bae5ea70c6dedcd4a657106000a7277f5a5a6e3d
[strongswan.git] / Source / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_sa.h"
24
25 #include <types.h>
26 #include <daemon.h>
27 #include <definitions.h>
28 #include <utils/allocator.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <transforms/diffie_hellman.h>
33 #include <transforms/prf_plus.h>
34 #include <transforms/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/delete_payload.h>
39 #include <encoding/payloads/transform_substructure.h>
40 #include <encoding/payloads/transform_attribute.h>
41 #include <sa/states/initiator_init.h>
42 #include <sa/states/responder_init.h>
43 #include <queues/jobs/retransmit_request_job.h>
44 #include <queues/jobs/delete_established_ike_sa_job.h>
45
46
47
48
49 typedef struct private_ike_sa_t private_ike_sa_t;
50
51 /**
52 * Private data of an ike_sa_t object.
53 */
54 struct private_ike_sa_t {
55
56 /**
57 * Protected part of a ike_sa_t object.
58 */
59 protected_ike_sa_t protected;
60
61 /**
62 * Resends the last sent reply.
63 *
64 * @param this calling object
65 */
66 status_t (*resend_last_reply) (private_ike_sa_t *this);
67
68 /* private values */
69
70 /**
71 * Identifier for the current IKE_SA.
72 */
73 ike_sa_id_t *ike_sa_id;
74
75 /**
76 * Linked List containing the child sa's of the current IKE_SA.
77 */
78 linked_list_t *child_sas;
79
80 /**
81 * Current state of the IKE_SA represented as state_t object.
82 *
83 * A state object representates one of the following states and is processing
84 * messages in the specific state:
85 * - INITIATOR_INIT
86 * - RESPONDER_INIT
87 * - IKE_SA_INIT_REQUESTED
88 * - IKE_SA_INIT_RESPONDED
89 * - IKE_AUTH_REQUESTED
90 * -IKE_SA_ESTABLISHED
91 */
92 state_t *current_state;
93
94 /**
95 * INIT configuration, needed for the IKE_SA_INIT exchange.
96 *
97 * Gets set in states:
98 * - INITATOR_INIT
99 * - RESPONDER_INIT
100 *
101 * Available in states:
102 * - IKE_SA_INIT_REQUESTED
103 * - IKE_SA_INIT_RESPONDED
104 * - IKE_AUTH_REQUESTED
105 * -IKE_SA_ESTABLISHED
106 */
107 init_config_t *init_config;
108
109 /**
110 * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
111 *
112 * Gets set in states:
113 * - IKE_SA_INIT_REQUESTED
114 * - IKE_SA_INIT_RESPONDED
115 *
116 * Available in states:
117 * - IKE_AUTH_REQUESTED
118 * -IKE_SA_ESTABLISHED
119 */
120 sa_config_t *sa_config;
121
122 /**
123 * This SA's source for random data.
124 *
125 * Is available in every state.
126 */
127 randomizer_t *randomizer;
128
129 /**
130 * The last responded message.
131 */
132 message_t *last_responded_message;
133
134 /**
135 * The ast requested message.
136 */
137 message_t *last_requested_message;
138
139 /**
140 * Informations of this host.
141 */
142 struct {
143 host_t *host;
144 } me;
145
146 /**
147 * Informations of the other host.
148 */
149 struct {
150 host_t *host;
151 } other;
152
153 /**
154 * Crypter object for initiator.
155 *
156 * Gets set in states:
157 * - IKE_SA_INIT_REQUESTED
158 * - RESPONDER_INIT
159 *
160 * Available in states:
161 * - IKE_SA_INIT_RESPONDED
162 * - IKE_AUTH_REQUESTED
163 * -IKE_SA_ESTABLISHED
164 */
165 crypter_t *crypter_initiator;
166
167 /**
168 * Crypter object for responder.
169 *
170 * Gets set in states:
171 * - IKE_SA_INIT_REQUESTED
172 * - RESPONDER_INIT
173 *
174 * Available in states:
175 * - IKE_SA_INIT_RESPONDED
176 * - IKE_AUTH_REQUESTED
177 * -IKE_SA_ESTABLISHED
178 */
179 crypter_t *crypter_responder;
180
181 /**
182 * Signer object for initiator.
183 *
184 * Gets set in states:
185 * - IKE_SA_INIT_REQUESTED
186 * - RESPONDER_INIT
187 *
188 * Available in states:
189 * - IKE_SA_INIT_RESPONDED
190 * - IKE_AUTH_REQUESTED
191 * -IKE_SA_ESTABLISHED
192 */
193 signer_t *signer_initiator;
194
195 /**
196 * Signer object for responder.
197 *
198 * Gets set in states:
199 * - IKE_SA_INIT_REQUESTED
200 * - RESPONDER_INIT
201 *
202 * Available in states:
203 * - IKE_SA_INIT_RESPONDED
204 * - IKE_AUTH_REQUESTED
205 * -IKE_SA_ESTABLISHED
206 */
207 signer_t *signer_responder;
208
209 /**
210 * Prf function.
211 *
212 * Gets set in states:
213 * - IKE_SA_INIT_REQUESTED
214 * - RESPONDER_INIT
215 *
216 * Available in states:
217 * - IKE_SA_INIT_RESPONDED
218 * - IKE_AUTH_REQUESTED
219 * -IKE_SA_ESTABLISHED
220 */
221 prf_t *prf;
222
223 /**
224 * Shared secrets which have to be stored.
225 *
226 * Are getting set in states:
227 * - IKE_SA_INIT_REQUESTED
228 * - RESPONDER_INIT
229 *
230 * Available in states:
231 * - IKE_SA_INIT_RESPONDED
232 * - IKE_AUTH_REQUESTED
233 * -IKE_SA_ESTABLISHED
234 */
235 struct {
236 /**
237 * Key used for deriving other keys
238 */
239 chunk_t d_key;
240
241 /**
242 * Key for generating auth payload (initiator)
243 */
244 chunk_t pi_key;
245
246 /**
247 * Key for generating auth payload (responder)
248 */
249 chunk_t pr_key;
250
251 } secrets;
252
253 /**
254 * Next message id to receive.
255 */
256 u_int32_t message_id_in;
257
258 /**
259 * Next message id to send.
260 */
261 u_int32_t message_id_out;
262
263 /**
264 * Last reply id which was successfully received.
265 */
266 int32_t last_replied_message_id;
267
268 /**
269 * A logger for this IKE_SA.
270 */
271 logger_t *logger;
272 };
273
274 /**
275 * Implementation of ike_sa_t.process_message.
276 */
277 static status_t process_message (private_ike_sa_t *this, message_t *message)
278 {
279 u_int32_t message_id;
280 exchange_type_t exchange_type;
281 bool is_request;
282
283 /* We must process each request or response from remote host */
284
285 /* Find out type of message (request or response) */
286 is_request = message->get_request(message);
287 exchange_type = message->get_exchange_type(message);
288
289 this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
290 (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
291
292 message_id = message->get_message_id(message);
293
294 /*
295 * It has to be checked, if the message has to be resent cause of lost packets!
296 */
297 if (is_request && (message_id == (this->message_id_in - 1)))
298 {
299 /* Message can be resent ! */
300 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
301 return (this->resend_last_reply(this));
302 }
303
304 /* Now, the message id is checked for request AND reply */
305 if (is_request)
306 {
307 /* In a request, the message has to be this->message_id_in (other case is already handled) */
308 if (message_id != this->message_id_in)
309 {
310 this->logger->log(this->logger, ERROR | LEVEL1,
311 "Message request with message id %d received, but %d expected",
312 message_id,this->message_id_in);
313 return FAILED;
314 }
315 }
316 else
317 {
318 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
319 if (message_id != (this->message_id_out - 1))
320 {
321 this->logger->log(this->logger, ERROR | LEVEL1,
322 "Message reply with message id %d received, but %d expected",
323 message_id,this->message_id_in);
324 return FAILED;
325 }
326 }
327
328 /* now the message is processed by the current state object.
329 * The specific state object is responsible to check if a message can be received in
330 * the state it represents.
331 * The current state is also responsible to change the state object to the next state
332 * by calling protected_ike_sa_t.set_new_state*/
333 return this->current_state->process_message(this->current_state,message);
334 }
335
336 /**
337 * Implementation of protected_ike_sa_t.build_message.
338 */
339 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
340 {
341 message_t *new_message;
342
343 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
344 new_message = message_create();
345 new_message->set_source(new_message, this->me.host->clone(this->me.host));
346 new_message->set_destination(new_message, this->other.host->clone(this->other.host));
347 new_message->set_exchange_type(new_message, type);
348 new_message->set_request(new_message, request);
349 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
350 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
351
352 *message = new_message;
353 }
354
355 /**
356 * Implementation of protected_ike_sa_t.process_configuration.
357 */
358 static status_t initialize_connection(private_ike_sa_t *this, char *name)
359 {
360 initiator_init_t *current_state;
361 status_t status;
362
363 /* Work is done in state object of type INITIATOR_INIT. All other states are not
364 * initial states and so don't have a initialize_connection function */
365
366 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
367 {
368 return FAILED;
369 }
370
371 current_state = (initiator_init_t *) this->current_state;
372
373 status = current_state->initiate_connection(current_state,name);
374 return status;
375 }
376
377 /**
378 * Implementation of ike_sa_t.send_delete_ike_sa_request.
379 */
380 static void send_delete_ike_sa_request (private_ike_sa_t *this)
381 {
382 message_t *informational_request;
383 delete_payload_t *delete_payload;
384 status_t status;
385
386 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
387 {
388 return;
389 }
390
391 /* build empty INFORMATIONAL message */
392 this->protected.build_message(&(this->protected), INFORMATIONAL, TRUE, &informational_request);
393
394 delete_payload = delete_payload_create();
395 delete_payload->set_protocol_id(delete_payload,IKE);
396
397 informational_request->add_payload(informational_request,(payload_t *)delete_payload);
398
399 status = this->protected.send_request(&(this->protected), informational_request);
400 if (status != SUCCESS)
401 {
402 this->logger->log(this->logger, AUDIT, "Unable to send INFORMATIONAL DELETE request");
403 informational_request->destroy(informational_request);
404 }
405 }
406
407 /**
408 * Implementation of protected_ike_sa_t.get_id.
409 */
410 static ike_sa_id_t* get_id(private_ike_sa_t *this)
411 {
412 return this->ike_sa_id;
413 }
414
415 /**
416 * Implementation of protected_ike_sa_t.compute_secrets.
417 */
418 static void compute_secrets(private_ike_sa_t *this,
419 chunk_t dh_shared_secret,
420 chunk_t initiator_nonce,
421 chunk_t responder_nonce)
422 {
423 u_int8_t ei_buffer[this->crypter_initiator->get_block_size(this->crypter_initiator)];
424 chunk_t ei_key = {ptr: ei_buffer, len: sizeof(ei_buffer)};
425 u_int8_t er_buffer[this->crypter_responder->get_block_size(this->crypter_responder)];
426 chunk_t er_key = {ptr: er_buffer, len: sizeof(er_buffer)};
427 u_int8_t ai_buffer[this->signer_initiator->get_key_size(this->signer_initiator)];
428 chunk_t ai_key = {ptr: ai_buffer, len: sizeof(ai_buffer)};
429 u_int8_t ar_buffer[this->signer_responder->get_key_size(this->signer_responder)];
430 chunk_t ar_key = {ptr: ar_buffer, len: sizeof(ar_buffer)};
431 u_int8_t concatenated_nonces_buffer[initiator_nonce.len + responder_nonce.len];
432 chunk_t concatenated_nonces = {ptr: concatenated_nonces_buffer, len : sizeof(concatenated_nonces_buffer)};
433 u_int8_t skeyseed_buffer[this->prf->get_block_size(this->prf)];
434 chunk_t skeyseed = {ptr: skeyseed_buffer, len: sizeof(skeyseed_buffer)};
435 u_int64_t initiator_spi;
436 u_int64_t responder_spi;
437 chunk_t prf_plus_seed;
438 prf_plus_t *prf_plus;
439
440 /* first is initiator */
441 memcpy(concatenated_nonces.ptr,initiator_nonce.ptr,initiator_nonce.len);
442 /* second is responder */
443 memcpy(concatenated_nonces.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
444
445 this->logger->log_chunk(this->logger, RAW | LEVEL2, "Nonce data", &concatenated_nonces);
446
447 /* Status of set_key is not checked */
448 this->prf->set_key(this->prf,concatenated_nonces);
449
450 this->prf->get_bytes(this->prf,dh_shared_secret,skeyseed_buffer);
451
452 prf_plus_seed.len = (initiator_nonce.len + responder_nonce.len + 16);
453 prf_plus_seed.ptr = allocator_alloc(prf_plus_seed.len);
454
455 /* first is initiator */
456 memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len);
457 /* second is responder */
458 memcpy(prf_plus_seed.ptr + initiator_nonce.len,responder_nonce.ptr,responder_nonce.len);
459 /* third is initiator spi */
460 initiator_spi = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
461 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len,&initiator_spi,8);
462 /* fourth is responder spi */
463 responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
464 memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8);
465
466 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "Keyseed", &skeyseed);
467 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "PRF+ Seed", &prf_plus_seed);
468
469 this->logger->log(this->logger, CONTROL | LEVEL2, "Set new key of prf object");
470 this->prf->set_key(this->prf,skeyseed);
471
472 this->logger->log(this->logger, CONTROL | LEVEL2, "Create new prf+ object");
473 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
474 allocator_free_chunk(&prf_plus_seed);
475
476
477 prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key));
478 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key));
479
480 prf_plus->get_bytes(prf_plus,ai_key.len,ai_buffer);
481 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(ai_key));
482 this->signer_initiator->set_key(this->signer_initiator,ai_key);
483
484 prf_plus->get_bytes(prf_plus,ar_key.len,ar_buffer);
485 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(ar_key));
486 this->signer_responder->set_key(this->signer_responder,ar_key);
487
488 prf_plus->get_bytes(prf_plus,ei_key.len,ei_buffer);
489 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(ei_key));
490 this->crypter_initiator->set_key(this->crypter_initiator,ei_key);
491
492 prf_plus->get_bytes(prf_plus,er_key.len,er_buffer);
493 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(er_key));
494 this->crypter_responder->set_key(this->crypter_responder,er_key);
495
496 prf_plus->allocate_bytes(prf_plus,
497 this->crypter_responder->get_block_size(this->crypter_responder),
498 &(this->secrets.pi_key));
499 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
500
501 prf_plus->allocate_bytes(prf_plus,
502 this->crypter_responder->get_block_size(this->crypter_responder),
503 &(this->secrets.pr_key));
504 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
505
506 prf_plus->destroy(prf_plus);
507 }
508
509 /**
510 * Implementation of private_ike_sa_t.resend_last_reply.
511 */
512 static status_t resend_last_reply(private_ike_sa_t *this)
513 {
514 packet_t *packet;
515
516 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit last reply");
517 packet = this->last_responded_message->get_packet(this->last_responded_message);
518 charon->send_queue->add(charon->send_queue, packet);
519
520 return SUCCESS;
521 }
522
523 /**
524 * Implementation of ike_sa_t.retransmit_request.
525 */
526 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
527 {
528 packet_t *packet;
529
530 if (this->last_requested_message == NULL)
531 {
532 return NOT_FOUND;
533 }
534
535 if (message_id == this->last_replied_message_id)
536 {
537 return NOT_FOUND;
538 }
539
540 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
541 {
542 return NOT_FOUND;
543 }
544
545 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
546 packet = this->last_requested_message->get_packet(this->last_requested_message);
547 charon->send_queue->add(charon->send_queue, packet);
548
549 return SUCCESS;
550 }
551
552 /**
553 * Implementation of protected_ike_sa_t.set_new_state.
554 */
555 static void set_new_state (private_ike_sa_t *this, state_t *state)
556 {
557 this->logger->log(this->logger, CONTROL, "Change current state %s to %s",
558 mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
559 mapping_find(ike_sa_state_m,state->get_state(state)));
560 this->current_state = state;
561 }
562
563 /**
564 * Implementation of protected_ike_sa_t.get_logger.
565 */
566 static logger_t *get_logger (private_ike_sa_t *this)
567 {
568 return this->logger;
569 }
570
571 /**
572 * Implementation of protected_ike_sa_t.get_my_host.
573 */
574 static host_t *get_my_host (private_ike_sa_t *this)
575 {
576 return this->me.host;
577 }
578
579 /**
580 * Implementation of protected_ike_sa_t.get_other_host.
581 */
582 static host_t *get_other_host (private_ike_sa_t *this)
583 {
584 return this->other.host;
585 }
586
587 /**
588 * Implementation of protected_ike_sa_t.get_init_config.
589 */
590 static init_config_t *get_init_config (private_ike_sa_t *this)
591 {
592 return this->init_config;
593 }
594
595 /**
596 * Implementation of protected_ike_sa_t.set_init_config.
597 */
598 static void set_init_config (private_ike_sa_t *this,init_config_t * init_config)
599 {
600 this->init_config = init_config;
601 }
602
603 /**
604 * Implementation of protected_ike_sa_t.get_sa_config.
605 */
606 static sa_config_t *get_sa_config (private_ike_sa_t *this)
607 {
608 return this->sa_config;
609 }
610
611 /**
612 * Implementation of protected_ike_sa_t.set_sa_config.
613 */
614 static void set_sa_config (private_ike_sa_t *this,sa_config_t * sa_config)
615 {
616 this->sa_config = sa_config;
617 }
618
619 /**
620 * Implementation of protected_ike_sa_t.set_my_host.
621 */
622 static void set_my_host (private_ike_sa_t *this, host_t *my_host)
623 {
624 this->me.host = my_host;
625 }
626
627 /**
628 * Implementation of protected_ike_sa_t.set_other_host.
629 */
630 static void set_other_host (private_ike_sa_t *this, host_t *other_host)
631 {
632 this->other.host = other_host;
633 }
634
635 /**
636 * Implementation of protected_ike_sa_t.get_prf.
637 */
638 static prf_t *get_prf (private_ike_sa_t *this)
639 {
640 return this->prf;
641 }
642
643 /**
644 * Implementation of protected_ike_sa_t.get_key_pr.
645 */
646 static chunk_t get_key_pr (private_ike_sa_t *this)
647 {
648 return this->secrets.pr_key;
649 }
650
651
652 /**
653 * Implementation of protected_ike_sa_t.get_key_pi.
654 */
655 static chunk_t get_key_pi (private_ike_sa_t *this)
656 {
657 return this->secrets.pi_key;
658 }
659
660 /**
661 * Implementation of protected_ike_sa_t.set_prf.
662 */
663 static status_t create_transforms_from_proposal (private_ike_sa_t *this,ike_proposal_t *proposal)
664 {
665 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to create transform objects for proposal");
666
667 this->logger->log(this->logger, CONTROL|LEVEL2, "Encryption algorithm: %s with keylength %d",
668 mapping_find(encryption_algorithm_m,proposal->encryption_algorithm),
669 proposal->encryption_algorithm_key_length);
670 this->logger->log(this->logger, CONTROL|LEVEL2, "Integrity algorithm: %s with keylength %d",
671 mapping_find(integrity_algorithm_m,proposal->integrity_algorithm),
672 proposal->integrity_algorithm_key_length);
673 this->logger->log(this->logger, CONTROL|LEVEL2, "PRF: %s with keylength %d",
674 mapping_find(pseudo_random_function_m,proposal->pseudo_random_function),
675 proposal->pseudo_random_function_key_length);
676
677 if (this->prf != NULL)
678 {
679 this->prf->destroy(this->prf);
680 }
681 this->prf = prf_create(proposal->pseudo_random_function);
682 if (this->prf == NULL)
683 {
684 this->logger->log(this->logger, ERROR|LEVEL1, "PRF %s not supported!",
685 mapping_find(pseudo_random_function_m,proposal->pseudo_random_function));
686 return FAILED;
687 }
688
689 if (this->crypter_initiator != NULL)
690 {
691 this->crypter_initiator->destroy(this->crypter_initiator);
692 }
693 this->crypter_initiator = crypter_create(proposal->encryption_algorithm,
694 proposal->encryption_algorithm_key_length);
695 if (this->crypter_initiator == NULL)
696 {
697 this->logger->log(this->logger, ERROR|LEVEL1, "Encryption algorithm %s not supported!",
698 mapping_find(encryption_algorithm_m,proposal->encryption_algorithm));
699 return FAILED;
700 }
701
702 if (this->crypter_responder != NULL)
703 {
704 this->crypter_responder->destroy(this->crypter_responder);
705 }
706 this->crypter_responder = crypter_create(proposal->encryption_algorithm,
707 proposal->encryption_algorithm_key_length);
708 /* check must not be done again */
709
710 if (this->signer_initiator != NULL)
711 {
712 this->signer_initiator->destroy(this->signer_initiator);
713 }
714 this->signer_initiator = signer_create(proposal->integrity_algorithm);
715 if (this->signer_initiator == NULL)
716 {
717 this->logger->log(this->logger, ERROR|LEVEL1, "Integrity algorithm %s not supported!",
718 mapping_find(integrity_algorithm_m,proposal->integrity_algorithm));
719 return FAILED;
720 }
721
722 if (this->signer_responder != NULL)
723 {
724 this->signer_responder->destroy(this->signer_responder);
725 }
726 this->signer_responder = signer_create(proposal->integrity_algorithm);
727
728 return SUCCESS;
729 }
730
731 /**
732 * Implementation of protected_ike_sa_t.get_randomizer.
733 */
734 static randomizer_t *get_randomizer (private_ike_sa_t *this)
735 {
736 return this->randomizer;
737 }
738
739 /**
740 * Implementation of protected_ike_sa_t.get_crypter_initiator.
741 */
742 static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
743 {
744 return this->crypter_initiator;
745 }
746
747 /**
748 * Implementation of protected_ike_sa_t.get_signer_initiator.
749 */
750 static signer_t *get_signer_initiator (private_ike_sa_t *this)
751 {
752 return this->signer_initiator;
753 }
754
755 /**
756 * Implementation of protected_ike_sa_t.get_crypter_responder.
757 */
758 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
759 {
760 return this->crypter_responder;
761 }
762
763 /**
764 * Implementation of protected_ike_sa_t.get_signer_responder.
765 */
766 static signer_t *get_signer_responder (private_ike_sa_t *this)
767 {
768 return this->signer_responder;
769 }
770
771 /**
772 * Implementation of protected_ike_sa_t.send_request.
773 */
774 static status_t send_request (private_ike_sa_t *this,message_t * message)
775 {
776 retransmit_request_job_t *retransmit_job;
777 u_int32_t timeout;
778 packet_t *packet;
779 status_t status;
780
781 if (message->get_message_id(message) != this->message_id_out)
782 {
783 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
784 message->get_message_id(message),this->message_id_out);
785 return FAILED;
786 }
787
788 /* generate packet */
789 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
790
791 status = message->generate(message, this->crypter_initiator,this->signer_initiator, &packet);
792 if (status != SUCCESS)
793 {
794 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
795 return FAILED;
796 }
797
798 this->logger->log(this->logger, CONTROL|LEVEL3,
799 "Add request packet with message id %d to global send queue",
800 this->message_id_out);
801 charon->send_queue->add(charon->send_queue, packet);
802
803 if (this->last_requested_message != NULL)
804 {
805 /* destroy message */
806 this->last_requested_message->destroy(this->last_requested_message);
807 }
808
809 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
810 this->last_requested_message = message;
811
812 retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
813
814 status = charon->configuration_manager->get_retransmit_timeout (charon->configuration_manager,
815 retransmit_job->get_retransmit_count(retransmit_job),&timeout);
816
817 if (status != SUCCESS)
818 {
819 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
820 retransmit_job->destroy(retransmit_job);
821 }
822 else
823 {
824 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.",timeout);
825 charon->event_queue->add_relative(charon->event_queue,(job_t *) retransmit_job,timeout);
826 }
827
828 /* message counter can now be increased */
829 this->logger->log(this->logger, CONTROL|LEVEL3,
830 "Increase message counter for outgoing messages from %d",
831 this->message_id_out);
832 this->message_id_out++;
833 return SUCCESS;
834 }
835
836 /**
837 * Implementation of protected_ike_sa_t.send_response.
838 */
839 static status_t send_response (private_ike_sa_t *this,message_t * message)
840 {
841 packet_t *packet;
842 status_t status;
843
844 if (message->get_message_id(message) != this->message_id_in)
845 {
846 this->logger->log(this->logger, ERROR, "Message could not be sent cause id was not as expected");
847 return FAILED;
848 }
849
850 status = message->generate(message, this->crypter_responder,this->signer_responder, &packet);
851 if (status != SUCCESS)
852 {
853 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
854 return FAILED;
855 }
856
857 this->logger->log(this->logger, CONTROL|LEVEL3,
858 "Add response packet with message id %d to global send queue",
859 this->message_id_in);
860 charon->send_queue->add(charon->send_queue, packet);
861
862 if (this->last_responded_message != NULL)
863 {
864 /* destroy message */
865 this->last_responded_message->destroy(this->last_responded_message);
866 }
867
868 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
869 this->last_responded_message = message;
870
871 /* message counter can now be increased */
872 this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
873 this->message_id_in++;
874
875 return SUCCESS;
876 }
877
878 /**
879 * Implementation of of private_responder_init_t.send_notify_reply.
880 */
881 static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data)
882 {
883 notify_payload_t *payload;
884 message_t *response;
885 packet_t *packet;
886 status_t status;
887
888 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
889 /* set up the reply */
890 this->protected.build_message(&(this->protected), exchange_type, FALSE, &response);
891 payload = notify_payload_create_from_protocol_and_type(IKE,type);
892 if ((data.ptr != NULL) && (data.len > 0))
893 {
894 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
895 payload->set_notification_data(payload,data);
896 }
897
898 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
899 response->add_payload(response,(payload_t *) payload);
900
901 /* generate packet */
902 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
903 status = response->generate(response, this->crypter_responder, this->signer_responder, &packet);
904 if (status != SUCCESS)
905 {
906 this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message");
907 response->destroy(response);
908 return;
909 }
910
911 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
912 charon->send_queue->add(charon->send_queue, packet);
913 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
914 response->destroy(response);
915 }
916
917 /**
918 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
919 */
920 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
921 {
922 this->last_replied_message_id = message_id;
923 }
924
925 /**
926 * Implementation of protected_ike_sa_t.get_last_responded_message.
927 */
928 static message_t * get_last_responded_message (private_ike_sa_t *this)
929 {
930 return this->last_responded_message;
931 }
932
933 /**
934 * Implementation of protected_ike_sa_t.get_last_requested_message.
935 */
936 static message_t * get_last_requested_message (private_ike_sa_t *this)
937 {
938 return this->last_requested_message;
939 }
940
941 /**
942 * Implementation of protected_ike_sa_t.get_state.
943 */
944 static ike_sa_state_t get_state (private_ike_sa_t *this)
945 {
946 return this->current_state->get_state(this->current_state);
947 }
948
949 /**
950 * Implementation of protected_ike_sa_t.reset_message_buffers.
951 */
952 static void reset_message_buffers (private_ike_sa_t *this)
953 {
954 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
955 /* destroy stored requested message */
956 if (this->last_requested_message != NULL)
957 {
958 this->last_requested_message->destroy(this->last_requested_message);
959 this->last_requested_message = NULL;
960 }
961
962 /* destroy stored responded messages */
963 if (this->last_responded_message != NULL)
964 {
965 this->last_responded_message->destroy(this->last_responded_message);
966 this->last_responded_message = NULL;
967 }
968
969 this->message_id_out = 0;
970 this->message_id_in = 0;
971 this->last_replied_message_id = -1;
972 }
973
974 /**
975 * Implementation of protected_ike_sa_t.create_delete_established_ike_sa_job.
976 */
977 static void create_delete_established_ike_sa_job (private_ike_sa_t *this,u_int32_t timeout)
978 {
979 job_t *delete_job;
980
981 this->logger->log(this->logger, CONTROL | LEVEL1,
982 "Going to create job to delete established IKE_SA in %d ms",
983 timeout);
984
985 delete_job = (job_t *) delete_established_ike_sa_job_create(this->ike_sa_id);
986 charon->event_queue->add_relative(charon->event_queue,delete_job, timeout);
987 }
988
989 /**
990 * Implementation of protected_ike_sa_t.destroy.
991 */
992 static void destroy (private_ike_sa_t *this)
993 {
994 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
995 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
996 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
997 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
998
999 /* destroy child sa's */
1000 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy all child_sa's");
1001 while (this->child_sas->get_count(this->child_sas) > 0)
1002 {
1003 void *child_sa;
1004 if (this->child_sas->remove_first(this->child_sas, &child_sa) != SUCCESS)
1005 {
1006 break;
1007 }
1008 /* destroy child sa */
1009 }
1010 this->child_sas->destroy(this->child_sas);
1011
1012 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy secrets");
1013 allocator_free(this->secrets.d_key.ptr);
1014 allocator_free(this->secrets.pi_key.ptr);
1015 allocator_free(this->secrets.pr_key.ptr);
1016
1017 if (this->crypter_initiator != NULL)
1018 {
1019 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator crypter_t object");
1020 this->crypter_initiator->destroy(this->crypter_initiator);
1021 }
1022
1023 if (this->crypter_responder != NULL)
1024 {
1025 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder crypter_t object");
1026 this->crypter_responder->destroy(this->crypter_responder);
1027 }
1028
1029 if (this->signer_initiator != NULL)
1030 {
1031 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy initiator signer_t object");
1032 this->signer_initiator->destroy(this->signer_initiator);
1033 }
1034
1035 if (this->signer_responder != NULL)
1036 {
1037 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy responder signer_t object");
1038 this->signer_responder->destroy(this->signer_responder);
1039 }
1040
1041 if (this->prf != NULL)
1042 {
1043 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy prf_t object");
1044 this->prf->destroy(this->prf);
1045 }
1046
1047 /* destroy ike_sa_id */
1048 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy ike_sa_id object");
1049 this->ike_sa_id->destroy(this->ike_sa_id);
1050
1051 /* destroy stored requested message */
1052 if (this->last_requested_message != NULL)
1053 {
1054 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last requested message");
1055 this->last_requested_message->destroy(this->last_requested_message);
1056 }
1057
1058 /* destroy stored responded messages */
1059 if (this->last_responded_message != NULL)
1060 {
1061 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy last responded message");
1062 this->last_responded_message->destroy(this->last_responded_message);
1063 }
1064
1065 /* destroy stored host_t objects */
1066 if (this->me.host != NULL)
1067 {
1068 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy my host_t object");
1069 this->me.host->destroy(this->me.host);
1070 }
1071
1072 /* destroy stored host_t objects */
1073 if (this->other.host != NULL)
1074 {
1075 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy other host_t object");
1076 this->other.host->destroy(this->other.host);
1077 }
1078
1079 this->randomizer->destroy(this->randomizer);
1080
1081 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy current state object");
1082 this->current_state->destroy(this->current_state);
1083
1084 this->logger->log(this->logger, CONTROL | LEVEL3, "Destroy logger of IKE_SA");
1085 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
1086
1087 allocator_free(this);
1088 }
1089
1090 /*
1091 * Described in header.
1092 */
1093 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1094 {
1095 private_ike_sa_t *this = allocator_alloc_thing(private_ike_sa_t);
1096
1097 /* Public functions */
1098 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1099 this->protected.public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
1100 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1101 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1102 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1103 this->protected.public.send_delete_ike_sa_request = (void (*)(ike_sa_t*)) send_delete_ike_sa_request;
1104 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1105
1106 /* protected functions */
1107 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
1108 this->protected.compute_secrets = (void (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
1109 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1110 this->protected.get_key_pr = (chunk_t (*) (protected_ike_sa_t *)) get_key_pr;
1111 this->protected.get_key_pi = (chunk_t (*) (protected_ike_sa_t *)) get_key_pi;
1112 this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;
1113 this->protected.set_init_config = (void (*) (protected_ike_sa_t *,init_config_t *)) set_init_config;
1114 this->protected.get_init_config = (init_config_t *(*) (protected_ike_sa_t *)) get_init_config;
1115 this->protected.set_sa_config = (void (*) (protected_ike_sa_t *,sa_config_t *)) set_sa_config;
1116 this->protected.get_sa_config = (sa_config_t *(*) (protected_ike_sa_t *)) get_sa_config;
1117 this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host;
1118 this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host;
1119 this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host;
1120 this->protected.set_other_host = (void(*) (protected_ike_sa_t *, host_t *)) set_other_host;
1121 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1122 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1123 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1124 this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify;
1125 this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,ike_proposal_t *)) create_transforms_from_proposal;
1126 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1127 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1128 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1129 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1130 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1131 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1132 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_responded_message;
1133 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *this)) get_last_requested_message;
1134 this->protected.create_delete_established_ike_sa_job = (void (*) (protected_ike_sa_t *this,u_int32_t)) create_delete_established_ike_sa_job;
1135
1136 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1137
1138 /* private functions */
1139 this->resend_last_reply = resend_last_reply;
1140
1141 /* initialize private fields */
1142 this->logger = charon->logger_manager->create_logger(charon->logger_manager, IKE_SA, NULL);
1143
1144 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1145 this->child_sas = linked_list_create();
1146 this->randomizer = randomizer_create();
1147
1148 this->me.host = NULL;
1149 this->other.host = NULL;
1150 this->last_requested_message = NULL;
1151 this->last_responded_message = NULL;
1152 this->message_id_out = 0;
1153 this->message_id_in = 0;
1154 this->last_replied_message_id = -1;
1155 this->secrets.d_key = CHUNK_INITIALIZER;
1156 this->secrets.pi_key = CHUNK_INITIALIZER;
1157 this->secrets.pr_key = CHUNK_INITIALIZER;
1158 this->crypter_initiator = NULL;
1159 this->crypter_responder = NULL;
1160 this->signer_initiator = NULL;
1161 this->signer_responder = NULL;
1162 this->prf = NULL;
1163 this->init_config = NULL;
1164 this->sa_config = NULL;
1165
1166 /* at creation time, IKE_SA is in a initiator state */
1167 if (ike_sa_id->is_initiator(ike_sa_id))
1168 {
1169 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
1170 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1171 }
1172 else
1173 {
1174 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
1175 this->current_state = (state_t *) responder_init_create(&(this->protected));
1176 }
1177 return &(this->protected.public);
1178 }