO_PAYLOAD,
1760 .packet = packet,
1761 .payloads = linked_list_create(),
1762 .parser = parser_create(packet->get_data(packet)),
1763 );
1764
1765 return (&this->public);
1766 }
1767
1768 /*
1769 * Described in Header.
1770 */
1771 message_t *message_create()
1772 {
1773 return message_create_from_packet(packet_create());
1774 }
1775