- code cleaned up
[strongswan.git] / Source / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_sa.h"
24
25 #include <types.h>
26 #include <daemon.h>
27 #include <definitions.h>
28 #include <utils/allocator.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <transforms/diffie_hellman.h>
33 #include <transforms/prf_plus.h>
34 #include <transforms/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/transform_substructure.h>
39 #include <encoding/payloads/transform_attribute.h>
40 #include <sa/states/initiator_init.h>
41 #include <sa/states/responder_init.h>
42 #include <queues/jobs/retransmit_request_job.h>
43 #include <queues/jobs/delete_established_ike_sa_job.h>
44
45
46
47
48 typedef struct private_ike_sa_t private_ike_sa_t;
49
50 /**
51 * Private data of an ike_sa_t object.
52 */
53 struct private_ike_sa_t {
54
55 /**
56 * Protected part of a ike_sa_t object.
57 */
58 protected_ike_sa_t protected;
59
60 /**
61 * Resends the last sent reply.
62 *
63 * @param this calling object
64 */
65 status_t (*resend_last_reply) (private_ike_sa_t *this);
66
67 /* private values */
68
69 /**
70 * Identifier for the current IKE_SA.
71 */
72 ike_sa_id_t *ike_sa_id;
73
74 /**
75 * Linked List containing the child sa's of the current IKE_SA.
76 */
77 linked_list_t *child_sas;
78
79 /**
80 * Current state of the IKE_SA represented as state_t object.
81 *
82 * A state object representates one of the following states and is processing
83 * messages in the specific state:
84 * - INITIATOR_INIT
85 * - RESPONDER_INIT
86 * - IKE_SA_INIT_REQUESTED
87 * - IKE_SA_INIT_RESPONDED
88 * - IKE_AUTH_REQUESTED
89 * -IKE_SA_ESTABLISHED
90 */
91 state_t *current_state;
92
93 /**
94 * INIT configuration, needed for the IKE_SA_INIT exchange.
95 *
96 * Gets set in states:
97 * - INITATOR_INIT
98 * - RESPONDER_INIT
99 *
100 * Available in states:
101 * - IKE_SA_INIT_REQUESTED
102 * - IKE_SA_INIT_RESPONDED
103 * - IKE_AUTH_REQUESTED
104 * -IKE_SA_ESTABLISHED
105 */
106 init_config_t *init_config;
107
108 /**
109 * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
110 *
111 * Gets set in states:
112 * - IKE_SA_INIT_REQUESTED
113 * - IKE_SA_INIT_RESPONDED
114 *
115 * Available in states:
116 * - IKE_AUTH_REQUESTED
117 * -IKE_SA_ESTABLISHED
118 */
119 sa_config_t *sa_config;
120
121 /**
122 * This SA's source for random data.
123 *
124 * Is available in every state.
125 */
126 randomizer_t *randomizer;
127
128 /**
129 * The last responded message.
130 */
131 message_t *last_responded_message;
132
133 /**
134 * The ast requested message.
135 */
136 message_t *last_requested_message;
137
138 /**
139 * Informations of this host.
140 */
141 struct {
142 host_t *host;
143 } me;
144
145 /**
146 * Informations of the other host.
147 */
148 struct {
149 host_t *host;
150 } other;
151
152 /**
153 * Crypter object for initiator.
154 *
155 * Gets set in states:
156 * - IKE_SA_INIT_REQUESTED
157 * - RESPONDER_INIT
158 *
159 * Available in states:
160 * - IKE_SA_INIT_RESPONDED
161 * - IKE_AUTH_REQUESTED
162 * -IKE_SA_ESTABLISHED
163 */
164 crypter_t *crypter_initiator;
165
166 /**
167 * Crypter object for responder.
168 *
169 * Gets set in states:
170 * - IKE_SA_INIT_REQUESTED
171 * - RESPONDER_INIT
172 *
173 * Available in states:
174 * - IKE_SA_INIT_RESPONDED
175 * - IKE_AUTH_REQUESTED
176 * -IKE_SA_ESTABLISHED
177 */
178 crypter_t *crypter_responder;
179
180 /**
181 * Signer object for initiator.
182 *
183 * Gets set in states:
184 * - IKE_SA_INIT_REQUESTED
185 * - RESPONDER_INIT
186 *
187 * Available in states:
188 * - IKE_SA_INIT_RESPONDED
189 * - IKE_AUTH_REQUESTED
190 * -IKE_SA_ESTABLISHED
191 */
192 signer_t *signer_initiator;
193
194 /**
195 * Signer object for responder.
196 *
197 * Gets set in states:
198 * - IKE_SA_INIT_REQUESTED
199 * - RESPONDER_INIT
200 *
201 * Available in states:
202 * - IKE_SA_INIT_RESPONDED
203 * - IKE_AUTH_REQUESTED
204 * -IKE_SA_ESTABLISHED
205 */
206 signer_t *signer_responder;
207
208 /**
209 * Prf function.
210 *
211 * Gets set in states:
212 * - IKE_SA_INIT_REQUESTED
213 * - RESPONDER_INIT
214 *
215 * Available in states:
216 * - IKE_SA_INIT_RESPONDED
217 * - IKE_AUTH_REQUESTED
218 * -IKE_SA_ESTABLISHED
219 */
220 prf_t *prf;
221
222 /**
223 * Shared secrets which have to be stored.
224 *
225 * Are getting set in states:
226 * - IKE_SA_INIT_REQUESTED
227 * - RESPONDER_INIT
228 *
229 * Available in states:
230 * - IKE_SA_INIT_RESPONDED
231 * - IKE_AUTH_REQUESTED
232 * -IKE_SA_ESTABLISHED
233 */
234 struct {
235 /**
236 * Key used for deriving other keys
237 */
238 chunk_t d_key;
239
240 /**
241 * Key for generating auth payload (initiator)
242 */
243 chunk_t pi_key;
244
245 /**
246 * Key for generating auth payload (responder)
247 */
248 chunk_t pr_key;
249
250 } secrets;
251
252 /**
253 * Next message id to receive.
254 */
255 u_int32_t message_id_in;
256
257 /**
258 * Next message id to send.
259 */
260 u_int32_t message_id_out;
261
262 /**
263 * Last reply id which was successfully received.
264 */
265 int32_t last_replied_message_id;
266
267 /**
268 * A logger for this IKE_SA.
269 */
270 logger_t *logger;
271 };
272
273 /**
274 * Implementation of ike_sa_t.process_message.
275 */
276 static status_t process_message (private_ike_sa_t *this, message_t *message)
277 {
278 u_int32_t message_id;
279 exchange_type_t exchange_type;
280 bool is_request;
281
282 /* We must process each request or response from remote host */
283
284 /* Find out type of message (request or response) */
285 is_request = message->get_request(message);
286 exchange_type = message->get_exchange_type(message);
287
288 this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",(is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
289
290 message_id = message->get_message_id(message);
291
292 /*
293 * It has to be checked, if the message has to be resent cause of lost packets!
294 */
295 if (is_request && (message_id == (this->message_id_in - 1)))
296 {
297 /* Message can be resent ! */
298 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
299 return (this->resend_last_reply(this));
300 }
301
302 /* Now, the message id is checked for request AND reply */
303 if (is_request)
304 {
305 /* In a request, the message has to be this->message_id_in (other case is already handled) */
306 if (message_id != this->message_id_in)
307 {
308 this->logger->log(this->logger, ERROR | LEVEL1, "Message request with message id %d received, but %d expected",message_id,this->message_id_in);
309 return FAILED;
310 }
311 }
312 else
313 {
314 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
315 if (message_id != (this->message_id_out - 1))
316 {
317 this->logger->log(this->logger, ERROR | LEVEL1, "Message reply with message id %d received, but %d expected",message_id,this->message_id_in);
318 return FAILED;
319 }
320 }
321
322 /* now the message is processed by the current state object.
323 * The specific state object is responsible to check if a message can be received in
324 * the state it represents.
325 * The current state is also responsible to change the state object to the next state
326 * by calling protected_ike_sa_t.set_new_state*/
327 return this->current_state->process_message(this->current_state,message);
328 }
329
330 /**
331 * Implementation of protected_ike_sa_t.build_message.
332 */
333 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
334 {
335 message_t *new_message;
336
337 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
338 new_message = message_create();
339 new_message->set_source(new_message, this->me.host->clone(this->me.host));
340 new_message->set_destination(new_message, this->other.host->clone(this->other.host));
341 new_message->set_exchange_type(new_message, type);
342 new_message->set_request(new_message, request);
343 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
344 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
345
346 *message = new_message;
347 }
348
349 /**
350 * Implementation of protected_ike_sa_t.process_configuration.
351 */
352 static status_t initialize_connection(private_ike_sa_t *this, char *name)
353 {
354 initiator_init_t *current_state;
355 status_t status;
356
357 /* Work is done in state object of type INITIATOR_INIT. All other states are not
358 * initial states and so don't have a initialize_connection function */
359
360 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
361 {
362 return FAILED;
363 }
364
365 current_state = (initiator_init_t *) this->current_state;
366
367 status = current_state->initiate_connection(current_state,name);
368 return status;
369 }
370
371 /**
372 * Implementation of protected_ike_sa_t.get_id.
373 */
374 static ike_sa_id_t* get_id(private_ike_sa_t *this)
375 {
376 return this->ike_sa_id;
377 }
378
379 /**
380 * Implementation of protected_ike_sa_t.compute_secrets.
381 */
382 static void compute_secrets(private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce)
383 {
384 u_int8_t ei_buffer[this->crypter_initiator->get_block_size(this->crypter_initiator)];
385 chunk_t ei_key = {ptr: ei_buffer, len: sizeof(ei_buffer)};
386 u_int8_t er_buffer[this->crypter_responder->get_block_size(this->crypter_responder)];
387 chunk_t er_key = {ptr: er_buffer, len: sizeof(er_buffer)};
388 u_int8_t ai_buffer[this->signer_initiator->get_key_size(this->signer_initiator)];
389 chunk_t ai_key = {ptr: ai_buffer, len: sizeof(ai_buffer)};
390 u_int8_t ar_buffer[this->signer_responder->get_key_size(this->signer_responder)];
391 chunk_t ar_key = {ptr: ar_buffer, len: sizeof(ar_buffer)};
392 u_int8_t concatenated_nonces_buffer[initiator_nonce.len + responder_nonce.len];
393 chunk_t concatenated_nonces = {ptr: concatenated_nonces_buffer, len : sizeof(concatenated_nonces_buffer)};
394 u_int8_t skeyseed_buffer[this->prf->get_block_size(this->prf)];
395 chunk_t skeyseed = {ptr: skeyseed_buffer, len: sizeof(skeyseed_buffer)};
396 u_int64_t initiator_spi;
397 u_int64_t responder_spi;
398 chunk_t prf_plus_seed;
399 prf_plus_t *prf_plus;
400
401 /* first is initiator */
402 memcpy(concatenated_nonces.ptr,initiator_nonce.ptr,initiator_nonce.len);
403 /* second is responder */
404 memcpy(concatenated_nonces.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
405
406 this->logger->log_chunk(this->logger, RAW | LEVEL2, "Nonce data", &concatenated_nonces);
407
408 /* Status of set_key is not checked */
409 this->prf->set_key(this->prf,concatenated_nonces);
410
411 this->prf->get_bytes(this->prf,dh_shared_secret,skeyseed_buffer);
412
413 prf_plus_seed.len = (initiator_nonce.len + responder_nonce.len + 16);
414 prf_plus_seed.ptr = allocator_alloc(prf_plus_seed.len);
415
416 /* first is initiator */
417 memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len);
418 /* second is responder */
419 memcpy(prf_plus_seed.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
420 /* third is initiator spi */
421 initiator_spi = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
422 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len,&initiator_spi,8);
423 /* fourth is responder spi */
424 responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
425 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8);
426
427 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "Keyseed", &skeyseed);
428 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "PRF+ Seed", &prf_plus_seed);
429
430 this->logger->log(this->logger, CONTROL | LEVEL2, "Set new key of prf object");
431 this->prf->set_key(this->prf,skeyseed);
432
433 this->logger->log(this->logger, CONTROL | LEVEL2, "Create new prf+ object");
434 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
435 allocator_free_chunk(&prf_plus_seed);
436
437
438 prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key));
439 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key));
440
441 prf_plus->get_bytes(prf_plus,ai_key.len,ai_buffer);
442 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(ai_key));
443 this->signer_initiator->set_key(this->signer_initiator,ai_key);
444
445 prf_plus->get_bytes(prf_plus,ar_key.len,ar_buffer);
446 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(ar_key));
447 this->signer_responder->set_key(this->signer_responder,ar_key);
448
449 prf_plus->get_bytes(prf_plus,ei_key.len,ei_buffer);
450 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(ei_key));
451 this->crypter_initiator->set_key(this->crypter_initiator,ei_key);
452
453 prf_plus->get_bytes(prf_plus,er_key.len,er_buffer);
454 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(er_key));
455 this->crypter_responder->set_key(this->crypter_responder,er_key);
456
457 prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pi_key));
458 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
459
460 prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pr_key));
461 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
462
463 prf_plus->destroy(prf_plus);
464 }
465
466 /**
467 * Implementation of private_ike_sa_t.resend_last_reply.
468 */
469 static status_t resend_last_reply(private_ike_sa_t *this)
470 {
471 packet_t *packet;
472
473 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit last reply");
474 packet = this->last_responded_message->get_packet(this->last_responded_message);
475 charon->send_queue->add(charon->send_queue, packet);
476
477 return SUCCESS;
478 }
479
480 /**
481 * Implementation of ike_sa_t.retransmit_request.
482 */
483 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
484 {
485 packet_t *packet;
486
487 if (this->last_requested_message == NULL)
488 {
489 return NOT_FOUND;
490 }
491
492 if (message_id == this->last_replied_message_id)
493 {
494 return NOT_FOUND;
495 }
496
497 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
498 {
499 return NOT_FOUND;
500 }
501
502 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
503 packet = this->last_requested_message->get_packet(this->last_requested_message);
504 charon->send_queue->add(charon->send_queue, packet);
505
506 return SUCCESS;
507 }
508
509 /**
510 * Implementation of protected_ike_sa_t.set_new_state.
511 */
512 static void set_new_state (private_ike_sa_t *this, state_t *state)
513 {
514 this->logger->log(this->logger, CONTROL, "Change current state %s to %s",
515 mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
516 mapping_find(ike_sa_state_m,state->get_state(state)));
517 this->current_state = state;
518 }
519
520 /**
521 * Implementation of protected_ike_sa_t.get_logger.
522 */
523 static logger_t *get_logger (private_ike_sa_t *this)
524 {
525 return this->logger;
526 }
527
528 /**
529 * Implementation of protected_ike_sa_t.get_my_host.
530 */
531 static host_t *get_my_host (private_ike_sa_t *this)
532 {
533 return this->me.host;
534 }
535
536 /**
537 * Implementation of protected_ike_sa_t.get_other_host.
538 */
539 static host_t *get_other_host (private_ike_sa_t *this)
540 {
541 return this->other.host;
542 }
543
544 /**
545 * Implementation of protected_ike_sa_t.get_init_config.
546 */
547 static init_config_t *get_init_config (private_ike_sa_t *this)
548 {
549 return this->init_config;
550 }
551
552 /**
553 * Implementation of protected_ike_sa_t.set_init_config.
554 */
555 static void set_init_config (private_ike_sa_t *this,init_config_t * init_config)
556 {
557 this->init_config = init_config;
558 }
559
560 /**
561 * Implementation of protected_ike_sa_t.get_sa_config.
562 */
563 static sa_config_t *get_sa_config (private_ike_sa_t *this)
564 {
565 return this->sa_config;
566 }
567
568 /**
569 * Implementation of protected_ike_sa_t.set_sa_config.
570 */
571 static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config)
572 {
573 this->sa_config = sa_config;
574 }
575
576 /**
577 * Implementation of protected_ike_sa_t.set_my_host.
578 */
579 static void set_my_host (private_ike_sa_t *this, host_t *my_host)
580 {
581 this->me.host = my_host;
582 }
583
584 /**
585 * Implementation of protected_ike_sa_t.set_other_host.
586 */
587 static void set_other_host (private_ike_sa_t *this, host_t *other_host)
588 {
589 this->other.host = other_host;
590 }
591
592 /**
593 * Implementation of protected_ike_sa_t.get_prf.
594 */
595 static prf_t *get_prf (private_ike_sa_t *this)
596 {
597 return this->prf;
598 }
599
600 /**
601 * Implementation of protected_ike_sa_t.get_key_pr.
602 */
603 static chunk_t get_key_pr (private_ike_sa_t *this)
604 {
605 return this->secrets.pr_key;
606 }
607
608
609 /**
610 * Implementation of protected_ike_sa_t.get_key_pi.
611 */
612 static chunk_t get_key_pi (private_ike_sa_t *this)
613 {
614 return this->secrets.pi_key;
615 }
616
617 /**
618 * Implementation of protected_ike_sa_t.set_prf.
619 */
620 static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal)
621 {
622 this->logger->log(this->logger, CONTROL|LEVEL1, "Going to create transform objects for proposal");
623
624 this->logger->log(this->logger, CONTROL|LEVEL1, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,proposal->encryption_algorithm),proposal->encryption_algorithm_key_length);
625 this->logger->log(this->logger, CONTROL|LEVEL1, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,proposal->integrity_algorithm),proposal->integrity_algorithm_key_length);
626 this->logger->log(this->logger, CONTROL|LEVEL1, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,proposal->pseudo_random_function),proposal->pseudo_random_function_key_length);
627
628 if (this->prf != NULL)
629 {
630 this->prf->destroy(this->prf);
631 }
632 this->prf = prf_create(proposal->pseudo_random_function);
633 if (this->prf == NULL)
634 {
635 this->logger->log(this->logger, ERROR|LEVEL1, "prf not supported!");
636 return FAILED;
637 }
638
639 if (this->crypter_initiator != NULL)
640 {
641 this->crypter_initiator->destroy(this->crypter_initiator);
642 }
643 this->crypter_initiator = crypter_create(proposal->encryption_algorithm,proposal->encryption_algorithm_key_length);
644 if (this->crypter_initiator == NULL)
645 {
646 this->logger->log(this->logger, ERROR|LEVEL1, "encryption algorithm %s not supported!",
647 mapping_find(encryption_algorithm_m,proposal->encryption_algorithm));
648 return FAILED;
649 }
650
651 if (this->crypter_responder != NULL)
652 {
653 this->crypter_responder->destroy(this->crypter_responder);
654 }
655 this->crypter_responder = crypter_create(proposal->encryption_algorithm,proposal->encryption_algorithm_key_length);
656 /* check must not be done again */
657
658 if (this->signer_initiator != NULL)
659 {
660 this->signer_initiator->destroy(this->signer_initiator);
661 }
662 this->signer_initiator = signer_create(proposal->integrity_algorithm);
663 if (this->signer_initiator == NULL)
664 {
665 this->logger->log(this->logger, ERROR|LEVEL1, "integrity algorithm not supported!");
666 return FAILED;
667 }
668
669 if (this->signer_responder != NULL)
670 {
671 this->signer_responder->destroy(this->signer_responder);
672 }
673 this->signer_responder = signer_create(proposal->integrity_algorithm);
674
675 return SUCCESS;
676 }
677
678 /**
679 * Implementation of protected_ike_sa_t.get_randomizer.
680 */
681 static randomizer_t *get_randomizer (private_ike_sa_t *this)
682 {
683 return this->randomizer;
684 }
685
686 /**
687 * Implementation of protected_ike_sa_t.get_crypter_initiator.
688 */
689 static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
690 {
691 return this->crypter_initiator;
692 }
693
694 /**
695 * Implementation of protected_ike_sa_t.get_signer_initiator.
696 */
697 static signer_t *get_signer_initiator (private_ike_sa_t *this)
698 {
699 return this->signer_initiator;
700 }
701
702 /**
703 * Implementation of protected_ike_sa_t.get_crypter_responder.
704 */
705 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
706 {
707 return this->crypter_responder;
708 }
709
710 /**
711 * Implementation of protected_ike_sa_t.get_signer_responder.
712 */
713 static signer_t *get_signer_responder (private_ike_sa_t *this)
714 {
715 return this->signer_responder;
716 }
717
718 /**
719 * Implementation of protected_ike_sa_t.send_request.
720 */
721 static status_t send_request (private_ike_sa_t *this,message_t * message)
722 {
723 retransmit_request_job_t *retransmit_job;
724 u_int32_t timeout;
725 packet_t *packet;
726 status_t status;
727
728 if (message->get_message_id(message) != this->message_id_out)
729 {
730 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
731 message->get_message_id(message),this->message_id_out);
732 return FAILED;
733 }
734
735 /* generate packet */
736 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
737
738 status = message->generate(message, this->crypter_initiator,this->signer_initiator, &packet);
739 if (status != SUCCESS)
740 {
741 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
742 return FAILED;
743 }
744
745 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
746 charon->send_queue->add(charon->send_queue, packet);
747
748 if (this->last_requested_message != NULL)
749 {
750 /* destroy message */
751 this->last_requested_message->destroy(this->last_requested_message);
752 }
753
754 this->logger->log(this->logger, CONTROL|LEVEL2, "replace last requested message with new one");
755 this->last_requested_message = message;
756
757 retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
758
759 status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,retransmit_job->get_retransmit_count(retransmit_job),&timeout);
760
761 if (status != SUCCESS)
762 {
763 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
764 retransmit_job->destroy(retransmit_job);
765 }
766 else
767 {
768 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.",timeout);
769 charon->event_queue->add_relative(charon->event_queue,(job_t *) retransmit_job,timeout);
770 }
771
772 /* message counter can now be increased */
773 this->logger->log(this->logger, CONTROL|LEVEL2, "Increase message counter for outgoing messages from %d",this->message_id_out);
774 this->message_id_out++;
775 return SUCCESS;
776 }
777
778 /**
779 * Implementation of protected_ike_sa_t.send_response.
780 */
781 static status_t send_response (private_ike_sa_t *this,message_t * message)
782 {
783 packet_t *packet;
784 status_t status;
785
786 if (message->get_message_id(message) != this->message_id_in)
787 {
788 this->logger->log(this->logger, CONTROL|LEVEL2, "Message could not be sent cause id was not as expected");
789 return FAILED;
790 }
791
792 status = message->generate(message, this->crypter_responder,this->signer_responder, &packet);
793 if (status != SUCCESS)
794 {
795 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
796 return FAILED;
797 }
798
799 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
800 charon->send_queue->add(charon->send_queue, packet);
801
802 if (this->last_responded_message != NULL)
803 {
804 /* destroy message */
805 this->last_responded_message->destroy(this->last_responded_message);
806 }
807
808 this->logger->log(this->logger, CONTROL|LEVEL2, "replace last responded message with new one");
809 this->last_responded_message = message;
810
811 /* message counter can now be increased */
812 this->logger->log(this->logger, CONTROL|LEVEL2, "Increase message counter for incoming messages");
813 this->message_id_in++;
814
815 return SUCCESS;
816 }
817
818 /**
819 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
820 */
821 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
822 {
823 this->last_replied_message_id = message_id;
824 }
825
826 /**
827 * Implementation of protected_ike_sa_t.get_last_responded_message.
828 */
829 static message_t * get_last_responded_message (private_ike_sa_t *this)
830 {
831 return this->last_responded_message;
832 }
833
834 /**
835 * Implementation of protected_ike_sa_t.get_last_requested_message.
836 */
837 static message_t * get_last_requested_message (private_ike_sa_t *this)
838 {
839 return this->last_requested_message;
840 }
841
842 static ike_sa_state_t get_state (private_ike_sa_t *this)
843 {
844 return this->current_state->get_state(this->current_state);
845 }
846
847 /**
848 * Implementation of protected_ike_sa_t.reset_message_buffers.
849 */
850 static void reset_message_buffers (private_ike_sa_t *this)
851 {
852 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
853 /* destroy stored requested message */
854 if (this->last_requested_message != NULL)
855 {
856 this->last_requested_message->destroy(this->last_requested_message);
857 this->last_requested_message = NULL;
858 }
859
860 /* destroy stored responded messages */
861 if (this->last_responded_message != NULL)
862 {
863 this->last_responded_message->destroy(this->last_responded_message);
864 this->last_responded_message = NULL;
865 }
866
867 this->message_id_out = 0;
868 this->message_id_in = 0;
869 this->last_replied_message_id = -1;
870 }
871
872 static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32_t timeout)
873 {
874 job_t *delete_job;
875
876 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to create job to delete established IKE_SA in %d ms", timeout);
877
878 delete_job = (job_t *) delete_established_ike_sa_job_create(this->ike_sa_id);
879 charon->event_queue->add_relative(charon->event_queue,delete_job, timeout);
880 }
881
882 /**
883 * Implementation of protected_ike_sa_t.destroy.
884 */
885 static void destroy (private_ike_sa_t *this)
886 {
887 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
888 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
889 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
890 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
891
892 /* destroy child sa's */
893 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy all child_sa's");
894 while (this->child_sas->get_count(this->child_sas) > 0)
895 {
896 void *child_sa;
897 if (this->child_sas->remove_first(this->child_sas, &child_sa) != SUCCESS)
898 {
899 break;
900 }
901 /* destroy child sa */
902 }
903 this->child_sas->destroy(this->child_sas);
904
905 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy secrets");
906 allocator_free(this->secrets.d_key.ptr);
907 allocator_free(this->secrets.pi_key.ptr);
908 allocator_free(this->secrets.pr_key.ptr);
909
910 if (this->crypter_initiator != NULL)
911 {
912 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy initiator crypter_t object");
913 this->crypter_initiator->destroy(this->crypter_initiator);
914 }
915
916 if (this->crypter_responder != NULL)
917 {
918 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy responder crypter_t object");
919 this->crypter_responder->destroy(this->crypter_responder);
920 }
921
922 if (this->signer_initiator != NULL)
923 {
924 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy initiator signer_t object");
925 this->signer_initiator->destroy(this->signer_initiator);
926 }
927
928 if (this->signer_responder != NULL)
929 {
930 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy responder signer_t object");
931 this->signer_responder->destroy(this->signer_responder);
932 }
933
934 if (this->prf != NULL)
935 {
936 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy prf_t object");
937 this->prf->destroy(this->prf);
938 }
939
940 /* destroy ike_sa_id */
941 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy ike_sa_id object");
942 this->ike_sa_id->destroy(this->ike_sa_id);
943
944 /* destroy stored requested message */
945 if (this->last_requested_message != NULL)
946 {
947 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy last requested message");
948 this->last_requested_message->destroy(this->last_requested_message);
949 }
950
951 /* destroy stored responded messages */
952 if (this->last_responded_message != NULL)
953 {
954 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy last responded message");
955 this->last_responded_message->destroy(this->last_responded_message);
956 }
957
958 /* destroy stored host_t objects */
959 if (this->me.host != NULL)
960 {
961 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy my host_t object");
962 this->me.host->destroy(this->me.host);
963 }
964
965 /* destroy stored host_t objects */
966 if (this->other.host != NULL)
967 {
968 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy other host_t object");
969 this->other.host->destroy(this->other.host);
970 }
971
972 this->randomizer->destroy(this->randomizer);
973
974 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy current state object");
975 this->current_state->destroy(this->current_state);
976
977 this->logger->log(this->logger, CONTROL | LEVEL2, "Destroy logger of IKE_SA");
978 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
979
980 allocator_free(this);
981 }
982
983 /*
984 * Described in Header
985 */
986 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
987 {
988 private_ike_sa_t *this = allocator_alloc_thing(private_ike_sa_t);
989
990 /* Public functions */
991 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
992 this->protected.public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
993 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
994 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
995 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
996 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
997
998 /* protected functions */
999 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
1000 this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
1001 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1002 this->protected.get_key_pr = (chunk_t (*) (protected_ike_sa_t *)) get_key_pr;
1003 this->protected.get_key_pi = (chunk_t (*) (protected_ike_sa_t *)) get_key_pi;
1004 this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
1005 this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
1006 this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
1007 this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config;
1008 this->protected.get_sa_config = (sa_config_t *(*) (protected_ike_sa_t *)) get_sa_config;
1009 this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host;
1010 this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host;
1011 this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host;
1012 this->protected.set_other_host = (void(*) (protected_ike_sa_t *, host_t *)) set_other_host;
1013 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1014 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1015 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1016 this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,ike_proposal_t *)) create_transforms_from_proposal;
1017 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1018 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1019 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1020 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1021 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1022 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1023 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_responded_message;
1024 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_requested_message;
1025 this->protected.create_delete_established_ike_sa_job = (void (*) (protected_ike_sa_t *this,u_int32_t)) create_delete_established_ike_sa_job;
1026
1027 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1028
1029 /* private functions */
1030 this->resend_last_reply = resend_last_reply;
1031
1032 /* initialize private fields */
1033 this->logger = charon->logger_manager->create_logger(charon->logger_manager, IKE_SA, NULL);
1034
1035 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1036 this->child_sas = linked_list_create();
1037 this->randomizer = randomizer_create();
1038
1039 this->me.host = NULL;
1040 this->other.host = NULL;
1041 this->last_requested_message = NULL;
1042 this->last_responded_message = NULL;
1043 this->message_id_out = 0;
1044 this->message_id_in = 0;
1045 this->last_replied_message_id = -1;
1046 this->secrets.d_key = CHUNK_INITIALIZER;
1047 this->secrets.pi_key = CHUNK_INITIALIZER;
1048 this->secrets.pr_key = CHUNK_INITIALIZER;
1049 this->crypter_initiator = NULL;
1050 this->crypter_responder = NULL;
1051 this->signer_initiator = NULL;
1052 this->signer_responder = NULL;
1053 this->prf = NULL;
1054 this->init_config = NULL;
1055 this->sa_config = NULL;
1056
1057 /* at creation time, IKE_SA is in a initiator state */
1058 if (ike_sa_id->is_initiator(ike_sa_id))
1059 {
1060 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1061 }
1062 else
1063 {
1064 this->current_state = (state_t *) responder_init_create(&(this->protected));
1065 }
1066 return &(this->protected.public);
1067 }