Allow creation of message_t objects for IKEv1 packets.
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ike_sa_id.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <utils/linked_list.h>
31 #include <encoding/payloads/encodings.h>
32 #include <encoding/payloads/payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of vendor ID payloads per IKEv2 message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * Max number of certificate request payloads per IKEv1 message
59 */
60 #define MAX_CERTREQ_PAYLOADS 5
61
62 /**
63 * A payload rule defines the rules for a payload
64 * in a specific message rule. It defines if and how
65 * many times a payload must/can occur in a message
66 * and if it must be encrypted.
67 */
68 typedef struct {
69 /* Payload type */
70 payload_type_t type;
71 /* Minimal occurrence of this payload. */
72 size_t min_occurence;
73 /* Max occurrence of this payload. */
74 size_t max_occurence;
75 /* TRUE if payload must be encrypted */
76 bool encrypted;
77 /* If payload occurs, the message rule is fulfilled */
78 bool sufficient;
79 } payload_rule_t;
80
81 /**
82 * payload ordering structure allows us to reorder payloads according to RFC.
83 */
84 typedef struct {
85 /** payload type */
86 payload_type_t type;
87 /** notify type, if payload == NOTIFY */
88 notify_type_t notify;
89 } payload_order_t;
90
91 /**
92 * A message rule defines the kind of a message,
93 * if it has encrypted contents and a list
94 * of payload ordering rules and payload parsing rules.
95 */
96 typedef struct {
97 /** Type of message. */
98 exchange_type_t exchange_type;
99 /** Is message a request or response. */
100 bool is_request;
101 /** Message contains encrypted payloads. */
102 bool encrypted;
103 /** Number of payload rules which will follow */
104 int rule_count;
105 /** Pointer to first payload rule */
106 payload_rule_t *rules;
107 /** Number of payload order rules */
108 int order_count;
109 /** payload ordering rules */
110 payload_order_t *order;
111 } message_rule_t;
112
113 /**
114 * Message rule for IKE_SA_INIT from initiator.
115 */
116 static payload_rule_t ike_sa_init_i_rules[] = {
117 /* payload type min max encr suff */
118 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
119 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
120 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
121 {NONCE, 1, 1, FALSE, FALSE},
122 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
123 };
124
125 /**
126 * payload order for IKE_SA_INIT initiator
127 */
128 static payload_order_t ike_sa_init_i_order[] = {
129 /* payload type notify type */
130 {NOTIFY, COOKIE},
131 {SECURITY_ASSOCIATION, 0},
132 {KEY_EXCHANGE, 0},
133 {NONCE, 0},
134 {NOTIFY, NAT_DETECTION_SOURCE_IP},
135 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
136 {NOTIFY, 0},
137 {VENDOR_ID, 0},
138 };
139
140 /**
141 * Message rule for IKE_SA_INIT from responder.
142 */
143 static payload_rule_t ike_sa_init_r_rules[] = {
144 /* payload type min max encr suff */
145 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
146 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
147 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
148 {NONCE, 1, 1, FALSE, FALSE},
149 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
150 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
151 };
152
153 /**
154 * payload order for IKE_SA_INIT responder
155 */
156 static payload_order_t ike_sa_init_r_order[] = {
157 /* payload type notify type */
158 {SECURITY_ASSOCIATION, 0},
159 {KEY_EXCHANGE, 0},
160 {NONCE, 0},
161 {NOTIFY, NAT_DETECTION_SOURCE_IP},
162 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
163 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
164 {CERTIFICATE_REQUEST, 0},
165 {NOTIFY, 0},
166 {VENDOR_ID, 0},
167 };
168
169 /**
170 * Message rule for IKE_AUTH from initiator.
171 */
172 static payload_rule_t ike_auth_i_rules[] = {
173 /* payload type min max encr suff */
174 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
175 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
176 {AUTHENTICATION, 0, 1, TRUE, TRUE},
177 {ID_INITIATOR, 0, 1, TRUE, FALSE},
178 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
179 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
180 {ID_RESPONDER, 0, 1, TRUE, FALSE},
181 #ifdef ME
182 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
184 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
185 #else
186 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
187 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
188 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
189 #endif /* ME */
190 {CONFIGURATION, 0, 1, TRUE, FALSE},
191 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
192 };
193
194 /**
195 * payload order for IKE_AUTH initiator
196 */
197 static payload_order_t ike_auth_i_order[] = {
198 /* payload type notify type */
199 {ID_INITIATOR, 0},
200 {CERTIFICATE, 0},
201 {NOTIFY, INITIAL_CONTACT},
202 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
203 {CERTIFICATE_REQUEST, 0},
204 {ID_RESPONDER, 0},
205 {AUTHENTICATION, 0},
206 {EXTENSIBLE_AUTHENTICATION, 0},
207 {CONFIGURATION, 0},
208 {NOTIFY, IPCOMP_SUPPORTED},
209 {NOTIFY, USE_TRANSPORT_MODE},
210 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
211 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
212 {SECURITY_ASSOCIATION, 0},
213 {TRAFFIC_SELECTOR_INITIATOR, 0},
214 {TRAFFIC_SELECTOR_RESPONDER, 0},
215 {NOTIFY, MOBIKE_SUPPORTED},
216 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
217 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
218 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
219 {NOTIFY, 0},
220 {VENDOR_ID, 0},
221 };
222
223 /**
224 * Message rule for IKE_AUTH from responder.
225 */
226 static payload_rule_t ike_auth_r_rules[] = {
227 /* payload type min max encr suff */
228 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
229 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
230 {AUTHENTICATION, 0, 1, TRUE, TRUE},
231 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
232 {ID_RESPONDER, 0, 1, TRUE, FALSE},
233 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
234 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
235 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
236 {CONFIGURATION, 0, 1, TRUE, FALSE},
237 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
238 };
239
240 /**
241 * payload order for IKE_AUTH responder
242 */
243 static payload_order_t ike_auth_r_order[] = {
244 /* payload type notify type */
245 {ID_RESPONDER, 0},
246 {CERTIFICATE, 0},
247 {AUTHENTICATION, 0},
248 {EXTENSIBLE_AUTHENTICATION, 0},
249 {CONFIGURATION, 0},
250 {NOTIFY, IPCOMP_SUPPORTED},
251 {NOTIFY, USE_TRANSPORT_MODE},
252 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
253 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
254 {SECURITY_ASSOCIATION, 0},
255 {TRAFFIC_SELECTOR_INITIATOR, 0},
256 {TRAFFIC_SELECTOR_RESPONDER, 0},
257 {NOTIFY, AUTH_LIFETIME},
258 {NOTIFY, MOBIKE_SUPPORTED},
259 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
260 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
261 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
262 {NOTIFY, 0},
263 {VENDOR_ID, 0},
264 };
265
266 /**
267 * Message rule for INFORMATIONAL from initiator.
268 */
269 static payload_rule_t informational_i_rules[] = {
270 /* payload type min max encr suff */
271 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
272 {CONFIGURATION, 0, 1, TRUE, FALSE},
273 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
274 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
275 };
276
277 /**
278 * payload order for INFORMATIONAL initiator
279 */
280 static payload_order_t informational_i_order[] = {
281 /* payload type notify type */
282 {NOTIFY, UPDATE_SA_ADDRESSES},
283 {NOTIFY, NAT_DETECTION_SOURCE_IP},
284 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
285 {NOTIFY, COOKIE2},
286 {NOTIFY, 0},
287 {DELETE, 0},
288 {CONFIGURATION, 0},
289 };
290
291 /**
292 * Message rule for INFORMATIONAL from responder.
293 */
294 static payload_rule_t informational_r_rules[] = {
295 /* payload type min max encr suff */
296 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
297 {CONFIGURATION, 0, 1, TRUE, FALSE},
298 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
299 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
300 };
301
302 /**
303 * payload order for INFORMATIONAL responder
304 */
305 static payload_order_t informational_r_order[] = {
306 /* payload type notify type */
307 {NOTIFY, UPDATE_SA_ADDRESSES},
308 {NOTIFY, NAT_DETECTION_SOURCE_IP},
309 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
310 {NOTIFY, COOKIE2},
311 {NOTIFY, 0},
312 {DELETE, 0},
313 {CONFIGURATION, 0},
314 };
315
316 /**
317 * Message rule for CREATE_CHILD_SA from initiator.
318 */
319 static payload_rule_t create_child_sa_i_rules[] = {
320 /* payload type min max encr suff */
321 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
322 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
323 {NONCE, 1, 1, TRUE, FALSE},
324 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
325 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
326 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
327 {CONFIGURATION, 0, 1, TRUE, FALSE},
328 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
329 };
330
331 /**
332 * payload order for CREATE_CHILD_SA from initiator.
333 */
334 static payload_order_t create_child_sa_i_order[] = {
335 /* payload type notify type */
336 {NOTIFY, REKEY_SA},
337 {NOTIFY, IPCOMP_SUPPORTED},
338 {NOTIFY, USE_TRANSPORT_MODE},
339 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
340 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
341 {SECURITY_ASSOCIATION, 0},
342 {NONCE, 0},
343 {KEY_EXCHANGE, 0},
344 {TRAFFIC_SELECTOR_INITIATOR, 0},
345 {TRAFFIC_SELECTOR_RESPONDER, 0},
346 {NOTIFY, 0},
347 };
348
349 /**
350 * Message rule for CREATE_CHILD_SA from responder.
351 */
352 static payload_rule_t create_child_sa_r_rules[] = {
353 /* payload type min max encr suff */
354 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
355 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
356 {NONCE, 1, 1, TRUE, FALSE},
357 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
359 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
360 {CONFIGURATION, 0, 1, TRUE, FALSE},
361 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
362 };
363
364 /**
365 * payload order for CREATE_CHILD_SA from responder.
366 */
367 static payload_order_t create_child_sa_r_order[] = {
368 /* payload type notify type */
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
379 {NOTIFY, 0},
380 };
381
382 #ifdef ME
383 /**
384 * Message rule for ME_CONNECT from initiator.
385 */
386 static payload_rule_t me_connect_i_rules[] = {
387 /* payload type min max encr suff */
388 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
389 {ID_PEER, 1, 1, TRUE, FALSE},
390 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
391 };
392
393 /**
394 * payload order for ME_CONNECT from initiator.
395 */
396 static payload_order_t me_connect_i_order[] = {
397 /* payload type notify type */
398 {NOTIFY, 0},
399 {ID_PEER, 0},
400 {VENDOR_ID, 0},
401 };
402
403 /**
404 * Message rule for ME_CONNECT from responder.
405 */
406 static payload_rule_t me_connect_r_rules[] = {
407 /* payload type min max encr suff */
408 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
409 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
410 };
411
412 /**
413 * payload order for ME_CONNECT from responder.
414 */
415 static payload_order_t me_connect_r_order[] = {
416 /* payload type notify type */
417 {NOTIFY, 0},
418 {VENDOR_ID, 0},
419 };
420 #endif /* ME */
421
422 #ifdef USE_IKEV1
423 /**
424 * Message rule for ID_PROT from initiator.
425 */
426 static payload_rule_t id_prot_i_rules[] = {
427 /* payload type min max encr suff */
428 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
429 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
430 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
431 {NONCE_V1, 0, 1, FALSE, FALSE},
432 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
433 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
434 {ID_V1, 0, 1, TRUE, FALSE},
435 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
436 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
437 {HASH_V1, 0, 1, TRUE, FALSE},
438 };
439
440 /**
441 * payload order for ID_PROT from initiator.
442 */
443 static payload_order_t id_prot_i_order[] = {
444 /* payload type notify type */
445 {SECURITY_ASSOCIATION_V1, 0},
446 {KEY_EXCHANGE_V1, 0},
447 {NONCE_V1, 0},
448 {ID_V1, 0},
449 {CERTIFICATE_V1, 0},
450 {SIGNATURE_V1, 0},
451 {HASH_V1, 0},
452 {CERTIFICATE_REQUEST_V1, 0},
453 {NOTIFICATION_V1, 0},
454 {VENDOR_ID_V1, 0},
455 };
456
457 /**
458 * Message rule for ID_PROT from responder.
459 */
460 static payload_rule_t id_prot_r_rules[] = {
461 /* payload type min max encr suff */
462 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
463 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
464 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
465 {NONCE_V1, 0, 1, FALSE, FALSE},
466 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
467 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
468 {ID_V1, 0, 1, TRUE, FALSE},
469 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
470 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
471 {HASH_V1, 0, 1, TRUE, FALSE},
472 };
473
474 /**
475 * payload order for ID_PROT from responder.
476 */
477 static payload_order_t id_prot_r_order[] = {
478 /* payload type notify type */
479 {SECURITY_ASSOCIATION_V1, 0},
480 {KEY_EXCHANGE_V1, 0},
481 {NONCE_V1, 0},
482 {ID_V1, 0},
483 {CERTIFICATE_V1, 0},
484 {SIGNATURE_V1, 0},
485 {HASH_V1, 0},
486 {CERTIFICATE_REQUEST_V1, 0},
487 {NOTIFICATION_V1, 0},
488 {VENDOR_ID_V1, 0},
489 };
490
491 /**
492 * Message rule for AGGRESSIVE from initiator.
493 */
494 static payload_rule_t aggressive_i_rules[] = {
495 /* payload type min max encr suff */
496 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
497 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
498 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
499 {NONCE_V1, 0, 1, FALSE, FALSE},
500 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
501 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
502 {ID_V1, 0, 1, FALSE, FALSE},
503 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
504 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
505 {HASH_V1, 0, 1, FALSE, FALSE},
506 };
507
508 /**
509 * payload order for AGGRESSIVE from initiator.
510 */
511 static payload_order_t aggressive_i_order[] = {
512 /* payload type notify type */
513 {SECURITY_ASSOCIATION_V1, 0},
514 {KEY_EXCHANGE_V1, 0},
515 {NONCE_V1, 0},
516 {ID_V1, 0},
517 {CERTIFICATE_V1, 0},
518 {SIGNATURE_V1, 0},
519 {HASH_V1, 0},
520 {CERTIFICATE_REQUEST_V1, 0},
521 {NOTIFICATION_V1, 0},
522 {VENDOR_ID_V1, 0},
523 };
524
525 /**
526 * Message rule for AGGRESSIVE from responder.
527 */
528 static payload_rule_t aggressive_r_rules[] = {
529 /* payload type min max encr suff */
530 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
531 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
532 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
533 {NONCE_V1, 0, 1, FALSE, FALSE},
534 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
535 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
536 {ID_V1, 0, 1, FALSE, FALSE},
537 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
538 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
539 {HASH_V1, 0, 1, FALSE, FALSE},
540 };
541
542 /**
543 * payload order for AGGRESSIVE from responder.
544 */
545 static payload_order_t aggressive_r_order[] = {
546 /* payload type notify type */
547 {SECURITY_ASSOCIATION_V1, 0},
548 {KEY_EXCHANGE_V1, 0},
549 {NONCE_V1, 0},
550 {ID_V1, 0},
551 {CERTIFICATE_V1, 0},
552 {SIGNATURE_V1, 0},
553 {HASH_V1, 0},
554 {CERTIFICATE_REQUEST_V1, 0},
555 {NOTIFICATION_V1, 0},
556 {VENDOR_ID_V1, 0},
557 };
558
559 /**
560 * Message rule for INFORMATIONAL_V1 from initiator.
561 */
562 static payload_rule_t informational_i_rules_v1[] = {
563 /* payload type min max encr suff */
564 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
565 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
566 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
567 };
568
569 /**
570 * payload order for INFORMATIONAL_V1 from initiator.
571 */
572 static payload_order_t informational_i_order_v1[] = {
573 /* payload type notify type */
574 {NOTIFICATION_V1, 0},
575 {DELETE_V1, 0},
576 {VENDOR_ID_V1, 0},
577 };
578 #endif /* USE_IKEV1 */
579
580 /**
581 * Message rules, defines allowed payloads.
582 */
583 static message_rule_t message_rules[] = {
584 {IKE_SA_INIT, TRUE, FALSE,
585 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
586 countof(ike_sa_init_i_order), ike_sa_init_i_order,
587 },
588 {IKE_SA_INIT, FALSE, FALSE,
589 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
590 countof(ike_sa_init_r_order), ike_sa_init_r_order,
591 },
592 {IKE_AUTH, TRUE, TRUE,
593 countof(ike_auth_i_rules), ike_auth_i_rules,
594 countof(ike_auth_i_order), ike_auth_i_order,
595 },
596 {IKE_AUTH, FALSE, TRUE,
597 countof(ike_auth_r_rules), ike_auth_r_rules,
598 countof(ike_auth_r_order), ike_auth_r_order,
599 },
600 {INFORMATIONAL, TRUE, TRUE,
601 countof(informational_i_rules), informational_i_rules,
602 countof(informational_i_order), informational_i_order,
603 },
604 {INFORMATIONAL, FALSE, TRUE,
605 countof(informational_r_rules), informational_r_rules,
606 countof(informational_r_order), informational_r_order,
607 },
608 {CREATE_CHILD_SA, TRUE, TRUE,
609 countof(create_child_sa_i_rules), create_child_sa_i_rules,
610 countof(create_child_sa_i_order), create_child_sa_i_order,
611 },
612 {CREATE_CHILD_SA, FALSE, TRUE,
613 countof(create_child_sa_r_rules), create_child_sa_r_rules,
614 countof(create_child_sa_r_order), create_child_sa_r_order,
615 },
616 #ifdef ME
617 {ME_CONNECT, TRUE, TRUE,
618 countof(me_connect_i_rules), me_connect_i_rules,
619 countof(me_connect_i_order), me_connect_i_order,
620 },
621 {ME_CONNECT, FALSE, TRUE,
622 countof(me_connect_r_rules), me_connect_r_rules,
623 countof(me_connect_r_order), me_connect_r_order,
624 },
625 #endif /* ME */
626 #ifdef USE_IKEV1
627 {ID_PROT, TRUE, FALSE,
628 countof(id_prot_i_rules), id_prot_i_rules,
629 countof(id_prot_i_order), id_prot_i_order,
630 },
631 {ID_PROT, FALSE, FALSE,
632 countof(id_prot_r_rules), id_prot_r_rules,
633 countof(id_prot_r_order), id_prot_r_order,
634 },
635 {AGGRESSIVE, TRUE, FALSE,
636 countof(aggressive_i_rules), aggressive_i_rules,
637 countof(aggressive_i_order), aggressive_i_order,
638 },
639 {AGGRESSIVE, FALSE, FALSE,
640 countof(aggressive_r_rules), aggressive_r_rules,
641 countof(aggressive_r_order), aggressive_r_order,
642 },
643 {INFORMATIONAL_V1, TRUE, TRUE,
644 countof(informational_i_rules_v1), informational_i_rules_v1,
645 countof(informational_i_order_v1), informational_i_order_v1,
646 },
647 /* TODO-IKEv1: define rules for other exchanges */
648 #endif /* USE_IKEV1 */
649 };
650
651
652 typedef struct private_message_t private_message_t;
653
654 /**
655 * Private data of an message_t object.
656 */
657 struct private_message_t {
658
659 /**
660 * Public part of a message_t object.
661 */
662 message_t public;
663
664 /**
665 * Minor version of message.
666 */
667 u_int8_t major_version;
668
669 /**
670 * Major version of message.
671 */
672 u_int8_t minor_version;
673
674 /**
675 * First Payload in message.
676 */
677 payload_type_t first_payload;
678
679 /**
680 * Assigned exchange type.
681 */
682 exchange_type_t exchange_type;
683
684 /**
685 * TRUE if message is a request, FALSE if a reply.
686 */
687 bool is_request;
688
689 /**
690 * The message is encrypted (IKEv1)
691 */
692 bool is_encrypted;
693
694 /**
695 * Higher version supported?
696 */
697 bool version_flag;
698
699 /**
700 * Reserved bits in IKE header
701 */
702 bool reserved[2];
703
704 /**
705 * Sorting of message disabled?
706 */
707 bool sort_disabled;
708
709 /**
710 * Message ID of this message.
711 */
712 u_int32_t message_id;
713
714 /**
715 * ID of assigned IKE_SA.
716 */
717 ike_sa_id_t *ike_sa_id;
718
719 /**
720 * Assigned UDP packet, stores incoming packet or last generated one.
721 */
722 packet_t *packet;
723
724 /**
725 * Linked List where payload data are stored in.
726 */
727 linked_list_t *payloads;
728
729 /**
730 * Assigned parser to parse Header and Body of this message.
731 */
732 parser_t *parser;
733
734 /**
735 * The message rule for this message instance
736 */
737 message_rule_t *rule;
738 };
739
740 /**
741 * Get the message rule that applies to this message
742 */
743 static message_rule_t* get_message_rule(private_message_t *this)
744 {
745 int i;
746
747 for (i = 0; i < countof(message_rules); i++)
748 {
749 if ((this->exchange_type == message_rules[i].exchange_type) &&
750 (this->is_request == message_rules[i].is_request))
751 {
752 return &message_rules[i];
753 }
754 }
755 return NULL;
756 }
757
758 /**
759 * Look up a payload rule
760 */
761 static payload_rule_t* get_payload_rule(private_message_t *this,
762 payload_type_t type)
763 {
764 int i;
765
766 for (i = 0; i < this->rule->rule_count;i++)
767 {
768 if (this->rule->rules[i].type == type)
769 {
770 return &this->rule->rules[i];
771 }
772 }
773 return NULL;
774 }
775
776 METHOD(message_t, set_ike_sa_id, void,
777 private_message_t *this,ike_sa_id_t *ike_sa_id)
778 {
779 DESTROY_IF(this->ike_sa_id);
780 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
781 }
782
783 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
784 private_message_t *this)
785 {
786 return this->ike_sa_id;
787 }
788
789 METHOD(message_t, set_message_id, void,
790 private_message_t *this,u_int32_t message_id)
791 {
792 this->message_id = message_id;
793 }
794
795 METHOD(message_t, get_message_id, u_int32_t,
796 private_message_t *this)
797 {
798 return this->message_id;
799 }
800
801 METHOD(message_t, get_initiator_spi, u_int64_t,
802 private_message_t *this)
803 {
804 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
805 }
806
807 METHOD(message_t, get_responder_spi, u_int64_t,
808 private_message_t *this)
809 {
810 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
811 }
812
813 METHOD(message_t, set_major_version, void,
814 private_message_t *this, u_int8_t major_version)
815 {
816 this->major_version = major_version;
817 }
818
819 METHOD(message_t, get_major_version, u_int8_t,
820 private_message_t *this)
821 {
822 return this->major_version;
823 }
824
825 METHOD(message_t, set_minor_version, void,
826 private_message_t *this,u_int8_t minor_version)
827 {
828 this->minor_version = minor_version;
829 }
830
831 METHOD(message_t, get_minor_version, u_int8_t,
832 private_message_t *this)
833 {
834 return this->minor_version;
835 }
836
837 METHOD(message_t, set_exchange_type, void,
838 private_message_t *this, exchange_type_t exchange_type)
839 {
840 this->exchange_type = exchange_type;
841 }
842
843 METHOD(message_t, get_exchange_type, exchange_type_t,
844 private_message_t *this)
845 {
846 return this->exchange_type;
847 }
848
849 METHOD(message_t, get_first_payload_type, payload_type_t,
850 private_message_t *this)
851 {
852 return this->first_payload;
853 }
854
855 METHOD(message_t, set_request, void,
856 private_message_t *this, bool request)
857 {
858 this->is_request = request;
859 }
860
861 METHOD(message_t, get_request, bool,
862 private_message_t *this)
863 {
864 return this->is_request;
865 }
866
867 METHOD(message_t, set_version_flag, void,
868 private_message_t *this)
869 {
870 this->version_flag = TRUE;
871 }
872
873 METHOD(message_t, get_reserved_header_bit, bool,
874 private_message_t *this, u_int nr)
875 {
876 if (nr < countof(this->reserved))
877 {
878 return this->reserved[nr];
879 }
880 return FALSE;
881 }
882
883 METHOD(message_t, set_reserved_header_bit, void,
884 private_message_t *this, u_int nr)
885 {
886 if (nr < countof(this->reserved))
887 {
888 this->reserved[nr] = TRUE;
889 }
890 }
891
892 METHOD(message_t, is_encoded, bool,
893 private_message_t *this)
894 {
895 return this->packet->get_data(this->packet).ptr != NULL;
896 }
897
898 METHOD(message_t, add_payload, void,
899 private_message_t *this, payload_t *payload)
900 {
901 payload_t *last_payload;
902
903 if (this->payloads->get_count(this->payloads) > 0)
904 {
905 this->payloads->get_last(this->payloads, (void **)&last_payload);
906 last_payload->set_next_type(last_payload, payload->get_type(payload));
907 }
908 else
909 {
910 this->first_payload = payload->get_type(payload);
911 }
912 payload->set_next_type(payload, NO_PAYLOAD);
913 this->payloads->insert_last(this->payloads, payload);
914
915 DBG2(DBG_ENC ,"added payload of type %N to message",
916 payload_type_names, payload->get_type(payload));
917 }
918
919 METHOD(message_t, add_notify, void,
920 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
921 {
922 notify_payload_t *notify;
923 payload_t *payload;
924
925 if (flush)
926 {
927 while (this->payloads->remove_last(this->payloads,
928 (void**)&payload) == SUCCESS)
929 {
930 payload->destroy(payload);
931 }
932 }
933 notify = notify_payload_create();
934 notify->set_notify_type(notify, type);
935 notify->set_notification_data(notify, data);
936 add_payload(this, (payload_t*)notify);
937 }
938
939 METHOD(message_t, set_source, void,
940 private_message_t *this, host_t *host)
941 {
942 this->packet->set_source(this->packet, host);
943 }
944
945 METHOD(message_t, set_destination, void,
946 private_message_t *this, host_t *host)
947 {
948 this->packet->set_destination(this->packet, host);
949 }
950
951 METHOD(message_t, get_source, host_t*,
952 private_message_t *this)
953 {
954 return this->packet->get_source(this->packet);
955 }
956
957 METHOD(message_t, get_destination, host_t*,
958 private_message_t *this)
959 {
960 return this->packet->get_destination(this->packet);
961 }
962
963 METHOD(message_t, create_payload_enumerator, enumerator_t*,
964 private_message_t *this)
965 {
966 return this->payloads->create_enumerator(this->payloads);
967 }
968
969 METHOD(message_t, remove_payload_at, void,
970 private_message_t *this, enumerator_t *enumerator)
971 {
972 this->payloads->remove_at(this->payloads, enumerator);
973 }
974
975 METHOD(message_t, get_payload, payload_t*,
976 private_message_t *this, payload_type_t type)
977 {
978 payload_t *current, *found = NULL;
979 enumerator_t *enumerator;
980
981 enumerator = create_payload_enumerator(this);
982 while (enumerator->enumerate(enumerator, &current))
983 {
984 if (current->get_type(current) == type)
985 {
986 found = current;
987 break;
988 }
989 }
990 enumerator->destroy(enumerator);
991 return found;
992 }
993
994 METHOD(message_t, get_notify, notify_payload_t*,
995 private_message_t *this, notify_type_t type)
996 {
997 enumerator_t *enumerator;
998 notify_payload_t *notify = NULL;
999 payload_t *payload;
1000
1001 enumerator = create_payload_enumerator(this);
1002 while (enumerator->enumerate(enumerator, &payload))
1003 {
1004 if (payload->get_type(payload) == NOTIFY)
1005 {
1006 notify = (notify_payload_t*)payload;
1007 if (notify->get_notify_type(notify) == type)
1008 {
1009 break;
1010 }
1011 notify = NULL;
1012 }
1013 }
1014 enumerator->destroy(enumerator);
1015 return notify;
1016 }
1017
1018 /**
1019 * get a string representation of the message
1020 */
1021 static char* get_string(private_message_t *this, char *buf, int len)
1022 {
1023 enumerator_t *enumerator;
1024 payload_t *payload;
1025 int written;
1026 char *pos = buf;
1027
1028 memset(buf, 0, len);
1029 len--;
1030
1031 written = snprintf(pos, len, "%N %s %d [",
1032 exchange_type_names, this->exchange_type,
1033 this->is_request ? "request" : "response",
1034 this->message_id);
1035 if (written >= len || written < 0)
1036 {
1037 return "";
1038 }
1039 pos += written;
1040 len -= written;
1041
1042 enumerator = create_payload_enumerator(this);
1043 while (enumerator->enumerate(enumerator, &payload))
1044 {
1045 written = snprintf(pos, len, " %N", payload_type_short_names,
1046 payload->get_type(payload));
1047 if (written >= len || written < 0)
1048 {
1049 return buf;
1050 }
1051 pos += written;
1052 len -= written;
1053 if (payload->get_type(payload) == NOTIFY)
1054 {
1055 notify_payload_t *notify;
1056 notify_type_t type;
1057 chunk_t data;
1058
1059 notify = (notify_payload_t*)payload;
1060 type = notify->get_notify_type(notify);
1061 data = notify->get_notification_data(notify);
1062 if (type == MS_NOTIFY_STATUS && data.len == 4)
1063 {
1064 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1065 type, untoh32(data.ptr));
1066 }
1067 else
1068 {
1069 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1070 type);
1071 }
1072 if (written >= len || written < 0)
1073 {
1074 return buf;
1075 }
1076 pos += written;
1077 len -= written;
1078 }
1079 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1080 {
1081 eap_payload_t *eap = (eap_payload_t*)payload;
1082 u_int32_t vendor;
1083 eap_type_t type;
1084 char method[64] = "";
1085
1086 type = eap->get_type(eap, &vendor);
1087 if (type)
1088 {
1089 if (vendor)
1090 {
1091 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1092 }
1093 else
1094 {
1095 snprintf(method, sizeof(method), "/%N",
1096 eap_type_short_names, type);
1097 }
1098 }
1099 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1100 eap->get_code(eap), method);
1101 if (written >= len || written < 0)
1102 {
1103 return buf;
1104 }
1105 pos += written;
1106 len -= written;
1107 }
1108 if (payload->get_type(payload) == CONFIGURATION)
1109 {
1110 cp_payload_t *cp = (cp_payload_t*)payload;
1111 enumerator_t *attributes;
1112 configuration_attribute_t *attribute;
1113 bool first = TRUE;
1114
1115 attributes = cp->create_attribute_enumerator(cp);
1116 while (attributes->enumerate(attributes, &attribute))
1117 {
1118 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1119 configuration_attribute_type_short_names,
1120 attribute->get_type(attribute));
1121 if (written >= len || written < 0)
1122 {
1123 return buf;
1124 }
1125 pos += written;
1126 len -= written;
1127 first = FALSE;
1128 }
1129 attributes->destroy(attributes);
1130 if (!first)
1131 {
1132 written = snprintf(pos, len, ")");
1133 if (written >= len || written < 0)
1134 {
1135 return buf;
1136 }
1137 pos += written;
1138 len -= written;
1139 }
1140 }
1141 }
1142 enumerator->destroy(enumerator);
1143
1144 /* remove last space */
1145 snprintf(pos, len, " ]");
1146 return buf;
1147 }
1148
1149 /**
1150 * reorder payloads depending on reordering rules
1151 */
1152 static void order_payloads(private_message_t *this)
1153 {
1154 linked_list_t *list;
1155 payload_t *payload;
1156 int i;
1157
1158 /* move to temp list */
1159 list = linked_list_create();
1160 while (this->payloads->remove_last(this->payloads,
1161 (void**)&payload) == SUCCESS)
1162 {
1163 list->insert_first(list, payload);
1164 }
1165 /* for each rule, ... */
1166 for (i = 0; i < this->rule->order_count; i++)
1167 {
1168 enumerator_t *enumerator;
1169 notify_payload_t *notify;
1170 payload_order_t order;
1171
1172 order = this->rule->order[i];
1173
1174 /* ... find all payload ... */
1175 enumerator = list->create_enumerator(list);
1176 while (enumerator->enumerate(enumerator, &payload))
1177 {
1178 /* ... with that type ... */
1179 if (payload->get_type(payload) == order.type)
1180 {
1181 notify = (notify_payload_t*)payload;
1182
1183 /**... and check notify for type. */
1184 if (order.type != NOTIFY || order.notify == 0 ||
1185 order.notify == notify->get_notify_type(notify))
1186 {
1187 list->remove_at(list, enumerator);
1188 add_payload(this, payload);
1189 }
1190 }
1191 }
1192 enumerator->destroy(enumerator);
1193 }
1194 /* append all payloads without a rule to the end */
1195 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1196 {
1197 /* do not complain about payloads in private use space */
1198 if (payload->get_type(payload) < 128)
1199 {
1200 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1201 payload_type_names, payload->get_type(payload),
1202 exchange_type_names, this->rule->exchange_type,
1203 this->rule->is_request ? "request" : "response");
1204 }
1205 add_payload(this, payload);
1206 }
1207 list->destroy(list);
1208 }
1209
1210 /**
1211 * Wrap payloads in a encryption payload
1212 */
1213 static encryption_payload_t* wrap_payloads(private_message_t *this)
1214 {
1215 encryption_payload_t *encryption;
1216 linked_list_t *payloads;
1217 payload_t *current;
1218
1219 /* copy all payloads in a temporary list */
1220 payloads = linked_list_create();
1221 while (this->payloads->remove_first(this->payloads,
1222 (void**)&current) == SUCCESS)
1223 {
1224 payloads->insert_last(payloads, current);
1225 }
1226
1227 encryption = encryption_payload_create();
1228 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1229 {
1230 payload_rule_t *rule;
1231 payload_type_t type;
1232 bool encrypt = TRUE;
1233
1234 type = current->get_type(current);
1235 rule = get_payload_rule(this, type);
1236 if (rule)
1237 {
1238 encrypt = rule->encrypted;
1239 }
1240 if (encrypt)
1241 {
1242 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1243 payload_type_names, type);
1244 encryption->add_payload(encryption, current);
1245 }
1246 else
1247 {
1248 DBG2(DBG_ENC, "insert payload %N unencrypted",
1249 payload_type_names, type);
1250 add_payload(this, current);
1251 }
1252 }
1253 payloads->destroy(payloads);
1254
1255 return encryption;
1256 }
1257
1258 METHOD(message_t, disable_sort, void,
1259 private_message_t *this)
1260 {
1261 this->sort_disabled = TRUE;
1262 }
1263
1264 METHOD(message_t, generate, status_t,
1265 private_message_t *this, aead_t *aead, packet_t **packet)
1266 {
1267 generator_t *generator;
1268 ike_header_t *ike_header;
1269 payload_t *payload, *next;
1270 encryption_payload_t *encryption = NULL;
1271 enumerator_t *enumerator;
1272 chunk_t chunk;
1273 char str[BUF_LEN];
1274 u_int32_t *lenpos;
1275 bool *reserved;
1276 int i;
1277
1278 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1279 {
1280 DBG1(DBG_ENC, "exchange type is not defined");
1281 return INVALID_STATE;
1282 }
1283
1284 if (this->packet->get_source(this->packet) == NULL ||
1285 this->packet->get_destination(this->packet) == NULL)
1286 {
1287 DBG1(DBG_ENC, "source/destination not defined");
1288 return INVALID_STATE;
1289 }
1290
1291 this->rule = get_message_rule(this);
1292 if (!this->rule)
1293 {
1294 DBG1(DBG_ENC, "no message rules specified for this message type");
1295 return NOT_SUPPORTED;
1296 }
1297
1298 if (!this->sort_disabled)
1299 {
1300 order_payloads(this);
1301 }
1302
1303 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1304
1305 if (aead && this->rule->encrypted)
1306 {
1307 encryption = wrap_payloads(this);
1308 }
1309 else
1310 {
1311 DBG2(DBG_ENC, "not encrypting payloads");
1312 }
1313
1314 ike_header = ike_header_create_version(this->major_version,
1315 this->minor_version);
1316 ike_header->set_exchange_type(ike_header, this->exchange_type);
1317 ike_header->set_message_id(ike_header, this->message_id);
1318 ike_header->set_response_flag(ike_header, !this->is_request);
1319 ike_header->set_version_flag(ike_header, this->version_flag);
1320 ike_header->set_initiator_flag(ike_header,
1321 this->ike_sa_id->is_initiator(this->ike_sa_id));
1322 ike_header->set_initiator_spi(ike_header,
1323 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1324 ike_header->set_responder_spi(ike_header,
1325 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1326
1327 for (i = 0; i < countof(this->reserved); i++)
1328 {
1329 reserved = payload_get_field(&ike_header->payload_interface,
1330 RESERVED_BIT, i);
1331 if (reserved)
1332 {
1333 *reserved = this->reserved[i];
1334 }
1335 }
1336
1337 generator = generator_create();
1338
1339 /* generate all payloads with proper next type */
1340 payload = (payload_t*)ike_header;
1341 enumerator = create_payload_enumerator(this);
1342 while (enumerator->enumerate(enumerator, &next))
1343 {
1344 payload->set_next_type(payload, next->get_type(next));
1345 generator->generate_payload(generator, payload);
1346 payload = next;
1347 }
1348 enumerator->destroy(enumerator);
1349 payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
1350 generator->generate_payload(generator, payload);
1351 ike_header->destroy(ike_header);
1352
1353 if (encryption)
1354 {
1355 u_int32_t *lenpos;
1356
1357 /* build associated data (without header of encryption payload) */
1358 chunk = generator->get_chunk(generator, &lenpos);
1359 encryption->set_transform(encryption, aead);
1360 /* fill in length, including encryption payload */
1361 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1362
1363 this->payloads->insert_last(this->payloads, encryption);
1364 if (!encryption->encrypt(encryption, chunk))
1365 {
1366 generator->destroy(generator);
1367 return INVALID_STATE;
1368 }
1369 generator->generate_payload(generator, &encryption->payload_interface);
1370 }
1371 chunk = generator->get_chunk(generator, &lenpos);
1372 htoun32(lenpos, chunk.len);
1373 this->packet->set_data(this->packet, chunk_clone(chunk));
1374 generator->destroy(generator);
1375
1376 *packet = this->packet->clone(this->packet);
1377 return SUCCESS;
1378 }
1379
1380 METHOD(message_t, get_packet, packet_t*,
1381 private_message_t *this)
1382 {
1383 if (this->packet == NULL)
1384 {
1385 return NULL;
1386 }
1387 return this->packet->clone(this->packet);
1388 }
1389
1390 METHOD(message_t, get_packet_data, chunk_t,
1391 private_message_t *this)
1392 {
1393 if (this->packet == NULL)
1394 {
1395 return chunk_empty;
1396 }
1397 return chunk_clone(this->packet->get_data(this->packet));
1398 }
1399
1400 METHOD(message_t, parse_header, status_t,
1401 private_message_t *this)
1402 {
1403 ike_header_t *ike_header;
1404 status_t status;
1405 bool *reserved;
1406 int i;
1407
1408 DBG2(DBG_ENC, "parsing header of message");
1409
1410 this->parser->reset_context(this->parser);
1411 status = this->parser->parse_payload(this->parser, HEADER,
1412 (payload_t**)&ike_header);
1413 if (status != SUCCESS)
1414 {
1415 DBG1(DBG_ENC, "header could not be parsed");
1416 return status;
1417
1418 }
1419
1420 status = ike_header->payload_interface.verify(
1421 &ike_header->payload_interface);
1422 if (status != SUCCESS)
1423 {
1424 DBG1(DBG_ENC, "header verification failed");
1425 ike_header->destroy(ike_header);
1426 return status;
1427 }
1428
1429 DESTROY_IF(this->ike_sa_id);
1430 this->ike_sa_id = ike_sa_id_create(
1431 ike_header->get_initiator_spi(ike_header),
1432 ike_header->get_responder_spi(ike_header),
1433 ike_header->get_initiator_flag(ike_header));
1434
1435 this->exchange_type = ike_header->get_exchange_type(ike_header);
1436 this->message_id = ike_header->get_message_id(ike_header);
1437 this->is_request = !ike_header->get_response_flag(ike_header);
1438 this->is_encrypted = ike_header->get_encryption_flag(ike_header);
1439 this->major_version = ike_header->get_maj_version(ike_header);
1440 this->minor_version = ike_header->get_min_version(ike_header);
1441 this->first_payload = ike_header->payload_interface.get_next_type(
1442 &ike_header->payload_interface);
1443 for (i = 0; i < countof(this->reserved); i++)
1444 {
1445 reserved = payload_get_field(&ike_header->payload_interface,
1446 RESERVED_BIT, i);
1447 if (reserved)
1448 {
1449 this->reserved[i] = *reserved;
1450 }
1451 }
1452 ike_header->destroy(ike_header);
1453
1454 DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
1455 this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
1456 "message" : (this->is_request ? "request" : "response"));
1457 return SUCCESS;
1458 }
1459
1460 /**
1461 * Check if a payload is for a mediation extension connectivity check
1462 */
1463 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1464 {
1465 #ifdef ME
1466 if (this->exchange_type == INFORMATIONAL &&
1467 payload->get_type(payload) == NOTIFY)
1468 {
1469 notify_payload_t *notify = (notify_payload_t*)payload;
1470
1471 switch (notify->get_notify_type(notify))
1472 {
1473 case ME_CONNECTID:
1474 case ME_ENDPOINT:
1475 case ME_CONNECTAUTH:
1476 return TRUE;
1477 default:
1478 break;
1479 }
1480 }
1481 #endif /* !ME */
1482 return FALSE;
1483 }
1484
1485 /**
1486 * Decrypt payload from the encryption payload
1487 */
1488 static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
1489 {
1490 bool was_encrypted = FALSE;
1491 payload_t *payload, *previous = NULL;
1492 enumerator_t *enumerator;
1493 payload_rule_t *rule;
1494 payload_type_t type;
1495 status_t status = SUCCESS;
1496
1497 enumerator = this->payloads->create_enumerator(this->payloads);
1498 while (enumerator->enumerate(enumerator, &payload))
1499 {
1500 type = payload->get_type(payload);
1501
1502 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1503
1504 if (type == ENCRYPTED)
1505 {
1506 encryption_payload_t *encryption;
1507 payload_t *encrypted;
1508 chunk_t chunk;
1509
1510 encryption = (encryption_payload_t*)payload;
1511
1512 DBG2(DBG_ENC, "found an encryption payload");
1513
1514 if (this->payloads->has_more(this->payloads, enumerator))
1515 {
1516 DBG1(DBG_ENC, "encrypted payload is not last payload");
1517 status = VERIFY_ERROR;
1518 break;
1519 }
1520 encryption->set_transform(encryption, aead);
1521 chunk = this->packet->get_data(this->packet);
1522 if (chunk.len < encryption->get_length(encryption))
1523 {
1524 DBG1(DBG_ENC, "invalid payload length");
1525 status = VERIFY_ERROR;
1526 break;
1527 }
1528 chunk.len -= encryption->get_length(encryption);
1529 status = encryption->decrypt(encryption, chunk);
1530 if (status != SUCCESS)
1531 {
1532 break;
1533 }
1534
1535 was_encrypted = TRUE;
1536 this->payloads->remove_at(this->payloads, enumerator);
1537
1538 while ((encrypted = encryption->remove_payload(encryption)))
1539 {
1540 type = encrypted->get_type(encrypted);
1541 if (previous)
1542 {
1543 previous->set_next_type(previous, type);
1544 }
1545 else
1546 {
1547 this->first_payload = type;
1548 }
1549 DBG2(DBG_ENC, "insert decrypted payload of type "
1550 "%N at end of list", payload_type_names, type);
1551 this->payloads->insert_last(this->payloads, encrypted);
1552 previous = encrypted;
1553 }
1554 encryption->destroy(encryption);
1555 }
1556 if (payload_is_known(type) && !was_encrypted &&
1557 !is_connectivity_check(this, payload))
1558 {
1559 rule = get_payload_rule(this, type);
1560 if (!rule || rule->encrypted)
1561 {
1562 DBG1(DBG_ENC, "payload type %N was not encrypted",
1563 payload_type_names, type);
1564 status = FAILED;
1565 break;
1566 }
1567 }
1568 previous = payload;
1569 }
1570 enumerator->destroy(enumerator);
1571 return status;
1572 }
1573
1574 /**
1575 * Verify a message and all payload according to message/payload rules
1576 */
1577 static status_t verify(private_message_t *this)
1578 {
1579 bool complete = FALSE;
1580 int i;
1581
1582 DBG2(DBG_ENC, "verifying message structure");
1583
1584 /* check for payloads with wrong count*/
1585 for (i = 0; i < this->rule->rule_count; i++)
1586 {
1587 enumerator_t *enumerator;
1588 payload_t *payload;
1589 payload_rule_t *rule;
1590 int found = 0;
1591
1592 rule = &this->rule->rules[i];
1593 enumerator = create_payload_enumerator(this);
1594 while (enumerator->enumerate(enumerator, &payload))
1595 {
1596 payload_type_t type;
1597
1598 type = payload->get_type(payload);
1599 if (type == rule->type)
1600 {
1601 found++;
1602 DBG2(DBG_ENC, "found payload of type %N",
1603 payload_type_names, type);
1604 if (found > rule->max_occurence)
1605 {
1606 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1607 "occurred in current message", payload_type_names,
1608 type, rule->max_occurence, found);
1609 enumerator->destroy(enumerator);
1610 return VERIFY_ERROR;
1611 }
1612 }
1613 }
1614 enumerator->destroy(enumerator);
1615
1616 if (!complete && found < rule->min_occurence)
1617 {
1618 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1619 payload_type_names, rule->type, rule->min_occurence, found);
1620 return VERIFY_ERROR;
1621 }
1622 if (found && rule->sufficient)
1623 {
1624 complete = TRUE;
1625 }
1626 }
1627 return SUCCESS;
1628 }
1629
1630 METHOD(message_t, parse_body, status_t,
1631 private_message_t *this, aead_t *aead)
1632 {
1633 status_t status = SUCCESS;
1634 payload_t *payload;
1635 payload_type_t type;
1636 char str[BUF_LEN];
1637
1638 type = this->first_payload;
1639
1640 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1641 payload_type_names, type);
1642
1643 this->rule = get_message_rule(this);
1644 if (!this->rule)
1645 {
1646 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1647 exchange_type_names, this->exchange_type,
1648 this->is_request ? "request" : "response");
1649 return PARSE_ERROR;
1650 }
1651
1652 while (type != NO_PAYLOAD)
1653 {
1654 DBG2(DBG_ENC, "starting parsing a %N payload",
1655 payload_type_names, type);
1656
1657 status = this->parser->parse_payload(this->parser, type, &payload);
1658 if (status != SUCCESS)
1659 {
1660 DBG1(DBG_ENC, "payload type %N could not be parsed",
1661 payload_type_names, type);
1662 return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;
1663 }
1664
1665 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1666 status = payload->verify(payload);
1667 if (status != SUCCESS)
1668 {
1669 DBG1(DBG_ENC, "%N payload verification failed",
1670 payload_type_names, type);
1671 payload->destroy(payload);
1672 return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED;
1673 }
1674
1675 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1676 payload_type_names, type);
1677 this->payloads->insert_last(this->payloads, payload);
1678
1679 /* an encryption payload is the last one, so STOP here. decryption is
1680 * done later */
1681 if (type == ENCRYPTED)
1682 {
1683 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1684 payload_type_names, type);
1685 break;
1686 }
1687 type = payload->get_next_type(payload);
1688 }
1689
1690 status = decrypt_payloads(this, aead);
1691 if (status != SUCCESS)
1692 {
1693 DBG1(DBG_ENC, "could not decrypt payloads");
1694 return status;
1695 }
1696
1697 status = verify(this);
1698 if (status != SUCCESS)
1699 {
1700 return status;
1701 }
1702
1703 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1704
1705 return SUCCESS;
1706 }
1707
1708 METHOD(message_t, destroy, void,
1709 private_message_t *this)
1710 {
1711 DESTROY_IF(this->ike_sa_id);
1712 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1713 this->packet->destroy(this->packet);
1714 this->parser->destroy(this->parser);
1715 free(this);
1716 }
1717
1718 /*
1719 * Described in header.
1720 */
1721 message_t *message_create_from_packet(packet_t *packet)
1722 {
1723 private_message_t *this;
1724
1725 INIT(this,
1726 .public = {
1727 .set_major_version = _set_major_version,
1728 .get_major_version = _get_major_version,
1729 .set_minor_version = _set_minor_version,
1730 .get_minor_version = _get_minor_version,
1731 .set_message_id = _set_message_id,
1732 .get_message_id = _get_message_id,
1733 .get_initiator_spi = _get_initiator_spi,
1734 .get_responder_spi = _get_responder_spi,
1735 .set_ike_sa_id = _set_ike_sa_id,
1736 .get_ike_sa_id = _get_ike_sa_id,
1737 .set_exchange_type = _set_exchange_type,
1738 .get_exchange_type = _get_exchange_type,
1739 .get_first_payload_type = _get_first_payload_type,
1740 .set_request = _set_request,
1741 .get_request = _get_request,
1742 .set_version_flag = _set_version_flag,
1743 .get_reserved_header_bit = _get_reserved_header_bit,
1744 .set_reserved_header_bit = _set_reserved_header_bit,
1745 .add_payload = _add_payload,
1746 .add_notify = _add_notify,
1747 .disable_sort = _disable_sort,
1748 .generate = _generate,
1749 .is_encoded = _is_encoded,
1750 .set_source = _set_source,
1751 .get_source = _get_source,
1752 .set_destination = _set_destination,
1753 .get_destination = _get_destination,
1754 .create_payload_enumerator = _create_payload_enumerator,
1755 .remove_payload_at = _remove_payload_at,
1756 .get_payload = _get_payload,
1757 .get_notify = _get_notify,
1758 .parse_header = _parse_header,
1759 .parse_body = _parse_body,
1760 .get_packet = _get_packet,
1761 .get_packet_data = _get_packet_data,
1762 .destroy = _destroy,
1763 },
1764 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
1765 .is_request = TRUE,
1766 .first_payload = NO_PAYLOAD,
1767 .packet = packet,
1768 .payloads = linked_list_create(),
1769 .parser = parser_create(packet->get_data(packet)),
1770 );
1771
1772 return &this->public;
1773 }
1774
1775 /*
1776 * Described in header.
1777 */
1778 message_t *message_create(int major, int minor)
1779 {
1780 message_t *this = message_create_from_packet(packet_create());
1781
1782 this->set_major_version(this, major);
1783 this->set_minor_version(this, minor);
1784
1785 return this;
1786 }
1787