|
|
|
|
@ -125,13 +125,13 @@ static supported_payload_entry_t supported_ike_sa_init_r_payloads[] =
|
|
|
|
|
static supported_payload_entry_t supported_ike_auth_i_payloads[] =
|
|
|
|
|
{
|
|
|
|
|
{ID_INITIATOR,1,1,TRUE},
|
|
|
|
|
/* {CERTIFICATE,0,1,TRUE},
|
|
|
|
|
{CERTIFICATE,0,1,TRUE},
|
|
|
|
|
{CERTIFICATE_REQUEST,0,1,TRUE},
|
|
|
|
|
{ID_RESPONDER,0,1,TRUE},*/
|
|
|
|
|
{ID_RESPONDER,0,1,TRUE},
|
|
|
|
|
{AUTHENTICATION,1,1,TRUE},
|
|
|
|
|
/* {SECURITY_ASSOCIATION,1,1,TRUE},
|
|
|
|
|
{SECURITY_ASSOCIATION,1,1,TRUE},
|
|
|
|
|
{TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
|
|
|
|
|
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},*/
|
|
|
|
|
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -141,10 +141,10 @@ static supported_payload_entry_t supported_ike_auth_r_payloads[] =
|
|
|
|
|
{
|
|
|
|
|
{CERTIFICATE,0,1,TRUE},
|
|
|
|
|
{ID_RESPONDER,0,1,TRUE},
|
|
|
|
|
/* {AUTHENTICATION,1,1,TRUE},
|
|
|
|
|
{AUTHENTICATION,1,1,TRUE},
|
|
|
|
|
{SECURITY_ASSOCIATION,1,1,TRUE},
|
|
|
|
|
{TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE},
|
|
|
|
|
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},*/
|
|
|
|
|
{TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -207,7 +207,6 @@ struct private_message_t {
|
|
|
|
|
*/
|
|
|
|
|
exchange_type_t exchange_type;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* TRUE if message is request.
|
|
|
|
|
* FALSE if message is reply.
|
|
|
|
|
@ -247,37 +246,53 @@ struct private_message_t {
|
|
|
|
|
logger_t *logger;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Gets a list of supported payloads of this message type
|
|
|
|
|
* Gets a list of supported payloads of this message type.
|
|
|
|
|
*
|
|
|
|
|
* @param this calling object
|
|
|
|
|
* @param[out] message_rule pointer is set to the message_rule of current message type
|
|
|
|
|
* @param this calling object
|
|
|
|
|
* @param[out] message_rule pointer is set to the message_rule
|
|
|
|
|
* of current message type
|
|
|
|
|
*
|
|
|
|
|
* @return
|
|
|
|
|
* - SUCCESS
|
|
|
|
|
* - NOT_FOUND if no message rule
|
|
|
|
|
* for specific message type could be found
|
|
|
|
|
* - SUCCESS
|
|
|
|
|
* - NOT_FOUND if no message rule
|
|
|
|
|
* for specific message type could be found
|
|
|
|
|
*/
|
|
|
|
|
status_t (*get_message_rule) (private_message_t *this, message_rule_t **message_rule);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Gets the supported_payload_entry_t for a specific message_rule_t and payload type.
|
|
|
|
|
*
|
|
|
|
|
* @param this calling object
|
|
|
|
|
* @param message_rule message rule
|
|
|
|
|
* @param payload_type payload type
|
|
|
|
|
* @param[out] payload_entry returned payload_entry_t
|
|
|
|
|
*
|
|
|
|
|
* @return
|
|
|
|
|
* - SUCCESS
|
|
|
|
|
* - NOT_FOUND if no message rule
|
|
|
|
|
* for specific message type could be found
|
|
|
|
|
*/
|
|
|
|
|
status_t (*get_supported_payload_entry) (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Encrypts all payloads which has to get encrypted.
|
|
|
|
|
*
|
|
|
|
|
* @param this calling object
|
|
|
|
|
* Can also be called with messages not containing encrypted content.
|
|
|
|
|
*
|
|
|
|
|
* @param this calling object
|
|
|
|
|
* @param crypter crypter_t object
|
|
|
|
|
* @param signer signer_t object
|
|
|
|
|
*/
|
|
|
|
|
status_t (*encrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Decrypts all payloads which has to get decrypted.
|
|
|
|
|
* Decrypts encrypted contents and also verifies all payloads.
|
|
|
|
|
*
|
|
|
|
|
* @param this calling object
|
|
|
|
|
* @param crypter crypter_t object
|
|
|
|
|
* @param signer signer_t object
|
|
|
|
|
*/
|
|
|
|
|
status_t (*decrypt_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
|
|
|
|
|
status_t (*decrypt_and_verify_payloads) (private_message_t *this,crypter_t *crypter, signer_t* signer);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -302,6 +317,9 @@ static status_t get_message_rule (private_message_t *this, message_rule_t **mes
|
|
|
|
|
return NOT_FOUND;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of private_message_t.get_supported_payload_entry.
|
|
|
|
|
*/
|
|
|
|
|
static status_t get_supported_payload_entry (private_message_t *this, message_rule_t *message_rule,payload_type_t payload_type, supported_payload_entry_t **payload_entry)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
@ -447,10 +465,8 @@ static void add_payload(private_message_t *this, payload_t *payload)
|
|
|
|
|
payload->set_next_type(payload, NO_PAYLOAD);
|
|
|
|
|
this->payloads->insert_last(this->payloads, (void*)payload);
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MORE, "added payload of type %s to message",
|
|
|
|
|
mapping_find(payload_type_m, payload->get_type(payload)));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MORE, "Added payload of type %s to message",
|
|
|
|
|
mapping_find(payload_type_m, payload->get_type(payload)));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -480,17 +496,17 @@ static void set_destination(private_message_t *this, host_t *host)
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of message_t.get_source.
|
|
|
|
|
*/
|
|
|
|
|
static void get_source(private_message_t *this, host_t **host)
|
|
|
|
|
static host_t* get_source(private_message_t *this)
|
|
|
|
|
{
|
|
|
|
|
*host = this->packet->source;
|
|
|
|
|
return this->packet->source;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of message_t.get_destination.
|
|
|
|
|
*/
|
|
|
|
|
static void get_destination(private_message_t *this, host_t **host)
|
|
|
|
|
static host_t * get_destination(private_message_t *this)
|
|
|
|
|
{
|
|
|
|
|
*host = this->packet->destination;
|
|
|
|
|
return this->packet->destination;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -511,29 +527,39 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
|
|
|
|
|
ike_header_t *ike_header;
|
|
|
|
|
payload_t *payload, *next_payload;
|
|
|
|
|
iterator_t *iterator;
|
|
|
|
|
message_rule_t *message_rule;
|
|
|
|
|
status_t status;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "generating message, contains %d payloads",
|
|
|
|
|
this->payloads->get_count(this->payloads));
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "Generating message of type %s, contains %d payloads",
|
|
|
|
|
mapping_find(exchange_type_m,this->exchange_type),
|
|
|
|
|
this->payloads->get_count(this->payloads));
|
|
|
|
|
|
|
|
|
|
if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "exchange type is not defined");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Exchange type %s is not defined",mapping_find(exchange_type_m,this->exchange_type));
|
|
|
|
|
return INVALID_STATE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
status = this->get_message_rule(this, &message_rule);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
|
|
|
|
|
mapping_find(exchange_type_m,this->exchange_type));
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (this->packet->source == NULL ||
|
|
|
|
|
this->packet->destination == NULL)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "source/destination not defined");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Source/destination not defined");
|
|
|
|
|
return INVALID_STATE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* going to encrypt all content which have to be encrypted */
|
|
|
|
|
status = this->encrypt_payloads(this,crypter,signer);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Could not encrypt payloads");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Could not encrypt payloads");
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -547,41 +573,42 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
|
|
|
|
|
ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
|
|
|
|
|
ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
generator = generator_create();
|
|
|
|
|
|
|
|
|
|
payload = (payload_t*)ike_header;
|
|
|
|
|
|
|
|
|
|
iterator = this->payloads->create_iterator(this->payloads, TRUE);
|
|
|
|
|
|
|
|
|
|
/* generate every payload, except last one */
|
|
|
|
|
/* generate every payload expect last one*/
|
|
|
|
|
while(iterator->has_next(iterator))
|
|
|
|
|
{
|
|
|
|
|
iterator->current(iterator, (void**)&next_payload);
|
|
|
|
|
payload->set_next_type(payload, next_payload->get_type(next_payload));
|
|
|
|
|
generator->generate_payload(generator, payload);
|
|
|
|
|
|
|
|
|
|
payload = next_payload;
|
|
|
|
|
}
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
|
|
|
|
|
/* build last payload */
|
|
|
|
|
/* last payload has no next payload*/
|
|
|
|
|
payload->set_next_type(payload, NO_PAYLOAD);
|
|
|
|
|
|
|
|
|
|
generator->generate_payload(generator, payload);
|
|
|
|
|
|
|
|
|
|
ike_header->destroy(ike_header);
|
|
|
|
|
|
|
|
|
|
/* build packet */
|
|
|
|
|
if (this->packet->data.ptr != NULL)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Replace last generated packet data");
|
|
|
|
|
allocator_free(this->packet->data.ptr);
|
|
|
|
|
}
|
|
|
|
|
generator->write_to_chunk(generator, &(this->packet->data));
|
|
|
|
|
generator->destroy(generator);
|
|
|
|
|
|
|
|
|
|
/* append integrity checksum if necessary */
|
|
|
|
|
/* if last payload is of type encrypted, integrity checksum if necessary */
|
|
|
|
|
if (payload->get_type(payload) == ENCRYPTED)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MORE, "Build signature on whole message");
|
|
|
|
|
encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
|
|
|
|
|
status = encryption_payload->build_signature(encryption_payload, this->packet->data);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
@ -593,12 +620,12 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
|
|
|
|
|
/* clone packet for caller */
|
|
|
|
|
*packet = this->packet->clone(this->packet);
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "message generated successfully");
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "Message of type %s generated successfully",mapping_find(exchange_type_m,this->exchange_type));
|
|
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implements message_t.parse_header.
|
|
|
|
|
* Implementation of message_t.parse_header.
|
|
|
|
|
*/
|
|
|
|
|
static status_t parse_header(private_message_t *this)
|
|
|
|
|
{
|
|
|
|
|
@ -606,13 +633,13 @@ static status_t parse_header(private_message_t *this)
|
|
|
|
|
status_t status;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "parsing header of message");
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "parsing Header of message");
|
|
|
|
|
|
|
|
|
|
this->parser->reset_context(this->parser);
|
|
|
|
|
status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Header could not be parsed");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Header could not be parsed");
|
|
|
|
|
return status;
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
@ -621,7 +648,7 @@ static status_t parse_header(private_message_t *this)
|
|
|
|
|
status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Header verification failed");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Header verification failed");
|
|
|
|
|
ike_header->destroy(ike_header);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
@ -643,63 +670,69 @@ static status_t parse_header(private_message_t *this)
|
|
|
|
|
this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "parsing header successfully");
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "Parsing and verification of header successfully");
|
|
|
|
|
|
|
|
|
|
ike_header->destroy(ike_header);
|
|
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implements message_t.parse_body.
|
|
|
|
|
* Implementation of message_t.parse_body.
|
|
|
|
|
*/
|
|
|
|
|
static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
|
|
|
|
|
{
|
|
|
|
|
status_t status = SUCCESS;
|
|
|
|
|
payload_type_t current_payload_type = this->first_payload;
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "parsing body of message, first payload %s",
|
|
|
|
|
mapping_find(payload_type_m, current_payload_type));
|
|
|
|
|
this->logger->log(this->logger, CONTROL, "Parsing body of message, first payload %s",
|
|
|
|
|
mapping_find(payload_type_m, current_payload_type));
|
|
|
|
|
|
|
|
|
|
while ((current_payload_type != NO_PAYLOAD))
|
|
|
|
|
{
|
|
|
|
|
payload_t *current_payload;
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MORE, "start parsing payload of type %s",
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MORE, "Start parsing payload of type %s",
|
|
|
|
|
mapping_find(payload_type_m, current_payload_type));
|
|
|
|
|
|
|
|
|
|
status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) ¤t_payload);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "payload type %s could not be parsed",mapping_find(payload_type_m,current_payload_type));
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Payload type %s could not be parsed",mapping_find(payload_type_m,current_payload_type));
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MOST, "Verify payload of type %s",
|
|
|
|
|
mapping_find(payload_type_m, current_payload_type));
|
|
|
|
|
|
|
|
|
|
status = current_payload->verify(current_payload);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "payload type %s could not be verified",mapping_find(payload_type_m,current_payload_type));
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Payload type %s could not be verified",mapping_find(payload_type_m,current_payload_type));
|
|
|
|
|
current_payload->destroy(current_payload);
|
|
|
|
|
status = VERIFY_ERROR;
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MOST, "Payload verified. Adding to payload list",
|
|
|
|
|
mapping_find(payload_type_m, current_payload_type));
|
|
|
|
|
this->payloads->insert_last(this->payloads,current_payload);
|
|
|
|
|
|
|
|
|
|
/* stop if an encryptino payload found */
|
|
|
|
|
/* stop if an encryption payload found */
|
|
|
|
|
if (current_payload_type == ENCRYPTED)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MOST, "Payload of type encrypted found. Stop parsing.",
|
|
|
|
|
mapping_find(payload_type_m, current_payload_type));
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* get next payload type */
|
|
|
|
|
current_payload_type = current_payload->get_next_type(current_payload);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
status = this->decrypt_payloads(this,crypter,signer);
|
|
|
|
|
|
|
|
|
|
status = this->decrypt_and_verify_payloads(this,crypter,signer);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Could not decrypt payloads");
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Could not decrypt and verify payloads");
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -708,7 +741,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* implements message_t.verify
|
|
|
|
|
* Implementation of message_t.verify.
|
|
|
|
|
*/
|
|
|
|
|
static status_t verify(private_message_t *this)
|
|
|
|
|
{
|
|
|
|
|
@ -717,12 +750,13 @@ static status_t verify(private_message_t *this)
|
|
|
|
|
iterator_t *iterator;
|
|
|
|
|
message_rule_t *message_rule;
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MORE, "verifying message");
|
|
|
|
|
this->logger->log(this->logger, CONTROL|MORE, "Verifying message structure");
|
|
|
|
|
|
|
|
|
|
status = this->get_message_rule(this, &message_rule);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Message rule could not be retrieved");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
|
|
|
|
|
mapping_find(exchange_type_m,this->exchange_type));
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -730,37 +764,37 @@ static status_t verify(private_message_t *this)
|
|
|
|
|
/* check for payloads with wrong count*/
|
|
|
|
|
for (i = 0; i < message_rule->supported_payloads_count;i++)
|
|
|
|
|
{
|
|
|
|
|
size_t min_occurence = message_rule->supported_payloads[i].min_occurence;
|
|
|
|
|
size_t max_occurence = message_rule->supported_payloads[i].max_occurence;
|
|
|
|
|
payload_type_t payload_type = message_rule->supported_payloads[i].payload_type;
|
|
|
|
|
size_t found_payloads = 0;
|
|
|
|
|
|
|
|
|
|
/* check all payloads for specific rule */
|
|
|
|
|
iterator->reset(iterator);
|
|
|
|
|
|
|
|
|
|
while(iterator->has_next(iterator))
|
|
|
|
|
{
|
|
|
|
|
payload_t *current_payload;
|
|
|
|
|
iterator->current(iterator,(void **)¤t_payload);
|
|
|
|
|
|
|
|
|
|
if (current_payload->get_type(current_payload) == payload_type)
|
|
|
|
|
if (current_payload->get_type(current_payload) == message_rule->supported_payloads[i].payload_type)
|
|
|
|
|
{
|
|
|
|
|
found_payloads++;
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Found payload of type %s",
|
|
|
|
|
mapping_find(payload_type_m,payload_type));
|
|
|
|
|
mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type));
|
|
|
|
|
|
|
|
|
|
if (found_payloads > max_occurence)
|
|
|
|
|
/* as soon as ohe payload occures more then specified, the verification fails */
|
|
|
|
|
if (found_payloads > message_rule->supported_payloads[i].max_occurence)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Payload of type %s more than %d times (%d) occured in current message",
|
|
|
|
|
mapping_find(payload_type_m,current_payload->get_type(current_payload)),max_occurence,found_payloads);
|
|
|
|
|
mapping_find(payload_type_m,current_payload->get_type(current_payload)),
|
|
|
|
|
message_rule->supported_payloads[i].max_occurence,found_payloads);
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
return NOT_SUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (found_payloads < min_occurence)
|
|
|
|
|
if (found_payloads < message_rule->supported_payloads[i].min_occurence)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times",
|
|
|
|
|
mapping_find(payload_type_m,payload_type),min_occurence);
|
|
|
|
|
this->logger->log(this->logger, ERROR, "Payload of type %s not occured %d times (%d)",
|
|
|
|
|
mapping_find(payload_type_m,message_rule->supported_payloads[i].payload_type),
|
|
|
|
|
message_rule->supported_payloads[i].min_occurence,found_payloads);
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
return NOT_SUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
@ -771,36 +805,42 @@ static status_t verify(private_message_t *this)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of private_message_t.decrypt_and_verify_payloads.
|
|
|
|
|
*/
|
|
|
|
|
static status_t decrypt_and_verify_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
|
|
|
|
|
{
|
|
|
|
|
bool current_payload_was_encrypted = FALSE;
|
|
|
|
|
status_t status;
|
|
|
|
|
message_rule_t *message_rule;
|
|
|
|
|
iterator_t *iterator;
|
|
|
|
|
int payload_number = 1;
|
|
|
|
|
payload_t *last_payload = NULL;
|
|
|
|
|
message_rule_t *message_rule;
|
|
|
|
|
int payload_number = 1;
|
|
|
|
|
iterator_t *iterator;
|
|
|
|
|
status_t status;
|
|
|
|
|
|
|
|
|
|
status = this->get_message_rule(this, &message_rule);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "No message rule for current message type");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
|
|
|
|
|
mapping_find(exchange_type_m,this->exchange_type));
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
iterator = this->payloads->create_iterator(this->payloads,TRUE);
|
|
|
|
|
|
|
|
|
|
/* process each payload and decrypt a encryption payload */
|
|
|
|
|
while(iterator->has_next(iterator))
|
|
|
|
|
{
|
|
|
|
|
payload_t *current_payload;
|
|
|
|
|
supported_payload_entry_t *supported_payload_entry;
|
|
|
|
|
payload_type_t current_payload_type;
|
|
|
|
|
supported_payload_entry_t *payload_entry;
|
|
|
|
|
payload_t *current_payload;
|
|
|
|
|
|
|
|
|
|
/* get current payload */
|
|
|
|
|
iterator->current(iterator,(void **)¤t_payload);
|
|
|
|
|
|
|
|
|
|
/* needed to check */
|
|
|
|
|
current_payload_type = current_payload->get_type(current_payload);
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Process payload of type %s.",mapping_find(payload_type_m,current_payload_type));
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Process payload of type %s",mapping_find(payload_type_m,current_payload_type));
|
|
|
|
|
|
|
|
|
|
if (current_payload_type == ENCRYPTED)
|
|
|
|
|
{
|
|
|
|
|
@ -820,7 +860,7 @@ static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
|
|
|
|
|
if (payload_number != this->payloads->get_count(this->payloads))
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last one");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Encrypted payload is not last payload");
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
/* encrypted payload is not last one */
|
|
|
|
|
return FAILED;
|
|
|
|
|
@ -830,39 +870,48 @@ static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
|
|
|
|
|
/* encrypt payload */
|
|
|
|
|
encryption_payload->set_transforms(encryption_payload, crypter, signer);
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MORE, "Verify signature of encryption payload");
|
|
|
|
|
status = encryption_payload->verify_signature(encryption_payload, this->packet->data);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "encryption payload signature invalid");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "encryption payload signature invalid");
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MORE, "Decrypt content of encryption payload");
|
|
|
|
|
status = encryption_payload->decrypt(encryption_payload);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR, "parsing decrypted encryption payload failed");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Encrypted payload could not be decrypted and parsed");
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* needed to later find out if a payload has to be encrypted or not */
|
|
|
|
|
current_payload_was_encrypted = TRUE;
|
|
|
|
|
|
|
|
|
|
if (encryption_payload->get_payload_count(encryption_payload) == 0)
|
|
|
|
|
{
|
|
|
|
|
iterator->remove(iterator);
|
|
|
|
|
encryption_payload->destroy(encryption_payload);
|
|
|
|
|
/* encrypted payload contains no other payload */
|
|
|
|
|
current_payload_type = NO_PAYLOAD;
|
|
|
|
|
if (last_payload == NULL)
|
|
|
|
|
{
|
|
|
|
|
/* encrypted content was the only payload in IKEv2-Message
|
|
|
|
|
* Set the first payload to the first payload of encrypted ones */
|
|
|
|
|
this->first_payload = current_payload_type;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* another payload was here before the encrypted content
|
|
|
|
|
* Set the next payload of proceeding payload
|
|
|
|
|
* to the first payload of encrypted ones */
|
|
|
|
|
last_payload->set_next_type(last_payload,current_payload_type);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* encryption_payload is replaced with first encrypted payload*/
|
|
|
|
|
encryption_payload->remove_first_payload(encryption_payload, ¤t_encrypted_payload);
|
|
|
|
|
|
|
|
|
|
@ -872,10 +921,15 @@ static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
|
|
|
|
|
if (last_payload == NULL)
|
|
|
|
|
{
|
|
|
|
|
/* encrypted content was the only payload in IKEv2-Message
|
|
|
|
|
* Set the first payload to the first payload of encrypted ones */
|
|
|
|
|
this->first_payload = current_payload_type;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* another payload was here before the encrypted content
|
|
|
|
|
* Set the next payload of proceeding payload
|
|
|
|
|
* to the first payload of encrypted ones */
|
|
|
|
|
last_payload->set_next_type(last_payload,current_payload_type);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -887,12 +941,14 @@ static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
this->payloads->insert_last(this->payloads,current_encrypted_payload);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* encryption payload is not needed anymore cause all payloads are
|
|
|
|
|
* moved to internal payload list */
|
|
|
|
|
encryption_payload->destroy(encryption_payload);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
status = this->get_supported_payload_entry(this,message_rule,current_payload_type,&payload_entry);
|
|
|
|
|
|
|
|
|
|
status = this->get_supported_payload_entry(this,message_rule,current_payload_type,&supported_payload_entry);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
/* payload type not supported */
|
|
|
|
|
@ -901,38 +957,41 @@ static status_t decrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (payload_entry->encrypted != current_payload_was_encrypted)
|
|
|
|
|
if (supported_payload_entry->encrypted != current_payload_was_encrypted)
|
|
|
|
|
{
|
|
|
|
|
/* payload type not supported */
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Payload type %s should be %s!",
|
|
|
|
|
mapping_find(payload_type_m,current_payload_type),
|
|
|
|
|
(payload_entry->encrypted) ? "encrypted": "not encrypted");
|
|
|
|
|
(supported_payload_entry->encrypted) ? "encrypted": "not encrypted");
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
payload_number++;
|
|
|
|
|
/* is stored to set next payload in case of found encryption payload */
|
|
|
|
|
last_payload = current_payload;
|
|
|
|
|
}
|
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
|
|
|
|
|
return this->public.verify(&(this->public));
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implementation of private_message_t.encrypt_payloads.
|
|
|
|
|
*/
|
|
|
|
|
static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
|
|
|
|
|
{
|
|
|
|
|
status_t status;
|
|
|
|
|
message_rule_t *message_rule;
|
|
|
|
|
encryption_payload_t *encryption_payload = NULL;
|
|
|
|
|
message_rule_t *message_rule;
|
|
|
|
|
status_t status;
|
|
|
|
|
linked_list_t *all_payloads;
|
|
|
|
|
|
|
|
|
|
status = this->get_message_rule(this, &message_rule);
|
|
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "No message rule for this message type");
|
|
|
|
|
this->logger->log(this->logger, ERROR | MORE, "Message rule could not be found for exchange type %s",
|
|
|
|
|
mapping_find(exchange_type_m,this->exchange_type));
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!message_rule->encrypted_content)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MORE, "Message doesn't have to be encrypted");
|
|
|
|
|
@ -940,6 +999,7 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Copy all payloads to a temporary list");
|
|
|
|
|
all_payloads = linked_list_create();
|
|
|
|
|
|
|
|
|
|
/* first copy all payloads in a temporary list */
|
|
|
|
|
@ -949,22 +1009,32 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
this->payloads->remove_first(this->payloads,¤t_payload);
|
|
|
|
|
all_payloads->insert_last(all_payloads,current_payload);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Check each payloads if they have to get encrypted");
|
|
|
|
|
while (all_payloads->get_count(all_payloads) > 0)
|
|
|
|
|
{
|
|
|
|
|
supported_payload_entry_t *supported_payload_entry;
|
|
|
|
|
payload_t *current_payload;
|
|
|
|
|
bool to_encrypt = FALSE;
|
|
|
|
|
supported_payload_entry_t *supported_payload_entry;
|
|
|
|
|
|
|
|
|
|
all_payloads->remove_first(all_payloads,(void **)¤t_payload);
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Get rule for payload %s", mapping_find(payload_type_m,current_payload->get_type(current_payload)));
|
|
|
|
|
|
|
|
|
|
status = this->get_supported_payload_entry(this,message_rule,current_payload->get_type(current_payload),&supported_payload_entry);
|
|
|
|
|
/* for payload types which are not found in supported payload list, it is presumed
|
|
|
|
|
* that they don't have to be encrypted */
|
|
|
|
|
if ((status == SUCCESS) && (supported_payload_entry->encrypted))
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Payload %s has to get encrypted",
|
|
|
|
|
mapping_find(payload_type_m,current_payload->get_type(current_payload)));
|
|
|
|
|
to_encrypt = TRUE;
|
|
|
|
|
}
|
|
|
|
|
else if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Payload %s not defined for exchange type %s. Handle it anyway",
|
|
|
|
|
mapping_find(payload_type_m,current_payload->get_type(current_payload)),
|
|
|
|
|
mapping_find(exchange_type_m,this->exchange_type));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (to_encrypt)
|
|
|
|
|
{
|
|
|
|
|
@ -972,10 +1042,15 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
{
|
|
|
|
|
encryption_payload = encryption_payload_create();
|
|
|
|
|
}
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Insert payload %s to encryption payload",
|
|
|
|
|
mapping_find(payload_type_m,current_payload->get_type(current_payload)));
|
|
|
|
|
|
|
|
|
|
encryption_payload->add_payload(encryption_payload,current_payload);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Insert payload %s as payload wich does not have to be encrypted",
|
|
|
|
|
mapping_find(payload_type_m,current_payload->get_type(current_payload)));
|
|
|
|
|
this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@ -983,8 +1058,11 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
status = SUCCESS;
|
|
|
|
|
if (encryption_payload != NULL)
|
|
|
|
|
{
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Set transforms for encryption payload ");
|
|
|
|
|
encryption_payload->set_transforms(encryption_payload,crypter,signer);
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MORE, "Encrypt all payloads of encrypted payload");
|
|
|
|
|
status = encryption_payload->encrypt(encryption_payload);
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Add encrypted payload to payload list");
|
|
|
|
|
this->public.add_payload(&(this->public), (payload_t*)encryption_payload);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -993,14 +1071,16 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Implements message_t's destroy function.
|
|
|
|
|
* See #message_s.destroy.
|
|
|
|
|
* Implementation of message_t.destroy.
|
|
|
|
|
*/
|
|
|
|
|
static void destroy (private_message_t *this)
|
|
|
|
|
{
|
|
|
|
|
iterator_t *iterator;
|
|
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL | MOST, "Going to destroy message_t object");
|
|
|
|
|
|
|
|
|
|
this->packet->destroy(this->packet);
|
|
|
|
|
|
|
|
|
|
if (this->ike_sa_id != NULL)
|
|
|
|
|
@ -1049,9 +1129,9 @@ message_t *message_create_from_packet(packet_t *packet)
|
|
|
|
|
this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
|
|
|
|
|
this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
|
|
|
|
|
this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
|
|
|
|
|
this->public.get_source = (void (*) (message_t*,host_t**)) get_source;
|
|
|
|
|
this->public.get_source = (host_t * (*) (message_t*)) get_source;
|
|
|
|
|
this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
|
|
|
|
|
this->public.get_destination = (void (*) (message_t*,host_t**)) get_destination;
|
|
|
|
|
this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
|
|
|
|
|
this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
|
|
|
|
|
this->public.parse_header = (status_t (*) (message_t *)) parse_header;
|
|
|
|
|
this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
|
|
|
|
|
@ -1069,7 +1149,7 @@ message_t *message_create_from_packet(packet_t *packet)
|
|
|
|
|
this->get_message_rule = get_message_rule;
|
|
|
|
|
this->get_supported_payload_entry = get_supported_payload_entry;
|
|
|
|
|
this->encrypt_payloads = encrypt_payloads;
|
|
|
|
|
this->decrypt_payloads = decrypt_payloads;
|
|
|
|
|
this->decrypt_and_verify_payloads = decrypt_and_verify_payloads;
|
|
|
|
|
|
|
|
|
|
/* private values */
|
|
|
|
|
if (packet == NULL)
|
|
|
|
|
@ -1088,7 +1168,7 @@ message_t *message_create_from_packet(packet_t *packet)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Described in Header-File
|
|
|
|
|
* Described in Header.
|
|
|
|
|
*/
|
|
|
|
|
message_t *message_create()
|
|
|
|
|
{
|
|
|
|
|
|
Jan Hutter