823a97f0f8c60743a97a90c803db884eeea3d320
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ike_sa_id.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <utils/linked_list.h>
31 #include <encoding/payloads/encodings.h>
32 #include <encoding/payloads/payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 Message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 Message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 Message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of Vendor ID payloads per IKEv2 Message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * A payload rule defines the rules for a payload
59 * in a specific message rule. It defines if and how
60 * many times a payload must/can occur in a message
61 * and if it must be encrypted.
62 */
63 typedef struct {
64 /* Payload type */
65 payload_type_t type;
66 /* Minimal occurrence of this payload. */
67 size_t min_occurence;
68 /* Max occurrence of this payload. */
69 size_t max_occurence;
70 /* TRUE if payload must be encrypted */
71 bool encrypted;
72 /* If payload occurs, the message rule is fulfilled */
73 bool sufficient;
74 } payload_rule_t;
75
76 /**
77 * payload ordering structure allows us to reorder payloads according to RFC.
78 */
79 typedef struct {
80 /** payload type */
81 payload_type_t type;
82 /** notify type, if payload == NOTIFY */
83 notify_type_t notify;
84 } payload_order_t;
85
86 /**
87 * A message rule defines the kind of a message,
88 * if it has encrypted contents and a list
89 * of payload ordering rules and payload parsing rules.
90 */
91 typedef struct {
92 /** Type of message. */
93 exchange_type_t exchange_type;
94 /** Is message a request or response. */
95 bool is_request;
96 /** Message contains encrypted payloads. */
97 bool encrypted;
98 /** Number of payload rules which will follow */
99 int rule_count;
100 /** Pointer to first payload rule */
101 payload_rule_t *rules;
102 /** Number of payload order rules */
103 int order_count;
104 /** payload ordering rules */
105 payload_order_t *order;
106 } message_rule_t;
107
108 /**
109 * Message rule for IKE_SA_INIT from initiator.
110 */
111 static payload_rule_t ike_sa_init_i_rules[] = {
112 /* payload type min max encr suff */
113 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
114 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
115 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
116 {NONCE, 1, 1, FALSE, FALSE},
117 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
118 };
119
120 /**
121 * payload order for IKE_SA_INIT initiator
122 */
123 static payload_order_t ike_sa_init_i_order[] = {
124 /* payload type notify type */
125 {NOTIFY, COOKIE},
126 {SECURITY_ASSOCIATION, 0},
127 {KEY_EXCHANGE, 0},
128 {NONCE, 0},
129 {NOTIFY, NAT_DETECTION_SOURCE_IP},
130 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
131 {NOTIFY, 0},
132 {VENDOR_ID, 0},
133 };
134
135 /**
136 * Message rule for IKE_SA_INIT from responder.
137 */
138 static payload_rule_t ike_sa_init_r_rules[] = {
139 /* payload type min max encr suff */
140 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
141 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
142 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
143 {NONCE, 1, 1, FALSE, FALSE},
144 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
145 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
146 };
147
148 /**
149 * payload order for IKE_SA_INIT responder
150 */
151 static payload_order_t ike_sa_init_r_order[] = {
152 /* payload type notify type */
153 {SECURITY_ASSOCIATION, 0},
154 {KEY_EXCHANGE, 0},
155 {NONCE, 0},
156 {NOTIFY, NAT_DETECTION_SOURCE_IP},
157 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
158 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
159 {CERTIFICATE_REQUEST, 0},
160 {NOTIFY, 0},
161 {VENDOR_ID, 0},
162 };
163
164 /**
165 * Message rule for IKE_AUTH from initiator.
166 */
167 static payload_rule_t ike_auth_i_rules[] = {
168 /* payload type min max encr suff */
169 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
170 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
171 {AUTHENTICATION, 0, 1, TRUE, TRUE},
172 {ID_INITIATOR, 0, 1, TRUE, FALSE},
173 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
174 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
175 {ID_RESPONDER, 0, 1, TRUE, FALSE},
176 #ifdef ME
177 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
178 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
179 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
180 #else
181 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
182 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
184 #endif /* ME */
185 {CONFIGURATION, 0, 1, TRUE, FALSE},
186 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
187 };
188
189 /**
190 * payload order for IKE_AUTH initiator
191 */
192 static payload_order_t ike_auth_i_order[] = {
193 /* payload type notify type */
194 {ID_INITIATOR, 0},
195 {CERTIFICATE, 0},
196 {NOTIFY, INITIAL_CONTACT},
197 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
198 {CERTIFICATE_REQUEST, 0},
199 {ID_RESPONDER, 0},
200 {AUTHENTICATION, 0},
201 {EXTENSIBLE_AUTHENTICATION, 0},
202 {CONFIGURATION, 0},
203 {NOTIFY, IPCOMP_SUPPORTED},
204 {NOTIFY, USE_TRANSPORT_MODE},
205 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
206 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
207 {SECURITY_ASSOCIATION, 0},
208 {TRAFFIC_SELECTOR_INITIATOR, 0},
209 {TRAFFIC_SELECTOR_RESPONDER, 0},
210 {NOTIFY, MOBIKE_SUPPORTED},
211 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
212 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
213 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
214 {NOTIFY, 0},
215 {VENDOR_ID, 0},
216 };
217
218 /**
219 * Message rule for IKE_AUTH from responder.
220 */
221 static payload_rule_t ike_auth_r_rules[] = {
222 /* payload type min max encr suff */
223 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
224 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
225 {AUTHENTICATION, 0, 1, TRUE, TRUE},
226 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
227 {ID_RESPONDER, 0, 1, TRUE, FALSE},
228 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
229 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
230 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
231 {CONFIGURATION, 0, 1, TRUE, FALSE},
232 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
233 };
234
235 /**
236 * payload order for IKE_AUTH responder
237 */
238 static payload_order_t ike_auth_r_order[] = {
239 /* payload type notify type */
240 {ID_RESPONDER, 0},
241 {CERTIFICATE, 0},
242 {AUTHENTICATION, 0},
243 {EXTENSIBLE_AUTHENTICATION, 0},
244 {CONFIGURATION, 0},
245 {NOTIFY, IPCOMP_SUPPORTED},
246 {NOTIFY, USE_TRANSPORT_MODE},
247 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
248 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
249 {SECURITY_ASSOCIATION, 0},
250 {TRAFFIC_SELECTOR_INITIATOR, 0},
251 {TRAFFIC_SELECTOR_RESPONDER, 0},
252 {NOTIFY, AUTH_LIFETIME},
253 {NOTIFY, MOBIKE_SUPPORTED},
254 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
255 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
256 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
257 {NOTIFY, 0},
258 {VENDOR_ID, 0},
259 };
260
261 /**
262 * Message rule for INFORMATIONAL from initiator.
263 */
264 static payload_rule_t informational_i_rules[] = {
265 /* payload type min max encr suff */
266 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
267 {CONFIGURATION, 0, 1, TRUE, FALSE},
268 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
269 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for INFORMATIONAL initiator
274 */
275 static payload_order_t informational_i_order[] = {
276 /* payload type notify type */
277 {NOTIFY, UPDATE_SA_ADDRESSES},
278 {NOTIFY, NAT_DETECTION_SOURCE_IP},
279 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
280 {NOTIFY, COOKIE2},
281 {NOTIFY, 0},
282 {DELETE, 0},
283 {CONFIGURATION, 0},
284 };
285
286 /**
287 * Message rule for INFORMATIONAL from responder.
288 */
289 static payload_rule_t informational_r_rules[] = {
290 /* payload type min max encr suff */
291 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
292 {CONFIGURATION, 0, 1, TRUE, FALSE},
293 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
294 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
295 };
296
297 /**
298 * payload order for INFORMATIONAL responder
299 */
300 static payload_order_t informational_r_order[] = {
301 /* payload type notify type */
302 {NOTIFY, UPDATE_SA_ADDRESSES},
303 {NOTIFY, NAT_DETECTION_SOURCE_IP},
304 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
305 {NOTIFY, COOKIE2},
306 {NOTIFY, 0},
307 {DELETE, 0},
308 {CONFIGURATION, 0},
309 };
310
311 /**
312 * Message rule for CREATE_CHILD_SA from initiator.
313 */
314 static payload_rule_t create_child_sa_i_rules[] = {
315 /* payload type min max encr suff */
316 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
317 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
318 {NONCE, 1, 1, TRUE, FALSE},
319 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
320 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
321 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
322 {CONFIGURATION, 0, 1, TRUE, FALSE},
323 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
324 };
325
326 /**
327 * payload order for CREATE_CHILD_SA from initiator.
328 */
329 static payload_order_t create_child_sa_i_order[] = {
330 /* payload type notify type */
331 {NOTIFY, REKEY_SA},
332 {NOTIFY, IPCOMP_SUPPORTED},
333 {NOTIFY, USE_TRANSPORT_MODE},
334 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
335 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
336 {SECURITY_ASSOCIATION, 0},
337 {NONCE, 0},
338 {KEY_EXCHANGE, 0},
339 {TRAFFIC_SELECTOR_INITIATOR, 0},
340 {TRAFFIC_SELECTOR_RESPONDER, 0},
341 {NOTIFY, 0},
342 };
343
344 /**
345 * Message rule for CREATE_CHILD_SA from responder.
346 */
347 static payload_rule_t create_child_sa_r_rules[] = {
348 /* payload type min max encr suff */
349 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
350 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
351 {NONCE, 1, 1, TRUE, FALSE},
352 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
353 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
354 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
355 {CONFIGURATION, 0, 1, TRUE, FALSE},
356 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
357 };
358
359 /**
360 * payload order for CREATE_CHILD_SA from responder.
361 */
362 static payload_order_t create_child_sa_r_order[] = {
363 /* payload type notify type */
364 {NOTIFY, IPCOMP_SUPPORTED},
365 {NOTIFY, USE_TRANSPORT_MODE},
366 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
367 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
368 {SECURITY_ASSOCIATION, 0},
369 {NONCE, 0},
370 {KEY_EXCHANGE, 0},
371 {TRAFFIC_SELECTOR_INITIATOR, 0},
372 {TRAFFIC_SELECTOR_RESPONDER, 0},
373 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
374 {NOTIFY, 0},
375 };
376
377 #ifdef ME
378 /**
379 * Message rule for ME_CONNECT from initiator.
380 */
381 static payload_rule_t me_connect_i_rules[] = {
382 /* payload type min max encr suff */
383 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
384 {ID_PEER, 1, 1, TRUE, FALSE},
385 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
386 };
387
388 /**
389 * payload order for ME_CONNECT from initiator.
390 */
391 static payload_order_t me_connect_i_order[] = {
392 /* payload type notify type */
393 {NOTIFY, 0},
394 {ID_PEER, 0},
395 {VENDOR_ID, 0},
396 };
397
398 /**
399 * Message rule for ME_CONNECT from responder.
400 */
401 static payload_rule_t me_connect_r_rules[] = {
402 /* payload type min max encr suff */
403 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
404 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
405 };
406
407 /**
408 * payload order for ME_CONNECT from responder.
409 */
410 static payload_order_t me_connect_r_order[] = {
411 /* payload type notify type */
412 {NOTIFY, 0},
413 {VENDOR_ID, 0},
414 };
415 #endif /* ME */
416
417 #ifdef USE_IKEV1
418 /**
419 * Message rule for ID_PROT from initiator.
420 */
421 static payload_rule_t id_prot_i_rules[] = {
422 /* payload type min max encr suff */
423 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
424 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
425 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
426 {NONCE_V1, 0, 1, FALSE, FALSE},
427 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
428 {ID_V1, 0, 1, TRUE, FALSE},
429 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
430 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
431 {HASH_V1, 0, 1, TRUE, FALSE},
432 };
433
434 /**
435 * payload order for ID_PROT from initiator.
436 */
437 static payload_order_t id_prot_i_order[] = {
438 /* payload type notify type */
439 {SECURITY_ASSOCIATION_V1, 0},
440 {KEY_EXCHANGE_V1, 0},
441 {NONCE_V1, 0},
442 {ID_V1, 0},
443 {CERTIFICATE_V1, 0},
444 {SIGNATURE_V1, 0},
445 {HASH_V1, 0},
446 {NOTIFICATION_V1, 0},
447 {VENDOR_ID_V1, 0},
448 };
449
450 /**
451 * Message rule for ID_PROT from responder.
452 */
453 static payload_rule_t id_prot_r_rules[] = {
454 /* payload type min max encr suff */
455 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
456 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
457 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
458 {NONCE_V1, 0, 1, FALSE, FALSE},
459 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
460 {ID_V1, 0, 1, TRUE, FALSE},
461 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
462 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
463 {HASH_V1, 0, 1, TRUE, FALSE},
464 };
465
466 /**
467 * payload order for ID_PROT from responder.
468 */
469 static payload_order_t id_prot_r_order[] = {
470 /* payload type notify type */
471 {SECURITY_ASSOCIATION_V1, 0},
472 {KEY_EXCHANGE_V1, 0},
473 {NONCE_V1, 0},
474 {ID_V1, 0},
475 {CERTIFICATE_V1, 0},
476 {SIGNATURE_V1, 0},
477 {HASH_V1, 0},
478 {NOTIFICATION_V1, 0},
479 {VENDOR_ID_V1, 0},
480 };
481
482 /**
483 * Message rule for AGGRESSIVE from initiator.
484 */
485 static payload_rule_t aggressive_i_rules[] = {
486 /* payload type min max encr suff */
487 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
488 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
489 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
490 {NONCE_V1, 0, 1, FALSE, FALSE},
491 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
492 {ID_V1, 0, 1, FALSE, FALSE},
493 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
494 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
495 {HASH_V1, 0, 1, FALSE, FALSE},
496 };
497
498 /**
499 * payload order for AGGRESSIVE from initiator.
500 */
501 static payload_order_t aggressive_i_order[] = {
502 /* payload type notify type */
503 {SECURITY_ASSOCIATION_V1, 0},
504 {KEY_EXCHANGE_V1, 0},
505 {NONCE_V1, 0},
506 {ID_V1, 0},
507 {CERTIFICATE_V1, 0},
508 {SIGNATURE_V1, 0},
509 {HASH_V1, 0},
510 {NOTIFICATION_V1, 0},
511 {VENDOR_ID_V1, 0},
512 };
513
514 /**
515 * Message rule for AGGRESSIVE from responder.
516 */
517 static payload_rule_t aggressive_r_rules[] = {
518 /* payload type min max encr suff */
519 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
520 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
521 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
522 {NONCE_V1, 0, 1, FALSE, FALSE},
523 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
524 {ID_V1, 0, 1, FALSE, FALSE},
525 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
526 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
527 {HASH_V1, 0, 1, FALSE, FALSE},
528 };
529
530 /**
531 * payload order for AGGRESSIVE from responder.
532 */
533 static payload_order_t aggressive_r_order[] = {
534 /* payload type notify type */
535 {SECURITY_ASSOCIATION_V1, 0},
536 {KEY_EXCHANGE_V1, 0},
537 {NONCE_V1, 0},
538 {ID_V1, 0},
539 {CERTIFICATE_V1, 0},
540 {SIGNATURE_V1, 0},
541 {HASH_V1, 0},
542 {NOTIFICATION_V1, 0},
543 {VENDOR_ID_V1, 0},
544 };
545
546 /**
547 * Message rule for INFORMATIONAL_V1 from initiator.
548 */
549 static payload_rule_t informational_i_rules_v1[] = {
550 /* payload type min max encr suff */
551 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
552 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
553 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
554 };
555
556 /**
557 * payload order for INFORMATIONAL_V1 from initiator.
558 */
559 static payload_order_t informational_i_order_v1[] = {
560 /* payload type notify type */
561 {NOTIFICATION_V1, 0},
562 {DELETE_V1, 0},
563 {VENDOR_ID_V1, 0},
564 };
565 #endif /* USE_IKEV1 */
566
567 /**
568 * Message rules, defines allowed payloads.
569 */
570 static message_rule_t message_rules[] = {
571 {IKE_SA_INIT, TRUE, FALSE,
572 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
573 countof(ike_sa_init_i_order), ike_sa_init_i_order,
574 },
575 {IKE_SA_INIT, FALSE, FALSE,
576 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
577 countof(ike_sa_init_r_order), ike_sa_init_r_order,
578 },
579 {IKE_AUTH, TRUE, TRUE,
580 countof(ike_auth_i_rules), ike_auth_i_rules,
581 countof(ike_auth_i_order), ike_auth_i_order,
582 },
583 {IKE_AUTH, FALSE, TRUE,
584 countof(ike_auth_r_rules), ike_auth_r_rules,
585 countof(ike_auth_r_order), ike_auth_r_order,
586 },
587 {INFORMATIONAL, TRUE, TRUE,
588 countof(informational_i_rules), informational_i_rules,
589 countof(informational_i_order), informational_i_order,
590 },
591 {INFORMATIONAL, FALSE, TRUE,
592 countof(informational_r_rules), informational_r_rules,
593 countof(informational_r_order), informational_r_order,
594 },
595 {CREATE_CHILD_SA, TRUE, TRUE,
596 countof(create_child_sa_i_rules), create_child_sa_i_rules,
597 countof(create_child_sa_i_order), create_child_sa_i_order,
598 },
599 {CREATE_CHILD_SA, FALSE, TRUE,
600 countof(create_child_sa_r_rules), create_child_sa_r_rules,
601 countof(create_child_sa_r_order), create_child_sa_r_order,
602 },
603 #ifdef ME
604 {ME_CONNECT, TRUE, TRUE,
605 countof(me_connect_i_rules), me_connect_i_rules,
606 countof(me_connect_i_order), me_connect_i_order,
607 },
608 {ME_CONNECT, FALSE, TRUE,
609 countof(me_connect_r_rules), me_connect_r_rules,
610 countof(me_connect_r_order), me_connect_r_order,
611 },
612 #endif /* ME */
613 #ifdef USE_IKEV1
614 {ID_PROT, TRUE, FALSE,
615 countof(id_prot_i_rules), id_prot_i_rules,
616 countof(id_prot_i_order), id_prot_i_order,
617 },
618 {ID_PROT, FALSE, FALSE,
619 countof(id_prot_r_rules), id_prot_r_rules,
620 countof(id_prot_r_order), id_prot_r_order,
621 },
622 {AGGRESSIVE, TRUE, FALSE,
623 countof(aggressive_i_rules), aggressive_i_rules,
624 countof(aggressive_i_order), aggressive_i_order,
625 },
626 {AGGRESSIVE, FALSE, FALSE,
627 countof(aggressive_r_rules), aggressive_r_rules,
628 countof(aggressive_r_order), aggressive_r_order,
629 },
630 {INFORMATIONAL_V1, TRUE, TRUE,
631 countof(informational_i_rules_v1), informational_i_rules_v1,
632 countof(informational_i_order_v1), informational_i_order_v1,
633 },
634 /* TODO-IKEv1: define rules for other exchanges */
635 #endif /* USE_IKEV1 */
636 };
637
638
639 typedef struct private_message_t private_message_t;
640
641 /**
642 * Private data of an message_t object.
643 */
644 struct private_message_t {
645
646 /**
647 * Public part of a message_t object.
648 */
649 message_t public;
650
651 /**
652 * Minor version of message.
653 */
654 u_int8_t major_version;
655
656 /**
657 * Major version of message.
658 */
659 u_int8_t minor_version;
660
661 /**
662 * First Payload in message.
663 */
664 payload_type_t first_payload;
665
666 /**
667 * Assigned exchange type.
668 */
669 exchange_type_t exchange_type;
670
671 /**
672 * TRUE if message is a request, FALSE if a reply.
673 */
674 bool is_request;
675
676 /**
677 * Higher version supported?
678 */
679 bool version_flag;
680
681 /**
682 * Reserved bits in IKE header
683 */
684 bool reserved[5];
685
686 /**
687 * Sorting of message disabled?
688 */
689 bool sort_disabled;
690
691 /**
692 * Message ID of this message.
693 */
694 u_int32_t message_id;
695
696 /**
697 * ID of assigned IKE_SA.
698 */
699 ike_sa_id_t *ike_sa_id;
700
701 /**
702 * Assigned UDP packet, stores incoming packet or last generated one.
703 */
704 packet_t *packet;
705
706 /**
707 * Linked List where payload data are stored in.
708 */
709 linked_list_t *payloads;
710
711 /**
712 * Assigned parser to parse Header and Body of this message.
713 */
714 parser_t *parser;
715
716 /**
717 * The message rule for this message instance
718 */
719 message_rule_t *rule;
720 };
721
722 /**
723 * Get the message rule that applies to this message
724 */
725 static message_rule_t* get_message_rule(private_message_t *this)
726 {
727 int i;
728
729 for (i = 0; i < countof(message_rules); i++)
730 {
731 if ((this->exchange_type == message_rules[i].exchange_type) &&
732 (this->is_request == message_rules[i].is_request))
733 {
734 return &message_rules[i];
735 }
736 }
737 return NULL;
738 }
739
740 /**
741 * Look up a payload rule
742 */
743 static payload_rule_t* get_payload_rule(private_message_t *this,
744 payload_type_t type)
745 {
746 int i;
747
748 for (i = 0; i < this->rule->rule_count;i++)
749 {
750 if (this->rule->rules[i].type == type)
751 {
752 return &this->rule->rules[i];
753 }
754 }
755 return NULL;
756 }
757
758 METHOD(message_t, set_ike_sa_id, void,
759 private_message_t *this,ike_sa_id_t *ike_sa_id)
760 {
761 DESTROY_IF(this->ike_sa_id);
762 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
763 }
764
765 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
766 private_message_t *this)
767 {
768 return this->ike_sa_id;
769 }
770
771 METHOD(message_t, set_message_id, void,
772 private_message_t *this,u_int32_t message_id)
773 {
774 this->message_id = message_id;
775 }
776
777 METHOD(message_t, get_message_id, u_int32_t,
778 private_message_t *this)
779 {
780 return this->message_id;
781 }
782
783 METHOD(message_t, get_initiator_spi, u_int64_t,
784 private_message_t *this)
785 {
786 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
787 }
788
789 METHOD(message_t, get_responder_spi, u_int64_t,
790 private_message_t *this)
791 {
792 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
793 }
794
795 METHOD(message_t, set_major_version, void,
796 private_message_t *this, u_int8_t major_version)
797 {
798 this->major_version = major_version;
799 }
800
801 METHOD(message_t, get_major_version, u_int8_t,
802 private_message_t *this)
803 {
804 return this->major_version;
805 }
806
807 METHOD(message_t, set_minor_version, void,
808 private_message_t *this,u_int8_t minor_version)
809 {
810 this->minor_version = minor_version;
811 }
812
813 METHOD(message_t, get_minor_version, u_int8_t,
814 private_message_t *this)
815 {
816 return this->minor_version;
817 }
818
819 METHOD(message_t, set_exchange_type, void,
820 private_message_t *this, exchange_type_t exchange_type)
821 {
822 this->exchange_type = exchange_type;
823 }
824
825 METHOD(message_t, get_exchange_type, exchange_type_t,
826 private_message_t *this)
827 {
828 return this->exchange_type;
829 }
830
831 METHOD(message_t, get_first_payload_type, payload_type_t,
832 private_message_t *this)
833 {
834 return this->first_payload;
835 }
836
837 METHOD(message_t, set_request, void,
838 private_message_t *this, bool request)
839 {
840 this->is_request = request;
841 }
842
843 METHOD(message_t, get_request, bool,
844 private_message_t *this)
845 {
846 return this->is_request;
847 }
848
849 METHOD(message_t, set_version_flag, void,
850 private_message_t *this)
851 {
852 this->version_flag = TRUE;
853 }
854
855 METHOD(message_t, get_reserved_header_bit, bool,
856 private_message_t *this, u_int nr)
857 {
858 if (nr < countof(this->reserved))
859 {
860 return this->reserved[nr];
861 }
862 return FALSE;
863 }
864
865 METHOD(message_t, set_reserved_header_bit, void,
866 private_message_t *this, u_int nr)
867 {
868 if (nr < countof(this->reserved))
869 {
870 this->reserved[nr] = TRUE;
871 }
872 }
873
874 METHOD(message_t, is_encoded, bool,
875 private_message_t *this)
876 {
877 return this->packet->get_data(this->packet).ptr != NULL;
878 }
879
880 METHOD(message_t, add_payload, void,
881 private_message_t *this, payload_t *payload)
882 {
883 payload_t *last_payload;
884
885 if (this->payloads->get_count(this->payloads) > 0)
886 {
887 this->payloads->get_last(this->payloads, (void **)&last_payload);
888 last_payload->set_next_type(last_payload, payload->get_type(payload));
889 }
890 else
891 {
892 this->first_payload = payload->get_type(payload);
893 }
894 payload->set_next_type(payload, NO_PAYLOAD);
895 this->payloads->insert_last(this->payloads, payload);
896
897 DBG2(DBG_ENC ,"added payload of type %N to message",
898 payload_type_names, payload->get_type(payload));
899 }
900
901 METHOD(message_t, add_notify, void,
902 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
903 {
904 notify_payload_t *notify;
905 payload_t *payload;
906
907 if (flush)
908 {
909 while (this->payloads->remove_last(this->payloads,
910 (void**)&payload) == SUCCESS)
911 {
912 payload->destroy(payload);
913 }
914 }
915 notify = notify_payload_create();
916 notify->set_notify_type(notify, type);
917 notify->set_notification_data(notify, data);
918 add_payload(this, (payload_t*)notify);
919 }
920
921 METHOD(message_t, set_source, void,
922 private_message_t *this, host_t *host)
923 {
924 this->packet->set_source(this->packet, host);
925 }
926
927 METHOD(message_t, set_destination, void,
928 private_message_t *this, host_t *host)
929 {
930 this->packet->set_destination(this->packet, host);
931 }
932
933 METHOD(message_t, get_source, host_t*,
934 private_message_t *this)
935 {
936 return this->packet->get_source(this->packet);
937 }
938
939 METHOD(message_t, get_destination, host_t*,
940 private_message_t *this)
941 {
942 return this->packet->get_destination(this->packet);
943 }
944
945 METHOD(message_t, create_payload_enumerator, enumerator_t*,
946 private_message_t *this)
947 {
948 return this->payloads->create_enumerator(this->payloads);
949 }
950
951 METHOD(message_t, remove_payload_at, void,
952 private_message_t *this, enumerator_t *enumerator)
953 {
954 this->payloads->remove_at(this->payloads, enumerator);
955 }
956
957 METHOD(message_t, get_payload, payload_t*,
958 private_message_t *this, payload_type_t type)
959 {
960 payload_t *current, *found = NULL;
961 enumerator_t *enumerator;
962
963 enumerator = create_payload_enumerator(this);
964 while (enumerator->enumerate(enumerator, &current))
965 {
966 if (current->get_type(current) == type)
967 {
968 found = current;
969 break;
970 }
971 }
972 enumerator->destroy(enumerator);
973 return found;
974 }
975
976 METHOD(message_t, get_notify, notify_payload_t*,
977 private_message_t *this, notify_type_t type)
978 {
979 enumerator_t *enumerator;
980 notify_payload_t *notify = NULL;
981 payload_t *payload;
982
983 enumerator = create_payload_enumerator(this);
984 while (enumerator->enumerate(enumerator, &payload))
985 {
986 if (payload->get_type(payload) == NOTIFY)
987 {
988 notify = (notify_payload_t*)payload;
989 if (notify->get_notify_type(notify) == type)
990 {
991 break;
992 }
993 notify = NULL;
994 }
995 }
996 enumerator->destroy(enumerator);
997 return notify;
998 }
999
1000 /**
1001 * get a string representation of the message
1002 */
1003 static char* get_string(private_message_t *this, char *buf, int len)
1004 {
1005 enumerator_t *enumerator;
1006 payload_t *payload;
1007 int written;
1008 char *pos = buf;
1009
1010 memset(buf, 0, len);
1011 len--;
1012
1013 written = snprintf(pos, len, "%N %s %d [",
1014 exchange_type_names, this->exchange_type,
1015 this->is_request ? "request" : "response",
1016 this->message_id);
1017 if (written >= len || written < 0)
1018 {
1019 return "";
1020 }
1021 pos += written;
1022 len -= written;
1023
1024 enumerator = create_payload_enumerator(this);
1025 while (enumerator->enumerate(enumerator, &payload))
1026 {
1027 written = snprintf(pos, len, " %N", payload_type_short_names,
1028 payload->get_type(payload));
1029 if (written >= len || written < 0)
1030 {
1031 return buf;
1032 }
1033 pos += written;
1034 len -= written;
1035 if (payload->get_type(payload) == NOTIFY)
1036 {
1037 notify_payload_t *notify;
1038 notify_type_t type;
1039 chunk_t data;
1040
1041 notify = (notify_payload_t*)payload;
1042 type = notify->get_notify_type(notify);
1043 data = notify->get_notification_data(notify);
1044 if (type == MS_NOTIFY_STATUS && data.len == 4)
1045 {
1046 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1047 type, untoh32(data.ptr));
1048 }
1049 else
1050 {
1051 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1052 type);
1053 }
1054 if (written >= len || written < 0)
1055 {
1056 return buf;
1057 }
1058 pos += written;
1059 len -= written;
1060 }
1061 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1062 {
1063 eap_payload_t *eap = (eap_payload_t*)payload;
1064 u_int32_t vendor;
1065 eap_type_t type;
1066 char method[64] = "";
1067
1068 type = eap->get_type(eap, &vendor);
1069 if (type)
1070 {
1071 if (vendor)
1072 {
1073 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1074 }
1075 else
1076 {
1077 snprintf(method, sizeof(method), "/%N",
1078 eap_type_short_names, type);
1079 }
1080 }
1081 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1082 eap->get_code(eap), method);
1083 if (written >= len || written < 0)
1084 {
1085 return buf;
1086 }
1087 pos += written;
1088 len -= written;
1089 }
1090 if (payload->get_type(payload) == CONFIGURATION)
1091 {
1092 cp_payload_t *cp = (cp_payload_t*)payload;
1093 enumerator_t *attributes;
1094 configuration_attribute_t *attribute;
1095 bool first = TRUE;
1096
1097 attributes = cp->create_attribute_enumerator(cp);
1098 while (attributes->enumerate(attributes, &attribute))
1099 {
1100 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1101 configuration_attribute_type_short_names,
1102 attribute->get_type(attribute));
1103 if (written >= len || written < 0)
1104 {
1105 return buf;
1106 }
1107 pos += written;
1108 len -= written;
1109 first = FALSE;
1110 }
1111 attributes->destroy(attributes);
1112 if (!first)
1113 {
1114 written = snprintf(pos, len, ")");
1115 if (written >= len || written < 0)
1116 {
1117 return buf;
1118 }
1119 pos += written;
1120 len -= written;
1121 }
1122 }
1123 }
1124 enumerator->destroy(enumerator);
1125
1126 /* remove last space */
1127 snprintf(pos, len, " ]");
1128 return buf;
1129 }
1130
1131 /**
1132 * reorder payloads depending on reordering rules
1133 */
1134 static void order_payloads(private_message_t *this)
1135 {
1136 linked_list_t *list;
1137 payload_t *payload;
1138 int i;
1139
1140 /* move to temp list */
1141 list = linked_list_create();
1142 while (this->payloads->remove_last(this->payloads,
1143 (void**)&payload) == SUCCESS)
1144 {
1145 list->insert_first(list, payload);
1146 }
1147 /* for each rule, ... */
1148 for (i = 0; i < this->rule->order_count; i++)
1149 {
1150 enumerator_t *enumerator;
1151 notify_payload_t *notify;
1152 payload_order_t order;
1153
1154 order = this->rule->order[i];
1155
1156 /* ... find all payload ... */
1157 enumerator = list->create_enumerator(list);
1158 while (enumerator->enumerate(enumerator, &payload))
1159 {
1160 /* ... with that type ... */
1161 if (payload->get_type(payload) == order.type)
1162 {
1163 notify = (notify_payload_t*)payload;
1164
1165 /**... and check notify for type. */
1166 if (order.type != NOTIFY || order.notify == 0 ||
1167 order.notify == notify->get_notify_type(notify))
1168 {
1169 list->remove_at(list, enumerator);
1170 add_payload(this, payload);
1171 }
1172 }
1173 }
1174 enumerator->destroy(enumerator);
1175 }
1176 /* append all payloads without a rule to the end */
1177 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1178 {
1179 /* do not complain about payloads in private use space */
1180 if (payload->get_type(payload) < 128)
1181 {
1182 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1183 payload_type_names, payload->get_type(payload),
1184 exchange_type_names, this->rule->exchange_type,
1185 this->rule->is_request ? "request" : "response");
1186 }
1187 add_payload(this, payload);
1188 }
1189 list->destroy(list);
1190 }
1191
1192 /**
1193 * Wrap payloads in a encryption payload
1194 */
1195 static encryption_payload_t* wrap_payloads(private_message_t *this)
1196 {
1197 encryption_payload_t *encryption;
1198 linked_list_t *payloads;
1199 payload_t *current;
1200
1201 /* copy all payloads in a temporary list */
1202 payloads = linked_list_create();
1203 while (this->payloads->remove_first(this->payloads,
1204 (void**)&current) == SUCCESS)
1205 {
1206 payloads->insert_last(payloads, current);
1207 }
1208
1209 encryption = encryption_payload_create();
1210 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1211 {
1212 payload_rule_t *rule;
1213 payload_type_t type;
1214 bool encrypt = TRUE;
1215
1216 type = current->get_type(current);
1217 rule = get_payload_rule(this, type);
1218 if (rule)
1219 {
1220 encrypt = rule->encrypted;
1221 }
1222 if (encrypt)
1223 {
1224 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1225 payload_type_names, type);
1226 encryption->add_payload(encryption, current);
1227 }
1228 else
1229 {
1230 DBG2(DBG_ENC, "insert payload %N unencrypted",
1231 payload_type_names, type);
1232 add_payload(this, current);
1233 }
1234 }
1235 payloads->destroy(payloads);
1236
1237 return encryption;
1238 }
1239
1240 METHOD(message_t, disable_sort, void,
1241 private_message_t *this)
1242 {
1243 this->sort_disabled = TRUE;
1244 }
1245
1246 METHOD(message_t, generate, status_t,
1247 private_message_t *this, aead_t *aead, packet_t **packet)
1248 {
1249 generator_t *generator;
1250 ike_header_t *ike_header;
1251 payload_t *payload, *next;
1252 encryption_payload_t *encryption = NULL;
1253 enumerator_t *enumerator;
1254 chunk_t chunk;
1255 char str[BUF_LEN];
1256 u_int32_t *lenpos;
1257 bool *reserved;
1258 int i;
1259
1260 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1261 {
1262 DBG1(DBG_ENC, "exchange type is not defined");
1263 return INVALID_STATE;
1264 }
1265
1266 if (this->packet->get_source(this->packet) == NULL ||
1267 this->packet->get_destination(this->packet) == NULL)
1268 {
1269 DBG1(DBG_ENC, "source/destination not defined");
1270 return INVALID_STATE;
1271 }
1272
1273 this->rule = get_message_rule(this);
1274 if (!this->rule)
1275 {
1276 DBG1(DBG_ENC, "no message rules specified for this message type");
1277 return NOT_SUPPORTED;
1278 }
1279
1280 if (!this->sort_disabled)
1281 {
1282 order_payloads(this);
1283 }
1284
1285 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1286
1287 if (aead && this->rule->encrypted)
1288 {
1289 encryption = wrap_payloads(this);
1290 }
1291 else
1292 {
1293 DBG2(DBG_ENC, "not encrypting payloads");
1294 }
1295
1296 ike_header = ike_header_create_version(this->major_version,
1297 this->minor_version);
1298 ike_header->set_exchange_type(ike_header, this->exchange_type);
1299 ike_header->set_message_id(ike_header, this->message_id);
1300 ike_header->set_response_flag(ike_header, !this->is_request);
1301 ike_header->set_version_flag(ike_header, this->version_flag);
1302 ike_header->set_initiator_flag(ike_header,
1303 this->ike_sa_id->is_initiator(this->ike_sa_id));
1304 ike_header->set_initiator_spi(ike_header,
1305 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1306 ike_header->set_responder_spi(ike_header,
1307 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1308
1309 for (i = 0; i < countof(this->reserved); i++)
1310 {
1311 reserved = payload_get_field(&ike_header->payload_interface,
1312 RESERVED_BIT, i);
1313 if (reserved)
1314 {
1315 *reserved = this->reserved[i];
1316 }
1317 }
1318
1319 generator = generator_create();
1320
1321 /* generate all payloads with proper next type */
1322 payload = (payload_t*)ike_header;
1323 enumerator = create_payload_enumerator(this);
1324 while (enumerator->enumerate(enumerator, &next))
1325 {
1326 payload->set_next_type(payload, next->get_type(next));
1327 generator->generate_payload(generator, payload);
1328 payload = next;
1329 }
1330 enumerator->destroy(enumerator);
1331 payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
1332 generator->generate_payload(generator, payload);
1333 ike_header->destroy(ike_header);
1334
1335 if (encryption)
1336 {
1337 u_int32_t *lenpos;
1338
1339 /* build associated data (without header of encryption payload) */
1340 chunk = generator->get_chunk(generator, &lenpos);
1341 encryption->set_transform(encryption, aead);
1342 /* fill in length, including encryption payload */
1343 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1344
1345 this->payloads->insert_last(this->payloads, encryption);
1346 if (!encryption->encrypt(encryption, chunk))
1347 {
1348 generator->destroy(generator);
1349 return INVALID_STATE;
1350 }
1351 generator->generate_payload(generator, &encryption->payload_interface);
1352 }
1353 chunk = generator->get_chunk(generator, &lenpos);
1354 htoun32(lenpos, chunk.len);
1355 this->packet->set_data(this->packet, chunk_clone(chunk));
1356 generator->destroy(generator);
1357
1358 *packet = this->packet->clone(this->packet);
1359 return SUCCESS;
1360 }
1361
1362 METHOD(message_t, get_packet, packet_t*,
1363 private_message_t *this)
1364 {
1365 if (this->packet == NULL)
1366 {
1367 return NULL;
1368 }
1369 return this->packet->clone(this->packet);
1370 }
1371
1372 METHOD(message_t, get_packet_data, chunk_t,
1373 private_message_t *this)
1374 {
1375 if (this->packet == NULL)
1376 {
1377 return chunk_empty;
1378 }
1379 return chunk_clone(this->packet->get_data(this->packet));
1380 }
1381
1382 METHOD(message_t, parse_header, status_t,
1383 private_message_t *this)
1384 {
1385 ike_header_t *ike_header;
1386 status_t status;
1387 bool *reserved;
1388 int i;
1389
1390 DBG2(DBG_ENC, "parsing header of message");
1391
1392 this->parser->reset_context(this->parser);
1393 status = this->parser->parse_payload(this->parser, HEADER,
1394 (payload_t**)&ike_header);
1395 if (status != SUCCESS)
1396 {
1397 DBG1(DBG_ENC, "header could not be parsed");
1398 return status;
1399
1400 }
1401
1402 status = ike_header->payload_interface.verify(
1403 &ike_header->payload_interface);
1404 if (status != SUCCESS)
1405 {
1406 DBG1(DBG_ENC, "header verification failed");
1407 ike_header->destroy(ike_header);
1408 return status;
1409 }
1410
1411 DESTROY_IF(this->ike_sa_id);
1412 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1413 ike_header->get_responder_spi(ike_header),
1414 ike_header->get_initiator_flag(ike_header));
1415
1416 this->exchange_type = ike_header->get_exchange_type(ike_header);
1417 this->message_id = ike_header->get_message_id(ike_header);
1418 this->is_request = !ike_header->get_response_flag(ike_header);
1419 this->major_version = ike_header->get_maj_version(ike_header);
1420 this->minor_version = ike_header->get_min_version(ike_header);
1421 this->first_payload = ike_header->payload_interface.get_next_type(
1422 &ike_header->payload_interface);
1423 for (i = 0; i < countof(this->reserved); i++)
1424 {
1425 reserved = payload_get_field(&ike_header->payload_interface,
1426 RESERVED_BIT, i);
1427 if (reserved)
1428 {
1429 this->reserved[i] = *reserved;
1430 }
1431 }
1432 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1433 this->is_request ? "request" : "response");
1434
1435 ike_header->destroy(ike_header);
1436
1437 this->rule = get_message_rule(this);
1438 if (!this->rule)
1439 {
1440 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1441 exchange_type_names, this->exchange_type,
1442 this->is_request ? "request" : "response");
1443 }
1444 return status;
1445 }
1446
1447 /**
1448 * Check if a payload is for a mediation extension connectivity check
1449 */
1450 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1451 {
1452 #ifdef ME
1453 if (this->exchange_type == INFORMATIONAL &&
1454 payload->get_type(payload) == NOTIFY)
1455 {
1456 notify_payload_t *notify = (notify_payload_t*)payload;
1457
1458 switch (notify->get_notify_type(notify))
1459 {
1460 case ME_CONNECTID:
1461 case ME_ENDPOINT:
1462 case ME_CONNECTAUTH:
1463 return TRUE;
1464 default:
1465 break;
1466 }
1467 }
1468 #endif /* !ME */
1469 return FALSE;
1470 }
1471
1472 /**
1473 * Decrypt payload from the encryption payload
1474 */
1475 static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
1476 {
1477 bool was_encrypted = FALSE;
1478 payload_t *payload, *previous = NULL;
1479 enumerator_t *enumerator;
1480 payload_rule_t *rule;
1481 payload_type_t type;
1482 status_t status = SUCCESS;
1483
1484 enumerator = this->payloads->create_enumerator(this->payloads);
1485 while (enumerator->enumerate(enumerator, &payload))
1486 {
1487 type = payload->get_type(payload);
1488
1489 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1490
1491 if (type == ENCRYPTED)
1492 {
1493 encryption_payload_t *encryption;
1494 payload_t *encrypted;
1495 chunk_t chunk;
1496
1497 encryption = (encryption_payload_t*)payload;
1498
1499 DBG2(DBG_ENC, "found an encryption payload");
1500
1501 if (this->payloads->has_more(this->payloads, enumerator))
1502 {
1503 DBG1(DBG_ENC, "encrypted payload is not last payload");
1504 status = VERIFY_ERROR;
1505 break;
1506 }
1507 encryption->set_transform(encryption, aead);
1508 chunk = this->packet->get_data(this->packet);
1509 if (chunk.len < encryption->get_length(encryption))
1510 {
1511 DBG1(DBG_ENC, "invalid payload length");
1512 status = VERIFY_ERROR;
1513 break;
1514 }
1515 chunk.len -= encryption->get_length(encryption);
1516 status = encryption->decrypt(encryption, chunk);
1517 if (status != SUCCESS)
1518 {
1519 break;
1520 }
1521
1522 was_encrypted = TRUE;
1523 this->payloads->remove_at(this->payloads, enumerator);
1524
1525 while ((encrypted = encryption->remove_payload(encryption)))
1526 {
1527 type = encrypted->get_type(encrypted);
1528 if (previous)
1529 {
1530 previous->set_next_type(previous, type);
1531 }
1532 else
1533 {
1534 this->first_payload = type;
1535 }
1536 DBG2(DBG_ENC, "insert decrypted payload of type "
1537 "%N at end of list", payload_type_names, type);
1538 this->payloads->insert_last(this->payloads, encrypted);
1539 previous = encrypted;
1540 }
1541 encryption->destroy(encryption);
1542 }
1543 if (payload_is_known(type) && !was_encrypted &&
1544 !is_connectivity_check(this, payload))
1545 {
1546 rule = get_payload_rule(this, type);
1547 if (!rule || rule->encrypted)
1548 {
1549 DBG1(DBG_ENC, "payload type %N was not encrypted",
1550 payload_type_names, type);
1551 status = FAILED;
1552 break;
1553 }
1554 }
1555 previous = payload;
1556 }
1557 enumerator->destroy(enumerator);
1558 return status;
1559 }
1560
1561 /**
1562 * Verify a message and all payload according to message/payload rules
1563 */
1564 static status_t verify(private_message_t *this)
1565 {
1566 bool complete = FALSE;
1567 int i;
1568
1569 DBG2(DBG_ENC, "verifying message structure");
1570
1571 /* check for payloads with wrong count*/
1572 for (i = 0; i < this->rule->rule_count; i++)
1573 {
1574 enumerator_t *enumerator;
1575 payload_t *payload;
1576 payload_rule_t *rule;
1577 int found = 0;
1578
1579 rule = &this->rule->rules[i];
1580 enumerator = create_payload_enumerator(this);
1581 while (enumerator->enumerate(enumerator, &payload))
1582 {
1583 payload_type_t type;
1584
1585 type = payload->get_type(payload);
1586 if (type == rule->type)
1587 {
1588 found++;
1589 DBG2(DBG_ENC, "found payload of type %N",
1590 payload_type_names, type);
1591 if (found > rule->max_occurence)
1592 {
1593 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1594 "occurred in current message", payload_type_names,
1595 type, rule->max_occurence, found);
1596 enumerator->destroy(enumerator);
1597 return VERIFY_ERROR;
1598 }
1599 }
1600 }
1601 enumerator->destroy(enumerator);
1602
1603 if (!complete && found < rule->min_occurence)
1604 {
1605 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1606 payload_type_names, rule->type, rule->min_occurence, found);
1607 return VERIFY_ERROR;
1608 }
1609 if (found && rule->sufficient)
1610 {
1611 complete = TRUE;
1612 }
1613 }
1614 return SUCCESS;
1615 }
1616
1617 METHOD(message_t, parse_body, status_t,
1618 private_message_t *this, aead_t *aead)
1619 {
1620 status_t status = SUCCESS;
1621 payload_t *payload;
1622 payload_type_t type;
1623 char str[BUF_LEN];
1624
1625 type = this->first_payload;
1626
1627 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1628 payload_type_names, type);
1629
1630 while (type != NO_PAYLOAD)
1631 {
1632 DBG2(DBG_ENC, "starting parsing a %N payload",
1633 payload_type_names, type);
1634
1635 status = this->parser->parse_payload(this->parser, type, &payload);
1636 if (status != SUCCESS)
1637 {
1638 DBG1(DBG_ENC, "payload type %N could not be parsed",
1639 payload_type_names, type);
1640 return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;
1641 }
1642
1643 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1644 status = payload->verify(payload);
1645 if (status != SUCCESS)
1646 {
1647 DBG1(DBG_ENC, "%N payload verification failed",
1648 payload_type_names, type);
1649 payload->destroy(payload);
1650 return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED;
1651 }
1652
1653 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1654 payload_type_names, type);
1655 this->payloads->insert_last(this->payloads, payload);
1656
1657 /* an encryption payload is the last one, so STOP here. decryption is
1658 * done later */
1659 if (type == ENCRYPTED)
1660 {
1661 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1662 payload_type_names, type);
1663 break;
1664 }
1665 type = payload->get_next_type(payload);
1666 }
1667
1668 status = decrypt_payloads(this, aead);
1669 if (status != SUCCESS)
1670 {
1671 DBG1(DBG_ENC, "could not decrypt payloads");
1672 return status;
1673 }
1674
1675 status = verify(this);
1676 if (status != SUCCESS)
1677 {
1678 return status;
1679 }
1680
1681 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1682
1683 return SUCCESS;
1684 }
1685
1686 METHOD(message_t, destroy, void,
1687 private_message_t *this)
1688 {
1689 DESTROY_IF(this->ike_sa_id);
1690 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1691 this->packet->destroy(this->packet);
1692 this->parser->destroy(this->parser);
1693 free(this);
1694 }
1695
1696 /*
1697 * Described in Header-File
1698 */
1699 message_t *message_create_from_packet(packet_t *packet)
1700 {
1701 private_message_t *this;
1702
1703 INIT(this,
1704 .public = {
1705 .set_major_version = _set_major_version,
1706 .get_major_version = _get_major_version,
1707 .set_minor_version = _set_minor_version,
1708 .get_minor_version = _get_minor_version,
1709 .set_message_id = _set_message_id,
1710 .get_message_id = _get_message_id,
1711 .get_initiator_spi = _get_initiator_spi,
1712 .get_responder_spi = _get_responder_spi,
1713 .set_ike_sa_id = _set_ike_sa_id,
1714 .get_ike_sa_id = _get_ike_sa_id,
1715 .set_exchange_type = _set_exchange_type,
1716 .get_exchange_type = _get_exchange_type,
1717 .get_first_payload_type = _get_first_payload_type,
1718 .set_request = _set_request,
1719 .get_request = _get_request,
1720 .set_version_flag = _set_version_flag,
1721 .get_reserved_header_bit = _get_reserved_header_bit,
1722 .set_reserved_header_bit = _set_reserved_header_bit,
1723 .add_payload = _add_payload,
1724 .add_notify = _add_notify,
1725 .disable_sort = _disable_sort,
1726 .generate = _generate,
1727 .is_encoded = _is_encoded,
1728 .set_source = _set_source,
1729 .get_source = _get_source,
1730 .set_destination = _set_destination,
1731 .get_destination = _get_destination,
1732 .create_payload_enumerator = _create_payload_enumerator,
1733 .remove_payload_at = _remove_payload_at,
1734 .get_payload = _get_payload,
1735 .get_notify = _get_notify,
1736 .parse_header = _parse_header,
1737 .parse_body = _parse_body,
1738 .get_packet = _get_packet,
1739 .get_packet_data = _get_packet_data,
1740 .destroy = _destroy,
1741 },
1742 .major_version = IKEV2_MAJOR_VERSION,
1743 .minor_version = IKEV2_MINOR_VERSION,
1744 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
1745 .is_request = TRUE,
1746 .first_payload = NO_PAYLOAD,
1747 .packet = packet,
1748 .payloads = linked_list_create(),
1749 .parser = parser_create(packet->get_data(packet)),
1750 );
1751
1752 return (&this->public);
1753 }
1754
1755 /*
1756 * Described in Header.
1757 */
1758 message_t *message_create()
1759 {
1760 return message_create_from_packet(packet_create());
1761 }
1762