4 * @brief Implementation of message_t.
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
29 #include <sa/ike_sa_id.h>
30 #include <encoding/generator.h>
31 #include <encoding/parser.h>
32 #include <utils/linked_list.h>
33 #include <utils/logger_manager.h>
34 #include <encoding/payloads/encodings.h>
35 #include <encoding/payloads/payload.h>
36 #include <encoding/payloads/encryption_payload.h>
37 #include <encoding/payloads/unknown_payload.h>
40 * Max number of notify payloads per IKEv2 Message
42 #define MAX_NOTIFY_PAYLOADS 10
45 typedef struct payload_rule_t payload_rule_t
;
48 * A payload rule defines the rules for a payload
49 * in a specific message rule. It defines if and how
50 * many times a payload must/can occur in a message
51 * and if it must be encrypted.
53 struct payload_rule_t
{
57 payload_type_t payload_type
;
60 * Minimal occurence of this payload.
65 * Max occurence of this payload.
70 * TRUE if payload must be encrypted
75 * If this payload occurs, the message rule is
76 * fullfilled in any case. This applies e.g. to
82 typedef struct message_rule_t message_rule_t
;
85 * A message rule defines the kind of a message,
86 * if it has encrypted contents and a list
90 struct message_rule_t
{
94 exchange_type_t exchange_type
;
97 * Is message a request or response.
102 * Message contains encrypted content.
104 bool encrypted_content
;
107 * Number of payload rules which will follow
109 size_t payload_rule_count
;
112 * Pointer to first payload rule
114 payload_rule_t
*payload_rules
;
118 * Message rule for IKE_SA_INIT from initiator.
120 static payload_rule_t ike_sa_init_i_payload_rules
[] = {
121 {NOTIFY
,0,MAX_NOTIFY_PAYLOADS
,FALSE
,FALSE
},
122 {SECURITY_ASSOCIATION
,1,1,FALSE
,FALSE
},
123 {KEY_EXCHANGE
,1,1,FALSE
,FALSE
},
124 {NONCE
,1,1,FALSE
,FALSE
},
128 * Message rule for IKE_SA_INIT from responder.
130 static payload_rule_t ike_sa_init_r_payload_rules
[] = {
131 {NOTIFY
,0,MAX_NOTIFY_PAYLOADS
,FALSE
,TRUE
},
132 {SECURITY_ASSOCIATION
,1,1,FALSE
,FALSE
},
133 {KEY_EXCHANGE
,1,1,FALSE
,FALSE
},
134 {NONCE
,1,1,FALSE
,FALSE
},
138 * Message rule for IKE_AUTH from initiator.
140 static payload_rule_t ike_auth_i_payload_rules
[] = {
141 {NOTIFY
,0,MAX_NOTIFY_PAYLOADS
,TRUE
,FALSE
},
142 {ID_INITIATOR
,1,1,TRUE
,FALSE
},
143 {CERTIFICATE
,0,1,TRUE
,FALSE
},
144 {CERTIFICATE_REQUEST
,0,1,TRUE
,FALSE
},
145 {ID_RESPONDER
,0,1,TRUE
,FALSE
},
146 {AUTHENTICATION
,1,1,TRUE
,FALSE
},
147 {SECURITY_ASSOCIATION
,1,1,TRUE
,FALSE
},
148 {TRAFFIC_SELECTOR_INITIATOR
,1,1,TRUE
,FALSE
},
149 {TRAFFIC_SELECTOR_RESPONDER
,1,1,TRUE
,FALSE
},
150 {CONFIGURATION
,0,1,TRUE
,FALSE
},
154 * Message rule for IKE_AUTH from responder.
156 static payload_rule_t ike_auth_r_payload_rules
[] = {
157 {NOTIFY
,0,MAX_NOTIFY_PAYLOADS
,TRUE
,TRUE
},
158 {CERTIFICATE
,0,1,TRUE
,FALSE
},
159 {ID_RESPONDER
,1,1,TRUE
,FALSE
},
160 {AUTHENTICATION
,1,1,TRUE
,FALSE
},
161 {SECURITY_ASSOCIATION
,1,1,TRUE
,FALSE
},
162 {TRAFFIC_SELECTOR_INITIATOR
,1,1,TRUE
,FALSE
},
163 {TRAFFIC_SELECTOR_RESPONDER
,1,1,TRUE
,FALSE
},
164 {CONFIGURATION
,0,1,TRUE
,FALSE
},
169 * Message rule for INFORMATIONAL from initiator.
171 static payload_rule_t informational_i_payload_rules
[] = {
172 {NOTIFY
,0,MAX_NOTIFY_PAYLOADS
,TRUE
,FALSE
},
173 {CONFIGURATION
,0,1,TRUE
,FALSE
},
174 {DELETE
,0,1,TRUE
,FALSE
},
179 * Message rule for INFORMATIONAL from responder.
181 static payload_rule_t informational_r_payload_rules
[] = {
182 {NOTIFY
,0,MAX_NOTIFY_PAYLOADS
,TRUE
,FALSE
},
183 {CONFIGURATION
,0,1,TRUE
,FALSE
},
184 {DELETE
,0,1,TRUE
,FALSE
},
189 * Message rules, defines allowed payloads.
191 static message_rule_t message_rules
[] = {
192 {IKE_SA_INIT
,TRUE
,FALSE
,(sizeof(ike_sa_init_i_payload_rules
)/sizeof(payload_rule_t
)),ike_sa_init_i_payload_rules
},
193 {IKE_SA_INIT
,FALSE
,FALSE
,(sizeof(ike_sa_init_r_payload_rules
)/sizeof(payload_rule_t
)),ike_sa_init_r_payload_rules
},
194 {IKE_AUTH
,TRUE
,TRUE
,(sizeof(ike_auth_i_payload_rules
)/sizeof(payload_rule_t
)),ike_auth_i_payload_rules
},
195 {IKE_AUTH
,FALSE
,TRUE
,(sizeof(ike_auth_r_payload_rules
)/sizeof(payload_rule_t
)),ike_auth_r_payload_rules
},
196 {INFORMATIONAL
,TRUE
,TRUE
,(sizeof(informational_i_payload_rules
)/sizeof(payload_rule_t
)),informational_i_payload_rules
},
197 {INFORMATIONAL
,FALSE
,TRUE
,(sizeof(informational_r_payload_rules
)/sizeof(payload_rule_t
)),informational_r_payload_rules
}
201 typedef struct private_message_t private_message_t
;
204 * Private data of an message_t object.
206 struct private_message_t
{
209 * Public part of a message_t object.
214 * Minor version of message.
216 u_int8_t major_version
;
219 * Major version of message.
221 u_int8_t minor_version
;
224 * First Payload in message.
226 payload_type_t first_payload
;
229 * Assigned exchange type.
231 exchange_type_t exchange_type
;
234 * TRUE if message is a request, FALSE if a reply.
239 * Message ID of this message.
241 u_int32_t message_id
;
244 * ID of assigned IKE_SA.
246 ike_sa_id_t
*ike_sa_id
;
249 * Assigned UDP packet, stores incoming packet or last generated one.
254 * Linked List where payload data are stored in.
256 linked_list_t
*payloads
;
259 * Assigned parser to parse Header and Body of this message.
264 * The message rule for this message instance
266 message_rule_t
*message_rule
;
274 * Sets the private message_rule member to the rule which
275 * applies to this message. Must be called before get_payload_rule().
277 * @param this calling object
280 * - NOT_FOUND if no message rule applies to this message.
282 status_t (*set_message_rule
) (private_message_t
*this);
285 * Gets the payload_rule_t for a specific message_rule_t and payload type.
287 * @param this calling object
288 * @param payload_type payload type
289 * @param[out] payload_rule returned payload_rule_t
292 * - NOT_FOUND if payload not defined in current message rule
293 * - INVALID_STATE if message rule is not set via set_message_rule()
295 status_t (*get_payload_rule
) (private_message_t
*this, payload_type_t payload_type
, payload_rule_t
**payload_rule
);
298 * Encrypts all payloads which has to get encrypted.
300 * Can also be called with messages not containing encrypted content.
302 * @param this calling object
303 * @param crypter crypter_t object
304 * @param signer signer_t object
307 * - INVALID_STATE if no crypter/signer supplied but needed
309 status_t (*encrypt_payloads
) (private_message_t
*this,crypter_t
*crypter
, signer_t
* signer
);
312 * Decrypts encrypted contents, and checks if a payload is encrypted if it has to be.
314 * @param this calling object
315 * @param crypter crypter_t object
316 * @param signer signer_t object
319 * - FAILED if decryption not successfull
320 * - INVALID_STATE if no crypter/signer supplied but needed
322 status_t (*decrypt_payloads
) (private_message_t
*this,crypter_t
*crypter
, signer_t
* signer
);
325 * Verifies the message. Checks for payloads count.
327 * @param calling object
329 * - SUCCESS if message valid, or
330 * - FAILED if message does not align with message rules.
332 status_t (*verify
) (private_message_t
*this);
336 * Implementation of private_message_t.set_message_rule.
338 static status_t
set_message_rule(private_message_t
*this)
342 for (i
= 0; i
< (sizeof(message_rules
) / sizeof(message_rule_t
)); i
++)
344 if ((this->exchange_type
== message_rules
[i
].exchange_type
) &&
345 (this->is_request
== message_rules
[i
].is_request
))
347 /* found rule for given exchange_type*/
348 this->message_rule
= &(message_rules
[i
]);
352 this->message_rule
= NULL
;
357 * Implementation of private_message_t.get_payload_rule.
359 static status_t
get_payload_rule(private_message_t
*this, payload_type_t payload_type
, payload_rule_t
**payload_rule
)
363 for (i
= 0; i
< this->message_rule
->payload_rule_count
;i
++)
365 if (this->message_rule
->payload_rules
[i
].payload_type
== payload_type
)
367 *payload_rule
= &(this->message_rule
->payload_rules
[i
]);
372 *payload_rule
= NULL
;
377 * Implementation of message_t.set_ike_sa_id.
379 static void set_ike_sa_id (private_message_t
*this,ike_sa_id_t
*ike_sa_id
)
381 this->ike_sa_id
= ike_sa_id
->clone(ike_sa_id
);
385 * Implementation of message_t.get_ike_sa_id.
387 static status_t
get_ike_sa_id (private_message_t
*this,ike_sa_id_t
**ike_sa_id
)
389 if (this->ike_sa_id
== NULL
)
393 *ike_sa_id
= this->ike_sa_id
->clone(this->ike_sa_id
);
398 * Implementation of message_t.set_message_id.
400 static void set_message_id (private_message_t
*this,u_int32_t message_id
)
402 this->message_id
= message_id
;
406 * Implementation of message_t.get_message_id.
408 static u_int32_t
get_message_id (private_message_t
*this)
410 return this->message_id
;
414 * Implementation of message_t.get_responder_spi.
416 static u_int64_t
get_responder_spi (private_message_t
*this)
418 return (this->ike_sa_id
->get_responder_spi(this->ike_sa_id
));
422 * Implementation of message_t.set_major_version.
424 static void set_major_version (private_message_t
*this,u_int8_t major_version
)
426 this->major_version
= major_version
;
431 * Implementation of message_t.set_major_version.
433 static u_int8_t
get_major_version (private_message_t
*this)
435 return this->major_version
;
439 * Implementation of message_t.set_minor_version.
441 static void set_minor_version (private_message_t
*this,u_int8_t minor_version
)
443 this->minor_version
= minor_version
;
447 * Implementation of message_t.get_minor_version.
449 static u_int8_t
get_minor_version (private_message_t
*this)
451 return this->minor_version
;
455 * Implementation of message_t.set_exchange_type.
457 static void set_exchange_type (private_message_t
*this,exchange_type_t exchange_type
)
459 this->exchange_type
= exchange_type
;
463 * Implementation of message_t.get_exchange_type.
465 static exchange_type_t
get_exchange_type (private_message_t
*this)
467 return this->exchange_type
;
471 * Implementation of message_t.set_request.
473 static void set_request (private_message_t
*this,bool request
)
475 this->is_request
= request
;
479 * Implementation of message_t.get_request.
481 static exchange_type_t
get_request (private_message_t
*this)
483 return this->is_request
;
487 * Implementation of message_t.add_payload.
489 static void add_payload(private_message_t
*this, payload_t
*payload
)
491 payload_t
*last_payload
;
492 if (this->payloads
->get_count(this->payloads
) > 0)
494 this->payloads
->get_last(this->payloads
,(void **) &last_payload
);
495 last_payload
->set_next_type(last_payload
, payload
->get_type(payload
));
499 this->first_payload
= payload
->get_type(payload
);
501 payload
->set_next_type(payload
, NO_PAYLOAD
);
502 this->payloads
->insert_last(this->payloads
, (void*)payload
);
504 this->logger
->log(this->logger
, CONTROL
|LEVEL1
, "Added payload of type %s to message",
505 mapping_find(payload_type_m
, payload
->get_type(payload
)));
509 * Implementation of message_t.set_source.
511 static void set_source(private_message_t
*this, host_t
*host
)
513 this->packet
->set_source(this->packet
, host
);
517 * Implementation of message_t.set_destination.
519 static void set_destination(private_message_t
*this, host_t
*host
)
522 this->packet
->set_destination(this->packet
, host
);
526 * Implementation of message_t.get_source.
528 static host_t
* get_source(private_message_t
*this)
530 return this->packet
->get_source(this->packet
);
534 * Implementation of message_t.get_destination.
536 static host_t
* get_destination(private_message_t
*this)
538 return this->packet
->get_destination(this->packet
);
542 * Implementation of message_t.get_destination.
544 static iterator_t
*get_payload_iterator(private_message_t
*this)
546 return this->payloads
->create_iterator(this->payloads
, TRUE
);
551 * Implementation of message_t.generate.
553 static status_t
generate(private_message_t
*this, crypter_t
*crypter
, signer_t
* signer
, packet_t
**packet
)
555 generator_t
*generator
;
556 ike_header_t
*ike_header
;
557 payload_t
*payload
, *next_payload
;
558 iterator_t
*iterator
;
562 this->logger
->log(this->logger
, CONTROL
, "Generating message of type %s, contains %d payloads",
563 mapping_find(exchange_type_m
,this->exchange_type
),
564 this->payloads
->get_count(this->payloads
));
566 if (this->exchange_type
== EXCHANGE_TYPE_UNDEFINED
)
568 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "Exchange type %s is not defined",
569 mapping_find(exchange_type_m
,this->exchange_type
));
570 return INVALID_STATE
;
573 if (this->packet
->get_source(this->packet
) == NULL
||
574 this->packet
->get_destination(this->packet
) == NULL
)
576 this->logger
->log(this->logger
, ERROR
|LEVEL1
, "%s not defined",
577 !this->packet
->get_source(this->packet
) ? "source" : "destination");
578 return INVALID_STATE
;
581 /* set the rules for this messge */
582 status
= this->set_message_rule(this);
583 if (status
!= SUCCESS
)
585 this->logger
->log(this->logger
, ERROR
, "No message rules specified for a %s %s",
586 mapping_find(exchange_type_m
,this->exchange_type
),
587 this->is_request
? "request" : "response");
588 return NOT_SUPPORTED
;
592 /* going to encrypt all content which have to be encrypted */
593 status
= this->encrypt_payloads(this, crypter
, signer
);
594 if (status
!= SUCCESS
)
596 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "Could not encrypt payloads");
600 /* build ike header */
601 ike_header
= ike_header_create();
603 ike_header
->set_exchange_type(ike_header
, this->exchange_type
);
604 ike_header
->set_message_id(ike_header
, this->message_id
);
605 ike_header
->set_response_flag(ike_header
, !this->is_request
);
606 ike_header
->set_initiator_flag(ike_header
, this->ike_sa_id
->is_initiator(this->ike_sa_id
));
607 ike_header
->set_initiator_spi(ike_header
, this->ike_sa_id
->get_initiator_spi(this->ike_sa_id
));
608 ike_header
->set_responder_spi(ike_header
, this->ike_sa_id
->get_responder_spi(this->ike_sa_id
));
610 generator
= generator_create();
612 payload
= (payload_t
*)ike_header
;
615 /* generate every payload expect last one, this is doen later*/
616 iterator
= this->payloads
->create_iterator(this->payloads
, TRUE
);
617 while(iterator
->has_next(iterator
))
619 iterator
->current(iterator
, (void**)&next_payload
);
620 payload
->set_next_type(payload
, next_payload
->get_type(next_payload
));
621 generator
->generate_payload(generator
, payload
);
622 payload
= next_payload
;
624 iterator
->destroy(iterator
);
626 /* last payload has no next payload*/
627 payload
->set_next_type(payload
, NO_PAYLOAD
);
629 generator
->generate_payload(generator
, payload
);
631 ike_header
->destroy(ike_header
);
634 generator
->write_to_chunk(generator
, &packet_data
);
635 generator
->destroy(generator
);
637 /* if last payload is of type encrypted, integrity checksum if necessary */
638 if (payload
->get_type(payload
) == ENCRYPTED
)
640 this->logger
->log(this->logger
, CONTROL
| LEVEL1
, "Build signature on whole message");
641 encryption_payload_t
*encryption_payload
= (encryption_payload_t
*)payload
;
642 status
= encryption_payload
->build_signature(encryption_payload
, packet_data
);
643 if (status
!= SUCCESS
)
649 this->packet
->set_data(this->packet
, packet_data
);
651 /* clone packet for caller */
652 *packet
= this->packet
->clone(this->packet
);
654 this->logger
->log(this->logger
, CONTROL
|LEVEL1
, "Message of type %s generated successfully",
655 mapping_find(exchange_type_m
,this->exchange_type
));
660 * Implementation of message_t.get_packet.
662 static packet_t
*get_packet (private_message_t
*this)
664 return this->packet
->clone(this->packet
);
668 * Implementation of message_t.get_packet_data.
670 static chunk_t
get_packet_data (private_message_t
*this)
672 return chunk_clone(this->packet
->get_data(this->packet
));
676 * Implementation of message_t.parse_header.
678 static status_t
parse_header(private_message_t
*this)
680 ike_header_t
*ike_header
;
684 this->logger
->log(this->logger
, CONTROL
|LEVEL1
, "parsing Header of message");
686 this->parser
->reset_context(this->parser
);
687 status
= this->parser
->parse_payload(this->parser
,HEADER
,(payload_t
**) &ike_header
);
688 if (status
!= SUCCESS
)
690 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "Header could not be parsed");
696 status
= ike_header
->payload_interface
.verify(&(ike_header
->payload_interface
));
697 if (status
!= SUCCESS
)
699 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "Header verification failed");
700 ike_header
->destroy(ike_header
);
704 if (this->ike_sa_id
!= NULL
)
706 this->ike_sa_id
->destroy(this->ike_sa_id
);
709 this->ike_sa_id
= ike_sa_id_create(ike_header
->get_initiator_spi(ike_header
),
710 ike_header
->get_responder_spi(ike_header
),
711 ike_header
->get_initiator_flag(ike_header
));
713 this->exchange_type
= ike_header
->get_exchange_type(ike_header
);
714 this->message_id
= ike_header
->get_message_id(ike_header
);
715 this->is_request
= (!(ike_header
->get_response_flag(ike_header
)));
716 this->major_version
= ike_header
->get_maj_version(ike_header
);
717 this->minor_version
= ike_header
->get_min_version(ike_header
);
718 this->first_payload
= ike_header
->payload_interface
.get_next_type(&(ike_header
->payload_interface
));
720 this->logger
->log(this->logger
, CONTROL
, "Parsed a %s %s",
721 mapping_find(exchange_type_m
, this->exchange_type
),
722 this->is_request
? "request" : "response");
724 ike_header
->destroy(ike_header
);
726 /* get the rules for this messge */
727 status
= this->set_message_rule(this);
728 if (status
!= SUCCESS
)
730 this->logger
->log(this->logger
, ERROR
, "No message rules specified for a %s %s",
731 mapping_find(exchange_type_m
,this->exchange_type
),
732 this->is_request
? "request" : "response");
739 * Implementation of message_t.parse_body.
741 static status_t
parse_body(private_message_t
*this, crypter_t
*crypter
, signer_t
*signer
)
743 status_t status
= SUCCESS
;
744 payload_type_t current_payload_type
;
746 current_payload_type
= this->first_payload
;
748 this->logger
->log(this->logger
, CONTROL
|LEVEL1
, "Parsing body of message, first payload is %s",
749 mapping_find(payload_type_m
, current_payload_type
));
751 /* parse payload for payload, while there are more available */
752 while ((current_payload_type
!= NO_PAYLOAD
))
754 payload_t
*current_payload
;
756 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Start parsing a %s payload",
757 mapping_find(payload_type_m
, current_payload_type
));
759 /* parse current payload */
760 status
= this->parser
->parse_payload(this->parser
,current_payload_type
,(payload_t
**) ¤t_payload
);
762 if (status
!= SUCCESS
)
764 this->logger
->log(this->logger
, ERROR
, "Payload type %s could not be parsed",
765 mapping_find(payload_type_m
,current_payload_type
));
769 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Verify payload of type %s",
770 mapping_find(payload_type_m
, current_payload_type
));
772 /* verify it, stop parsig if its invalid */
773 status
= current_payload
->verify(current_payload
);
774 if (status
!= SUCCESS
)
776 this->logger
->log(this->logger
, ERROR
, "%s payload verification failed",
777 mapping_find(payload_type_m
,current_payload_type
));
778 current_payload
->destroy(current_payload
);
779 status
= VERIFY_ERROR
;
783 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "%s payload verified. Adding to payload list",
784 mapping_find(payload_type_m
, current_payload_type
));
785 this->payloads
->insert_last(this->payloads
,current_payload
);
787 /* an encryption payload is the last one, so STOP here. decryption is done later */
788 if (current_payload_type
== ENCRYPTED
)
790 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "%s payload found. Stop parsing",
791 mapping_find(payload_type_m
, current_payload_type
));
795 /* get next payload type */
796 current_payload_type
= current_payload
->get_next_type(current_payload
);
799 if (current_payload_type
== ENCRYPTED
)
800 status
= this->decrypt_payloads(this,crypter
,signer
);
801 if (status
!= SUCCESS
)
803 this->logger
->log(this->logger
, ERROR
, "Could not decrypt payloads");
807 status
= this->verify(this);
808 if (status
!= SUCCESS
)
810 this->logger
->log(this->logger
, ERROR
, "Verification of message failed");
813 this->logger
->log(this->logger
, CONTROL
, "Message %s %s contains %d payloads",
814 mapping_find(exchange_type_m
, this->exchange_type
),
815 this->is_request
? "request" : "response",
816 this->payloads
->get_count(this->payloads
));
822 * Implementation of private_message_t.verify.
824 static status_t
verify(private_message_t
*this)
827 iterator_t
*iterator
;
828 size_t total_found_payloads
= 0;
830 this->logger
->log(this->logger
, CONTROL
|LEVEL1
, "Verifying message structure");
832 iterator
= this->payloads
->create_iterator(this->payloads
,TRUE
);
833 /* check for payloads with wrong count*/
834 for (i
= 0; i
< this->message_rule
->payload_rule_count
;i
++)
836 size_t found_payloads
= 0;
838 /* check all payloads for specific rule */
839 iterator
->reset(iterator
);
841 while(iterator
->has_next(iterator
))
843 payload_t
*current_payload
;
844 payload_type_t current_payload_type
;
846 iterator
->current(iterator
,(void **)¤t_payload
);
847 current_payload_type
= current_payload
->get_type(current_payload
);
849 if (current_payload_type
== UNKNOWN_PAYLOAD
)
851 /* unknown payloads are ignored, IF they are not critical */
852 unknown_payload_t
*unknown_payload
= (unknown_payload_t
*)current_payload
;
853 if (unknown_payload
->is_critical(unknown_payload
))
855 this->logger
->log(this->logger
, ERROR
|LEVEL1
, "%s (%d) is not supported, but its critical!",
856 mapping_find(payload_type_m
, current_payload_type
), current_payload_type
);
857 iterator
->destroy(iterator
);
858 return NOT_SUPPORTED
;
861 else if (current_payload_type
== this->message_rule
->payload_rules
[i
].payload_type
)
864 total_found_payloads
++;
865 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Found payload of type %s",
866 mapping_find(payload_type_m
, this->message_rule
->payload_rules
[i
].payload_type
));
868 /* as soon as ohe payload occures more then specified, the verification fails */
869 if (found_payloads
> this->message_rule
->payload_rules
[i
].max_occurence
)
871 this->logger
->log(this->logger
, ERROR
|LEVEL1
, "Payload of type %s more than %d times (%d) occured in current message",
872 mapping_find(payload_type_m
, current_payload_type
),
873 this->message_rule
->payload_rules
[i
].max_occurence
, found_payloads
);
874 iterator
->destroy(iterator
);
880 if (found_payloads
< this->message_rule
->payload_rules
[i
].min_occurence
)
882 this->logger
->log(this->logger
, ERROR
|LEVEL1
, "Payload of type %s not occured %d times (%d)",
883 mapping_find(payload_type_m
, this->message_rule
->payload_rules
[i
].payload_type
),
884 this->message_rule
->payload_rules
[i
].min_occurence
, found_payloads
);
885 iterator
->destroy(iterator
);
888 if ((this->message_rule
->payload_rules
[i
].sufficient
) && (this->payloads
->get_count(this->payloads
) == total_found_payloads
))
890 iterator
->destroy(iterator
);
894 iterator
->destroy(iterator
);
900 * Implementation of private_message_t.decrypt_and_verify_payloads.
902 static status_t
decrypt_payloads(private_message_t
*this,crypter_t
*crypter
, signer_t
* signer
)
904 bool current_payload_was_encrypted
= FALSE
;
905 payload_t
*previous_payload
= NULL
;
906 int payload_number
= 1;
907 iterator_t
*iterator
;
910 iterator
= this->payloads
->create_iterator(this->payloads
,TRUE
);
912 /* process each payload and decrypt a encryption payload */
913 while(iterator
->has_next(iterator
))
915 payload_rule_t
*payload_rule
;
916 payload_type_t current_payload_type
;
917 payload_t
*current_payload
;
919 /* get current payload */
920 iterator
->current(iterator
,(void **)¤t_payload
);
922 /* needed to check */
923 current_payload_type
= current_payload
->get_type(current_payload
);
925 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Process payload of type %s",
926 mapping_find(payload_type_m
,current_payload_type
));
928 if (current_payload_type
== ENCRYPTED
)
930 encryption_payload_t
*encryption_payload
;
931 payload_t
*current_encrypted_payload
;
933 encryption_payload
= (encryption_payload_t
*)current_payload
;
935 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Found an encryption payload");
937 if (payload_number
!= this->payloads
->get_count(this->payloads
))
939 /* encrypted payload is not last one */
940 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "Encrypted payload is not last payload");
941 iterator
->destroy(iterator
);
945 encryption_payload
->set_transforms(encryption_payload
, crypter
, signer
);
946 this->logger
->log(this->logger
, CONTROL
| LEVEL1
, "Verify signature of encryption payload");
947 status
= encryption_payload
->verify_signature(encryption_payload
, this->packet
->get_data(this->packet
));
948 if (status
!= SUCCESS
)
950 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "encryption payload signature invalid");
951 iterator
->destroy(iterator
);
954 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Decrypt content of encryption payload");
955 status
= encryption_payload
->decrypt(encryption_payload
);
956 if (status
!= SUCCESS
)
958 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "Encrypted payload could not be decrypted and parsed: %s",
959 mapping_find(status_m
, status
));
960 iterator
->destroy(iterator
);
964 /* needed later to find out if a payload was encrypted */
965 current_payload_was_encrypted
= TRUE
;
967 /* check if there are payloads contained in the encryption payload */
968 if (encryption_payload
->get_payload_count(encryption_payload
) == 0)
970 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Encrypted payload is empty");
971 /* remove the encryption payload, is not needed anymore */
972 iterator
->remove(iterator
);
973 /* encrypted payload contains no other payload */
974 current_payload_type
= NO_PAYLOAD
;
978 /* encryption_payload is replaced with first payload contained in encryption_payload */
979 encryption_payload
->remove_first_payload(encryption_payload
, ¤t_encrypted_payload
);
980 iterator
->replace(iterator
,NULL
,(void *) current_encrypted_payload
);
981 current_payload_type
= current_encrypted_payload
->get_type(current_encrypted_payload
);
984 /* is the current paylad the first in the message? */
985 if (previous_payload
== NULL
)
987 /* yes, set the first payload type of the message to the current type */
988 this->first_payload
= current_payload_type
;
992 /* no, set the next_type of the previous payload to the current type */
993 previous_payload
->set_next_type(previous_payload
, current_payload_type
);
996 /* all encrypted payloads are added to the payload list */
997 while (encryption_payload
->get_payload_count(encryption_payload
) > 0)
999 encryption_payload
->remove_first_payload(encryption_payload
, ¤t_encrypted_payload
);
1000 this->logger
->log(this->logger
, CONTROL
| LEVEL1
, "Insert unencrypted payload of type %s at end of list.",
1001 mapping_find(payload_type_m
,current_encrypted_payload
->get_type(current_encrypted_payload
)));
1002 this->payloads
->insert_last(this->payloads
,current_encrypted_payload
);
1005 /* encryption payload is processed, payloads are moved. Destroy it. */
1006 encryption_payload
->destroy(encryption_payload
);
1009 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1010 if (current_payload_type
!= UNKNOWN_PAYLOAD
)
1012 /* get the ruleset for found payload */
1013 status
= this->get_payload_rule(this, current_payload_type
, &payload_rule
);
1014 if (status
!= SUCCESS
)
1016 /* payload is not allowed */
1017 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "Payload type %s not allowed",mapping_find(payload_type_m
,current_payload_type
));
1018 iterator
->destroy(iterator
);
1022 /* check if the payload was encrypted, and if it should been have encrypted */
1023 if (payload_rule
->encrypted
!= current_payload_was_encrypted
)
1025 /* payload was not encrypted, but should have been. or vice-versa */
1026 this->logger
->log(this->logger
, ERROR
| LEVEL1
, "Payload type %s should be %s!",
1027 mapping_find(payload_type_m
,current_payload_type
),
1028 (payload_rule
->encrypted
) ? "encrypted" : "not encrypted");
1029 iterator
->destroy(iterator
);
1033 /* advance to the next payload */
1035 /* is stored to set next payload in case of found encryption payload */
1036 previous_payload
= current_payload
;
1038 iterator
->destroy(iterator
);
1043 * Implementation of private_message_t.encrypt_payloads.
1045 static status_t
encrypt_payloads (private_message_t
*this,crypter_t
*crypter
, signer_t
* signer
)
1047 encryption_payload_t
*encryption_payload
= NULL
;
1049 linked_list_t
*all_payloads
;
1051 if (!this->message_rule
->encrypted_content
)
1053 this->logger
->log(this->logger
, CONTROL
| LEVEL1
, "Message doesn't have to be encrypted");
1054 /* message contains no content to encrypt */
1058 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Copy all payloads to a temporary list");
1059 all_payloads
= linked_list_create();
1061 /* first copy all payloads in a temporary list */
1062 while (this->payloads
->get_count(this->payloads
) > 0)
1064 void *current_payload
;
1065 this->payloads
->remove_first(this->payloads
,¤t_payload
);
1066 all_payloads
->insert_last(all_payloads
,current_payload
);
1069 encryption_payload
= encryption_payload_create();
1071 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Check each payloads if they have to get encrypted");
1072 while (all_payloads
->get_count(all_payloads
) > 0)
1074 payload_rule_t
*payload_rule
;
1075 payload_t
*current_payload
;
1076 bool to_encrypt
= FALSE
;
1078 all_payloads
->remove_first(all_payloads
,(void **)¤t_payload
);
1079 this->logger
->log(this->logger
, CONTROL
| LEVEL3
, "Get rule for payload %s",
1080 mapping_find(payload_type_m
,current_payload
->get_type(current_payload
)));
1082 status
= this->get_payload_rule(this,current_payload
->get_type(current_payload
),&payload_rule
);
1083 /* for payload types which are not found in supported payload list, it is presumed
1084 * that they don't have to be encrypted */
1085 if ((status
== SUCCESS
) && (payload_rule
->encrypted
))
1087 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Payload %s has to get encrypted",
1088 mapping_find(payload_type_m
,current_payload
->get_type(current_payload
)));
1091 else if (status
!= SUCCESS
)
1093 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Payload %s not defined for exchange type %s. Handle it anyway",
1094 mapping_find(payload_type_m
,current_payload
->get_type(current_payload
)),
1095 mapping_find(exchange_type_m
,this->exchange_type
));
1100 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Insert payload %s to encryption payload",
1101 mapping_find(payload_type_m
,current_payload
->get_type(current_payload
)));
1103 encryption_payload
->add_payload(encryption_payload
,current_payload
);
1107 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Insert payload %s as payload wich does not have to be encrypted",
1108 mapping_find(payload_type_m
,current_payload
->get_type(current_payload
)));
1109 this->public.add_payload(&(this->public), (payload_t
*)encryption_payload
);
1114 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Set transforms for encryption payload ");
1115 encryption_payload
->set_transforms(encryption_payload
,crypter
,signer
);
1116 this->logger
->log(this->logger
, CONTROL
| LEVEL1
, "Encrypt all payloads of encrypted payload");
1117 status
= encryption_payload
->encrypt(encryption_payload
);
1118 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Add encrypted payload to payload list");
1119 this->public.add_payload(&(this->public), (payload_t
*)encryption_payload
);
1121 all_payloads
->destroy(all_payloads
);
1128 * Implementation of message_t.destroy.
1130 static void destroy (private_message_t
*this)
1132 iterator_t
*iterator
;
1134 this->logger
->log(this->logger
, CONTROL
|LEVEL3
, "Going to destroy message_t object");
1136 this->packet
->destroy(this->packet
);
1138 if (this->ike_sa_id
!= NULL
)
1140 this->ike_sa_id
->destroy(this->ike_sa_id
);
1143 iterator
= this->payloads
->create_iterator(this->payloads
, TRUE
);
1144 while (iterator
->has_next(iterator
))
1147 iterator
->current(iterator
, (void**)&payload
);
1148 this->logger
->log(this->logger
, CONTROL
|LEVEL3
, "Destroying payload of type %s",
1149 mapping_find(payload_type_m
, payload
->get_type(payload
)));
1150 payload
->destroy(payload
);
1152 iterator
->destroy(iterator
);
1153 this->payloads
->destroy(this->payloads
);
1154 this->parser
->destroy(this->parser
);
1160 * Described in Header-File
1162 message_t
*message_create_from_packet(packet_t
*packet
)
1164 private_message_t
*this = malloc_thing(private_message_t
);
1166 /* public functions */
1167 this->public.set_major_version
= (void(*)(message_t
*, u_int8_t
))set_major_version
;
1168 this->public.get_major_version
= (u_int8_t(*)(message_t
*))get_major_version
;
1169 this->public.set_minor_version
= (void(*)(message_t
*, u_int8_t
))set_minor_version
;
1170 this->public.get_minor_version
= (u_int8_t(*)(message_t
*))get_minor_version
;
1171 this->public.set_message_id
= (void(*)(message_t
*, u_int32_t
))set_message_id
;
1172 this->public.get_message_id
= (u_int32_t(*)(message_t
*))get_message_id
;
1173 this->public.get_responder_spi
= (u_int64_t(*)(message_t
*))get_responder_spi
;
1174 this->public.set_ike_sa_id
= (void(*)(message_t
*, ike_sa_id_t
*))set_ike_sa_id
;
1175 this->public.get_ike_sa_id
= (status_t(*)(message_t
*, ike_sa_id_t
**))get_ike_sa_id
;
1176 this->public.set_exchange_type
= (void(*)(message_t
*, exchange_type_t
))set_exchange_type
;
1177 this->public.get_exchange_type
= (exchange_type_t(*)(message_t
*))get_exchange_type
;
1178 this->public.set_request
= (void(*)(message_t
*, bool))set_request
;
1179 this->public.get_request
= (bool(*)(message_t
*))get_request
;
1180 this->public.add_payload
= (void(*)(message_t
*,payload_t
*))add_payload
;
1181 this->public.generate
= (status_t (*) (message_t
*,crypter_t
*,signer_t
*,packet_t
**)) generate
;
1182 this->public.set_source
= (void (*) (message_t
*,host_t
*)) set_source
;
1183 this->public.get_source
= (host_t
* (*) (message_t
*)) get_source
;
1184 this->public.set_destination
= (void (*) (message_t
*,host_t
*)) set_destination
;
1185 this->public.get_destination
= (host_t
* (*) (message_t
*)) get_destination
;
1186 this->public.get_payload_iterator
= (iterator_t
* (*) (message_t
*)) get_payload_iterator
;
1187 this->public.parse_header
= (status_t (*) (message_t
*)) parse_header
;
1188 this->public.parse_body
= (status_t (*) (message_t
*,crypter_t
*,signer_t
*)) parse_body
;
1189 this->public.get_packet
= (packet_t
* (*) (message_t
*)) get_packet
;
1190 this->public.get_packet_data
= (chunk_t (*) (message_t
*this)) get_packet_data
;
1191 this->public.destroy
= (void(*)(message_t
*))destroy
;
1193 /* private values */
1194 this->exchange_type
= EXCHANGE_TYPE_UNDEFINED
;
1195 this->is_request
= TRUE
;
1196 this->ike_sa_id
= NULL
;
1197 this->first_payload
= NO_PAYLOAD
;
1198 this->message_id
= 0;
1200 /* private functions */
1201 this->set_message_rule
= set_message_rule
;
1202 this->get_payload_rule
= get_payload_rule
;
1203 this->encrypt_payloads
= encrypt_payloads
;
1204 this->decrypt_payloads
= decrypt_payloads
;
1205 this->verify
= verify
;
1207 /* private values */
1210 packet
= packet_create();
1212 this->message_rule
= NULL
;
1213 this->packet
= packet
;
1214 this->payloads
= linked_list_create();
1216 /* parser is created from data of packet */
1217 this->parser
= parser_create(this->packet
->get_data(this->packet
));
1219 this->logger
= logger_manager
->get_logger(logger_manager
, MESSAGE
);
1221 return (&this->public);
1225 * Described in Header.
1227 message_t
*message_create()
1229 return message_create_from_packet(NULL
);
1233 * Described in Header.
1235 message_t
*message_create_notify_reply(host_t
*source
, host_t
*destination
, exchange_type_t exchange_type
, bool original_initiator
,ike_sa_id_t
*ike_sa_id
,notify_message_type_t notify_type
)
1237 message_t
*message
= message_create_from_packet(NULL
);
1238 notify_payload_t
*payload
;
1240 message
->set_source(message
, source
->clone(source
));
1241 message
->set_destination(message
, destination
->clone(destination
));
1242 message
->set_exchange_type(message
, exchange_type
);
1243 message
->set_request(message
, FALSE
);
1244 message
->set_message_id(message
,0);
1245 message
->set_ike_sa_id(message
, ike_sa_id
);
1247 payload
= notify_payload_create_from_protocol_and_type(PROTO_IKE
, notify_type
);
1248 message
->add_payload(message
,(payload_t
*) payload
);