113c0e94bf7012035d00d2483a711d7f11148ec8
[strongswan.git] / Source / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_sa.h"
24
25 #include <types.h>
26 #include <daemon.h>
27 #include <definitions.h>
28 #include <utils/allocator.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <transforms/diffie_hellman.h>
33 #include <transforms/prf_plus.h>
34 #include <transforms/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/transform_substructure.h>
39 #include <encoding/payloads/transform_attribute.h>
40 #include <sa/states/initiator_init.h>
41 #include <sa/states/responder_init.h>
42 #include <queues/jobs/retransmit_request_job.h>
43 #include <queues/jobs/delete_established_ike_sa_job.h>
44
45
46
47
48 typedef struct private_ike_sa_t private_ike_sa_t;
49
50 /**
51 * Private data of an ike_sa_t object.
52 */
53 struct private_ike_sa_t {
54
55 /**
56 * Protected part of a ike_sa_t object.
57 */
58 protected_ike_sa_t protected;
59
60 /**
61 * Resends the last sent reply.
62 *
63 * @param this calling object
64 */
65 status_t (*resend_last_reply) (private_ike_sa_t *this);
66
67 /* private values */
68
69 /**
70 * Identifier for the current IKE_SA.
71 */
72 ike_sa_id_t *ike_sa_id;
73
74 /**
75 * Linked List containing the child sa's of the current IKE_SA.
76 */
77 linked_list_t *child_sas;
78
79 /**
80 * Current state of the IKE_SA represented as state_t object.
81 *
82 * A state object representates one of the following states and is processing
83 * messages in the specific state:
84 * - INITIATOR_INIT
85 * - RESPONDER_INIT
86 * - IKE_SA_INIT_REQUESTED
87 * - IKE_SA_INIT_RESPONDED
88 * - IKE_AUTH_REQUESTED
89 * -IKE_SA_ESTABLISHED
90 */
91 state_t *current_state;
92
93 /**
94 * INIT configuration, needed for the IKE_SA_INIT exchange.
95 *
96 * Gets set in states:
97 * - INITATOR_INIT
98 * - RESPONDER_INIT
99 *
100 * Available in states:
101 * - IKE_SA_INIT_REQUESTED
102 * - IKE_SA_INIT_RESPONDED
103 * - IKE_AUTH_REQUESTED
104 * -IKE_SA_ESTABLISHED
105 */
106 init_config_t *init_config;
107
108 /**
109 * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
110 *
111 * Gets set in states:
112 * - IKE_SA_INIT_REQUESTED
113 * - IKE_SA_INIT_RESPONDED
114 *
115 * Available in states:
116 * - IKE_AUTH_REQUESTED
117 * -IKE_SA_ESTABLISHED
118 */
119 sa_config_t *sa_config;
120
121 /**
122 * This SA's source for random data.
123 *
124 * Is available in every state.
125 */
126 randomizer_t *randomizer;
127
128 /**
129 * The last responded message.
130 */
131 message_t *last_responded_message;
132
133 /**
134 * The ast requested message.
135 */
136 message_t *last_requested_message;
137
138 /**
139 * Informations of this host.
140 */
141 struct {
142 host_t *host;
143 } me;
144
145 /**
146 * Informations of the other host.
147 */
148 struct {
149 host_t *host;
150 } other;
151
152 /**
153 * Crypter object for initiator.
154 *
155 * Gets set in states:
156 * - IKE_SA_INIT_REQUESTED
157 * - RESPONDER_INIT
158 *
159 * Available in states:
160 * - IKE_SA_INIT_RESPONDED
161 * - IKE_AUTH_REQUESTED
162 * -IKE_SA_ESTABLISHED
163 */
164 crypter_t *crypter_initiator;
165
166 /**
167 * Crypter object for responder.
168 *
169 * Gets set in states:
170 * - IKE_SA_INIT_REQUESTED
171 * - RESPONDER_INIT
172 *
173 * Available in states:
174 * - IKE_SA_INIT_RESPONDED
175 * - IKE_AUTH_REQUESTED
176 * -IKE_SA_ESTABLISHED
177 */
178 crypter_t *crypter_responder;
179
180 /**
181 * Signer object for initiator.
182 *
183 * Gets set in states:
184 * - IKE_SA_INIT_REQUESTED
185 * - RESPONDER_INIT
186 *
187 * Available in states:
188 * - IKE_SA_INIT_RESPONDED
189 * - IKE_AUTH_REQUESTED
190 * -IKE_SA_ESTABLISHED
191 */
192 signer_t *signer_initiator;
193
194 /**
195 * Signer object for responder.
196 *
197 * Gets set in states:
198 * - IKE_SA_INIT_REQUESTED
199 * - RESPONDER_INIT
200 *
201 * Available in states:
202 * - IKE_SA_INIT_RESPONDED
203 * - IKE_AUTH_REQUESTED
204 * -IKE_SA_ESTABLISHED
205 */
206 signer_t *signer_responder;
207
208 /**
209 * Prf function.
210 *
211 * Gets set in states:
212 * - IKE_SA_INIT_REQUESTED
213 * - RESPONDER_INIT
214 *
215 * Available in states:
216 * - IKE_SA_INIT_RESPONDED
217 * - IKE_AUTH_REQUESTED
218 * -IKE_SA_ESTABLISHED
219 */
220 prf_t *prf;
221
222 /**
223 * Shared secrets which have to be stored.
224 *
225 * Are getting set in states:
226 * - IKE_SA_INIT_REQUESTED
227 * - RESPONDER_INIT
228 *
229 * Available in states:
230 * - IKE_SA_INIT_RESPONDED
231 * - IKE_AUTH_REQUESTED
232 * -IKE_SA_ESTABLISHED
233 */
234 struct {
235 /**
236 * Key used for deriving other keys
237 */
238 chunk_t d_key;
239
240 /**
241 * Key for generating auth payload (initiator)
242 */
243 chunk_t pi_key;
244
245 /**
246 * Key for generating auth payload (responder)
247 */
248 chunk_t pr_key;
249
250 } secrets;
251
252 /**
253 * Next message id to receive.
254 */
255 u_int32_t message_id_in;
256
257 /**
258 * Next message id to send.
259 */
260 u_int32_t message_id_out;
261
262 /**
263 * Last reply id which was successfully received.
264 */
265 int32_t last_replied_message_id;
266
267 /**
268 * A logger for this IKE_SA.
269 */
270 logger_t *logger;
271 };
272
273 /**
274 * Implementation of ike_sa_t.process_message.
275 */
276 static status_t process_message (private_ike_sa_t *this, message_t *message)
277 {
278 u_int32_t message_id;
279 exchange_type_t exchange_type;
280 bool is_request;
281
282 /* We must process each request or response from remote host */
283
284 /* Find out type of message (request or response) */
285 is_request = message->get_request(message);
286 exchange_type = message->get_exchange_type(message);
287
288 this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",(is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
289
290 message_id = message->get_message_id(message);
291
292 /*
293 * It has to be checked, if the message has to be resent cause of lost packets!
294 */
295 if (is_request && (message_id == (this->message_id_in - 1)))
296 {
297 /* Message can be resent ! */
298 this->logger->log(this->logger, CONTROL|MORE, "Resent request detected. Send stored reply.");
299 return (this->resend_last_reply(this));
300 }
301
302 /* Now, the message id is checked for request AND reply */
303 if (is_request)
304 {
305 /* In a request, the message has to be this->message_id_in (other case is already handled) */
306 if (message_id != this->message_id_in)
307 {
308 this->logger->log(this->logger, ERROR | MORE, "Message request with message id %d received, but %d expected",message_id,this->message_id_in);
309 return FAILED;
310 }
311 }
312 else
313 {
314 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
315 if (message_id != (this->message_id_out - 1))
316 {
317 this->logger->log(this->logger, ERROR | MORE, "Message reply with message id %d received, but %d expected",message_id,this->message_id_in);
318 return FAILED;
319 }
320 }
321
322 /* now the message is processed by the current state object.
323 * The specific state object is responsible to check if a message can be received in
324 * the state it represents.
325 * The current state is also responsible to change the state object to the next state
326 * by calling protected_ike_sa_t.set_new_state*/
327 return this->current_state->process_message(this->current_state,message);
328 }
329
330 /**
331 * Implementation of protected_ike_sa_t.build_message.
332 */
333 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
334 {
335 message_t *new_message;
336
337 this->logger->log(this->logger, CONTROL|MOST, "Build empty message");
338 new_message = message_create();
339 new_message->set_source(new_message, this->me.host->clone(this->me.host));
340 new_message->set_destination(new_message, this->other.host->clone(this->other.host));
341 new_message->set_exchange_type(new_message, type);
342 new_message->set_request(new_message, request);
343 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
344 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
345
346 *message = new_message;
347 }
348
349 /**
350 * Implementation of protected_ike_sa_t.process_configuration.
351 */
352 static status_t initialize_connection(private_ike_sa_t *this, char *name)
353 {
354 initiator_init_t *current_state;
355 status_t status;
356
357 /* Work is done in state object of type INITIATOR_INIT. All other states are not
358 * initial states and so don't have a initialize_connection function */
359
360 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
361 {
362 return FAILED;
363 }
364
365 current_state = (initiator_init_t *) this->current_state;
366
367 status = current_state->initiate_connection(current_state,name);
368 return status;
369 }
370
371 /**
372 * Implementation of protected_ike_sa_t.get_id.
373 */
374 static ike_sa_id_t* get_id(private_ike_sa_t *this)
375 {
376 return this->ike_sa_id;
377 }
378
379 /**
380 * Implementation of protected_ike_sa_t.compute_secrets.
381 */
382 static void compute_secrets(private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce)
383 {
384 u_int8_t ei_buffer[this->crypter_initiator->get_block_size(this->crypter_initiator)];
385 chunk_t ei_key = {ptr: ei_buffer, len: sizeof(ei_buffer)};
386 u_int8_t er_buffer[this->crypter_responder->get_block_size(this->crypter_responder)];
387 chunk_t er_key = {ptr: er_buffer, len: sizeof(er_buffer)};
388 u_int8_t ai_buffer[this->signer_initiator->get_key_size(this->signer_initiator)];
389 chunk_t ai_key = {ptr: ai_buffer, len: sizeof(ai_buffer)};
390 u_int8_t ar_buffer[this->signer_responder->get_key_size(this->signer_responder)];
391 chunk_t ar_key = {ptr: ar_buffer, len: sizeof(ar_buffer)};
392 u_int8_t concatenated_nonces_buffer[initiator_nonce.len + responder_nonce.len];
393 chunk_t concatenated_nonces = {ptr: concatenated_nonces_buffer, len : sizeof(concatenated_nonces_buffer)};
394 u_int8_t skeyseed_buffer[this->prf->get_block_size(this->prf)];
395 chunk_t skeyseed = {ptr: skeyseed_buffer, len: sizeof(skeyseed_buffer)};
396 u_int64_t initiator_spi;
397 u_int64_t responder_spi;
398 chunk_t prf_plus_seed;
399 prf_plus_t *prf_plus;
400
401
402 /**
403 * TODO check length fo specific prfs
404 */
405
406 /* first is initiator */
407 memcpy(concatenated_nonces.ptr,initiator_nonce.ptr,initiator_nonce.len);
408 /* second is responder */
409 memcpy(concatenated_nonces.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
410
411 this->logger->log_chunk(this->logger, RAW | MOST, "Nonce data", &concatenated_nonces);
412
413 /* Status of set_key is not checked */
414 this->prf->set_key(this->prf,concatenated_nonces);
415
416 this->prf->get_bytes(this->prf,dh_shared_secret,skeyseed_buffer);
417
418 prf_plus_seed.len = (initiator_nonce.len + responder_nonce.len + 16);
419 prf_plus_seed.ptr = allocator_alloc(prf_plus_seed.len);
420
421 /* first is initiator */
422 memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len);
423 /* second is responder */
424 memcpy(prf_plus_seed.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
425 /* third is initiator spi */
426 initiator_spi = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
427 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len,&initiator_spi,8);
428 /* fourth is responder spi */
429 responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
430 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8);
431
432 this->logger->log_chunk(this->logger, PRIVATE | MORE, "Keyseed", &skeyseed);
433 this->logger->log_chunk(this->logger, PRIVATE | MORE, "PRF+ Seed", &prf_plus_seed);
434
435 this->logger->log(this->logger, CONTROL | MOST, "Set new key of prf object");
436 this->prf->set_key(this->prf,skeyseed);
437
438 this->logger->log(this->logger, CONTROL | MOST, "Create new prf+ object");
439 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
440 allocator_free_chunk(&prf_plus_seed);
441
442
443 prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key));
444 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key));
445
446 prf_plus->get_bytes(prf_plus,ai_key.len,ai_buffer);
447 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(ai_key));
448 this->signer_initiator->set_key(this->signer_initiator,ai_key);
449
450 prf_plus->get_bytes(prf_plus,ar_key.len,ar_buffer);
451 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(ar_key));
452 this->signer_responder->set_key(this->signer_responder,ar_key);
453
454 prf_plus->get_bytes(prf_plus,ei_key.len,ei_buffer);
455 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(ei_key));
456 this->crypter_initiator->set_key(this->crypter_initiator,ei_key);
457
458 prf_plus->get_bytes(prf_plus,er_key.len,er_buffer);
459 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(er_key));
460 this->crypter_responder->set_key(this->crypter_responder,er_key);
461
462 prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pi_key));
463 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
464
465 prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pr_key));
466 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
467
468 prf_plus->destroy(prf_plus);
469 }
470
471 /**
472 * Implementation of private_ike_sa_t.resend_last_reply.
473 */
474 static status_t resend_last_reply(private_ike_sa_t *this)
475 {
476 packet_t *packet;
477
478 this->logger->log(this->logger, CONTROL | MORE, "Going to retransmit last reply");
479 packet = this->last_responded_message->get_packet(this->last_responded_message);
480 charon->send_queue->add(charon->send_queue, packet);
481
482 return SUCCESS;
483 }
484
485 /**
486 * Implementation of ike_sa_t.retransmit_request.
487 */
488 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
489 {
490 packet_t *packet;
491
492 if (this->last_requested_message == NULL)
493 {
494 return NOT_FOUND;
495 }
496
497 if (message_id == this->last_replied_message_id)
498 {
499 return NOT_FOUND;
500 }
501
502 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
503 {
504 return NOT_FOUND;
505 }
506
507 this->logger->log(this->logger, CONTROL | MORE, "Going to retransmit message with id %d",message_id);
508 packet = this->last_requested_message->get_packet(this->last_requested_message);
509 charon->send_queue->add(charon->send_queue, packet);
510
511 return SUCCESS;
512 }
513
514 /**
515 * Implementation of protected_ike_sa_t.set_new_state.
516 */
517 static void set_new_state (private_ike_sa_t *this, state_t *state)
518 {
519 this->logger->log(this->logger, CONTROL, "Change current state %s to %s",
520 mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
521 mapping_find(ike_sa_state_m,state->get_state(state)));
522 this->current_state = state;
523 }
524
525 /**
526 * Implementation of protected_ike_sa_t.get_logger.
527 */
528 static logger_t *get_logger (private_ike_sa_t *this)
529 {
530 return this->logger;
531 }
532
533 /**
534 * Implementation of protected_ike_sa_t.get_my_host.
535 */
536 static host_t *get_my_host (private_ike_sa_t *this)
537 {
538 return this->me.host;
539 }
540
541 /**
542 * Implementation of protected_ike_sa_t.get_other_host.
543 */
544 static host_t *get_other_host (private_ike_sa_t *this)
545 {
546 return this->other.host;
547 }
548
549 /**
550 * Implementation of protected_ike_sa_t.get_init_config.
551 */
552 static init_config_t *get_init_config (private_ike_sa_t *this)
553 {
554 return this->init_config;
555 }
556
557 /**
558 * Implementation of protected_ike_sa_t.set_init_config.
559 */
560 static void set_init_config (private_ike_sa_t *this,init_config_t * init_config)
561 {
562 this->init_config = init_config;
563 }
564
565 /**
566 * Implementation of protected_ike_sa_t.get_sa_config.
567 */
568 static sa_config_t *get_sa_config (private_ike_sa_t *this)
569 {
570 return this->sa_config;
571 }
572
573 /**
574 * Implementation of protected_ike_sa_t.set_sa_config.
575 */
576 static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config)
577 {
578 this->sa_config = sa_config;
579 }
580
581 /**
582 * Implementation of protected_ike_sa_t.set_my_host.
583 */
584 static void set_my_host (private_ike_sa_t *this, host_t *my_host)
585 {
586 this->me.host = my_host;
587 }
588
589 /**
590 * Implementation of protected_ike_sa_t.set_other_host.
591 */
592 static void set_other_host (private_ike_sa_t *this, host_t *other_host)
593 {
594 this->other.host = other_host;
595 }
596
597 /**
598 * Implementation of protected_ike_sa_t.get_prf.
599 */
600 static prf_t *get_prf (private_ike_sa_t *this)
601 {
602 return this->prf;
603 }
604
605 /**
606 * Implementation of protected_ike_sa_t.get_key_pr.
607 */
608 static chunk_t get_key_pr (private_ike_sa_t *this)
609 {
610 return this->secrets.pr_key;
611 }
612
613
614 /**
615 * Implementation of protected_ike_sa_t.get_key_pi.
616 */
617 static chunk_t get_key_pi (private_ike_sa_t *this)
618 {
619 return this->secrets.pi_key;
620 }
621
622 /**
623 * Implementation of protected_ike_sa_t.set_prf.
624 */
625 static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal)
626 {
627 this->logger->log(this->logger, CONTROL|MORE, "Going to create transform objects for proposal");
628
629 this->logger->log(this->logger, CONTROL|MORE, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,proposal->encryption_algorithm),proposal->encryption_algorithm_key_length);
630 this->logger->log(this->logger, CONTROL|MORE, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,proposal->integrity_algorithm),proposal->integrity_algorithm_key_length);
631 this->logger->log(this->logger, CONTROL|MORE, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,proposal->pseudo_random_function),proposal->pseudo_random_function_key_length);
632
633 if (this->prf != NULL)
634 {
635 this->prf->destroy(this->prf);
636 }
637 this->prf = prf_create(proposal->pseudo_random_function);
638 if (this->prf == NULL)
639 {
640 this->logger->log(this->logger, ERROR|MORE, "prf not supported!");
641 return FAILED;
642 }
643
644 if (this->crypter_initiator != NULL)
645 {
646 this->crypter_initiator->destroy(this->crypter_initiator);
647 }
648 this->crypter_initiator = crypter_create(proposal->encryption_algorithm,proposal->encryption_algorithm_key_length);
649 if (this->crypter_initiator == NULL)
650 {
651 this->logger->log(this->logger, ERROR|MORE, "encryption algorithm %s not supported!",
652 mapping_find(encryption_algorithm_m,proposal->encryption_algorithm));
653 return FAILED;
654 }
655
656 if (this->crypter_responder != NULL)
657 {
658 this->crypter_responder->destroy(this->crypter_responder);
659 }
660 this->crypter_responder = crypter_create(proposal->encryption_algorithm,proposal->encryption_algorithm_key_length);
661 /* check must not be done again */
662
663 if (this->signer_initiator != NULL)
664 {
665 this->signer_initiator->destroy(this->signer_initiator);
666 }
667 this->signer_initiator = signer_create(proposal->integrity_algorithm);
668 if (this->signer_initiator == NULL)
669 {
670 this->logger->log(this->logger, ERROR|MORE, "integrity algorithm not supported!");
671 return FAILED;
672 }
673
674 if (this->signer_responder != NULL)
675 {
676 this->signer_responder->destroy(this->signer_responder);
677 }
678 this->signer_responder = signer_create(proposal->integrity_algorithm);
679
680 return SUCCESS;
681 }
682
683 /**
684 * Implementation of protected_ike_sa_t.get_randomizer.
685 */
686 static randomizer_t *get_randomizer (private_ike_sa_t *this)
687 {
688 return this->randomizer;
689 }
690
691 /**
692 * Implementation of protected_ike_sa_t.get_crypter_initiator.
693 */
694 static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
695 {
696 return this->crypter_initiator;
697 }
698
699 /**
700 * Implementation of protected_ike_sa_t.get_signer_initiator.
701 */
702 static signer_t *get_signer_initiator (private_ike_sa_t *this)
703 {
704 return this->signer_initiator;
705 }
706
707 /**
708 * Implementation of protected_ike_sa_t.get_crypter_responder.
709 */
710 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
711 {
712 return this->crypter_responder;
713 }
714
715 /**
716 * Implementation of protected_ike_sa_t.get_signer_responder.
717 */
718 static signer_t *get_signer_responder (private_ike_sa_t *this)
719 {
720 return this->signer_responder;
721 }
722
723 /**
724 * Implementation of protected_ike_sa_t.send_request.
725 */
726 static status_t send_request (private_ike_sa_t *this,message_t * message)
727 {
728 retransmit_request_job_t *retransmit_job;
729 u_int32_t timeout;
730 packet_t *packet;
731 status_t status;
732
733 if (message->get_message_id(message) != this->message_id_out)
734 {
735 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
736 message->get_message_id(message),this->message_id_out);
737 return FAILED;
738 }
739
740 /* generate packet */
741 this->logger->log(this->logger, CONTROL|MOST, "Generate packet from message");
742
743 status = message->generate(message, this->crypter_initiator,this->signer_initiator, &packet);
744 if (status != SUCCESS)
745 {
746 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
747 return FAILED;
748 }
749
750 this->logger->log(this->logger, CONTROL|MOST, "Add packet to global send queue");
751 charon->send_queue->add(charon->send_queue, packet);
752
753 if (this->last_requested_message != NULL)
754 {
755 /* destroy message */
756 this->last_requested_message->destroy(this->last_requested_message);
757 }
758
759 this->logger->log(this->logger, CONTROL|MOST, "replace last requested message with new one");
760 this->last_requested_message = message;
761
762 retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
763
764 status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,retransmit_job->get_retransmit_count(retransmit_job),&timeout);
765
766 if (status != SUCCESS)
767 {
768 this->logger->log(this->logger, CONTROL|MOST, "No retransmit job for message created!");
769 retransmit_job->destroy(retransmit_job);
770 }
771 else
772 {
773 this->logger->log(this->logger, CONTROL|MOST, "Request will be retransmitted in %d ms.",timeout);
774 charon->event_queue->add_relative(charon->event_queue,(job_t *) retransmit_job,timeout);
775 }
776
777 /* message counter can now be increased */
778 this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for outgoing messages from %d",this->message_id_out);
779 this->message_id_out++;
780 return SUCCESS;
781 }
782
783 /**
784 * Implementation of protected_ike_sa_t.send_response.
785 */
786 static status_t send_response (private_ike_sa_t *this,message_t * message)
787 {
788 packet_t *packet;
789 status_t status;
790
791 if (message->get_message_id(message) != this->message_id_in)
792 {
793 this->logger->log(this->logger, CONTROL|MOST, "Message could not be sent cause id was not as expected");
794 return FAILED;
795 }
796
797 status = message->generate(message, this->crypter_responder,this->signer_responder, &packet);
798 if (status != SUCCESS)
799 {
800 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
801 return FAILED;
802 }
803
804 this->logger->log(this->logger, CONTROL|MOST, "Add packet to global send queue");
805 charon->send_queue->add(charon->send_queue, packet);
806
807 if (this->last_responded_message != NULL)
808 {
809 /* destroy message */
810 this->last_responded_message->destroy(this->last_responded_message);
811 }
812
813 this->logger->log(this->logger, CONTROL|MOST, "replace last responded message with new one");
814 this->last_responded_message = message;
815
816 /* message counter can now be increased */
817 this->logger->log(this->logger, CONTROL|MOST, "Increase message counter for incoming messages");
818 this->message_id_in++;
819
820 return SUCCESS;
821 }
822
823 /**
824 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
825 */
826 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
827 {
828 this->last_replied_message_id = message_id;
829 }
830
831 /**
832 * Implementation of protected_ike_sa_t.get_last_responded_message.
833 */
834 static message_t * get_last_responded_message (private_ike_sa_t *this)
835 {
836 return this->last_responded_message;
837 }
838
839 /**
840 * Implementation of protected_ike_sa_t.get_last_requested_message.
841 */
842 static message_t * get_last_requested_message (private_ike_sa_t *this)
843 {
844 return this->last_requested_message;
845 }
846
847 static ike_sa_state_t get_state (private_ike_sa_t *this)
848 {
849 return this->current_state->get_state(this->current_state);
850 }
851
852 /**
853 * Implementation of protected_ike_sa_t.reset_message_buffers.
854 */
855 static void reset_message_buffers (private_ike_sa_t *this)
856 {
857 this->logger->log(this->logger, CONTROL|MOST, "Reset message counters and destroy stored messages");
858 /* destroy stored requested message */
859 if (this->last_requested_message != NULL)
860 {
861 this->last_requested_message->destroy(this->last_requested_message);
862 this->last_requested_message = NULL;
863 }
864
865 /* destroy stored responded messages */
866 if (this->last_responded_message != NULL)
867 {
868 this->last_responded_message->destroy(this->last_responded_message);
869 this->last_responded_message = NULL;
870 }
871
872 this->message_id_out = 0;
873 this->message_id_in = 0;
874 this->last_replied_message_id = -1;
875 }
876
877 static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32_t timeout)
878 {
879 job_t *delete_job;
880
881 this->logger->log(this->logger, CONTROL | MORE, "Going to create job to delete established IKE_SA in %d ms", timeout);
882
883 delete_job = (job_t *) delete_established_ike_sa_job_create(this->ike_sa_id);
884 charon->event_queue->add_relative(charon->event_queue,delete_job, timeout);
885 }
886
887 /**
888 * Implementation of protected_ike_sa_t.destroy.
889 */
890 static void destroy (private_ike_sa_t *this)
891 {
892 this->logger->log(this->logger, CONTROL|MOST, "Going to destroy IKE SA %llu:%llu, role %s",
893 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
894 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
895 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
896
897 /* destroy child sa's */
898 this->logger->log(this->logger, CONTROL | MOST, "Destroy all child_sa's");
899 while (this->child_sas->get_count(this->child_sas) > 0)
900 {
901 void *child_sa;
902 if (this->child_sas->remove_first(this->child_sas, &child_sa) != SUCCESS)
903 {
904 break;
905 }
906 /* destroy child sa */
907 }
908 this->child_sas->destroy(this->child_sas);
909
910 this->logger->log(this->logger, CONTROL | MOST, "Destroy secrets");
911 allocator_free(this->secrets.d_key.ptr);
912 allocator_free(this->secrets.pi_key.ptr);
913 allocator_free(this->secrets.pr_key.ptr);
914
915 if (this->crypter_initiator != NULL)
916 {
917 this->logger->log(this->logger, CONTROL | MOST, "Destroy initiator crypter_t object");
918 this->crypter_initiator->destroy(this->crypter_initiator);
919 }
920
921 if (this->crypter_responder != NULL)
922 {
923 this->logger->log(this->logger, CONTROL | MOST, "Destroy responder crypter_t object");
924 this->crypter_responder->destroy(this->crypter_responder);
925 }
926
927 if (this->signer_initiator != NULL)
928 {
929 this->logger->log(this->logger, CONTROL | MOST, "Destroy initiator signer_t object");
930 this->signer_initiator->destroy(this->signer_initiator);
931 }
932
933 if (this->signer_responder != NULL)
934 {
935 this->logger->log(this->logger, CONTROL | MOST, "Destroy responder signer_t object");
936 this->signer_responder->destroy(this->signer_responder);
937 }
938
939 if (this->prf != NULL)
940 {
941 this->logger->log(this->logger, CONTROL | MOST, "Destroy prf_t object");
942 this->prf->destroy(this->prf);
943 }
944
945 /* destroy ike_sa_id */
946 this->logger->log(this->logger, CONTROL | MOST, "Destroy ike_sa_id object");
947 this->ike_sa_id->destroy(this->ike_sa_id);
948
949 /* destroy stored requested message */
950 if (this->last_requested_message != NULL)
951 {
952 this->logger->log(this->logger, CONTROL | MOST, "Destroy last requested message");
953 this->last_requested_message->destroy(this->last_requested_message);
954 }
955
956 /* destroy stored responded messages */
957 if (this->last_responded_message != NULL)
958 {
959 this->logger->log(this->logger, CONTROL | MOST, "Destroy last responded message");
960 this->last_responded_message->destroy(this->last_responded_message);
961 }
962
963 /* destroy stored host_t objects */
964 if (this->me.host != NULL)
965 {
966 this->logger->log(this->logger, CONTROL | MOST, "Destroy my host_t object");
967 this->me.host->destroy(this->me.host);
968 }
969
970 /* destroy stored host_t objects */
971 if (this->other.host != NULL)
972 {
973 this->logger->log(this->logger, CONTROL | MOST, "Destroy other host_t object");
974 this->other.host->destroy(this->other.host);
975 }
976
977 this->randomizer->destroy(this->randomizer);
978
979 this->logger->log(this->logger, CONTROL | MOST, "Destroy current state object");
980 this->current_state->destroy(this->current_state);
981
982 this->logger->log(this->logger, CONTROL | MOST, "Destroy logger of IKE_SA");
983 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
984
985 allocator_free(this);
986 }
987
988 /*
989 * Described in Header
990 */
991 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
992 {
993 private_ike_sa_t *this = allocator_alloc_thing(private_ike_sa_t);
994
995 /* Public functions */
996 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
997 this->protected.public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
998 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
999 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1000 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1001 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1002
1003 /* protected functions */
1004 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
1005 this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
1006 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1007 this->protected.get_key_pr = (chunk_t (*) (protected_ike_sa_t *)) get_key_pr;
1008 this->protected.get_key_pi = (chunk_t (*) (protected_ike_sa_t *)) get_key_pi;
1009 this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
1010 this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
1011 this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
1012 this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config;
1013 this->protected.get_sa_config = (sa_config_t *(*) (protected_ike_sa_t *)) get_sa_config;
1014 this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host;
1015 this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host;
1016 this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host;
1017 this->protected.set_other_host = (void(*) (protected_ike_sa_t *, host_t *)) set_other_host;
1018 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1019 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1020 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1021 this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,ike_proposal_t *)) create_transforms_from_proposal;
1022 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1023 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1024 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1025 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1026 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1027 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1028 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_responded_message;
1029 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_requested_message;
1030 this->protected.create_delete_established_ike_sa_job = (void (*) (protected_ike_sa_t *this,u_int32_t)) create_delete_established_ike_sa_job;
1031
1032 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1033
1034 /* private functions */
1035 this->resend_last_reply = resend_last_reply;
1036
1037 /* initialize private fields */
1038 this->logger = charon->logger_manager->create_logger(charon->logger_manager, IKE_SA, NULL);
1039
1040 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1041 this->child_sas = linked_list_create();
1042 this->randomizer = randomizer_create();
1043
1044 this->me.host = NULL;
1045 this->other.host = NULL;
1046 this->last_requested_message = NULL;
1047 this->last_responded_message = NULL;
1048 this->message_id_out = 0;
1049 this->message_id_in = 0;
1050 this->last_replied_message_id = -1;
1051 this->secrets.d_key = CHUNK_INITIALIZER;
1052 this->secrets.pi_key = CHUNK_INITIALIZER;
1053 this->secrets.pr_key = CHUNK_INITIALIZER;
1054 this->crypter_initiator = NULL;
1055 this->crypter_responder = NULL;
1056 this->signer_initiator = NULL;
1057 this->signer_responder = NULL;
1058 this->prf = NULL;
1059 this->init_config = NULL;
1060 this->sa_config = NULL;
1061
1062 /* at creation time, IKE_SA is in a initiator state */
1063 if (ike_sa_id->is_initiator(ike_sa_id))
1064 {
1065 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1066 }
1067 else
1068 {
1069 this->current_state = (state_t *) responder_init_create(&(this->protected));
1070 }
1071 return &(this->protected.public);
1072 }