- installing of child sa works
[strongswan.git] / Source / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_sa.h"
24
25 #include <types.h>
26 #include <daemon.h>
27 #include <definitions.h>
28 #include <utils/allocator.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <transforms/diffie_hellman.h>
33 #include <transforms/prf_plus.h>
34 #include <transforms/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/delete_payload.h>
39 #include <encoding/payloads/transform_substructure.h>
40 #include <encoding/payloads/transform_attribute.h>
41 #include <sa/states/initiator_init.h>
42 #include <sa/states/responder_init.h>
43 #include <queues/jobs/retransmit_request_job.h>
44 #include <queues/jobs/delete_established_ike_sa_job.h>
45
46
47
48
49 typedef struct private_ike_sa_t private_ike_sa_t;
50
51 /**
52 * Private data of an ike_sa_t object.
53 */
54 struct private_ike_sa_t {
55
56 /**
57 * Protected part of a ike_sa_t object.
58 */
59 protected_ike_sa_t protected;
60
61 /**
62 * Identifier for the current IKE_SA.
63 */
64 ike_sa_id_t *ike_sa_id;
65
66 /**
67 * Linked List containing the child sa's of the current IKE_SA.
68 */
69 linked_list_t *child_sas;
70
71 /**
72 * Current state of the IKE_SA represented as state_t object.
73 *
74 * A state object representates one of the following states and is processing
75 * messages in the specific state:
76 * - INITIATOR_INIT
77 * - RESPONDER_INIT
78 * - IKE_SA_INIT_REQUESTED
79 * - IKE_SA_INIT_RESPONDED
80 * - IKE_AUTH_REQUESTED
81 * -IKE_SA_ESTABLISHED
82 */
83 state_t *current_state;
84
85 /**
86 * INIT configuration, needed for the IKE_SA_INIT exchange.
87 *
88 * Gets set in states:
89 * - INITATOR_INIT
90 * - RESPONDER_INIT
91 *
92 * Available in states:
93 * - IKE_SA_INIT_REQUESTED
94 * - IKE_SA_INIT_RESPONDED
95 * - IKE_AUTH_REQUESTED
96 * -IKE_SA_ESTABLISHED
97 */
98 init_config_t *init_config;
99
100 /**
101 * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
102 *
103 * Gets set in states:
104 * - IKE_SA_INIT_REQUESTED
105 * - IKE_SA_INIT_RESPONDED
106 *
107 * Available in states:
108 * - IKE_AUTH_REQUESTED
109 * -IKE_SA_ESTABLISHED
110 */
111 sa_config_t *sa_config;
112
113 /**
114 * This SA's source for random data.
115 *
116 * Is available in every state.
117 */
118 randomizer_t *randomizer;
119
120 /**
121 * The last responded message.
122 */
123 message_t *last_responded_message;
124
125 /**
126 * The ast requested message.
127 */
128 message_t *last_requested_message;
129
130 /**
131 * Informations of this host.
132 */
133 struct {
134 host_t *host;
135 } me;
136
137 /**
138 * Informations of the other host.
139 */
140 struct {
141 host_t *host;
142 } other;
143
144 /**
145 * Crypter object for initiator.
146 */
147 crypter_t *crypter_initiator;
148
149 /**
150 * Crypter object for responder.
151 */
152 crypter_t *crypter_responder;
153
154 /**
155 * Signer object for initiator.
156 */
157 signer_t *signer_initiator;
158
159 /**
160 * Signer object for responder.
161 */
162 signer_t *signer_responder;
163
164 /**
165 * Multi purpose prf, set key, use it, forget it
166 */
167 prf_t *prf;
168
169 /**
170 * Prf function for derivating keymat child SAs
171 */
172 prf_t *child_prf;
173
174 /**
175 * PRF, with key set to pi_key, used for authentication
176 */
177 prf_t *prf_auth_i;
178
179 /**
180 * PRF, with key set to pr_key, used for authentication
181 */
182 prf_t *prf_auth_r;
183
184 /**
185 * Next message id to receive.
186 */
187 u_int32_t message_id_in;
188
189 /**
190 * Next message id to send.
191 */
192 u_int32_t message_id_out;
193
194 /**
195 * Last reply id which was successfully received.
196 */
197 int32_t last_replied_message_id;
198
199 /**
200 * A logger for this IKE_SA.
201 */
202 logger_t *logger;
203
204 /**
205 * Resends the last sent reply.
206 *
207 * @param this calling object
208 */
209 status_t (*resend_last_reply) (private_ike_sa_t *this);
210 };
211
212 /**
213 * Implementation of ike_sa_t.process_message.
214 */
215 static status_t process_message (private_ike_sa_t *this, message_t *message)
216 {
217 u_int32_t message_id;
218 exchange_type_t exchange_type;
219 bool is_request;
220
221 /* We must process each request or response from remote host */
222
223 /* Find out type of message (request or response) */
224 is_request = message->get_request(message);
225 exchange_type = message->get_exchange_type(message);
226
227 this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
228 (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
229
230 message_id = message->get_message_id(message);
231
232 /*
233 * It has to be checked, if the message has to be resent cause of lost packets!
234 */
235 if (is_request && (message_id == (this->message_id_in - 1)))
236 {
237 /* Message can be resent ! */
238 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
239 return (this->resend_last_reply(this));
240 }
241
242 /* Now, the message id is checked for request AND reply */
243 if (is_request)
244 {
245 /* In a request, the message has to be this->message_id_in (other case is already handled) */
246 if (message_id != this->message_id_in)
247 {
248 this->logger->log(this->logger, ERROR | LEVEL1,
249 "Message request with message id %d received, but %d expected",
250 message_id,this->message_id_in);
251 return FAILED;
252 }
253 }
254 else
255 {
256 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
257 if (message_id != (this->message_id_out - 1))
258 {
259 this->logger->log(this->logger, ERROR | LEVEL1,
260 "Message reply with message id %d received, but %d expected",
261 message_id,this->message_id_in);
262 return FAILED;
263 }
264 }
265
266 /* now the message is processed by the current state object.
267 * The specific state object is responsible to check if a message can be received in
268 * the state it represents.
269 * The current state is also responsible to change the state object to the next state
270 * by calling protected_ike_sa_t.set_new_state*/
271 return this->current_state->process_message(this->current_state,message);
272 }
273
274 /**
275 * Implementation of protected_ike_sa_t.build_message.
276 */
277 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
278 {
279 message_t *new_message;
280
281 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
282 new_message = message_create();
283 new_message->set_source(new_message, this->me.host->clone(this->me.host));
284 new_message->set_destination(new_message, this->other.host->clone(this->other.host));
285 new_message->set_exchange_type(new_message, type);
286 new_message->set_request(new_message, request);
287 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
288 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
289
290 *message = new_message;
291 }
292
293 /**
294 * Implementation of protected_ike_sa_t.process_configuration.
295 */
296 static status_t initialize_connection(private_ike_sa_t *this, char *name)
297 {
298 initiator_init_t *current_state;
299 status_t status;
300
301 /* Work is done in state object of type INITIATOR_INIT. All other states are not
302 * initial states and so don't have a initialize_connection function */
303
304 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
305 {
306 return FAILED;
307 }
308
309 current_state = (initiator_init_t *) this->current_state;
310
311 status = current_state->initiate_connection(current_state,name);
312 return status;
313 }
314
315 /**
316 * Implementation of ike_sa_t.send_delete_ike_sa_request.
317 */
318 static void send_delete_ike_sa_request (private_ike_sa_t *this)
319 {
320 message_t *informational_request;
321 delete_payload_t *delete_payload;
322 crypter_t *crypter;
323 signer_t *signer;
324 packet_t *packet;
325 status_t status;
326
327 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
328 {
329 return;
330 }
331
332 /* build empty INFORMATIONAL message */
333 this->protected.build_message(&(this->protected), INFORMATIONAL, TRUE, &informational_request);
334
335 delete_payload = delete_payload_create();
336 delete_payload->set_protocol_id(delete_payload,IKE);
337
338 informational_request->add_payload(informational_request,(payload_t *)delete_payload);
339
340 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
341 {
342 crypter = this->crypter_initiator;
343 signer = this->signer_initiator;
344 }
345 else
346 {
347 crypter = this->crypter_responder;
348 signer = this->signer_responder;
349 }
350
351 status = informational_request->generate(informational_request,
352 crypter,
353 signer, &packet);
354 informational_request->destroy(informational_request);
355 if (status != SUCCESS)
356 {
357 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
358 return ;
359 }
360
361 charon->send_queue->add(charon->send_queue,packet);
362 }
363
364 /**
365 * Implementation of protected_ike_sa_t.get_id.
366 */
367 static ike_sa_id_t* get_id(private_ike_sa_t *this)
368 {
369 return this->ike_sa_id;
370 }
371
372 /**
373 * Implementation of private_ike_sa_t.resend_last_reply.
374 */
375 static status_t resend_last_reply(private_ike_sa_t *this)
376 {
377 packet_t *packet;
378
379 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit last reply");
380 packet = this->last_responded_message->get_packet(this->last_responded_message);
381 charon->send_queue->add(charon->send_queue, packet);
382
383 return SUCCESS;
384 }
385
386 /**
387 * Implementation of ike_sa_t.retransmit_request.
388 */
389 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
390 {
391 packet_t *packet;
392
393 if (this->last_requested_message == NULL)
394 {
395 return NOT_FOUND;
396 }
397
398 if (message_id == this->last_replied_message_id)
399 {
400 return NOT_FOUND;
401 }
402
403 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
404 {
405 return NOT_FOUND;
406 }
407
408 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
409 packet = this->last_requested_message->get_packet(this->last_requested_message);
410 charon->send_queue->add(charon->send_queue, packet);
411
412 return SUCCESS;
413 }
414
415 /**
416 * Implementation of protected_ike_sa_t.set_new_state.
417 */
418 static void set_new_state (private_ike_sa_t *this, state_t *state)
419 {
420 this->logger->log(this->logger, CONTROL, "statechange: %s => %s",
421 mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
422 mapping_find(ike_sa_state_m,state->get_state(state)));
423 this->current_state = state;
424 }
425
426 /**
427 * Implementation of protected_ike_sa_t.get_logger.
428 */
429 static logger_t *get_logger (private_ike_sa_t *this)
430 {
431 return this->logger;
432 }
433
434 /**
435 * Implementation of protected_ike_sa_t.get_my_host.
436 */
437 static host_t *get_my_host (private_ike_sa_t *this)
438 {
439 return this->me.host;
440 }
441
442 /**
443 * Implementation of protected_ike_sa_t.get_other_host.
444 */
445 static host_t *get_other_host (private_ike_sa_t *this)
446 {
447 return this->other.host;
448 }
449
450 /**
451 * Implementation of protected_ike_sa_t.get_init_config.
452 */
453 static init_config_t *get_init_config (private_ike_sa_t *this)
454 {
455 return this->init_config;
456 }
457
458 /**
459 * Implementation of protected_ike_sa_t.set_init_config.
460 */
461 static void set_init_config (private_ike_sa_t *this,init_config_t * init_config)
462 {
463 this->init_config = init_config;
464 }
465
466 /**
467 * Implementation of protected_ike_sa_t.get_sa_config.
468 */
469 static sa_config_t *get_sa_config (private_ike_sa_t *this)
470 {
471 return this->sa_config;
472 }
473
474 /**
475 * Implementation of protected_ike_sa_t.set_sa_config.
476 */
477 static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config)
478 {
479 this->sa_config = sa_config;
480 }
481
482 /**
483 * Implementation of protected_ike_sa_t.set_my_host.
484 */
485 static void set_my_host (private_ike_sa_t *this, host_t *my_host)
486 {
487 this->me.host = my_host;
488 }
489
490 /**
491 * Implementation of protected_ike_sa_t.set_other_host.
492 */
493 static void set_other_host (private_ike_sa_t *this, host_t *other_host)
494 {
495 this->other.host = other_host;
496 }
497
498 /**
499 * Implementation of protected_ike_sa_t.get_prf.
500 */
501 static prf_t *get_prf (private_ike_sa_t *this)
502 {
503 return this->prf;
504 }
505
506 /**
507 * Implementation of protected_ike_sa_t.get_prf.
508 */
509 static prf_t *get_child_prf (private_ike_sa_t *this)
510 {
511 return this->child_prf;
512 }
513
514 /**
515 * Implementation of protected_ike_sa_t.get_prf_auth_i.
516 */
517 static prf_t *get_prf_auth_i (private_ike_sa_t *this)
518 {
519 return this->prf_auth_i;
520 }
521
522 /**
523 * Implementation of protected_ike_sa_t.get_prf_auth_r.
524 */
525 static prf_t *get_prf_auth_r (private_ike_sa_t *this)
526 {
527 return this->prf_auth_r;
528 }
529
530
531 /**
532 * Implementation of protected_ike_sa_t.build_transforms.
533 */
534 static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
535 {
536 chunk_t nonces, nonces_spis, skeyseed, key, secret;
537 u_int64_t spi_i, spi_r;
538 prf_plus_t *prf_plus;
539 algorithm_t *algo;
540 size_t key_size;
541
542 /*
543 * Build the PRF+ instance for deriving keys
544 */
545 if (this->prf != NULL)
546 {
547 this->prf->destroy(this->prf);
548 }
549 proposal->get_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, &algo);
550 if (algo == NULL)
551 {
552 this->logger->log(this->logger, ERROR|LEVEL2, "No PRF algoithm selected!?");
553 return FAILED;
554 }
555 this->prf = prf_create(algo->algorithm);
556 if (this->prf == NULL)
557 {
558 this->logger->log(this->logger, ERROR|LEVEL1,
559 "PSEUDO_RANDOM_FUNCTION %s not supported!",
560 mapping_find(pseudo_random_function_m, algo->algorithm));
561 return FAILED;
562 }
563
564 /* concatenate nonces = nonce_i | nonce_r */
565 nonces = allocator_alloc_as_chunk(nonce_i.len + nonce_r.len);
566 memcpy(nonces.ptr, nonce_i.ptr, nonce_i.len);
567 memcpy(nonces.ptr + nonce_i.len, nonce_r.ptr, nonce_r.len);
568
569 /* concatenate prf_seed = nonce_i | nonce_r | spi_i | spi_r */
570 nonces_spis = allocator_alloc_as_chunk(nonces.len + 16);
571 memcpy(nonces_spis.ptr, nonces.ptr, nonces.len);
572 spi_i = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
573 spi_r = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
574 memcpy(nonces_spis.ptr + nonces.len, &spi_i, 8);
575 memcpy(nonces_spis.ptr + nonces.len + 8, &spi_r, 8);
576
577 /* SKEYSEED = prf(Ni | Nr, g^ir) */
578 dh->get_shared_secret(dh, &secret);
579 this->logger->log_chunk(this->logger, PRIVATE, "Shared Diffie Hellman secret", &secret);
580 this->prf->set_key(this->prf, nonces);
581 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
582 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "SKEYSEED", &skeyseed);
583 allocator_free_chunk(&secret);
584
585 /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
586 * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
587 *
588 * we use the prf directly for prf+
589 */
590 this->prf->set_key(this->prf, skeyseed);
591 prf_plus = prf_plus_create(this->prf, nonces_spis);
592
593 /* clean up unused stuff */
594 allocator_free_chunk(&nonces);
595 allocator_free_chunk(&nonces_spis);
596 allocator_free_chunk(&skeyseed);
597
598
599 /*
600 * We now can derive all of our key. We build the transforms
601 * directly.
602 */
603
604
605 /* SK_d used for prf+ to derive keys for child SAs */
606 this->child_prf = prf_create(algo->algorithm);
607 key_size = this->child_prf->get_key_size(this->child_prf);
608 prf_plus->allocate_bytes(prf_plus, key_size, &key);
609 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &key);
610 this->child_prf->set_key(this->child_prf, key);
611 allocator_free_chunk(&key);
612
613
614 /* SK_ai/SK_ar used for integrity protection */
615 proposal->get_algorithm(proposal, IKE, INTEGRITY_ALGORITHM, &algo);
616 if (algo == NULL)
617 {
618 this->logger->log(this->logger, ERROR|LEVEL2, "No integrity algoithm selected?!");
619 return FAILED;
620 }
621 if (this->signer_initiator != NULL)
622 {
623 this->signer_initiator->destroy(this->signer_initiator);
624 }
625 if (this->signer_responder != NULL)
626 {
627 this->signer_responder->destroy(this->signer_responder);
628 }
629
630 this->signer_initiator = signer_create(algo->algorithm);
631 this->signer_responder = signer_create(algo->algorithm);
632 if (this->signer_initiator == NULL || this->signer_responder == NULL)
633 {
634 this->logger->log(this->logger, ERROR|LEVEL1,
635 "INTEGRITY_ALGORITHM %s not supported!",
636 mapping_find(integrity_algorithm_m,algo->algorithm));
637 return FAILED;
638 }
639 key_size = this->signer_initiator->get_key_size(this->signer_initiator);
640
641 prf_plus->allocate_bytes(prf_plus, key_size, &key);
642 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &key);
643 this->signer_initiator->set_key(this->signer_initiator, key);
644 allocator_free_chunk(&key);
645
646 prf_plus->allocate_bytes(prf_plus, key_size, &key);
647 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &key);
648 this->signer_responder->set_key(this->signer_responder, key);
649 allocator_free_chunk(&key);
650
651
652 /* SK_ei/SK_er used for encryption */
653 proposal->get_algorithm(proposal, IKE, ENCRYPTION_ALGORITHM, &algo);
654 if (algo == NULL)
655 {
656 this->logger->log(this->logger, ERROR|LEVEL2, "No encryption algoithm selected!?");
657 return FAILED;
658 }
659 if (this->crypter_initiator != NULL)
660 {
661 this->crypter_initiator->destroy(this->crypter_initiator);
662 }
663 if (this->crypter_responder != NULL)
664 {
665 this->crypter_responder->destroy(this->crypter_responder);
666 }
667
668 this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size);
669 this->crypter_responder = crypter_create(algo->algorithm, algo->key_size);
670 if (this->crypter_initiator == NULL || this->crypter_responder == NULL)
671 {
672 this->logger->log(this->logger, ERROR|LEVEL1,
673 "ENCRYPTION_ALGORITHM %s (key size %d) not supported!",
674 mapping_find(encryption_algorithm_m, algo->algorithm),
675 algo->key_size);
676 return FAILED;
677 }
678 key_size = this->crypter_initiator->get_key_size(this->crypter_initiator);
679
680 prf_plus->allocate_bytes(prf_plus, key_size, &key);
681 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &key);
682 this->crypter_initiator->set_key(this->crypter_initiator, key);
683 allocator_free_chunk(&key);
684
685 prf_plus->allocate_bytes(prf_plus, key_size, &key);
686 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &key);
687 this->crypter_responder->set_key(this->crypter_responder, key);
688 allocator_free_chunk(&key);
689
690 /* SK_pi/SK_pr used for authentication */
691 proposal->get_algorithm(proposal, IKE, PSEUDO_RANDOM_FUNCTION, &algo);
692 if (this->prf_auth_i != NULL)
693 {
694 this->prf_auth_i->destroy(this->prf_auth_i);
695 }
696 if (this->prf_auth_r != NULL)
697 {
698 this->prf_auth_r->destroy(this->prf_auth_r);
699 }
700
701 this->prf_auth_i = prf_create(algo->algorithm);
702 this->prf_auth_r = prf_create(algo->algorithm);
703
704 key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
705 prf_plus->allocate_bytes(prf_plus, key_size, &key);
706 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &key);
707 this->prf_auth_i->set_key(this->prf_auth_i, key);
708 allocator_free_chunk(&key);
709
710 prf_plus->allocate_bytes(prf_plus, key_size, &key);
711 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &key);
712 this->prf_auth_r->set_key(this->prf_auth_r, key);
713 allocator_free_chunk(&key);
714
715 /* all done, prf_plus not needed anymore */
716 prf_plus->destroy(prf_plus);
717
718 return SUCCESS;
719 }
720
721 /**
722 * Implementation of protected_ike_sa_t.get_randomizer.
723 */
724 static randomizer_t *get_randomizer (private_ike_sa_t *this)
725 {
726 return this->randomizer;
727 }
728
729 /**
730 * Implementation of protected_ike_sa_t.get_crypter_initiator.
731 */
732 static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
733 {
734 return this->crypter_initiator;
735 }
736
737 /**
738 * Implementation of protected_ike_sa_t.get_signer_initiator.
739 */
740 static signer_t *get_signer_initiator (private_ike_sa_t *this)
741 {
742 return this->signer_initiator;
743 }
744
745 /**
746 * Implementation of protected_ike_sa_t.get_crypter_responder.
747 */
748 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
749 {
750 return this->crypter_responder;
751 }
752
753 /**
754 * Implementation of protected_ike_sa_t.get_signer_responder.
755 */
756 static signer_t *get_signer_responder (private_ike_sa_t *this)
757 {
758 return this->signer_responder;
759 }
760
761 /**
762 * Implementation of protected_ike_sa_t.send_request.
763 */
764 static status_t send_request (private_ike_sa_t *this,message_t * message)
765 {
766 retransmit_request_job_t *retransmit_job;
767 u_int32_t timeout;
768 crypter_t *crypter;
769 signer_t *signer;
770 packet_t *packet;
771 status_t status;
772
773 if (message->get_message_id(message) != this->message_id_out)
774 {
775 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
776 message->get_message_id(message),this->message_id_out);
777 return FAILED;
778 }
779
780 /* generate packet */
781 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
782
783 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
784 {
785 crypter = this->crypter_initiator;
786 signer = this->signer_initiator;
787 }
788 else
789 {
790 crypter = this->crypter_responder;
791 signer =this->signer_responder;
792 }
793
794 status = message->generate(message, crypter,signer, &packet);
795 if (status != SUCCESS)
796 {
797 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
798 return FAILED;
799 }
800
801 this->logger->log(this->logger, CONTROL|LEVEL3,
802 "Add request packet with message id %d to global send queue",
803 this->message_id_out);
804 charon->send_queue->add(charon->send_queue, packet);
805
806 if (this->last_requested_message != NULL)
807 {
808 /* destroy message */
809 this->last_requested_message->destroy(this->last_requested_message);
810 }
811
812 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
813 this->last_requested_message = message;
814
815 retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
816
817 status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,
818 retransmit_job->get_retransmit_count(retransmit_job),&timeout);
819
820 if (status != SUCCESS)
821 {
822 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
823 retransmit_job->destroy(retransmit_job);
824 }
825 else
826 {
827 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.",timeout);
828 charon->event_queue->add_relative(charon->event_queue,(job_t *) retransmit_job,timeout);
829 }
830
831 /* message counter can now be increased */
832 this->logger->log(this->logger, CONTROL|LEVEL3,
833 "Increase message counter for outgoing messages from %d",
834 this->message_id_out);
835 this->message_id_out++;
836 return SUCCESS;
837 }
838
839 /**
840 * Implementation of protected_ike_sa_t.send_response.
841 */
842 static status_t send_response (private_ike_sa_t *this,message_t * message)
843 {
844 crypter_t *crypter;
845 signer_t *signer;
846 packet_t *packet;
847 status_t status;
848
849 if (message->get_message_id(message) != this->message_id_in)
850 {
851 this->logger->log(this->logger, ERROR, "Message could not be sent cause id was not as expected");
852 return FAILED;
853 }
854
855
856 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
857 {
858 crypter = this->crypter_initiator;
859 signer = this->signer_initiator;
860 }
861 else
862 {
863 crypter = this->crypter_responder;
864 signer =this->signer_responder;
865 }
866
867 status = message->generate(message, crypter,signer, &packet);
868 if (status != SUCCESS)
869 {
870 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
871 return FAILED;
872 }
873
874 this->logger->log(this->logger, CONTROL|LEVEL3,
875 "Add response packet with message id %d to global send queue",
876 this->message_id_in);
877 charon->send_queue->add(charon->send_queue, packet);
878
879 if (this->last_responded_message != NULL)
880 {
881 /* destroy message */
882 this->last_responded_message->destroy(this->last_responded_message);
883 }
884
885 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
886 this->last_responded_message = message;
887
888 /* message counter can now be increased */
889 this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
890 this->message_id_in++;
891
892 return SUCCESS;
893 }
894
895 /**
896 * Implementation of of private_responder_init_t.send_notify_reply.
897 */
898 static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data)
899 {
900 notify_payload_t *payload;
901 message_t *response;
902 packet_t *packet;
903 status_t status;
904
905 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
906 /* set up the reply */
907 this->protected.build_message(&(this->protected), exchange_type, FALSE, &response);
908 payload = notify_payload_create_from_protocol_and_type(IKE,type);
909 if ((data.ptr != NULL) && (data.len > 0))
910 {
911 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
912 payload->set_notification_data(payload,data);
913 }
914
915 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
916 response->add_payload(response,(payload_t *) payload);
917
918 /* generate packet */
919 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
920 status = response->generate(response, this->crypter_responder, this->signer_responder, &packet);
921 if (status != SUCCESS)
922 {
923 this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message");
924 response->destroy(response);
925 return;
926 }
927
928 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
929 charon->send_queue->add(charon->send_queue, packet);
930 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
931 response->destroy(response);
932 }
933
934 /**
935 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
936 */
937 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
938 {
939 this->last_replied_message_id = message_id;
940 }
941
942 /**
943 * Implementation of protected_ike_sa_t.get_last_responded_message.
944 */
945 static message_t * get_last_responded_message (private_ike_sa_t *this)
946 {
947 return this->last_responded_message;
948 }
949
950 /**
951 * Implementation of protected_ike_sa_t.get_last_requested_message.
952 */
953 static message_t * get_last_requested_message (private_ike_sa_t *this)
954 {
955 return this->last_requested_message;
956 }
957
958 /**
959 * Implementation of protected_ike_sa_t.get_state.
960 */
961 static ike_sa_state_t get_state (private_ike_sa_t *this)
962 {
963 return this->current_state->get_state(this->current_state);
964 }
965
966 /**
967 * Implementation of protected_ike_sa_t.get_state.
968 */
969 static void add_child_sa (private_ike_sa_t *this, child_sa_t *child_sa)
970 {
971 this->child_sas->insert_last(this->child_sas, child_sa);
972 }
973
974 /**
975 * Implementation of protected_ike_sa_t.reset_message_buffers.
976 */
977 static void reset_message_buffers (private_ike_sa_t *this)
978 {
979 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
980 /* destroy stored requested message */
981 if (this->last_requested_message != NULL)
982 {
983 this->last_requested_message->destroy(this->last_requested_message);
984 this->last_requested_message = NULL;
985 }
986
987 /* destroy stored responded messages */
988 if (this->last_responded_message != NULL)
989 {
990 this->last_responded_message->destroy(this->last_responded_message);
991 this->last_responded_message = NULL;
992 }
993
994 this->message_id_out = 0;
995 this->message_id_in = 0;
996 this->last_replied_message_id = -1;
997 }
998
999 /**
1000 * Implementation of protected_ike_sa_t.create_delete_established_ike_sa_job.
1001 */
1002 static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32_t timeout)
1003 {
1004 job_t *delete_job;
1005
1006 this->logger->log(this->logger, CONTROL | LEVEL1,
1007 "Going to create job to delete established IKE_SA in %d ms",
1008 timeout);
1009
1010 delete_job = (job_t *) delete_established_ike_sa_job_create(this->ike_sa_id);
1011 charon->event_queue->add_relative(charon->event_queue,delete_job, timeout);
1012 }
1013
1014 /**
1015 * Implementation of protected_ike_sa_t.destroy.
1016 */
1017 static void destroy (private_ike_sa_t *this)
1018 {
1019 child_sa_t *child_sa;
1020
1021 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
1022 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1023 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
1024 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
1025
1026 /* destroy child sa's */
1027 while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
1028 {
1029 child_sa->destroy(child_sa);
1030 }
1031 this->child_sas->destroy(this->child_sas);
1032
1033 if (this->crypter_initiator != NULL)
1034 {
1035 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator crypter_t object");
1036 this->crypter_initiator->destroy(this->crypter_initiator);
1037 }
1038
1039 if (this->crypter_responder != NULL)
1040 {
1041 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder crypter_t object");
1042 this->crypter_responder->destroy(this->crypter_responder);
1043 }
1044
1045 if (this->signer_initiator != NULL)
1046 {
1047 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator signer_t object");
1048 this->signer_initiator->destroy(this->signer_initiator);
1049 }
1050
1051 if (this->signer_responder != NULL)
1052 {
1053 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder signer_t object");
1054 this->signer_responder->destroy(this->signer_responder);
1055 }
1056
1057 if (this->prf != NULL)
1058 {
1059 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy prf_t object");
1060 this->prf->destroy(this->prf);
1061 }
1062 if (this->child_prf != NULL)
1063 {
1064 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy child_prf object");
1065 this->child_prf->destroy(this->child_prf);
1066 }
1067 if (this->prf_auth_i != NULL)
1068 {
1069 this->prf_auth_i->destroy(this->prf_auth_i);
1070 }
1071 if (this->prf_auth_r != NULL)
1072 {
1073 this->prf_auth_r->destroy(this->prf_auth_r);
1074 }
1075
1076 /* destroy ike_sa_id */
1077 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy ike_sa_id object");
1078 this->ike_sa_id->destroy(this->ike_sa_id);
1079
1080 /* destroy stored requested message */
1081 if (this->last_requested_message != NULL)
1082 {
1083 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last requested message");
1084 this->last_requested_message->destroy(this->last_requested_message);
1085 }
1086
1087 /* destroy stored responded messages */
1088 if (this->last_responded_message != NULL)
1089 {
1090 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last responded message");
1091 this->last_responded_message->destroy(this->last_responded_message);
1092 }
1093
1094 /* destroy stored host_t objects */
1095 if (this->me.host != NULL)
1096 {
1097 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy my host_t object");
1098 this->me.host->destroy(this->me.host);
1099 }
1100
1101 /* destroy stored host_t objects */
1102 if (this->other.host != NULL)
1103 {
1104 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy other host_t object");
1105 this->other.host->destroy(this->other.host);
1106 }
1107
1108 this->randomizer->destroy(this->randomizer);
1109
1110 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy current state object");
1111 this->current_state->destroy(this->current_state);
1112
1113 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy logger of IKE_SA");
1114 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
1115
1116 allocator_free(this);
1117 }
1118
1119 /*
1120 * Described in header.
1121 */
1122 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1123 {
1124 private_ike_sa_t *this = allocator_alloc_thing(private_ike_sa_t);
1125
1126 /* Public functions */
1127 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1128 this->protected.public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
1129 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1130 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1131 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1132 this->protected.public.send_delete_ike_sa_request = (void (*)(ike_sa_t*)) send_delete_ike_sa_request;
1133 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1134
1135 /* protected functions */
1136 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
1137 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1138 this->protected.get_child_prf = (prf_t *(*) (protected_ike_sa_t *)) get_child_prf;
1139 this->protected.get_prf_auth_i = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_i;
1140 this->protected.get_prf_auth_r = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_r;
1141 this->protected.add_child_sa = (void (*) (protected_ike_sa_t*,child_sa_t*)) add_child_sa;
1142 this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
1143 this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
1144 this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
1145 this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config;
1146 this->protected.get_sa_config = (sa_config_t *(*) (protected_ike_sa_t *)) get_sa_config;
1147 this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host;
1148 this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host;
1149 this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host;
1150 this->protected.set_other_host = (void(*) (protected_ike_sa_t *, host_t *)) set_other_host;
1151 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1152 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1153 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1154 this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify;
1155 this->protected.build_transforms = (status_t (*) (protected_ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t)) build_transforms;
1156 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1157 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1158 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1159 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1160 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1161 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1162 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_responded_message;
1163 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_requested_message;
1164 this->protected.create_delete_established_ike_sa_job = (void (*) (protected_ike_sa_t *this,u_int32_t)) create_delete_established_ike_sa_job;
1165
1166 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1167
1168 /* private functions */
1169 this->resend_last_reply = resend_last_reply;
1170
1171 /* initialize private fields */
1172 this->logger = charon->logger_manager->create_logger(charon->logger_manager, IKE_SA, NULL);
1173
1174 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1175 this->child_sas = linked_list_create();
1176 this->randomizer = randomizer_create();
1177
1178 this->me.host = NULL;
1179 this->other.host = NULL;
1180 this->last_requested_message = NULL;
1181 this->last_responded_message = NULL;
1182 this->message_id_out = 0;
1183 this->message_id_in = 0;
1184 this->last_replied_message_id = -1;
1185 this->crypter_initiator = NULL;
1186 this->crypter_responder = NULL;
1187 this->signer_initiator = NULL;
1188 this->signer_responder = NULL;
1189 this->prf = NULL;
1190 this->prf_auth_i = NULL;
1191 this->prf_auth_r = NULL;
1192 this->child_prf = NULL;
1193 this->init_config = NULL;
1194 this->sa_config = NULL;
1195
1196 /* at creation time, IKE_SA is in a initiator state */
1197 if (ike_sa_id->is_initiator(ike_sa_id))
1198 {
1199 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
1200 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1201 }
1202 else
1203 {
1204 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
1205 this->current_state = (state_t *) responder_init_create(&(this->protected));
1206 }
1207 return &(this->protected.public);
1208 }