eab3427a1511f437cf44b805baad745c83ffb922
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2010 Martin Willi
4 * Copyright (C) 2010 revosec AG
5 * Copyright (C) 2006 Daniel Roethlisberger
6 * Copyright (C) 2005 Jan Hutter
7 * Hochschule fuer Technik Rapperswil
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 */
19
20 #include <stdlib.h>
21 #include <string.h>
22
23 #include "message.h"
24
25 #include <library.h>
26 #include <daemon.h>
27 #include <sa/ike_sa_id.h>
28 #include <encoding/generator.h>
29 #include <encoding/parser.h>
30 #include <utils/linked_list.h>
31 #include <encoding/payloads/encodings.h>
32 #include <encoding/payloads/payload.h>
33 #include <encoding/payloads/encryption_payload.h>
34 #include <encoding/payloads/unknown_payload.h>
35 #include <encoding/payloads/cp_payload.h>
36
37 /**
38 * Max number of notify payloads per IKEv2 Message
39 */
40 #define MAX_NOTIFY_PAYLOADS 20
41
42 /**
43 * Max number of delete payloads per IKEv2 Message
44 */
45 #define MAX_DELETE_PAYLOADS 20
46
47 /**
48 * Max number of certificate payloads per IKEv2 Message
49 */
50 #define MAX_CERT_PAYLOADS 8
51
52 /**
53 * Max number of Vendor ID payloads per IKEv2 Message
54 */
55 #define MAX_VID_PAYLOADS 20
56
57 /**
58 * A payload rule defines the rules for a payload
59 * in a specific message rule. It defines if and how
60 * many times a payload must/can occur in a message
61 * and if it must be encrypted.
62 */
63 typedef struct {
64 /* Payload type */
65 payload_type_t type;
66 /* Minimal occurrence of this payload. */
67 size_t min_occurence;
68 /* Max occurrence of this payload. */
69 size_t max_occurence;
70 /* TRUE if payload must be encrypted */
71 bool encrypted;
72 /* If payload occurs, the message rule is fulfilled */
73 bool sufficient;
74 } payload_rule_t;
75
76 /**
77 * payload ordering structure allows us to reorder payloads according to RFC.
78 */
79 typedef struct {
80 /** payload type */
81 payload_type_t type;
82 /** notify type, if payload == NOTIFY */
83 notify_type_t notify;
84 } payload_order_t;
85
86 /**
87 * A message rule defines the kind of a message,
88 * if it has encrypted contents and a list
89 * of payload ordering rules and payload parsing rules.
90 */
91 typedef struct {
92 /** Type of message. */
93 exchange_type_t exchange_type;
94 /** Is message a request or response. */
95 bool is_request;
96 /** Message contains encrypted payloads. */
97 bool encrypted;
98 /** Number of payload rules which will follow */
99 int rule_count;
100 /** Pointer to first payload rule */
101 payload_rule_t *rules;
102 /** Number of payload order rules */
103 int order_count;
104 /** payload ordering rules */
105 payload_order_t *order;
106 } message_rule_t;
107
108 /**
109 * Message rule for IKE_SA_INIT from initiator.
110 */
111 static payload_rule_t ike_sa_init_i_rules[] = {
112 /* payload type min max encr suff */
113 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
114 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
115 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
116 {NONCE, 1, 1, FALSE, FALSE},
117 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
118 };
119
120 /**
121 * payload order for IKE_SA_INIT initiator
122 */
123 static payload_order_t ike_sa_init_i_order[] = {
124 /* payload type notify type */
125 {NOTIFY, COOKIE},
126 {SECURITY_ASSOCIATION, 0},
127 {KEY_EXCHANGE, 0},
128 {NONCE, 0},
129 {NOTIFY, NAT_DETECTION_SOURCE_IP},
130 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
131 {NOTIFY, 0},
132 {VENDOR_ID, 0},
133 };
134
135 /**
136 * Message rule for IKE_SA_INIT from responder.
137 */
138 static payload_rule_t ike_sa_init_r_rules[] = {
139 /* payload type min max encr suff */
140 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
141 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
142 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
143 {NONCE, 1, 1, FALSE, FALSE},
144 {CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},
145 {VENDOR_ID, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
146 };
147
148 /**
149 * payload order for IKE_SA_INIT responder
150 */
151 static payload_order_t ike_sa_init_r_order[] = {
152 /* payload type notify type */
153 {SECURITY_ASSOCIATION, 0},
154 {KEY_EXCHANGE, 0},
155 {NONCE, 0},
156 {NOTIFY, NAT_DETECTION_SOURCE_IP},
157 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
158 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
159 {CERTIFICATE_REQUEST, 0},
160 {NOTIFY, 0},
161 {VENDOR_ID, 0},
162 };
163
164 /**
165 * Message rule for IKE_AUTH from initiator.
166 */
167 static payload_rule_t ike_auth_i_rules[] = {
168 /* payload type min max encr suff */
169 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
170 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
171 {AUTHENTICATION, 0, 1, TRUE, TRUE},
172 {ID_INITIATOR, 0, 1, TRUE, FALSE},
173 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
174 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
175 {ID_RESPONDER, 0, 1, TRUE, FALSE},
176 #ifdef ME
177 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
178 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
179 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
180 #else
181 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
182 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
183 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
184 #endif /* ME */
185 {CONFIGURATION, 0, 1, TRUE, FALSE},
186 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
187 };
188
189 /**
190 * payload order for IKE_AUTH initiator
191 */
192 static payload_order_t ike_auth_i_order[] = {
193 /* payload type notify type */
194 {ID_INITIATOR, 0},
195 {CERTIFICATE, 0},
196 {NOTIFY, INITIAL_CONTACT},
197 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
198 {CERTIFICATE_REQUEST, 0},
199 {ID_RESPONDER, 0},
200 {AUTHENTICATION, 0},
201 {EXTENSIBLE_AUTHENTICATION, 0},
202 {CONFIGURATION, 0},
203 {NOTIFY, IPCOMP_SUPPORTED},
204 {NOTIFY, USE_TRANSPORT_MODE},
205 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
206 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
207 {SECURITY_ASSOCIATION, 0},
208 {TRAFFIC_SELECTOR_INITIATOR, 0},
209 {TRAFFIC_SELECTOR_RESPONDER, 0},
210 {NOTIFY, MOBIKE_SUPPORTED},
211 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
212 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
213 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
214 {NOTIFY, 0},
215 {VENDOR_ID, 0},
216 };
217
218 /**
219 * Message rule for IKE_AUTH from responder.
220 */
221 static payload_rule_t ike_auth_r_rules[] = {
222 /* payload type min max encr suff */
223 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
224 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
225 {AUTHENTICATION, 0, 1, TRUE, TRUE},
226 {CERTIFICATE, 0, MAX_CERT_PAYLOADS, TRUE, FALSE},
227 {ID_RESPONDER, 0, 1, TRUE, FALSE},
228 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
229 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
230 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
231 {CONFIGURATION, 0, 1, TRUE, FALSE},
232 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
233 };
234
235 /**
236 * payload order for IKE_AUTH responder
237 */
238 static payload_order_t ike_auth_r_order[] = {
239 /* payload type notify type */
240 {ID_RESPONDER, 0},
241 {CERTIFICATE, 0},
242 {AUTHENTICATION, 0},
243 {EXTENSIBLE_AUTHENTICATION, 0},
244 {CONFIGURATION, 0},
245 {NOTIFY, IPCOMP_SUPPORTED},
246 {NOTIFY, USE_TRANSPORT_MODE},
247 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
248 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
249 {SECURITY_ASSOCIATION, 0},
250 {TRAFFIC_SELECTOR_INITIATOR, 0},
251 {TRAFFIC_SELECTOR_RESPONDER, 0},
252 {NOTIFY, AUTH_LIFETIME},
253 {NOTIFY, MOBIKE_SUPPORTED},
254 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
255 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
256 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
257 {NOTIFY, 0},
258 {VENDOR_ID, 0},
259 };
260
261 /**
262 * Message rule for INFORMATIONAL from initiator.
263 */
264 static payload_rule_t informational_i_rules[] = {
265 /* payload type min max encr suff */
266 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
267 {CONFIGURATION, 0, 1, TRUE, FALSE},
268 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
269 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
270 };
271
272 /**
273 * payload order for INFORMATIONAL initiator
274 */
275 static payload_order_t informational_i_order[] = {
276 /* payload type notify type */
277 {NOTIFY, UPDATE_SA_ADDRESSES},
278 {NOTIFY, NAT_DETECTION_SOURCE_IP},
279 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
280 {NOTIFY, COOKIE2},
281 {NOTIFY, 0},
282 {DELETE, 0},
283 {CONFIGURATION, 0},
284 };
285
286 /**
287 * Message rule for INFORMATIONAL from responder.
288 */
289 static payload_rule_t informational_r_rules[] = {
290 /* payload type min max encr suff */
291 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
292 {CONFIGURATION, 0, 1, TRUE, FALSE},
293 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
294 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
295 };
296
297 /**
298 * payload order for INFORMATIONAL responder
299 */
300 static payload_order_t informational_r_order[] = {
301 /* payload type notify type */
302 {NOTIFY, UPDATE_SA_ADDRESSES},
303 {NOTIFY, NAT_DETECTION_SOURCE_IP},
304 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
305 {NOTIFY, COOKIE2},
306 {NOTIFY, 0},
307 {DELETE, 0},
308 {CONFIGURATION, 0},
309 };
310
311 /**
312 * Message rule for CREATE_CHILD_SA from initiator.
313 */
314 static payload_rule_t create_child_sa_i_rules[] = {
315 /* payload type min max encr suff */
316 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
317 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
318 {NONCE, 1, 1, TRUE, FALSE},
319 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
320 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
321 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
322 {CONFIGURATION, 0, 1, TRUE, FALSE},
323 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
324 };
325
326 /**
327 * payload order for CREATE_CHILD_SA from initiator.
328 */
329 static payload_order_t create_child_sa_i_order[] = {
330 /* payload type notify type */
331 {NOTIFY, REKEY_SA},
332 {NOTIFY, IPCOMP_SUPPORTED},
333 {NOTIFY, USE_TRANSPORT_MODE},
334 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
335 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
336 {SECURITY_ASSOCIATION, 0},
337 {NONCE, 0},
338 {KEY_EXCHANGE, 0},
339 {TRAFFIC_SELECTOR_INITIATOR, 0},
340 {TRAFFIC_SELECTOR_RESPONDER, 0},
341 {NOTIFY, 0},
342 };
343
344 /**
345 * Message rule for CREATE_CHILD_SA from responder.
346 */
347 static payload_rule_t create_child_sa_r_rules[] = {
348 /* payload type min max encr suff */
349 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
350 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
351 {NONCE, 1, 1, TRUE, FALSE},
352 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
353 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
354 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
355 {CONFIGURATION, 0, 1, TRUE, FALSE},
356 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE},
357 };
358
359 /**
360 * payload order for CREATE_CHILD_SA from responder.
361 */
362 static payload_order_t create_child_sa_r_order[] = {
363 /* payload type notify type */
364 {NOTIFY, IPCOMP_SUPPORTED},
365 {NOTIFY, USE_TRANSPORT_MODE},
366 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
367 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
368 {SECURITY_ASSOCIATION, 0},
369 {NONCE, 0},
370 {KEY_EXCHANGE, 0},
371 {TRAFFIC_SELECTOR_INITIATOR, 0},
372 {TRAFFIC_SELECTOR_RESPONDER, 0},
373 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
374 {NOTIFY, 0},
375 };
376
377 #ifdef ME
378 /**
379 * Message rule for ME_CONNECT from initiator.
380 */
381 static payload_rule_t me_connect_i_rules[] = {
382 /* payload type min max encr suff */
383 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
384 {ID_PEER, 1, 1, TRUE, FALSE},
385 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
386 };
387
388 /**
389 * payload order for ME_CONNECT from initiator.
390 */
391 static payload_order_t me_connect_i_order[] = {
392 /* payload type notify type */
393 {NOTIFY, 0},
394 {ID_PEER, 0},
395 {VENDOR_ID, 0},
396 };
397
398 /**
399 * Message rule for ME_CONNECT from responder.
400 */
401 static payload_rule_t me_connect_r_rules[] = {
402 /* payload type min max encr suff */
403 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
404 {VENDOR_ID, 0, MAX_VID_PAYLOADS, TRUE, FALSE}
405 };
406
407 /**
408 * payload order for ME_CONNECT from responder.
409 */
410 static payload_order_t me_connect_r_order[] = {
411 /* payload type notify type */
412 {NOTIFY, 0},
413 {VENDOR_ID, 0},
414 };
415 #endif /* ME */
416
417 #ifdef USE_IKEV1
418 /**
419 * Message rule for ID_PROT from initiator.
420 */
421 static payload_rule_t id_prot_i_rules[] = {
422 /* payload type min max encr suff */
423 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
424 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
425 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
426 {NONCE_V1, 0, 1, FALSE, FALSE},
427 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
428 {ID_V1, 0, 1, TRUE, FALSE},
429 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
430 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
431 {HASH_V1, 0, 1, TRUE, FALSE},
432 };
433
434 /**
435 * payload order for ID_PROT from initiator.
436 */
437 static payload_order_t id_prot_i_order[] = {
438 /* payload type notify type */
439 {SECURITY_ASSOCIATION_V1, 0},
440 {KEY_EXCHANGE_V1, 0},
441 {NONCE_V1, 0},
442 {ID_V1, 0},
443 {CERTIFICATE_V1, 0},
444 {SIGNATURE_V1, 0},
445 {HASH_V1, 0},
446 {NOTIFICATION_V1, 0},
447 {VENDOR_ID_V1, 0},
448 };
449
450 /**
451 * Message rule for ID_PROT from responder.
452 */
453 static payload_rule_t id_prot_r_rules[] = {
454 /* payload type min max encr suff */
455 {NOTIFICATION_V1, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
456 {SECURITY_ASSOCIATION_V1, 0, 1, FALSE, FALSE},
457 {KEY_EXCHANGE_V1, 0, 1, FALSE, FALSE},
458 {NONCE_V1, 0, 1, FALSE, FALSE},
459 {VENDOR_ID_V1, 0, MAX_VID_PAYLOADS, FALSE, FALSE},
460 {ID_V1, 0, 1, TRUE, FALSE},
461 {CERTIFICATE_V1, 0, 1, TRUE, FALSE},
462 {SIGNATURE_V1, 0, 1, TRUE, FALSE},
463 {HASH_V1, 0, 1, TRUE, FALSE},
464 };
465
466 /**
467 * payload order for ID_PROT from responder.
468 */
469 static payload_order_t id_prot_r_order[] = {
470 /* payload type notify type */
471 {SECURITY_ASSOCIATION_V1, 0},
472 {KEY_EXCHANGE_V1, 0},
473 {NONCE_V1, 0},
474 {ID_V1, 0},
475 {CERTIFICATE_V1, 0},
476 {SIGNATURE_V1, 0},
477 {HASH_V1, 0},
478 {NOTIFICATION_V1, 0},
479 {VENDOR_ID_V1, 0},
480 };
481 #endif /* USE_IKEV1 */
482
483 /**
484 * Message rules, defines allowed payloads.
485 */
486 static message_rule_t message_rules[] = {
487 {IKE_SA_INIT, TRUE, FALSE,
488 countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
489 countof(ike_sa_init_i_order), ike_sa_init_i_order,
490 },
491 {IKE_SA_INIT, FALSE, FALSE,
492 countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
493 countof(ike_sa_init_r_order), ike_sa_init_r_order,
494 },
495 {IKE_AUTH, TRUE, TRUE,
496 countof(ike_auth_i_rules), ike_auth_i_rules,
497 countof(ike_auth_i_order), ike_auth_i_order,
498 },
499 {IKE_AUTH, FALSE, TRUE,
500 countof(ike_auth_r_rules), ike_auth_r_rules,
501 countof(ike_auth_r_order), ike_auth_r_order,
502 },
503 {INFORMATIONAL, TRUE, TRUE,
504 countof(informational_i_rules), informational_i_rules,
505 countof(informational_i_order), informational_i_order,
506 },
507 {INFORMATIONAL, FALSE, TRUE,
508 countof(informational_r_rules), informational_r_rules,
509 countof(informational_r_order), informational_r_order,
510 },
511 {CREATE_CHILD_SA, TRUE, TRUE,
512 countof(create_child_sa_i_rules), create_child_sa_i_rules,
513 countof(create_child_sa_i_order), create_child_sa_i_order,
514 },
515 {CREATE_CHILD_SA, FALSE, TRUE,
516 countof(create_child_sa_r_rules), create_child_sa_r_rules,
517 countof(create_child_sa_r_order), create_child_sa_r_order,
518 },
519 #ifdef ME
520 {ME_CONNECT, TRUE, TRUE,
521 countof(me_connect_i_rules), me_connect_i_rules,
522 countof(me_connect_i_order), me_connect_i_order,
523 },
524 {ME_CONNECT, FALSE, TRUE,
525 countof(me_connect_r_rules), me_connect_r_rules,
526 countof(me_connect_r_order), me_connect_r_order,
527 },
528 #endif /* ME */
529 #ifdef USE_IKEV1
530 {ID_PROT, TRUE, FALSE,
531 countof(id_prot_i_rules), id_prot_i_rules,
532 countof(id_prot_i_order), id_prot_i_order,
533 },
534 {ID_PROT, FALSE, FALSE,
535 countof(id_prot_r_rules), id_prot_r_rules,
536 countof(id_prot_r_order), id_prot_r_order,
537 },
538 /* TODO-IKEv1: define rules for other exchanges */
539 #endif /* USE_IKEV1 */
540 };
541
542
543 typedef struct private_message_t private_message_t;
544
545 /**
546 * Private data of an message_t object.
547 */
548 struct private_message_t {
549
550 /**
551 * Public part of a message_t object.
552 */
553 message_t public;
554
555 /**
556 * Minor version of message.
557 */
558 u_int8_t major_version;
559
560 /**
561 * Major version of message.
562 */
563 u_int8_t minor_version;
564
565 /**
566 * First Payload in message.
567 */
568 payload_type_t first_payload;
569
570 /**
571 * Assigned exchange type.
572 */
573 exchange_type_t exchange_type;
574
575 /**
576 * TRUE if message is a request, FALSE if a reply.
577 */
578 bool is_request;
579
580 /**
581 * Higher version supported?
582 */
583 bool version_flag;
584
585 /**
586 * Reserved bits in IKE header
587 */
588 bool reserved[5];
589
590 /**
591 * Sorting of message disabled?
592 */
593 bool sort_disabled;
594
595 /**
596 * Message ID of this message.
597 */
598 u_int32_t message_id;
599
600 /**
601 * ID of assigned IKE_SA.
602 */
603 ike_sa_id_t *ike_sa_id;
604
605 /**
606 * Assigned UDP packet, stores incoming packet or last generated one.
607 */
608 packet_t *packet;
609
610 /**
611 * Linked List where payload data are stored in.
612 */
613 linked_list_t *payloads;
614
615 /**
616 * Assigned parser to parse Header and Body of this message.
617 */
618 parser_t *parser;
619
620 /**
621 * The message rule for this message instance
622 */
623 message_rule_t *rule;
624 };
625
626 /**
627 * Get the message rule that applies to this message
628 */
629 static message_rule_t* get_message_rule(private_message_t *this)
630 {
631 int i;
632
633 for (i = 0; i < countof(message_rules); i++)
634 {
635 if ((this->exchange_type == message_rules[i].exchange_type) &&
636 (this->is_request == message_rules[i].is_request))
637 {
638 return &message_rules[i];
639 }
640 }
641 return NULL;
642 }
643
644 /**
645 * Look up a payload rule
646 */
647 static payload_rule_t* get_payload_rule(private_message_t *this,
648 payload_type_t type)
649 {
650 int i;
651
652 for (i = 0; i < this->rule->rule_count;i++)
653 {
654 if (this->rule->rules[i].type == type)
655 {
656 return &this->rule->rules[i];
657 }
658 }
659 return NULL;
660 }
661
662 METHOD(message_t, set_ike_sa_id, void,
663 private_message_t *this,ike_sa_id_t *ike_sa_id)
664 {
665 DESTROY_IF(this->ike_sa_id);
666 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
667 }
668
669 METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
670 private_message_t *this)
671 {
672 return this->ike_sa_id;
673 }
674
675 METHOD(message_t, set_message_id, void,
676 private_message_t *this,u_int32_t message_id)
677 {
678 this->message_id = message_id;
679 }
680
681 METHOD(message_t, get_message_id, u_int32_t,
682 private_message_t *this)
683 {
684 return this->message_id;
685 }
686
687 METHOD(message_t, get_initiator_spi, u_int64_t,
688 private_message_t *this)
689 {
690 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
691 }
692
693 METHOD(message_t, get_responder_spi, u_int64_t,
694 private_message_t *this)
695 {
696 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
697 }
698
699 METHOD(message_t, set_major_version, void,
700 private_message_t *this, u_int8_t major_version)
701 {
702 this->major_version = major_version;
703 }
704
705 METHOD(message_t, get_major_version, u_int8_t,
706 private_message_t *this)
707 {
708 return this->major_version;
709 }
710
711 METHOD(message_t, set_minor_version, void,
712 private_message_t *this,u_int8_t minor_version)
713 {
714 this->minor_version = minor_version;
715 }
716
717 METHOD(message_t, get_minor_version, u_int8_t,
718 private_message_t *this)
719 {
720 return this->minor_version;
721 }
722
723 METHOD(message_t, set_exchange_type, void,
724 private_message_t *this, exchange_type_t exchange_type)
725 {
726 this->exchange_type = exchange_type;
727 }
728
729 METHOD(message_t, get_exchange_type, exchange_type_t,
730 private_message_t *this)
731 {
732 return this->exchange_type;
733 }
734
735 METHOD(message_t, get_first_payload_type, payload_type_t,
736 private_message_t *this)
737 {
738 return this->first_payload;
739 }
740
741 METHOD(message_t, set_request, void,
742 private_message_t *this, bool request)
743 {
744 this->is_request = request;
745 }
746
747 METHOD(message_t, get_request, bool,
748 private_message_t *this)
749 {
750 return this->is_request;
751 }
752
753 METHOD(message_t, set_version_flag, void,
754 private_message_t *this)
755 {
756 this->version_flag = TRUE;
757 }
758
759 METHOD(message_t, get_reserved_header_bit, bool,
760 private_message_t *this, u_int nr)
761 {
762 if (nr < countof(this->reserved))
763 {
764 return this->reserved[nr];
765 }
766 return FALSE;
767 }
768
769 METHOD(message_t, set_reserved_header_bit, void,
770 private_message_t *this, u_int nr)
771 {
772 if (nr < countof(this->reserved))
773 {
774 this->reserved[nr] = TRUE;
775 }
776 }
777
778 METHOD(message_t, is_encoded, bool,
779 private_message_t *this)
780 {
781 return this->packet->get_data(this->packet).ptr != NULL;
782 }
783
784 METHOD(message_t, add_payload, void,
785 private_message_t *this, payload_t *payload)
786 {
787 payload_t *last_payload;
788
789 if (this->payloads->get_count(this->payloads) > 0)
790 {
791 this->payloads->get_last(this->payloads, (void **)&last_payload);
792 last_payload->set_next_type(last_payload, payload->get_type(payload));
793 }
794 else
795 {
796 this->first_payload = payload->get_type(payload);
797 }
798 payload->set_next_type(payload, NO_PAYLOAD);
799 this->payloads->insert_last(this->payloads, payload);
800
801 DBG2(DBG_ENC ,"added payload of type %N to message",
802 payload_type_names, payload->get_type(payload));
803 }
804
805 METHOD(message_t, add_notify, void,
806 private_message_t *this, bool flush, notify_type_t type, chunk_t data)
807 {
808 notify_payload_t *notify;
809 payload_t *payload;
810
811 if (flush)
812 {
813 while (this->payloads->remove_last(this->payloads,
814 (void**)&payload) == SUCCESS)
815 {
816 payload->destroy(payload);
817 }
818 }
819 notify = notify_payload_create();
820 notify->set_notify_type(notify, type);
821 notify->set_notification_data(notify, data);
822 add_payload(this, (payload_t*)notify);
823 }
824
825 METHOD(message_t, set_source, void,
826 private_message_t *this, host_t *host)
827 {
828 this->packet->set_source(this->packet, host);
829 }
830
831 METHOD(message_t, set_destination, void,
832 private_message_t *this, host_t *host)
833 {
834 this->packet->set_destination(this->packet, host);
835 }
836
837 METHOD(message_t, get_source, host_t*,
838 private_message_t *this)
839 {
840 return this->packet->get_source(this->packet);
841 }
842
843 METHOD(message_t, get_destination, host_t*,
844 private_message_t *this)
845 {
846 return this->packet->get_destination(this->packet);
847 }
848
849 METHOD(message_t, create_payload_enumerator, enumerator_t*,
850 private_message_t *this)
851 {
852 return this->payloads->create_enumerator(this->payloads);
853 }
854
855 METHOD(message_t, remove_payload_at, void,
856 private_message_t *this, enumerator_t *enumerator)
857 {
858 this->payloads->remove_at(this->payloads, enumerator);
859 }
860
861 METHOD(message_t, get_payload, payload_t*,
862 private_message_t *this, payload_type_t type)
863 {
864 payload_t *current, *found = NULL;
865 enumerator_t *enumerator;
866
867 enumerator = create_payload_enumerator(this);
868 while (enumerator->enumerate(enumerator, &current))
869 {
870 if (current->get_type(current) == type)
871 {
872 found = current;
873 break;
874 }
875 }
876 enumerator->destroy(enumerator);
877 return found;
878 }
879
880 METHOD(message_t, get_notify, notify_payload_t*,
881 private_message_t *this, notify_type_t type)
882 {
883 enumerator_t *enumerator;
884 notify_payload_t *notify = NULL;
885 payload_t *payload;
886
887 enumerator = create_payload_enumerator(this);
888 while (enumerator->enumerate(enumerator, &payload))
889 {
890 if (payload->get_type(payload) == NOTIFY)
891 {
892 notify = (notify_payload_t*)payload;
893 if (notify->get_notify_type(notify) == type)
894 {
895 break;
896 }
897 notify = NULL;
898 }
899 }
900 enumerator->destroy(enumerator);
901 return notify;
902 }
903
904 /**
905 * get a string representation of the message
906 */
907 static char* get_string(private_message_t *this, char *buf, int len)
908 {
909 enumerator_t *enumerator;
910 payload_t *payload;
911 int written;
912 char *pos = buf;
913
914 memset(buf, 0, len);
915 len--;
916
917 written = snprintf(pos, len, "%N %s %d [",
918 exchange_type_names, this->exchange_type,
919 this->is_request ? "request" : "response",
920 this->message_id);
921 if (written >= len || written < 0)
922 {
923 return "";
924 }
925 pos += written;
926 len -= written;
927
928 enumerator = create_payload_enumerator(this);
929 while (enumerator->enumerate(enumerator, &payload))
930 {
931 written = snprintf(pos, len, " %N", payload_type_short_names,
932 payload->get_type(payload));
933 if (written >= len || written < 0)
934 {
935 return buf;
936 }
937 pos += written;
938 len -= written;
939 if (payload->get_type(payload) == NOTIFY)
940 {
941 notify_payload_t *notify;
942 notify_type_t type;
943 chunk_t data;
944
945 notify = (notify_payload_t*)payload;
946 type = notify->get_notify_type(notify);
947 data = notify->get_notification_data(notify);
948 if (type == MS_NOTIFY_STATUS && data.len == 4)
949 {
950 written = snprintf(pos, len, "(%N(%d))", notify_type_short_names,
951 type, untoh32(data.ptr));
952 }
953 else
954 {
955 written = snprintf(pos, len, "(%N)", notify_type_short_names,
956 type);
957 }
958 if (written >= len || written < 0)
959 {
960 return buf;
961 }
962 pos += written;
963 len -= written;
964 }
965 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
966 {
967 eap_payload_t *eap = (eap_payload_t*)payload;
968 u_int32_t vendor;
969 eap_type_t type;
970 char method[64] = "";
971
972 type = eap->get_type(eap, &vendor);
973 if (type)
974 {
975 if (vendor)
976 {
977 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
978 }
979 else
980 {
981 snprintf(method, sizeof(method), "/%N",
982 eap_type_short_names, type);
983 }
984 }
985 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
986 eap->get_code(eap), method);
987 if (written >= len || written < 0)
988 {
989 return buf;
990 }
991 pos += written;
992 len -= written;
993 }
994 if (payload->get_type(payload) == CONFIGURATION)
995 {
996 cp_payload_t *cp = (cp_payload_t*)payload;
997 enumerator_t *attributes;
998 configuration_attribute_t *attribute;
999 bool first = TRUE;
1000
1001 attributes = cp->create_attribute_enumerator(cp);
1002 while (attributes->enumerate(attributes, &attribute))
1003 {
1004 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
1005 configuration_attribute_type_short_names,
1006 attribute->get_type(attribute));
1007 if (written >= len || written < 0)
1008 {
1009 return buf;
1010 }
1011 pos += written;
1012 len -= written;
1013 first = FALSE;
1014 }
1015 attributes->destroy(attributes);
1016 if (!first)
1017 {
1018 written = snprintf(pos, len, ")");
1019 if (written >= len || written < 0)
1020 {
1021 return buf;
1022 }
1023 pos += written;
1024 len -= written;
1025 }
1026 }
1027 }
1028 enumerator->destroy(enumerator);
1029
1030 /* remove last space */
1031 snprintf(pos, len, " ]");
1032 return buf;
1033 }
1034
1035 /**
1036 * reorder payloads depending on reordering rules
1037 */
1038 static void order_payloads(private_message_t *this)
1039 {
1040 linked_list_t *list;
1041 payload_t *payload;
1042 int i;
1043
1044 /* move to temp list */
1045 list = linked_list_create();
1046 while (this->payloads->remove_last(this->payloads,
1047 (void**)&payload) == SUCCESS)
1048 {
1049 list->insert_first(list, payload);
1050 }
1051 /* for each rule, ... */
1052 for (i = 0; i < this->rule->order_count; i++)
1053 {
1054 enumerator_t *enumerator;
1055 notify_payload_t *notify;
1056 payload_order_t order;
1057
1058 order = this->rule->order[i];
1059
1060 /* ... find all payload ... */
1061 enumerator = list->create_enumerator(list);
1062 while (enumerator->enumerate(enumerator, &payload))
1063 {
1064 /* ... with that type ... */
1065 if (payload->get_type(payload) == order.type)
1066 {
1067 notify = (notify_payload_t*)payload;
1068
1069 /**... and check notify for type. */
1070 if (order.type != NOTIFY || order.notify == 0 ||
1071 order.notify == notify->get_notify_type(notify))
1072 {
1073 list->remove_at(list, enumerator);
1074 add_payload(this, payload);
1075 }
1076 }
1077 }
1078 enumerator->destroy(enumerator);
1079 }
1080 /* append all payloads without a rule to the end */
1081 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1082 {
1083 /* do not complain about payloads in private use space */
1084 if (payload->get_type(payload) < 128)
1085 {
1086 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1087 payload_type_names, payload->get_type(payload),
1088 exchange_type_names, this->rule->exchange_type,
1089 this->rule->is_request ? "request" : "response");
1090 }
1091 add_payload(this, payload);
1092 }
1093 list->destroy(list);
1094 }
1095
1096 /**
1097 * Wrap payloads in a encryption payload
1098 */
1099 static encryption_payload_t* wrap_payloads(private_message_t *this)
1100 {
1101 encryption_payload_t *encryption;
1102 linked_list_t *payloads;
1103 payload_t *current;
1104
1105 /* copy all payloads in a temporary list */
1106 payloads = linked_list_create();
1107 while (this->payloads->remove_first(this->payloads,
1108 (void**)&current) == SUCCESS)
1109 {
1110 payloads->insert_last(payloads, current);
1111 }
1112
1113 encryption = encryption_payload_create();
1114 while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
1115 {
1116 payload_rule_t *rule;
1117 payload_type_t type;
1118 bool encrypt = TRUE;
1119
1120 type = current->get_type(current);
1121 rule = get_payload_rule(this, type);
1122 if (rule)
1123 {
1124 encrypt = rule->encrypted;
1125 }
1126 if (encrypt)
1127 {
1128 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1129 payload_type_names, type);
1130 encryption->add_payload(encryption, current);
1131 }
1132 else
1133 {
1134 DBG2(DBG_ENC, "insert payload %N unencrypted",
1135 payload_type_names, type);
1136 add_payload(this, current);
1137 }
1138 }
1139 payloads->destroy(payloads);
1140
1141 return encryption;
1142 }
1143
1144 METHOD(message_t, disable_sort, void,
1145 private_message_t *this)
1146 {
1147 this->sort_disabled = TRUE;
1148 }
1149
1150 METHOD(message_t, generate, status_t,
1151 private_message_t *this, aead_t *aead, packet_t **packet)
1152 {
1153 generator_t *generator;
1154 ike_header_t *ike_header;
1155 payload_t *payload, *next;
1156 encryption_payload_t *encryption = NULL;
1157 enumerator_t *enumerator;
1158 chunk_t chunk;
1159 char str[BUF_LEN];
1160 u_int32_t *lenpos;
1161 bool *reserved;
1162 int i;
1163
1164 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1165 {
1166 DBG1(DBG_ENC, "exchange type is not defined");
1167 return INVALID_STATE;
1168 }
1169
1170 if (this->packet->get_source(this->packet) == NULL ||
1171 this->packet->get_destination(this->packet) == NULL)
1172 {
1173 DBG1(DBG_ENC, "source/destination not defined");
1174 return INVALID_STATE;
1175 }
1176
1177 this->rule = get_message_rule(this);
1178 if (!this->rule)
1179 {
1180 DBG1(DBG_ENC, "no message rules specified for this message type");
1181 return NOT_SUPPORTED;
1182 }
1183
1184 if (!this->sort_disabled)
1185 {
1186 order_payloads(this);
1187 }
1188
1189 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1190
1191 if (aead && this->rule->encrypted)
1192 {
1193 encryption = wrap_payloads(this);
1194 }
1195 else
1196 {
1197 DBG2(DBG_ENC, "not encrypting payloads");
1198 }
1199
1200 ike_header = ike_header_create_version(this->major_version,
1201 this->minor_version);
1202 ike_header->set_exchange_type(ike_header, this->exchange_type);
1203 ike_header->set_message_id(ike_header, this->message_id);
1204 ike_header->set_response_flag(ike_header, !this->is_request);
1205 ike_header->set_version_flag(ike_header, this->version_flag);
1206 ike_header->set_initiator_flag(ike_header,
1207 this->ike_sa_id->is_initiator(this->ike_sa_id));
1208 ike_header->set_initiator_spi(ike_header,
1209 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1210 ike_header->set_responder_spi(ike_header,
1211 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1212
1213 for (i = 0; i < countof(this->reserved); i++)
1214 {
1215 reserved = payload_get_field(&ike_header->payload_interface,
1216 RESERVED_BIT, i);
1217 if (reserved)
1218 {
1219 *reserved = this->reserved[i];
1220 }
1221 }
1222
1223 generator = generator_create();
1224
1225 /* generate all payloads with proper next type */
1226 payload = (payload_t*)ike_header;
1227 enumerator = create_payload_enumerator(this);
1228 while (enumerator->enumerate(enumerator, &next))
1229 {
1230 payload->set_next_type(payload, next->get_type(next));
1231 generator->generate_payload(generator, payload);
1232 payload = next;
1233 }
1234 enumerator->destroy(enumerator);
1235 payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
1236 generator->generate_payload(generator, payload);
1237 ike_header->destroy(ike_header);
1238
1239 if (encryption)
1240 {
1241 u_int32_t *lenpos;
1242
1243 /* build associated data (without header of encryption payload) */
1244 chunk = generator->get_chunk(generator, &lenpos);
1245 encryption->set_transform(encryption, aead);
1246 /* fill in length, including encryption payload */
1247 htoun32(lenpos, chunk.len + encryption->get_length(encryption));
1248
1249 this->payloads->insert_last(this->payloads, encryption);
1250 if (!encryption->encrypt(encryption, chunk))
1251 {
1252 generator->destroy(generator);
1253 return INVALID_STATE;
1254 }
1255 generator->generate_payload(generator, &encryption->payload_interface);
1256 }
1257 chunk = generator->get_chunk(generator, &lenpos);
1258 htoun32(lenpos, chunk.len);
1259 this->packet->set_data(this->packet, chunk_clone(chunk));
1260 generator->destroy(generator);
1261
1262 *packet = this->packet->clone(this->packet);
1263 return SUCCESS;
1264 }
1265
1266 METHOD(message_t, get_packet, packet_t*,
1267 private_message_t *this)
1268 {
1269 if (this->packet == NULL)
1270 {
1271 return NULL;
1272 }
1273 return this->packet->clone(this->packet);
1274 }
1275
1276 METHOD(message_t, get_packet_data, chunk_t,
1277 private_message_t *this)
1278 {
1279 if (this->packet == NULL)
1280 {
1281 return chunk_empty;
1282 }
1283 return chunk_clone(this->packet->get_data(this->packet));
1284 }
1285
1286 METHOD(message_t, parse_header, status_t,
1287 private_message_t *this)
1288 {
1289 ike_header_t *ike_header;
1290 status_t status;
1291 bool *reserved;
1292 int i;
1293
1294 DBG2(DBG_ENC, "parsing header of message");
1295
1296 this->parser->reset_context(this->parser);
1297 status = this->parser->parse_payload(this->parser, HEADER,
1298 (payload_t**)&ike_header);
1299 if (status != SUCCESS)
1300 {
1301 DBG1(DBG_ENC, "header could not be parsed");
1302 return status;
1303
1304 }
1305
1306 status = ike_header->payload_interface.verify(
1307 &ike_header->payload_interface);
1308 if (status != SUCCESS)
1309 {
1310 DBG1(DBG_ENC, "header verification failed");
1311 ike_header->destroy(ike_header);
1312 return status;
1313 }
1314
1315 DESTROY_IF(this->ike_sa_id);
1316 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1317 ike_header->get_responder_spi(ike_header),
1318 ike_header->get_initiator_flag(ike_header));
1319
1320 this->exchange_type = ike_header->get_exchange_type(ike_header);
1321 this->message_id = ike_header->get_message_id(ike_header);
1322 this->is_request = !ike_header->get_response_flag(ike_header);
1323 this->major_version = ike_header->get_maj_version(ike_header);
1324 this->minor_version = ike_header->get_min_version(ike_header);
1325 this->first_payload = ike_header->payload_interface.get_next_type(
1326 &ike_header->payload_interface);
1327 for (i = 0; i < countof(this->reserved); i++)
1328 {
1329 reserved = payload_get_field(&ike_header->payload_interface,
1330 RESERVED_BIT, i);
1331 if (reserved)
1332 {
1333 this->reserved[i] = *reserved;
1334 }
1335 }
1336 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1337 this->is_request ? "request" : "response");
1338
1339 ike_header->destroy(ike_header);
1340
1341 this->rule = get_message_rule(this);
1342 if (!this->rule)
1343 {
1344 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1345 exchange_type_names, this->exchange_type,
1346 this->is_request ? "request" : "response");
1347 }
1348 return status;
1349 }
1350
1351 /**
1352 * Check if a payload is for a mediation extension connectivity check
1353 */
1354 static bool is_connectivity_check(private_message_t *this, payload_t *payload)
1355 {
1356 #ifdef ME
1357 if (this->exchange_type == INFORMATIONAL &&
1358 payload->get_type(payload) == NOTIFY)
1359 {
1360 notify_payload_t *notify = (notify_payload_t*)payload;
1361
1362 switch (notify->get_notify_type(notify))
1363 {
1364 case ME_CONNECTID:
1365 case ME_ENDPOINT:
1366 case ME_CONNECTAUTH:
1367 return TRUE;
1368 default:
1369 break;
1370 }
1371 }
1372 #endif /* !ME */
1373 return FALSE;
1374 }
1375
1376 /**
1377 * Decrypt payload from the encryption payload
1378 */
1379 static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
1380 {
1381 bool was_encrypted = FALSE;
1382 payload_t *payload, *previous = NULL;
1383 enumerator_t *enumerator;
1384 payload_rule_t *rule;
1385 payload_type_t type;
1386 status_t status = SUCCESS;
1387
1388 enumerator = this->payloads->create_enumerator(this->payloads);
1389 while (enumerator->enumerate(enumerator, &payload))
1390 {
1391 type = payload->get_type(payload);
1392
1393 DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
1394
1395 if (type == ENCRYPTED)
1396 {
1397 encryption_payload_t *encryption;
1398 payload_t *encrypted;
1399 chunk_t chunk;
1400
1401 encryption = (encryption_payload_t*)payload;
1402
1403 DBG2(DBG_ENC, "found an encryption payload");
1404
1405 if (this->payloads->has_more(this->payloads, enumerator))
1406 {
1407 DBG1(DBG_ENC, "encrypted payload is not last payload");
1408 status = VERIFY_ERROR;
1409 break;
1410 }
1411 encryption->set_transform(encryption, aead);
1412 chunk = this->packet->get_data(this->packet);
1413 if (chunk.len < encryption->get_length(encryption))
1414 {
1415 DBG1(DBG_ENC, "invalid payload length");
1416 status = VERIFY_ERROR;
1417 break;
1418 }
1419 chunk.len -= encryption->get_length(encryption);
1420 status = encryption->decrypt(encryption, chunk);
1421 if (status != SUCCESS)
1422 {
1423 break;
1424 }
1425
1426 was_encrypted = TRUE;
1427 this->payloads->remove_at(this->payloads, enumerator);
1428
1429 while ((encrypted = encryption->remove_payload(encryption)))
1430 {
1431 type = encrypted->get_type(encrypted);
1432 if (previous)
1433 {
1434 previous->set_next_type(previous, type);
1435 }
1436 else
1437 {
1438 this->first_payload = type;
1439 }
1440 DBG2(DBG_ENC, "insert decrypted payload of type "
1441 "%N at end of list", payload_type_names, type);
1442 this->payloads->insert_last(this->payloads, encrypted);
1443 previous = encrypted;
1444 }
1445 encryption->destroy(encryption);
1446 }
1447 if (payload_is_known(type) && !was_encrypted &&
1448 !is_connectivity_check(this, payload))
1449 {
1450 rule = get_payload_rule(this, type);
1451 if (!rule || rule->encrypted)
1452 {
1453 DBG1(DBG_ENC, "payload type %N was not encrypted",
1454 payload_type_names, type);
1455 status = FAILED;
1456 break;
1457 }
1458 }
1459 previous = payload;
1460 }
1461 enumerator->destroy(enumerator);
1462 return status;
1463 }
1464
1465 /**
1466 * Verify a message and all payload according to message/payload rules
1467 */
1468 static status_t verify(private_message_t *this)
1469 {
1470 bool complete = FALSE;
1471 int i;
1472
1473 DBG2(DBG_ENC, "verifying message structure");
1474
1475 /* check for payloads with wrong count*/
1476 for (i = 0; i < this->rule->rule_count; i++)
1477 {
1478 enumerator_t *enumerator;
1479 payload_t *payload;
1480 payload_rule_t *rule;
1481 int found = 0;
1482
1483 rule = &this->rule->rules[i];
1484 enumerator = create_payload_enumerator(this);
1485 while (enumerator->enumerate(enumerator, &payload))
1486 {
1487 payload_type_t type;
1488
1489 type = payload->get_type(payload);
1490 if (type == rule->type)
1491 {
1492 found++;
1493 DBG2(DBG_ENC, "found payload of type %N",
1494 payload_type_names, type);
1495 if (found > rule->max_occurence)
1496 {
1497 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1498 "occurred in current message", payload_type_names,
1499 type, rule->max_occurence, found);
1500 enumerator->destroy(enumerator);
1501 return VERIFY_ERROR;
1502 }
1503 }
1504 }
1505 enumerator->destroy(enumerator);
1506
1507 if (!complete && found < rule->min_occurence)
1508 {
1509 DBG1(DBG_ENC, "payload of type %N not occurred %d times (%d)",
1510 payload_type_names, rule->type, rule->min_occurence, found);
1511 return VERIFY_ERROR;
1512 }
1513 if (found && rule->sufficient)
1514 {
1515 complete = TRUE;
1516 }
1517 }
1518 return SUCCESS;
1519 }
1520
1521 METHOD(message_t, parse_body, status_t,
1522 private_message_t *this, aead_t *aead)
1523 {
1524 status_t status = SUCCESS;
1525 payload_t *payload;
1526 payload_type_t type;
1527 char str[BUF_LEN];
1528
1529 type = this->first_payload;
1530
1531 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1532 payload_type_names, type);
1533
1534 while (type != NO_PAYLOAD)
1535 {
1536 DBG2(DBG_ENC, "starting parsing a %N payload",
1537 payload_type_names, type);
1538
1539 status = this->parser->parse_payload(this->parser, type, &payload);
1540 if (status != SUCCESS)
1541 {
1542 DBG1(DBG_ENC, "payload type %N could not be parsed",
1543 payload_type_names, type);
1544 return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;
1545 }
1546
1547 DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
1548 status = payload->verify(payload);
1549 if (status != SUCCESS)
1550 {
1551 DBG1(DBG_ENC, "%N payload verification failed",
1552 payload_type_names, type);
1553 payload->destroy(payload);
1554 return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED;
1555 }
1556
1557 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1558 payload_type_names, type);
1559 this->payloads->insert_last(this->payloads, payload);
1560
1561 /* an encryption payload is the last one, so STOP here. decryption is
1562 * done later */
1563 if (type == ENCRYPTED)
1564 {
1565 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1566 payload_type_names, type);
1567 break;
1568 }
1569 type = payload->get_next_type(payload);
1570 }
1571
1572 status = decrypt_payloads(this, aead);
1573 if (status != SUCCESS)
1574 {
1575 DBG1(DBG_ENC, "could not decrypt payloads");
1576 return status;
1577 }
1578
1579 status = verify(this);
1580 if (status != SUCCESS)
1581 {
1582 return status;
1583 }
1584
1585 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1586
1587 return SUCCESS;
1588 }
1589
1590 METHOD(message_t, destroy, void,
1591 private_message_t *this)
1592 {
1593 DESTROY_IF(this->ike_sa_id);
1594 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1595 this->packet->destroy(this->packet);
1596 this->parser->destroy(this->parser);
1597 free(this);
1598 }
1599
1600 /*
1601 * Described in Header-File
1602 */
1603 message_t *message_create_from_packet(packet_t *packet)
1604 {
1605 private_message_t *this;
1606
1607 INIT(this,
1608 .public = {
1609 .set_major_version = _set_major_version,
1610 .get_major_version = _get_major_version,
1611 .set_minor_version = _set_minor_version,
1612 .get_minor_version = _get_minor_version,
1613 .set_message_id = _set_message_id,
1614 .get_message_id = _get_message_id,
1615 .get_initiator_spi = _get_initiator_spi,
1616 .get_responder_spi = _get_responder_spi,
1617 .set_ike_sa_id = _set_ike_sa_id,
1618 .get_ike_sa_id = _get_ike_sa_id,
1619 .set_exchange_type = _set_exchange_type,
1620 .get_exchange_type = _get_exchange_type,
1621 .get_first_payload_type = _get_first_payload_type,
1622 .set_request = _set_request,
1623 .get_request = _get_request,
1624 .set_version_flag = _set_version_flag,
1625 .get_reserved_header_bit = _get_reserved_header_bit,
1626 .set_reserved_header_bit = _set_reserved_header_bit,
1627 .add_payload = _add_payload,
1628 .add_notify = _add_notify,
1629 .disable_sort = _disable_sort,
1630 .generate = _generate,
1631 .is_encoded = _is_encoded,
1632 .set_source = _set_source,
1633 .get_source = _get_source,
1634 .set_destination = _set_destination,
1635 .get_destination = _get_destination,
1636 .create_payload_enumerator = _create_payload_enumerator,
1637 .remove_payload_at = _remove_payload_at,
1638 .get_payload = _get_payload,
1639 .get_notify = _get_notify,
1640 .parse_header = _parse_header,
1641 .parse_body = _parse_body,
1642 .get_packet = _get_packet,
1643 .get_packet_data = _get_packet_data,
1644 .destroy = _destroy,
1645 },
1646 .major_version = IKEV2_MAJOR_VERSION,
1647 .minor_version = IKEV2_MINOR_VERSION,
1648 .exchange_type = EXCHANGE_TYPE_UNDEFINED,
1649 .is_request = TRUE,
1650 .first_payload = NO_PAYLOAD,
1651 .packet = packet,
1652 .payloads = linked_list_create(),
1653 .parser = parser_create(packet->get_data(packet)),
1654 );
1655
1656 return (&this->public);
1657 }
1658
1659 /*
1660 * Described in Header.
1661 */
1662 message_t *message_create()
1663 {
1664 return message_create_from_packet(packet_create());
1665 }
1666