363e2264d8029ddcb11c8d81d9b8e636aa68597b
[strongswan.git] / src / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22 #include <string.h>
23
24 #include "ike_sa.h"
25
26 #include <types.h>
27 #include <daemon.h>
28 #include <definitions.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <crypto/diffie_hellman.h>
33 #include <crypto/prf_plus.h>
34 #include <crypto/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/delete_payload.h>
39 #include <encoding/payloads/transform_substructure.h>
40 #include <encoding/payloads/transform_attribute.h>
41 #include <encoding/payloads/ts_payload.h>
42 #include <sa/states/initiator_init.h>
43 #include <sa/states/responder_init.h>
44 #include <sa/states/create_child_sa_requested.h>
45 #include <queues/jobs/retransmit_request_job.h>
46 #include <queues/jobs/delete_established_ike_sa_job.h>
47 #include <queues/jobs/delete_half_open_ike_sa_job.h>
48
49
50
51
52 typedef struct private_ike_sa_t private_ike_sa_t;
53
54 /**
55 * Private data of an ike_sa_t object.
56 */
57 struct private_ike_sa_t {
58
59 /**
60 * Protected part of a ike_sa_t object.
61 */
62 protected_ike_sa_t protected;
63
64 /**
65 * Identifier for the current IKE_SA.
66 */
67 ike_sa_id_t *ike_sa_id;
68
69 /**
70 * Linked List containing the child sa's of the current IKE_SA.
71 */
72 linked_list_t *child_sas;
73
74 /**
75 * Current state of the IKE_SA represented as state_t object.
76 *
77 * A state object representates one of the following states and is processing
78 * messages in the specific state:
79 * - INITIATOR_INIT
80 * - RESPONDER_INIT
81 * - IKE_SA_INIT_REQUESTED
82 * - IKE_SA_INIT_RESPONDED
83 * - IKE_AUTH_REQUESTED
84 * -IKE_SA_ESTABLISHED
85 */
86 state_t *current_state;
87
88 /**
89 * Connection definition used for this IKE_SA
90 */
91 connection_t *connection;
92
93 /**
94 * Policy definition used for this IKE_SA
95 */
96 policy_t *policy;
97
98 /**
99 * This SA's source for random data.
100 *
101 * Is available in every state.
102 */
103 randomizer_t *randomizer;
104
105 /**
106 * The last responded message.
107 */
108 message_t *last_responded_message;
109
110 /**
111 * The ast requested message.
112 */
113 message_t *last_requested_message;
114
115 /**
116 * Crypter object for initiator.
117 */
118 crypter_t *crypter_initiator;
119
120 /**
121 * Crypter object for responder.
122 */
123 crypter_t *crypter_responder;
124
125 /**
126 * Signer object for initiator.
127 */
128 signer_t *signer_initiator;
129
130 /**
131 * Signer object for responder.
132 */
133 signer_t *signer_responder;
134
135 /**
136 * Multi purpose prf, set key, use it, forget it
137 */
138 prf_t *prf;
139
140 /**
141 * Prf function for derivating keymat child SAs
142 */
143 prf_t *child_prf;
144
145 /**
146 * PRF, with key set to pi_key, used for authentication
147 */
148 prf_t *prf_auth_i;
149
150 /**
151 * PRF, with key set to pr_key, used for authentication
152 */
153 prf_t *prf_auth_r;
154
155 /**
156 * Next message id to receive.
157 */
158 u_int32_t message_id_in;
159
160 /**
161 * Next message id to send.
162 */
163 u_int32_t message_id_out;
164
165 /**
166 * Last reply id which was successfully received.
167 */
168 int32_t last_replied_message_id;
169
170 /**
171 * A logger for this IKE_SA.
172 */
173 logger_t *logger;
174 };
175
176 /**
177 * Implementation of protected_ike_sa_t.build_message.
178 */
179 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
180 {
181 message_t *new_message;
182 host_t *me, *other;
183
184 me = this->connection->get_my_host(this->connection);
185 other = this->connection->get_other_host(this->connection);
186
187 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
188 new_message = message_create();
189 new_message->set_source(new_message, me->clone(me));
190 new_message->set_destination(new_message, other->clone(other));
191 new_message->set_exchange_type(new_message, type);
192 new_message->set_request(new_message, request);
193 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
194 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
195
196 *message = new_message;
197 }
198
199 /**
200 * Implementation of ike_sa_t.get_state.
201 */
202 static ike_sa_state_t get_state(private_ike_sa_t *this)
203 {
204 return this->current_state->get_state(this->current_state);
205 }
206
207 /**
208 * Implementation of protected_ike_sa_t.set_new_state.
209 */
210 static void set_new_state(private_ike_sa_t *this, state_t *state)
211 {
212 this->logger->log(this->logger, CONTROL, "statechange: %s => %s",
213 mapping_find(ike_sa_state_m, get_state(this)),
214 mapping_find(ike_sa_state_m, state->get_state(state)));
215 this->current_state = state;
216 }
217
218 /**
219 * Implementation of protected_ike_sa_t.get_connection.
220 */
221 static connection_t *get_connection(private_ike_sa_t *this)
222 {
223 return this->connection;
224 }
225
226 /**
227 * Implementation of protected_ike_sa_t.set_connection.
228 */
229 static void set_connection(private_ike_sa_t *this,connection_t * connection)
230 {
231 this->connection = connection;
232 }
233
234 /**
235 * Implementation of protected_ike_sa_t.get_policy.
236 */
237 static policy_t *get_policy(private_ike_sa_t *this)
238 {
239 return this->policy;
240 }
241
242 /**
243 * Implementation of protected_ike_sa_t.set_policy.
244 */
245 static void set_policy(private_ike_sa_t *this,policy_t * policy)
246 {
247 this->policy = policy;
248 }
249
250 /**
251 * Implementation of protected_ike_sa_t.get_prf.
252 */
253 static prf_t *get_prf(private_ike_sa_t *this)
254 {
255 return this->prf;
256 }
257
258 /**
259 * Implementation of protected_ike_sa_t.get_prf.
260 */
261 static prf_t *get_child_prf(private_ike_sa_t *this)
262 {
263 return this->child_prf;
264 }
265
266 /**
267 * Implementation of protected_ike_sa_t.get_prf_auth_i.
268 */
269 static prf_t *get_prf_auth_i(private_ike_sa_t *this)
270 {
271 return this->prf_auth_i;
272 }
273
274 /**
275 * Implementation of protected_ike_sa_t.get_prf_auth_r.
276 */
277 static prf_t *get_prf_auth_r(private_ike_sa_t *this)
278 {
279 return this->prf_auth_r;
280 }
281 /**
282 * Implementation of ike_sa_t.get_id.
283 */
284 static ike_sa_id_t* get_id(private_ike_sa_t *this)
285 {
286 return this->ike_sa_id;
287 }
288
289 /**
290 * Implementation of ike_sa_t.get_my_host.
291 */
292 static host_t* get_my_host(private_ike_sa_t *this)
293 {
294 return this->connection->get_my_host(this->connection);;
295 }
296
297 /**
298 * Implementation of ike_sa_t.get_other_host.
299 */
300 static host_t* get_other_host(private_ike_sa_t *this)
301 {
302 return this->connection->get_other_host(this->connection);;
303 }
304
305 /**
306 * Implementation of ike_sa_t.get_my_id.
307 */
308 static identification_t* get_my_id(private_ike_sa_t *this)
309 {
310 return this->policy->get_my_id(this->policy);;
311 }
312
313 /**
314 * Implementation of ike_sa_t.get_other_id.
315 */
316 static identification_t* get_other_id(private_ike_sa_t *this)
317 {
318 return this->policy->get_other_id(this->policy);;
319 }
320
321 /**
322 * Implementation of ike_sa_t.retransmit_request.
323 */
324 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
325 {
326 packet_t *packet;
327
328 if (this->last_requested_message == NULL)
329 {
330 return NOT_FOUND;
331 }
332
333 if (message_id == this->last_replied_message_id)
334 {
335 return NOT_FOUND;
336 }
337
338 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
339 {
340 return NOT_FOUND;
341 }
342
343 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
344 packet = this->last_requested_message->get_packet(this->last_requested_message);
345 charon->send_queue->add(charon->send_queue, packet);
346
347 return SUCCESS;
348 }
349
350
351 /**
352 * Implementation of protected_ike_sa_t.build_transforms.
353 */
354 static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
355 {
356 chunk_t nonces, nonces_spis, skeyseed, key, secret;
357 u_int64_t spi_i, spi_r;
358 prf_plus_t *prf_plus;
359 algorithm_t *algo;
360 size_t key_size;
361
362 /*
363 * Build the PRF+ instance for deriving keys
364 */
365 if (this->prf != NULL)
366 {
367 this->prf->destroy(this->prf);
368 }
369 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
370 if (algo == NULL)
371 {
372 this->logger->log(this->logger, ERROR|LEVEL2, "No PRF algoithm selected!?");
373 return FAILED;
374 }
375 this->prf = prf_create(algo->algorithm);
376 if (this->prf == NULL)
377 {
378 this->logger->log(this->logger, ERROR|LEVEL1,
379 "PSEUDO_RANDOM_FUNCTION %s not supported!",
380 mapping_find(pseudo_random_function_m, algo->algorithm));
381 return FAILED;
382 }
383
384 /* concatenate nonces = nonce_i | nonce_r */
385 nonces = chunk_alloc(nonce_i.len + nonce_r.len);
386 memcpy(nonces.ptr, nonce_i.ptr, nonce_i.len);
387 memcpy(nonces.ptr + nonce_i.len, nonce_r.ptr, nonce_r.len);
388
389 /* concatenate prf_seed = nonce_i | nonce_r | spi_i | spi_r */
390 nonces_spis = chunk_alloc(nonces.len + 16);
391 memcpy(nonces_spis.ptr, nonces.ptr, nonces.len);
392 spi_i = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
393 spi_r = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
394 memcpy(nonces_spis.ptr + nonces.len, &spi_i, 8);
395 memcpy(nonces_spis.ptr + nonces.len + 8, &spi_r, 8);
396
397 /* SKEYSEED = prf(Ni | Nr, g^ir) */
398 dh->get_shared_secret(dh, &secret);
399 this->logger->log_chunk(this->logger, PRIVATE, "Shared Diffie Hellman secret", secret);
400 this->prf->set_key(this->prf, nonces);
401 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
402 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "SKEYSEED", skeyseed);
403 chunk_free(&secret);
404
405 /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
406 * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
407 *
408 * we use the prf directly for prf+
409 */
410 this->prf->set_key(this->prf, skeyseed);
411 prf_plus = prf_plus_create(this->prf, nonces_spis);
412
413 /* clean up unused stuff */
414 chunk_free(&nonces);
415 chunk_free(&nonces_spis);
416 chunk_free(&skeyseed);
417
418
419 /*
420 * We now can derive all of our key. We build the transforms
421 * directly.
422 */
423
424
425 /* SK_d used for prf+ to derive keys for child SAs */
426 this->child_prf = prf_create(algo->algorithm);
427 key_size = this->child_prf->get_key_size(this->child_prf);
428 prf_plus->allocate_bytes(prf_plus, key_size, &key);
429 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", key);
430 this->child_prf->set_key(this->child_prf, key);
431 chunk_free(&key);
432
433
434 /* SK_ai/SK_ar used for integrity protection */
435 proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo);
436 if (algo == NULL)
437 {
438 this->logger->log(this->logger, ERROR|LEVEL2, "No integrity algoithm selected?!");
439 return FAILED;
440 }
441 if (this->signer_initiator != NULL)
442 {
443 this->signer_initiator->destroy(this->signer_initiator);
444 }
445 if (this->signer_responder != NULL)
446 {
447 this->signer_responder->destroy(this->signer_responder);
448 }
449
450 this->signer_initiator = signer_create(algo->algorithm);
451 this->signer_responder = signer_create(algo->algorithm);
452 if (this->signer_initiator == NULL || this->signer_responder == NULL)
453 {
454 this->logger->log(this->logger, ERROR|LEVEL1,
455 "INTEGRITY_ALGORITHM %s not supported!",
456 mapping_find(integrity_algorithm_m,algo->algorithm));
457 return FAILED;
458 }
459 key_size = this->signer_initiator->get_key_size(this->signer_initiator);
460
461 prf_plus->allocate_bytes(prf_plus, key_size, &key);
462 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", key);
463 this->signer_initiator->set_key(this->signer_initiator, key);
464 chunk_free(&key);
465
466 prf_plus->allocate_bytes(prf_plus, key_size, &key);
467 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", key);
468 this->signer_responder->set_key(this->signer_responder, key);
469 chunk_free(&key);
470
471
472 /* SK_ei/SK_er used for encryption */
473 proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo);
474 if (algo == NULL)
475 {
476 this->logger->log(this->logger, ERROR|LEVEL2, "No encryption algoithm selected!?");
477 return FAILED;
478 }
479 if (this->crypter_initiator != NULL)
480 {
481 this->crypter_initiator->destroy(this->crypter_initiator);
482 }
483 if (this->crypter_responder != NULL)
484 {
485 this->crypter_responder->destroy(this->crypter_responder);
486 }
487
488 this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size);
489 this->crypter_responder = crypter_create(algo->algorithm, algo->key_size);
490 if (this->crypter_initiator == NULL || this->crypter_responder == NULL)
491 {
492 this->logger->log(this->logger, ERROR|LEVEL1,
493 "ENCRYPTION_ALGORITHM %s (key size %d) not supported!",
494 mapping_find(encryption_algorithm_m, algo->algorithm),
495 algo->key_size);
496 return FAILED;
497 }
498 key_size = this->crypter_initiator->get_key_size(this->crypter_initiator);
499
500 prf_plus->allocate_bytes(prf_plus, key_size, &key);
501 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", key);
502 this->crypter_initiator->set_key(this->crypter_initiator, key);
503 chunk_free(&key);
504
505 prf_plus->allocate_bytes(prf_plus, key_size, &key);
506 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", key);
507 this->crypter_responder->set_key(this->crypter_responder, key);
508 chunk_free(&key);
509
510 /* SK_pi/SK_pr used for authentication */
511 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
512 if (this->prf_auth_i != NULL)
513 {
514 this->prf_auth_i->destroy(this->prf_auth_i);
515 }
516 if (this->prf_auth_r != NULL)
517 {
518 this->prf_auth_r->destroy(this->prf_auth_r);
519 }
520
521 this->prf_auth_i = prf_create(algo->algorithm);
522 this->prf_auth_r = prf_create(algo->algorithm);
523
524 key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
525 prf_plus->allocate_bytes(prf_plus, key_size, &key);
526 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", key);
527 this->prf_auth_i->set_key(this->prf_auth_i, key);
528 chunk_free(&key);
529
530 prf_plus->allocate_bytes(prf_plus, key_size, &key);
531 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", key);
532 this->prf_auth_r->set_key(this->prf_auth_r, key);
533 chunk_free(&key);
534
535 /* all done, prf_plus not needed anymore */
536 prf_plus->destroy(prf_plus);
537
538 return SUCCESS;
539 }
540
541 /**
542 * Implementation of protected_ike_sa_t.get_randomizer.
543 */
544 static randomizer_t *get_randomizer(private_ike_sa_t *this)
545 {
546 return this->randomizer;
547 }
548
549 /**
550 * Implementation of protected_ike_sa_t.get_crypter_initiator.
551 */
552 static crypter_t *get_crypter_initiator(private_ike_sa_t *this)
553 {
554 return this->crypter_initiator;
555 }
556
557 /**
558 * Implementation of protected_ike_sa_t.get_signer_initiator.
559 */
560 static signer_t *get_signer_initiator(private_ike_sa_t *this)
561 {
562 return this->signer_initiator;
563 }
564
565 /**
566 * Implementation of protected_ike_sa_t.get_crypter_responder.
567 */
568 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
569 {
570 return this->crypter_responder;
571 }
572
573 /**
574 * Implementation of protected_ike_sa_t.get_signer_responder.
575 */
576 static signer_t *get_signer_responder(private_ike_sa_t *this)
577 {
578 return this->signer_responder;
579 }
580
581 /**
582 * Implementation of protected_ike_sa_t.send_request.
583 */
584 static status_t send_request(private_ike_sa_t *this, message_t *message)
585 {
586 retransmit_request_job_t *retransmit_job;
587 u_int32_t timeout;
588 crypter_t *crypter;
589 signer_t *signer;
590 packet_t *packet;
591 status_t status;
592
593 if (message->get_message_id(message) != this->message_id_out)
594 {
595 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
596 message->get_message_id(message),this->message_id_out);
597 return FAILED;
598 }
599
600 /* generate packet */
601 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
602
603 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
604 {
605 crypter = this->crypter_initiator;
606 signer = this->signer_initiator;
607 }
608 else
609 {
610 crypter = this->crypter_responder;
611 signer =this->signer_responder;
612 }
613
614 status = message->generate(message, crypter,signer, &packet);
615 if (status != SUCCESS)
616 {
617 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
618 return FAILED;
619 }
620
621 this->logger->log(this->logger, CONTROL|LEVEL3,
622 "Add request packet with message id %d to global send queue",
623 this->message_id_out);
624 charon->send_queue->add(charon->send_queue, packet);
625
626 /* replace last message for retransmit with current */
627 if (this->last_requested_message != NULL)
628 {
629 this->last_requested_message->destroy(this->last_requested_message);
630 }
631 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
632 this->last_requested_message = message;
633
634 /* schedule a job for retransmission */
635 status = charon->configuration->get_retransmit_timeout(charon->configuration, 0, &timeout);
636 if (status != SUCCESS)
637 {
638 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
639 }
640 else
641 {
642 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.", timeout);
643 retransmit_job = retransmit_request_job_create(this->message_id_out, this->ike_sa_id);
644 charon->event_queue->add_relative(charon->event_queue, (job_t *)retransmit_job, timeout);
645 }
646
647 /* message counter can now be increased */
648 this->logger->log(this->logger, CONTROL|LEVEL3,
649 "Increase message counter for outgoing messages from %d",
650 this->message_id_out);
651 this->message_id_out++;
652 return SUCCESS;
653 }
654
655 /**
656 * Implementation of protected_ike_sa_t.send_response.
657 */
658 static status_t send_response(private_ike_sa_t *this, message_t *message)
659 {
660 crypter_t *crypter;
661 signer_t *signer;
662 packet_t *packet;
663 status_t status;
664
665 if (message->get_message_id(message) != this->message_id_in)
666 {
667 this->logger->log(this->logger, ERROR, "Message could not be sent cause id was not as expected");
668 return FAILED;
669 }
670
671 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
672 {
673 crypter = this->crypter_initiator;
674 signer = this->signer_initiator;
675 }
676 else
677 {
678 crypter = this->crypter_responder;
679 signer =this->signer_responder;
680 }
681
682 status = message->generate(message, crypter,signer, &packet);
683 if (status != SUCCESS)
684 {
685 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
686 return FAILED;
687 }
688
689 this->logger->log(this->logger, CONTROL|LEVEL3,
690 "Add response packet with message id %d to global send queue",
691 this->message_id_in);
692 charon->send_queue->add(charon->send_queue, packet);
693
694 if (this->last_responded_message != NULL)
695 {
696 /* destroy message */
697 this->last_responded_message->destroy(this->last_responded_message);
698 }
699
700 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
701 this->last_responded_message = message;
702
703 /* message counter can now be increased */
704 this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
705 this->message_id_in++;
706
707 return SUCCESS;
708 }
709
710 /**
711 * Implementation of of private_responder_init_t.send_notify_reply.
712 */
713 static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data)
714 {
715 notify_payload_t *payload;
716 message_t *response;
717 packet_t *packet;
718 status_t status;
719
720 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
721 /* set up the reply */
722 build_message(this, exchange_type, FALSE, &response);
723 payload = notify_payload_create_from_protocol_and_type(PROTO_IKE, type);
724 if ((data.ptr != NULL) && (data.len > 0))
725 {
726 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
727 payload->set_notification_data(payload,data);
728 }
729
730 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
731 response->add_payload(response,(payload_t *) payload);
732
733 /* generate packet */
734 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
735 status = response->generate(response, this->crypter_responder, this->signer_responder, &packet);
736 if (status != SUCCESS)
737 {
738 this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message");
739 response->destroy(response);
740 return;
741 }
742
743 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
744 charon->send_queue->add(charon->send_queue, packet);
745 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
746 response->destroy(response);
747 }
748
749 /**
750 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
751 */
752 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
753 {
754 this->last_replied_message_id = message_id;
755 }
756
757 /**
758 * Implementation of protected_ike_sa_t.get_last_responded_message.
759 */
760 static message_t *get_last_responded_message (private_ike_sa_t *this)
761 {
762 return this->last_responded_message;
763 }
764
765 /**
766 * Implementation of protected_ike_sa_t.get_last_requested_message.
767 */
768 static message_t *get_last_requested_message(private_ike_sa_t *this)
769 {
770 return this->last_requested_message;
771 }
772
773 /**
774 * Implementation of protected_ike_sa_t.add_child_sa.
775 */
776 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
777 {
778 this->child_sas->insert_last(this->child_sas, child_sa);
779 }
780
781 /**
782 * Process an informational request
783 */
784 static status_t process_informational(private_ike_sa_t *this, message_t *request)
785 {
786 delete_payload_t *delete_request = NULL;
787 message_t *response;
788 iterator_t *payloads;
789 state_t *old_state;
790
791 build_message(this, INFORMATIONAL, FALSE, &response);
792
793 payloads = request->get_payload_iterator(request);
794 while (payloads->has_next(payloads))
795 {
796 payload_t *payload;
797 payloads->current(payloads, (void**)&payload);
798
799 switch (payload->get_type(payload))
800 {
801 case DELETE:
802 {
803 delete_request = (delete_payload_t *) payload;
804 break;
805 }
806 default:
807 {
808 this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)",
809 mapping_find(payload_type_m, payload->get_type(payload)),
810 payload->get_type(payload));
811 break;
812 }
813 }
814 }
815 /* iterator can be destroyed */
816 payloads->destroy(payloads);
817
818 if (delete_request)
819 {
820 if (delete_request->get_protocol_id(delete_request) == PROTO_IKE)
821 {
822 this->logger->log(this->logger, CONTROL, "DELETE request for IKE_SA received");
823 if (send_response(this, response) != SUCCESS)
824 {
825 /* something is seriously wrong, kill connection */
826 this->logger->log(this->logger, AUDIT, "Unable to send reply. Deleting IKE_SA");
827 response->destroy(response);
828 }
829 /* switch to delete_requested. This is not absolutly correct, but we
830 * allow the clean destruction of an SA only in this state. */
831 old_state = this->current_state;
832 set_new_state(this, (state_t*)delete_requested_create(this));
833 old_state->destroy(old_state);
834 return DESTROY_ME;
835 }
836 else
837 {
838 this->logger->log(this->logger, CONTROL, "DELETE request for CHILD_SA received. Ignored");
839 response->destroy(response);
840 return FAILED;
841 }
842 }
843 return SUCCESS;
844 }
845
846
847 /**
848 * Process an informational request
849 */
850 static status_t process_create_child_sa(private_ike_sa_t *this, message_t *request)
851 {
852
853 }
854
855 /**
856 * Implementation of ike_sa_t.process_message.
857 */
858 static status_t process_message(private_ike_sa_t *this, message_t *message)
859 {
860 u_int32_t message_id;
861 exchange_type_t exchange_type;
862 bool is_request;
863 status_t status;
864 crypter_t *crypter;
865 signer_t *signer;
866
867 /* Find out type of message (request or response) */
868 is_request = message->get_request(message);
869 exchange_type = message->get_exchange_type(message);
870
871 this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
872 (is_request) ? "request" : "response",
873 mapping_find(exchange_type_m, exchange_type));
874
875 message_id = message->get_message_id(message);
876
877 /* check if message already received, and retransmit its reply */
878 if (is_request && (message_id == (this->message_id_in - 1)))
879 {
880 /* resend last message, if any */
881 if (this->last_responded_message)
882 {
883 packet_t *packet = this->last_responded_message->get_packet(this->last_responded_message);
884 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
885 charon->send_queue->add(charon->send_queue, packet);
886 return SUCCESS;
887 }
888 else
889 {
890 /* somebody does something nasty here... */
891 return FAILED;
892 }
893 }
894
895 /* Now, the message id is checked for request AND reply */
896 if (is_request)
897 {
898 /* In a request, the message has to be this->message_id_in (other case is already handled) */
899 if (message_id != this->message_id_in)
900 {
901 this->logger->log(this->logger, ERROR | LEVEL1,
902 "Message request with message id %d received, but %d expected",
903 message_id,this->message_id_in);
904 return FAILED;
905 }
906 }
907 else
908 {
909 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
910 if (message_id != (this->message_id_out - 1))
911 {
912 this->logger->log(this->logger, ERROR | LEVEL1,
913 "Message reply with message id %d received, but %d expected",
914 message_id,this->message_id_in);
915 return FAILED;
916 }
917 }
918
919 if (this->current_state->get_state(this->current_state) == IKE_SA_ESTABLISHED)
920 {
921 if (is_request)
922 {
923 /* get signer for verification and crypter for decryption */
924 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
925 {
926 crypter = this->crypter_initiator;
927 signer = this->signer_initiator;
928 }
929 else
930 {
931 crypter = this->crypter_responder;
932 signer = this->signer_responder;
933 }
934
935 /* parse incoming message */
936 status = message->parse_body(message, crypter, signer);
937 if (status != SUCCESS)
938 {
939 this->logger->log(this->logger, AUDIT, "%s request decryption failed. Ignoring message",
940 mapping_find(exchange_type_m, message->get_exchange_type(message)));
941 return status;
942 }
943 switch (message->get_exchange_type(message))
944 {
945 case CREATE_CHILD_SA:
946 return process_create_child_sa(this, message);
947 case INFORMATIONAL:
948 return process_informational(this, message);
949 default:
950 this->logger->log(this->logger, CONTROL,
951 "Received a %s request, ignored",
952 mapping_find(exchange_type_m, exchange_type));
953 }
954 }
955 else
956 {
957 this->logger->log(this->logger, ERROR|LEVEL1,
958 "Received an unexpected %s response, ignored",
959 mapping_find(exchange_type_m, exchange_type));
960 }
961 return FAILED;
962 }
963 else
964 {
965 /* now the message is processed by the current state object.
966 * The specific state object is responsible to check if a message can be received in
967 * the state it represents.
968 * The current state is also responsible to change the state object to the next state
969 * by calling protected_ike_sa_t.set_new_state
970 */
971 return this->current_state->process_message(this->current_state, message);
972 }
973 }
974
975 /**
976 * Implementation of protected_ike_sa_t.initiate_connection.
977 */
978 static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection)
979 {
980 initiator_init_t *current_state;
981
982 /* Work is done in state object of type INITIATOR_INIT. All other states are not
983 * initial states and so don't have a initiate_connection function */
984
985 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
986 {
987 return FAILED;
988 }
989
990 current_state = (initiator_init_t *) this->current_state;
991
992 return current_state->initiate_connection(current_state, connection);
993 }
994
995 /**
996 * Implementation of ike_sa_t.get_child_sa.
997 */
998 static child_sa_t *get_child_sa(private_ike_sa_t *this, u_int32_t reqid)
999 {
1000 iterator_t *iterator;
1001 child_sa_t *current, *found = NULL;
1002
1003 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1004 while (iterator->has_next(iterator))
1005 {
1006 iterator->current(iterator, (void**)&current);
1007 if (current->get_reqid(current) == reqid)
1008 {
1009 found = current;
1010 break;
1011 }
1012 }
1013 iterator->destroy(iterator);
1014 return found;
1015 }
1016
1017 /**
1018 * Implementation of ike_sa_t.delete_child_sa.
1019 */
1020 static status_t delete_child_sa(private_ike_sa_t *this, u_int32_t reqid)
1021 {
1022 return NOT_FOUND;
1023 }
1024
1025 /**
1026 * Implementation of ike_sa_t.rekey_child_sa.
1027 */
1028 static status_t rekey_child_sa(private_ike_sa_t *this, u_int32_t reqid)
1029 {
1030 message_t *request;
1031 child_sa_t *child_sa;
1032 notify_payload_t *notify;
1033 sa_payload_t *sa_payload;
1034 ts_payload_t *tsi_payload, *tsr_payload;
1035 nonce_payload_t *nonce_payload;
1036 policy_t *policy;
1037 randomizer_t *randomizer;
1038 linked_list_t *proposals;
1039 chunk_t nonce;
1040 linked_list_t *my_ts, *other_ts;
1041 state_t *old_state;
1042
1043 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
1044 {
1045 this->logger->log(this->logger, ERROR|LEVEL1,
1046 "Rekeying of an IKE_SA not in state IKE_SA_ESTABLISHED, aborting", reqid);
1047 return FAILED;
1048 }
1049
1050 child_sa = get_child_sa(this, reqid);
1051 if (child_sa == NULL)
1052 {
1053 this->logger->log(this->logger, ERROR|LEVEL1,
1054 "IKE_SA does not contain a CHILD_SA with reqid %d", reqid);
1055 return FAILED;
1056 }
1057
1058 build_message(this, CREATE_CHILD_SA, TRUE, &request);
1059 notify = notify_payload_create_from_protocol_and_type(
1060 child_sa->get_protocol(child_sa), REKEY_SA);
1061 notify->set_spi(notify, child_sa->get_spi(child_sa, TRUE));
1062 request->add_payload(request, (payload_t*)notify);
1063
1064 proposals = this->policy->get_proposals(this->policy);
1065 sa_payload = sa_payload_create_from_proposal_list(proposals);
1066 request->add_payload(request, (payload_t*)sa_payload);
1067
1068 nonce_payload = nonce_payload_create();
1069 if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
1070 NONCE_SIZE, &nonce))
1071 {
1072 request->destroy(request);
1073 return FAILED;
1074 }
1075 nonce_payload->set_nonce(nonce_payload, nonce);
1076 request->add_payload(request, (payload_t*)nonce_payload);
1077
1078 my_ts = this->policy->get_my_traffic_selectors(this->policy);
1079 other_ts = this->policy->get_my_traffic_selectors(this->policy);
1080 tsi_payload = ts_payload_create_from_traffic_selectors(TRUE, my_ts);
1081 tsr_payload = ts_payload_create_from_traffic_selectors(FALSE, other_ts);
1082 request->add_payload(request, (payload_t*)tsi_payload);
1083 request->add_payload(request, (payload_t*)tsr_payload);
1084
1085 send_request(this, request);
1086
1087 old_state = this->current_state;
1088 set_new_state(this, (state_t*)create_child_sa_requested_create(&this->protected, nonce));
1089 old_state->destroy(old_state);
1090
1091 return SUCCESS;
1092 }
1093
1094 /**
1095 * Implementation of protected_ike_sa_t.reset_message_buffers.
1096 */
1097 static void reset_message_buffers(private_ike_sa_t *this)
1098 {
1099 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
1100 /* destroy stored requested message */
1101 if (this->last_requested_message != NULL)
1102 {
1103 this->last_requested_message->destroy(this->last_requested_message);
1104 this->last_requested_message = NULL;
1105 }
1106
1107 /* destroy stored responded messages */
1108 if (this->last_responded_message != NULL)
1109 {
1110 this->last_responded_message->destroy(this->last_responded_message);
1111 this->last_responded_message = NULL;
1112 }
1113
1114 this->message_id_out = 0;
1115 this->message_id_in = 0;
1116 this->last_replied_message_id = -1;
1117 }
1118
1119 /**
1120 * Implementation of protected_ike_sa_t.log_status.
1121 */
1122 static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
1123 {
1124 iterator_t *iterator;
1125 child_sa_t *child_sa;
1126 host_t *my_host, *other_host;
1127 identification_t *my_id = NULL, *other_id = NULL;
1128
1129 /* only log if name == NULL or name == connection_name */
1130 if (name)
1131 {
1132 if (streq(this->connection->get_name(this->connection), name))
1133 {
1134 return;
1135 }
1136 }
1137 my_host = this->connection->get_my_host(this->connection);
1138 other_host = this->connection->get_other_host(this->connection);
1139
1140 /* use policy information, if available */
1141 if (this->policy)
1142 {
1143 my_id = this->policy->get_my_id(this->policy);
1144 other_id = this->policy->get_other_id(this->policy);
1145 name = this->policy->get_name(this->policy);
1146 }
1147 else
1148 {
1149 name = this->connection->get_name(this->connection);
1150 }
1151
1152 if (logger == NULL)
1153 {
1154 logger = this->logger;
1155 }
1156 logger->log(logger, CONTROL|LEVEL1, " \"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
1157 name,
1158 mapping_find(ike_sa_state_m, this->current_state->get_state(this->current_state)),
1159 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1160 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1161 logger->log(logger, CONTROL, " \"%s\": %s[%s]...%s[%s]",
1162 name,
1163 my_host->get_address(my_host),
1164 my_id ? my_id->get_string(my_id) : "(unknown)",
1165 other_host->get_address(other_host),
1166 other_id ? other_id->get_string(other_id) : "(unknown)");
1167
1168 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1169 while (iterator->has_next(iterator))
1170 {
1171 iterator->current(iterator, (void**)&child_sa);
1172 child_sa->log_status(child_sa, logger, name);
1173 }
1174 iterator->destroy(iterator);
1175 }
1176
1177 /**
1178 * Implementation of public_ike_sa_t.delete.
1179 */
1180 static status_t delete_(private_ike_sa_t *this)
1181 {
1182 message_t *informational_request;
1183 delete_payload_t *delete_payload;
1184 u_int32_t timeout;
1185 delete_half_open_ike_sa_job_t *job;
1186 state_t *old_state;
1187
1188 if (get_state(this) != IKE_SA_ESTABLISHED)
1189 {
1190 this->logger->log(this->logger, ERROR, "Closing a not established IKE SA not allowed, aborting!");
1191 return INVALID_STATE;
1192 }
1193
1194 build_message(this, INFORMATIONAL, TRUE, &informational_request);
1195 /* delete for the full IKE_SA, this deletes all child_sa's implicit */
1196 delete_payload = delete_payload_create();
1197 delete_payload->set_protocol_id(delete_payload, PROTO_IKE);
1198
1199 informational_request->add_payload(informational_request, (payload_t*)delete_payload);
1200
1201 if (send_request(this, informational_request) != SUCCESS)
1202 {
1203 /* send failed, but we ignore this, SA will get deleted anyway later */
1204 informational_request->destroy(informational_request);
1205 }
1206
1207 /* transit to state delete_requested */
1208 old_state = this->current_state;
1209 set_new_state(this, (state_t*)delete_requested_create(this));
1210 old_state->destroy(old_state);
1211
1212 /* there is no guarantee that the other peer will acknowledge the delete,
1213 * so we have to set a timeout where we destroy the SA... This is done with
1214 * the delete_half_open_ike_sa_job as used in IKE SA setup.
1215 */
1216 timeout = charon->configuration->get_half_open_ike_sa_timeout(charon->configuration);
1217 job = delete_half_open_ike_sa_job_create(this->ike_sa_id);
1218 charon->event_queue->add_relative(charon->event_queue, (job_t*)job, timeout);
1219 return SUCCESS;
1220 }
1221
1222 /**
1223 * Implementation of protected_ike_sa_t.destroy.
1224 */
1225 static void destroy(private_ike_sa_t *this)
1226 {
1227 child_sa_t *child_sa;
1228
1229 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
1230 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1231 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
1232 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
1233
1234 if (get_state(this) == IKE_SA_ESTABLISHED)
1235 {
1236 this->logger->log(this->logger, ERROR, "Destroying an established IKE SA without knowledge from remote peer!");
1237 }
1238
1239 while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
1240 {
1241 child_sa->destroy(child_sa);
1242 }
1243 this->child_sas->destroy(this->child_sas);
1244
1245 if (this->crypter_initiator)
1246 {
1247 this->crypter_initiator->destroy(this->crypter_initiator);
1248 }
1249 if (this->crypter_responder)
1250 {
1251 this->crypter_responder->destroy(this->crypter_responder);
1252 }
1253 if (this->signer_initiator)
1254 {
1255 this->signer_initiator->destroy(this->signer_initiator);
1256 }
1257 if (this->signer_responder)
1258 {
1259 this->signer_responder->destroy(this->signer_responder);
1260 }
1261 if (this->prf)
1262 {
1263 this->prf->destroy(this->prf);
1264 }
1265 if (this->child_prf)
1266 {
1267 this->child_prf->destroy(this->child_prf);
1268 }
1269 if (this->prf_auth_i)
1270 {
1271 this->prf_auth_i->destroy(this->prf_auth_i);
1272 }
1273 if (this->prf_auth_r)
1274 {
1275 this->prf_auth_r->destroy(this->prf_auth_r);
1276 }
1277 if (this->connection)
1278 {
1279 host_t *my_host, *other_host;
1280 identification_t *my_id = NULL, *other_id = NULL;
1281 my_host = this->connection->get_my_host(this->connection);
1282 other_host = this->connection->get_other_host(this->connection);
1283 if (this->policy)
1284 {
1285 my_id = this->policy->get_my_id(this->policy);
1286 other_id = this->policy->get_other_id(this->policy);
1287 }
1288
1289 this->logger->log(this->logger, AUDIT, "IKE_SA deleted between %s[%s]...%s[%s]",
1290 my_host->get_address(my_host),
1291 my_id ? my_id->get_string(my_id) : "(unknown)",
1292 other_host->get_address(other_host),
1293 other_id ? other_id->get_string(other_id) : "(unknown)");
1294 this->connection->destroy(this->connection);
1295 }
1296 if (this->policy)
1297 {
1298 this->policy->destroy(this->policy);
1299 }
1300 if (this->last_requested_message)
1301 {
1302 this->last_requested_message->destroy(this->last_requested_message);
1303 }
1304 if (this->last_responded_message)
1305 {
1306 this->last_responded_message->destroy(this->last_responded_message);
1307 }
1308 this->ike_sa_id->destroy(this->ike_sa_id);
1309 this->randomizer->destroy(this->randomizer);
1310 this->current_state->destroy(this->current_state);
1311 free(this);
1312 }
1313
1314 /*
1315 * Described in header.
1316 */
1317 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1318 {
1319 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
1320
1321 /* Public functions */
1322 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1323 this->protected.public.initiate_connection = (status_t(*)(ike_sa_t*,connection_t*)) initiate_connection;
1324 this->protected.public.delete_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) delete_child_sa;
1325 this->protected.public.rekey_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) rekey_child_sa;
1326 this->protected.public.get_child_sa = (child_sa_t*(*)(ike_sa_t*,u_int32_t))get_child_sa;
1327 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1328 this->protected.public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
1329 this->protected.public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
1330 this->protected.public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
1331 this->protected.public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
1332 this->protected.public.get_connection = (connection_t*(*)(ike_sa_t*)) get_connection;
1333 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1334 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1335 this->protected.public.log_status = (void (*) (ike_sa_t*,logger_t*,char*))log_status;
1336 this->protected.public.delete = (status_t(*)(ike_sa_t*))delete_;
1337 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1338
1339 /* protected functions */
1340 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t,bool,message_t**)) build_message;
1341 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1342 this->protected.get_child_prf = (prf_t *(*) (protected_ike_sa_t *)) get_child_prf;
1343 this->protected.get_prf_auth_i = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_i;
1344 this->protected.get_prf_auth_r = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_r;
1345 this->protected.add_child_sa = (void (*) (protected_ike_sa_t*,child_sa_t*)) add_child_sa;
1346 this->protected.set_connection = (void (*) (protected_ike_sa_t *,connection_t *)) set_connection;
1347 this->protected.get_connection = (connection_t *(*) (protected_ike_sa_t *)) get_connection;
1348 this->protected.set_policy = (void (*) (protected_ike_sa_t *,policy_t *)) set_policy;
1349 this->protected.get_policy = (policy_t *(*) (protected_ike_sa_t *)) get_policy;
1350 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1351 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1352 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1353 this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify;
1354 this->protected.build_transforms = (status_t (*) (protected_ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t)) build_transforms;
1355 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1356 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1357 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1358 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1359 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1360 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1361 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *)) get_last_responded_message;
1362 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *)) get_last_requested_message;
1363
1364 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1365
1366 /* initialize private fields */
1367 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
1368
1369 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1370 this->child_sas = linked_list_create();
1371 this->randomizer = randomizer_create();
1372
1373 this->last_requested_message = NULL;
1374 this->last_responded_message = NULL;
1375 this->message_id_out = 0;
1376 this->message_id_in = 0;
1377 this->last_replied_message_id = -1;
1378 this->crypter_initiator = NULL;
1379 this->crypter_responder = NULL;
1380 this->signer_initiator = NULL;
1381 this->signer_responder = NULL;
1382 this->prf = NULL;
1383 this->prf_auth_i = NULL;
1384 this->prf_auth_r = NULL;
1385 this->child_prf = NULL;
1386 this->connection = NULL;
1387 this->policy = NULL;
1388
1389 /* at creation time, IKE_SA is in a initiator state */
1390 if (ike_sa_id->is_initiator(ike_sa_id))
1391 {
1392 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
1393 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1394 }
1395 else
1396 {
1397 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
1398 this->current_state = (state_t *) responder_init_create(&(this->protected));
1399 }
1400 return &(this->protected.public);
1401 }