]> git.ipfire.org Git - thirdparty/strongswan.git/blob - programs/charon/charon/encoding/message.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
- import of strongswan-2.7.0
[thirdparty/strongswan.git] / programs / charon / charon / encoding / message.c
1 /**
2 * @file message.c
3 *
4 * @brief Implementation of message_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <stdlib.h>
24
25 #include "message.h"
26
27 #include <types.h>
28 #include <daemon.h>
29 #include <sa/ike_sa_id.h>
30 #include <encoding/generator.h>
31 #include <encoding/parser.h>
32 #include <utils/linked_list.h>
33 #include <utils/logger_manager.h>
34 #include <encoding/payloads/encodings.h>
35 #include <encoding/payloads/payload.h>
36 #include <encoding/payloads/encryption_payload.h>
37 #include <encoding/payloads/unknown_payload.h>
38
39 /**
40 * Max number of notify payloads per IKEv2 Message
41 */
42 #define MAX_NOTIFY_PAYLOADS 10
43
44
45 typedef struct payload_rule_t payload_rule_t;
46
47 /**
48 * A payload rule defines the rules for a payload
49 * in a specific message rule. It defines if and how
50 * many times a payload must/can occur in a message
51 * and if it must be encrypted.
52 */
53 struct payload_rule_t {
54 /**
55 * Payload type.
56 */
57 payload_type_t payload_type;
58
59 /**
60 * Minimal occurence of this payload.
61 */
62 size_t min_occurence;
63
64 /**
65 * Max occurence of this payload.
66 */
67 size_t max_occurence;
68
69 /**
70 * TRUE if payload must be encrypted
71 */
72 bool encrypted;
73
74 /**
75 * If this payload occurs, the message rule is
76 * fullfilled in any case. This applies e.g. to
77 * notify_payloads.
78 */
79 bool sufficient;
80 };
81
82 typedef struct message_rule_t message_rule_t;
83
84 /**
85 * A message rule defines the kind of a message,
86 * if it has encrypted contents and a list
87 * of payload rules.
88 *
89 */
90 struct message_rule_t {
91 /**
92 * Type of message.
93 */
94 exchange_type_t exchange_type;
95
96 /**
97 * Is message a request or response.
98 */
99 bool is_request;
100
101 /**
102 * Message contains encrypted content.
103 */
104 bool encrypted_content;
105
106 /**
107 * Number of payload rules which will follow
108 */
109 size_t payload_rule_count;
110
111 /**
112 * Pointer to first payload rule
113 */
114 payload_rule_t *payload_rules;
115 };
116
117 /**
118 * Message rule for IKE_SA_INIT from initiator.
119 */
120 static payload_rule_t ike_sa_init_i_payload_rules[] = {
121 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
122 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
123 {KEY_EXCHANGE,1,1,FALSE,FALSE},
124 {NONCE,1,1,FALSE,FALSE},
125 };
126
127 /**
128 * Message rule for IKE_SA_INIT from responder.
129 */
130 static payload_rule_t ike_sa_init_r_payload_rules[] = {
131 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
132 {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
133 {KEY_EXCHANGE,1,1,FALSE,FALSE},
134 {NONCE,1,1,FALSE,FALSE},
135 };
136
137 /**
138 * Message rule for IKE_AUTH from initiator.
139 */
140 static payload_rule_t ike_auth_i_payload_rules[] = {
141 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
142 {ID_INITIATOR,1,1,TRUE,FALSE},
143 {CERTIFICATE,0,1,TRUE,FALSE},
144 {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
145 {ID_RESPONDER,0,1,TRUE,FALSE},
146 {AUTHENTICATION,1,1,TRUE,FALSE},
147 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
148 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
149 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
150 {CONFIGURATION,0,1,TRUE,FALSE},
151 };
152
153 /**
154 * Message rule for IKE_AUTH from responder.
155 */
156 static payload_rule_t ike_auth_r_payload_rules[] = {
157 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
158 {CERTIFICATE,0,1,TRUE,FALSE},
159 {ID_RESPONDER,1,1,TRUE,FALSE},
160 {AUTHENTICATION,1,1,TRUE,FALSE},
161 {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
162 {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
163 {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
164 {CONFIGURATION,0,1,TRUE,FALSE},
165 };
166
167
168 /**
169 * Message rule for INFORMATIONAL from initiator.
170 */
171 static payload_rule_t informational_i_payload_rules[] = {
172 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
173 {CONFIGURATION,0,1,TRUE,FALSE},
174 {DELETE,0,1,TRUE,FALSE},
175
176 };
177
178 /**
179 * Message rule for INFORMATIONAL from responder.
180 */
181 static payload_rule_t informational_r_payload_rules[] = {
182 {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
183 {CONFIGURATION,0,1,TRUE,FALSE},
184 {DELETE,0,1,TRUE,FALSE},
185 };
186
187
188 /**
189 * Message rules, defines allowed payloads.
190 */
191 static message_rule_t message_rules[] = {
192 {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
193 {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
194 {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
195 {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
196 {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
197 {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules}
198 };
199
200
201 typedef struct private_message_t private_message_t;
202
203 /**
204 * Private data of an message_t object.
205 */
206 struct private_message_t {
207
208 /**
209 * Public part of a message_t object.
210 */
211 message_t public;
212
213 /**
214 * Minor version of message.
215 */
216 u_int8_t major_version;
217
218 /**
219 * Major version of message.
220 */
221 u_int8_t minor_version;
222
223 /**
224 * First Payload in message.
225 */
226 payload_type_t first_payload;
227
228 /**
229 * Assigned exchange type.
230 */
231 exchange_type_t exchange_type;
232
233 /**
234 * TRUE if message is a request, FALSE if a reply.
235 */
236 bool is_request;
237
238 /**
239 * Message ID of this message.
240 */
241 u_int32_t message_id;
242
243 /**
244 * ID of assigned IKE_SA.
245 */
246 ike_sa_id_t *ike_sa_id;
247
248 /**
249 * Assigned UDP packet, stores incoming packet or last generated one.
250 */
251 packet_t *packet;
252
253 /**
254 * Linked List where payload data are stored in.
255 */
256 linked_list_t *payloads;
257
258 /**
259 * Assigned parser to parse Header and Body of this message.
260 */
261 parser_t *parser;
262
263 /**
264 * The message rule for this message instance
265 */
266 message_rule_t *message_rule;
267
268 /**
269 * Assigned logger.
270 */
271 logger_t *logger;
272
273 /**
274 * Sets the private message_rule member to the rule which
275 * applies to this message. Must be called before get_payload_rule().
276 *
277 * @param this calling object
278 * @return
279 * - SUCCESS
280 * - NOT_FOUND if no message rule applies to this message.
281 */
282 status_t (*set_message_rule) (private_message_t *this);
283
284 /**
285 * Gets the payload_rule_t for a specific message_rule_t and payload type.
286 *
287 * @param this calling object
288 * @param payload_type payload type
289 * @param[out] payload_rule returned payload_rule_t
290 * @return
291 * - SUCCESS
292 * - NOT_FOUND if payload not defined in current message rule
293 * - INVALID_STATE if message rule is not set via set_message_rule()
294 */
295 status_t (*get_payload_rule) (private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule);
296
297 /**
298 * Encrypts all payloads which has to get encrypted.
299 *
300 * Can also be called with messages not containing encrypted content.
301 *
302 * @param this calling object
303 * @param crypter crypter_t object
304 * @param signer signer_t object
305 * @return
306 * - SUCCESS
307 * - INVALID_STATE if no crypter/signer supplied but needed
308 */
309 status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
310
311 /**
312 * Decrypts encrypted contents, and checks if a payload is encrypted if it has to be.
313 *
314 * @param this calling object
315 * @param crypter crypter_t object
316 * @param signer signer_t object
317 * @return
318 * - SUCCESS
319 * - FAILED if decryption not successfull
320 * - INVALID_STATE if no crypter/signer supplied but needed
321 */
322 status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
323
324 /**
325 * Verifies the message. Checks for payloads count.
326 *
327 * @param calling object
328 * @return
329 * - SUCCESS if message valid, or
330 * - FAILED if message does not align with message rules.
331 */
332 status_t (*verify) (private_message_t *this);
333 };
334
335 /**
336 * Implementation of private_message_t.set_message_rule.
337 */
338 static status_t set_message_rule(private_message_t *this)
339 {
340 int i;
341
342 for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
343 {
344 if ((this->exchange_type == message_rules[i].exchange_type) &&
345 (this->is_request == message_rules[i].is_request))
346 {
347 /* found rule for given exchange_type*/
348 this->message_rule = &(message_rules[i]);
349 return SUCCESS;
350 }
351 }
352 this->message_rule = NULL;
353 return NOT_FOUND;
354 }
355
356 /**
357 * Implementation of private_message_t.get_payload_rule.
358 */
359 static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
360 {
361 int i;
362
363 for (i = 0; i < this->message_rule->payload_rule_count;i++)
364 {
365 if (this->message_rule->payload_rules[i].payload_type == payload_type)
366 {
367 *payload_rule = &(this->message_rule->payload_rules[i]);
368 return SUCCESS;
369 }
370 }
371
372 *payload_rule = NULL;
373 return NOT_FOUND;
374 }
375
376 /**
377 * Implementation of message_t.set_ike_sa_id.
378 */
379 static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
380 {
381 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
382 }
383
384 /**
385 * Implementation of message_t.get_ike_sa_id.
386 */
387 static status_t get_ike_sa_id (private_message_t *this,ike_sa_id_t **ike_sa_id)
388 {
389 if (this->ike_sa_id == NULL)
390 {
391 return FAILED;
392 }
393 *ike_sa_id = this->ike_sa_id->clone(this->ike_sa_id);
394 return SUCCESS;
395 }
396
397 /**
398 * Implementation of message_t.set_message_id.
399 */
400 static void set_message_id (private_message_t *this,u_int32_t message_id)
401 {
402 this->message_id = message_id;
403 }
404
405 /**
406 * Implementation of message_t.get_message_id.
407 */
408 static u_int32_t get_message_id (private_message_t *this)
409 {
410 return this->message_id;
411 }
412
413 /**
414 * Implementation of message_t.get_responder_spi.
415 */
416 static u_int64_t get_responder_spi (private_message_t *this)
417 {
418 return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
419 }
420
421 /**
422 * Implementation of message_t.set_major_version.
423 */
424 static void set_major_version (private_message_t *this,u_int8_t major_version)
425 {
426 this->major_version = major_version;
427 }
428
429
430 /**
431 * Implementation of message_t.set_major_version.
432 */
433 static u_int8_t get_major_version (private_message_t *this)
434 {
435 return this->major_version;
436 }
437
438 /**
439 * Implementation of message_t.set_minor_version.
440 */
441 static void set_minor_version (private_message_t *this,u_int8_t minor_version)
442 {
443 this->minor_version = minor_version;
444 }
445
446 /**
447 * Implementation of message_t.get_minor_version.
448 */
449 static u_int8_t get_minor_version (private_message_t *this)
450 {
451 return this->minor_version;
452 }
453
454 /**
455 * Implementation of message_t.set_exchange_type.
456 */
457 static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
458 {
459 this->exchange_type = exchange_type;
460 }
461
462 /**
463 * Implementation of message_t.get_exchange_type.
464 */
465 static exchange_type_t get_exchange_type (private_message_t *this)
466 {
467 return this->exchange_type;
468 }
469
470 /**
471 * Implementation of message_t.set_request.
472 */
473 static void set_request (private_message_t *this,bool request)
474 {
475 this->is_request = request;
476 }
477
478 /**
479 * Implementation of message_t.get_request.
480 */
481 static exchange_type_t get_request (private_message_t *this)
482 {
483 return this->is_request;
484 }
485
486 /**
487 * Implementation of message_t.add_payload.
488 */
489 static void add_payload(private_message_t *this, payload_t *payload)
490 {
491 payload_t *last_payload;
492 if (this->payloads->get_count(this->payloads) > 0)
493 {
494 this->payloads->get_last(this->payloads,(void **) &last_payload);
495 last_payload->set_next_type(last_payload, payload->get_type(payload));
496 }
497 else
498 {
499 this->first_payload = payload->get_type(payload);
500 }
501 payload->set_next_type(payload, NO_PAYLOAD);
502 this->payloads->insert_last(this->payloads, (void*)payload);
503
504 this->logger->log(this->logger, CONTROL|LEVEL1, "Added payload of type %s to message",
505 mapping_find(payload_type_m, payload->get_type(payload)));
506 }
507
508 /**
509 * Implementation of message_t.set_source.
510 */
511 static void set_source(private_message_t *this, host_t *host)
512 {
513 this->packet->set_source(this->packet, host);
514 }
515
516 /**
517 * Implementation of message_t.set_destination.
518 */
519 static void set_destination(private_message_t *this, host_t *host)
520 {
521
522 this->packet->set_destination(this->packet, host);
523 }
524
525 /**
526 * Implementation of message_t.get_source.
527 */
528 static host_t* get_source(private_message_t *this)
529 {
530 return this->packet->get_source(this->packet);
531 }
532
533 /**
534 * Implementation of message_t.get_destination.
535 */
536 static host_t * get_destination(private_message_t *this)
537 {
538 return this->packet->get_destination(this->packet);
539 }
540
541 /**
542 * Implementation of message_t.get_destination.
543 */
544 static iterator_t *get_payload_iterator(private_message_t *this)
545 {
546 return this->payloads->create_iterator(this->payloads, TRUE);
547 }
548
549
550 /**
551 * Implementation of message_t.generate.
552 */
553 static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
554 {
555 generator_t *generator;
556 ike_header_t *ike_header;
557 payload_t *payload, *next_payload;
558 iterator_t *iterator;
559 status_t status;
560 chunk_t packet_data;
561
562 this->logger->log(this->logger, CONTROL, "Generating message of type %s, contains %d payloads",
563 mapping_find(exchange_type_m,this->exchange_type),
564 this->payloads->get_count(this->payloads));
565
566 if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
567 {
568 this->logger->log(this->logger, ERROR | LEVEL1, "Exchange type %s is not defined",
569 mapping_find(exchange_type_m,this->exchange_type));
570 return INVALID_STATE;
571 }
572
573 if (this->packet->get_source(this->packet) == NULL ||
574 this->packet->get_destination(this->packet) == NULL)
575 {
576 this->logger->log(this->logger, ERROR|LEVEL1, "%s not defined",
577 !this->packet->get_source(this->packet) ? "source" : "destination");
578 return INVALID_STATE;
579 }
580
581 /* set the rules for this messge */
582 status = this->set_message_rule(this);
583 if (status != SUCCESS)
584 {
585 this->logger->log(this->logger, ERROR, "No message rules specified for a %s %s",
586 mapping_find(exchange_type_m,this->exchange_type),
587 this->is_request ? "request" : "response");
588 return NOT_SUPPORTED;
589 }
590
591
592 /* going to encrypt all content which have to be encrypted */
593 status = this->encrypt_payloads(this, crypter, signer);
594 if (status != SUCCESS)
595 {
596 this->logger->log(this->logger, ERROR | LEVEL1, "Could not encrypt payloads");
597 return status;
598 }
599
600 /* build ike header */
601 ike_header = ike_header_create();
602
603 ike_header->set_exchange_type(ike_header, this->exchange_type);
604 ike_header->set_message_id(ike_header, this->message_id);
605 ike_header->set_response_flag(ike_header, !this->is_request);
606 ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
607 ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
608 ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
609
610 generator = generator_create();
611
612 payload = (payload_t*)ike_header;
613
614
615 /* generate every payload expect last one, this is doen later*/
616 iterator = this->payloads->create_iterator(this->payloads, TRUE);
617 while(iterator->has_next(iterator))
618 {
619 iterator->current(iterator, (void**)&next_payload);
620 payload->set_next_type(payload, next_payload->get_type(next_payload));
621 generator->generate_payload(generator, payload);
622 payload = next_payload;
623 }
624 iterator->destroy(iterator);
625
626 /* last payload has no next payload*/
627 payload->set_next_type(payload, NO_PAYLOAD);
628
629 generator->generate_payload(generator, payload);
630
631 ike_header->destroy(ike_header);
632
633 /* build packet */
634 generator->write_to_chunk(generator, &packet_data);
635 generator->destroy(generator);
636
637 /* if last payload is of type encrypted, integrity checksum if necessary */
638 if (payload->get_type(payload) == ENCRYPTED)
639 {
640 this->logger->log(this->logger, CONTROL | LEVEL1, "Build signature on whole message");
641 encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
642 status = encryption_payload->build_signature(encryption_payload, packet_data);
643 if (status != SUCCESS)
644 {
645 return status;
646 }
647 }
648
649 this->packet->set_data(this->packet, packet_data);
650
651 /* clone packet for caller */
652 *packet = this->packet->clone(this->packet);
653
654 this->logger->log(this->logger, CONTROL|LEVEL1, "Message of type %s generated successfully",
655 mapping_find(exchange_type_m,this->exchange_type));
656 return SUCCESS;
657 }
658
659 /**
660 * Implementation of message_t.get_packet.
661 */
662 static packet_t *get_packet (private_message_t *this)
663 {
664 return this->packet->clone(this->packet);
665 }
666
667 /**
668 * Implementation of message_t.get_packet_data.
669 */
670 static chunk_t get_packet_data (private_message_t *this)
671 {
672 return chunk_clone(this->packet->get_data(this->packet));
673 }
674
675 /**
676 * Implementation of message_t.parse_header.
677 */
678 static status_t parse_header(private_message_t *this)
679 {
680 ike_header_t *ike_header;
681 status_t status;
682
683
684 this->logger->log(this->logger, CONTROL|LEVEL1, "parsing Header of message");
685
686 this->parser->reset_context(this->parser);
687 status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
688 if (status != SUCCESS)
689 {
690 this->logger->log(this->logger, ERROR | LEVEL1, "Header could not be parsed");
691 return status;
692
693 }
694
695 /* verify payload */
696 status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
697 if (status != SUCCESS)
698 {
699 this->logger->log(this->logger, ERROR | LEVEL1, "Header verification failed");
700 ike_header->destroy(ike_header);
701 return status;
702 }
703
704 if (this->ike_sa_id != NULL)
705 {
706 this->ike_sa_id->destroy(this->ike_sa_id);
707 }
708
709 this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
710 ike_header->get_responder_spi(ike_header),
711 ike_header->get_initiator_flag(ike_header));
712
713 this->exchange_type = ike_header->get_exchange_type(ike_header);
714 this->message_id = ike_header->get_message_id(ike_header);
715 this->is_request = (!(ike_header->get_response_flag(ike_header)));
716 this->major_version = ike_header->get_maj_version(ike_header);
717 this->minor_version = ike_header->get_min_version(ike_header);
718 this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
719
720 this->logger->log(this->logger, CONTROL, "Parsed a %s %s",
721 mapping_find(exchange_type_m, this->exchange_type),
722 this->is_request ? "request" : "response");
723
724 ike_header->destroy(ike_header);
725
726 /* get the rules for this messge */
727 status = this->set_message_rule(this);
728 if (status != SUCCESS)
729 {
730 this->logger->log(this->logger, ERROR, "No message rules specified for a %s %s",
731 mapping_find(exchange_type_m,this->exchange_type),
732 this->is_request ? "request" : "response");
733 }
734
735 return status;
736 }
737
738 /**
739 * Implementation of message_t.parse_body.
740 */
741 static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
742 {
743 status_t status = SUCCESS;
744 payload_type_t current_payload_type;
745
746 current_payload_type = this->first_payload;
747
748 this->logger->log(this->logger, CONTROL|LEVEL1, "Parsing body of message, first payload is %s",
749 mapping_find(payload_type_m, current_payload_type));
750
751 /* parse payload for payload, while there are more available */
752 while ((current_payload_type != NO_PAYLOAD))
753 {
754 payload_t *current_payload;
755
756 this->logger->log(this->logger, CONTROL|LEVEL2, "Start parsing a %s payload",
757 mapping_find(payload_type_m, current_payload_type));
758
759 /* parse current payload */
760 status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
761
762 if (status != SUCCESS)
763 {
764 this->logger->log(this->logger, ERROR, "Payload type %s could not be parsed",
765 mapping_find(payload_type_m,current_payload_type));
766 return status;
767 }
768
769 this->logger->log(this->logger, CONTROL|LEVEL2, "Verify payload of type %s",
770 mapping_find(payload_type_m, current_payload_type));
771
772 /* verify it, stop parsig if its invalid */
773 status = current_payload->verify(current_payload);
774 if (status != SUCCESS)
775 {
776 this->logger->log(this->logger, ERROR, "%s payload verification failed",
777 mapping_find(payload_type_m,current_payload_type));
778 current_payload->destroy(current_payload);
779 status = VERIFY_ERROR;
780 return status;
781 }
782
783 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload verified. Adding to payload list",
784 mapping_find(payload_type_m, current_payload_type));
785 this->payloads->insert_last(this->payloads,current_payload);
786
787 /* an encryption payload is the last one, so STOP here. decryption is done later */
788 if (current_payload_type == ENCRYPTED)
789 {
790 this->logger->log(this->logger, CONTROL|LEVEL2, "%s payload found. Stop parsing",
791 mapping_find(payload_type_m, current_payload_type));
792 break;
793 }
794
795 /* get next payload type */
796 current_payload_type = current_payload->get_next_type(current_payload);
797 }
798
799 if (current_payload_type == ENCRYPTED)
800 status = this->decrypt_payloads(this,crypter,signer);
801 if (status != SUCCESS)
802 {
803 this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
804 return status;
805 }
806
807 status = this->verify(this);
808 if (status != SUCCESS)
809 {
810 this->logger->log(this->logger, ERROR, "Verification of message failed");
811 }
812
813 this->logger->log(this->logger, CONTROL, "Message %s %s contains %d payloads",
814 mapping_find(exchange_type_m, this->exchange_type),
815 this->is_request ? "request" : "response",
816 this->payloads->get_count(this->payloads));
817
818 return status;
819 }
820
821 /**
822 * Implementation of private_message_t.verify.
823 */
824 static status_t verify(private_message_t *this)
825 {
826 int i;
827 iterator_t *iterator;
828 size_t total_found_payloads = 0;
829
830 this->logger->log(this->logger, CONTROL|LEVEL1, "Verifying message structure");
831
832 iterator = this->payloads->create_iterator(this->payloads,TRUE);
833 /* check for payloads with wrong count*/
834 for (i = 0; i < this->message_rule->payload_rule_count;i++)
835 {
836 size_t found_payloads = 0;
837
838 /* check all payloads for specific rule */
839 iterator->reset(iterator);
840
841 while(iterator->has_next(iterator))
842 {
843 payload_t *current_payload;
844 payload_type_t current_payload_type;
845
846 iterator->current(iterator,(void **)&current_payload);
847 current_payload_type = current_payload->get_type(current_payload);
848
849 if (current_payload_type == UNKNOWN_PAYLOAD)
850 {
851 /* unknown payloads are ignored, IF they are not critical */
852 unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
853 if (unknown_payload->is_critical(unknown_payload))
854 {
855 this->logger->log(this->logger, ERROR|LEVEL1, "%s (%d) is not supported, but its critical!",
856 mapping_find(payload_type_m, current_payload_type), current_payload_type);
857 iterator->destroy(iterator);
858 return NOT_SUPPORTED;
859 }
860 }
861 else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
862 {
863 found_payloads++;
864 total_found_payloads++;
865 this->logger->log(this->logger, CONTROL|LEVEL2, "Found payload of type %s",
866 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type));
867
868 /* as soon as ohe payload occures more then specified, the verification fails */
869 if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
870 {
871 this->logger->log(this->logger, ERROR|LEVEL1, "Payload of type %s more than %d times (%d) occured in current message",
872 mapping_find(payload_type_m, current_payload_type),
873 this->message_rule->payload_rules[i].max_occurence, found_payloads);
874 iterator->destroy(iterator);
875 return FAILED;
876 }
877 }
878 }
879
880 if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
881 {
882 this->logger->log(this->logger, ERROR|LEVEL1, "Payload of type %s not occured %d times (%d)",
883 mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type),
884 this->message_rule->payload_rules[i].min_occurence, found_payloads);
885 iterator->destroy(iterator);
886 return FAILED;
887 }
888 if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
889 {
890 iterator->destroy(iterator);
891 return SUCCESS;
892 }
893 }
894 iterator->destroy(iterator);
895 return SUCCESS;
896 }
897
898
899 /**
900 * Implementation of private_message_t.decrypt_and_verify_payloads.
901 */
902 static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
903 {
904 bool current_payload_was_encrypted = FALSE;
905 payload_t *previous_payload = NULL;
906 int payload_number = 1;
907 iterator_t *iterator;
908 status_t status;
909
910 iterator = this->payloads->create_iterator(this->payloads,TRUE);
911
912 /* process each payload and decrypt a encryption payload */
913 while(iterator->has_next(iterator))
914 {
915 payload_rule_t *payload_rule;
916 payload_type_t current_payload_type;
917 payload_t *current_payload;
918
919 /* get current payload */
920 iterator->current(iterator,(void **)&current_payload);
921
922 /* needed to check */
923 current_payload_type = current_payload->get_type(current_payload);
924
925 this->logger->log(this->logger, CONTROL|LEVEL2, "Process payload of type %s",
926 mapping_find(payload_type_m,current_payload_type));
927
928 if (current_payload_type == ENCRYPTED)
929 {
930 encryption_payload_t *encryption_payload;
931 payload_t *current_encrypted_payload;
932
933 encryption_payload = (encryption_payload_t*)current_payload;
934
935 this->logger->log(this->logger, CONTROL | LEVEL2, "Found an encryption payload");
936
937 if (payload_number != this->payloads->get_count(this->payloads))
938 {
939 /* encrypted payload is not last one */
940 this->logger->log(this->logger, ERROR | LEVEL1, "Encrypted payload is not last payload");
941 iterator->destroy(iterator);
942 return FAILED;
943 }
944 /* decrypt */
945 encryption_payload->set_transforms(encryption_payload, crypter, signer);
946 this->logger->log(this->logger, CONTROL | LEVEL1, "Verify signature of encryption payload");
947 status = encryption_payload->verify_signature(encryption_payload, this->packet->get_data(this->packet));
948 if (status != SUCCESS)
949 {
950 this->logger->log(this->logger, ERROR | LEVEL1, "encryption payload signature invalid");
951 iterator->destroy(iterator);
952 return status;
953 }
954 this->logger->log(this->logger, CONTROL | LEVEL2, "Decrypt content of encryption payload");
955 status = encryption_payload->decrypt(encryption_payload);
956 if (status != SUCCESS)
957 {
958 this->logger->log(this->logger, ERROR | LEVEL1, "Encrypted payload could not be decrypted and parsed: %s",
959 mapping_find(status_m, status));
960 iterator->destroy(iterator);
961 return status;
962 }
963
964 /* needed later to find out if a payload was encrypted */
965 current_payload_was_encrypted = TRUE;
966
967 /* check if there are payloads contained in the encryption payload */
968 if (encryption_payload->get_payload_count(encryption_payload) == 0)
969 {
970 this->logger->log(this->logger, CONTROL|LEVEL2, "Encrypted payload is empty");
971 /* remove the encryption payload, is not needed anymore */
972 iterator->remove(iterator);
973 /* encrypted payload contains no other payload */
974 current_payload_type = NO_PAYLOAD;
975 }
976 else
977 {
978 /* encryption_payload is replaced with first payload contained in encryption_payload */
979 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
980 iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
981 current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
982 }
983
984 /* is the current paylad the first in the message? */
985 if (previous_payload == NULL)
986 {
987 /* yes, set the first payload type of the message to the current type */
988 this->first_payload = current_payload_type;
989 }
990 else
991 {
992 /* no, set the next_type of the previous payload to the current type */
993 previous_payload->set_next_type(previous_payload, current_payload_type);
994 }
995
996 /* all encrypted payloads are added to the payload list */
997 while (encryption_payload->get_payload_count(encryption_payload) > 0)
998 {
999 encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
1000 this->logger->log(this->logger, CONTROL | LEVEL1, "Insert unencrypted payload of type %s at end of list.",
1001 mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
1002 this->payloads->insert_last(this->payloads,current_encrypted_payload);
1003 }
1004
1005 /* encryption payload is processed, payloads are moved. Destroy it. */
1006 encryption_payload->destroy(encryption_payload);
1007 }
1008
1009 /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
1010 if (current_payload_type != UNKNOWN_PAYLOAD)
1011 {
1012 /* get the ruleset for found payload */
1013 status = this->get_payload_rule(this, current_payload_type, &payload_rule);
1014 if (status != SUCCESS)
1015 {
1016 /* payload is not allowed */
1017 this->logger->log(this->logger, ERROR | LEVEL1, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
1018 iterator->destroy(iterator);
1019 return status;
1020 }
1021
1022 /* check if the payload was encrypted, and if it should been have encrypted */
1023 if (payload_rule->encrypted != current_payload_was_encrypted)
1024 {
1025 /* payload was not encrypted, but should have been. or vice-versa */
1026 this->logger->log(this->logger, ERROR | LEVEL1, "Payload type %s should be %s!",
1027 mapping_find(payload_type_m,current_payload_type),
1028 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
1029 iterator->destroy(iterator);
1030 return FAILED;
1031 }
1032 }
1033 /* advance to the next payload */
1034 payload_number++;
1035 /* is stored to set next payload in case of found encryption payload */
1036 previous_payload = current_payload;
1037 }
1038 iterator->destroy(iterator);
1039 return SUCCESS;
1040 }
1041
1042 /**
1043 * Implementation of private_message_t.encrypt_payloads.
1044 */
1045 static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
1046 {
1047 encryption_payload_t *encryption_payload = NULL;
1048 status_t status;
1049 linked_list_t *all_payloads;
1050
1051 if (!this->message_rule->encrypted_content)
1052 {
1053 this->logger->log(this->logger, CONTROL | LEVEL1, "Message doesn't have to be encrypted");
1054 /* message contains no content to encrypt */
1055 return SUCCESS;
1056 }
1057
1058 this->logger->log(this->logger, CONTROL | LEVEL2, "Copy all payloads to a temporary list");
1059 all_payloads = linked_list_create();
1060
1061 /* first copy all payloads in a temporary list */
1062 while (this->payloads->get_count(this->payloads) > 0)
1063 {
1064 void *current_payload;
1065 this->payloads->remove_first(this->payloads,&current_payload);
1066 all_payloads->insert_last(all_payloads,current_payload);
1067 }
1068
1069 encryption_payload = encryption_payload_create();
1070
1071 this->logger->log(this->logger, CONTROL | LEVEL2, "Check each payloads if they have to get encrypted");
1072 while (all_payloads->get_count(all_payloads) > 0)
1073 {
1074 payload_rule_t *payload_rule;
1075 payload_t *current_payload;
1076 bool to_encrypt = FALSE;
1077
1078 all_payloads->remove_first(all_payloads,(void **)&current_payload);
1079 this->logger->log(this->logger, CONTROL | LEVEL3, "Get rule for payload %s",
1080 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1081
1082 status = this->get_payload_rule(this,current_payload->get_type(current_payload),&payload_rule);
1083 /* for payload types which are not found in supported payload list, it is presumed
1084 * that they don't have to be encrypted */
1085 if ((status == SUCCESS) && (payload_rule->encrypted))
1086 {
1087 this->logger->log(this->logger, CONTROL | LEVEL2, "Payload %s has to get encrypted",
1088 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1089 to_encrypt = TRUE;
1090 }
1091 else if (status != SUCCESS)
1092 {
1093 this->logger->log(this->logger, CONTROL | LEVEL2, "Payload %s not defined for exchange type %s. Handle it anyway",
1094 mapping_find(payload_type_m,current_payload->get_type(current_payload)),
1095 mapping_find(exchange_type_m,this->exchange_type));
1096 }
1097
1098 if (to_encrypt)
1099 {
1100 this->logger->log(this->logger, CONTROL | LEVEL2, "Insert payload %s to encryption payload",
1101 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1102
1103 encryption_payload->add_payload(encryption_payload,current_payload);
1104 }
1105 else
1106 {
1107 this->logger->log(this->logger, CONTROL | LEVEL2, "Insert payload %s as payload wich does not have to be encrypted",
1108 mapping_find(payload_type_m,current_payload->get_type(current_payload)));
1109 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1110 }
1111 }
1112
1113 status = SUCCESS;
1114 this->logger->log(this->logger, CONTROL | LEVEL2, "Set transforms for encryption payload ");
1115 encryption_payload->set_transforms(encryption_payload,crypter,signer);
1116 this->logger->log(this->logger, CONTROL | LEVEL1, "Encrypt all payloads of encrypted payload");
1117 status = encryption_payload->encrypt(encryption_payload);
1118 this->logger->log(this->logger, CONTROL | LEVEL2, "Add encrypted payload to payload list");
1119 this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
1120
1121 all_payloads->destroy(all_payloads);
1122
1123 return status;
1124 }
1125
1126
1127 /**
1128 * Implementation of message_t.destroy.
1129 */
1130 static void destroy (private_message_t *this)
1131 {
1132 iterator_t *iterator;
1133
1134 this->logger->log(this->logger, CONTROL|LEVEL3, "Going to destroy message_t object");
1135
1136 this->packet->destroy(this->packet);
1137
1138 if (this->ike_sa_id != NULL)
1139 {
1140 this->ike_sa_id->destroy(this->ike_sa_id);
1141 }
1142
1143 iterator = this->payloads->create_iterator(this->payloads, TRUE);
1144 while (iterator->has_next(iterator))
1145 {
1146 payload_t *payload;
1147 iterator->current(iterator, (void**)&payload);
1148 this->logger->log(this->logger, CONTROL|LEVEL3, "Destroying payload of type %s",
1149 mapping_find(payload_type_m, payload->get_type(payload)));
1150 payload->destroy(payload);
1151 }
1152 iterator->destroy(iterator);
1153 this->payloads->destroy(this->payloads);
1154 this->parser->destroy(this->parser);
1155
1156 free(this);
1157 }
1158
1159 /*
1160 * Described in Header-File
1161 */
1162 message_t *message_create_from_packet(packet_t *packet)
1163 {
1164 private_message_t *this = malloc_thing(private_message_t);
1165
1166 /* public functions */
1167 this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
1168 this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
1169 this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
1170 this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
1171 this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
1172 this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
1173 this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
1174 this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
1175 this->public.get_ike_sa_id = (status_t(*)(message_t*, ike_sa_id_t **))get_ike_sa_id;
1176 this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
1177 this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
1178 this->public.set_request = (void(*)(message_t*, bool))set_request;
1179 this->public.get_request = (bool(*)(message_t*))get_request;
1180 this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
1181 this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
1182 this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
1183 this->public.get_source = (host_t * (*) (message_t*)) get_source;
1184 this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
1185 this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
1186 this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
1187 this->public.parse_header = (status_t (*) (message_t *)) parse_header;
1188 this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
1189 this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
1190 this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
1191 this->public.destroy = (void(*)(message_t*))destroy;
1192
1193 /* private values */
1194 this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
1195 this->is_request = TRUE;
1196 this->ike_sa_id = NULL;
1197 this->first_payload = NO_PAYLOAD;
1198 this->message_id = 0;
1199
1200 /* private functions */
1201 this->set_message_rule = set_message_rule;
1202 this->get_payload_rule = get_payload_rule;
1203 this->encrypt_payloads = encrypt_payloads;
1204 this->decrypt_payloads = decrypt_payloads;
1205 this->verify = verify;
1206
1207 /* private values */
1208 if (packet == NULL)
1209 {
1210 packet = packet_create();
1211 }
1212 this->message_rule = NULL;
1213 this->packet = packet;
1214 this->payloads = linked_list_create();
1215
1216 /* parser is created from data of packet */
1217 this->parser = parser_create(this->packet->get_data(this->packet));
1218
1219 this->logger = logger_manager->get_logger(logger_manager, MESSAGE);
1220
1221 return (&this->public);
1222 }
1223
1224 /*
1225 * Described in Header.
1226 */
1227 message_t *message_create()
1228 {
1229 return message_create_from_packet(NULL);
1230 }
1231
1232 /*
1233 * Described in Header.
1234 */
1235 message_t *message_create_notify_reply(host_t *source, host_t *destination, exchange_type_t exchange_type, bool original_initiator,ike_sa_id_t *ike_sa_id,notify_message_type_t notify_type)
1236 {
1237 message_t *message = message_create_from_packet(NULL);
1238 notify_payload_t *payload;
1239
1240 message->set_source(message, source->clone(source));
1241 message->set_destination(message, destination->clone(destination));
1242 message->set_exchange_type(message, exchange_type);
1243 message->set_request(message, FALSE);
1244 message->set_message_id(message,0);
1245 message->set_ike_sa_id(message, ike_sa_id);
1246
1247 payload = notify_payload_create_from_protocol_and_type(PROTO_IKE, notify_type);
1248 message->add_payload(message,(payload_t *) payload);
1249
1250 return message;
1251 }
Unnamed repository; edit this file 'description' to name the repository.