- better management of unknown_payload, with critical check
- message code cleanup
This commit is contained in:
parent
9affa65c79
commit
668f9fcba9
|
@ -35,6 +35,7 @@
|
|||
#include <encoding/payloads/encodings.h>
|
||||
#include <encoding/payloads/payload.h>
|
||||
#include <encoding/payloads/encryption_payload.h>
|
||||
#include <encoding/payloads/unknown_payload.h>
|
||||
|
||||
/**
|
||||
* Max number of notify payloads per IKEv2 Message
|
||||
|
@ -42,13 +43,15 @@
|
|||
#define MAX_NOTIFY_PAYLOADS 10
|
||||
|
||||
|
||||
typedef struct supported_payload_entry_t supported_payload_entry_t;
|
||||
typedef struct payload_rule_t payload_rule_t;
|
||||
|
||||
/**
|
||||
* Supported payload entry used in message_rule_t.
|
||||
*
|
||||
* A payload rule defines the rules for a payload
|
||||
* in a specific message rule. It defines if and how
|
||||
* many times a payload must/can occur in a message
|
||||
* and if it must be encrypted.
|
||||
*/
|
||||
struct supported_payload_entry_t {
|
||||
struct payload_rule_t {
|
||||
/**
|
||||
* Payload type.
|
||||
*/
|
||||
|
@ -65,21 +68,24 @@ struct supported_payload_entry_t {
|
|||
size_t max_occurence;
|
||||
|
||||
/**
|
||||
* TRUE if payload has to get encrypted
|
||||
* TRUE if payload must be encrypted
|
||||
*/
|
||||
bool encrypted;
|
||||
|
||||
/**
|
||||
* Verifying can stop after checking this payload.
|
||||
* If this payload occurs, the message rule is
|
||||
* fullfilled in any case. This applies e.g. to
|
||||
* notify_payloads.
|
||||
*/
|
||||
bool can_be_last;
|
||||
bool sufficient;
|
||||
};
|
||||
|
||||
typedef struct message_rule_t message_rule_t;
|
||||
|
||||
/**
|
||||
* Message Rule used to find out which payloads
|
||||
* are supported by each message type.
|
||||
* A message rule defines the kind of a message,
|
||||
* if it has encrypted contents and a list
|
||||
* of payload rules.
|
||||
*
|
||||
*/
|
||||
struct message_rule_t {
|
||||
|
@ -98,22 +104,21 @@ struct message_rule_t {
|
|||
*/
|
||||
bool encrypted_content;
|
||||
|
||||
/**
|
||||
* Number of supported payloads.
|
||||
*/
|
||||
size_t supported_payloads_count;
|
||||
/**
|
||||
* Number of payload rules which will follow
|
||||
*/
|
||||
size_t payload_rule_count;
|
||||
|
||||
/**
|
||||
* Pointer to first supported payload entry.
|
||||
* Pointer to first payload rule
|
||||
*/
|
||||
supported_payload_entry_t *supported_payloads;
|
||||
payload_rule_t *payload_rules;
|
||||
};
|
||||
|
||||
/**
|
||||
* Message rule for IKE_SA_INIT from initiator.
|
||||
*/
|
||||
static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
|
||||
{
|
||||
static payload_rule_t ike_sa_init_i_payload_rules[] = {
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
|
||||
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
|
||||
{KEY_EXCHANGE,1,1,FALSE,FALSE},
|
||||
|
@ -123,8 +128,7 @@ static supported_payload_entry_t supported_ike_sa_init_i_payloads[] =
|
|||
/**
|
||||
* Message rule for IKE_SA_INIT from responder.
|
||||
*/
|
||||
static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
|
||||
{
|
||||
static payload_rule_t ike_sa_init_r_payload_rules[] = {
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
|
||||
{SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
|
||||
{KEY_EXCHANGE,1,1,FALSE,FALSE},
|
||||
|
@ -134,8 +138,7 @@ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
|
|||
/**
|
||||
* Message rule for IKE_AUTH from initiator.
|
||||
*/
|
||||
static supported_payload_entry_t supported_ike_auth_i_payloads[] =
|
||||
{
|
||||
static payload_rule_t ike_auth_i_payload_rules[] = {
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
|
||||
{ID_INITIATOR,1,1,TRUE,FALSE},
|
||||
{CERTIFICATE,0,1,TRUE,FALSE},
|
||||
|
@ -145,13 +148,13 @@ static supported_payload_entry_t supported_ike_auth_i_payloads[] =
|
|||
{SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
|
||||
{TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
|
||||
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
|
||||
{CONFIGURATION,0,1,TRUE,FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
* Message rule for IKE_AUTH from responder.
|
||||
*/
|
||||
static supported_payload_entry_t supported_ike_auth_r_payloads[] =
|
||||
{
|
||||
static payload_rule_t ike_auth_r_payload_rules[] = {
|
||||
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
|
||||
{CERTIFICATE,0,1,TRUE,FALSE},
|
||||
{ID_RESPONDER,1,1,TRUE,FALSE},
|
||||
|
@ -159,33 +162,17 @@ static supported_payload_entry_t supported_ike_auth_r_payloads[] =
|
|||
{SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
|
||||
{TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
|
||||
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
|
||||
{CONFIGURATION,0,1,TRUE,FALSE},
|
||||
};
|
||||
|
||||
/**
|
||||
* Message rules, defines allowed payloads.
|
||||
*/
|
||||
static message_rule_t message_rules[] = {
|
||||
{IKE_SA_INIT,TRUE,FALSE,(sizeof(supported_ike_sa_init_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_i_payloads},
|
||||
{IKE_SA_INIT,FALSE,FALSE,(sizeof(supported_ike_sa_init_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_sa_init_r_payloads},
|
||||
{IKE_AUTH,TRUE,TRUE,(sizeof(supported_ike_auth_i_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_i_payloads},
|
||||
{IKE_AUTH,FALSE,TRUE,(sizeof(supported_ike_auth_r_payloads)/sizeof(supported_payload_entry_t)),supported_ike_auth_r_payloads}
|
||||
};
|
||||
|
||||
typedef struct payload_entry_t payload_entry_t;
|
||||
|
||||
/**
|
||||
* Entry for a payload in the internal used linked list.
|
||||
*
|
||||
*/
|
||||
struct payload_entry_t {
|
||||
/**
|
||||
* Type of payload.
|
||||
*/
|
||||
payload_type_t payload_type;
|
||||
/**
|
||||
* Data struct holding the data of given payload.
|
||||
*/
|
||||
void *data_struct;
|
||||
{IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
|
||||
{IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
|
||||
{IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
|
||||
{IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules}
|
||||
};
|
||||
|
||||
|
||||
|
@ -222,8 +209,7 @@ struct private_message_t {
|
|||
exchange_type_t exchange_type;
|
||||
|
||||
/**
|
||||
* TRUE if message is request.
|
||||
* FALSE if message is reply.
|
||||
* TRUE if message is a request, FALSE if a reply.
|
||||
*/
|
||||
bool is_request;
|
||||
|
||||
|
@ -238,9 +224,7 @@ struct private_message_t {
|
|||
ike_sa_id_t *ike_sa_id;
|
||||
|
||||
/**
|
||||
* Assigned UDP packet.
|
||||
*
|
||||
* Stores incoming packet or last generated one.
|
||||
* Assigned UDP packet, stores incoming packet or last generated one.
|
||||
*/
|
||||
packet_t *packet;
|
||||
|
||||
|
@ -254,39 +238,39 @@ struct private_message_t {
|
|||
*/
|
||||
parser_t *parser;
|
||||
|
||||
/**
|
||||
* The message rule for this message instance
|
||||
*/
|
||||
message_rule_t *message_rule;
|
||||
|
||||
/**
|
||||
* Assigned logger.
|
||||
*/
|
||||
logger_t *logger;
|
||||
|
||||
/**
|
||||
* Gets a list of supported payloads of this message type.
|
||||
* Sets the private message_rule member to the rule which
|
||||
* applies to this message. Must be called before get_payload_rule().
|
||||
*
|
||||
* @param this calling object
|
||||
* @param[out] message_rule pointer is set to the message_rule
|
||||
* of current message type
|
||||
*
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - NOT_FOUND if no message rule
|
||||
* for specific message type could be found
|
||||
* - NOT_FOUND if no message rule applies to this message.
|
||||
*/
|
||||
status_t (*get_message_rule) (private_message_t *this, message_rule_t **message_rule);
|
||||
status_t (*set_message_rule) (private_message_t *this);
|
||||
|
||||
/**
|
||||
* Gets the supported_payload_entry_t for a specific message_rule_t and payload type.
|
||||
* Gets the payload_rule_t for a specific message_rule_t and payload type.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param message_rule message rule
|
||||
* @param payload_type payload type
|
||||
* @param[out] payload_entry returned payload_entry_t
|
||||
*
|
||||
* @param[out] payload_rule returned payload_rule_t
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - NOT_FOUND if no message rule
|
||||
* for specific message type could be found
|
||||
* - NOT_FOUND if payload not defined in current message rule
|
||||
* - INVALID_STATE if message rule is not set via set_message_rule()
|
||||
*/
|
||||
status_t (*get_supported_payload_entry) (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry);
|
||||
status_t (*get_payload_rule) (private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule);
|
||||
|
||||
/**
|
||||
* Encrypts all payloads which has to get encrypted.
|
||||
|
@ -296,24 +280,40 @@ struct private_message_t {
|
|||
* @param this calling object
|
||||
* @param crypter crypter_t object
|
||||
* @param signer signer_t object
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - INVALID_STATE if no crypter/signer supplied but needed
|
||||
*/
|
||||
status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
|
||||
|
||||
/**
|
||||
* Decrypts encrypted contents and also verifies all payloads.
|
||||
* Decrypts encrypted contents, and checks if a payload is encrypted if it has to be.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param crypter crypter_t object
|
||||
* @param signer signer_t object
|
||||
* @return
|
||||
* - SUCCESS
|
||||
* - FAILED if decryption not successfull
|
||||
* - INVALID_STATE if no crypter/signer supplied but needed
|
||||
*/
|
||||
status_t (*decrypt_and_verify_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
|
||||
status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
|
||||
|
||||
/**
|
||||
* Verifies the message. Checks for payloads count.
|
||||
*
|
||||
* @param calling object
|
||||
* @return
|
||||
* - SUCCESS if message valid, or
|
||||
* - FAILED if message does not align with message rules.
|
||||
*/
|
||||
status_t (*verify) (private_message_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Implementation of private_message_t.get_supported_payloads.
|
||||
* Implementation of private_message_t.set_message_rule.
|
||||
*/
|
||||
|
||||
static status_t get_message_rule (private_message_t *this, message_rule_t **message_rule)
|
||||
static status_t set_message_rule(private_message_t *this)
|
||||
{
|
||||
int i;
|
||||
|
||||
|
@ -323,31 +323,31 @@ static status_t get_message_rule (private_message_t *this, message_rule_t **mes
|
|||
(this->is_request == message_rules[i].is_request))
|
||||
{
|
||||
/* found rule for given exchange_type*/
|
||||
*message_rule = &(message_rules[i]);
|
||||
this->message_rule = &(message_rules[i]);
|
||||
return SUCCESS;
|
||||
}
|
||||
}
|
||||
*message_rule = NULL;
|
||||
this->message_rule = NULL;
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of private_message_t.get_supported_payload_entry.
|
||||
* Implementation of private_message_t.get_payload_rule.
|
||||
*/
|
||||
static status_t get_supported_payload_entry (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry)
|
||||
static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < message_rule->supported_payloads_count;i++)
|
||||
for (i = 0; i < this->message_rule->payload_rule_count;i++)
|
||||
{
|
||||
if (message_rule->supported_payloads[i].payload_type == payload_type)
|
||||
if (this->message_rule->payload_rules[i].payload_type == payload_type)
|
||||
{
|
||||
*payload_entry = &(message_rule->supported_payloads[i]);
|
||||
*payload_rule = &(this->message_rule->payload_rules[i]);
|
||||
return SUCCESS;
|
||||
}
|
||||
}
|
||||
|
||||
*payload_entry = NULL;
|
||||
*payload_rule = NULL;
|
||||
return NOT_FOUND;
|
||||
}
|
||||
|
||||
|
@ -541,7 +541,6 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
|
|||
ike_header_t *ike_header;
|
||||
payload_t *payload, *next_payload;
|
||||
iterator_t *iterator;
|
||||
message_rule_t *message_rule;
|
||||
status_t status;
|
||||
|
||||
this->logger->log(this->logger, CONTROL, "Generating message of type %s, contains %d payloads",
|
||||
|
@ -550,27 +549,32 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
|
|||
|
||||
if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Exchange type %s is not defined",mapping_find(exchange_type_m,this->exchange_type));
|
||||
this->logger->log(this->logger, ERROR | MORE, "Exchange type %s is not defined",
|
||||
mapping_find(exchange_type_m,this->exchange_type));
|
||||
return INVALID_STATE;
|
||||
}
|
||||
|
||||
status = this->get_message_rule(this, &message_rule);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
|
||||
mapping_find(exchange_type_m,this->exchange_type));
|
||||
return status;
|
||||
}
|
||||
|
||||
if (this->packet->source == NULL ||
|
||||
this->packet->destination == NULL)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Source/destination not defined");
|
||||
this->logger->log(this->logger, ERROR|MORE, "%s not defined",
|
||||
!this->packet->source ? "source" : "destination");
|
||||
return INVALID_STATE;
|
||||
}
|
||||
|
||||
/* set the rules for this messge */
|
||||
status = this->set_message_rule(this);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "No message rules specified for a %s %s",
|
||||
mapping_find(exchange_type_m,this->exchange_type),
|
||||
this->is_request ? "request" : "response");
|
||||
return NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
|
||||
/* going to encrypt all content which have to be encrypted */
|
||||
status = this->encrypt_payloads(this,crypter,signer);
|
||||
status = this->encrypt_payloads(this, crypter, signer);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Could not encrypt payloads");
|
||||
|
@ -591,9 +595,9 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
|
|||
|
||||
payload = (payload_t*)ike_header;
|
||||
|
||||
iterator = this->payloads->create_iterator(this->payloads, TRUE);
|
||||
|
||||
/* generate every payload expect last one*/
|
||||
/* generate every payload expect last one, this is doen later*/
|
||||
iterator = this->payloads->create_iterator(this->payloads, TRUE);
|
||||
while(iterator->has_next(iterator))
|
||||
{
|
||||
iterator->current(iterator, (void**)&next_payload);
|
||||
|
@ -634,7 +638,8 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
|
|||
/* clone packet for caller */
|
||||
*packet = this->packet->clone(this->packet);
|
||||
|
||||
this->logger->log(this->logger, CONTROL, "Message of type %s generated successfully",mapping_find(exchange_type_m,this->exchange_type));
|
||||
this->logger->log(this->logger, CONTROL, "Message of type %s generated successfully",
|
||||
mapping_find(exchange_type_m,this->exchange_type));
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
|
@ -699,11 +704,22 @@ static status_t parse_header(private_message_t *this)
|
|||
this->minor_version = ike_header->get_min_version(ike_header);
|
||||
this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
|
||||
|
||||
this->logger->log(this->logger, CONTROL, "Parsed a %s %s", mapping_find(exchange_type_m, this->exchange_type),
|
||||
this->logger->log(this->logger, CONTROL, "Parsed a %s %s",
|
||||
mapping_find(exchange_type_m, this->exchange_type),
|
||||
this->is_request ? "request" : "response");
|
||||
|
||||
ike_header->destroy(ike_header);
|
||||
return SUCCESS;
|
||||
ike_header->destroy(ike_header);
|
||||
|
||||
/* get the rules for this messge */
|
||||
status = this->set_message_rule(this);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "No message rules specified for a %s %s",
|
||||
mapping_find(exchange_type_m,this->exchange_type),
|
||||
this->is_request ? "request" : "response");
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -712,11 +728,14 @@ static status_t parse_header(private_message_t *this)
|
|||
static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
|
||||
{
|
||||
status_t status = SUCCESS;
|
||||
payload_type_t current_payload_type = this->first_payload;
|
||||
payload_type_t current_payload_type;
|
||||
|
||||
current_payload_type = this->first_payload;
|
||||
|
||||
this->logger->log(this->logger, CONTROL|MORE, "Parsing body of message, first payload %s",
|
||||
mapping_find(payload_type_m, current_payload_type));
|
||||
|
||||
/* parse payload for payload, while there are more available */
|
||||
while ((current_payload_type != NO_PAYLOAD))
|
||||
{
|
||||
payload_t *current_payload;
|
||||
|
@ -724,6 +743,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
|
|||
this->logger->log(this->logger, CONTROL|MOST, "Start parsing payload of type %s",
|
||||
mapping_find(payload_type_m, current_payload_type));
|
||||
|
||||
/* parse current payload */
|
||||
status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) ¤t_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
|
@ -734,6 +754,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
|
|||
this->logger->log(this->logger, CONTROL|MOST, "Verify payload of type %s",
|
||||
mapping_find(payload_type_m, current_payload_type));
|
||||
|
||||
/* verify it, stop parsig if its invalid */
|
||||
status = current_payload->verify(current_payload);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
|
@ -747,7 +768,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
|
|||
mapping_find(payload_type_m, current_payload_type));
|
||||
this->payloads->insert_last(this->payloads,current_payload);
|
||||
|
||||
/* stop if an encryption payload found */
|
||||
/* an encryption payload is the last one, so STOP here. decryption is done later */
|
||||
if (current_payload_type == ENCRYPTED)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Payload of type encrypted found. Stop parsing.",
|
||||
|
@ -764,78 +785,91 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
|
|||
this->is_request ? "request" : "response",
|
||||
this->payloads->get_count(this->payloads));
|
||||
|
||||
status = this->decrypt_and_verify_payloads(this,crypter,signer);
|
||||
/* */
|
||||
if (current_payload_type == ENCRYPTED)
|
||||
status = this->decrypt_payloads(this,crypter,signer);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Could not decrypt and verify payloads");
|
||||
this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
|
||||
return status;
|
||||
}
|
||||
|
||||
return SUCCESS;
|
||||
|
||||
status = this->verify(this);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Verification of message failed");
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of message_t.verify.
|
||||
* Implementation of private_message_t.verify.
|
||||
*/
|
||||
static status_t verify(private_message_t *this)
|
||||
{
|
||||
int i;
|
||||
status_t status;
|
||||
iterator_t *iterator;
|
||||
message_rule_t *message_rule;
|
||||
size_t total_found_payloads = 0;
|
||||
|
||||
this->logger->log(this->logger, CONTROL|MORE, "Verifying message structure");
|
||||
|
||||
status = this->get_message_rule(this, &message_rule);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
|
||||
mapping_find(exchange_type_m,this->exchange_type));
|
||||
return status;
|
||||
}
|
||||
|
||||
iterator = this->payloads->create_iterator(this->payloads,TRUE);
|
||||
/* check for payloads with wrong count*/
|
||||
for (i = 0; i < message_rule->supported_payloads_count;i++)
|
||||
for (i = 0; i < this->message_rule->payload_rule_count;i++)
|
||||
{
|
||||
size_t found_payloads = 0;
|
||||
|
||||
/* check all payloads for specific rule */
|
||||
iterator->reset(iterator);
|
||||
|
||||
while(iterator->has_next(iterator))
|
||||
{
|
||||
payload_t *current_payload;
|
||||
iterator->current(iterator,(void **)¤t_payload);
|
||||
payload_type_t current_payload_type;
|
||||
|
||||
if (current_payload->get_type(current_payload) == message_rule->supported_payloads[i].payload_type)
|
||||
iterator->current(iterator,(void **)¤t_payload);
|
||||
current_payload_type = current_payload->get_type(current_payload);
|
||||
|
||||
if (current_payload_type == UNKNOWN_PAYLOAD)
|
||||
{
|
||||
/* unknown payloads are ignored, IF they are not critical */
|
||||
unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
|
||||
if (unknown_payload->is_critical(unknown_payload))
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "%s (%d) is not supported, but its critical!",
|
||||
mapping_find(payload_type_m, current_payload_type), current_payload_type);
|
||||
iterator->destroy(iterator);
|
||||
return NOT_SUPPORTED;
|
||||
}
|
||||
}
|
||||
else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
|
||||
{
|
||||
found_payloads++;
|
||||
total_found_payloads++;
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Found payload of type %s",
|
||||
mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type));
|
||||
|
||||
mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type));
|
||||
|
||||
/* as soon as ohe payload occures more then specified, the verification fails */
|
||||
if (found_payloads > message_rule->supported_payloads[i].max_occurence)
|
||||
if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Payload of type %s more than %d times (%d) occured in current message",
|
||||
mapping_find(payload_type_m,current_payload->get_type(current_payload)),
|
||||
message_rule->supported_payloads[i].max_occurence,found_payloads);
|
||||
mapping_find(payload_type_m, current_payload_type),
|
||||
this->message_rule->payload_rules[i].max_occurence, found_payloads);
|
||||
iterator->destroy(iterator);
|
||||
return NOT_SUPPORTED;
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (found_payloads < message_rule->supported_payloads[i].min_occurence)
|
||||
|
||||
if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times (%d)",
|
||||
mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type),
|
||||
message_rule->supported_payloads[i].min_occurence,found_payloads);
|
||||
mapping_find(payload_type_m, this->message_rule->payload_rules[i].payload_type),
|
||||
this->message_rule->payload_rules[i].min_occurence, found_payloads);
|
||||
iterator->destroy(iterator);
|
||||
return NOT_SUPPORTED;
|
||||
return FAILED;
|
||||
}
|
||||
if ((message_rule->supported_payloads[i].can_be_last) && (this->payloads->get_count(this->payloads) == total_found_payloads))
|
||||
if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
|
||||
{
|
||||
iterator->destroy(iterator);
|
||||
return SUCCESS;
|
||||
|
@ -849,29 +883,20 @@ static status_t verify(private_message_t *this)
|
|||
/**
|
||||
* Implementation of private_message_t.decrypt_and_verify_payloads.
|
||||
*/
|
||||
static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
|
||||
static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
|
||||
{
|
||||
bool current_payload_was_encrypted = FALSE;
|
||||
payload_t *last_payload = NULL;
|
||||
message_rule_t *message_rule;
|
||||
payload_t *previous_payload = NULL;
|
||||
int payload_number = 1;
|
||||
iterator_t *iterator;
|
||||
status_t status;
|
||||
|
||||
status = this->get_message_rule(this, &message_rule);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
|
||||
mapping_find(exchange_type_m,this->exchange_type));
|
||||
return status;
|
||||
}
|
||||
|
||||
iterator = this->payloads->create_iterator(this->payloads,TRUE);
|
||||
|
||||
/* process each payload and decrypt a encryption payload */
|
||||
while(iterator->has_next(iterator))
|
||||
{
|
||||
supported_payload_entry_t *supported_payload_entry;
|
||||
payload_rule_t *payload_rule;
|
||||
payload_type_t current_payload_type;
|
||||
payload_t *current_payload;
|
||||
|
||||
|
@ -888,28 +913,18 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *
|
|||
encryption_payload_t *encryption_payload;
|
||||
payload_t *current_encrypted_payload;
|
||||
|
||||
encryption_payload = (encryption_payload_t*)current_payload;
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Found an encryption payload");
|
||||
|
||||
if (!message_rule->encrypted_content)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Encrypted payload not allowed for this message type");
|
||||
iterator->destroy(iterator);
|
||||
/* encrypted payload is not last one */
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
|
||||
if (payload_number != this->payloads->get_count(this->payloads))
|
||||
{
|
||||
/* encrypted payload is not last one */
|
||||
this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last payload");
|
||||
iterator->destroy(iterator);
|
||||
/* encrypted payload is not last one */
|
||||
return FAILED;
|
||||
}
|
||||
|
||||
iterator->current(iterator,(void **)&encryption_payload);
|
||||
|
||||
/* encrypt payload */
|
||||
/* decrypt */
|
||||
encryption_payload->set_transforms(encryption_payload, crypter, signer);
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Verify signature of encryption payload");
|
||||
status = encryption_payload->verify_signature(encryption_payload, this->packet->data);
|
||||
|
@ -929,54 +944,37 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *
|
|||
return status;
|
||||
}
|
||||
|
||||
/* needed to later find out if a payload has to be encrypted or not */
|
||||
/* needed later to find out if a payload was encrypted */
|
||||
current_payload_was_encrypted = TRUE;
|
||||
|
||||
|
||||
/* check if there are payloads contained in the encryption payload */
|
||||
if (encryption_payload->get_payload_count(encryption_payload) == 0)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Encrypted payload is empty");
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Encrypted payload is empty");
|
||||
/* remove the encryption payload, is not needed anymore */
|
||||
iterator->remove(iterator);
|
||||
encryption_payload->destroy(encryption_payload);
|
||||
/* encrypted payload contains no other payload */
|
||||
current_payload_type = NO_PAYLOAD;
|
||||
if (last_payload == NULL)
|
||||
{
|
||||
/* encrypted content was the only payload in IKEv2-Message
|
||||
* Set the first payload to the first payload of encrypted ones */
|
||||
this->first_payload = current_payload_type;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* another payload was here before the encrypted content
|
||||
* Set the next payload of proceeding payload
|
||||
* to the first payload of encrypted ones */
|
||||
last_payload->set_next_type(last_payload,current_payload_type);
|
||||
}
|
||||
break;
|
||||
|
||||
}
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Encrypted payload is not empty");
|
||||
|
||||
/* encryption_payload is replaced with first encrypted payload*/
|
||||
encryption_payload->remove_first_payload(encryption_payload, ¤t_encrypted_payload);
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Replace encrypted payload with payload of type %s.",
|
||||
mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
|
||||
iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
|
||||
current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
|
||||
if (last_payload == NULL)
|
||||
else
|
||||
{
|
||||
/* encrypted content was the only payload in IKEv2-Message
|
||||
* Set the first payload to the first payload of encrypted ones */
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Encrypted payload is not empty");
|
||||
/* encryption_payload is replaced with first payload contained in encryption_payload */
|
||||
encryption_payload->remove_first_payload(encryption_payload, ¤t_encrypted_payload);
|
||||
iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
|
||||
current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
|
||||
}
|
||||
|
||||
/* is the current paylad the first in the message? */
|
||||
if (previous_payload == NULL)
|
||||
{
|
||||
/* yes, set the first payload type of the message to the current type */
|
||||
this->first_payload = current_payload_type;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* another payload was here before the encrypted content
|
||||
* Set the next payload of proceeding payload
|
||||
* to the first payload of encrypted ones */
|
||||
last_payload->set_next_type(last_payload,current_payload_type);
|
||||
/* no, set the next_type of the previous payload to the current type */
|
||||
previous_payload->set_next_type(previous_payload, current_payload_type);
|
||||
}
|
||||
|
||||
/* all encrypted payloads are added to the payload list */
|
||||
|
@ -987,37 +985,41 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *
|
|||
this->payloads->insert_last(this->payloads,current_encrypted_payload);
|
||||
}
|
||||
|
||||
/* encryption payload is not needed anymore cause all payloads are
|
||||
* moved to internal payload list */
|
||||
encryption_payload->destroy(encryption_payload);
|
||||
|
||||
|
||||
/* encryption payload is processed, payloads are moved. Destroy it. */
|
||||
encryption_payload->destroy(encryption_payload);
|
||||
}
|
||||
|
||||
status = this->get_supported_payload_entry(this,message_rule,current_payload_type,&supported_payload_entry);
|
||||
if (status != SUCCESS)
|
||||
/* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
|
||||
if (current_payload_type != UNKNOWN_PAYLOAD)
|
||||
{
|
||||
/* payload type not supported */
|
||||
this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
|
||||
iterator->destroy(iterator);
|
||||
return status;
|
||||
}
|
||||
|
||||
if (supported_payload_entry->encrypted != current_payload_was_encrypted)
|
||||
{
|
||||
/* payload type not supported */
|
||||
this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!",
|
||||
mapping_find(payload_type_m,current_payload_type),
|
||||
(supported_payload_entry->encrypted) ? "encrypted": "not encrypted");
|
||||
iterator->destroy(iterator);
|
||||
return status;
|
||||
/* get the ruleset for found payload */
|
||||
status = this->get_payload_rule(this, current_payload_type, &payload_rule);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
/* payload is not allowed */
|
||||
this->logger->log(this->logger, ERROR | MORE, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
|
||||
iterator->destroy(iterator);
|
||||
return status;
|
||||
}
|
||||
|
||||
/* check if the payload was encrypted, and if it should been have encrypted */
|
||||
if (payload_rule->encrypted != current_payload_was_encrypted)
|
||||
{
|
||||
/* payload was not encrypted, but should have been. or vice-versa */
|
||||
this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!",
|
||||
mapping_find(payload_type_m,current_payload_type),
|
||||
(payload_rule->encrypted) ? "encrypted": "not encrypted");
|
||||
iterator->destroy(iterator);
|
||||
return FAILED;
|
||||
}
|
||||
}
|
||||
/* advance to the next payload */
|
||||
payload_number++;
|
||||
/* is stored to set next payload in case of found encryption payload */
|
||||
last_payload = current_payload;
|
||||
previous_payload = current_payload;
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
return this->public.verify(&(this->public));
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1026,19 +1028,10 @@ static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *
|
|||
static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
|
||||
{
|
||||
encryption_payload_t *encryption_payload = NULL;
|
||||
message_rule_t *message_rule;
|
||||
status_t status;
|
||||
linked_list_t *all_payloads;
|
||||
|
||||
status = this->get_message_rule(this, &message_rule);
|
||||
if (status != SUCCESS)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
|
||||
mapping_find(exchange_type_m,this->exchange_type));
|
||||
return status;
|
||||
}
|
||||
|
||||
if (!message_rule->encrypted_content)
|
||||
if (!this->message_rule->encrypted_content)
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL | MORE, "Message doesn't have to be encrypted");
|
||||
/* message contains no content to encrypt */
|
||||
|
@ -1059,17 +1052,17 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|||
this->logger->log(this->logger, CONTROL | MOST, "Check each payloads if they have to get encrypted");
|
||||
while (all_payloads->get_count(all_payloads) > 0)
|
||||
{
|
||||
supported_payload_entry_t *supported_payload_entry;
|
||||
payload_rule_t *payload_rule;
|
||||
payload_t *current_payload;
|
||||
bool to_encrypt = FALSE;
|
||||
|
||||
all_payloads->remove_first(all_payloads,(void **)¤t_payload);
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Get rule for payload %s", mapping_find(payload_type_m,current_payload->get_type(current_payload)));
|
||||
|
||||
status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&supported_payload_entry);
|
||||
status = this->get_payload_rule(this,current_payload->get_type(current_payload),&payload_rule);
|
||||
/* for payload types which are not found in supported payload list, it is presumed
|
||||
* that they don't have to be encrypted */
|
||||
if ((status == SUCCESS) && (supported_payload_entry->encrypted))
|
||||
if ((status == SUCCESS) && (payload_rule->encrypted))
|
||||
{
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Payload %s has to get encrypted",
|
||||
mapping_find(payload_type_m,current_payload->get_type(current_payload)));
|
||||
|
@ -1125,7 +1118,7 @@ static void destroy (private_message_t *this)
|
|||
{
|
||||
iterator_t *iterator;
|
||||
|
||||
this->logger->log(this->logger, CONTROL | MOST, "Going to destroy message_t object");
|
||||
this->logger->log(this->logger, CONTROL|ALL, "Going to destroy message_t object");
|
||||
|
||||
this->packet->destroy(this->packet);
|
||||
|
||||
|
@ -1139,7 +1132,7 @@ static void destroy (private_message_t *this)
|
|||
{
|
||||
payload_t *payload;
|
||||
iterator->current(iterator, (void**)&payload);
|
||||
this->logger->log(this->logger, CONTROL|MOST, "Destroying payload of type %s",
|
||||
this->logger->log(this->logger, CONTROL|ALL, "Destroying payload of type %s",
|
||||
mapping_find(payload_type_m, payload->get_type(payload)));
|
||||
payload->destroy(payload);
|
||||
}
|
||||
|
@ -1181,7 +1174,6 @@ message_t *message_create_from_packet(packet_t *packet)
|
|||
this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
|
||||
this->public.parse_header = (status_t (*) (message_t *)) parse_header;
|
||||
this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
|
||||
this->public.verify = (status_t (*) (message_t*)) verify;
|
||||
this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
|
||||
this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
|
||||
this->public.destroy = (void(*)(message_t*))destroy;
|
||||
|
@ -1194,16 +1186,18 @@ message_t *message_create_from_packet(packet_t *packet)
|
|||
this->message_id = 0;
|
||||
|
||||
/* private functions */
|
||||
this->get_message_rule = get_message_rule;
|
||||
this->get_supported_payload_entry = get_supported_payload_entry;
|
||||
this->set_message_rule = set_message_rule;
|
||||
this->get_payload_rule = get_payload_rule;
|
||||
this->encrypt_payloads = encrypt_payloads;
|
||||
this->decrypt_and_verify_payloads = decrypt_and_verify_payloads;
|
||||
this->decrypt_payloads = decrypt_payloads;
|
||||
this->verify = verify;
|
||||
|
||||
/* private values */
|
||||
if (packet == NULL)
|
||||
{
|
||||
packet = packet_create();
|
||||
}
|
||||
this->message_rule = NULL;
|
||||
this->packet = packet;
|
||||
this->payloads = linked_list_create();
|
||||
|
||||
|
|
|
@ -38,7 +38,15 @@ typedef struct message_t message_t;
|
|||
/**
|
||||
* @brief This class is used to represent an IKEv2-Message.
|
||||
*
|
||||
* An IKEv2-Message is either a request or response.
|
||||
* The message handles parsing and generation of payloads
|
||||
* via parser_t/generator_t. Encryption is done transparently
|
||||
* via the encryption_payload_t. A set of rules for messages
|
||||
* and payloads does check parsed messages.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - message_create()
|
||||
* - message_create_from_packet()
|
||||
* - message_create_notify_reply()
|
||||
*
|
||||
* @ingroup encoding
|
||||
*/
|
||||
|
@ -159,6 +167,12 @@ struct message_t {
|
|||
|
||||
/**
|
||||
* @brief Append a payload to the message.
|
||||
*
|
||||
* If the payload must be encrypted is not specified here. Encryption
|
||||
* of payloads is evaluated via internal rules for the messages and
|
||||
* is done before generation. The order of payloads may change, since
|
||||
* all payloads to encrypt are added to the encryption payload, which is
|
||||
* always the last one.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @param payload payload to append
|
||||
|
@ -166,7 +180,11 @@ struct message_t {
|
|||
void (*add_payload) (message_t *this, payload_t *payload);
|
||||
|
||||
/**
|
||||
* @brief Parses header of message
|
||||
* @brief Parses header of message.
|
||||
*
|
||||
* Begins parisng of a message created via message_create_from_packet().
|
||||
* The parsing context is stored, so a subsequent call to parse_body()
|
||||
* will continue the parsing process.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @return
|
||||
|
@ -181,42 +199,53 @@ struct message_t {
|
|||
*
|
||||
* The body gets not only parsed, but rather it gets verified.
|
||||
* All payloads are verified if they are allowed to exist in the message
|
||||
* of this type and if their own structure is ok.
|
||||
* of this type and if their own structure is ok.
|
||||
* If there are encrypted payloads, they get decrypted via the supplied
|
||||
* crypter. Also the message integrity gets verified with the supplied
|
||||
* signer.
|
||||
* Crypter/signer can be omitted (by passing NULL) when no encryption
|
||||
* payload is expected.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @param crypter crypter to decrypt encryption payloads
|
||||
* @param signer signer to verifiy a message with an encryption payload
|
||||
* @return
|
||||
* - SUCCESS if header could be parsed
|
||||
* - NOT_SUPPORTED if unsupported payload are contained in body
|
||||
* - NOT_SUPPORTED if ciritcal unknown payloads found
|
||||
* - FAILED if message type is not suppported!
|
||||
* - PARSE_ERROR if corrupted/invalid data found
|
||||
* - VERIFY_ERROR if verification of some payload failed
|
||||
* - INVALID_STATE if crypter/signer not supplied, but needed
|
||||
*/
|
||||
status_t (*parse_body) (message_t *this, crypter_t *crypter, signer_t *signer);
|
||||
|
||||
/**
|
||||
* @brief Generates the UDP packet of specific message
|
||||
* @brief Generates the UDP packet of specific message.
|
||||
*
|
||||
* Payloads which must be encrypted are generated first and added to
|
||||
* an encryption payload. This encryption payload will get encrypted via
|
||||
* the supplied crypter. Then all other payloads and the header get generated.
|
||||
* After that, the checksum is added to the encryption payload over the full
|
||||
* message.
|
||||
* Crypter/signer can be omitted (by passing NULL) when no encryption
|
||||
* payload is expected.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @param crypter crypter to use when a payload must be encrypted
|
||||
* @param signer signer to build a mac
|
||||
* @return
|
||||
* - SUCCESS if packet could be generated
|
||||
* - EXCHANGE_TYPE_NOT_SET if exchange type is currently not set
|
||||
* ....
|
||||
* - INVALID_STATE if exchange type is currently not set
|
||||
* - NOT_FOUND if no rules found for message generation
|
||||
* - INVALID_STATE if crypter/signer not supplied but needed.
|
||||
*/
|
||||
status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
|
||||
|
||||
|
||||
/**
|
||||
* Verifies the structure of the message_t object.
|
||||
* @brief Gets the source host informations.
|
||||
*
|
||||
* The payloads are checked for the correct occurence count.
|
||||
*
|
||||
* @param this message_t object
|
||||
*/
|
||||
status_t (*verify) (message_t *this);
|
||||
|
||||
/**
|
||||
* Gets the source host informations.
|
||||
*
|
||||
* @warning Returned host_t object is not getting cloned.
|
||||
* @warning Returned host_t object is not getting cloned,
|
||||
* do not destroy nor modify.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @return host_t object representing source host
|
||||
|
@ -224,7 +253,7 @@ struct message_t {
|
|||
host_t * (*get_source) (message_t *this);
|
||||
|
||||
/**
|
||||
* Sets the source host informations.
|
||||
* @brief Sets the source host informations.
|
||||
*
|
||||
* @warning host_t object is not getting cloned and gets destroyed by
|
||||
* message_t.destroy or next call of message_t.set_source.
|
||||
|
@ -235,9 +264,10 @@ struct message_t {
|
|||
void (*set_source) (message_t *this, host_t *host);
|
||||
|
||||
/**
|
||||
* Gets the destination host informations.
|
||||
* @brief Gets the destination host informations.
|
||||
*
|
||||
* @warning Returned host_t object is not getting cloned.
|
||||
* @warning Returned host_t object is not getting cloned,
|
||||
* do not destroy nor modify.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @return host_t object representing destination host
|
||||
|
@ -245,7 +275,7 @@ struct message_t {
|
|||
host_t * (*get_destination) (message_t *this);
|
||||
|
||||
/**
|
||||
* Sets the destination host informations.
|
||||
* @brief Sets the destination host informations.
|
||||
*
|
||||
* @warning host_t object is not getting cloned and gets destroyed by
|
||||
* message_t.destroy or next call of message_t.set_destination.
|
||||
|
@ -256,10 +286,10 @@ struct message_t {
|
|||
void (*set_destination) (message_t *this, host_t *host);
|
||||
|
||||
/**
|
||||
* Returns an iterator on all stored payloads.
|
||||
* @brief Returns an iterator on all stored payloads.
|
||||
*
|
||||
* @warning Don't insert payloads over this iterator.
|
||||
* Use message_t.add_payload instead.
|
||||
* Use add_payload() instead.
|
||||
*
|
||||
* @param this message_t object
|
||||
* @return iterator_t object which has to get destroyd by the caller
|
||||
|
@ -292,7 +322,7 @@ struct message_t {
|
|||
};
|
||||
|
||||
/**
|
||||
* Creates an message_t object from a incoming UDP Packet.
|
||||
* @brief Creates an message_t object from a incoming UDP Packet.
|
||||
*
|
||||
* @warning the given packet_t object is not copied and gets
|
||||
* destroyed in message_t's destroy call.
|
||||
|
@ -302,9 +332,9 @@ struct message_t {
|
|||
* - exchange_type is set to NOT_SET
|
||||
* - original_initiator is set to TRUE
|
||||
* - is_request is set to TRUE
|
||||
* Call message_t.parse_header afterwards.
|
||||
*
|
||||
* @param packet packet_t object which is assigned to message
|
||||
*
|
||||
* @param packet packet_t object which is assigned to message
|
||||
* @return created message_t object
|
||||
*
|
||||
* @ingroup encoding
|
||||
|
@ -313,7 +343,7 @@ message_t * message_create_from_packet(packet_t *packet);
|
|||
|
||||
|
||||
/**
|
||||
* Creates an empty message_t object.
|
||||
* @brief Creates an empty message_t object.
|
||||
*
|
||||
* - exchange_type is set to NOT_SET
|
||||
* - original_initiator is set to TRUE
|
||||
|
@ -326,7 +356,7 @@ message_t * message_create_from_packet(packet_t *packet);
|
|||
message_t * message_create();
|
||||
|
||||
/**
|
||||
* Creates an message_t object of type reply containing a notify payload.
|
||||
* @brief Creates an message_t object of type reply containing a notify payload.
|
||||
*
|
||||
* @return created message_t object
|
||||
*
|
||||
|
|
|
@ -51,6 +51,7 @@
|
|||
#include <encoding/payloads/cp_payload.h>
|
||||
#include <encoding/payloads/configuration_attribute.h>
|
||||
#include <encoding/payloads/eap_payload.h>
|
||||
#include <encoding/payloads/unknown_payload.h>
|
||||
|
||||
|
||||
typedef struct private_parser_t private_parser_t;
|
||||
|
@ -587,6 +588,9 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
|
|||
int rule_number;
|
||||
encoding_rule_t *rule;
|
||||
|
||||
/* create instance of the payload to parse */
|
||||
pld = payload_create(payload_type);
|
||||
|
||||
this->logger->log(this->logger, CONTROL|MORE, "parsing %s payload, %d bytes left",
|
||||
mapping_find(payload_type_m, payload_type),
|
||||
this->input_roof-this->byte_pos);
|
||||
|
@ -594,18 +598,17 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
|
|||
this->logger->log_bytes(this->logger, RAW, "parsing payload from", this->byte_pos,
|
||||
this->input_roof-this->byte_pos);
|
||||
|
||||
/* ok, do the parsing */
|
||||
pld = payload_create(payload_type);
|
||||
if (pld == NULL)
|
||||
if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, " payload %s not supported", mapping_find(payload_type_m, payload_type));
|
||||
return NOT_SUPPORTED;
|
||||
this->logger->log(this->logger, ERROR|MORE, " payload type %d is unknown, handling as %s",
|
||||
payload_type, mapping_find(payload_type_m, UNKNOWN_PAYLOAD));
|
||||
}
|
||||
|
||||
/* base pointer for output, avoids casting in every rule */
|
||||
output = pld;
|
||||
|
||||
/* parse the payload with its own rulse */
|
||||
pld->get_encoding_rules(pld, &(this->rules), &rule_count);
|
||||
|
||||
for (rule_number = 0; rule_number < rule_count; rule_number++)
|
||||
{
|
||||
rule = &(this->rules[rule_number]);
|
||||
|
@ -974,6 +977,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
|
|||
}
|
||||
break;
|
||||
}
|
||||
case UNKNOWN_PAYLOAD:
|
||||
{
|
||||
size_t unknown_payload_data_length = payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH;
|
||||
if (this->parse_chunk(this, rule_number, output + rule->offset, unknown_payload_data_length) != SUCCESS)
|
||||
{
|
||||
pld->destroy(pld);
|
||||
return PARSE_ERROR;
|
||||
}
|
||||
break;
|
||||
}
|
||||
default:
|
||||
{
|
||||
this->logger->log(this->logger, ERROR, " no rule to parse rule %d %s (%d)", rule_number, mapping_find(encoding_type_m, rule->type), rule->type);
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/**
|
||||
* @file payload.c
|
||||
*
|
||||
* @brief Generic payload interface
|
||||
* @brief Generic constructor to the payload_t interface.
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
@ -122,12 +122,10 @@ payload_t *payload_create(payload_type_t type)
|
|||
return (payload_t*)configuration_attribute_create();
|
||||
case EXTENSIBLE_AUTHENTICATION:
|
||||
return (payload_t*)eap_payload_create();
|
||||
case UNKNOWN_PAYLOAD:
|
||||
return (payload_t*)unknown_payload_create();
|
||||
case ENCRYPTED:
|
||||
return (payload_t*)encryption_payload_create();
|
||||
default:
|
||||
return NULL;
|
||||
return (payload_t*)unknown_payload_create();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/**
|
||||
* @file payload.h
|
||||
*
|
||||
* @brief Generic payload interface.
|
||||
* @brief Interface payload_t.
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
@ -32,8 +32,7 @@
|
|||
typedef enum payload_type_t payload_type_t;
|
||||
|
||||
/**
|
||||
* Payload-Types of a IKEv2-Message.
|
||||
*
|
||||
* @brief Payload-Types of a IKEv2-Message.
|
||||
*
|
||||
* Header and substructures are also defined as
|
||||
* payload types with values from PRIVATE USE space.
|
||||
|
@ -43,87 +42,87 @@ typedef enum payload_type_t payload_type_t;
|
|||
enum payload_type_t{
|
||||
|
||||
/**
|
||||
* NO_PAYLOAD
|
||||
* End of payload list in next_payload
|
||||
*/
|
||||
NO_PAYLOAD = 0,
|
||||
|
||||
/**
|
||||
* SA
|
||||
* The security association (SA) payload containing proposals.
|
||||
*/
|
||||
SECURITY_ASSOCIATION = 33,
|
||||
|
||||
/**
|
||||
* KE
|
||||
* The key exchange (KE) payload containing diffie-hellman values.
|
||||
*/
|
||||
KEY_EXCHANGE = 34,
|
||||
|
||||
/**
|
||||
* IDi
|
||||
* Identification for the original initiator (IDi).
|
||||
*/
|
||||
ID_INITIATOR = 35,
|
||||
|
||||
/**
|
||||
* IDr
|
||||
* Identification for the original responder (IDr).
|
||||
*/
|
||||
ID_RESPONDER = 36,
|
||||
|
||||
/**
|
||||
* CERT
|
||||
* Certificate payload with certificates (CERT).
|
||||
*/
|
||||
CERTIFICATE = 37,
|
||||
|
||||
/**
|
||||
* CERTREQ
|
||||
* Certificate request payload (CERTREQ).
|
||||
*/
|
||||
CERTIFICATE_REQUEST = 38,
|
||||
|
||||
/**
|
||||
* AUTH
|
||||
* Authentication payload contains auth data (AUTH).
|
||||
*/
|
||||
AUTHENTICATION = 39,
|
||||
|
||||
/**
|
||||
* Ni, Nr
|
||||
* Nonces, for initator and responder (Ni, Nr, N)
|
||||
*/
|
||||
NONCE = 40,
|
||||
|
||||
/**
|
||||
* N
|
||||
* Notif paylaod (N).
|
||||
*/
|
||||
NOTIFY = 41,
|
||||
|
||||
/**
|
||||
* D
|
||||
* Delete payload (D)
|
||||
*/
|
||||
DELETE = 42,
|
||||
|
||||
/**
|
||||
* V
|
||||
* Vendor id paylpoad (V).
|
||||
*/
|
||||
VENDOR_ID = 43,
|
||||
|
||||
/**
|
||||
* TSi
|
||||
* Traffic selector for the original initiator (TSi).
|
||||
*/
|
||||
TRAFFIC_SELECTOR_INITIATOR = 44,
|
||||
|
||||
/**
|
||||
* TSr
|
||||
* Traffic selector for the original responser (TSr).
|
||||
*/
|
||||
TRAFFIC_SELECTOR_RESPONDER = 45,
|
||||
|
||||
/**
|
||||
* E
|
||||
* Encryption payload, contains other payloads (E).
|
||||
*/
|
||||
ENCRYPTED = 46,
|
||||
|
||||
/**
|
||||
* CP
|
||||
* Configuration payload (CP).
|
||||
*/
|
||||
CONFIGURATION = 47,
|
||||
|
||||
/**
|
||||
* EAP
|
||||
* Extensible authentication payload (EAP).
|
||||
*/
|
||||
EXTENSIBLE_AUTHENTICATION = 48,
|
||||
|
||||
|
@ -185,8 +184,8 @@ enum payload_type_t{
|
|||
};
|
||||
|
||||
|
||||
/*
|
||||
* Build string mapping array for payload_type_t.
|
||||
/**
|
||||
* String mappings for payload_type_t.
|
||||
*/
|
||||
extern mapping_t payload_type_m[];
|
||||
|
||||
|
@ -194,21 +193,21 @@ extern mapping_t payload_type_m[];
|
|||
typedef struct payload_t payload_t;
|
||||
|
||||
/**
|
||||
* @brief Generic interface for all payload types (inclusive
|
||||
* header and substructures).
|
||||
* @brief Generic interface for all payload types (incl.header and substructures).
|
||||
*
|
||||
* To handle all kinds of payloads on a generic way, this interface must
|
||||
* be implemented by every payload. This allows parser_t/generator_t a simple
|
||||
* handling of all payloads.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - payload_create() with the payload to instanciate.
|
||||
*
|
||||
* @ingroup payloads
|
||||
*/
|
||||
struct payload_t {
|
||||
/**
|
||||
* @brief Destroys a payload and all included substructures.
|
||||
*
|
||||
* @param this payload to destroy
|
||||
*/
|
||||
void (*destroy) (payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Get encoding rules for this payload
|
||||
* @brief Get encoding rules for this payload.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param[out] rules location to store pointer of first rule
|
||||
|
@ -217,7 +216,7 @@ struct payload_t {
|
|||
void (*get_encoding_rules) (payload_t *this, encoding_rule_t **rules, size_t *rule_count);
|
||||
|
||||
/**
|
||||
* @brief get type of payload
|
||||
* @brief Get type of payload.
|
||||
*
|
||||
* @param this calling object
|
||||
* @return type of this payload
|
||||
|
@ -225,7 +224,7 @@ struct payload_t {
|
|||
payload_type_t (*get_type) (payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief get type of next payload or zero if this is the last one
|
||||
* @brief Get type of next payload or NO_PAYLOAD (0) if this is the last one.
|
||||
*
|
||||
* @param this calling object
|
||||
* @return type of next payload
|
||||
|
@ -233,7 +232,7 @@ struct payload_t {
|
|||
payload_type_t (*get_next_type) (payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief set type of next payload
|
||||
* @brief Set type of next payload.
|
||||
*
|
||||
* @param this calling object
|
||||
* @param type type of next payload
|
||||
|
@ -241,7 +240,7 @@ struct payload_t {
|
|||
void (*set_next_type) (payload_t *this,payload_type_t type);
|
||||
|
||||
/**
|
||||
* @brief get length of payload
|
||||
* @brief Get length of payload.
|
||||
*
|
||||
* @param this calling object
|
||||
* @return length of this payload
|
||||
|
@ -249,7 +248,7 @@ struct payload_t {
|
|||
size_t (*get_length) (payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Verifies payload structure and makes consistence check
|
||||
* @brief Verifies payload structure and makes consistence check.
|
||||
*
|
||||
* @param this calling object
|
||||
* @return
|
||||
|
@ -257,18 +256,25 @@ struct payload_t {
|
|||
* - FAILED if consistence not given
|
||||
*/
|
||||
status_t (*verify) (payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Destroys a payload and all included substructures.
|
||||
*
|
||||
* @param this payload to destroy
|
||||
*/
|
||||
void (*destroy) (payload_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief Create an empty payload.
|
||||
*
|
||||
* Useful for the parser, who wants a generic constructor for all payloads.
|
||||
* It supports all payload_t methods.
|
||||
* It supports all payload_t methods. If a payload type is not known,
|
||||
* an unknwon_paylod is created with the chunk of data in it.
|
||||
*
|
||||
* @param type type of the payload to create
|
||||
* @return created payload
|
||||
*/
|
||||
|
||||
payload_t *payload_create(payload_type_t type);
|
||||
|
||||
#endif /*PAYLOAD_H_*/
|
||||
|
|
|
@ -29,9 +29,9 @@ typedef struct private_unknown_payload_t private_unknown_payload_t;
|
|||
|
||||
/**
|
||||
* Private data of an unknown_payload_t object.
|
||||
*
|
||||
*/
|
||||
struct private_unknown_payload_t {
|
||||
|
||||
/**
|
||||
* Public unknown_payload_t interface.
|
||||
*/
|
||||
|
@ -40,7 +40,7 @@ struct private_unknown_payload_t {
|
|||
/**
|
||||
* Next payload type.
|
||||
*/
|
||||
u_int8_t next_payload;
|
||||
u_int8_t next_payload;
|
||||
|
||||
/**
|
||||
* Critical flag.
|
||||
|
@ -52,11 +52,6 @@ struct private_unknown_payload_t {
|
|||
*/
|
||||
u_int16_t payload_length;
|
||||
|
||||
/**
|
||||
* Type of this payload.
|
||||
*/
|
||||
payload_type_t payload_type;
|
||||
|
||||
/**
|
||||
* The contained data.
|
||||
*/
|
||||
|
@ -64,7 +59,7 @@ struct private_unknown_payload_t {
|
|||
};
|
||||
|
||||
/**
|
||||
* Encoding rules to parse or generate a EAP payload.
|
||||
* Encoding rules to parse an payload which is not further specified.
|
||||
*
|
||||
* The defined offsets are the positions in a object of type
|
||||
* private_unknown_payload_t.
|
||||
|
@ -86,7 +81,7 @@ encoding_rule_t unknown_payload_encodings[] = {
|
|||
/* Length of the whole payload*/
|
||||
{ PAYLOAD_LENGTH, offsetof(private_unknown_payload_t, payload_length)},
|
||||
/* some unknown data bytes, length is defined in PAYLOAD_LENGTH */
|
||||
{ UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) }
|
||||
{ UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) }
|
||||
};
|
||||
|
||||
/*
|
||||
|
@ -110,7 +105,7 @@ static status_t verify(private_unknown_payload_t *this)
|
|||
}
|
||||
|
||||
/**
|
||||
* Implementation of unknown_payload_t.get_encoding_rules.
|
||||
* Implementation of payload_t.get_encoding_rules.
|
||||
*/
|
||||
static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
|
||||
{
|
||||
|
@ -142,22 +137,6 @@ static void set_next_type(private_unknown_payload_t *this,payload_type_t type)
|
|||
this->next_payload = type;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of unknown_payload_t.set_real_type.
|
||||
*/
|
||||
static void set_real_type(private_unknown_payload_t *this,payload_type_t type)
|
||||
{
|
||||
this->payload_type = type;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of unknown_payload_t.get_real_type.
|
||||
*/
|
||||
static payload_type_t get_real_type(private_unknown_payload_t *this)
|
||||
{
|
||||
return this->payload_type;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of payload_t.get_length.
|
||||
*/
|
||||
|
@ -167,17 +146,11 @@ static size_t get_length(private_unknown_payload_t *this)
|
|||
}
|
||||
|
||||
/**
|
||||
* Implementation of unknown_payload_t.set_data.
|
||||
* Implementation of unknown_payload_t.get_data.
|
||||
*/
|
||||
static void set_data (private_unknown_payload_t *this, chunk_t data)
|
||||
static bool is_critical(private_unknown_payload_t *this)
|
||||
{
|
||||
if (this->data.ptr != NULL)
|
||||
{
|
||||
allocator_free_chunk(&(this->data));
|
||||
}
|
||||
this->data.ptr = allocator_clone_bytes(data.ptr,data.len);
|
||||
this->data.len = data.len;
|
||||
this->payload_length = DEFAULT_PAYLOAD_HEADER_LENGTH + this->data.len;
|
||||
return this->critical;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -188,21 +161,6 @@ static chunk_t get_data (private_unknown_payload_t *this)
|
|||
return (this->data);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of unknown_payload_t.get_data_clone.
|
||||
*/
|
||||
static chunk_t get_data_clone (private_unknown_payload_t *this)
|
||||
{
|
||||
chunk_t cloned_data;
|
||||
if (this->data.ptr == NULL)
|
||||
{
|
||||
return (this->data);
|
||||
}
|
||||
cloned_data.ptr = allocator_clone_bytes(this->data.ptr,this->data.len);
|
||||
cloned_data.len = this->data.len;
|
||||
return cloned_data;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of payload_t.destroy and unknown_payload_t.destroy.
|
||||
*/
|
||||
|
@ -234,17 +192,13 @@ unknown_payload_t *unknown_payload_create()
|
|||
|
||||
/* public functions */
|
||||
this->public.destroy = (void (*) (unknown_payload_t *)) destroy;
|
||||
this->public.set_real_type = (void (*) (unknown_payload_t *,payload_type_t)) set_real_type;
|
||||
this->public.get_real_type = (payload_type_t (*) (unknown_payload_t *)) get_real_type;
|
||||
this->public.set_data = (void (*) (unknown_payload_t *,chunk_t)) set_data;
|
||||
this->public.get_data_clone = (chunk_t (*) (unknown_payload_t *)) get_data_clone;
|
||||
this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical;
|
||||
this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data;
|
||||
|
||||
/* private variables */
|
||||
this->critical = FALSE;
|
||||
this->next_payload = NO_PAYLOAD;
|
||||
this->payload_type = NO_PAYLOAD;
|
||||
this->payload_length = DEFAULT_PAYLOAD_HEADER_LENGTH;
|
||||
this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH;
|
||||
this->data = CHUNK_INITIALIZER;
|
||||
|
||||
return (&(this->public));
|
||||
|
|
|
@ -27,73 +27,52 @@
|
|||
#include <encoding/payloads/payload.h>
|
||||
|
||||
/**
|
||||
* Length of a default payload header.
|
||||
* Header length of the unknown payload.
|
||||
*
|
||||
* @ingroup payloads
|
||||
*/
|
||||
#define DEFAULT_PAYLOAD_HEADER_LENGTH 4
|
||||
#define UNKNOWN_PAYLOAD_HEADER_LENGTH 4
|
||||
|
||||
|
||||
typedef struct unknown_payload_t unknown_payload_t;
|
||||
|
||||
/**
|
||||
* Object representing an unknown IKEv2 payload.
|
||||
* @brief Payload which can't be processed further.
|
||||
*
|
||||
* When the parser finds an unknown payload, he builds an instance of
|
||||
* this class. This allows further processing of this payload, such as
|
||||
* a check for the critical bit in the header.
|
||||
*
|
||||
* @b Constructors:
|
||||
* - unknown_payload_create()
|
||||
*
|
||||
* @ingroup payloads
|
||||
*
|
||||
*/
|
||||
struct unknown_payload_t {
|
||||
|
||||
/**
|
||||
* The payload_t interface.
|
||||
*/
|
||||
payload_t payload_interface;
|
||||
|
||||
/**
|
||||
* @brief Set the Data of the unknown payload.
|
||||
* @brief Get the raw data of this payload, without
|
||||
* the generic payload header.
|
||||
*
|
||||
* Data are getting cloned.
|
||||
*
|
||||
* @param this calling unknown_payload_t object
|
||||
* @param data data following the header as chunk_t
|
||||
*/
|
||||
void (*set_data) (unknown_payload_t *this, chunk_t data);
|
||||
|
||||
/**
|
||||
* @brief Get the data of the message.
|
||||
*
|
||||
* Returned data are a copy of the internal one.
|
||||
*
|
||||
* @param this calling unknown_payload_t object
|
||||
* @return data as chunk_t
|
||||
*/
|
||||
chunk_t (*get_data_clone) (unknown_payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Get the data of the message.
|
||||
*
|
||||
* Returned data are NOT copied.
|
||||
* Returned data are NOT copied and must not be freed.
|
||||
*
|
||||
* @param this calling unknown_payload_t object
|
||||
* @return data as chunk_t
|
||||
*/
|
||||
chunk_t (*get_data) (unknown_payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Set the real Type of this payload.
|
||||
*
|
||||
* @param this calling unknown_payload_t object
|
||||
* @param type real type of this payload.
|
||||
*/
|
||||
|
||||
void (*set_real_type) (unknown_payload_t *this,payload_type_t type);
|
||||
|
||||
/**
|
||||
* @brief Get the real Type of this payload.
|
||||
* @brief Get the critical flag.
|
||||
*
|
||||
* @param this calling unknown_payload_t object
|
||||
* @return real type of this payload.
|
||||
* @param this calling unknown_payload_t object
|
||||
* @return TRUE if payload is critical, FALSE if not
|
||||
*/
|
||||
payload_type_t (*get_real_type) (unknown_payload_t *this);
|
||||
bool (*is_critical) (unknown_payload_t *this);
|
||||
|
||||
/**
|
||||
* @brief Destroys an unknown_payload_t object.
|
||||
|
|
Loading…
Reference in New Issue