063b1ec4e0f47f3c003e8a98143a732b6e1f4fc4
[strongswan.git] / Source / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_sa.h"
24
25 #include <types.h>
26 #include <daemon.h>
27 #include <definitions.h>
28 #include <utils/allocator.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <transforms/diffie_hellman.h>
33 #include <transforms/prf_plus.h>
34 #include <transforms/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/transform_substructure.h>
39 #include <encoding/payloads/transform_attribute.h>
40 #include <sa/states/initiator_init.h>
41 #include <sa/states/responder_init.h>
42 #include <queues/jobs/retransmit_request_job.h>
43 #include <queues/jobs/delete_established_ike_sa_job.h>
44
45
46
47
48 typedef struct private_ike_sa_t private_ike_sa_t;
49
50 /**
51 * Private data of an ike_sa_t object.
52 */
53 struct private_ike_sa_t {
54
55 /**
56 * Protected part of a ike_sa_t object.
57 */
58 protected_ike_sa_t protected;
59
60 /**
61 * Resends the last sent reply.
62 *
63 * @param this calling object
64 */
65 status_t (*resend_last_reply) (private_ike_sa_t *this);
66
67 /* private values */
68
69 /**
70 * Identifier for the current IKE_SA.
71 */
72 ike_sa_id_t *ike_sa_id;
73
74 /**
75 * Linked List containing the child sa's of the current IKE_SA.
76 */
77 linked_list_t *child_sas;
78
79 /**
80 * Current state of the IKE_SA represented as state_t object.
81 *
82 * A state object representates one of the following states and is processing
83 * messages in the specific state:
84 * - INITIATOR_INIT
85 * - RESPONDER_INIT
86 * - IKE_SA_INIT_REQUESTED
87 * - IKE_SA_INIT_RESPONDED
88 * - IKE_AUTH_REQUESTED
89 * -IKE_SA_ESTABLISHED
90 */
91 state_t *current_state;
92
93 /**
94 * INIT configuration, needed for the IKE_SA_INIT exchange.
95 *
96 * Gets set in states:
97 * - INITATOR_INIT
98 * - RESPONDER_INIT
99 *
100 * Available in states:
101 * - IKE_SA_INIT_REQUESTED
102 * - IKE_SA_INIT_RESPONDED
103 * - IKE_AUTH_REQUESTED
104 * -IKE_SA_ESTABLISHED
105 */
106 init_config_t *init_config;
107
108 /**
109 * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
110 *
111 * Gets set in states:
112 * - IKE_SA_INIT_REQUESTED
113 * - IKE_SA_INIT_RESPONDED
114 *
115 * Available in states:
116 * - IKE_AUTH_REQUESTED
117 * -IKE_SA_ESTABLISHED
118 */
119 sa_config_t *sa_config;
120
121 /**
122 * This SA's source for random data.
123 *
124 * Is available in every state.
125 */
126 randomizer_t *randomizer;
127
128 /**
129 * The last responded message.
130 */
131 message_t *last_responded_message;
132
133 /**
134 * The ast requested message.
135 */
136 message_t *last_requested_message;
137
138 /**
139 * Informations of this host.
140 */
141 struct {
142 host_t *host;
143 } me;
144
145 /**
146 * Informations of the other host.
147 */
148 struct {
149 host_t *host;
150 } other;
151
152 /**
153 * Crypter object for initiator.
154 *
155 * Gets set in states:
156 * - IKE_SA_INIT_REQUESTED
157 * - RESPONDER_INIT
158 *
159 * Available in states:
160 * - IKE_SA_INIT_RESPONDED
161 * - IKE_AUTH_REQUESTED
162 * -IKE_SA_ESTABLISHED
163 */
164 crypter_t *crypter_initiator;
165
166 /**
167 * Crypter object for responder.
168 *
169 * Gets set in states:
170 * - IKE_SA_INIT_REQUESTED
171 * - RESPONDER_INIT
172 *
173 * Available in states:
174 * - IKE_SA_INIT_RESPONDED
175 * - IKE_AUTH_REQUESTED
176 * -IKE_SA_ESTABLISHED
177 */
178 crypter_t *crypter_responder;
179
180 /**
181 * Signer object for initiator.
182 *
183 * Gets set in states:
184 * - IKE_SA_INIT_REQUESTED
185 * - RESPONDER_INIT
186 *
187 * Available in states:
188 * - IKE_SA_INIT_RESPONDED
189 * - IKE_AUTH_REQUESTED
190 * -IKE_SA_ESTABLISHED
191 */
192 signer_t *signer_initiator;
193
194 /**
195 * Signer object for responder.
196 *
197 * Gets set in states:
198 * - IKE_SA_INIT_REQUESTED
199 * - RESPONDER_INIT
200 *
201 * Available in states:
202 * - IKE_SA_INIT_RESPONDED
203 * - IKE_AUTH_REQUESTED
204 * -IKE_SA_ESTABLISHED
205 */
206 signer_t *signer_responder;
207
208 /**
209 * Prf function.
210 *
211 * Gets set in states:
212 * - IKE_SA_INIT_REQUESTED
213 * - RESPONDER_INIT
214 *
215 * Available in states:
216 * - IKE_SA_INIT_RESPONDED
217 * - IKE_AUTH_REQUESTED
218 * -IKE_SA_ESTABLISHED
219 */
220 prf_t *prf;
221
222 /**
223 * Shared secrets which have to be stored.
224 *
225 * Are getting set in states:
226 * - IKE_SA_INIT_REQUESTED
227 * - RESPONDER_INIT
228 *
229 * Available in states:
230 * - IKE_SA_INIT_RESPONDED
231 * - IKE_AUTH_REQUESTED
232 * -IKE_SA_ESTABLISHED
233 */
234 struct {
235 /**
236 * Key used for deriving other keys
237 */
238 chunk_t d_key;
239
240 /**
241 * Key for generating auth payload (initiator)
242 */
243 chunk_t pi_key;
244
245 /**
246 * Key for generating auth payload (responder)
247 */
248 chunk_t pr_key;
249
250 } secrets;
251
252 /**
253 * Next message id to receive.
254 */
255 u_int32_t message_id_in;
256
257 /**
258 * Next message id to send.
259 */
260 u_int32_t message_id_out;
261
262 /**
263 * Last reply id which was successfully received.
264 */
265 int32_t last_replied_message_id;
266
267 /**
268 * A logger for this IKE_SA.
269 */
270 logger_t *logger;
271 };
272
273 /**
274 * Implementation of ike_sa_t.process_message.
275 */
276 static status_t process_message (private_ike_sa_t *this, message_t *message)
277 {
278 u_int32_t message_id;
279 exchange_type_t exchange_type;
280 bool is_request;
281
282 /* We must process each request or response from remote host */
283
284 /* Find out type of message (request or response) */
285 is_request = message->get_request(message);
286 exchange_type = message->get_exchange_type(message);
287
288 this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
289 (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
290
291 message_id = message->get_message_id(message);
292
293 /*
294 * It has to be checked, if the message has to be resent cause of lost packets!
295 */
296 if (is_request && (message_id == (this->message_id_in - 1)))
297 {
298 /* Message can be resent ! */
299 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
300 return (this->resend_last_reply(this));
301 }
302
303 /* Now, the message id is checked for request AND reply */
304 if (is_request)
305 {
306 /* In a request, the message has to be this->message_id_in (other case is already handled) */
307 if (message_id != this->message_id_in)
308 {
309 this->logger->log(this->logger, ERROR | LEVEL1,
310 "Message request with message id %d received, but %d expected",
311 message_id,this->message_id_in);
312 return FAILED;
313 }
314 }
315 else
316 {
317 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
318 if (message_id != (this->message_id_out - 1))
319 {
320 this->logger->log(this->logger, ERROR | LEVEL1,
321 "Message reply with message id %d received, but %d expected",
322 message_id,this->message_id_in);
323 return FAILED;
324 }
325 }
326
327 /* now the message is processed by the current state object.
328 * The specific state object is responsible to check if a message can be received in
329 * the state it represents.
330 * The current state is also responsible to change the state object to the next state
331 * by calling protected_ike_sa_t.set_new_state*/
332 return this->current_state->process_message(this->current_state,message);
333 }
334
335 /**
336 * Implementation of protected_ike_sa_t.build_message.
337 */
338 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
339 {
340 message_t *new_message;
341
342 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
343 new_message = message_create();
344 new_message->set_source(new_message, this->me.host->clone(this->me.host));
345 new_message->set_destination(new_message, this->other.host->clone(this->other.host));
346 new_message->set_exchange_type(new_message, type);
347 new_message->set_request(new_message, request);
348 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
349 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
350
351 *message = new_message;
352 }
353
354 /**
355 * Implementation of protected_ike_sa_t.process_configuration.
356 */
357 static status_t initialize_connection(private_ike_sa_t *this, char *name)
358 {
359 initiator_init_t *current_state;
360 status_t status;
361
362 /* Work is done in state object of type INITIATOR_INIT. All other states are not
363 * initial states and so don't have a initialize_connection function */
364
365 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
366 {
367 return FAILED;
368 }
369
370 current_state = (initiator_init_t *) this->current_state;
371
372 status = current_state->initiate_connection(current_state,name);
373 return status;
374 }
375
376 /**
377 * Implementation of protected_ike_sa_t.get_id.
378 */
379 static ike_sa_id_t* get_id(private_ike_sa_t *this)
380 {
381 return this->ike_sa_id;
382 }
383
384 /**
385 * Implementation of protected_ike_sa_t.compute_secrets.
386 */
387 static void compute_secrets(private_ike_sa_t *this,
388 chunk_t dh_shared_secret,
389 chunk_t initiator_nonce,
390 chunk_t responder_nonce)
391 {
392 u_int8_t ei_buffer[this->crypter_initiator->get_block_size(this->crypter_initiator)];
393 chunk_t ei_key = {ptr: ei_buffer, len: sizeof(ei_buffer)};
394 u_int8_t er_buffer[this->crypter_responder->get_block_size(this->crypter_responder)];
395 chunk_t er_key = {ptr: er_buffer, len: sizeof(er_buffer)};
396 u_int8_t ai_buffer[this->signer_initiator->get_key_size(this->signer_initiator)];
397 chunk_t ai_key = {ptr: ai_buffer, len: sizeof(ai_buffer)};
398 u_int8_t ar_buffer[this->signer_responder->get_key_size(this->signer_responder)];
399 chunk_t ar_key = {ptr: ar_buffer, len: sizeof(ar_buffer)};
400 u_int8_t concatenated_nonces_buffer[initiator_nonce.len + responder_nonce.len];
401 chunk_t concatenated_nonces = {ptr: concatenated_nonces_buffer, len : sizeof(concatenated_nonces_buffer)};
402 u_int8_t skeyseed_buffer[this->prf->get_block_size(this->prf)];
403 chunk_t skeyseed = {ptr: skeyseed_buffer, len: sizeof(skeyseed_buffer)};
404 u_int64_t initiator_spi;
405 u_int64_t responder_spi;
406 chunk_t prf_plus_seed;
407 prf_plus_t *prf_plus;
408
409 /* first is initiator */
410 memcpy(concatenated_nonces.ptr,initiator_nonce.ptr,initiator_nonce.len);
411 /* second is responder */
412 memcpy(concatenated_nonces.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
413
414 this->logger->log_chunk(this->logger, RAW | LEVEL2, "Nonce data", &concatenated_nonces);
415
416 /* Status of set_key is not checked */
417 this->prf->set_key(this->prf,concatenated_nonces);
418
419 this->prf->get_bytes(this->prf,dh_shared_secret,skeyseed_buffer);
420
421 prf_plus_seed.len = (initiator_nonce.len + responder_nonce.len + 16);
422 prf_plus_seed.ptr = allocator_alloc(prf_plus_seed.len);
423
424 /* first is initiator */
425 memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len);
426 /* second is responder */
427 memcpy(prf_plus_seed.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
428 /* third is initiator spi */
429 initiator_spi = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
430 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len,&initiator_spi,8);
431 /* fourth is responder spi */
432 responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
433 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8);
434
435 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "Keyseed", &skeyseed);
436 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "PRF+ Seed", &prf_plus_seed);
437
438 this->logger->log(this->logger, CONTROL | LEVEL2, "Set new key of prf object");
439 this->prf->set_key(this->prf,skeyseed);
440
441 this->logger->log(this->logger, CONTROL | LEVEL2, "Create new prf+ object");
442 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
443 allocator_free_chunk(&prf_plus_seed);
444
445
446 prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key));
447 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key));
448
449 prf_plus->get_bytes(prf_plus,ai_key.len,ai_buffer);
450 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(ai_key));
451 this->signer_initiator->set_key(this->signer_initiator,ai_key);
452
453 prf_plus->get_bytes(prf_plus,ar_key.len,ar_buffer);
454 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(ar_key));
455 this->signer_responder->set_key(this->signer_responder,ar_key);
456
457 prf_plus->get_bytes(prf_plus,ei_key.len,ei_buffer);
458 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(ei_key));
459 this->crypter_initiator->set_key(this->crypter_initiator,ei_key);
460
461 prf_plus->get_bytes(prf_plus,er_key.len,er_buffer);
462 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(er_key));
463 this->crypter_responder->set_key(this->crypter_responder,er_key);
464
465 prf_plus->allocate_bytes(prf_plus,
466 this->crypter_responder->get_block_size(this->crypter_responder),
467 &(this->secrets.pi_key));
468 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
469
470 prf_plus->allocate_bytes(prf_plus,
471 this->crypter_responder->get_block_size(this->crypter_responder),
472 &(this->secrets.pr_key));
473 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
474
475 prf_plus->destroy(prf_plus);
476 }
477
478 /**
479 * Implementation of private_ike_sa_t.resend_last_reply.
480 */
481 static status_t resend_last_reply(private_ike_sa_t *this)
482 {
483 packet_t *packet;
484
485 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit last reply");
486 packet = this->last_responded_message->get_packet(this->last_responded_message);
487 charon->send_queue->add(charon->send_queue, packet);
488
489 return SUCCESS;
490 }
491
492 /**
493 * Implementation of ike_sa_t.retransmit_request.
494 */
495 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
496 {
497 packet_t *packet;
498
499 if (this->last_requested_message == NULL)
500 {
501 return NOT_FOUND;
502 }
503
504 if (message_id == this->last_replied_message_id)
505 {
506 return NOT_FOUND;
507 }
508
509 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
510 {
511 return NOT_FOUND;
512 }
513
514 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
515 packet = this->last_requested_message->get_packet(this->last_requested_message);
516 charon->send_queue->add(charon->send_queue, packet);
517
518 return SUCCESS;
519 }
520
521 /**
522 * Implementation of protected_ike_sa_t.set_new_state.
523 */
524 static void set_new_state (private_ike_sa_t *this, state_t *state)
525 {
526 this->logger->log(this->logger, CONTROL, "Change current state %s to %s",
527 mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
528 mapping_find(ike_sa_state_m,state->get_state(state)));
529 this->current_state = state;
530 }
531
532 /**
533 * Implementation of protected_ike_sa_t.get_logger.
534 */
535 static logger_t *get_logger (private_ike_sa_t *this)
536 {
537 return this->logger;
538 }
539
540 /**
541 * Implementation of protected_ike_sa_t.get_my_host.
542 */
543 static host_t *get_my_host (private_ike_sa_t *this)
544 {
545 return this->me.host;
546 }
547
548 /**
549 * Implementation of protected_ike_sa_t.get_other_host.
550 */
551 static host_t *get_other_host (private_ike_sa_t *this)
552 {
553 return this->other.host;
554 }
555
556 /**
557 * Implementation of protected_ike_sa_t.get_init_config.
558 */
559 static init_config_t *get_init_config (private_ike_sa_t *this)
560 {
561 return this->init_config;
562 }
563
564 /**
565 * Implementation of protected_ike_sa_t.set_init_config.
566 */
567 static void set_init_config (private_ike_sa_t *this,init_config_t * init_config)
568 {
569 this->init_config = init_config;
570 }
571
572 /**
573 * Implementation of protected_ike_sa_t.get_sa_config.
574 */
575 static sa_config_t *get_sa_config (private_ike_sa_t *this)
576 {
577 return this->sa_config;
578 }
579
580 /**
581 * Implementation of protected_ike_sa_t.set_sa_config.
582 */
583 static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config)
584 {
585 this->sa_config = sa_config;
586 }
587
588 /**
589 * Implementation of protected_ike_sa_t.set_my_host.
590 */
591 static void set_my_host (private_ike_sa_t *this, host_t *my_host)
592 {
593 this->me.host = my_host;
594 }
595
596 /**
597 * Implementation of protected_ike_sa_t.set_other_host.
598 */
599 static void set_other_host (private_ike_sa_t *this, host_t *other_host)
600 {
601 this->other.host = other_host;
602 }
603
604 /**
605 * Implementation of protected_ike_sa_t.get_prf.
606 */
607 static prf_t *get_prf (private_ike_sa_t *this)
608 {
609 return this->prf;
610 }
611
612 /**
613 * Implementation of protected_ike_sa_t.get_key_pr.
614 */
615 static chunk_t get_key_pr (private_ike_sa_t *this)
616 {
617 return this->secrets.pr_key;
618 }
619
620
621 /**
622 * Implementation of protected_ike_sa_t.get_key_pi.
623 */
624 static chunk_t get_key_pi (private_ike_sa_t *this)
625 {
626 return this->secrets.pi_key;
627 }
628
629 /**
630 * Implementation of protected_ike_sa_t.set_prf.
631 */
632 static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal)
633 {
634 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to create transform objects for proposal");
635
636 this->logger->log(this->logger, CONTROL|LEVEL2, "Encryption algorithm: %s with keylength %d",
637 mapping_find(encryption_algorithm_m,proposal->encryption_algorithm),
638 proposal->encryption_algorithm_key_length);
639 this->logger->log(this->logger, CONTROL|LEVEL2, "Integrity algorithm: %s with keylength %d",
640 mapping_find(integrity_algorithm_m,proposal->integrity_algorithm),
641 proposal->integrity_algorithm_key_length);
642 this->logger->log(this->logger, CONTROL|LEVEL2, "PRF: %s with keylength %d",
643 mapping_find(pseudo_random_function_m,proposal->pseudo_random_function),
644 proposal->pseudo_random_function_key_length);
645
646 if (this->prf != NULL)
647 {
648 this->prf->destroy(this->prf);
649 }
650 this->prf = prf_create(proposal->pseudo_random_function);
651 if (this->prf == NULL)
652 {
653 this->logger->log(this->logger, ERROR|LEVEL1, "PRF %s not supported!",
654 mapping_find(pseudo_random_function_m,proposal->pseudo_random_function));
655 return FAILED;
656 }
657
658 if (this->crypter_initiator != NULL)
659 {
660 this->crypter_initiator->destroy(this->crypter_initiator);
661 }
662 this->crypter_initiator = crypter_create(proposal->encryption_algorithm,
663 proposal->encryption_algorithm_key_length);
664 if (this->crypter_initiator == NULL)
665 {
666 this->logger->log(this->logger, ERROR|LEVEL1, "Encryption algorithm %s not supported!",
667 mapping_find(encryption_algorithm_m,proposal->encryption_algorithm));
668 return FAILED;
669 }
670
671 if (this->crypter_responder != NULL)
672 {
673 this->crypter_responder->destroy(this->crypter_responder);
674 }
675 this->crypter_responder = crypter_create(proposal->encryption_algorithm,
676 proposal->encryption_algorithm_key_length);
677 /* check must not be done again */
678
679 if (this->signer_initiator != NULL)
680 {
681 this->signer_initiator->destroy(this->signer_initiator);
682 }
683 this->signer_initiator = signer_create(proposal->integrity_algorithm);
684 if (this->signer_initiator == NULL)
685 {
686 this->logger->log(this->logger, ERROR|LEVEL1, "Integrity algorithm %s not supported!",
687 mapping_find(integrity_algorithm_m,proposal->integrity_algorithm));
688 return FAILED;
689 }
690
691 if (this->signer_responder != NULL)
692 {
693 this->signer_responder->destroy(this->signer_responder);
694 }
695 this->signer_responder = signer_create(proposal->integrity_algorithm);
696
697 return SUCCESS;
698 }
699
700 /**
701 * Implementation of protected_ike_sa_t.get_randomizer.
702 */
703 static randomizer_t *get_randomizer (private_ike_sa_t *this)
704 {
705 return this->randomizer;
706 }
707
708 /**
709 * Implementation of protected_ike_sa_t.get_crypter_initiator.
710 */
711 static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
712 {
713 return this->crypter_initiator;
714 }
715
716 /**
717 * Implementation of protected_ike_sa_t.get_signer_initiator.
718 */
719 static signer_t *get_signer_initiator (private_ike_sa_t *this)
720 {
721 return this->signer_initiator;
722 }
723
724 /**
725 * Implementation of protected_ike_sa_t.get_crypter_responder.
726 */
727 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
728 {
729 return this->crypter_responder;
730 }
731
732 /**
733 * Implementation of protected_ike_sa_t.get_signer_responder.
734 */
735 static signer_t *get_signer_responder (private_ike_sa_t *this)
736 {
737 return this->signer_responder;
738 }
739
740 /**
741 * Implementation of protected_ike_sa_t.send_request.
742 */
743 static status_t send_request (private_ike_sa_t *this,message_t * message)
744 {
745 retransmit_request_job_t *retransmit_job;
746 u_int32_t timeout;
747 packet_t *packet;
748 status_t status;
749
750 if (message->get_message_id(message) != this->message_id_out)
751 {
752 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
753 message->get_message_id(message),this->message_id_out);
754 return FAILED;
755 }
756
757 /* generate packet */
758 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
759
760 status = message->generate(message, this->crypter_initiator,this->signer_initiator, &packet);
761 if (status != SUCCESS)
762 {
763 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
764 return FAILED;
765 }
766
767 this->logger->log(this->logger, CONTROL|LEVEL3,
768 "Add request packet with message id %d to global send queue",
769 this->message_id_out);
770 charon->send_queue->add(charon->send_queue, packet);
771
772 if (this->last_requested_message != NULL)
773 {
774 /* destroy message */
775 this->last_requested_message->destroy(this->last_requested_message);
776 }
777
778 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
779 this->last_requested_message = message;
780
781 retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
782
783 status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,
784 retransmit_job->get_retransmit_count(retransmit_job),&timeout);
785
786 if (status != SUCCESS)
787 {
788 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
789 retransmit_job->destroy(retransmit_job);
790 }
791 else
792 {
793 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.",timeout);
794 charon->event_queue->add_relative(charon->event_queue,(job_t *) retransmit_job,timeout);
795 }
796
797 /* message counter can now be increased */
798 this->logger->log(this->logger, CONTROL|LEVEL3,
799 "Increase message counter for outgoing messages from %d",
800 this->message_id_out);
801 this->message_id_out++;
802 return SUCCESS;
803 }
804
805 /**
806 * Implementation of protected_ike_sa_t.send_response.
807 */
808 static status_t send_response (private_ike_sa_t *this,message_t * message)
809 {
810 packet_t *packet;
811 status_t status;
812
813 if (message->get_message_id(message) != this->message_id_in)
814 {
815 this->logger->log(this->logger, ERROR, "Message could not be sent cause id was not as expected");
816 return FAILED;
817 }
818
819 status = message->generate(message, this->crypter_responder,this->signer_responder, &packet);
820 if (status != SUCCESS)
821 {
822 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
823 return FAILED;
824 }
825
826 this->logger->log(this->logger, CONTROL|LEVEL3,
827 "Add response packet with message id %d to global send queue",
828 this->message_id_in);
829 charon->send_queue->add(charon->send_queue, packet);
830
831 if (this->last_responded_message != NULL)
832 {
833 /* destroy message */
834 this->last_responded_message->destroy(this->last_responded_message);
835 }
836
837 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
838 this->last_responded_message = message;
839
840 /* message counter can now be increased */
841 this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
842 this->message_id_in++;
843
844 return SUCCESS;
845 }
846
847 /**
848 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
849 */
850 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
851 {
852 this->last_replied_message_id = message_id;
853 }
854
855 /**
856 * Implementation of protected_ike_sa_t.get_last_responded_message.
857 */
858 static message_t * get_last_responded_message (private_ike_sa_t *this)
859 {
860 return this->last_responded_message;
861 }
862
863 /**
864 * Implementation of protected_ike_sa_t.get_last_requested_message.
865 */
866 static message_t * get_last_requested_message (private_ike_sa_t *this)
867 {
868 return this->last_requested_message;
869 }
870
871 /**
872 * Implementation of protected_ike_sa_t.get_state.
873 */
874 static ike_sa_state_t get_state (private_ike_sa_t *this)
875 {
876 return this->current_state->get_state(this->current_state);
877 }
878
879 /**
880 * Implementation of protected_ike_sa_t.reset_message_buffers.
881 */
882 static void reset_message_buffers (private_ike_sa_t *this)
883 {
884 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
885 /* destroy stored requested message */
886 if (this->last_requested_message != NULL)
887 {
888 this->last_requested_message->destroy(this->last_requested_message);
889 this->last_requested_message = NULL;
890 }
891
892 /* destroy stored responded messages */
893 if (this->last_responded_message != NULL)
894 {
895 this->last_responded_message->destroy(this->last_responded_message);
896 this->last_responded_message = NULL;
897 }
898
899 this->message_id_out = 0;
900 this->message_id_in = 0;
901 this->last_replied_message_id = -1;
902 }
903
904 /**
905 * Implementation of protected_ike_sa_t.create_delete_established_ike_sa_job.
906 */
907 static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32_t timeout)
908 {
909 job_t *delete_job;
910
911 this->logger->log(this->logger, CONTROL | LEVEL1,
912 "Going to create job to delete established IKE_SA in %d ms",
913 timeout);
914
915 delete_job = (job_t *) delete_established_ike_sa_job_create(this->ike_sa_id);
916 charon->event_queue->add_relative(charon->event_queue,delete_job, timeout);
917 }
918
919 /**
920 * Implementation of protected_ike_sa_t.destroy.
921 */
922 static void destroy (private_ike_sa_t *this)
923 {
924 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
925 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
926 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
927 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
928
929 /* destroy child sa's */
930 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy all child_sa's");
931 while (this->child_sas->get_count(this->child_sas) > 0)
932 {
933 void *child_sa;
934 if (this->child_sas->remove_first(this->child_sas, &child_sa) != SUCCESS)
935 {
936 break;
937 }
938 /* destroy child sa */
939 }
940 this->child_sas->destroy(this->child_sas);
941
942 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy secrets");
943 allocator_free(this->secrets.d_key.ptr);
944 allocator_free(this->secrets.pi_key.ptr);
945 allocator_free(this->secrets.pr_key.ptr);
946
947 if (this->crypter_initiator != NULL)
948 {
949 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator crypter_t object");
950 this->crypter_initiator->destroy(this->crypter_initiator);
951 }
952
953 if (this->crypter_responder != NULL)
954 {
955 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder crypter_t object");
956 this->crypter_responder->destroy(this->crypter_responder);
957 }
958
959 if (this->signer_initiator != NULL)
960 {
961 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator signer_t object");
962 this->signer_initiator->destroy(this->signer_initiator);
963 }
964
965 if (this->signer_responder != NULL)
966 {
967 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder signer_t object");
968 this->signer_responder->destroy(this->signer_responder);
969 }
970
971 if (this->prf != NULL)
972 {
973 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy prf_t object");
974 this->prf->destroy(this->prf);
975 }
976
977 /* destroy ike_sa_id */
978 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy ike_sa_id object");
979 this->ike_sa_id->destroy(this->ike_sa_id);
980
981 /* destroy stored requested message */
982 if (this->last_requested_message != NULL)
983 {
984 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last requested message");
985 this->last_requested_message->destroy(this->last_requested_message);
986 }
987
988 /* destroy stored responded messages */
989 if (this->last_responded_message != NULL)
990 {
991 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last responded message");
992 this->last_responded_message->destroy(this->last_responded_message);
993 }
994
995 /* destroy stored host_t objects */
996 if (this->me.host != NULL)
997 {
998 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy my host_t object");
999 this->me.host->destroy(this->me.host);
1000 }
1001
1002 /* destroy stored host_t objects */
1003 if (this->other.host != NULL)
1004 {
1005 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy other host_t object");
1006 this->other.host->destroy(this->other.host);
1007 }
1008
1009 this->randomizer->destroy(this->randomizer);
1010
1011 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy current state object");
1012 this->current_state->destroy(this->current_state);
1013
1014 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy logger of IKE_SA");
1015 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
1016
1017 allocator_free(this);
1018 }
1019
1020 /*
1021 * Described in header.
1022 */
1023 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1024 {
1025 private_ike_sa_t *this = allocator_alloc_thing(private_ike_sa_t);
1026
1027 /* Public functions */
1028 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1029 this->protected.public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
1030 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1031 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1032 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1033 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1034
1035 /* protected functions */
1036 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
1037 this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
1038 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1039 this->protected.get_key_pr = (chunk_t (*) (protected_ike_sa_t *)) get_key_pr;
1040 this->protected.get_key_pi = (chunk_t (*) (protected_ike_sa_t *)) get_key_pi;
1041 this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
1042 this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
1043 this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
1044 this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config;
1045 this->protected.get_sa_config = (sa_config_t *(*) (protected_ike_sa_t *)) get_sa_config;
1046 this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host;
1047 this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host;
1048 this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host;
1049 this->protected.set_other_host = (void(*) (protected_ike_sa_t *, host_t *)) set_other_host;
1050 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1051 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1052 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1053 this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,ike_proposal_t *)) create_transforms_from_proposal;
1054 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1055 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1056 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1057 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1058 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1059 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1060 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_responded_message;
1061 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_requested_message;
1062 this->protected.create_delete_established_ike_sa_job = (void (*) (protected_ike_sa_t *this,u_int32_t)) create_delete_established_ike_sa_job;
1063
1064 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1065
1066 /* private functions */
1067 this->resend_last_reply = resend_last_reply;
1068
1069 /* initialize private fields */
1070 this->logger = charon->logger_manager->create_logger(charon->logger_manager, IKE_SA, NULL);
1071
1072 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1073 this->child_sas = linked_list_create();
1074 this->randomizer = randomizer_create();
1075
1076 this->me.host = NULL;
1077 this->other.host = NULL;
1078 this->last_requested_message = NULL;
1079 this->last_responded_message = NULL;
1080 this->message_id_out = 0;
1081 this->message_id_in = 0;
1082 this->last_replied_message_id = -1;
1083 this->secrets.d_key = CHUNK_INITIALIZER;
1084 this->secrets.pi_key = CHUNK_INITIALIZER;
1085 this->secrets.pr_key = CHUNK_INITIALIZER;
1086 this->crypter_initiator = NULL;
1087 this->crypter_responder = NULL;
1088 this->signer_initiator = NULL;
1089 this->signer_responder = NULL;
1090 this->prf = NULL;
1091 this->init_config = NULL;
1092 this->sa_config = NULL;
1093
1094 /* at creation time, IKE_SA is in a initiator state */
1095 if (ike_sa_id->is_initiator(ike_sa_id))
1096 {
1097 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
1098 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1099 }
1100 else
1101 {
1102 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
1103 this->current_state = (state_t *) responder_init_create(&(this->protected));
1104 }
1105 return &(this->protected.public);
1106 }