- fixed bug
[strongswan.git] / Source / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_sa.h"
24
25 #include <types.h>
26 #include <daemon.h>
27 #include <definitions.h>
28 #include <utils/allocator.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <transforms/diffie_hellman.h>
33 #include <transforms/prf_plus.h>
34 #include <transforms/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/delete_payload.h>
39 #include <encoding/payloads/transform_substructure.h>
40 #include <encoding/payloads/transform_attribute.h>
41 #include <sa/states/initiator_init.h>
42 #include <sa/states/responder_init.h>
43 #include <queues/jobs/retransmit_request_job.h>
44 #include <queues/jobs/delete_established_ike_sa_job.h>
45
46
47
48
49 typedef struct private_ike_sa_t private_ike_sa_t;
50
51 /**
52 * Private data of an ike_sa_t object.
53 */
54 struct private_ike_sa_t {
55
56 /**
57 * Protected part of a ike_sa_t object.
58 */
59 protected_ike_sa_t protected;
60
61 /**
62 * Resends the last sent reply.
63 *
64 * @param this calling object
65 */
66 status_t (*resend_last_reply) (private_ike_sa_t *this);
67
68 /* private values */
69
70 /**
71 * Identifier for the current IKE_SA.
72 */
73 ike_sa_id_t *ike_sa_id;
74
75 /**
76 * Linked List containing the child sa's of the current IKE_SA.
77 */
78 linked_list_t *child_sas;
79
80 /**
81 * Current state of the IKE_SA represented as state_t object.
82 *
83 * A state object representates one of the following states and is processing
84 * messages in the specific state:
85 * - INITIATOR_INIT
86 * - RESPONDER_INIT
87 * - IKE_SA_INIT_REQUESTED
88 * - IKE_SA_INIT_RESPONDED
89 * - IKE_AUTH_REQUESTED
90 * -IKE_SA_ESTABLISHED
91 */
92 state_t *current_state;
93
94 /**
95 * INIT configuration, needed for the IKE_SA_INIT exchange.
96 *
97 * Gets set in states:
98 * - INITATOR_INIT
99 * - RESPONDER_INIT
100 *
101 * Available in states:
102 * - IKE_SA_INIT_REQUESTED
103 * - IKE_SA_INIT_RESPONDED
104 * - IKE_AUTH_REQUESTED
105 * -IKE_SA_ESTABLISHED
106 */
107 init_config_t *init_config;
108
109 /**
110 * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
111 *
112 * Gets set in states:
113 * - IKE_SA_INIT_REQUESTED
114 * - IKE_SA_INIT_RESPONDED
115 *
116 * Available in states:
117 * - IKE_AUTH_REQUESTED
118 * -IKE_SA_ESTABLISHED
119 */
120 sa_config_t *sa_config;
121
122 /**
123 * This SA's source for random data.
124 *
125 * Is available in every state.
126 */
127 randomizer_t *randomizer;
128
129 /**
130 * The last responded message.
131 */
132 message_t *last_responded_message;
133
134 /**
135 * The ast requested message.
136 */
137 message_t *last_requested_message;
138
139 /**
140 * Informations of this host.
141 */
142 struct {
143 host_t *host;
144 } me;
145
146 /**
147 * Informations of the other host.
148 */
149 struct {
150 host_t *host;
151 } other;
152
153 /**
154 * Crypter object for initiator.
155 *
156 * Gets set in states:
157 * - IKE_SA_INIT_REQUESTED
158 * - RESPONDER_INIT
159 *
160 * Available in states:
161 * - IKE_SA_INIT_RESPONDED
162 * - IKE_AUTH_REQUESTED
163 * -IKE_SA_ESTABLISHED
164 */
165 crypter_t *crypter_initiator;
166
167 /**
168 * Crypter object for responder.
169 *
170 * Gets set in states:
171 * - IKE_SA_INIT_REQUESTED
172 * - RESPONDER_INIT
173 *
174 * Available in states:
175 * - IKE_SA_INIT_RESPONDED
176 * - IKE_AUTH_REQUESTED
177 * -IKE_SA_ESTABLISHED
178 */
179 crypter_t *crypter_responder;
180
181 /**
182 * Signer object for initiator.
183 *
184 * Gets set in states:
185 * - IKE_SA_INIT_REQUESTED
186 * - RESPONDER_INIT
187 *
188 * Available in states:
189 * - IKE_SA_INIT_RESPONDED
190 * - IKE_AUTH_REQUESTED
191 * -IKE_SA_ESTABLISHED
192 */
193 signer_t *signer_initiator;
194
195 /**
196 * Signer object for responder.
197 *
198 * Gets set in states:
199 * - IKE_SA_INIT_REQUESTED
200 * - RESPONDER_INIT
201 *
202 * Available in states:
203 * - IKE_SA_INIT_RESPONDED
204 * - IKE_AUTH_REQUESTED
205 * -IKE_SA_ESTABLISHED
206 */
207 signer_t *signer_responder;
208
209 /**
210 * Prf function.
211 *
212 * Gets set in states:
213 * - IKE_SA_INIT_REQUESTED
214 * - RESPONDER_INIT
215 *
216 * Available in states:
217 * - IKE_SA_INIT_RESPONDED
218 * - IKE_AUTH_REQUESTED
219 * -IKE_SA_ESTABLISHED
220 */
221 prf_t *prf;
222
223 /**
224 * Shared secrets which have to be stored.
225 *
226 * Are getting set in states:
227 * - IKE_SA_INIT_REQUESTED
228 * - RESPONDER_INIT
229 *
230 * Available in states:
231 * - IKE_SA_INIT_RESPONDED
232 * - IKE_AUTH_REQUESTED
233 * -IKE_SA_ESTABLISHED
234 */
235 struct {
236 /**
237 * Key used for deriving other keys
238 */
239 chunk_t d_key;
240
241 /**
242 * Key for generating auth payload (initiator)
243 */
244 chunk_t pi_key;
245
246 /**
247 * Key for generating auth payload (responder)
248 */
249 chunk_t pr_key;
250
251 } secrets;
252
253 /**
254 * Next message id to receive.
255 */
256 u_int32_t message_id_in;
257
258 /**
259 * Next message id to send.
260 */
261 u_int32_t message_id_out;
262
263 /**
264 * Last reply id which was successfully received.
265 */
266 int32_t last_replied_message_id;
267
268 /**
269 * A logger for this IKE_SA.
270 */
271 logger_t *logger;
272 };
273
274 /**
275 * Implementation of ike_sa_t.process_message.
276 */
277 static status_t process_message (private_ike_sa_t *this, message_t *message)
278 {
279 u_int32_t message_id;
280 exchange_type_t exchange_type;
281 bool is_request;
282
283 /* We must process each request or response from remote host */
284
285 /* Find out type of message (request or response) */
286 is_request = message->get_request(message);
287 exchange_type = message->get_exchange_type(message);
288
289 this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
290 (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
291
292 message_id = message->get_message_id(message);
293
294 /*
295 * It has to be checked, if the message has to be resent cause of lost packets!
296 */
297 if (is_request && (message_id == (this->message_id_in - 1)))
298 {
299 /* Message can be resent ! */
300 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
301 return (this->resend_last_reply(this));
302 }
303
304 /* Now, the message id is checked for request AND reply */
305 if (is_request)
306 {
307 /* In a request, the message has to be this->message_id_in (other case is already handled) */
308 if (message_id != this->message_id_in)
309 {
310 this->logger->log(this->logger, ERROR | LEVEL1,
311 "Message request with message id %d received, but %d expected",
312 message_id,this->message_id_in);
313 return FAILED;
314 }
315 }
316 else
317 {
318 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
319 if (message_id != (this->message_id_out - 1))
320 {
321 this->logger->log(this->logger, ERROR | LEVEL1,
322 "Message reply with message id %d received, but %d expected",
323 message_id,this->message_id_in);
324 return FAILED;
325 }
326 }
327
328 /* now the message is processed by the current state object.
329 * The specific state object is responsible to check if a message can be received in
330 * the state it represents.
331 * The current state is also responsible to change the state object to the next state
332 * by calling protected_ike_sa_t.set_new_state*/
333 return this->current_state->process_message(this->current_state,message);
334 }
335
336 /**
337 * Implementation of protected_ike_sa_t.build_message.
338 */
339 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
340 {
341 message_t *new_message;
342
343 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
344 new_message = message_create();
345 new_message->set_source(new_message, this->me.host->clone(this->me.host));
346 new_message->set_destination(new_message, this->other.host->clone(this->other.host));
347 new_message->set_exchange_type(new_message, type);
348 new_message->set_request(new_message, request);
349 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
350 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
351
352 *message = new_message;
353 }
354
355 /**
356 * Implementation of protected_ike_sa_t.process_configuration.
357 */
358 static status_t initialize_connection(private_ike_sa_t *this, char *name)
359 {
360 initiator_init_t *current_state;
361 status_t status;
362
363 /* Work is done in state object of type INITIATOR_INIT. All other states are not
364 * initial states and so don't have a initialize_connection function */
365
366 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
367 {
368 return FAILED;
369 }
370
371 current_state = (initiator_init_t *) this->current_state;
372
373 status = current_state->initiate_connection(current_state,name);
374 return status;
375 }
376
377 /**
378 * Implementation of ike_sa_t.send_delete_ike_sa_request.
379 */
380 static void send_delete_ike_sa_request (private_ike_sa_t *this)
381 {
382 message_t *informational_request;
383 delete_payload_t *delete_payload;
384 crypter_t *crypter;
385 signer_t *signer;
386 packet_t *packet;
387 status_t status;
388
389 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
390 {
391 return;
392 }
393
394 /* build empty INFORMATIONAL message */
395 this->protected.build_message(&(this->protected), INFORMATIONAL, TRUE, &informational_request);
396
397 delete_payload = delete_payload_create();
398 delete_payload->set_protocol_id(delete_payload,IKE);
399
400 informational_request->add_payload(informational_request,(payload_t *)delete_payload);
401
402 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
403 {
404 crypter = this->crypter_initiator;
405 signer = this->signer_initiator;
406 }
407 else
408 {
409 crypter = this->crypter_responder;
410 signer = this->signer_responder;
411 }
412
413 status = informational_request->generate(informational_request,
414 crypter,
415 signer, &packet);
416 informational_request->destroy(informational_request);
417 if (status != SUCCESS)
418 {
419 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
420 return ;
421 }
422
423 charon->send_queue->add(charon->send_queue,packet);
424 }
425
426 /**
427 * Implementation of protected_ike_sa_t.get_id.
428 */
429 static ike_sa_id_t* get_id(private_ike_sa_t *this)
430 {
431 return this->ike_sa_id;
432 }
433
434 /**
435 * Implementation of protected_ike_sa_t.compute_secrets.
436 */
437 static void compute_secrets(private_ike_sa_t *this,
438 chunk_t dh_shared_secret,
439 chunk_t initiator_nonce,
440 chunk_t responder_nonce)
441 {
442 u_int8_t ei_buffer[this->crypter_initiator->get_block_size(this->crypter_initiator)];
443 chunk_t ei_key = {ptr: ei_buffer, len: sizeof(ei_buffer)};
444 u_int8_t er_buffer[this->crypter_responder->get_block_size(this->crypter_responder)];
445 chunk_t er_key = {ptr: er_buffer, len: sizeof(er_buffer)};
446 u_int8_t ai_buffer[this->signer_initiator->get_key_size(this->signer_initiator)];
447 chunk_t ai_key = {ptr: ai_buffer, len: sizeof(ai_buffer)};
448 u_int8_t ar_buffer[this->signer_responder->get_key_size(this->signer_responder)];
449 chunk_t ar_key = {ptr: ar_buffer, len: sizeof(ar_buffer)};
450 u_int8_t concatenated_nonces_buffer[initiator_nonce.len + responder_nonce.len];
451 chunk_t concatenated_nonces = {ptr: concatenated_nonces_buffer, len : sizeof(concatenated_nonces_buffer)};
452 u_int8_t skeyseed_buffer[this->prf->get_block_size(this->prf)];
453 chunk_t skeyseed = {ptr: skeyseed_buffer, len: sizeof(skeyseed_buffer)};
454 u_int64_t initiator_spi;
455 u_int64_t responder_spi;
456 chunk_t prf_plus_seed;
457 prf_plus_t *prf_plus;
458
459 /* first is initiator */
460 memcpy(concatenated_nonces.ptr,initiator_nonce.ptr,initiator_nonce.len);
461 /* second is responder */
462 memcpy(concatenated_nonces.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
463
464 this->logger->log_chunk(this->logger, RAW | LEVEL2, "Nonce data", &concatenated_nonces);
465
466 /* Status of set_key is not checked */
467 this->prf->set_key(this->prf,concatenated_nonces);
468
469 this->prf->get_bytes(this->prf,dh_shared_secret,skeyseed_buffer);
470
471 prf_plus_seed.len = (initiator_nonce.len + responder_nonce.len + 16);
472 prf_plus_seed.ptr = allocator_alloc(prf_plus_seed.len);
473
474 /* first is initiator */
475 memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len);
476 /* second is responder */
477 memcpy(prf_plus_seed.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
478 /* third is initiator spi */
479 initiator_spi = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
480 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len,&initiator_spi,8);
481 /* fourth is responder spi */
482 responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
483 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8);
484
485 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "Keyseed", &skeyseed);
486 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "PRF+ Seed", &prf_plus_seed);
487
488 this->logger->log(this->logger, CONTROL | LEVEL2, "Set new key of prf object");
489 this->prf->set_key(this->prf,skeyseed);
490
491 this->logger->log(this->logger, CONTROL | LEVEL2, "Create new prf+ object");
492 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
493 allocator_free_chunk(&prf_plus_seed);
494
495
496 prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key));
497 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key));
498
499 prf_plus->get_bytes(prf_plus,ai_key.len,ai_buffer);
500 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(ai_key));
501 this->signer_initiator->set_key(this->signer_initiator,ai_key);
502
503 prf_plus->get_bytes(prf_plus,ar_key.len,ar_buffer);
504 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(ar_key));
505 this->signer_responder->set_key(this->signer_responder,ar_key);
506
507 prf_plus->get_bytes(prf_plus,ei_key.len,ei_buffer);
508 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(ei_key));
509 this->crypter_initiator->set_key(this->crypter_initiator,ei_key);
510
511 prf_plus->get_bytes(prf_plus,er_key.len,er_buffer);
512 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(er_key));
513 this->crypter_responder->set_key(this->crypter_responder,er_key);
514
515 prf_plus->allocate_bytes(prf_plus,
516 this->crypter_responder->get_block_size(this->crypter_responder),
517 &(this->secrets.pi_key));
518 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
519
520 prf_plus->allocate_bytes(prf_plus,
521 this->crypter_responder->get_block_size(this->crypter_responder),
522 &(this->secrets.pr_key));
523 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
524
525 prf_plus->destroy(prf_plus);
526 }
527
528 /**
529 * Implementation of private_ike_sa_t.resend_last_reply.
530 */
531 static status_t resend_last_reply(private_ike_sa_t *this)
532 {
533 packet_t *packet;
534
535 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit last reply");
536 packet = this->last_responded_message->get_packet(this->last_responded_message);
537 charon->send_queue->add(charon->send_queue, packet);
538
539 return SUCCESS;
540 }
541
542 /**
543 * Implementation of ike_sa_t.retransmit_request.
544 */
545 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
546 {
547 packet_t *packet;
548
549 if (this->last_requested_message == NULL)
550 {
551 return NOT_FOUND;
552 }
553
554 if (message_id == this->last_replied_message_id)
555 {
556 return NOT_FOUND;
557 }
558
559 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
560 {
561 return NOT_FOUND;
562 }
563
564 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
565 packet = this->last_requested_message->get_packet(this->last_requested_message);
566 charon->send_queue->add(charon->send_queue, packet);
567
568 return SUCCESS;
569 }
570
571 /**
572 * Implementation of protected_ike_sa_t.set_new_state.
573 */
574 static void set_new_state (private_ike_sa_t *this, state_t *state)
575 {
576 this->logger->log(this->logger, CONTROL, "Change current state %s to %s",
577 mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
578 mapping_find(ike_sa_state_m,state->get_state(state)));
579 this->current_state = state;
580 }
581
582 /**
583 * Implementation of protected_ike_sa_t.get_logger.
584 */
585 static logger_t *get_logger (private_ike_sa_t *this)
586 {
587 return this->logger;
588 }
589
590 /**
591 * Implementation of protected_ike_sa_t.get_my_host.
592 */
593 static host_t *get_my_host (private_ike_sa_t *this)
594 {
595 return this->me.host;
596 }
597
598 /**
599 * Implementation of protected_ike_sa_t.get_other_host.
600 */
601 static host_t *get_other_host (private_ike_sa_t *this)
602 {
603 return this->other.host;
604 }
605
606 /**
607 * Implementation of protected_ike_sa_t.get_init_config.
608 */
609 static init_config_t *get_init_config (private_ike_sa_t *this)
610 {
611 return this->init_config;
612 }
613
614 /**
615 * Implementation of protected_ike_sa_t.set_init_config.
616 */
617 static void set_init_config (private_ike_sa_t *this,init_config_t * init_config)
618 {
619 this->init_config = init_config;
620 }
621
622 /**
623 * Implementation of protected_ike_sa_t.get_sa_config.
624 */
625 static sa_config_t *get_sa_config (private_ike_sa_t *this)
626 {
627 return this->sa_config;
628 }
629
630 /**
631 * Implementation of protected_ike_sa_t.set_sa_config.
632 */
633 static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config)
634 {
635 this->sa_config = sa_config;
636 }
637
638 /**
639 * Implementation of protected_ike_sa_t.set_my_host.
640 */
641 static void set_my_host (private_ike_sa_t *this, host_t *my_host)
642 {
643 this->me.host = my_host;
644 }
645
646 /**
647 * Implementation of protected_ike_sa_t.set_other_host.
648 */
649 static void set_other_host (private_ike_sa_t *this, host_t *other_host)
650 {
651 this->other.host = other_host;
652 }
653
654 /**
655 * Implementation of protected_ike_sa_t.get_prf.
656 */
657 static prf_t *get_prf (private_ike_sa_t *this)
658 {
659 return this->prf;
660 }
661
662 /**
663 * Implementation of protected_ike_sa_t.get_key_pr.
664 */
665 static chunk_t get_key_pr (private_ike_sa_t *this)
666 {
667 return this->secrets.pr_key;
668 }
669
670
671 /**
672 * Implementation of protected_ike_sa_t.get_key_pi.
673 */
674 static chunk_t get_key_pi (private_ike_sa_t *this)
675 {
676 return this->secrets.pi_key;
677 }
678
679 /**
680 * Implementation of protected_ike_sa_t.set_prf.
681 */
682 static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal)
683 {
684 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to create transform objects for proposal");
685
686 this->logger->log(this->logger, CONTROL|LEVEL2, "Encryption algorithm: %s with keylength %d",
687 mapping_find(encryption_algorithm_m,proposal->encryption_algorithm),
688 proposal->encryption_algorithm_key_length);
689 this->logger->log(this->logger, CONTROL|LEVEL2, "Integrity algorithm: %s with keylength %d",
690 mapping_find(integrity_algorithm_m,proposal->integrity_algorithm),
691 proposal->integrity_algorithm_key_length);
692 this->logger->log(this->logger, CONTROL|LEVEL2, "PRF: %s with keylength %d",
693 mapping_find(pseudo_random_function_m,proposal->pseudo_random_function),
694 proposal->pseudo_random_function_key_length);
695
696 if (this->prf != NULL)
697 {
698 this->prf->destroy(this->prf);
699 }
700 this->prf = prf_create(proposal->pseudo_random_function);
701 if (this->prf == NULL)
702 {
703 this->logger->log(this->logger, ERROR|LEVEL1, "PRF %s not supported!",
704 mapping_find(pseudo_random_function_m,proposal->pseudo_random_function));
705 return FAILED;
706 }
707
708 if (this->crypter_initiator != NULL)
709 {
710 this->crypter_initiator->destroy(this->crypter_initiator);
711 }
712 this->crypter_initiator = crypter_create(proposal->encryption_algorithm,
713 proposal->encryption_algorithm_key_length);
714 if (this->crypter_initiator == NULL)
715 {
716 this->logger->log(this->logger, ERROR|LEVEL1, "Encryption algorithm %s not supported!",
717 mapping_find(encryption_algorithm_m,proposal->encryption_algorithm));
718 return FAILED;
719 }
720
721 if (this->crypter_responder != NULL)
722 {
723 this->crypter_responder->destroy(this->crypter_responder);
724 }
725 this->crypter_responder = crypter_create(proposal->encryption_algorithm,
726 proposal->encryption_algorithm_key_length);
727 /* check must not be done again */
728
729 if (this->signer_initiator != NULL)
730 {
731 this->signer_initiator->destroy(this->signer_initiator);
732 }
733 this->signer_initiator = signer_create(proposal->integrity_algorithm);
734 if (this->signer_initiator == NULL)
735 {
736 this->logger->log(this->logger, ERROR|LEVEL1, "Integrity algorithm %s not supported!",
737 mapping_find(integrity_algorithm_m,proposal->integrity_algorithm));
738 return FAILED;
739 }
740
741 if (this->signer_responder != NULL)
742 {
743 this->signer_responder->destroy(this->signer_responder);
744 }
745 this->signer_responder = signer_create(proposal->integrity_algorithm);
746
747 return SUCCESS;
748 }
749
750 /**
751 * Implementation of protected_ike_sa_t.get_randomizer.
752 */
753 static randomizer_t *get_randomizer (private_ike_sa_t *this)
754 {
755 return this->randomizer;
756 }
757
758 /**
759 * Implementation of protected_ike_sa_t.get_crypter_initiator.
760 */
761 static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
762 {
763 return this->crypter_initiator;
764 }
765
766 /**
767 * Implementation of protected_ike_sa_t.get_signer_initiator.
768 */
769 static signer_t *get_signer_initiator (private_ike_sa_t *this)
770 {
771 return this->signer_initiator;
772 }
773
774 /**
775 * Implementation of protected_ike_sa_t.get_crypter_responder.
776 */
777 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
778 {
779 return this->crypter_responder;
780 }
781
782 /**
783 * Implementation of protected_ike_sa_t.get_signer_responder.
784 */
785 static signer_t *get_signer_responder (private_ike_sa_t *this)
786 {
787 return this->signer_responder;
788 }
789
790 /**
791 * Implementation of protected_ike_sa_t.send_request.
792 */
793 static status_t send_request (private_ike_sa_t *this,message_t * message)
794 {
795 retransmit_request_job_t *retransmit_job;
796 u_int32_t timeout;
797 packet_t *packet;
798 status_t status;
799
800 if (message->get_message_id(message) != this->message_id_out)
801 {
802 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
803 message->get_message_id(message),this->message_id_out);
804 return FAILED;
805 }
806
807 /* generate packet */
808 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
809
810 status = message->generate(message, this->crypter_initiator,this->signer_initiator, &packet);
811 if (status != SUCCESS)
812 {
813 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
814 return FAILED;
815 }
816
817 this->logger->log(this->logger, CONTROL|LEVEL3,
818 "Add request packet with message id %d to global send queue",
819 this->message_id_out);
820 charon->send_queue->add(charon->send_queue, packet);
821
822 if (this->last_requested_message != NULL)
823 {
824 /* destroy message */
825 this->last_requested_message->destroy(this->last_requested_message);
826 }
827
828 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
829 this->last_requested_message = message;
830
831 retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
832
833 status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,
834 retransmit_job->get_retransmit_count(retransmit_job),&timeout);
835
836 if (status != SUCCESS)
837 {
838 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
839 retransmit_job->destroy(retransmit_job);
840 }
841 else
842 {
843 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.",timeout);
844 charon->event_queue->add_relative(charon->event_queue,(job_t *) retransmit_job,timeout);
845 }
846
847 /* message counter can now be increased */
848 this->logger->log(this->logger, CONTROL|LEVEL3,
849 "Increase message counter for outgoing messages from %d",
850 this->message_id_out);
851 this->message_id_out++;
852 return SUCCESS;
853 }
854
855 /**
856 * Implementation of protected_ike_sa_t.send_response.
857 */
858 static status_t send_response (private_ike_sa_t *this,message_t * message)
859 {
860 packet_t *packet;
861 status_t status;
862
863 if (message->get_message_id(message) != this->message_id_in)
864 {
865 this->logger->log(this->logger, ERROR, "Message could not be sent cause id was not as expected");
866 return FAILED;
867 }
868
869 status = message->generate(message, this->crypter_responder,this->signer_responder, &packet);
870 if (status != SUCCESS)
871 {
872 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
873 return FAILED;
874 }
875
876 this->logger->log(this->logger, CONTROL|LEVEL3,
877 "Add response packet with message id %d to global send queue",
878 this->message_id_in);
879 charon->send_queue->add(charon->send_queue, packet);
880
881 if (this->last_responded_message != NULL)
882 {
883 /* destroy message */
884 this->last_responded_message->destroy(this->last_responded_message);
885 }
886
887 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
888 this->last_responded_message = message;
889
890 /* message counter can now be increased */
891 this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
892 this->message_id_in++;
893
894 return SUCCESS;
895 }
896
897 /**
898 * Implementation of of private_responder_init_t.send_notify_reply.
899 */
900 static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data)
901 {
902 notify_payload_t *payload;
903 message_t *response;
904 packet_t *packet;
905 status_t status;
906
907 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
908 /* set up the reply */
909 this->protected.build_message(&(this->protected), exchange_type, FALSE, &response);
910 payload = notify_payload_create_from_protocol_and_type(IKE,type);
911 if ((data.ptr != NULL) && (data.len > 0))
912 {
913 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
914 payload->set_notification_data(payload,data);
915 }
916
917 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
918 response->add_payload(response,(payload_t *) payload);
919
920 /* generate packet */
921 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
922 status = response->generate(response, this->crypter_responder, this->signer_responder, &packet);
923 if (status != SUCCESS)
924 {
925 this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message");
926 response->destroy(response);
927 return;
928 }
929
930 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
931 charon->send_queue->add(charon->send_queue, packet);
932 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
933 response->destroy(response);
934 }
935
936 /**
937 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
938 */
939 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
940 {
941 this->last_replied_message_id = message_id;
942 }
943
944 /**
945 * Implementation of protected_ike_sa_t.get_last_responded_message.
946 */
947 static message_t * get_last_responded_message (private_ike_sa_t *this)
948 {
949 return this->last_responded_message;
950 }
951
952 /**
953 * Implementation of protected_ike_sa_t.get_last_requested_message.
954 */
955 static message_t * get_last_requested_message (private_ike_sa_t *this)
956 {
957 return this->last_requested_message;
958 }
959
960 /**
961 * Implementation of protected_ike_sa_t.get_state.
962 */
963 static ike_sa_state_t get_state (private_ike_sa_t *this)
964 {
965 return this->current_state->get_state(this->current_state);
966 }
967
968 /**
969 * Implementation of protected_ike_sa_t.reset_message_buffers.
970 */
971 static void reset_message_buffers (private_ike_sa_t *this)
972 {
973 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
974 /* destroy stored requested message */
975 if (this->last_requested_message != NULL)
976 {
977 this->last_requested_message->destroy(this->last_requested_message);
978 this->last_requested_message = NULL;
979 }
980
981 /* destroy stored responded messages */
982 if (this->last_responded_message != NULL)
983 {
984 this->last_responded_message->destroy(this->last_responded_message);
985 this->last_responded_message = NULL;
986 }
987
988 this->message_id_out = 0;
989 this->message_id_in = 0;
990 this->last_replied_message_id = -1;
991 }
992
993 /**
994 * Implementation of protected_ike_sa_t.create_delete_established_ike_sa_job.
995 */
996 static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32_t timeout)
997 {
998 job_t *delete_job;
999
1000 this->logger->log(this->logger, CONTROL | LEVEL1,
1001 "Going to create job to delete established IKE_SA in %d ms",
1002 timeout);
1003
1004 delete_job = (job_t *) delete_established_ike_sa_job_create(this->ike_sa_id);
1005 charon->event_queue->add_relative(charon->event_queue,delete_job, timeout);
1006 }
1007
1008 /**
1009 * Implementation of protected_ike_sa_t.destroy.
1010 */
1011 static void destroy (private_ike_sa_t *this)
1012 {
1013 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
1014 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1015 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
1016 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
1017
1018 /* destroy child sa's */
1019 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy all child_sa's");
1020 while (this->child_sas->get_count(this->child_sas) > 0)
1021 {
1022 void *child_sa;
1023 if (this->child_sas->remove_first(this->child_sas, &child_sa) != SUCCESS)
1024 {
1025 break;
1026 }
1027 /* destroy child sa */
1028 }
1029 this->child_sas->destroy(this->child_sas);
1030
1031 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy secrets");
1032 allocator_free(this->secrets.d_key.ptr);
1033 allocator_free(this->secrets.pi_key.ptr);
1034 allocator_free(this->secrets.pr_key.ptr);
1035
1036 if (this->crypter_initiator != NULL)
1037 {
1038 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator crypter_t object");
1039 this->crypter_initiator->destroy(this->crypter_initiator);
1040 }
1041
1042 if (this->crypter_responder != NULL)
1043 {
1044 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder crypter_t object");
1045 this->crypter_responder->destroy(this->crypter_responder);
1046 }
1047
1048 if (this->signer_initiator != NULL)
1049 {
1050 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator signer_t object");
1051 this->signer_initiator->destroy(this->signer_initiator);
1052 }
1053
1054 if (this->signer_responder != NULL)
1055 {
1056 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder signer_t object");
1057 this->signer_responder->destroy(this->signer_responder);
1058 }
1059
1060 if (this->prf != NULL)
1061 {
1062 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy prf_t object");
1063 this->prf->destroy(this->prf);
1064 }
1065
1066 /* destroy ike_sa_id */
1067 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy ike_sa_id object");
1068 this->ike_sa_id->destroy(this->ike_sa_id);
1069
1070 /* destroy stored requested message */
1071 if (this->last_requested_message != NULL)
1072 {
1073 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last requested message");
1074 this->last_requested_message->destroy(this->last_requested_message);
1075 }
1076
1077 /* destroy stored responded messages */
1078 if (this->last_responded_message != NULL)
1079 {
1080 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last responded message");
1081 this->last_responded_message->destroy(this->last_responded_message);
1082 }
1083
1084 /* destroy stored host_t objects */
1085 if (this->me.host != NULL)
1086 {
1087 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy my host_t object");
1088 this->me.host->destroy(this->me.host);
1089 }
1090
1091 /* destroy stored host_t objects */
1092 if (this->other.host != NULL)
1093 {
1094 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy other host_t object");
1095 this->other.host->destroy(this->other.host);
1096 }
1097
1098 this->randomizer->destroy(this->randomizer);
1099
1100 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy current state object");
1101 this->current_state->destroy(this->current_state);
1102
1103 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy logger of IKE_SA");
1104 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
1105
1106 allocator_free(this);
1107 }
1108
1109 /*
1110 * Described in header.
1111 */
1112 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1113 {
1114 private_ike_sa_t *this = allocator_alloc_thing(private_ike_sa_t);
1115
1116 /* Public functions */
1117 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1118 this->protected.public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
1119 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1120 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1121 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1122 this->protected.public.send_delete_ike_sa_request = (void (*)(ike_sa_t*)) send_delete_ike_sa_request;
1123 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1124
1125 /* protected functions */
1126 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
1127 this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
1128 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1129 this->protected.get_key_pr = (chunk_t (*) (protected_ike_sa_t *)) get_key_pr;
1130 this->protected.get_key_pi = (chunk_t (*) (protected_ike_sa_t *)) get_key_pi;
1131 this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
1132 this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
1133 this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
1134 this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config;
1135 this->protected.get_sa_config = (sa_config_t *(*) (protected_ike_sa_t *)) get_sa_config;
1136 this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host;
1137 this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host;
1138 this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host;
1139 this->protected.set_other_host = (void(*) (protected_ike_sa_t *, host_t *)) set_other_host;
1140 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1141 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1142 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1143 this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify;
1144 this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,ike_proposal_t *)) create_transforms_from_proposal;
1145 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1146 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1147 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1148 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1149 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1150 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1151 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_responded_message;
1152 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_requested_message;
1153 this->protected.create_delete_established_ike_sa_job = (void (*) (protected_ike_sa_t *this,u_int32_t)) create_delete_established_ike_sa_job;
1154
1155 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1156
1157 /* private functions */
1158 this->resend_last_reply = resend_last_reply;
1159
1160 /* initialize private fields */
1161 this->logger = charon->logger_manager->create_logger(charon->logger_manager, IKE_SA, NULL);
1162
1163 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1164 this->child_sas = linked_list_create();
1165 this->randomizer = randomizer_create();
1166
1167 this->me.host = NULL;
1168 this->other.host = NULL;
1169 this->last_requested_message = NULL;
1170 this->last_responded_message = NULL;
1171 this->message_id_out = 0;
1172 this->message_id_in = 0;
1173 this->last_replied_message_id = -1;
1174 this->secrets.d_key = CHUNK_INITIALIZER;
1175 this->secrets.pi_key = CHUNK_INITIALIZER;
1176 this->secrets.pr_key = CHUNK_INITIALIZER;
1177 this->crypter_initiator = NULL;
1178 this->crypter_responder = NULL;
1179 this->signer_initiator = NULL;
1180 this->signer_responder = NULL;
1181 this->prf = NULL;
1182 this->init_config = NULL;
1183 this->sa_config = NULL;
1184
1185 /* at creation time, IKE_SA is in a initiator state */
1186 if (ike_sa_id->is_initiator(ike_sa_id))
1187 {
1188 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
1189 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1190 }
1191 else
1192 {
1193 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
1194 this->current_state = (state_t *) responder_init_create(&(this->protected));
1195 }
1196 return &(this->protected.public);
1197 }