Register hmac/xcbc algorithms after potentially underlying PKCS#11
[strongswan.git] / src / libcharon / encoding / message.c
1 /*
2 * Copyright (C) 2006-2007 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <stdlib.h>
20 #include <string.h>
21
22 #include "message.h"
23
24 #include <library.h>
25 #include <daemon.h>
26 #include <sa/ike_sa_id.h>
27 #include <encoding/generator.h>
28 #include <encoding/parser.h>
29 #include <utils/linked_list.h>
30 #include <encoding/payloads/encodings.h>
31 #include <encoding/payloads/payload.h>
32 #include <encoding/payloads/encryption_payload.h>
33 #include <encoding/payloads/unknown_payload.h>
34 #include <encoding/payloads/cp_payload.h>
35
36 /**
37 * Max number of notify payloads per IKEv2 Message
38 */
39 #define MAX_NOTIFY_PAYLOADS 20
40
41 /**
42 * Max number of delete payloads per IKEv2 Message
43 */
44 #define MAX_DELETE_PAYLOADS 20
45
46
47 typedef struct payload_rule_t payload_rule_t;
48
49 /**
50 * A payload rule defines the rules for a payload
51 * in a specific message rule. It defines if and how
52 * many times a payload must/can occur in a message
53 * and if it must be encrypted.
54 */
55 struct payload_rule_t {
56 /**
57 * Payload type.
58 */
59 payload_type_t payload_type;
60
61 /**
62 * Minimal occurence of this payload.
63 */
64 size_t min_occurence;
65
66 /**
67 * Max occurence of this payload.
68 */
69 size_t max_occurence;
70
71 /**
72 * TRUE if payload must be encrypted
73 */
74 bool encrypted;
75
76 /**
77 * If this payload occurs, the message rule is
78 * fullfilled in any case. This applies e.g. to
79 * notify_payloads.
80 */
81 bool sufficient;
82 };
83
84 typedef struct payload_order_t payload_order_t;
85
86 /**
87 * payload ordering structure allows us to reorder payloads according to RFC.
88 */
89 struct payload_order_t {
90
91 /**
92 * payload type
93 */
94 payload_type_t type;
95
96 /**
97 * notify type, if payload == NOTIFY
98 */
99 notify_type_t notify;
100 };
101
102
103 typedef struct message_rule_t message_rule_t;
104
105 /**
106 * A message rule defines the kind of a message,
107 * if it has encrypted contents and a list
108 * of payload ordering rules and payload parsing rules.
109 */
110 struct message_rule_t {
111 /**
112 * Type of message.
113 */
114 exchange_type_t exchange_type;
115
116 /**
117 * Is message a request or response.
118 */
119 bool is_request;
120
121 /**
122 * Message contains encrypted content.
123 */
124 bool encrypted_content;
125
126 /**
127 * Number of payload rules which will follow
128 */
129 int payload_rule_count;
130
131 /**
132 * Pointer to first payload rule
133 */
134 payload_rule_t *payload_rules;
135
136 /**
137 * Number of payload order rules
138 */
139 int payload_order_count;
140
141 /**
142 * payload ordering rules
143 */
144 payload_order_t *payload_order;
145 };
146
147 /**
148 * Message rule for IKE_SA_INIT from initiator.
149 */
150 static payload_rule_t ike_sa_init_i_payload_rules[] = {
151 /* payload type min max encr suff */
152 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, FALSE},
153 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
154 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
155 {NONCE, 1, 1, FALSE, FALSE},
156 {VENDOR_ID, 0, 10, FALSE, FALSE},
157 };
158
159 /**
160 * payload order for IKE_SA_INIT initiator
161 */
162 static payload_order_t ike_sa_init_i_payload_order[] = {
163 /* payload type notify type */
164 {NOTIFY, COOKIE},
165 {SECURITY_ASSOCIATION, 0},
166 {KEY_EXCHANGE, 0},
167 {NONCE, 0},
168 {NOTIFY, NAT_DETECTION_SOURCE_IP},
169 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
170 {NOTIFY, 0},
171 {VENDOR_ID, 0},
172 };
173
174 /**
175 * Message rule for IKE_SA_INIT from responder.
176 */
177 static payload_rule_t ike_sa_init_r_payload_rules[] = {
178 /* payload type min max encr suff */
179 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, FALSE, TRUE},
180 {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE},
181 {KEY_EXCHANGE, 1, 1, FALSE, FALSE},
182 {NONCE, 1, 1, FALSE, FALSE},
183 {VENDOR_ID, 0, 10, FALSE, FALSE},
184 };
185
186 /**
187 * payload order for IKE_SA_INIT responder
188 */
189 static payload_order_t ike_sa_init_r_payload_order[] = {
190 /* payload type notify type */
191 {SECURITY_ASSOCIATION, 0},
192 {KEY_EXCHANGE, 0},
193 {NONCE, 0},
194 {NOTIFY, NAT_DETECTION_SOURCE_IP},
195 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
196 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
197 {CERTIFICATE_REQUEST, 0},
198 {NOTIFY, 0},
199 {VENDOR_ID, 0},
200 };
201
202 /**
203 * Message rule for IKE_AUTH from initiator.
204 */
205 static payload_rule_t ike_auth_i_payload_rules[] = {
206 /* payload type min max encr suff */
207 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
208 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
209 {AUTHENTICATION, 0, 1, TRUE, TRUE},
210 {ID_INITIATOR, 0, 1, TRUE, FALSE},
211 {CERTIFICATE, 0, 4, TRUE, FALSE},
212 {CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
213 {ID_RESPONDER, 0, 1, TRUE, FALSE},
214 #ifdef ME
215 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
216 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
217 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
218 #else
219 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
220 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
221 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
222 #endif /* ME */
223 {CONFIGURATION, 0, 1, TRUE, FALSE},
224 {VENDOR_ID, 0, 10, TRUE, FALSE},
225 };
226
227 /**
228 * payload order for IKE_AUTH initiator
229 */
230 static payload_order_t ike_auth_i_payload_order[] = {
231 /* payload type notify type */
232 {ID_INITIATOR, 0},
233 {CERTIFICATE, 0},
234 {NOTIFY, INITIAL_CONTACT},
235 {NOTIFY, HTTP_CERT_LOOKUP_SUPPORTED},
236 {CERTIFICATE_REQUEST, 0},
237 {ID_RESPONDER, 0},
238 {AUTHENTICATION, 0},
239 {EXTENSIBLE_AUTHENTICATION, 0},
240 {CONFIGURATION, 0},
241 {NOTIFY, IPCOMP_SUPPORTED},
242 {NOTIFY, USE_TRANSPORT_MODE},
243 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
244 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
245 {SECURITY_ASSOCIATION, 0},
246 {TRAFFIC_SELECTOR_INITIATOR, 0},
247 {TRAFFIC_SELECTOR_RESPONDER, 0},
248 {NOTIFY, MOBIKE_SUPPORTED},
249 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
250 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
251 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
252 {NOTIFY, 0},
253 {VENDOR_ID, 0},
254 };
255
256 /**
257 * Message rule for IKE_AUTH from responder.
258 */
259 static payload_rule_t ike_auth_r_payload_rules[] = {
260 /* payload type min max encr suff */
261 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
262 {EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
263 {AUTHENTICATION, 0, 1, TRUE, TRUE},
264 {CERTIFICATE, 0, 4, TRUE, FALSE},
265 {ID_RESPONDER, 0, 1, TRUE, FALSE},
266 {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
267 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
268 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
269 {CONFIGURATION, 0, 1, TRUE, FALSE},
270 {VENDOR_ID, 0, 10, TRUE, FALSE},
271 };
272
273 /**
274 * payload order for IKE_AUTH responder
275 */
276 static payload_order_t ike_auth_r_payload_order[] = {
277 /* payload type notify type */
278 {ID_RESPONDER, 0},
279 {CERTIFICATE, 0},
280 {AUTHENTICATION, 0},
281 {EXTENSIBLE_AUTHENTICATION, 0},
282 {CONFIGURATION, 0},
283 {NOTIFY, IPCOMP_SUPPORTED},
284 {NOTIFY, USE_TRANSPORT_MODE},
285 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
286 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
287 {SECURITY_ASSOCIATION, 0},
288 {TRAFFIC_SELECTOR_INITIATOR, 0},
289 {TRAFFIC_SELECTOR_RESPONDER, 0},
290 {NOTIFY, AUTH_LIFETIME},
291 {NOTIFY, MOBIKE_SUPPORTED},
292 {NOTIFY, ADDITIONAL_IP4_ADDRESS},
293 {NOTIFY, ADDITIONAL_IP6_ADDRESS},
294 {NOTIFY, NO_ADDITIONAL_ADDRESSES},
295 {NOTIFY, 0},
296 {VENDOR_ID, 0},
297 };
298
299 /**
300 * Message rule for INFORMATIONAL from initiator.
301 */
302 static payload_rule_t informational_i_payload_rules[] = {
303 /* payload type min max encr suff */
304 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
305 {CONFIGURATION, 0, 1, TRUE, FALSE},
306 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
307 {VENDOR_ID, 0, 10, TRUE, FALSE},
308 };
309
310 /**
311 * payload order for INFORMATIONAL initiator
312 */
313 static payload_order_t informational_i_payload_order[] = {
314 /* payload type notify type */
315 {NOTIFY, UPDATE_SA_ADDRESSES},
316 {NOTIFY, NAT_DETECTION_SOURCE_IP},
317 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
318 {NOTIFY, COOKIE2},
319 {NOTIFY, 0},
320 {DELETE, 0},
321 {CONFIGURATION, 0},
322 };
323
324 /**
325 * Message rule for INFORMATIONAL from responder.
326 */
327 static payload_rule_t informational_r_payload_rules[] = {
328 /* payload type min max encr suff */
329 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
330 {CONFIGURATION, 0, 1, TRUE, FALSE},
331 {DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
332 {VENDOR_ID, 0, 10, TRUE, FALSE},
333 };
334
335 /**
336 * payload order for INFORMATIONAL responder
337 */
338 static payload_order_t informational_r_payload_order[] = {
339 /* payload type notify type */
340 {NOTIFY, UPDATE_SA_ADDRESSES},
341 {NOTIFY, NAT_DETECTION_SOURCE_IP},
342 {NOTIFY, NAT_DETECTION_DESTINATION_IP},
343 {NOTIFY, COOKIE2},
344 {NOTIFY, 0},
345 {DELETE, 0},
346 {CONFIGURATION, 0},
347 };
348
349 /**
350 * Message rule for CREATE_CHILD_SA from initiator.
351 */
352 static payload_rule_t create_child_sa_i_payload_rules[] = {
353 /* payload type min max encr suff */
354 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
355 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
356 {NONCE, 1, 1, TRUE, FALSE},
357 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
358 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
359 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
360 {CONFIGURATION, 0, 1, TRUE, FALSE},
361 {VENDOR_ID, 0, 10, TRUE, FALSE},
362 };
363
364 /**
365 * payload order for CREATE_CHILD_SA from initiator.
366 */
367 static payload_order_t create_child_sa_i_payload_order[] = {
368 /* payload type notify type */
369 {NOTIFY, REKEY_SA},
370 {NOTIFY, IPCOMP_SUPPORTED},
371 {NOTIFY, USE_TRANSPORT_MODE},
372 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
373 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
374 {SECURITY_ASSOCIATION, 0},
375 {NONCE, 0},
376 {KEY_EXCHANGE, 0},
377 {TRAFFIC_SELECTOR_INITIATOR, 0},
378 {TRAFFIC_SELECTOR_RESPONDER, 0},
379 {NOTIFY, 0},
380 };
381
382 /**
383 * Message rule for CREATE_CHILD_SA from responder.
384 */
385 static payload_rule_t create_child_sa_r_payload_rules[] = {
386 /* payload type min max encr suff */
387 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
388 {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
389 {NONCE, 1, 1, TRUE, FALSE},
390 {KEY_EXCHANGE, 0, 1, TRUE, FALSE},
391 {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
392 {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
393 {CONFIGURATION, 0, 1, TRUE, FALSE},
394 {VENDOR_ID, 0, 10, TRUE, FALSE},
395 };
396
397 /**
398 * payload order for CREATE_CHILD_SA from responder.
399 */
400 static payload_order_t create_child_sa_r_payload_order[] = {
401 /* payload type notify type */
402 {NOTIFY, IPCOMP_SUPPORTED},
403 {NOTIFY, USE_TRANSPORT_MODE},
404 {NOTIFY, ESP_TFC_PADDING_NOT_SUPPORTED},
405 {NOTIFY, NON_FIRST_FRAGMENTS_ALSO},
406 {SECURITY_ASSOCIATION, 0},
407 {NONCE, 0},
408 {KEY_EXCHANGE, 0},
409 {TRAFFIC_SELECTOR_INITIATOR, 0},
410 {TRAFFIC_SELECTOR_RESPONDER, 0},
411 {NOTIFY, ADDITIONAL_TS_POSSIBLE},
412 {NOTIFY, 0},
413 };
414
415 #ifdef ME
416 /**
417 * Message rule for ME_CONNECT from initiator.
418 */
419 static payload_rule_t me_connect_i_payload_rules[] = {
420 /* payload type min max encr suff */
421 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
422 {ID_PEER, 1, 1, TRUE, FALSE},
423 {VENDOR_ID, 0, 10, TRUE, FALSE}
424 };
425
426 /**
427 * payload order for ME_CONNECT from initiator.
428 */
429 static payload_order_t me_connect_i_payload_order[] = {
430 /* payload type notify type */
431 {NOTIFY, 0},
432 {ID_PEER, 0},
433 {VENDOR_ID, 0},
434 };
435
436 /**
437 * Message rule for ME_CONNECT from responder.
438 */
439 static payload_rule_t me_connect_r_payload_rules[] = {
440 /* payload type min max encr suff */
441 {NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
442 {VENDOR_ID, 0, 10, TRUE, FALSE}
443 };
444
445 /**
446 * payload order for ME_CONNECT from responder.
447 */
448 static payload_order_t me_connect_r_payload_order[] = {
449 /* payload type notify type */
450 {NOTIFY, 0},
451 {VENDOR_ID, 0},
452 };
453 #endif /* ME */
454
455 /**
456 * Message rules, defines allowed payloads.
457 */
458 static message_rule_t message_rules[] = {
459 {IKE_SA_INIT, TRUE, FALSE,
460 (sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
461 ike_sa_init_i_payload_rules,
462 (sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
463 ike_sa_init_i_payload_order,
464 },
465 {IKE_SA_INIT, FALSE, FALSE,
466 (sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
467 ike_sa_init_r_payload_rules,
468 (sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
469 ike_sa_init_r_payload_order,
470 },
471 {IKE_AUTH, TRUE, TRUE,
472 (sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
473 ike_auth_i_payload_rules,
474 (sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
475 ike_auth_i_payload_order,
476 },
477 {IKE_AUTH, FALSE, TRUE,
478 (sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
479 ike_auth_r_payload_rules,
480 (sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
481 ike_auth_r_payload_order,
482 },
483 {INFORMATIONAL, TRUE, TRUE,
484 (sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
485 informational_i_payload_rules,
486 (sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
487 informational_i_payload_order,
488 },
489 {INFORMATIONAL, FALSE, TRUE,
490 (sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
491 informational_r_payload_rules,
492 (sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
493 informational_r_payload_order,
494 },
495 {CREATE_CHILD_SA, TRUE, TRUE,
496 (sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
497 create_child_sa_i_payload_rules,
498 (sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
499 create_child_sa_i_payload_order,
500 },
501 {CREATE_CHILD_SA, FALSE, TRUE,
502 (sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
503 create_child_sa_r_payload_rules,
504 (sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
505 create_child_sa_r_payload_order,
506 },
507 #ifdef ME
508 {ME_CONNECT, TRUE, TRUE,
509 (sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
510 me_connect_i_payload_rules,
511 (sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
512 me_connect_i_payload_order,
513 },
514 {ME_CONNECT, FALSE, TRUE,
515 (sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
516 me_connect_r_payload_rules,
517 (sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
518 me_connect_r_payload_order,
519 },
520 #endif /* ME */
521 };
522
523
524 typedef struct private_message_t private_message_t;
525
526 /**
527 * Private data of an message_t object.
528 */
529 struct private_message_t {
530
531 /**
532 * Public part of a message_t object.
533 */
534 message_t public;
535
536 /**
537 * Minor version of message.
538 */
539 u_int8_t major_version;
540
541 /**
542 * Major version of message.
543 */
544 u_int8_t minor_version;
545
546 /**
547 * First Payload in message.
548 */
549 payload_type_t first_payload;
550
551 /**
552 * Assigned exchange type.
553 */
554 exchange_type_t exchange_type;
555
556 /**
557 * TRUE if message is a request, FALSE if a reply.
558 */
559 bool is_request;
560
561 /**
562 * Message ID of this message.
563 */
564 u_int32_t message_id;
565
566 /**
567 * ID of assigned IKE_SA.
568 */
569 ike_sa_id_t *ike_sa_id;
570
571 /**
572 * Assigned UDP packet, stores incoming packet or last generated one.
573 */
574 packet_t *packet;
575
576 /**
577 * Linked List where payload data are stored in.
578 */
579 linked_list_t *payloads;
580
581 /**
582 * Assigned parser to parse Header and Body of this message.
583 */
584 parser_t *parser;
585
586 /**
587 * The message rule for this message instance
588 */
589 message_rule_t *message_rule;
590 };
591
592 /**
593 * Implementation of private_message_t.set_message_rule.
594 */
595 static status_t set_message_rule(private_message_t *this)
596 {
597 int i;
598
599 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
600 {
601 if ((this->exchange_type == message_rules[i].exchange_type) &&
602 (this->is_request == message_rules[i].is_request))
603 {
604 /* found rule for given exchange_type*/
605 this->message_rule = &(message_rules[i]);
606 return SUCCESS;
607 }
608 }
609 this->message_rule = NULL;
610 return NOT_FOUND;
611 }
612
613 /**
614 * Implementation of private_message_t.get_payload_rule.
615 */
616 static status_t get_payload_rule(private_message_t *this,
617 payload_type_t payload_type, payload_rule_t **payload_rule)
618 {
619 int i;
620
621 for (i = 0; i < this->message_rule->payload_rule_count;i++)
622 {
623 if (this->message_rule->payload_rules[i].payload_type == payload_type)
624 {
625 *payload_rule = &(this->message_rule->payload_rules[i]);
626 return SUCCESS;
627 }
628 }
629
630 *payload_rule = NULL;
631 return NOT_FOUND;
632 }
633
634 /**
635 * Implementation of message_t.set_ike_sa_id.
636 */
637 static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
638 {
639 DESTROY_IF(this->ike_sa_id);
640 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
641 }
642
643 /**
644 * Implementation of message_t.get_ike_sa_id.
645 */
646 static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
647 {
648 return this->ike_sa_id;
649 }
650
651 /**
652 * Implementation of message_t.set_message_id.
653 */
654 static void set_message_id(private_message_t *this,u_int32_t message_id)
655 {
656 this->message_id = message_id;
657 }
658
659 /**
660 * Implementation of message_t.get_message_id.
661 */
662 static u_int32_t get_message_id(private_message_t *this)
663 {
664 return this->message_id;
665 }
666
667 /**
668 * Implementation of message_t.get_initiator_spi.
669 */
670 static u_int64_t get_initiator_spi(private_message_t *this)
671 {
672 return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
673 }
674
675 /**
676 * Implementation of message_t.get_responder_spi.
677 */
678 static u_int64_t get_responder_spi(private_message_t *this)
679 {
680 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
681 }
682
683 /**
684 * Implementation of message_t.set_major_version.
685 */
686 static void set_major_version(private_message_t *this,u_int8_t major_version)
687 {
688 this->major_version = major_version;
689 }
690
691 /**
692 * Implementation of message_t.set_major_version.
693 */
694 static u_int8_t get_major_version(private_message_t *this)
695 {
696 return this->major_version;
697 }
698
699 /**
700 * Implementation of message_t.set_minor_version.
701 */
702 static void set_minor_version(private_message_t *this,u_int8_t minor_version)
703 {
704 this->minor_version = minor_version;
705 }
706
707 /**
708 * Implementation of message_t.get_minor_version.
709 */
710 static u_int8_t get_minor_version(private_message_t *this)
711 {
712 return this->minor_version;
713 }
714
715 /**
716 * Implementation of message_t.set_exchange_type.
717 */
718 static void set_exchange_type(private_message_t *this,
719 exchange_type_t exchange_type)
720 {
721 this->exchange_type = exchange_type;
722 }
723
724 /**
725 * Implementation of message_t.get_exchange_type.
726 */
727 static exchange_type_t get_exchange_type(private_message_t *this)
728 {
729 return this->exchange_type;
730 }
731
732 /**
733 * Implementation of message_t.get_first_payload_type.
734 */
735 static payload_type_t get_first_payload_type(private_message_t *this)
736 {
737 return this->first_payload;
738 }
739
740 /**
741 * Implementation of message_t.set_request.
742 */
743 static void set_request(private_message_t *this, bool request)
744 {
745 this->is_request = request;
746 }
747
748 /**
749 * Implementation of message_t.get_request.
750 */
751 static exchange_type_t get_request(private_message_t *this)
752 {
753 return this->is_request;
754 }
755
756 /**
757 * Is this message in an encoded form?
758 */
759 static bool is_encoded(private_message_t *this)
760 {
761 chunk_t data = this->packet->get_data(this->packet);
762
763 if (data.ptr == NULL)
764 {
765 return FALSE;
766 }
767 return TRUE;
768 }
769
770 /**
771 * Implementation of message_t.add_payload.
772 */
773 static void add_payload(private_message_t *this, payload_t *payload)
774 {
775 payload_t *last_payload;
776
777 if (this->payloads->get_count(this->payloads) > 0)
778 {
779 this->payloads->get_last(this->payloads, (void **)&last_payload);
780 last_payload->set_next_type(last_payload, payload->get_type(payload));
781 }
782 else
783 {
784 this->first_payload = payload->get_type(payload);
785 }
786 payload->set_next_type(payload, NO_PAYLOAD);
787 this->payloads->insert_last(this->payloads, payload);
788
789 DBG2(DBG_ENC ,"added payload of type %N to message",
790 payload_type_names, payload->get_type(payload));
791 }
792
793 /**
794 * Implementation of message_t.add_notify.
795 */
796 static void add_notify(private_message_t *this, bool flush, notify_type_t type,
797 chunk_t data)
798 {
799 notify_payload_t *notify;
800 payload_t *payload;
801
802 if (flush)
803 {
804 while (this->payloads->remove_last(this->payloads,
805 (void**)&payload) == SUCCESS)
806 {
807 payload->destroy(payload);
808 }
809 }
810 notify = notify_payload_create();
811 notify->set_notify_type(notify, type);
812 notify->set_notification_data(notify, data);
813 add_payload(this, (payload_t*)notify);
814 }
815
816 /**
817 * Implementation of message_t.set_source.
818 */
819 static void set_source(private_message_t *this, host_t *host)
820 {
821 this->packet->set_source(this->packet, host);
822 }
823
824 /**
825 * Implementation of message_t.set_destination.
826 */
827 static void set_destination(private_message_t *this, host_t *host)
828 {
829 this->packet->set_destination(this->packet, host);
830 }
831
832 /**
833 * Implementation of message_t.get_source.
834 */
835 static host_t* get_source(private_message_t *this)
836 {
837 return this->packet->get_source(this->packet);
838 }
839
840 /**
841 * Implementation of message_t.get_destination.
842 */
843 static host_t * get_destination(private_message_t *this)
844 {
845 return this->packet->get_destination(this->packet);
846 }
847
848 /**
849 * Implementation of message_t.create_payload_enumerator.
850 */
851 static enumerator_t *create_payload_enumerator(private_message_t *this)
852 {
853 return this->payloads->create_enumerator(this->payloads);
854 }
855
856 /**
857 * Implementation of message_t.get_payload.
858 */
859 static payload_t *get_payload(private_message_t *this, payload_type_t type)
860 {
861 payload_t *current, *found = NULL;
862 enumerator_t *enumerator;
863
864 enumerator = create_payload_enumerator(this);
865 while (enumerator->enumerate(enumerator, &current))
866 {
867 if (current->get_type(current) == type)
868 {
869 found = current;
870 break;
871 }
872 }
873 enumerator->destroy(enumerator);
874 return found;
875 }
876
877 /**
878 * Implementation of message_t.get_notify
879 */
880 static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
881 {
882 enumerator_t *enumerator;
883 notify_payload_t *notify = NULL;
884 payload_t *payload;
885
886 enumerator = create_payload_enumerator(this);
887 while (enumerator->enumerate(enumerator, &payload))
888 {
889 if (payload->get_type(payload) == NOTIFY)
890 {
891 notify = (notify_payload_t*)payload;
892 if (notify->get_notify_type(notify) == type)
893 {
894 break;
895 }
896 notify = NULL;
897 }
898 }
899 enumerator->destroy(enumerator);
900 return notify;
901 }
902
903 /**
904 * get a string representation of the message
905 */
906 static char* get_string(private_message_t *this, char *buf, int len)
907 {
908 enumerator_t *enumerator;
909 payload_t *payload;
910 int written;
911 char *pos = buf;
912
913 memset(buf, 0, len);
914 len--;
915
916 written = snprintf(pos, len, "%N %s %d [",
917 exchange_type_names, this->exchange_type,
918 this->is_request ? "request" : "response",
919 this->message_id);
920 if (written >= len || written < 0)
921 {
922 return "";
923 }
924 pos += written;
925 len -= written;
926
927 enumerator = create_payload_enumerator(this);
928 while (enumerator->enumerate(enumerator, &payload))
929 {
930 written = snprintf(pos, len, " %N", payload_type_short_names,
931 payload->get_type(payload));
932 if (written >= len || written < 0)
933 {
934 return buf;
935 }
936 pos += written;
937 len -= written;
938 if (payload->get_type(payload) == NOTIFY)
939 {
940 notify_payload_t *notify = (notify_payload_t*)payload;
941 written = snprintf(pos, len, "(%N)", notify_type_short_names,
942 notify->get_notify_type(notify));
943 if (written >= len || written < 0)
944 {
945 return buf;
946 }
947 pos += written;
948 len -= written;
949 }
950 if (payload->get_type(payload) == EXTENSIBLE_AUTHENTICATION)
951 {
952 eap_payload_t *eap = (eap_payload_t*)payload;
953 u_int32_t vendor;
954 eap_type_t type;
955 char method[64] = "";
956
957 type = eap->get_type(eap, &vendor);
958 if (type)
959 {
960 if (vendor)
961 {
962 snprintf(method, sizeof(method), "/%d-%d", type, vendor);
963 }
964 else
965 {
966 snprintf(method, sizeof(method), "/%N",
967 eap_type_short_names, type);
968 }
969 }
970 written = snprintf(pos, len, "/%N%s", eap_code_short_names,
971 eap->get_code(eap), method);
972 if (written >= len || written < 0)
973 {
974 return buf;
975 }
976 pos += written;
977 len -= written;
978 }
979 if (payload->get_type(payload) == CONFIGURATION)
980 {
981 cp_payload_t *cp = (cp_payload_t*)payload;
982 enumerator_t *attributes;
983 configuration_attribute_t *attribute;
984 bool first = TRUE;
985
986 attributes = cp->create_attribute_enumerator(cp);
987 while (attributes->enumerate(attributes, &attribute))
988 {
989 written = snprintf(pos, len, "%s%N", first ? "(" : " ",
990 configuration_attribute_type_short_names,
991 attribute->get_type(attribute));
992 if (written >= len || written < 0)
993 {
994 return buf;
995 }
996 pos += written;
997 len -= written;
998 first = FALSE;
999 }
1000 attributes->destroy(attributes);
1001 if (!first)
1002 {
1003 written = snprintf(pos, len, ")");
1004 if (written >= len || written < 0)
1005 {
1006 return buf;
1007 }
1008 pos += written;
1009 len -= written;
1010 }
1011 }
1012 }
1013 enumerator->destroy(enumerator);
1014
1015 /* remove last space */
1016 snprintf(pos, len, " ]");
1017 return buf;
1018 }
1019
1020 /**
1021 * reorder payloads depending on reordering rules
1022 */
1023 static void order_payloads(private_message_t *this)
1024 {
1025 linked_list_t *list;
1026 payload_t *payload;
1027 int i;
1028
1029 /* move to temp list */
1030 list = linked_list_create();
1031 while (this->payloads->remove_last(this->payloads,
1032 (void**)&payload) == SUCCESS)
1033 {
1034 list->insert_first(list, payload);
1035 }
1036 /* for each rule, ... */
1037 for (i = 0; i < this->message_rule->payload_order_count; i++)
1038 {
1039 enumerator_t *enumerator;
1040 notify_payload_t *notify;
1041 payload_order_t order = this->message_rule->payload_order[i];
1042
1043 /* ... find all payload ... */
1044 enumerator = list->create_enumerator(list);
1045 while (enumerator->enumerate(enumerator, &payload))
1046 {
1047 /* ... with that type ... */
1048 if (payload->get_type(payload) == order.type)
1049 {
1050 notify = (notify_payload_t*)payload;
1051
1052 /**... and check notify for type. */
1053 if (order.type != NOTIFY || order.notify == 0 ||
1054 order.notify == notify->get_notify_type(notify))
1055 {
1056 list->remove_at(list, enumerator);
1057 add_payload(this, payload);
1058 }
1059 }
1060 }
1061 enumerator->destroy(enumerator);
1062 }
1063 /* append all payloads without a rule to the end */
1064 while (list->remove_last(list, (void**)&payload) == SUCCESS)
1065 {
1066 /* do not complain about payloads in private use space */
1067 if (payload->get_type(payload) < 128)
1068 {
1069 DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
1070 payload_type_names, payload->get_type(payload),
1071 exchange_type_names, this->message_rule->exchange_type,
1072 this->message_rule->is_request ? "request" : "response");
1073 }
1074 add_payload(this, payload);
1075 }
1076 list->destroy(list);
1077 }
1078
1079 /**
1080 * Implementation of private_message_t.encrypt_payloads.
1081 */
1082 static status_t encrypt_payloads(private_message_t *this,
1083 crypter_t *crypter, signer_t* signer)
1084 {
1085 encryption_payload_t *encryption;
1086 linked_list_t *payloads;
1087 payload_t *current;
1088 status_t status;
1089
1090 if (!this->message_rule->encrypted_content)
1091 {
1092 DBG2(DBG_ENC, "message doesn't have to be encrypted");
1093 /* message contains no content to encrypt */
1094 return SUCCESS;
1095 }
1096
1097 if (!crypter || !signer)
1098 {
1099 DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
1100 /* message contains no content to encrypt */
1101 return SUCCESS;
1102 }
1103
1104 DBG2(DBG_ENC, "copy all payloads to a temporary list");
1105 payloads = linked_list_create();
1106
1107 /* first copy all payloads in a temporary list */
1108 while (this->payloads->get_count(this->payloads) > 0)
1109 {
1110 this->payloads->remove_first(this->payloads, (void**)&current);
1111 payloads->insert_last(payloads, current);
1112 }
1113
1114 encryption = encryption_payload_create();
1115
1116 DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
1117 while (payloads->get_count(payloads) > 0)
1118 {
1119 payload_rule_t *rule;
1120 payload_type_t type;
1121 bool to_encrypt = TRUE;
1122
1123 payloads->remove_first(payloads, (void**)&current);
1124
1125 type = current->get_type(current);
1126 if (get_payload_rule(this, type, &rule) == SUCCESS)
1127 {
1128 to_encrypt = rule->encrypted;
1129 }
1130 if (to_encrypt)
1131 {
1132 DBG2(DBG_ENC, "insert payload %N to encryption payload",
1133 payload_type_names, current->get_type(current));
1134 encryption->add_payload(encryption, current);
1135 }
1136 else
1137 {
1138 DBG2(DBG_ENC, "insert payload %N unencrypted",
1139 payload_type_names, current->get_type(current));
1140 add_payload(this, (payload_t*)current);
1141 }
1142 }
1143
1144 DBG2(DBG_ENC, "encrypting encryption payload");
1145 encryption->set_transforms(encryption, crypter, signer);
1146 status = encryption->encrypt(encryption);
1147 DBG2(DBG_ENC, "add encrypted payload to payload list");
1148 add_payload(this, (payload_t*)encryption);
1149
1150 payloads->destroy(payloads);
1151
1152 return status;
1153 }
1154
1155 /**
1156 * Implementation of message_t.generate.
1157 */
1158 static status_t generate(private_message_t *this, crypter_t *crypter,
1159 signer_t* signer, packet_t **packet)
1160 {
1161 generator_t *generator;
1162 ike_header_t *ike_header;
1163 payload_t *payload, *next_payload;
1164 enumerator_t *enumerator;
1165 status_t status;
1166 chunk_t packet_data;
1167 char str[256];
1168
1169 if (is_encoded(this))
1170 {
1171 /* already generated, return a new packet clone */
1172 *packet = this->packet->clone(this->packet);
1173 return SUCCESS;
1174 }
1175
1176 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
1177 {
1178 DBG1(DBG_ENC, "exchange type is not defined");
1179 return INVALID_STATE;
1180 }
1181
1182 if (this->packet->get_source(this->packet) == NULL ||
1183 this->packet->get_destination(this->packet) == NULL)
1184 {
1185 DBG1(DBG_ENC, "%s not defined",
1186 !this->packet->get_source(this->packet) ? "source" : "destination");
1187 return INVALID_STATE;
1188 }
1189
1190 /* set the rules for this messge */
1191 status = set_message_rule(this);
1192 if (status != SUCCESS)
1193 {
1194 DBG1(DBG_ENC, "no message rules specified for this message type");
1195 return NOT_SUPPORTED;
1196 }
1197
1198 order_payloads(this);
1199
1200 DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
1201
1202 /* going to encrypt all content which have to be encrypted */
1203 status = encrypt_payloads(this, crypter, signer);
1204 if (status != SUCCESS)
1205 {
1206 DBG1(DBG_ENC, "payload encryption failed");
1207 return status;
1208 }
1209
1210 /* build ike header */
1211 ike_header = ike_header_create();
1212
1213 ike_header->set_exchange_type(ike_header, this->exchange_type);
1214 ike_header->set_message_id(ike_header, this->message_id);
1215 ike_header->set_response_flag(ike_header, !this->is_request);
1216 ike_header->set_initiator_flag(ike_header,
1217 this->ike_sa_id->is_initiator(this->ike_sa_id));
1218 ike_header->set_initiator_spi(ike_header,
1219 this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
1220 ike_header->set_responder_spi(ike_header,
1221 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1222
1223 generator = generator_create();
1224
1225 payload = (payload_t*)ike_header;
1226
1227 /* generate every payload expect last one, this is done later*/
1228 enumerator = create_payload_enumerator(this);
1229 while (enumerator->enumerate(enumerator, &next_payload))
1230 {
1231 payload->set_next_type(payload, next_payload->get_type(next_payload));
1232 generator->generate_payload(generator, payload);
1233 payload = next_payload;
1234 }
1235 enumerator->destroy(enumerator);
1236
1237 /* last payload has no next payload*/
1238 payload->set_next_type(payload, NO_PAYLOAD);
1239
1240 generator->generate_payload(generator, payload);
1241
1242 ike_header->destroy(ike_header);
1243
1244 /* build packet */
1245 generator->write_to_chunk(generator, &packet_data);
1246 generator->destroy(generator);
1247
1248 /* if last payload is of type encrypted, integrity checksum if necessary */
1249 if (payload->get_type(payload) == ENCRYPTED)
1250 {
1251 DBG2(DBG_ENC, "build signature on whole message");
1252 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
1253 status = encryption_payload->build_signature(encryption_payload, packet_data);
1254 if (status != SUCCESS)
1255 {
1256 return status;
1257 }
1258 }
1259
1260 this->packet->set_data(this->packet, packet_data);
1261
1262 /* clone packet for caller */
1263 *packet = this->packet->clone(this->packet);
1264
1265 DBG2(DBG_ENC, "message generated successfully");
1266 return SUCCESS;
1267 }
1268
1269 /**
1270 * Implementation of message_t.get_packet.
1271 */
1272 static packet_t *get_packet(private_message_t *this)
1273 {
1274 if (this->packet == NULL)
1275 {
1276 return NULL;
1277 }
1278 return this->packet->clone(this->packet);
1279 }
1280
1281 /**
1282 * Implementation of message_t.get_packet_data.
1283 */
1284 static chunk_t get_packet_data(private_message_t *this)
1285 {
1286 if (this->packet == NULL)
1287 {
1288 return chunk_empty;
1289 }
1290 return chunk_clone(this->packet->get_data(this->packet));
1291 }
1292
1293 /**
1294 * Implementation of message_t.parse_header.
1295 */
1296 static status_t parse_header(private_message_t *this)
1297 {
1298 ike_header_t *ike_header;
1299 status_t status;
1300
1301 DBG2(DBG_ENC, "parsing header of message");
1302
1303 this->parser->reset_context(this->parser);
1304 status = this->parser->parse_payload(this->parser, HEADER,
1305 (payload_t**)&ike_header);
1306 if (status != SUCCESS)
1307 {
1308 DBG1(DBG_ENC, "header could not be parsed");
1309 return status;
1310
1311 }
1312
1313 /* verify payload */
1314 status = ike_header->payload_interface.verify(
1315 &ike_header->payload_interface);
1316 if (status != SUCCESS)
1317 {
1318 DBG1(DBG_ENC, "header verification failed");
1319 ike_header->destroy(ike_header);
1320 return status;
1321 }
1322
1323 if (this->ike_sa_id != NULL)
1324 {
1325 this->ike_sa_id->destroy(this->ike_sa_id);
1326 }
1327
1328 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
1329 ike_header->get_responder_spi(ike_header),
1330 ike_header->get_initiator_flag(ike_header));
1331
1332 this->exchange_type = ike_header->get_exchange_type(ike_header);
1333 this->message_id = ike_header->get_message_id(ike_header);
1334 this->is_request = (!(ike_header->get_response_flag(ike_header)));
1335 this->major_version = ike_header->get_maj_version(ike_header);
1336 this->minor_version = ike_header->get_min_version(ike_header);
1337 this->first_payload = ike_header->payload_interface.get_next_type(
1338 &ike_header->payload_interface);
1339
1340 DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
1341 this->is_request ? "request" : "response");
1342
1343 ike_header->destroy(ike_header);
1344
1345 /* get the rules for this messge */
1346 status = set_message_rule(this);
1347 if (status != SUCCESS)
1348 {
1349 DBG1(DBG_ENC, "no message rules specified for a %N %s",
1350 exchange_type_names, this->exchange_type,
1351 this->is_request ? "request" : "response");
1352 }
1353
1354 return status;
1355 }
1356
1357 /**
1358 * Implementation of private_message_t.decrypt_and_verify_payloads.
1359 */
1360 static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
1361 signer_t* signer)
1362 {
1363 bool current_payload_was_encrypted = FALSE;
1364 payload_t *previous_payload = NULL;
1365 int payload_number = 1;
1366 iterator_t *iterator;
1367 payload_t *current_payload;
1368 status_t status;
1369
1370 iterator = this->payloads->create_iterator(this->payloads,TRUE);
1371
1372 /* process each payload and decrypt a encryption payload */
1373 while(iterator->iterate(iterator, (void**)&current_payload))
1374 {
1375 payload_rule_t *payload_rule;
1376 payload_type_t current_payload_type;
1377
1378 /* needed to check */
1379 current_payload_type = current_payload->get_type(current_payload);
1380
1381 DBG2(DBG_ENC, "process payload of type %N",
1382 payload_type_names, current_payload_type);
1383
1384 if (current_payload_type == ENCRYPTED)
1385 {
1386 encryption_payload_t *encryption_payload;
1387 payload_t *current_encrypted_payload;
1388
1389 encryption_payload = (encryption_payload_t*)current_payload;
1390
1391 DBG2(DBG_ENC, "found an encryption payload");
1392
1393 if (payload_number != this->payloads->get_count(this->payloads))
1394 {
1395 /* encrypted payload is not last one */
1396 DBG1(DBG_ENC, "encrypted payload is not last payload");
1397 iterator->destroy(iterator);
1398 return VERIFY_ERROR;
1399 }
1400 /* decrypt */
1401 encryption_payload->set_transforms(encryption_payload,
1402 crypter, signer);
1403 DBG2(DBG_ENC, "verify signature of encryption payload");
1404 status = encryption_payload->verify_signature(encryption_payload,
1405 this->packet->get_data(this->packet));
1406 if (status != SUCCESS)
1407 {
1408 DBG1(DBG_ENC, "encryption payload signature invalid");
1409 iterator->destroy(iterator);
1410 return FAILED;
1411 }
1412 DBG2(DBG_ENC, "decrypting content of encryption payload");
1413 status = encryption_payload->decrypt(encryption_payload);
1414 if (status != SUCCESS)
1415 {
1416 DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
1417 iterator->destroy(iterator);
1418 return PARSE_ERROR;
1419 }
1420
1421 /* needed later to find out if a payload was encrypted */
1422 current_payload_was_encrypted = TRUE;
1423
1424 /* check if there are payloads contained in the encryption payload */
1425 if (encryption_payload->get_payload_count(encryption_payload) == 0)
1426 {
1427 DBG2(DBG_ENC, "encrypted payload is empty");
1428 /* remove the encryption payload, is not needed anymore */
1429 iterator->remove(iterator);
1430 /* encrypted payload contains no other payload */
1431 current_payload_type = NO_PAYLOAD;
1432 }
1433 else
1434 {
1435 /* encryption_payload is replaced with first payload contained
1436 * in encryption_payload */
1437 encryption_payload->remove_first_payload(encryption_payload,
1438 &current_encrypted_payload);
1439 iterator->replace(iterator, NULL,
1440 (void *)current_encrypted_payload);
1441 current_payload_type = current_encrypted_payload->get_type(
1442 current_encrypted_payload);
1443 }
1444
1445 /* is the current paylad the first in the message? */
1446 if (previous_payload == NULL)
1447 {
1448 /* yes, set the first payload type of the message to the
1449 * current type */
1450 this->first_payload = current_payload_type;
1451 }
1452 else
1453 {
1454 /* no, set the next_type of the previous payload to the
1455 * current type */
1456 previous_payload->set_next_type(previous_payload,
1457 current_payload_type);
1458 }
1459
1460 /* all encrypted payloads are added to the payload list */
1461 while (encryption_payload->get_payload_count(encryption_payload) > 0)
1462 {
1463 encryption_payload->remove_first_payload(encryption_payload,
1464 &current_encrypted_payload);
1465 DBG2(DBG_ENC, "insert unencrypted payload of type "
1466 "%N at end of list", payload_type_names,
1467 current_encrypted_payload->get_type(
1468 current_encrypted_payload));
1469 this->payloads->insert_last(this->payloads,
1470 current_encrypted_payload);
1471 }
1472
1473 /* encryption payload is processed, payloads are moved. Destroy it. */
1474 encryption_payload->destroy(encryption_payload);
1475 }
1476
1477 /* we allow unknown payloads of any type and don't bother if it was
1478 * encrypted. Not our problem. */
1479 if (current_payload_type != UNKNOWN_PAYLOAD &&
1480 current_payload_type != NO_PAYLOAD)
1481 {
1482 /* get the ruleset for found payload */
1483 status = get_payload_rule(this, current_payload_type, &payload_rule);
1484 if (status != SUCCESS)
1485 {
1486 /* payload is not allowed */
1487 DBG1(DBG_ENC, "payload type %N not allowed",
1488 payload_type_names, current_payload_type);
1489 iterator->destroy(iterator);
1490 return VERIFY_ERROR;
1491 }
1492
1493 /* check if the payload was encrypted, and if it should been have
1494 * encrypted */
1495 if (payload_rule->encrypted != current_payload_was_encrypted)
1496 {
1497 /* payload was not encrypted, but should have been.
1498 * or vice-versa */
1499 DBG1(DBG_ENC, "payload type %N should be %s!",
1500 payload_type_names, current_payload_type,
1501 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1502 iterator->destroy(iterator);
1503 return VERIFY_ERROR;
1504 }
1505 }
1506 /* advance to the next payload */
1507 payload_number++;
1508 /* is stored to set next payload in case of found encryption payload */
1509 previous_payload = current_payload;
1510 }
1511 iterator->destroy(iterator);
1512 return SUCCESS;
1513 }
1514
1515 /**
1516 * Implementation of private_message_t.verify.
1517 */
1518 static status_t verify(private_message_t *this)
1519 {
1520 int i;
1521 enumerator_t *enumerator;
1522 payload_t *current_payload;
1523 size_t total_found_payloads = 0;
1524
1525 DBG2(DBG_ENC, "verifying message structure");
1526
1527 /* check for payloads with wrong count*/
1528 for (i = 0; i < this->message_rule->payload_rule_count; i++)
1529 {
1530 size_t found_payloads = 0;
1531 payload_rule_t *rule;
1532
1533 rule = &this->message_rule->payload_rules[i];
1534 enumerator = create_payload_enumerator(this);
1535
1536 /* check all payloads for specific rule */
1537 while (enumerator->enumerate(enumerator, &current_payload))
1538 {
1539 payload_type_t current_payload_type;
1540 unknown_payload_t *unknown_payload;
1541
1542 current_payload_type = current_payload->get_type(current_payload);
1543 if (current_payload_type == UNKNOWN_PAYLOAD)
1544 {
1545 /* unknown payloads are ignored, IF they are not critical */
1546 unknown_payload = (unknown_payload_t*)current_payload;
1547 if (unknown_payload->is_critical(unknown_payload))
1548 {
1549 DBG1(DBG_ENC, "%N is not supported, but its critical!",
1550 payload_type_names, current_payload_type);
1551 enumerator->destroy(enumerator);
1552 return NOT_SUPPORTED;
1553 }
1554 }
1555 else if (current_payload_type == rule->payload_type)
1556 {
1557 found_payloads++;
1558 total_found_payloads++;
1559 DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
1560 rule->payload_type);
1561
1562 /* as soon as ohe payload occures more then specified,
1563 * the verification fails */
1564 if (found_payloads >
1565 rule->max_occurence)
1566 {
1567 DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
1568 "occured in current message", payload_type_names,
1569 current_payload_type, rule->max_occurence,
1570 found_payloads);
1571 enumerator->destroy(enumerator);
1572 return VERIFY_ERROR;
1573 }
1574 }
1575 }
1576 enumerator->destroy(enumerator);
1577
1578 if (found_payloads < rule->min_occurence)
1579 {
1580 DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
1581 payload_type_names, rule->payload_type, rule->min_occurence,
1582 found_payloads);
1583 return VERIFY_ERROR;
1584 }
1585 if (rule->sufficient)
1586 {
1587 return SUCCESS;
1588 }
1589 }
1590 return SUCCESS;
1591 }
1592
1593 /**
1594 * Implementation of message_t.parse_body.
1595 */
1596 static status_t parse_body(private_message_t *this, crypter_t *crypter,
1597 signer_t *signer)
1598 {
1599 status_t status = SUCCESS;
1600 payload_type_t current_payload_type;
1601 char str[256];
1602
1603 current_payload_type = this->first_payload;
1604
1605 DBG2(DBG_ENC, "parsing body of message, first payload is %N",
1606 payload_type_names, current_payload_type);
1607
1608 /* parse payload for payload, while there are more available */
1609 while ((current_payload_type != NO_PAYLOAD))
1610 {
1611 payload_t *current_payload;
1612
1613 DBG2(DBG_ENC, "starting parsing a %N payload",
1614 payload_type_names, current_payload_type);
1615
1616 /* parse current payload */
1617 status = this->parser->parse_payload(this->parser, current_payload_type,
1618 (payload_t**)&current_payload);
1619 if (status != SUCCESS)
1620 {
1621 DBG1(DBG_ENC, "payload type %N could not be parsed",
1622 payload_type_names, current_payload_type);
1623 return PARSE_ERROR;
1624 }
1625
1626 DBG2(DBG_ENC, "verifying payload of type %N",
1627 payload_type_names, current_payload_type);
1628
1629 /* verify it, stop parsig if its invalid */
1630 status = current_payload->verify(current_payload);
1631 if (status != SUCCESS)
1632 {
1633 DBG1(DBG_ENC, "%N payload verification failed",
1634 payload_type_names, current_payload_type);
1635 current_payload->destroy(current_payload);
1636 return VERIFY_ERROR;
1637 }
1638
1639 DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
1640 payload_type_names, current_payload_type);
1641 this->payloads->insert_last(this->payloads,current_payload);
1642
1643 /* an encryption payload is the last one, so STOP here. decryption is
1644 * done later */
1645 if (current_payload_type == ENCRYPTED)
1646 {
1647 DBG2(DBG_ENC, "%N payload found. Stop parsing",
1648 payload_type_names, current_payload_type);
1649 break;
1650 }
1651
1652 /* get next payload type */
1653 current_payload_type = current_payload->get_next_type(current_payload);
1654 }
1655
1656 if (current_payload_type == ENCRYPTED)
1657 {
1658 status = decrypt_payloads(this,crypter,signer);
1659 if (status != SUCCESS)
1660 {
1661 DBG1(DBG_ENC, "could not decrypt payloads");
1662 return status;
1663 }
1664 }
1665
1666 status = verify(this);
1667 if (status != SUCCESS)
1668 {
1669 return status;
1670 }
1671
1672 DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
1673
1674 return SUCCESS;
1675 }
1676
1677 /**
1678 * Implementation of message_t.destroy.
1679 */
1680 static void destroy (private_message_t *this)
1681 {
1682 DESTROY_IF(this->ike_sa_id);
1683 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
1684 this->packet->destroy(this->packet);
1685 this->parser->destroy(this->parser);
1686 free(this);
1687 }
1688
1689 /*
1690 * Described in Header-File
1691 */
1692 message_t *message_create_from_packet(packet_t *packet)
1693 {
1694 private_message_t *this = malloc_thing(private_message_t);
1695
1696 /* public functions */
1697 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1698 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1699 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1700 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1701 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1702 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1703 this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
1704 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1705 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1706 this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
1707 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1708 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1709 this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
1710 this->public.set_request = (void(*)(message_t*, bool))set_request;
1711 this->public.get_request = (bool(*)(message_t*))get_request;
1712 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1713 this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
1714 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1715 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1716 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1717 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1718 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1719 this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
1720 this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
1721 this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
1722 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1723 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1724 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1725 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1726 this->public.destroy = (void(*)(message_t*))destroy;
1727
1728 /* private values */
1729 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1730 this->is_request = TRUE;
1731 this->ike_sa_id = NULL;
1732 this->first_payload = NO_PAYLOAD;
1733 this->message_id = 0;
1734
1735 /* private values */
1736 if (packet == NULL)
1737 {
1738 packet = packet_create();
1739 }
1740 this->message_rule = NULL;
1741 this->packet = packet;
1742 this->payloads = linked_list_create();
1743
1744 /* parser is created from data of packet */
1745 this->parser = parser_create(this->packet->get_data(this->packet));
1746
1747 return (&this->public);
1748 }
1749
1750 /*
1751 * Described in Header.
1752 */
1753 message_t *message_create()
1754 {
1755 return message_create_from_packet(NULL);
1756 }
1757