Store the major IKE version on ike_sa_id_t.
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ikev1/keymat_v1.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/hash_payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of vendor ID payloads per IKEv2 message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * Max number of certificate request payloads per IKEv1 message
59 */
60 #define MAX_CERTREQ_PAYLOADS 5
61
62 /**
63 * Max number of NAT-D payloads per IKEv1 message
64 */
65 #define MAX_NAT_D_PAYLOADS 5
66
67 /**
68 * A payload rule defines the rules for a payload
69 * in a specific message rule. It defines if and how
70 * many times a payload must/can occur in a message
71 * and if it must be encrypted.
72 */
73 typedef struct {
74 /* Payload type */
75 payload_type_t type;
76 /* Minimal occurrence of this payload. */
77 size_t min_occurence;
78 /* Max occurrence of this payload. */
79 size_t max_occurence;
80 /* TRUE if payload must be encrypted */
81 bool encrypted;
82 /* If payload occurs, the message rule is fulfilled */
83 bool sufficient;
84 } payload_rule_t;
85
86 /**
87 * payload ordering structure allows us to reorder payloads according to RFC.
88 */
89 typedef struct {
90 /** payload type */
91 payload_type_t type;
92 /** notify type, if payload == NOTIFY */
93 notify_type_t notify;
94 } payload_order_t;
95
96 /**
97 * A message rule defines the kind of a message,
98 * if it has encrypted contents and a list
99 * of payload ordering rules and payload parsing rules.
100 */
101 typedef struct {
102 /** Type of message. */
103 exchange_type_t exchange_type;
104 /** Is message a request or response. */
105 bool is_request;
106 /** Message contains encrypted payloads. */
107 bool encrypted;
108 /** Number of payload rules which will follow */
109 int rule_count;
110 /** Pointer to first payload rule */
111 payload_rule_t *rules;
112 /** Number of payload order rules */
113 int order_count;
114 /** payload ordering rules */
115 payload_order_t *order;
116 } message_rule_t;
117
118 /**
119 * Message rule for IKE_SA_INIT from initiator.
120 */
121 static payload_rule_t ike_sa_init_i_rules[] = {
122 /* payload type min max encr suff */
123 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
124 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
125 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
126 {NONCE, 1, 1, FALSE, FALSE},
127 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
128 };
129
130 /**
131 * payload order for IKE_SA_INIT initiator
132 */
133 static payload_order_t ike_sa_init_i_order[] = {
134 /* payload type notify type */
135 {NOTIFY, COOKIE},
136 {SECURITY_ASSOCIATION, 0},
137 {KEY_EXCHANGE, 0},
138 {NONCE, 0},
139 {NOTIFY, NAT_DETECTION_SOURCE_IP},
140 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
141 {NOTIFY, 0},
142 {VENDOR_ID, 0},
143 };
144
145 /**
146 * Message rule for IKE_SA_INIT from responder.
147 */
148 static payload_rule_t ike_sa_init_r_rules[] = {
149 /* payload type min max encr suff */
150 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
151 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
152 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
153 {NONCE, 1, 1, FALSE, FALSE},
154 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
155 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
156 };
157
158 /**
159 * payload order for IKE_SA_INIT responder
160 */
161 static payload_order_t ike_sa_init_r_order[] = {
162 /* payload type notify type */
163 {SECURITY_ASSOCIATION, 0},
164 {KEY_EXCHANGE, 0},
165 {NONCE, 0},
166 {NOTIFY, NAT_DETECTION_SOURCE_IP},
167 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
168 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
169 {CERTIFICATE_REQUEST, 0},
170 {NOTIFY, 0},
171 {VENDOR_ID, 0},
172 };
173
174 /**
175 * Message rule for IKE_AUTH from initiator.
176 */
177 static payload_rule_t ike_auth_i_rules[] = {
178 /* payload type min max encr suff */
179 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
180 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
181 {AUTHENTICATION, 0, 1, TRUE, TRUE},
182 {ID_INITIATOR, 0, 1, TRUE, FALSE},
183 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
184 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
185 {ID_RESPONDER, 0, 1, TRUE, FALSE},
186 #ifdef ME
187 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
188 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
189 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
190 #else
191 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
192 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
193 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
194 #endif /* ME */
195 {CONFIGURATION, 0, 1, TRUE, FALSE},
196 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
197 };
198
199 /**
200 * payload order for IKE_AUTH initiator
201 */
202 static payload_order_t ike_auth_i_order[] = {
203 /* payload type notify type */
204 {ID_INITIATOR, 0},
205 {CERTIFICATE, 0},
206 {NOTIFY, INITIAL_CONTACT},
207 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
208 {CERTIFICATE_REQUEST, 0},
209 {ID_RESPONDER, 0},
210 {AUTHENTICATION, 0},
211 {EXTENSIBLE_AUTHENTICATION, 0},
212 {CONFIGURATION, 0},
213 {NOTIFY, IPCOMP_SUPPORTED},
214 {NOTIFY, USE_TRANSPORT_MODE},
215 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
216 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
217 {SECURITY_ASSOCIATION, 0},
218 {TRAFFIC_SELECTOR_INITIATOR, 0},
219 {TRAFFIC_SELECTOR_RESPONDER, 0},
220 {NOTIFY, MOBIKE_SUPPORTED},
221 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
222 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
223 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
224 {NOTIFY, 0},
225 {VENDOR_ID, 0},
226 };
227
228 /**
229 * Message rule for IKE_AUTH from responder.
230 */
231 static payload_rule_t ike_auth_r_rules[] = {
232 /* payload type min max encr suff */
233 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
234 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
235 {AUTHENTICATION, 0, 1, TRUE, TRUE},
236 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
237 {ID_RESPONDER, 0, 1, TRUE, FALSE},
238 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
239 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
240 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
241 {CONFIGURATION, 0, 1, TRUE, FALSE},
242 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
243 };
244
245 /**
246 * payload order for IKE_AUTH responder
247 */
248 static payload_order_t ike_auth_r_order[] = {
249 /* payload type notify type */
250 {ID_RESPONDER, 0},
251 {CERTIFICATE, 0},
252 {AUTHENTICATION, 0},
253 {EXTENSIBLE_AUTHENTICATION, 0},
254 {CONFIGURATION, 0},
255 {NOTIFY, IPCOMP_SUPPORTED},
256 {NOTIFY, USE_TRANSPORT_MODE},
257 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
258 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
259 {SECURITY_ASSOCIATION, 0},
260 {TRAFFIC_SELECTOR_INITIATOR, 0},
261 {TRAFFIC_SELECTOR_RESPONDER, 0},
262 {NOTIFY, AUTH_LIFETIME},
263 {NOTIFY, MOBIKE_SUPPORTED},
264 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
265 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
266 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
267 {NOTIFY, 0},
268 {VENDOR_ID, 0},
269 };
270
271 /**
272 * Message rule for INFORMATIONAL from initiator.
273 */
274 static payload_rule_t informational_i_rules[] = {
275 /* payload type min max encr suff */
276 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
277 {CONFIGURATION, 0, 1, TRUE, FALSE},
278 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
279 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
280 };
281
282 /**
283 * payload order for INFORMATIONAL initiator
284 */
285 static payload_order_t informational_i_order[] = {
286 /* payload type notify type */
287 {NOTIFY, UPDATE_SA_ADDRESSES},
288 {NOTIFY, NAT_DETECTION_SOURCE_IP},
289 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
290 {NOTIFY, COOKIE2},
291 {NOTIFY, 0},
292 {DELETE, 0},
293 {CONFIGURATION, 0},
294 };
295
296 /**
297 * Message rule for INFORMATIONAL from responder.
298 */
299 static payload_rule_t informational_r_rules[] = {
300 /* payload type min max encr suff */
301 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
302 {CONFIGURATION, 0, 1, TRUE, FALSE},
303 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
304 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
305 };
306
307 /**
308 * payload order for INFORMATIONAL responder
309 */
310 static payload_order_t informational_r_order[] = {
311 /* payload type notify type */
312 {NOTIFY, UPDATE_SA_ADDRESSES},
313 {NOTIFY, NAT_DETECTION_SOURCE_IP},
314 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
315 {NOTIFY, COOKIE2},
316 {NOTIFY, 0},
317 {DELETE, 0},
318 {CONFIGURATION, 0},
319 };
320
321 /**
322 * Message rule for CREATE_CHILD_SA from initiator.
323 */
324 static payload_rule_t create_child_sa_i_rules[] = {
325 /* payload type min max encr suff */
326 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
327 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
328 {NONCE, 1, 1, TRUE, FALSE},
329 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
330 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
331 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
332 {CONFIGURATION, 0, 1, TRUE, FALSE},
333 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
334 };
335
336 /**
337 * payload order for CREATE_CHILD_SA from initiator.
338 */
339 static payload_order_t create_child_sa_i_order[] = {
340 /* payload type notify type */
341 {NOTIFY, REKEY_SA},
342 {NOTIFY, IPCOMP_SUPPORTED},
343 {NOTIFY, USE_TRANSPORT_MODE},
344 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
345 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
346 {SECURITY_ASSOCIATION, 0},
347 {NONCE, 0},
348 {KEY_EXCHANGE, 0},
349 {TRAFFIC_SELECTOR_INITIATOR, 0},
350 {TRAFFIC_SELECTOR_RESPONDER, 0},
351 {NOTIFY, 0},
352 };
353
354 /**
355 * Message rule for CREATE_CHILD_SA from responder.
356 */
357 static payload_rule_t create_child_sa_r_rules[] = {
358 /* payload type min max encr suff */
359 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
360 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
361 {NONCE, 1, 1, TRUE, FALSE},
362 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
363 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
364 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
365 {CONFIGURATION, 0, 1, TRUE, FALSE},
366 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
367 };
368
369 /**
370 * payload order for CREATE_CHILD_SA from responder.
371 */
372 static payload_order_t create_child_sa_r_order[] = {
373 /* payload type notify type */
374 {NOTIFY, IPCOMP_SUPPORTED},
375 {NOTIFY, USE_TRANSPORT_MODE},
376 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
377 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
378 {SECURITY_ASSOCIATION, 0},
379 {NONCE, 0},
380 {KEY_EXCHANGE, 0},
381 {TRAFFIC_SELECTOR_INITIATOR, 0},
382 {TRAFFIC_SELECTOR_RESPONDER, 0},
383 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
384 {NOTIFY, 0},
385 };
386
387 #ifdef ME
388 /**
389 * Message rule for ME_CONNECT from initiator.
390 */
391 static payload_rule_t me_connect_i_rules[] = {
392 /* payload type min max encr suff */
393 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
394 {ID_PEER, 1, 1, TRUE, FALSE},
395 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
396 };
397
398 /**
399 * payload order for ME_CONNECT from initiator.
400 */
401 static payload_order_t me_connect_i_order[] = {
402 /* payload type notify type */
403 {NOTIFY, 0},
404 {ID_PEER, 0},
405 {VENDOR_ID, 0},
406 };
407
408 /**
409 * Message rule for ME_CONNECT from responder.
410 */
411 static payload_rule_t me_connect_r_rules[] = {
412 /* payload type min max encr suff */
413 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
414 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
415 };
416
417 /**
418 * payload order for ME_CONNECT from responder.
419 */
420 static payload_order_t me_connect_r_order[] = {
421 /* payload type notify type */
422 {NOTIFY, 0},
423 {VENDOR_ID, 0},
424 };
425 #endif /* ME */
426
427 #ifdef USE_IKEV1
428 /**
429 * Message rule for ID_PROT from initiator.
430 */
431 static payload_rule_t id_prot_i_rules[] = {
432 /* payload type min max encr suff */
433 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
434 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
435 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
436 {NONCE_V1, 0, 1, FALSE, FALSE},
437 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
438 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
439 {NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
440 {ID_V1, 0, 1, TRUE, FALSE},
441 {CERTIFICATE_V1, 0, 2, TRUE, FALSE},
442 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
443 {HASH_V1, 0, 1, TRUE, FALSE},
444 };
445
446 /**
447 * payload order for ID_PROT from initiator.
448 */
449 static payload_order_t id_prot_i_order[] = {
450 /* payload type notify type */
451 {SECURITY_ASSOCIATION_V1, 0},
452 {KEY_EXCHANGE_V1, 0},
453 {NONCE_V1, 0},
454 {ID_V1, 0},
455 {CERTIFICATE_V1, 0},
456 {SIGNATURE_V1, 0},
457 {HASH_V1, 0},
458 {CERTIFICATE_REQUEST_V1, 0},
459 {NOTIFY_V1, 0},
460 {VENDOR_ID_V1, 0},
461 {NAT_D_V1, 0},
462 };
463
464 /**
465 * Message rule for ID_PROT from responder.
466 */
467 static payload_rule_t id_prot_r_rules[] = {
468 /* payload type min max encr suff */
469 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
470 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
471 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
472 {NONCE_V1, 0, 1, FALSE, FALSE},
473 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
474 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
475 {NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
476 {ID_V1, 0, 1, TRUE, FALSE},
477 {CERTIFICATE_V1, 0, 2, TRUE, FALSE},
478 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
479 {HASH_V1, 0, 1, TRUE, FALSE},
480 };
481
482 /**
483 * payload order for ID_PROT from responder.
484 */
485 static payload_order_t id_prot_r_order[] = {
486 /* payload type notify type */
487 {SECURITY_ASSOCIATION_V1, 0},
488 {KEY_EXCHANGE_V1, 0},
489 {NONCE_V1, 0},
490 {ID_V1, 0},
491 {CERTIFICATE_V1, 0},
492 {SIGNATURE_V1, 0},
493 {HASH_V1, 0},
494 {CERTIFICATE_REQUEST_V1, 0},
495 {NOTIFY_V1, 0},
496 {VENDOR_ID_V1, 0},
497 {NAT_D_V1, 0},
498 };
499
500 /**
501 * Message rule for AGGRESSIVE from initiator.
502 */
503 static payload_rule_t aggressive_i_rules[] = {
504 /* payload type min max encr suff */
505 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
506 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
507 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
508 {NONCE_V1, 0, 1, FALSE, FALSE},
509 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
510 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
511 {NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
512 {ID_V1, 0, 1, FALSE, FALSE},
513 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
514 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
515 {HASH_V1, 0, 1, TRUE, FALSE},
516 };
517
518 /**
519 * payload order for AGGRESSIVE from initiator.
520 */
521 static payload_order_t aggressive_i_order[] = {
522 /* payload type notify type */
523 {SECURITY_ASSOCIATION_V1, 0},
524 {KEY_EXCHANGE_V1, 0},
525 {NONCE_V1, 0},
526 {ID_V1, 0},
527 {CERTIFICATE_V1, 0},
528 {NAT_D_V1, 0},
529 {SIGNATURE_V1, 0},
530 {HASH_V1, 0},
531 {CERTIFICATE_REQUEST_V1, 0},
532 {NOTIFY_V1, 0},
533 {VENDOR_ID_V1, 0},
534 };
535
536 /**
537 * Message rule for AGGRESSIVE from responder.
538 */
539 static payload_rule_t aggressive_r_rules[] = {
540 /* payload type min max encr suff */
541 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
542 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
543 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
544 {NONCE_V1, 0, 1, FALSE, FALSE},
545 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
546 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
547 {NAT_D_V1, 0, MAX_NAT_D_PAYLOADS, FALSE, FALSE},
548 {ID_V1, 0, 1, FALSE, FALSE},
549 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
550 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
551 {HASH_V1, 0, 1, FALSE, FALSE},
552 };
553
554 /**
555 * payload order for AGGRESSIVE from responder.
556 */
557 static payload_order_t aggressive_r_order[] = {
558 /* payload type notify type */
559 {SECURITY_ASSOCIATION_V1, 0},
560 {KEY_EXCHANGE_V1, 0},
561 {NONCE_V1, 0},
562 {ID_V1, 0},
563 {CERTIFICATE_V1, 0},
564 {NAT_D_V1, 0},
565 {SIGNATURE_V1, 0},
566 {HASH_V1, 0},
567 {CERTIFICATE_REQUEST_V1, 0},
568 {NOTIFY_V1, 0},
569 {VENDOR_ID_V1, 0},
570 };
571
572 /**
573 * Message rule for INFORMATIONAL_V1 from initiator.
574 */
575 static payload_rule_t informational_i_rules_v1[] = {
576 /* payload type min max encr suff */
577 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
578 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
579 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
580 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
581 };
582
583 /**
584 * payload order for INFORMATIONAL_V1 from initiator.
585 */
586 static payload_order_t informational_i_order_v1[] = {
587 /* payload type notify type */
588 {NOTIFY_V1, 0},
589 {DELETE_V1, 0},
590 {VENDOR_ID_V1, 0},
591 };
592
593 /**
594 * Message rule for INFORMATIONAL_V1 from responder.
595 */
596 static payload_rule_t informational_r_rules_v1[] = {
597 /* payload type min max encr suff */
598 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
599 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
600 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
601 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
602 };
603
604 /**
605 * payload order for INFORMATIONAL_V1 from responder.
606 */
607 static payload_order_t informational_r_order_v1[] = {
608 /* payload type notify type */
609 {NOTIFY_V1, 0},
610 {DELETE_V1, 0},
611 {VENDOR_ID_V1, 0},
612 };
613
614 /**
615 * Message rule for QUICK_MODE from initiator.
616 */
617 static payload_rule_t quick_mode_i_rules[] = {
618 /* payload type min max encr suff */
619 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
620 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
621 {HASH_V1, 0, 1, TRUE, FALSE},
622 {SECURITY_ASSOCIATION_V1, 0, 2, TRUE, FALSE},
623 {NONCE_V1, 0, 1, TRUE, FALSE},
624 {KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
625 {ID_V1, 0, 2, TRUE, FALSE},
626 {NAT_OA_V1, 0, 2, TRUE, FALSE},
627 };
628
629 /**
630 * payload order for QUICK_MODE from initiator.
631 */
632 static payload_order_t quick_mode_i_order[] = {
633 /* payload type notify type */
634 {NOTIFY_V1, 0},
635 {VENDOR_ID_V1, 0},
636 {HASH_V1, 0},
637 {SECURITY_ASSOCIATION_V1, 0},
638 {NONCE_V1, 0},
639 {KEY_EXCHANGE_V1, 0},
640 {ID_V1, 0},
641 {NAT_OA_V1, 0},
642 };
643
644 /**
645 * Message rule for QUICK_MODE from responder.
646 */
647 static payload_rule_t quick_mode_r_rules[] = {
648 /* payload type min max encr suff */
649 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
650 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
651 {HASH_V1, 0, 1, TRUE, FALSE},
652 {SECURITY_ASSOCIATION_V1, 0, 2, TRUE, FALSE},
653 {NONCE_V1, 0, 1, TRUE, FALSE},
654 {KEY_EXCHANGE_V1, 0, 1, TRUE, FALSE},
655 {ID_V1, 0, 2, TRUE, FALSE},
656 {NAT_OA_V1, 0, 2, TRUE, FALSE},
657 };
658
659 /**
660 * payload order for QUICK_MODE from responder.
661 */
662 static payload_order_t quick_mode_r_order[] = {
663 /* payload type notify type */
664 {NOTIFY_V1, 0},
665 {VENDOR_ID_V1, 0},
666 {HASH_V1, 0},
667 {SECURITY_ASSOCIATION_V1, 0},
668 {NONCE_V1, 0},
669 {KEY_EXCHANGE_V1, 0},
670 {ID_V1, 0},
671 {NAT_OA_V1, 0},
672 };
673
674 /**
675 * Message rule for TRANSACTION.
676 */
677 static payload_rule_t transaction_payload_rules_v1[] = {
678 /* payload type min max encr suff */
679 {HASH_V1, 0, 1, TRUE, FALSE},
680 {CONFIGURATION_V1, 1, 1, FALSE, FALSE},
681 };
682
683 /**
684 * Payload order for TRANSACTION.
685 */
686 static payload_order_t transaction_payload_order_v1[] = {
687 /* payload type notify type */
688 {HASH_V1, 0},
689 {CONFIGURATION_V1, 0},
690 };
691
692 #endif /* USE_IKEV1 */
693
694 /**
695 * Message rules, defines allowed payloads.
696 */
697 static message_rule_t message_rules[] = {
698 {IKE_SA_INIT, TRUE, FALSE,
699 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
700 countof(ike_sa_init_i_order), ike_sa_init_i_order,
701 },
702 {IKE_SA_INIT, FALSE, FALSE,
703 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
704 countof(ike_sa_init_r_order), ike_sa_init_r_order,
705 },
706 {IKE_AUTH, TRUE, TRUE,
707 countof(ike_auth_i_rules), ike_auth_i_rules,
708 countof(ike_auth_i_order), ike_auth_i_order,
709 },
710 {IKE_AUTH, FALSE, TRUE,
711 countof(ike_auth_r_rules), ike_auth_r_rules,
712 countof(ike_auth_r_order), ike_auth_r_order,
713 },
714 {INFORMATIONAL, TRUE, TRUE,
715 countof(informational_i_rules), informational_i_rules,
716 countof(informational_i_order), informational_i_order,
717 },
718 {INFORMATIONAL, FALSE, TRUE,
719 countof(informational_r_rules), informational_r_rules,
720 countof(informational_r_order), informational_r_order,
721 },
722 {CREATE_CHILD_SA, TRUE, TRUE,
723 countof(create_child_sa_i_rules), create_child_sa_i_rules,
724 countof(create_child_sa_i_order), create_child_sa_i_order,
725 },
726 {CREATE_CHILD_SA, FALSE, TRUE,
727 countof(create_child_sa_r_rules), create_child_sa_r_rules,
728 countof(create_child_sa_r_order), create_child_sa_r_order,
729 },
730 #ifdef ME
731 {ME_CONNECT, TRUE, TRUE,
732 countof(me_connect_i_rules), me_connect_i_rules,
733 countof(me_connect_i_order), me_connect_i_order,
734 },
735 {ME_CONNECT, FALSE, TRUE,
736 countof(me_connect_r_rules), me_connect_r_rules,
737 countof(me_connect_r_order), me_connect_r_order,
738 },
739 #endif /* ME */
740 #ifdef USE_IKEV1
741 {ID_PROT, TRUE, FALSE,
742 countof(id_prot_i_rules), id_prot_i_rules,
743 countof(id_prot_i_order), id_prot_i_order,
744 },
745 {ID_PROT, FALSE, FALSE,
746 countof(id_prot_r_rules), id_prot_r_rules,
747 countof(id_prot_r_order), id_prot_r_order,
748 },
749 {AGGRESSIVE, TRUE, FALSE,
750 countof(aggressive_i_rules), aggressive_i_rules,
751 countof(aggressive_i_order), aggressive_i_order,
752 },
753 {AGGRESSIVE, FALSE, FALSE,
754 countof(aggressive_r_rules), aggressive_r_rules,
755 countof(aggressive_r_order), aggressive_r_order,
756 },
757 {INFORMATIONAL_V1, TRUE, TRUE,
758 countof(informational_i_rules_v1), informational_i_rules_v1,
759 countof(informational_i_order_v1), informational_i_order_v1,
760 },
761 {INFORMATIONAL_V1, FALSE, TRUE,
762 countof(informational_r_rules_v1), informational_r_rules_v1,
763 countof(informational_r_order_v1), informational_r_order_v1,
764 },
765 {QUICK_MODE, TRUE, TRUE,
766 countof(quick_mode_i_rules), quick_mode_i_rules,
767 countof(quick_mode_i_order), quick_mode_i_order,
768 },
769 {QUICK_MODE, FALSE, TRUE,
770 countof(quick_mode_r_rules), quick_mode_r_rules,
771 countof(quick_mode_r_order), quick_mode_r_order,
772 },
773 {TRANSACTION, TRUE, TRUE,
774 countof(transaction_payload_rules_v1), transaction_payload_rules_v1,
775 countof(transaction_payload_order_v1), transaction_payload_order_v1,
776 },
777 {TRANSACTION, FALSE, TRUE,
778 countof(transaction_payload_rules_v1), transaction_payload_rules_v1,
779 countof(transaction_payload_order_v1), transaction_payload_order_v1,
780 },
781 /* TODO-IKEv1: define rules for other exchanges */
782 #endif /* USE_IKEV1 */
783 };
784
785
786 typedef struct private_message_t private_message_t;
787
788 /**
789 * Private data of an message_t object.
790 */
791 struct private_message_t {
792
793 /**
794 * Public part of a message_t object.
795 */
796 message_t public;
797
798 /**
799 * Minor version of message.
800 */
801 u_int8_t major_version;
802
803 /**
804 * Major version of message.
805 */
806 u_int8_t minor_version;
807
808 /**
809 * First Payload in message.
810 */
811 payload_type_t first_payload;
812
813 /**
814 * Assigned exchange type.
815 */
816 exchange_type_t exchange_type;
817
818 /**
819 * TRUE if message is a request, FALSE if a reply.
820 */
821 bool is_request;
822
823 /**
824 * The message is encrypted (IKEv1)
825 */
826 bool is_encrypted;
827
828 /**
829 * Higher version supported?
830 */
831 bool version_flag;
832
833 /**
834 * Reserved bits in IKE header
835 */
836 bool reserved[2];
837
838 /**
839 * Sorting of message disabled?
840 */
841 bool sort_disabled;
842
843 /**
844 * Message ID of this message.
845 */
846 u_int32_t message_id;
847
848 /**
849 * ID of assigned IKE_SA.
850 */
851 ike_sa_id_t *ike_sa_id;
852
853 /**
854 * Assigned UDP packet, stores incoming packet or last generated one.
855 */
856 packet_t *packet;
857
858 /**
859 * Linked List where payload data are stored in.
860 */
861 linked_list_t *payloads;
862
863 /**
864 * Assigned parser to parse Header and Body of this message.
865 */
866 parser_t *parser;
867
868 /**
869 * The message rule for this message instance
870 */
871 message_rule_t *rule;
872 };
873
874 /**
875 * Get the message rule that applies to this message
876 */
877 static message_rule_t* get_message_rule(private_message_t *this)
878 {
879 int i;
880
881 for (i = 0; i < countof(message_rules); i++)
882 {
883 if ((this->exchange_type == message_rules[i].exchange_type) &&
884 (this->is_request == message_rules[i].is_request))
885 {
886 return &message_rules[i];
887 }
888 }
889 return NULL;
890 }
891
892 /**
893 * Look up a payload rule
894 */
895 static payload_rule_t* get_payload_rule(private_message_t *this,
896 payload_type_t type)
897 {
898 int i;
899
900 for (i = 0; i < this->rule->rule_count;i++)
901 {
902 if (this->rule->rules[i].type == type)
903 {
904 return &this->rule->rules[i];
905 }
906 }
907 return NULL;
908 }
909
910 METHOD(message_t, set_ike_sa_id, void,
911 private_message_t *this,ike_sa_id_t *ike_sa_id)
912 {
913 DESTROY_IF(this->ike_sa_id);
914 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
915 }
916
917 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
918 private_message_t *this)
919 {
920 return this->ike_sa_id;
921 }
922
923 METHOD(message_t, set_message_id, void,
924 private_message_t *this,u_int32_t message_id)
925 {
926 this->message_id = message_id;
927 }
928
929 METHOD(message_t, get_message_id, u_int32_t,
930 private_message_t *this)
931 {
932 return this->message_id;
933 }
934
935 METHOD(message_t, get_initiator_spi, u_int64_t,
936 private_message_t *this)
937 {
938 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
939 }
940
941 METHOD(message_t, get_responder_spi, u_int64_t,
942 private_message_t *this)
943 {
944 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
945 }
946
947 METHOD(message_t, set_major_version, void,
948 private_message_t *this, u_int8_t major_version)
949 {
950 this->major_version = major_version;
951 }
952
953 METHOD(message_t, get_major_version, u_int8_t,
954 private_message_t *this)
955 {
956 return this->major_version;
957 }
958
959 METHOD(message_t, set_minor_version, void,
960 private_message_t *this,u_int8_t minor_version)
961 {
962 this->minor_version = minor_version;
963 }
964
965 METHOD(message_t, get_minor_version, u_int8_t,
966 private_message_t *this)
967 {
968 return this->minor_version;
969 }
970
971 METHOD(message_t, set_exchange_type, void,
972 private_message_t *this, exchange_type_t exchange_type)
973 {
974 this->exchange_type = exchange_type;
975 }
976
977 METHOD(message_t, get_exchange_type, exchange_type_t,
978 private_message_t *this)
979 {
980 return this->exchange_type;
981 }
982
983 METHOD(message_t, get_first_payload_type, payload_type_t,
984 private_message_t *this)
985 {
986 return this->first_payload;
987 }
988
989 METHOD(message_t, set_request, void,
990 private_message_t *this, bool request)
991 {
992 this->is_request = request;
993 }
994
995 METHOD(message_t, get_request, bool,
996 private_message_t *this)
997 {
998 return this->is_request;
999 }
1000
1001 METHOD(message_t, set_version_flag, void,
1002 private_message_t *this)
1003 {
1004 this->version_flag = TRUE;
1005 }
1006
1007 METHOD(message_t, get_reserved_header_bit, bool,
1008 private_message_t *this, u_int nr)
1009 {
1010 if (nr < countof(this->reserved))
1011 {
1012 return this->reserved[nr];
1013 }
1014 return FALSE;
1015 }
1016
1017 METHOD(message_t, set_reserved_header_bit, void,
1018 private_message_t *this, u_int nr)
1019 {
1020 if (nr < countof(this->reserved))
1021 {
1022 this->reserved[nr] = TRUE;
1023 }
1024 }
1025
1026 METHOD(message_t, is_encoded, bool,
1027 private_message_t *this)
1028 {
1029 return this->packet->get_data(this->packet).ptr != NULL;
1030 }
1031
1032 METHOD(message_t, add_payload, void,
1033 private_message_t *this, payload_t *payload)
1034 {
1035 payload_t *last_payload;
1036
1037 if (this->payloads->get_count(this->payloads) > 0)
1038 {
1039 this->payloads->get_last(this->payloads, (void **)&last_payload);
1040 last_payload->set_next_type(last_payload, payload->get_type(payload));
1041 }
1042 else
1043 {
1044 this->first_payload = payload->get_type(payload);
1045 }
1046 payload->set_next_type(payload, NO_PAYLOAD);
1047 this->payloads->insert_last(this->payloads, payload);
1048
1049 DBG2(DBG_ENC ,"added payload of type %N to message",
1050 payload_type_names, payload->get_type(payload));
1051 }
1052
1053 METHOD(message_t, add_notify, void,
1054 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
1055 {
1056 notify_payload_t *notify;
1057 payload_t *payload;
1058
1059 if (flush)
1060 {
1061 while (this->payloads->remove_last(this->payloads,
1062 (void**)&payload) == SUCCESS)
1063 {
1064 payload->destroy(payload);
1065 }
1066 }
1067 if (this->major_version == IKEV2_MAJOR_VERSION)
1068 {
1069 notify = notify_payload_create(NOTIFY);
1070 }
1071 else
1072 {
1073 notify = notify_payload_create(NOTIFY_V1);
1074 }
1075 notify->set_notify_type(notify, type);
1076 notify->set_notification_data(notify, data);
1077 add_payload(this, (payload_t*)notify);
1078 }
1079
1080 METHOD(message_t, set_source, void,
1081 private_message_t *this, host_t *host)
1082 {
1083 this->packet->set_source(this->packet, host);
1084 }
1085
1086 METHOD(message_t, set_destination, void,
1087 private_message_t *this, host_t *host)
1088 {
1089 this->packet->set_destination(this->packet, host);
1090 }
1091
1092 METHOD(message_t, get_source, host_t*,
1093 private_message_t *this)
1094 {
1095 return this->packet->get_source(this->packet);
1096 }
1097
1098 METHOD(message_t, get_destination, host_t*,
1099 private_message_t *this)
1100 {
1101 return this->packet->get_destination(this->packet);
1102 }
1103
1104 METHOD(message_t, create_payload_enumerator, enumerator_t*,
1105 private_message_t *this)
1106 {
1107 return this->payloads->create_enumerator(this->payloads);
1108 }
1109
1110 METHOD(message_t, remove_payload_at, void,
1111 private_message_t *this, enumerator_t *enumerator)
1112 {
1113 this->payloads->remove_at(this->payloads, enumerator);
1114 }
1115
1116 METHOD(message_t, get_payload, payload_t*,
1117 private_message_t *this, payload_type_t type)
1118 {
1119 payload_t *current, *found = NULL;
1120 enumerator_t *enumerator;
1121
1122 enumerator = create_payload_enumerator(this);
1123 while (enumerator->enumerate(enumerator, &current))
1124 {
1125 if (current->get_type(current) == type)
1126 {
1127 found = current;
1128 break;
1129 }
1130 }
1131 enumerator->destroy(enumerator);
1132 return found;
1133 }
1134
1135 METHOD(message_t, get_notify, notify_payload_t*,
1136 private_message_t *this, notify_type_t type)
1137 {
1138 enumerator_t *enumerator;
1139 notify_payload_t *notify = NULL;
1140 payload_t *payload;
1141
1142 enumerator = create_payload_enumerator(this);
1143 while (enumerator->enumerate(enumerator, &payload))
1144 {
1145 if (payload->get_type(payload) == NOTIFY ||
1146 payload->get_type(payload) == NOTIFY_V1)
1147 {
1148 notify = (notify_payload_t*)payload;
1149 if (notify->get_notify_type(notify) == type)
1150 {
1151 break;
1152 }
1153 notify = NULL;
1154 }
1155 }
1156 enumerator->destroy(enumerator);
1157 return notify;
1158 }
1159
1160 /**
1161 * get a string representation of the message
1162 */
1163 static char* get_string(private_message_t *this, char *buf, int len)
1164 {
1165 enumerator_t *enumerator;
1166 payload_t *payload;
1167 int written;
1168 char *pos = buf;
1169
1170 memset(buf, 0, len);
1171 len--;
1172
1173 written = snprintf(pos, len, "%N %s %u [",
1174 exchange_type_names, this->exchange_type,
1175 this->is_request ? "request" : "response",
1176 this->message_id);
1177 if (written >= len || written < 0)
1178 {
1179 return "";
1180 }
1181 pos += written;
1182 len -= written;
1183
1184 enumerator = create_payload_enumerator(this);
1185 while (enumerator->enumerate(enumerator, &payload))
1186 {
1187 written = snprintf(pos, len, " %N", payload_type_short_names,
1188 payload->get_type(payload));
1189 if (written >= len || written < 0)
1190 {
1191 return buf;
1192 }
1193 pos += written;
1194 len -= written;
1195 if (payload->get_type(payload) == NOTIFY ||
1196 payload->get_type(payload) == NOTIFY_V1)
1197 {
1198 notify_payload_t *notify;
1199 notify_type_t type;
1200 chunk_t data;
1201
1202 notify = (notify_payload_t*)payload;
1203 type = notify->get_notify_type(notify);
1204 data = notify->get_notification_data(notify);
1205 if (type == MS_NOTIFY_STATUS && data.len == 4)
1206 {
1207 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1208 type, untoh32(data.ptr));
1209 }
1210 else
1211 {
1212 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1213 type);
1214 }
1215 if (written >= len || written < 0)
1216 {
1217 return buf;
1218 }
1219 pos += written;
1220 len -= written;
1221 }
1222 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1223 {
1224 eap_payload_t *eap = (eap_payload_t*)payload;
1225 u_int32_t vendor;
1226 eap_type_t type;
1227 char method[64] = "";
1228
1229 type = eap->get_type(eap, &vendor);
1230 if (type)
1231 {
1232 if (vendor)
1233 {
1234 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1235 }
1236 else
1237 {
1238 snprintf(method, sizeof(method), "/%N",
1239 eap_type_short_names, type);
1240 }
1241 }
1242 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1243 eap->get_code(eap), method);
1244 if (written >= len || written < 0)
1245 {
1246 return buf;
1247 }
1248 pos += written;
1249 len -= written;
1250 }
1251 if (payload->get_type(payload) == CONFIGURATION)
1252 {
1253 cp_payload_t *cp = (cp_payload_t*)payload;
1254 enumerator_t *attributes;
1255 configuration_attribute_t *attribute;
1256 bool first = TRUE;
1257
1258 attributes = cp->create_attribute_enumerator(cp);
1259 while (attributes->enumerate(attributes, &attribute))
1260 {
1261 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1262 configuration_attribute_type_short_names,
1263 attribute->get_type(attribute));
1264 if (written >= len || written < 0)
1265 {
1266 return buf;
1267 }
1268 pos += written;
1269 len -= written;
1270 first = FALSE;
1271 }
1272 attributes->destroy(attributes);
1273 if (!first)
1274 {
1275 written = snprintf(pos, len, ")");
1276 if (written >= len || written < 0)
1277 {
1278 return buf;
1279 }
1280 pos += written;
1281 len -= written;
1282 }
1283 }
1284 }
1285 enumerator->destroy(enumerator);
1286
1287 /* remove last space */
1288 snprintf(pos, len, " ]");
1289 return buf;
1290 }
1291
1292 /**
1293 * reorder payloads depending on reordering rules
1294 */
1295 static void order_payloads(private_message_t *this)
1296 {
1297 linked_list_t *list;
1298 payload_t *payload;
1299 int i;
1300
1301 /* move to temp list */
1302 list = linked_list_create();
1303 while (this->payloads->remove_last(this->payloads,
1304 (void**)&payload) == SUCCESS)
1305 {
1306 list->insert_first(list, payload);
1307 }
1308 /* for each rule, ... */
1309 for (i = 0; i < this->rule->order_count; i++)
1310 {
1311 enumerator_t *enumerator;
1312 notify_payload_t *notify;
1313 payload_order_t order;
1314
1315 order = this->rule->order[i];
1316
1317 /* ... find all payload ... */
1318 enumerator = list->create_enumerator(list);
1319 while (enumerator->enumerate(enumerator, &payload))
1320 {
1321 /* ... with that type ... */
1322 if (payload->get_type(payload) == order.type)
1323 {
1324 notify = (notify_payload_t*)payload;
1325
1326 /**... and check notify for type. */
1327 if (order.type != NOTIFY || order.notify == 0 ||
1328 order.notify == notify->get_notify_type(notify))
1329 {
1330 list->remove_at(list, enumerator);
1331 add_payload(this, payload);
1332 }
1333 }
1334 }
1335 enumerator->destroy(enumerator);
1336 }
1337 /* append all payloads without a rule to the end */
1338 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1339 {
1340 /* do not complain about payloads in private use space */
1341 if (payload->get_type(payload) < 128)
1342 {
1343 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1344 payload_type_names, payload->get_type(payload),
1345 exchange_type_names, this->rule->exchange_type,
1346 this->rule->is_request ? "request" : "response");
1347 }
1348 add_payload(this, payload);
1349 }
1350 list->destroy(list);
1351 }
1352
1353 /**
1354 * Wrap payloads in an encryption payload
1355 */
1356 static encryption_payload_t* wrap_payloads(private_message_t *this)
1357 {
1358 encryption_payload_t *encryption;
1359 linked_list_t *payloads;
1360 payload_t *current;
1361
1362 /* copy all payloads in a temporary list */
1363 payloads = linked_list_create();
1364 while (this->payloads->remove_first(this->payloads,
1365 (void**)&current) == SUCCESS)
1366 {
1367 payloads->insert_last(payloads, current);
1368 }
1369
1370 if (this->is_encrypted)
1371 {
1372 encryption = encryption_payload_create(ENCRYPTED_V1);
1373 }
1374 else
1375 {
1376 encryption = encryption_payload_create(ENCRYPTED);
1377 }
1378 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1379 {
1380 payload_rule_t *rule;
1381 payload_type_t type;
1382 bool encrypt = TRUE;
1383
1384 type = current->get_type(current);
1385 rule = get_payload_rule(this, type);
1386 if (rule)
1387 {
1388 encrypt = rule->encrypted;
1389 }
1390 if (encrypt || this->is_encrypted)
1391 { /* encryption is forced for IKEv1 */
1392 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1393 payload_type_names, type);
1394 encryption->add_payload(encryption, current);
1395 }
1396 else
1397 {
1398 DBG2(DBG_ENC, "insert payload %N unencrypted",
1399 payload_type_names, type);
1400 add_payload(this, current);
1401 }
1402 }
1403 payloads->destroy(payloads);
1404
1405 return encryption;
1406 }
1407
1408 METHOD(message_t, disable_sort, void,
1409 private_message_t *this)
1410 {
1411 this->sort_disabled = TRUE;
1412 }
1413
1414 METHOD(message_t, generate, status_t,
1415 private_message_t *this, keymat_t *keymat, packet_t **packet)
1416 {
1417 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1418 generator_t *generator;
1419 ike_header_t *ike_header;
1420 payload_t *payload, *next;
1421 encryption_payload_t *encryption = NULL;
1422 payload_type_t next_type;
1423 enumerator_t *enumerator;
1424 aead_t *aead = NULL;
1425 chunk_t chunk, hash = chunk_empty;
1426 char str[BUF_LEN];
1427 u_int32_t *lenpos;
1428 bool encrypted = FALSE, *reserved;
1429 int i;
1430
1431 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1432 {
1433 DBG1(DBG_ENC, "exchange type is not defined");
1434 return INVALID_STATE;
1435 }
1436
1437 if (this->packet->get_source(this->packet) == NULL ||
1438 this->packet->get_destination(this->packet) == NULL)
1439 {
1440 DBG1(DBG_ENC, "source/destination not defined");
1441 return INVALID_STATE;
1442 }
1443
1444 this->rule = get_message_rule(this);
1445 if (!this->rule)
1446 {
1447 DBG1(DBG_ENC, "no message rules specified for this message type");
1448 return NOT_SUPPORTED;
1449 }
1450
1451 if (!this->sort_disabled)
1452 {
1453 order_payloads(this);
1454 }
1455 if (keymat && keymat->get_version(keymat) == IKEV1)
1456 {
1457 /* get a hash for this message, if any is required */
1458 hash = keymat_v1->get_hash_phase2(keymat_v1, &this->public);
1459 if (hash.ptr)
1460 { /* insert a HASH payload as first payload */
1461 hash_payload_t *hash_payload;
1462
1463 hash_payload = hash_payload_create(HASH_V1);
1464 hash_payload->set_hash(hash_payload, hash);
1465 this->payloads->insert_first(this->payloads, hash_payload);
1466 if (this->exchange_type == INFORMATIONAL_V1)
1467 {
1468 this->is_encrypted = encrypted = TRUE;
1469 }
1470 chunk_free(&hash);
1471 }
1472 }
1473 if (this->major_version == IKEV2_MAJOR_VERSION)
1474 {
1475 encrypted = this->rule->encrypted;
1476 }
1477 else if (!encrypted)
1478 {
1479 /* If at least one payload requires encryption, encrypt the message.
1480 * If no key material is available, the flag will be reset below. */
1481 enumerator = this->payloads->create_enumerator(this->payloads);
1482 while (enumerator->enumerate(enumerator, (void**)&payload))
1483 {
1484 payload_rule_t *rule;
1485
1486 rule = get_payload_rule(this, payload->get_type(payload));
1487 if (rule && rule->encrypted)
1488 {
1489 this->is_encrypted = encrypted = TRUE;
1490 break;
1491 }
1492 }
1493 enumerator->destroy(enumerator);
1494 }
1495
1496 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1497
1498 if (keymat)
1499 {
1500 aead = keymat->get_aead(keymat, FALSE);
1501 }
1502 if (aead && encrypted)
1503 {
1504 encryption = wrap_payloads(this);
1505 }
1506 else
1507 {
1508 DBG2(DBG_ENC, "not encrypting payloads");
1509 this->is_encrypted = FALSE;
1510 }
1511
1512 ike_header = ike_header_create_version(this->major_version,
1513 this->minor_version);
1514 ike_header->set_exchange_type(ike_header, this->exchange_type);
1515 ike_header->set_message_id(ike_header, this->message_id);
1516 if (this->major_version == IKEV2_MAJOR_VERSION)
1517 {
1518 ike_header->set_response_flag(ike_header, !this->is_request);
1519 ike_header->set_version_flag(ike_header, this->version_flag);
1520 ike_header->set_initiator_flag(ike_header,
1521 this->ike_sa_id->is_initiator(this->ike_sa_id));
1522 }
1523 else
1524 {
1525 ike_header->set_encryption_flag(ike_header, this->is_encrypted);
1526 }
1527 ike_header->set_initiator_spi(ike_header,
1528 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1529 ike_header->set_responder_spi(ike_header,
1530 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1531
1532 for (i = 0; i < countof(this->reserved); i++)
1533 {
1534 reserved = payload_get_field(&ike_header->payload_interface,
1535 RESERVED_BIT, i);
1536 if (reserved)
1537 {
1538 *reserved = this->reserved[i];
1539 }
1540 }
1541
1542 generator = generator_create();
1543
1544 /* generate all payloads with proper next type */
1545 payload = (payload_t*)ike_header;
1546 enumerator = create_payload_enumerator(this);
1547 while (enumerator->enumerate(enumerator, &next))
1548 {
1549 payload->set_next_type(payload, next->get_type(next));
1550 generator->generate_payload(generator, payload);
1551 payload = next;
1552 }
1553 enumerator->destroy(enumerator);
1554 if (this->is_encrypted)
1555 { /* for encrypted IKEv1 messages */
1556 next_type = encryption->payload_interface.get_next_type(
1557 (payload_t*)encryption);
1558 }
1559 else
1560 {
1561 next_type = encryption ? ENCRYPTED : NO_PAYLOAD;
1562 }
1563 payload->set_next_type(payload, next_type);
1564 generator->generate_payload(generator, payload);
1565 ike_header->destroy(ike_header);
1566
1567 if (encryption)
1568 { /* set_transform() has to be called before get_length() */
1569 encryption->set_transform(encryption, aead);
1570 if (this->is_encrypted)
1571 { /* for IKEv1 instead of associated data we provide the IV */
1572 chunk = keymat_v1->get_iv(keymat_v1, this->message_id);
1573 }
1574 else
1575 { /* build associated data (without header of encryption payload) */
1576 chunk = generator->get_chunk(generator, &lenpos);
1577 /* fill in length, including encryption payload */
1578 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1579 }
1580 this->payloads->insert_last(this->payloads, encryption);
1581 if (!encryption->encrypt(encryption, chunk))
1582 {
1583 generator->destroy(generator);
1584 return INVALID_STATE;
1585 }
1586 generator->generate_payload(generator, &encryption->payload_interface);
1587 }
1588 chunk = generator->get_chunk(generator, &lenpos);
1589 htoun32(lenpos, chunk.len);
1590 this->packet->set_data(this->packet, chunk_clone(chunk));
1591 if (this->is_encrypted)
1592 {
1593 /* update the IV for the next IKEv1 message */
1594 chunk_t last_block;
1595 size_t bs;
1596
1597 bs = aead->get_block_size(aead);
1598 last_block = chunk_create(chunk.ptr + chunk.len - bs, bs);
1599 keymat_v1->update_iv(keymat_v1, this->message_id, last_block);
1600 keymat_v1->confirm_iv(keymat_v1, this->message_id);
1601 }
1602 generator->destroy(generator);
1603 *packet = this->packet->clone(this->packet);
1604 return SUCCESS;
1605 }
1606
1607 METHOD(message_t, get_packet, packet_t*,
1608 private_message_t *this)
1609 {
1610 if (this->packet == NULL)
1611 {
1612 return NULL;
1613 }
1614 return this->packet->clone(this->packet);
1615 }
1616
1617 METHOD(message_t, get_packet_data, chunk_t,
1618 private_message_t *this)
1619 {
1620 if (this->packet == NULL)
1621 {
1622 return chunk_empty;
1623 }
1624 return this->packet->get_data(this->packet);
1625 }
1626
1627 METHOD(message_t, parse_header, status_t,
1628 private_message_t *this)
1629 {
1630 ike_header_t *ike_header;
1631 status_t status;
1632 bool *reserved;
1633 int i;
1634
1635 DBG2(DBG_ENC, "parsing header of message");
1636
1637 this->parser->reset_context(this->parser);
1638 status = this->parser->parse_payload(this->parser, HEADER,
1639 (payload_t**)&ike_header);
1640 if (status != SUCCESS)
1641 {
1642 DBG1(DBG_ENC, "header could not be parsed");
1643 return status;
1644
1645 }
1646
1647 status = ike_header->payload_interface.verify(
1648 &ike_header->payload_interface);
1649 if (status != SUCCESS)
1650 {
1651 DBG1(DBG_ENC, "header verification failed");
1652 ike_header->destroy(ike_header);
1653 return status;
1654 }
1655
1656 DESTROY_IF(this->ike_sa_id);
1657 this->ike_sa_id = ike_sa_id_create(
1658 ike_header->get_maj_version(ike_header),
1659 ike_header->get_initiator_spi(ike_header),
1660 ike_header->get_responder_spi(ike_header),
1661 ike_header->get_initiator_flag(ike_header));
1662
1663 this->exchange_type = ike_header->get_exchange_type(ike_header);
1664 this->message_id = ike_header->get_message_id(ike_header);
1665 this->major_version = ike_header->get_maj_version(ike_header);
1666 this->minor_version = ike_header->get_min_version(ike_header);
1667 if (this->major_version == IKEV2_MAJOR_VERSION)
1668 {
1669 this->is_request = !ike_header->get_response_flag(ike_header);
1670 }
1671 else
1672 {
1673 this->is_encrypted = ike_header->get_encryption_flag(ike_header);
1674 }
1675 this->first_payload = ike_header->payload_interface.get_next_type(
1676 &ike_header->payload_interface);
1677 for (i = 0; i < countof(this->reserved); i++)
1678 {
1679 reserved = payload_get_field(&ike_header->payload_interface,
1680 RESERVED_BIT, i);
1681 if (reserved)
1682 {
1683 this->reserved[i] = *reserved;
1684 }
1685 }
1686 ike_header->destroy(ike_header);
1687
1688 DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
1689 this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
1690 "message" : (this->is_request ? "request" : "response"));
1691 return SUCCESS;
1692 }
1693
1694 /**
1695 * Check if a payload is for a mediation extension connectivity check
1696 */
1697 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1698 {
1699 #ifdef ME
1700 if (this->exchange_type == INFORMATIONAL &&
1701 payload->get_type(payload) == NOTIFY)
1702 {
1703 notify_payload_t *notify = (notify_payload_t*)payload;
1704
1705 switch (notify->get_notify_type(notify))
1706 {
1707 case ME_CONNECTID:
1708 case ME_ENDPOINT:
1709 case ME_CONNECTAUTH:
1710 return TRUE;
1711 default:
1712 break;
1713 }
1714 }
1715 #endif /* !ME */
1716 return FALSE;
1717 }
1718
1719 /**
1720 * Parses and verifies the unencrypted payloads contained in the message
1721 */
1722 static status_t parse_payloads(private_message_t *this)
1723 {
1724 payload_type_t type = this->first_payload;
1725 payload_t *payload;
1726 status_t status;
1727
1728 if (this->is_encrypted)
1729 { /* wrap the whole encrypted IKEv1 message in a special encryption
1730 * payload which is then handled just like a regular payload */
1731 encryption_payload_t *encryption;
1732
1733 status = this->parser->parse_payload(this->parser, ENCRYPTED_V1,
1734 (payload_t**)&encryption);
1735 if (status != SUCCESS)
1736 {
1737 DBG1(DBG_ENC, "failed to wrap encrypted IKEv1 message");
1738 return PARSE_ERROR;
1739 }
1740 encryption->payload_interface.set_next_type((payload_t*)encryption,
1741 this->first_payload);
1742 this->payloads->insert_last(this->payloads, encryption);
1743 return SUCCESS;
1744 }
1745
1746 while (type != NO_PAYLOAD)
1747 {
1748 DBG2(DBG_ENC, "starting parsing a %N payload",
1749 payload_type_names, type);
1750
1751 status = this->parser->parse_payload(this->parser, type, &payload);
1752 if (status != SUCCESS)
1753 {
1754 DBG1(DBG_ENC, "payload type %N could not be parsed",
1755 payload_type_names, type);
1756 return PARSE_ERROR;
1757 }
1758
1759 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1760 status = payload->verify(payload);
1761 if (status != SUCCESS)
1762 {
1763 DBG1(DBG_ENC, "%N payload verification failed",
1764 payload_type_names, type);
1765 payload->destroy(payload);
1766 return VERIFY_ERROR;
1767 }
1768
1769 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1770 payload_type_names, type);
1771 this->payloads->insert_last(this->payloads, payload);
1772
1773 /* an encryption payload is the last one, so STOP here. decryption is
1774 * done later */
1775 if (type == ENCRYPTED)
1776 {
1777 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1778 payload_type_names, type);
1779 break;
1780 }
1781 type = payload->get_next_type(payload);
1782 }
1783 return SUCCESS;
1784 }
1785
1786 /**
1787 * Decrypt payload from the encryption payload
1788 */
1789 static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
1790 {
1791 bool was_encrypted = FALSE;
1792 payload_t *payload, *previous = NULL;
1793 enumerator_t *enumerator;
1794 payload_rule_t *rule;
1795 payload_type_t type;
1796 aead_t *aead;
1797 status_t status = SUCCESS;
1798
1799 enumerator = this->payloads->create_enumerator(this->payloads);
1800 while (enumerator->enumerate(enumerator, &payload))
1801 {
1802 type = payload->get_type(payload);
1803
1804 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1805
1806 if (type == ENCRYPTED || type == ENCRYPTED_V1)
1807 {
1808 encryption_payload_t *encryption;
1809 payload_t *encrypted;
1810 chunk_t chunk;
1811 size_t bs;
1812
1813 encryption = (encryption_payload_t*)payload;
1814
1815 DBG2(DBG_ENC, "found an encryption payload");
1816
1817 if (this->payloads->has_more(this->payloads, enumerator))
1818 {
1819 DBG1(DBG_ENC, "encrypted payload is not last payload");
1820 status = VERIFY_ERROR;
1821 break;
1822 }
1823 if (!keymat)
1824 {
1825 DBG1(DBG_ENC, "found encryption payload, but no keymat");
1826 status = INVALID_ARG;
1827 break;
1828 }
1829 aead = keymat->get_aead(keymat, TRUE);
1830 if (!aead)
1831 {
1832 DBG1(DBG_ENC, "found encryption payload, but no transform set");
1833 status = INVALID_ARG;
1834 break;
1835 }
1836 bs = aead->get_block_size(aead);
1837 encryption->set_transform(encryption, aead);
1838 chunk = this->packet->get_data(this->packet);
1839 if (chunk.len < encryption->get_length(encryption) ||
1840 chunk.len < bs)
1841 {
1842 DBG1(DBG_ENC, "invalid payload length");
1843 status = VERIFY_ERROR;
1844 break;
1845 }
1846 if (keymat->get_version(keymat) == IKEV1)
1847 { /* instead of associated data we provide the IV, we also update
1848 * the IV with the last encrypted block */
1849 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
1850 chunk_t last_block;
1851
1852 last_block = chunk_create(chunk.ptr + chunk.len - bs, bs);
1853 chunk = keymat_v1->get_iv(keymat_v1, this->message_id);
1854 keymat_v1->update_iv(keymat_v1, this->message_id, last_block);
1855 }
1856 else
1857 {
1858 chunk.len -= encryption->get_length(encryption);
1859 }
1860 status = encryption->decrypt(encryption, chunk);
1861 if (status != SUCCESS)
1862 {
1863 break;
1864 }
1865
1866 was_encrypted = TRUE;
1867 this->payloads->remove_at(this->payloads, enumerator);
1868
1869 while ((encrypted = encryption->remove_payload(encryption)))
1870 {
1871 type = encrypted->get_type(encrypted);
1872 if (previous)
1873 {
1874 previous->set_next_type(previous, type);
1875 }
1876 else
1877 {
1878 this->first_payload = type;
1879 }
1880 DBG2(DBG_ENC, "insert decrypted payload of type "
1881 "%N at end of list", payload_type_names, type);
1882 this->payloads->insert_last(this->payloads, encrypted);
1883 previous = encrypted;
1884 }
1885 encryption->destroy(encryption);
1886 }
1887 if (payload_is_known(type) && !was_encrypted &&
1888 !is_connectivity_check(this, payload) &&
1889 this->exchange_type != AGGRESSIVE)
1890 {
1891 rule = get_payload_rule(this, type);
1892 if (!rule || rule->encrypted)
1893 {
1894 DBG1(DBG_ENC, "payload type %N was not encrypted",
1895 payload_type_names, type);
1896 status = FAILED;
1897 break;
1898 }
1899 }
1900 previous = payload;
1901 }
1902 enumerator->destroy(enumerator);
1903 return status;
1904 }
1905
1906 /**
1907 * Verify a message and all payload according to message/payload rules
1908 */
1909 static status_t verify(private_message_t *this)
1910 {
1911 bool complete = FALSE;
1912 int i;
1913
1914 DBG2(DBG_ENC, "verifying message structure");
1915
1916 /* check for payloads with wrong count */
1917 for (i = 0; i < this->rule->rule_count; i++)
1918 {
1919 enumerator_t *enumerator;
1920 payload_t *payload;
1921 payload_rule_t *rule;
1922 int found = 0;
1923
1924 rule = &this->rule->rules[i];
1925 enumerator = create_payload_enumerator(this);
1926 while (enumerator->enumerate(enumerator, &payload))
1927 {
1928 payload_type_t type;
1929
1930 type = payload->get_type(payload);
1931 if (type == rule->type)
1932 {
1933 found++;
1934 DBG2(DBG_ENC, "found payload of type %N",
1935 payload_type_names, type);
1936 if (found > rule->max_occurence)
1937 {
1938 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1939 "occurred in current message", payload_type_names,
1940 type, rule->max_occurence, found);
1941 enumerator->destroy(enumerator);
1942 return VERIFY_ERROR;
1943 }
1944 }
1945 }
1946 enumerator->destroy(enumerator);
1947
1948 if (!complete && found < rule->min_occurence)
1949 {
1950 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1951 payload_type_names, rule->type, rule->min_occurence, found);
1952 return VERIFY_ERROR;
1953 }
1954 if (found && rule->sufficient)
1955 {
1956 complete = TRUE;
1957 }
1958 }
1959 return SUCCESS;
1960 }
1961
1962 METHOD(message_t, parse_body, status_t,
1963 private_message_t *this, keymat_t *keymat)
1964 {
1965 status_t status = SUCCESS;
1966 char str[BUF_LEN];
1967
1968 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1969 payload_type_names, this->first_payload);
1970
1971 this->rule = get_message_rule(this);
1972 if (!this->rule)
1973 {
1974 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1975 exchange_type_names, this->exchange_type,
1976 this->is_request ? "request" : "response");
1977 return NOT_SUPPORTED;
1978 }
1979
1980 status = parse_payloads(this);
1981 if (status != SUCCESS)
1982 { /* error is already logged */
1983 return status;
1984 }
1985
1986 status = decrypt_payloads(this, keymat);
1987 if (status != SUCCESS)
1988 {
1989 DBG1(DBG_ENC, "could not decrypt payloads");
1990 return status;
1991 }
1992
1993 status = verify(this);
1994 if (status != SUCCESS)
1995 {
1996 return status;
1997 }
1998
1999 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
2000
2001 if (keymat && keymat->get_version(keymat) == IKEV1)
2002 {
2003 keymat_v1_t *keymat_v1 = (keymat_v1_t*)keymat;
2004 chunk_t hash;
2005
2006 hash = keymat_v1->get_hash_phase2(keymat_v1, &this->public);
2007 if (hash.ptr)
2008 {
2009 hash_payload_t *hash_payload;
2010 chunk_t other_hash;
2011
2012 if (this->first_payload != HASH_V1)
2013 {
2014 if (this->exchange_type == INFORMATIONAL_V1)
2015 {
2016 DBG1(DBG_ENC, "ignoring unprotected INFORMATIONAL from %H",
2017 this->packet->get_source(this->packet));
2018 }
2019 else
2020 {
2021 DBG1(DBG_ENC, "expected HASH payload as first payload");
2022 }
2023 chunk_free(&hash);
2024 return VERIFY_ERROR;
2025 }
2026 hash_payload = (hash_payload_t*)get_payload(this, HASH_V1);
2027 other_hash = hash_payload->get_hash(hash_payload);
2028 if (!chunk_equals(hash, other_hash))
2029 {
2030 DBG1(DBG_ENC, "our hash does not match received %B",
2031 &other_hash);
2032 chunk_free(&hash);
2033 return FAILED;
2034 }
2035 DBG2(DBG_ENC, "verified IKEv1 message with hash %B", &hash);
2036 chunk_free(&hash);
2037 }
2038 if (this->is_encrypted)
2039 { /* message verified, confirm IV */
2040 keymat_v1->confirm_iv(keymat_v1, this->message_id);
2041 }
2042 }
2043 return SUCCESS;
2044 }
2045
2046 METHOD(message_t, destroy, void,
2047 private_message_t *this)
2048 {
2049 DESTROY_IF(this->ike_sa_id);
2050 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
2051 this->packet->destroy(this->packet);
2052 this->parser->destroy(this->parser);
2053 free(this);
2054 }
2055
2056 /*
2057 * Described in header.
2058 */
2059 message_t *message_create_from_packet(packet_t *packet)
2060 {
2061 private_message_t *this;
2062
2063 INIT(this,
2064 .public = {
2065 .set_major_version = _set_major_version,
2066 .get_major_version = _get_major_version,
2067 .set_minor_version = _set_minor_version,
2068 .get_minor_version = _get_minor_version,
2069 .set_message_id = _set_message_id,
2070 .get_message_id = _get_message_id,
2071 .get_initiator_spi = _get_initiator_spi,
2072 .get_responder_spi = _get_responder_spi,
2073 .set_ike_sa_id = _set_ike_sa_id,
2074 .get_ike_sa_id = _get_ike_sa_id,
2075 .set_exchange_type = _set_exchange_type,
2076 .get_exchange_type = _get_exchange_type,
2077 .get_first_payload_type = _get_first_payload_type,
2078 .set_request = _set_request,
2079 .get_request = _get_request,
2080 .set_version_flag = _set_version_flag,
2081 .get_reserved_header_bit = _get_reserved_header_bit,
2082 .set_reserved_header_bit = _set_reserved_header_bit,
2083 .add_payload = _add_payload,
2084 .add_notify = _add_notify,
2085 .disable_sort = _disable_sort,
2086 .generate = _generate,
2087 .is_encoded = _is_encoded,
2088 .set_source = _set_source,
2089 .get_source = _get_source,
2090 .set_destination = _set_destination,
2091 .get_destination = _get_destination,
2092 .create_payload_enumerator = _create_payload_enumerator,
2093 .remove_payload_at = _remove_payload_at,
2094 .get_payload = _get_payload,
2095 .get_notify = _get_notify,
2096 .parse_header = _parse_header,
2097 .parse_body = _parse_body,
2098 .get_packet = _get_packet,
2099 .get_packet_data = _get_packet_data,
2100 .destroy = _destroy,
2101 },
2102 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
2103 .is_request = TRUE,
2104 .first_payload = NO_PAYLOAD,
2105 .packet = packet,
2106 .payloads = linked_list_create(),
2107 .parser = parser_create(packet->get_data(packet)),
2108 );
2109
2110 return &this->public;
2111 }
2112
2113 /*
2114 * Described in header.
2115 */
2116 message_t *message_create(int major, int minor)
2117 {
2118 message_t *this = message_create_from_packet(packet_create());
2119
2120 this->set_major_version(this, major);
2121 this->set_minor_version(this, minor);
2122
2123 return this;
2124 }