afa9b1956d0783afe2194aa41d17eb2c8bbb5762
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ike_sa_id.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <utils/linked_list.h>
31 #include <encoding/payloads/encodings.h>
32 #include <encoding/payloads/payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of vendor ID payloads per IKEv2 message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * Max number of certificate request payloads per IKEv1 message
59 */
60 #define MAX_CERTREQ_PAYLOADS 5
61
62 /**
63 * A payload rule defines the rules for a payload
64 * in a specific message rule. It defines if and how
65 * many times a payload must/can occur in a message
66 * and if it must be encrypted.
67 */
68 typedef struct {
69 /* Payload type */
70 payload_type_t type;
71 /* Minimal occurrence of this payload. */
72 size_t min_occurence;
73 /* Max occurrence of this payload. */
74 size_t max_occurence;
75 /* TRUE if payload must be encrypted */
76 bool encrypted;
77 /* If payload occurs, the message rule is fulfilled */
78 bool sufficient;
79 } payload_rule_t;
80
81 /**
82 * payload ordering structure allows us to reorder payloads according to RFC.
83 */
84 typedef struct {
85 /** payload type */
86 payload_type_t type;
87 /** notify type, if payload == NOTIFY */
88 notify_type_t notify;
89 } payload_order_t;
90
91 /**
92 * A message rule defines the kind of a message,
93 * if it has encrypted contents and a list
94 * of payload ordering rules and payload parsing rules.
95 */
96 typedef struct {
97 /** Type of message. */
98 exchange_type_t exchange_type;
99 /** Is message a request or response. */
100 bool is_request;
101 /** Message contains encrypted payloads. */
102 bool encrypted;
103 /** Number of payload rules which will follow */
104 int rule_count;
105 /** Pointer to first payload rule */
106 payload_rule_t *rules;
107 /** Number of payload order rules */
108 int order_count;
109 /** payload ordering rules */
110 payload_order_t *order;
111 } message_rule_t;
112
113 /**
114 * Message rule for IKE_SA_INIT from initiator.
115 */
116 static payload_rule_t ike_sa_init_i_rules[] = {
117 /* payload type min max encr suff */
118 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
119 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
120 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
121 {NONCE, 1, 1, FALSE, FALSE},
122 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
123 };
124
125 /**
126 * payload order for IKE_SA_INIT initiator
127 */
128 static payload_order_t ike_sa_init_i_order[] = {
129 /* payload type notify type */
130 {NOTIFY, COOKIE},
131 {SECURITY_ASSOCIATION, 0},
132 {KEY_EXCHANGE, 0},
133 {NONCE, 0},
134 {NOTIFY, NAT_DETECTION_SOURCE_IP},
135 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
136 {NOTIFY, 0},
137 {VENDOR_ID, 0},
138 };
139
140 /**
141 * Message rule for IKE_SA_INIT from responder.
142 */
143 static payload_rule_t ike_sa_init_r_rules[] = {
144 /* payload type min max encr suff */
145 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
146 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
147 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
148 {NONCE, 1, 1, FALSE, FALSE},
149 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
150 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
151 };
152
153 /**
154 * payload order for IKE_SA_INIT responder
155 */
156 static payload_order_t ike_sa_init_r_order[] = {
157 /* payload type notify type */
158 {SECURITY_ASSOCIATION, 0},
159 {KEY_EXCHANGE, 0},
160 {NONCE, 0},
161 {NOTIFY, NAT_DETECTION_SOURCE_IP},
162 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
163 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
164 {CERTIFICATE_REQUEST, 0},
165 {NOTIFY, 0},
166 {VENDOR_ID, 0},
167 };
168
169 /**
170 * Message rule for IKE_AUTH from initiator.
171 */
172 static payload_rule_t ike_auth_i_rules[] = {
173 /* payload type min max encr suff */
174 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
175 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
176 {AUTHENTICATION, 0, 1, TRUE, TRUE},
177 {ID_INITIATOR, 0, 1, TRUE, FALSE},
178 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
179 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
180 {ID_RESPONDER, 0, 1, TRUE, FALSE},
181 #ifdef ME
182 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
184 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
185 #else
186 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
187 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
188 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
189 #endif /* ME */
190 {CONFIGURATION, 0, 1, TRUE, FALSE},
191 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
192 };
193
194 /**
195 * payload order for IKE_AUTH initiator
196 */
197 static payload_order_t ike_auth_i_order[] = {
198 /* payload type notify type */
199 {ID_INITIATOR, 0},
200 {CERTIFICATE, 0},
201 {NOTIFY, INITIAL_CONTACT},
202 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
203 {CERTIFICATE_REQUEST, 0},
204 {ID_RESPONDER, 0},
205 {AUTHENTICATION, 0},
206 {EXTENSIBLE_AUTHENTICATION, 0},
207 {CONFIGURATION, 0},
208 {NOTIFY, IPCOMP_SUPPORTED},
209 {NOTIFY, USE_TRANSPORT_MODE},
210 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
211 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
212 {SECURITY_ASSOCIATION, 0},
213 {TRAFFIC_SELECTOR_INITIATOR, 0},
214 {TRAFFIC_SELECTOR_RESPONDER, 0},
215 {NOTIFY, MOBIKE_SUPPORTED},
216 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
217 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
218 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
219 {NOTIFY, 0},
220 {VENDOR_ID, 0},
221 };
222
223 /**
224 * Message rule for IKE_AUTH from responder.
225 */
226 static payload_rule_t ike_auth_r_rules[] = {
227 /* payload type min max encr suff */
228 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
229 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
230 {AUTHENTICATION, 0, 1, TRUE, TRUE},
231 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
232 {ID_RESPONDER, 0, 1, TRUE, FALSE},
233 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
234 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
235 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
236 {CONFIGURATION, 0, 1, TRUE, FALSE},
237 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
238 };
239
240 /**
241 * payload order for IKE_AUTH responder
242 */
243 static payload_order_t ike_auth_r_order[] = {
244 /* payload type notify type */
245 {ID_RESPONDER, 0},
246 {CERTIFICATE, 0},
247 {AUTHENTICATION, 0},
248 {EXTENSIBLE_AUTHENTICATION, 0},
249 {CONFIGURATION, 0},
250 {NOTIFY, IPCOMP_SUPPORTED},
251 {NOTIFY, USE_TRANSPORT_MODE},
252 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
253 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
254 {SECURITY_ASSOCIATION, 0},
255 {TRAFFIC_SELECTOR_INITIATOR, 0},
256 {TRAFFIC_SELECTOR_RESPONDER, 0},
257 {NOTIFY, AUTH_LIFETIME},
258 {NOTIFY, MOBIKE_SUPPORTED},
259 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
260 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
261 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
262 {NOTIFY, 0},
263 {VENDOR_ID, 0},
264 };
265
266 /**
267 * Message rule for INFORMATIONAL from initiator.
268 */
269 static payload_rule_t informational_i_rules[] = {
270 /* payload type min max encr suff */
271 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
272 {CONFIGURATION, 0, 1, TRUE, FALSE},
273 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
274 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
275 };
276
277 /**
278 * payload order for INFORMATIONAL initiator
279 */
280 static payload_order_t informational_i_order[] = {
281 /* payload type notify type */
282 {NOTIFY, UPDATE_SA_ADDRESSES},
283 {NOTIFY, NAT_DETECTION_SOURCE_IP},
284 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
285 {NOTIFY, COOKIE2},
286 {NOTIFY, 0},
287 {DELETE, 0},
288 {CONFIGURATION, 0},
289 };
290
291 /**
292 * Message rule for INFORMATIONAL from responder.
293 */
294 static payload_rule_t informational_r_rules[] = {
295 /* payload type min max encr suff */
296 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
297 {CONFIGURATION, 0, 1, TRUE, FALSE},
298 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
299 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
300 };
301
302 /**
303 * payload order for INFORMATIONAL responder
304 */
305 static payload_order_t informational_r_order[] = {
306 /* payload type notify type */
307 {NOTIFY, UPDATE_SA_ADDRESSES},
308 {NOTIFY, NAT_DETECTION_SOURCE_IP},
309 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
310 {NOTIFY, COOKIE2},
311 {NOTIFY, 0},
312 {DELETE, 0},
313 {CONFIGURATION, 0},
314 };
315
316 /**
317 * Message rule for CREATE_CHILD_SA from initiator.
318 */
319 static payload_rule_t create_child_sa_i_rules[] = {
320 /* payload type min max encr suff */
321 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
322 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
323 {NONCE, 1, 1, TRUE, FALSE},
324 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
325 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
326 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
327 {CONFIGURATION, 0, 1, TRUE, FALSE},
328 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
329 };
330
331 /**
332 * payload order for CREATE_CHILD_SA from initiator.
333 */
334 static payload_order_t create_child_sa_i_order[] = {
335 /* payload type notify type */
336 {NOTIFY, REKEY_SA},
337 {NOTIFY, IPCOMP_SUPPORTED},
338 {NOTIFY, USE_TRANSPORT_MODE},
339 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
340 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
341 {SECURITY_ASSOCIATION, 0},
342 {NONCE, 0},
343 {KEY_EXCHANGE, 0},
344 {TRAFFIC_SELECTOR_INITIATOR, 0},
345 {TRAFFIC_SELECTOR_RESPONDER, 0},
346 {NOTIFY, 0},
347 };
348
349 /**
350 * Message rule for CREATE_CHILD_SA from responder.
351 */
352 static payload_rule_t create_child_sa_r_rules[] = {
353 /* payload type min max encr suff */
354 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
355 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
356 {NONCE, 1, 1, TRUE, FALSE},
357 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
359 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
360 {CONFIGURATION, 0, 1, TRUE, FALSE},
361 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
362 };
363
364 /**
365 * payload order for CREATE_CHILD_SA from responder.
366 */
367 static payload_order_t create_child_sa_r_order[] = {
368 /* payload type notify type */
369 {NOTIFY, IPCOMP_SUPPORTED},
370 {NOTIFY, USE_TRANSPORT_MODE},
371 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
372 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
373 {SECURITY_ASSOCIATION, 0},
374 {NONCE, 0},
375 {KEY_EXCHANGE, 0},
376 {TRAFFIC_SELECTOR_INITIATOR, 0},
377 {TRAFFIC_SELECTOR_RESPONDER, 0},
378 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
379 {NOTIFY, 0},
380 };
381
382 #ifdef ME
383 /**
384 * Message rule for ME_CONNECT from initiator.
385 */
386 static payload_rule_t me_connect_i_rules[] = {
387 /* payload type min max encr suff */
388 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
389 {ID_PEER, 1, 1, TRUE, FALSE},
390 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
391 };
392
393 /**
394 * payload order for ME_CONNECT from initiator.
395 */
396 static payload_order_t me_connect_i_order[] = {
397 /* payload type notify type */
398 {NOTIFY, 0},
399 {ID_PEER, 0},
400 {VENDOR_ID, 0},
401 };
402
403 /**
404 * Message rule for ME_CONNECT from responder.
405 */
406 static payload_rule_t me_connect_r_rules[] = {
407 /* payload type min max encr suff */
408 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
409 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
410 };
411
412 /**
413 * payload order for ME_CONNECT from responder.
414 */
415 static payload_order_t me_connect_r_order[] = {
416 /* payload type notify type */
417 {NOTIFY, 0},
418 {VENDOR_ID, 0},
419 };
420 #endif /* ME */
421
422 #ifdef USE_IKEV1
423 /**
424 * Message rule for ID_PROT from initiator.
425 */
426 static payload_rule_t id_prot_i_rules[] = {
427 /* payload type min max encr suff */
428 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
429 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
430 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
431 {NONCE_V1, 0, 1, FALSE, FALSE},
432 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
433 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
434 {ID_V1, 0, 1, TRUE, FALSE},
435 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
436 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
437 {HASH_V1, 0, 1, TRUE, FALSE},
438 };
439
440 /**
441 * payload order for ID_PROT from initiator.
442 */
443 static payload_order_t id_prot_i_order[] = {
444 /* payload type notify type */
445 {SECURITY_ASSOCIATION_V1, 0},
446 {KEY_EXCHANGE_V1, 0},
447 {NONCE_V1, 0},
448 {ID_V1, 0},
449 {CERTIFICATE_V1, 0},
450 {SIGNATURE_V1, 0},
451 {HASH_V1, 0},
452 {CERTIFICATE_REQUEST_V1, 0},
453 {NOTIFY_V1, 0},
454 {VENDOR_ID_V1, 0},
455 };
456
457 /**
458 * Message rule for ID_PROT from responder.
459 */
460 static payload_rule_t id_prot_r_rules[] = {
461 /* payload type min max encr suff */
462 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
463 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
464 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
465 {NONCE_V1, 0, 1, FALSE, FALSE},
466 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
467 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
468 {ID_V1, 0, 1, TRUE, FALSE},
469 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
470 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
471 {HASH_V1, 0, 1, TRUE, FALSE},
472 };
473
474 /**
475 * payload order for ID_PROT from responder.
476 */
477 static payload_order_t id_prot_r_order[] = {
478 /* payload type notify type */
479 {SECURITY_ASSOCIATION_V1, 0},
480 {KEY_EXCHANGE_V1, 0},
481 {NONCE_V1, 0},
482 {ID_V1, 0},
483 {CERTIFICATE_V1, 0},
484 {SIGNATURE_V1, 0},
485 {HASH_V1, 0},
486 {CERTIFICATE_REQUEST_V1, 0},
487 {NOTIFY_V1, 0},
488 {VENDOR_ID_V1, 0},
489 };
490
491 /**
492 * Message rule for AGGRESSIVE from initiator.
493 */
494 static payload_rule_t aggressive_i_rules[] = {
495 /* payload type min max encr suff */
496 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
497 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
498 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
499 {NONCE_V1, 0, 1, FALSE, FALSE},
500 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
501 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
502 {ID_V1, 0, 1, FALSE, FALSE},
503 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
504 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
505 {HASH_V1, 0, 1, FALSE, FALSE},
506 };
507
508 /**
509 * payload order for AGGRESSIVE from initiator.
510 */
511 static payload_order_t aggressive_i_order[] = {
512 /* payload type notify type */
513 {SECURITY_ASSOCIATION_V1, 0},
514 {KEY_EXCHANGE_V1, 0},
515 {NONCE_V1, 0},
516 {ID_V1, 0},
517 {CERTIFICATE_V1, 0},
518 {SIGNATURE_V1, 0},
519 {HASH_V1, 0},
520 {CERTIFICATE_REQUEST_V1, 0},
521 {NOTIFY_V1, 0},
522 {VENDOR_ID_V1, 0},
523 };
524
525 /**
526 * Message rule for AGGRESSIVE from responder.
527 */
528 static payload_rule_t aggressive_r_rules[] = {
529 /* payload type min max encr suff */
530 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
531 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
532 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
533 {NONCE_V1, 0, 1, FALSE, FALSE},
534 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
535 {CERTIFICATE_REQUEST_V1, 0, MAX_CERTREQ_PAYLOADS, FALSE, FALSE},
536 {ID_V1, 0, 1, FALSE, FALSE},
537 {CERTIFICATE_V1, 0, 1, FALSE, FALSE},
538 {SIGNATURE_V1, 0, 1, FALSE, FALSE},
539 {HASH_V1, 0, 1, FALSE, FALSE},
540 };
541
542 /**
543 * payload order for AGGRESSIVE from responder.
544 */
545 static payload_order_t aggressive_r_order[] = {
546 /* payload type notify type */
547 {SECURITY_ASSOCIATION_V1, 0},
548 {KEY_EXCHANGE_V1, 0},
549 {NONCE_V1, 0},
550 {ID_V1, 0},
551 {CERTIFICATE_V1, 0},
552 {SIGNATURE_V1, 0},
553 {HASH_V1, 0},
554 {CERTIFICATE_REQUEST_V1, 0},
555 {NOTIFY_V1, 0},
556 {VENDOR_ID_V1, 0},
557 };
558
559 /**
560 * Message rule for INFORMATIONAL_V1 from initiator.
561 */
562 static payload_rule_t informational_i_rules_v1[] = {
563 /* payload type min max encr suff */
564 {NOTIFY_V1, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
565 {DELETE_V1, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
566 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
567 };
568
569 /**
570 * payload order for INFORMATIONAL_V1 from initiator.
571 */
572 static payload_order_t informational_i_order_v1[] = {
573 /* payload type notify type */
574 {NOTIFY_V1, 0},
575 {DELETE_V1, 0},
576 {VENDOR_ID_V1, 0},
577 };
578 #endif /* USE_IKEV1 */
579
580 /**
581 * Message rules, defines allowed payloads.
582 */
583 static message_rule_t message_rules[] = {
584 {IKE_SA_INIT, TRUE, FALSE,
585 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
586 countof(ike_sa_init_i_order), ike_sa_init_i_order,
587 },
588 {IKE_SA_INIT, FALSE, FALSE,
589 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
590 countof(ike_sa_init_r_order), ike_sa_init_r_order,
591 },
592 {IKE_AUTH, TRUE, TRUE,
593 countof(ike_auth_i_rules), ike_auth_i_rules,
594 countof(ike_auth_i_order), ike_auth_i_order,
595 },
596 {IKE_AUTH, FALSE, TRUE,
597 countof(ike_auth_r_rules), ike_auth_r_rules,
598 countof(ike_auth_r_order), ike_auth_r_order,
599 },
600 {INFORMATIONAL, TRUE, TRUE,
601 countof(informational_i_rules), informational_i_rules,
602 countof(informational_i_order), informational_i_order,
603 },
604 {INFORMATIONAL, FALSE, TRUE,
605 countof(informational_r_rules), informational_r_rules,
606 countof(informational_r_order), informational_r_order,
607 },
608 {CREATE_CHILD_SA, TRUE, TRUE,
609 countof(create_child_sa_i_rules), create_child_sa_i_rules,
610 countof(create_child_sa_i_order), create_child_sa_i_order,
611 },
612 {CREATE_CHILD_SA, FALSE, TRUE,
613 countof(create_child_sa_r_rules), create_child_sa_r_rules,
614 countof(create_child_sa_r_order), create_child_sa_r_order,
615 },
616 #ifdef ME
617 {ME_CONNECT, TRUE, TRUE,
618 countof(me_connect_i_rules), me_connect_i_rules,
619 countof(me_connect_i_order), me_connect_i_order,
620 },
621 {ME_CONNECT, FALSE, TRUE,
622 countof(me_connect_r_rules), me_connect_r_rules,
623 countof(me_connect_r_order), me_connect_r_order,
624 },
625 #endif /* ME */
626 #ifdef USE_IKEV1
627 {ID_PROT, TRUE, FALSE,
628 countof(id_prot_i_rules), id_prot_i_rules,
629 countof(id_prot_i_order), id_prot_i_order,
630 },
631 {ID_PROT, FALSE, FALSE,
632 countof(id_prot_r_rules), id_prot_r_rules,
633 countof(id_prot_r_order), id_prot_r_order,
634 },
635 {AGGRESSIVE, TRUE, FALSE,
636 countof(aggressive_i_rules), aggressive_i_rules,
637 countof(aggressive_i_order), aggressive_i_order,
638 },
639 {AGGRESSIVE, FALSE, FALSE,
640 countof(aggressive_r_rules), aggressive_r_rules,
641 countof(aggressive_r_order), aggressive_r_order,
642 },
643 {INFORMATIONAL_V1, TRUE, TRUE,
644 countof(informational_i_rules_v1), informational_i_rules_v1,
645 countof(informational_i_order_v1), informational_i_order_v1,
646 },
647 /* TODO-IKEv1: define rules for other exchanges */
648 #endif /* USE_IKEV1 */
649 };
650
651
652 typedef struct private_message_t private_message_t;
653
654 /**
655 * Private data of an message_t object.
656 */
657 struct private_message_t {
658
659 /**
660 * Public part of a message_t object.
661 */
662 message_t public;
663
664 /**
665 * Minor version of message.
666 */
667 u_int8_t major_version;
668
669 /**
670 * Major version of message.
671 */
672 u_int8_t minor_version;
673
674 /**
675 * First Payload in message.
676 */
677 payload_type_t first_payload;
678
679 /**
680 * Assigned exchange type.
681 */
682 exchange_type_t exchange_type;
683
684 /**
685 * TRUE if message is a request, FALSE if a reply.
686 */
687 bool is_request;
688
689 /**
690 * The message is encrypted (IKEv1)
691 */
692 bool is_encrypted;
693
694 /**
695 * Higher version supported?
696 */
697 bool version_flag;
698
699 /**
700 * Reserved bits in IKE header
701 */
702 bool reserved[2];
703
704 /**
705 * Sorting of message disabled?
706 */
707 bool sort_disabled;
708
709 /**
710 * Message ID of this message.
711 */
712 u_int32_t message_id;
713
714 /**
715 * ID of assigned IKE_SA.
716 */
717 ike_sa_id_t *ike_sa_id;
718
719 /**
720 * Assigned UDP packet, stores incoming packet or last generated one.
721 */
722 packet_t *packet;
723
724 /**
725 * Linked List where payload data are stored in.
726 */
727 linked_list_t *payloads;
728
729 /**
730 * Assigned parser to parse Header and Body of this message.
731 */
732 parser_t *parser;
733
734 /**
735 * The message rule for this message instance
736 */
737 message_rule_t *rule;
738 };
739
740 /**
741 * Get the message rule that applies to this message
742 */
743 static message_rule_t* get_message_rule(private_message_t *this)
744 {
745 int i;
746
747 for (i = 0; i < countof(message_rules); i++)
748 {
749 if ((this->exchange_type == message_rules[i].exchange_type) &&
750 (this->is_request == message_rules[i].is_request))
751 {
752 return &message_rules[i];
753 }
754 }
755 return NULL;
756 }
757
758 /**
759 * Look up a payload rule
760 */
761 static payload_rule_t* get_payload_rule(private_message_t *this,
762 payload_type_t type)
763 {
764 int i;
765
766 for (i = 0; i < this->rule->rule_count;i++)
767 {
768 if (this->rule->rules[i].type == type)
769 {
770 return &this->rule->rules[i];
771 }
772 }
773 return NULL;
774 }
775
776 METHOD(message_t, set_ike_sa_id, void,
777 private_message_t *this,ike_sa_id_t *ike_sa_id)
778 {
779 DESTROY_IF(this->ike_sa_id);
780 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
781 }
782
783 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
784 private_message_t *this)
785 {
786 return this->ike_sa_id;
787 }
788
789 METHOD(message_t, set_message_id, void,
790 private_message_t *this,u_int32_t message_id)
791 {
792 this->message_id = message_id;
793 }
794
795 METHOD(message_t, get_message_id, u_int32_t,
796 private_message_t *this)
797 {
798 return this->message_id;
799 }
800
801 METHOD(message_t, get_initiator_spi, u_int64_t,
802 private_message_t *this)
803 {
804 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
805 }
806
807 METHOD(message_t, get_responder_spi, u_int64_t,
808 private_message_t *this)
809 {
810 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
811 }
812
813 METHOD(message_t, set_major_version, void,
814 private_message_t *this, u_int8_t major_version)
815 {
816 this->major_version = major_version;
817 }
818
819 METHOD(message_t, get_major_version, u_int8_t,
820 private_message_t *this)
821 {
822 return this->major_version;
823 }
824
825 METHOD(message_t, set_minor_version, void,
826 private_message_t *this,u_int8_t minor_version)
827 {
828 this->minor_version = minor_version;
829 }
830
831 METHOD(message_t, get_minor_version, u_int8_t,
832 private_message_t *this)
833 {
834 return this->minor_version;
835 }
836
837 METHOD(message_t, set_exchange_type, void,
838 private_message_t *this, exchange_type_t exchange_type)
839 {
840 this->exchange_type = exchange_type;
841 }
842
843 METHOD(message_t, get_exchange_type, exchange_type_t,
844 private_message_t *this)
845 {
846 return this->exchange_type;
847 }
848
849 METHOD(message_t, get_first_payload_type, payload_type_t,
850 private_message_t *this)
851 {
852 return this->first_payload;
853 }
854
855 METHOD(message_t, set_request, void,
856 private_message_t *this, bool request)
857 {
858 this->is_request = request;
859 }
860
861 METHOD(message_t, get_request, bool,
862 private_message_t *this)
863 {
864 return this->is_request;
865 }
866
867 METHOD(message_t, set_version_flag, void,
868 private_message_t *this)
869 {
870 this->version_flag = TRUE;
871 }
872
873 METHOD(message_t, get_reserved_header_bit, bool,
874 private_message_t *this, u_int nr)
875 {
876 if (nr < countof(this->reserved))
877 {
878 return this->reserved[nr];
879 }
880 return FALSE;
881 }
882
883 METHOD(message_t, set_reserved_header_bit, void,
884 private_message_t *this, u_int nr)
885 {
886 if (nr < countof(this->reserved))
887 {
888 this->reserved[nr] = TRUE;
889 }
890 }
891
892 METHOD(message_t, is_encoded, bool,
893 private_message_t *this)
894 {
895 return this->packet->get_data(this->packet).ptr != NULL;
896 }
897
898 METHOD(message_t, add_payload, void,
899 private_message_t *this, payload_t *payload)
900 {
901 payload_t *last_payload;
902
903 if (this->payloads->get_count(this->payloads) > 0)
904 {
905 this->payloads->get_last(this->payloads, (void **)&last_payload);
906 last_payload->set_next_type(last_payload, payload->get_type(payload));
907 }
908 else
909 {
910 this->first_payload = payload->get_type(payload);
911 }
912 payload->set_next_type(payload, NO_PAYLOAD);
913 this->payloads->insert_last(this->payloads, payload);
914
915 DBG2(DBG_ENC ,"added payload of type %N to message",
916 payload_type_names, payload->get_type(payload));
917 }
918
919 METHOD(message_t, add_notify, void,
920 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
921 {
922 notify_payload_t *notify;
923 payload_t *payload;
924
925 if (flush)
926 {
927 while (this->payloads->remove_last(this->payloads,
928 (void**)&payload) == SUCCESS)
929 {
930 payload->destroy(payload);
931 }
932 }
933 if (this->major_version == IKEV2_MAJOR_VERSION)
934 {
935 notify = notify_payload_create(NOTIFY);
936 }
937 else
938 {
939 notify = notify_payload_create(NOTIFY_V1);
940 }
941 notify->set_notify_type(notify, type);
942 notify->set_notification_data(notify, data);
943 add_payload(this, (payload_t*)notify);
944 }
945
946 METHOD(message_t, set_source, void,
947 private_message_t *this, host_t *host)
948 {
949 this->packet->set_source(this->packet, host);
950 }
951
952 METHOD(message_t, set_destination, void,
953 private_message_t *this, host_t *host)
954 {
955 this->packet->set_destination(this->packet, host);
956 }
957
958 METHOD(message_t, get_source, host_t*,
959 private_message_t *this)
960 {
961 return this->packet->get_source(this->packet);
962 }
963
964 METHOD(message_t, get_destination, host_t*,
965 private_message_t *this)
966 {
967 return this->packet->get_destination(this->packet);
968 }
969
970 METHOD(message_t, create_payload_enumerator, enumerator_t*,
971 private_message_t *this)
972 {
973 return this->payloads->create_enumerator(this->payloads);
974 }
975
976 METHOD(message_t, remove_payload_at, void,
977 private_message_t *this, enumerator_t *enumerator)
978 {
979 this->payloads->remove_at(this->payloads, enumerator);
980 }
981
982 METHOD(message_t, get_payload, payload_t*,
983 private_message_t *this, payload_type_t type)
984 {
985 payload_t *current, *found = NULL;
986 enumerator_t *enumerator;
987
988 enumerator = create_payload_enumerator(this);
989 while (enumerator->enumerate(enumerator, &current))
990 {
991 if (current->get_type(current) == type)
992 {
993 found = current;
994 break;
995 }
996 }
997 enumerator->destroy(enumerator);
998 return found;
999 }
1000
1001 METHOD(message_t, get_notify, notify_payload_t*,
1002 private_message_t *this, notify_type_t type)
1003 {
1004 enumerator_t *enumerator;
1005 notify_payload_t *notify = NULL;
1006 payload_t *payload;
1007
1008 enumerator = create_payload_enumerator(this);
1009 while (enumerator->enumerate(enumerator, &payload))
1010 {
1011 if (payload->get_type(payload) == NOTIFY)
1012 {
1013 notify = (notify_payload_t*)payload;
1014 if (notify->get_notify_type(notify) == type)
1015 {
1016 break;
1017 }
1018 notify = NULL;
1019 }
1020 }
1021 enumerator->destroy(enumerator);
1022 return notify;
1023 }
1024
1025 /**
1026 * get a string representation of the message
1027 */
1028 static char* get_string(private_message_t *this, char *buf, int len)
1029 {
1030 enumerator_t *enumerator;
1031 payload_t *payload;
1032 int written;
1033 char *pos = buf;
1034
1035 memset(buf, 0, len);
1036 len--;
1037
1038 written = snprintf(pos, len, "%N %s %d [",
1039 exchange_type_names, this->exchange_type,
1040 this->is_request ? "request" : "response",
1041 this->message_id);
1042 if (written >= len || written < 0)
1043 {
1044 return "";
1045 }
1046 pos += written;
1047 len -= written;
1048
1049 enumerator = create_payload_enumerator(this);
1050 while (enumerator->enumerate(enumerator, &payload))
1051 {
1052 written = snprintf(pos, len, " %N", payload_type_short_names,
1053 payload->get_type(payload));
1054 if (written >= len || written < 0)
1055 {
1056 return buf;
1057 }
1058 pos += written;
1059 len -= written;
1060 if (payload->get_type(payload) == NOTIFY)
1061 {
1062 notify_payload_t *notify;
1063 notify_type_t type;
1064 chunk_t data;
1065
1066 notify = (notify_payload_t*)payload;
1067 type = notify->get_notify_type(notify);
1068 data = notify->get_notification_data(notify);
1069 if (type == MS_NOTIFY_STATUS && data.len == 4)
1070 {
1071 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
1072 type, untoh32(data.ptr));
1073 }
1074 else
1075 {
1076 written = snprintf(pos, len, "(%N)", notify_type_short_names,
1077 type);
1078 }
1079 if (written >= len || written < 0)
1080 {
1081 return buf;
1082 }
1083 pos += written;
1084 len -= written;
1085 }
1086 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
1087 {
1088 eap_payload_t *eap = (eap_payload_t*)payload;
1089 u_int32_t vendor;
1090 eap_type_t type;
1091 char method[64] = "";
1092
1093 type = eap->get_type(eap, &vendor);
1094 if (type)
1095 {
1096 if (vendor)
1097 {
1098 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
1099 }
1100 else
1101 {
1102 snprintf(method, sizeof(method), "/%N",
1103 eap_type_short_names, type);
1104 }
1105 }
1106 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
1107 eap->get_code(eap), method);
1108 if (written >= len || written < 0)
1109 {
1110 return buf;
1111 }
1112 pos += written;
1113 len -= written;
1114 }
1115 if (payload->get_type(payload) == CONFIGURATION)
1116 {
1117 cp_payload_t *cp = (cp_payload_t*)payload;
1118 enumerator_t *attributes;
1119 configuration_attribute_t *attribute;
1120 bool first = TRUE;
1121
1122 attributes = cp->create_attribute_enumerator(cp);
1123 while (attributes->enumerate(attributes, &attribute))
1124 {
1125 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1126 configuration_attribute_type_short_names,
1127 attribute->get_type(attribute));
1128 if (written >= len || written < 0)
1129 {
1130 return buf;
1131 }
1132 pos += written;
1133 len -= written;
1134 first = FALSE;
1135 }
1136 attributes->destroy(attributes);
1137 if (!first)
1138 {
1139 written = snprintf(pos, len, ")");
1140 if (written >= len || written < 0)
1141 {
1142 return buf;
1143 }
1144 pos += written;
1145 len -= written;
1146 }
1147 }
1148 }
1149 enumerator->destroy(enumerator);
1150
1151 /* remove last space */
1152 snprintf(pos, len, " ]");
1153 return buf;
1154 }
1155
1156 /**
1157 * reorder payloads depending on reordering rules
1158 */
1159 static void order_payloads(private_message_t *this)
1160 {
1161 linked_list_t *list;
1162 payload_t *payload;
1163 int i;
1164
1165 /* move to temp list */
1166 list = linked_list_create();
1167 while (this->payloads->remove_last(this->payloads,
1168 (void**)&payload) == SUCCESS)
1169 {
1170 list->insert_first(list, payload);
1171 }
1172 /* for each rule, ... */
1173 for (i = 0; i < this->rule->order_count; i++)
1174 {
1175 enumerator_t *enumerator;
1176 notify_payload_t *notify;
1177 payload_order_t order;
1178
1179 order = this->rule->order[i];
1180
1181 /* ... find all payload ... */
1182 enumerator = list->create_enumerator(list);
1183 while (enumerator->enumerate(enumerator, &payload))
1184 {
1185 /* ... with that type ... */
1186 if (payload->get_type(payload) == order.type)
1187 {
1188 notify = (notify_payload_t*)payload;
1189
1190 /**... and check notify for type. */
1191 if (order.type != NOTIFY || order.notify == 0 ||
1192 order.notify == notify->get_notify_type(notify))
1193 {
1194 list->remove_at(list, enumerator);
1195 add_payload(this, payload);
1196 }
1197 }
1198 }
1199 enumerator->destroy(enumerator);
1200 }
1201 /* append all payloads without a rule to the end */
1202 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1203 {
1204 /* do not complain about payloads in private use space */
1205 if (payload->get_type(payload) < 128)
1206 {
1207 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1208 payload_type_names, payload->get_type(payload),
1209 exchange_type_names, this->rule->exchange_type,
1210 this->rule->is_request ? "request" : "response");
1211 }
1212 add_payload(this, payload);
1213 }
1214 list->destroy(list);
1215 }
1216
1217 /**
1218 * Wrap payloads in a encryption payload
1219 */
1220 static encryption_payload_t* wrap_payloads(private_message_t *this)
1221 {
1222 encryption_payload_t *encryption;
1223 linked_list_t *payloads;
1224 payload_t *current;
1225
1226 /* copy all payloads in a temporary list */
1227 payloads = linked_list_create();
1228 while (this->payloads->remove_first(this->payloads,
1229 (void**)&current) == SUCCESS)
1230 {
1231 payloads->insert_last(payloads, current);
1232 }
1233
1234 encryption = encryption_payload_create();
1235 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1236 {
1237 payload_rule_t *rule;
1238 payload_type_t type;
1239 bool encrypt = TRUE;
1240
1241 type = current->get_type(current);
1242 rule = get_payload_rule(this, type);
1243 if (rule)
1244 {
1245 encrypt = rule->encrypted;
1246 }
1247 if (encrypt)
1248 {
1249 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1250 payload_type_names, type);
1251 encryption->add_payload(encryption, current);
1252 }
1253 else
1254 {
1255 DBG2(DBG_ENC, "insert payload %N unencrypted",
1256 payload_type_names, type);
1257 add_payload(this, current);
1258 }
1259 }
1260 payloads->destroy(payloads);
1261
1262 return encryption;
1263 }
1264
1265 METHOD(message_t, disable_sort, void,
1266 private_message_t *this)
1267 {
1268 this->sort_disabled = TRUE;
1269 }
1270
1271 METHOD(message_t, generate, status_t,
1272 private_message_t *this, aead_t *aead, packet_t **packet)
1273 {
1274 generator_t *generator;
1275 ike_header_t *ike_header;
1276 payload_t *payload, *next;
1277 encryption_payload_t *encryption = NULL;
1278 enumerator_t *enumerator;
1279 chunk_t chunk;
1280 char str[BUF_LEN];
1281 u_int32_t *lenpos;
1282 bool *reserved;
1283 int i;
1284
1285 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1286 {
1287 DBG1(DBG_ENC, "exchange type is not defined");
1288 return INVALID_STATE;
1289 }
1290
1291 if (this->packet->get_source(this->packet) == NULL ||
1292 this->packet->get_destination(this->packet) == NULL)
1293 {
1294 DBG1(DBG_ENC, "source/destination not defined");
1295 return INVALID_STATE;
1296 }
1297
1298 this->rule = get_message_rule(this);
1299 if (!this->rule)
1300 {
1301 DBG1(DBG_ENC, "no message rules specified for this message type");
1302 return NOT_SUPPORTED;
1303 }
1304
1305 if (!this->sort_disabled)
1306 {
1307 order_payloads(this);
1308 }
1309
1310 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1311
1312 if (aead && this->rule->encrypted)
1313 {
1314 encryption = wrap_payloads(this);
1315 }
1316 else
1317 {
1318 DBG2(DBG_ENC, "not encrypting payloads");
1319 }
1320
1321 ike_header = ike_header_create_version(this->major_version,
1322 this->minor_version);
1323 ike_header->set_exchange_type(ike_header, this->exchange_type);
1324 ike_header->set_message_id(ike_header, this->message_id);
1325 if (this->major_version == IKEV2_MAJOR_VERSION)
1326 {
1327 ike_header->set_response_flag(ike_header, !this->is_request);
1328 ike_header->set_version_flag(ike_header, this->version_flag);
1329 ike_header->set_initiator_flag(ike_header,
1330 this->ike_sa_id->is_initiator(this->ike_sa_id));
1331 }
1332 ike_header->set_initiator_spi(ike_header,
1333 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1334 ike_header->set_responder_spi(ike_header,
1335 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1336
1337 for (i = 0; i < countof(this->reserved); i++)
1338 {
1339 reserved = payload_get_field(&ike_header->payload_interface,
1340 RESERVED_BIT, i);
1341 if (reserved)
1342 {
1343 *reserved = this->reserved[i];
1344 }
1345 }
1346
1347 generator = generator_create();
1348
1349 /* generate all payloads with proper next type */
1350 payload = (payload_t*)ike_header;
1351 enumerator = create_payload_enumerator(this);
1352 while (enumerator->enumerate(enumerator, &next))
1353 {
1354 payload->set_next_type(payload, next->get_type(next));
1355 generator->generate_payload(generator, payload);
1356 payload = next;
1357 }
1358 enumerator->destroy(enumerator);
1359 payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
1360 generator->generate_payload(generator, payload);
1361 ike_header->destroy(ike_header);
1362
1363 if (encryption)
1364 {
1365 u_int32_t *lenpos;
1366
1367 /* build associated data (without header of encryption payload) */
1368 chunk = generator->get_chunk(generator, &lenpos);
1369 encryption->set_transform(encryption, aead);
1370 /* fill in length, including encryption payload */
1371 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1372
1373 this->payloads->insert_last(this->payloads, encryption);
1374 if (!encryption->encrypt(encryption, chunk))
1375 {
1376 generator->destroy(generator);
1377 return INVALID_STATE;
1378 }
1379 generator->generate_payload(generator, &encryption->payload_interface);
1380 }
1381 chunk = generator->get_chunk(generator, &lenpos);
1382 htoun32(lenpos, chunk.len);
1383 this->packet->set_data(this->packet, chunk_clone(chunk));
1384 generator->destroy(generator);
1385
1386 *packet = this->packet->clone(this->packet);
1387 return SUCCESS;
1388 }
1389
1390 METHOD(message_t, get_packet, packet_t*,
1391 private_message_t *this)
1392 {
1393 if (this->packet == NULL)
1394 {
1395 return NULL;
1396 }
1397 return this->packet->clone(this->packet);
1398 }
1399
1400 METHOD(message_t, get_packet_data, chunk_t,
1401 private_message_t *this)
1402 {
1403 if (this->packet == NULL)
1404 {
1405 return chunk_empty;
1406 }
1407 return this->packet->get_data(this->packet);
1408 }
1409
1410 METHOD(message_t, parse_header, status_t,
1411 private_message_t *this)
1412 {
1413 ike_header_t *ike_header;
1414 status_t status;
1415 bool *reserved;
1416 int i;
1417
1418 DBG2(DBG_ENC, "parsing header of message");
1419
1420 this->parser->reset_context(this->parser);
1421 status = this->parser->parse_payload(this->parser, HEADER,
1422 (payload_t**)&ike_header);
1423 if (status != SUCCESS)
1424 {
1425 DBG1(DBG_ENC, "header could not be parsed");
1426 return status;
1427
1428 }
1429
1430 status = ike_header->payload_interface.verify(
1431 &ike_header->payload_interface);
1432 if (status != SUCCESS)
1433 {
1434 DBG1(DBG_ENC, "header verification failed");
1435 ike_header->destroy(ike_header);
1436 return status;
1437 }
1438
1439 DESTROY_IF(this->ike_sa_id);
1440 this->ike_sa_id = ike_sa_id_create(
1441 ike_header->get_initiator_spi(ike_header),
1442 ike_header->get_responder_spi(ike_header),
1443 ike_header->get_initiator_flag(ike_header));
1444
1445 this->exchange_type = ike_header->get_exchange_type(ike_header);
1446 this->message_id = ike_header->get_message_id(ike_header);
1447 this->is_request = !ike_header->get_response_flag(ike_header);
1448 this->is_encrypted = ike_header->get_encryption_flag(ike_header);
1449 this->major_version = ike_header->get_maj_version(ike_header);
1450 this->minor_version = ike_header->get_min_version(ike_header);
1451 this->first_payload = ike_header->payload_interface.get_next_type(
1452 &ike_header->payload_interface);
1453 for (i = 0; i < countof(this->reserved); i++)
1454 {
1455 reserved = payload_get_field(&ike_header->payload_interface,
1456 RESERVED_BIT, i);
1457 if (reserved)
1458 {
1459 this->reserved[i] = *reserved;
1460 }
1461 }
1462 ike_header->destroy(ike_header);
1463
1464 DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
1465 this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
1466 "message" : (this->is_request ? "request" : "response"));
1467 return SUCCESS;
1468 }
1469
1470 /**
1471 * Check if a payload is for a mediation extension connectivity check
1472 */
1473 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1474 {
1475 #ifdef ME
1476 if (this->exchange_type == INFORMATIONAL &&
1477 payload->get_type(payload) == NOTIFY)
1478 {
1479 notify_payload_t *notify = (notify_payload_t*)payload;
1480
1481 switch (notify->get_notify_type(notify))
1482 {
1483 case ME_CONNECTID:
1484 case ME_ENDPOINT:
1485 case ME_CONNECTAUTH:
1486 return TRUE;
1487 default:
1488 break;
1489 }
1490 }
1491 #endif /* !ME */
1492 return FALSE;
1493 }
1494
1495 /**
1496 * Parses and verifies the unencrypted payloads contained in the message
1497 */
1498 static status_t parse_payloads(private_message_t *this)
1499 {
1500 payload_type_t type = this->first_payload;
1501 payload_t *payload;
1502 status_t status;
1503
1504 while (type != NO_PAYLOAD)
1505 {
1506 DBG2(DBG_ENC, "starting parsing a %N payload",
1507 payload_type_names, type);
1508
1509 status = this->parser->parse_payload(this->parser, type, &payload);
1510 if (status != SUCCESS)
1511 {
1512 DBG1(DBG_ENC, "payload type %N could not be parsed",
1513 payload_type_names, type);
1514 return PARSE_ERROR;
1515 }
1516
1517 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1518 status = payload->verify(payload);
1519 if (status != SUCCESS)
1520 {
1521 DBG1(DBG_ENC, "%N payload verification failed",
1522 payload_type_names, type);
1523 payload->destroy(payload);
1524 return VERIFY_ERROR;
1525 }
1526
1527 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1528 payload_type_names, type);
1529 this->payloads->insert_last(this->payloads, payload);
1530
1531 /* an encryption payload is the last one, so STOP here. decryption is
1532 * done later */
1533 if (type == ENCRYPTED)
1534 {
1535 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1536 payload_type_names, type);
1537 break;
1538 }
1539 type = payload->get_next_type(payload);
1540 }
1541 return SUCCESS;
1542 }
1543
1544 /**
1545 * Decrypt payload from the encryption payload
1546 */
1547 static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
1548 {
1549 bool was_encrypted = FALSE;
1550 payload_t *payload, *previous = NULL;
1551 enumerator_t *enumerator;
1552 payload_rule_t *rule;
1553 payload_type_t type;
1554 status_t status = SUCCESS;
1555
1556 enumerator = this->payloads->create_enumerator(this->payloads);
1557 while (enumerator->enumerate(enumerator, &payload))
1558 {
1559 type = payload->get_type(payload);
1560
1561 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1562
1563 if (type == ENCRYPTED)
1564 {
1565 encryption_payload_t *encryption;
1566 payload_t *encrypted;
1567 chunk_t chunk;
1568
1569 encryption = (encryption_payload_t*)payload;
1570
1571 DBG2(DBG_ENC, "found an encryption payload");
1572
1573 if (this->payloads->has_more(this->payloads, enumerator))
1574 {
1575 DBG1(DBG_ENC, "encrypted payload is not last payload");
1576 status = VERIFY_ERROR;
1577 break;
1578 }
1579 encryption->set_transform(encryption, aead);
1580 chunk = this->packet->get_data(this->packet);
1581 if (chunk.len < encryption->get_length(encryption))
1582 {
1583 DBG1(DBG_ENC, "invalid payload length");
1584 status = VERIFY_ERROR;
1585 break;
1586 }
1587 chunk.len -= encryption->get_length(encryption);
1588 status = encryption->decrypt(encryption, chunk);
1589 if (status != SUCCESS)
1590 {
1591 break;
1592 }
1593
1594 was_encrypted = TRUE;
1595 this->payloads->remove_at(this->payloads, enumerator);
1596
1597 while ((encrypted = encryption->remove_payload(encryption)))
1598 {
1599 type = encrypted->get_type(encrypted);
1600 if (previous)
1601 {
1602 previous->set_next_type(previous, type);
1603 }
1604 else
1605 {
1606 this->first_payload = type;
1607 }
1608 DBG2(DBG_ENC, "insert decrypted payload of type "
1609 "%N at end of list", payload_type_names, type);
1610 this->payloads->insert_last(this->payloads, encrypted);
1611 previous = encrypted;
1612 }
1613 encryption->destroy(encryption);
1614 }
1615 if (payload_is_known(type) && !was_encrypted &&
1616 !is_connectivity_check(this, payload))
1617 {
1618 rule = get_payload_rule(this, type);
1619 if (!rule || rule->encrypted)
1620 {
1621 DBG1(DBG_ENC, "payload type %N was not encrypted",
1622 payload_type_names, type);
1623 status = FAILED;
1624 break;
1625 }
1626 }
1627 previous = payload;
1628 }
1629 enumerator->destroy(enumerator);
1630 return status;
1631 }
1632
1633 /**
1634 * Verify a message and all payload according to message/payload rules
1635 */
1636 static status_t verify(private_message_t *this)
1637 {
1638 bool complete = FALSE;
1639 int i;
1640
1641 DBG2(DBG_ENC, "verifying message structure");
1642
1643 /* check for payloads with wrong count*/
1644 for (i = 0; i < this->rule->rule_count; i++)
1645 {
1646 enumerator_t *enumerator;
1647 payload_t *payload;
1648 payload_rule_t *rule;
1649 int found = 0;
1650
1651 rule = &this->rule->rules[i];
1652 enumerator = create_payload_enumerator(this);
1653 while (enumerator->enumerate(enumerator, &payload))
1654 {
1655 payload_type_t type;
1656
1657 type = payload->get_type(payload);
1658 if (type == rule->type)
1659 {
1660 found++;
1661 DBG2(DBG_ENC, "found payload of type %N",
1662 payload_type_names, type);
1663 if (found > rule->max_occurence)
1664 {
1665 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1666 "occurred in current message", payload_type_names,
1667 type, rule->max_occurence, found);
1668 enumerator->destroy(enumerator);
1669 return VERIFY_ERROR;
1670 }
1671 }
1672 }
1673 enumerator->destroy(enumerator);
1674
1675 if (!complete && found < rule->min_occurence)
1676 {
1677 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1678 payload_type_names, rule->type, rule->min_occurence, found);
1679 return VERIFY_ERROR;
1680 }
1681 if (found && rule->sufficient)
1682 {
1683 complete = TRUE;
1684 }
1685 }
1686 return SUCCESS;
1687 }
1688
1689 METHOD(message_t, parse_body, status_t,
1690 private_message_t *this, aead_t *aead)
1691 {
1692 status_t status = SUCCESS;
1693 char str[BUF_LEN];
1694
1695 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1696 payload_type_names, this->first_payload);
1697
1698 this->rule = get_message_rule(this);
1699 if (!this->rule)
1700 {
1701 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1702 exchange_type_names, this->exchange_type,
1703 this->is_request ? "request" : "response");
1704 return PARSE_ERROR;
1705 }
1706
1707 status = parse_payloads(this);
1708 if (status != SUCCESS)
1709 { /* error is already logged */
1710 return status;
1711 }
1712
1713 status = decrypt_payloads(this, aead);
1714 if (status != SUCCESS)
1715 {
1716 DBG1(DBG_ENC, "could not decrypt payloads");
1717 return status;
1718 }
1719
1720 status = verify(this);
1721 if (status != SUCCESS)
1722 {
1723 return status;
1724 }
1725
1726 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1727
1728 return SUCCESS;
1729 }
1730
1731 METHOD(message_t, destroy, void,
1732 private_message_t *this)
1733 {
1734 DESTROY_IF(this->ike_sa_id);
1735 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1736 this->packet->destroy(this->packet);
1737 this->parser->destroy(this->parser);
1738 free(this);
1739 }
1740
1741 /*
1742 * Described in header.
1743 */
1744 message_t *message_create_from_packet(packet_t *packet)
1745 {
1746 private_message_t *this;
1747
1748 INIT(this,
1749 .public = {
1750 .set_major_version = _set_major_version,
1751 .get_major_version = _get_major_version,
1752 .set_minor_version = _set_minor_version,
1753 .get_minor_version = _get_minor_version,
1754 .set_message_id = _set_message_id,
1755 .get_message_id = _get_message_id,
1756 .get_initiator_spi = _get_initiator_spi,
1757 .get_responder_spi = _get_responder_spi,
1758 .set_ike_sa_id = _set_ike_sa_id,
1759 .get_ike_sa_id = _get_ike_sa_id,
1760 .set_exchange_type = _set_exchange_type,
1761 .get_exchange_type = _get_exchange_type,
1762 .get_first_payload_type = _get_first_payload_type,
1763 .set_request = _set_request,
1764 .get_request = _get_request,
1765 .set_version_flag = _set_version_flag,
1766 .get_reserved_header_bit = _get_reserved_header_bit,
1767 .set_reserved_header_bit = _set_reserved_header_bit,
1768 .add_payload = _add_payload,
1769 .add_notify = _add_notify,
1770 .disable_sort = _disable_sort,
1771 .generate = _generate,
1772 .is_encoded = _is_encoded,
1773 .set_source = _set_source,
1774 .get_source = _get_source,
1775 .set_destination = _set_destination,
1776 .get_destination = _get_destination,
1777 .create_payload_enumerator = _create_payload_enumerator,
1778 .remove_payload_at = _remove_payload_at,
1779 .get_payload = _get_payload,
1780 .get_notify = _get_notify,
1781 .parse_header = _parse_header,
1782 .parse_body = _parse_body,
1783 .get_packet = _get_packet,
1784 .get_packet_data = _get_packet_data,
1785 .destroy = _destroy,
1786 },
1787 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
1788 .is_request = TRUE,
1789 .first_payload = NO_PAYLOAD,
1790 .packet = packet,
1791 .payloads = linked_list_create(),
1792 .parser = parser_create(packet->get_data(packet)),
1793 );
1794
1795 return &this->public;
1796 }
1797
1798 /*
1799 * Described in header.
1800 */
1801 message_t *message_create(int major, int minor)
1802 {
1803 message_t *this = message_create_from_packet(packet_create());
1804
1805 this->set_major_version(this, major);
1806 this->set_minor_version(this, minor);
1807
1808 return this;
1809 }
1810