- applied patch from the NAT-T team fixing several typos
[strongswan.git] / src / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22 #include <string.h>
23
24 #include "ike_sa.h"
25
26 #include <types.h>
27 #include <daemon.h>
28 #include <definitions.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <crypto/diffie_hellman.h>
33 #include <crypto/prf_plus.h>
34 #include <crypto/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/delete_payload.h>
39 #include <encoding/payloads/transform_substructure.h>
40 #include <encoding/payloads/transform_attribute.h>
41 #include <sa/states/initiator_init.h>
42 #include <sa/states/responder_init.h>
43 #include <queues/jobs/retransmit_request_job.h>
44 #include <queues/jobs/delete_established_ike_sa_job.h>
45
46
47
48
49 typedef struct private_ike_sa_t private_ike_sa_t;
50
51 /**
52 * Private data of an ike_sa_t object.
53 */
54 struct private_ike_sa_t {
55
56 /**
57 * Protected part of a ike_sa_t object.
58 */
59 protected_ike_sa_t protected;
60
61 /**
62 * Identifier for the current IKE_SA.
63 */
64 ike_sa_id_t *ike_sa_id;
65
66 /**
67 * Linked List containing the child sa's of the current IKE_SA.
68 */
69 linked_list_t *child_sas;
70
71 /**
72 * Current state of the IKE_SA represented as state_t object.
73 *
74 * A state object representates one of the following states and is processing
75 * messages in the specific state:
76 * - INITIATOR_INIT
77 * - RESPONDER_INIT
78 * - IKE_SA_INIT_REQUESTED
79 * - IKE_SA_INIT_RESPONDED
80 * - IKE_AUTH_REQUESTED
81 * -IKE_SA_ESTABLISHED
82 */
83 state_t *current_state;
84
85 /**
86 * INIT configuration, needed for the IKE_SA_INIT exchange.
87 *
88 * Gets set in states:
89 * - INITATOR_INIT
90 * - RESPONDER_INIT
91 *
92 * Available in states:
93 * - IKE_SA_INIT_REQUESTED
94 * - IKE_SA_INIT_RESPONDED
95 * - IKE_AUTH_REQUESTED
96 * -IKE_SA_ESTABLISHED
97 */
98 connection_t *connection;
99
100 /**
101 * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
102 *
103 * Gets set in states:
104 * - IKE_SA_INIT_REQUESTED
105 * - IKE_SA_INIT_RESPONDED
106 *
107 * Available in states:
108 * - IKE_AUTH_REQUESTED
109 * -IKE_SA_ESTABLISHED
110 */
111 policy_t *policy;
112
113 /**
114 * This SA's source for random data.
115 *
116 * Is available in every state.
117 */
118 randomizer_t *randomizer;
119
120 /**
121 * The last responded message.
122 */
123 message_t *last_responded_message;
124
125 /**
126 * The ast requested message.
127 */
128 message_t *last_requested_message;
129
130 /**
131 * Crypter object for initiator.
132 */
133 crypter_t *crypter_initiator;
134
135 /**
136 * Crypter object for responder.
137 */
138 crypter_t *crypter_responder;
139
140 /**
141 * Signer object for initiator.
142 */
143 signer_t *signer_initiator;
144
145 /**
146 * Signer object for responder.
147 */
148 signer_t *signer_responder;
149
150 /**
151 * Multi purpose prf, set key, use it, forget it
152 */
153 prf_t *prf;
154
155 /**
156 * Prf function for derivating keymat child SAs
157 */
158 prf_t *child_prf;
159
160 /**
161 * PRF, with key set to pi_key, used for authentication
162 */
163 prf_t *prf_auth_i;
164
165 /**
166 * PRF, with key set to pr_key, used for authentication
167 */
168 prf_t *prf_auth_r;
169
170 /**
171 * Next message id to receive.
172 */
173 u_int32_t message_id_in;
174
175 /**
176 * Next message id to send.
177 */
178 u_int32_t message_id_out;
179
180 /**
181 * Last reply id which was successfully received.
182 */
183 int32_t last_replied_message_id;
184
185 /**
186 * A logger for this IKE_SA.
187 */
188 logger_t *logger;
189
190 /**
191 * Resends the last sent reply.
192 *
193 * @param this calling object
194 */
195 status_t (*resend_last_reply) (private_ike_sa_t *this);
196 };
197
198 /**
199 * Implementation of ike_sa_t.process_message.
200 */
201 static status_t process_message (private_ike_sa_t *this, message_t *message)
202 {
203 u_int32_t message_id;
204 exchange_type_t exchange_type;
205 bool is_request;
206
207 /* We must process each request or response from remote host */
208
209 /* Find out type of message (request or response) */
210 is_request = message->get_request(message);
211 exchange_type = message->get_exchange_type(message);
212
213 this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
214 (is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type));
215
216 message_id = message->get_message_id(message);
217
218 /*
219 * It has to be checked, if the message has to be resent cause of lost packets!
220 */
221 if (is_request && (message_id == (this->message_id_in - 1)))
222 {
223 /* Message can be resent ! */
224 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
225 return (this->resend_last_reply(this));
226 }
227
228 /* Now, the message id is checked for request AND reply */
229 if (is_request)
230 {
231 /* In a request, the message has to be this->message_id_in (other case is already handled) */
232 if (message_id != this->message_id_in)
233 {
234 this->logger->log(this->logger, ERROR | LEVEL1,
235 "Message request with message id %d received, but %d expected",
236 message_id,this->message_id_in);
237 return FAILED;
238 }
239 }
240 else
241 {
242 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
243 if (message_id != (this->message_id_out - 1))
244 {
245 this->logger->log(this->logger, ERROR | LEVEL1,
246 "Message reply with message id %d received, but %d expected",
247 message_id,this->message_id_in);
248 return FAILED;
249 }
250 }
251
252 /* now the message is processed by the current state object.
253 * The specific state object is responsible to check if a message can be received in
254 * the state it represents.
255 * The current state is also responsible to change the state object to the next state
256 * by calling protected_ike_sa_t.set_new_state*/
257 return this->current_state->process_message(this->current_state,message);
258 }
259
260 /**
261 * Implementation of protected_ike_sa_t.build_message.
262 */
263 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
264 {
265 message_t *new_message;
266 host_t *me, *other;
267
268 me = this->connection->get_my_host(this->connection);
269 other = this->connection->get_other_host(this->connection);
270
271 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
272 new_message = message_create();
273 new_message->set_source(new_message, me->clone(me));
274 new_message->set_destination(new_message, other->clone(other));
275 new_message->set_exchange_type(new_message, type);
276 new_message->set_request(new_message, request);
277 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
278 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
279
280 *message = new_message;
281 }
282
283 /**
284 * Implementation of protected_ike_sa_t.initiate_connection.
285 */
286 static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection)
287 {
288 initiator_init_t *current_state;
289
290 /* Work is done in state object of type INITIATOR_INIT. All other states are not
291 * initial states and so don't have a initiate_connection function */
292
293 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
294 {
295 return FAILED;
296 }
297
298 current_state = (initiator_init_t *) this->current_state;
299
300 return current_state->initiate_connection(current_state, connection);
301 }
302
303 /**
304 * Implementation of ike_sa_t.send_delete_ike_sa_request.
305 */
306 static void send_delete_ike_sa_request (private_ike_sa_t *this)
307 {
308 message_t *informational_request;
309 delete_payload_t *delete_payload;
310 crypter_t *crypter;
311 signer_t *signer;
312 packet_t *packet;
313 status_t status;
314
315 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
316 {
317 return;
318 }
319
320 /* build empty INFORMATIONAL message */
321 this->protected.build_message(&(this->protected), INFORMATIONAL, TRUE, &informational_request);
322
323 delete_payload = delete_payload_create();
324 delete_payload->set_protocol_id(delete_payload, PROTO_IKE);
325
326 informational_request->add_payload(informational_request,(payload_t *)delete_payload);
327
328 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
329 {
330 crypter = this->crypter_initiator;
331 signer = this->signer_initiator;
332 }
333 else
334 {
335 crypter = this->crypter_responder;
336 signer = this->signer_responder;
337 }
338
339 status = informational_request->generate(informational_request,
340 crypter,
341 signer, &packet);
342 informational_request->destroy(informational_request);
343 if (status != SUCCESS)
344 {
345 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
346 return ;
347 }
348
349 charon->send_queue->add(charon->send_queue,packet);
350 }
351
352 /**
353 * Implementation of ike_sa_t.get_id.
354 */
355 static ike_sa_id_t* get_id(private_ike_sa_t *this)
356 {
357 return this->ike_sa_id;
358 }
359
360 /**
361 * Implementation of ike_sa_t.get_my_host.
362 */
363 static host_t* get_my_host(private_ike_sa_t *this)
364 {
365 return this->connection->get_my_host(this->connection);;
366 }
367
368 /**
369 * Implementation of ike_sa_t.get_other_host.
370 */
371 static host_t* get_other_host(private_ike_sa_t *this)
372 {
373 return this->connection->get_other_host(this->connection);;
374 }
375
376 /**
377 * Implementation of ike_sa_t.get_my_id.
378 */
379 static identification_t* get_my_id(private_ike_sa_t *this)
380 {
381 return this->connection->get_my_id(this->connection);;
382 }
383
384 /**
385 * Implementation of ike_sa_t.get_other_id.
386 */
387 static identification_t* get_other_id(private_ike_sa_t *this)
388 {
389 return this->connection->get_other_id(this->connection);;
390 }
391
392 /**
393 * Implementation of private_ike_sa_t.resend_last_reply.
394 */
395 static status_t resend_last_reply(private_ike_sa_t *this)
396 {
397 packet_t *packet;
398
399 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit last reply");
400 packet = this->last_responded_message->get_packet(this->last_responded_message);
401 charon->send_queue->add(charon->send_queue, packet);
402
403 return SUCCESS;
404 }
405
406 /**
407 * Implementation of ike_sa_t.retransmit_request.
408 */
409 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
410 {
411 packet_t *packet;
412
413 if (this->last_requested_message == NULL)
414 {
415 return NOT_FOUND;
416 }
417
418 if (message_id == this->last_replied_message_id)
419 {
420 return NOT_FOUND;
421 }
422
423 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
424 {
425 return NOT_FOUND;
426 }
427
428 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
429 packet = this->last_requested_message->get_packet(this->last_requested_message);
430 charon->send_queue->add(charon->send_queue, packet);
431
432 return SUCCESS;
433 }
434
435 /**
436 * Implementation of protected_ike_sa_t.set_new_state.
437 */
438 static void set_new_state (private_ike_sa_t *this, state_t *state)
439 {
440 this->logger->log(this->logger, CONTROL, "statechange: %s => %s",
441 mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
442 mapping_find(ike_sa_state_m,state->get_state(state)));
443 this->current_state = state;
444 }
445
446 /**
447 * Implementation of protected_ike_sa_t.get_connection.
448 */
449 static connection_t *get_connection (private_ike_sa_t *this)
450 {
451 return this->connection;
452 }
453
454 /**
455 * Implementation of protected_ike_sa_t.set_connection.
456 */
457 static void set_connection (private_ike_sa_t *this,connection_t * connection)
458 {
459 this->connection = connection;
460 }
461
462 /**
463 * Implementation of protected_ike_sa_t.get_policy.
464 */
465 static policy_t *get_policy (private_ike_sa_t *this)
466 {
467 return this->policy;
468 }
469
470 /**
471 * Implementation of protected_ike_sa_t.set_policy.
472 */
473 static void set_policy (private_ike_sa_t *this,policy_t * policy)
474 {
475 this->policy = policy;
476 }
477
478 /**
479 * Implementation of protected_ike_sa_t.get_prf.
480 */
481 static prf_t *get_prf (private_ike_sa_t *this)
482 {
483 return this->prf;
484 }
485
486 /**
487 * Implementation of protected_ike_sa_t.get_prf.
488 */
489 static prf_t *get_child_prf (private_ike_sa_t *this)
490 {
491 return this->child_prf;
492 }
493
494 /**
495 * Implementation of protected_ike_sa_t.get_prf_auth_i.
496 */
497 static prf_t *get_prf_auth_i (private_ike_sa_t *this)
498 {
499 return this->prf_auth_i;
500 }
501
502 /**
503 * Implementation of protected_ike_sa_t.get_prf_auth_r.
504 */
505 static prf_t *get_prf_auth_r (private_ike_sa_t *this)
506 {
507 return this->prf_auth_r;
508 }
509
510
511 /**
512 * Implementation of protected_ike_sa_t.build_transforms.
513 */
514 static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
515 {
516 chunk_t nonces, nonces_spis, skeyseed, key, secret;
517 u_int64_t spi_i, spi_r;
518 prf_plus_t *prf_plus;
519 algorithm_t *algo;
520 size_t key_size;
521
522 /*
523 * Build the PRF+ instance for deriving keys
524 */
525 if (this->prf != NULL)
526 {
527 this->prf->destroy(this->prf);
528 }
529 proposal->get_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, &algo);
530 if (algo == NULL)
531 {
532 this->logger->log(this->logger, ERROR|LEVEL2, "No PRF algoithm selected!?");
533 return FAILED;
534 }
535 this->prf = prf_create(algo->algorithm);
536 if (this->prf == NULL)
537 {
538 this->logger->log(this->logger, ERROR|LEVEL1,
539 "PSEUDO_RANDOM_FUNCTION %s not supported!",
540 mapping_find(pseudo_random_function_m, algo->algorithm));
541 return FAILED;
542 }
543
544 /* concatenate nonces = nonce_i | nonce_r */
545 nonces = chunk_alloc(nonce_i.len + nonce_r.len);
546 memcpy(nonces.ptr, nonce_i.ptr, nonce_i.len);
547 memcpy(nonces.ptr + nonce_i.len, nonce_r.ptr, nonce_r.len);
548
549 /* concatenate prf_seed = nonce_i | nonce_r | spi_i | spi_r */
550 nonces_spis = chunk_alloc(nonces.len + 16);
551 memcpy(nonces_spis.ptr, nonces.ptr, nonces.len);
552 spi_i = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
553 spi_r = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
554 memcpy(nonces_spis.ptr + nonces.len, &spi_i, 8);
555 memcpy(nonces_spis.ptr + nonces.len + 8, &spi_r, 8);
556
557 /* SKEYSEED = prf(Ni | Nr, g^ir) */
558 dh->get_shared_secret(dh, &secret);
559 this->logger->log_chunk(this->logger, PRIVATE, "Shared Diffie Hellman secret", secret);
560 this->prf->set_key(this->prf, nonces);
561 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
562 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "SKEYSEED", skeyseed);
563 chunk_free(&secret);
564
565 /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
566 * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
567 *
568 * we use the prf directly for prf+
569 */
570 this->prf->set_key(this->prf, skeyseed);
571 prf_plus = prf_plus_create(this->prf, nonces_spis);
572
573 /* clean up unused stuff */
574 chunk_free(&nonces);
575 chunk_free(&nonces_spis);
576 chunk_free(&skeyseed);
577
578
579 /*
580 * We now can derive all of our key. We build the transforms
581 * directly.
582 */
583
584
585 /* SK_d used for prf+ to derive keys for child SAs */
586 this->child_prf = prf_create(algo->algorithm);
587 key_size = this->child_prf->get_key_size(this->child_prf);
588 prf_plus->allocate_bytes(prf_plus, key_size, &key);
589 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", key);
590 this->child_prf->set_key(this->child_prf, key);
591 chunk_free(&key);
592
593
594 /* SK_ai/SK_ar used for integrity protection */
595 proposal->get_algorithm(proposal, PROTO_IKE, INTEGRITY_ALGORITHM, &algo);
596 if (algo == NULL)
597 {
598 this->logger->log(this->logger, ERROR|LEVEL2, "No integrity algoithm selected?!");
599 return FAILED;
600 }
601 if (this->signer_initiator != NULL)
602 {
603 this->signer_initiator->destroy(this->signer_initiator);
604 }
605 if (this->signer_responder != NULL)
606 {
607 this->signer_responder->destroy(this->signer_responder);
608 }
609
610 this->signer_initiator = signer_create(algo->algorithm);
611 this->signer_responder = signer_create(algo->algorithm);
612 if (this->signer_initiator == NULL || this->signer_responder == NULL)
613 {
614 this->logger->log(this->logger, ERROR|LEVEL1,
615 "INTEGRITY_ALGORITHM %s not supported!",
616 mapping_find(integrity_algorithm_m,algo->algorithm));
617 return FAILED;
618 }
619 key_size = this->signer_initiator->get_key_size(this->signer_initiator);
620
621 prf_plus->allocate_bytes(prf_plus, key_size, &key);
622 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", key);
623 this->signer_initiator->set_key(this->signer_initiator, key);
624 chunk_free(&key);
625
626 prf_plus->allocate_bytes(prf_plus, key_size, &key);
627 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", key);
628 this->signer_responder->set_key(this->signer_responder, key);
629 chunk_free(&key);
630
631
632 /* SK_ei/SK_er used for encryption */
633 proposal->get_algorithm(proposal, PROTO_IKE, ENCRYPTION_ALGORITHM, &algo);
634 if (algo == NULL)
635 {
636 this->logger->log(this->logger, ERROR|LEVEL2, "No encryption algoithm selected!?");
637 return FAILED;
638 }
639 if (this->crypter_initiator != NULL)
640 {
641 this->crypter_initiator->destroy(this->crypter_initiator);
642 }
643 if (this->crypter_responder != NULL)
644 {
645 this->crypter_responder->destroy(this->crypter_responder);
646 }
647
648 this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size);
649 this->crypter_responder = crypter_create(algo->algorithm, algo->key_size);
650 if (this->crypter_initiator == NULL || this->crypter_responder == NULL)
651 {
652 this->logger->log(this->logger, ERROR|LEVEL1,
653 "ENCRYPTION_ALGORITHM %s (key size %d) not supported!",
654 mapping_find(encryption_algorithm_m, algo->algorithm),
655 algo->key_size);
656 return FAILED;
657 }
658 key_size = this->crypter_initiator->get_key_size(this->crypter_initiator);
659
660 prf_plus->allocate_bytes(prf_plus, key_size, &key);
661 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", key);
662 this->crypter_initiator->set_key(this->crypter_initiator, key);
663 chunk_free(&key);
664
665 prf_plus->allocate_bytes(prf_plus, key_size, &key);
666 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", key);
667 this->crypter_responder->set_key(this->crypter_responder, key);
668 chunk_free(&key);
669
670 /* SK_pi/SK_pr used for authentication */
671 proposal->get_algorithm(proposal, PROTO_IKE, PSEUDO_RANDOM_FUNCTION, &algo);
672 if (this->prf_auth_i != NULL)
673 {
674 this->prf_auth_i->destroy(this->prf_auth_i);
675 }
676 if (this->prf_auth_r != NULL)
677 {
678 this->prf_auth_r->destroy(this->prf_auth_r);
679 }
680
681 this->prf_auth_i = prf_create(algo->algorithm);
682 this->prf_auth_r = prf_create(algo->algorithm);
683
684 key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
685 prf_plus->allocate_bytes(prf_plus, key_size, &key);
686 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", key);
687 this->prf_auth_i->set_key(this->prf_auth_i, key);
688 chunk_free(&key);
689
690 prf_plus->allocate_bytes(prf_plus, key_size, &key);
691 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", key);
692 this->prf_auth_r->set_key(this->prf_auth_r, key);
693 chunk_free(&key);
694
695 /* all done, prf_plus not needed anymore */
696 prf_plus->destroy(prf_plus);
697
698 return SUCCESS;
699 }
700
701 /**
702 * Implementation of protected_ike_sa_t.get_randomizer.
703 */
704 static randomizer_t *get_randomizer (private_ike_sa_t *this)
705 {
706 return this->randomizer;
707 }
708
709 /**
710 * Implementation of protected_ike_sa_t.get_crypter_initiator.
711 */
712 static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
713 {
714 return this->crypter_initiator;
715 }
716
717 /**
718 * Implementation of protected_ike_sa_t.get_signer_initiator.
719 */
720 static signer_t *get_signer_initiator (private_ike_sa_t *this)
721 {
722 return this->signer_initiator;
723 }
724
725 /**
726 * Implementation of protected_ike_sa_t.get_crypter_responder.
727 */
728 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
729 {
730 return this->crypter_responder;
731 }
732
733 /**
734 * Implementation of protected_ike_sa_t.get_signer_responder.
735 */
736 static signer_t *get_signer_responder (private_ike_sa_t *this)
737 {
738 return this->signer_responder;
739 }
740
741 /**
742 * Implementation of protected_ike_sa_t.send_request.
743 */
744 static status_t send_request (private_ike_sa_t *this,message_t * message)
745 {
746 retransmit_request_job_t *retransmit_job;
747 u_int32_t timeout;
748 crypter_t *crypter;
749 signer_t *signer;
750 packet_t *packet;
751 status_t status;
752
753 if (message->get_message_id(message) != this->message_id_out)
754 {
755 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
756 message->get_message_id(message),this->message_id_out);
757 return FAILED;
758 }
759
760 /* generate packet */
761 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
762
763 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
764 {
765 crypter = this->crypter_initiator;
766 signer = this->signer_initiator;
767 }
768 else
769 {
770 crypter = this->crypter_responder;
771 signer =this->signer_responder;
772 }
773
774 status = message->generate(message, crypter,signer, &packet);
775 if (status != SUCCESS)
776 {
777 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
778 return FAILED;
779 }
780
781 this->logger->log(this->logger, CONTROL|LEVEL3,
782 "Add request packet with message id %d to global send queue",
783 this->message_id_out);
784 charon->send_queue->add(charon->send_queue, packet);
785
786 if (this->last_requested_message != NULL)
787 {
788 /* destroy message */
789 this->last_requested_message->destroy(this->last_requested_message);
790 }
791
792 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
793 this->last_requested_message = message;
794
795 retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
796
797 status = charon->configuration->get_retransmit_timeout (charon->configuration,
798 retransmit_job->get_retransmit_count(retransmit_job),&timeout);
799
800 if (status != SUCCESS)
801 {
802 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
803 retransmit_job->destroy(retransmit_job);
804 }
805 else
806 {
807 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.",timeout);
808 charon->event_queue->add_relative(charon->event_queue,(job_t *) retransmit_job,timeout);
809 }
810
811 /* message counter can now be increased */
812 this->logger->log(this->logger, CONTROL|LEVEL3,
813 "Increase message counter for outgoing messages from %d",
814 this->message_id_out);
815 this->message_id_out++;
816 return SUCCESS;
817 }
818
819 /**
820 * Implementation of protected_ike_sa_t.send_response.
821 */
822 static status_t send_response (private_ike_sa_t *this,message_t * message)
823 {
824 crypter_t *crypter;
825 signer_t *signer;
826 packet_t *packet;
827 status_t status;
828
829 if (message->get_message_id(message) != this->message_id_in)
830 {
831 this->logger->log(this->logger, ERROR, "Message could not be sent cause id was not as expected");
832 return FAILED;
833 }
834
835
836 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
837 {
838 crypter = this->crypter_initiator;
839 signer = this->signer_initiator;
840 }
841 else
842 {
843 crypter = this->crypter_responder;
844 signer =this->signer_responder;
845 }
846
847 status = message->generate(message, crypter,signer, &packet);
848 if (status != SUCCESS)
849 {
850 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
851 return FAILED;
852 }
853
854 this->logger->log(this->logger, CONTROL|LEVEL3,
855 "Add response packet with message id %d to global send queue",
856 this->message_id_in);
857 charon->send_queue->add(charon->send_queue, packet);
858
859 if (this->last_responded_message != NULL)
860 {
861 /* destroy message */
862 this->last_responded_message->destroy(this->last_responded_message);
863 }
864
865 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
866 this->last_responded_message = message;
867
868 /* message counter can now be increased */
869 this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
870 this->message_id_in++;
871
872 return SUCCESS;
873 }
874
875 /**
876 * Implementation of of private_responder_init_t.send_notify_reply.
877 */
878 static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data)
879 {
880 notify_payload_t *payload;
881 message_t *response;
882 packet_t *packet;
883 status_t status;
884
885 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
886 /* set up the reply */
887 this->protected.build_message(&(this->protected), exchange_type, FALSE, &response);
888 payload = notify_payload_create_from_protocol_and_type(PROTO_IKE, type);
889 if ((data.ptr != NULL) && (data.len > 0))
890 {
891 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
892 payload->set_notification_data(payload,data);
893 }
894
895 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
896 response->add_payload(response,(payload_t *) payload);
897
898 /* generate packet */
899 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
900 status = response->generate(response, this->crypter_responder, this->signer_responder, &packet);
901 if (status != SUCCESS)
902 {
903 this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message");
904 response->destroy(response);
905 return;
906 }
907
908 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
909 charon->send_queue->add(charon->send_queue, packet);
910 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
911 response->destroy(response);
912 }
913
914 /**
915 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
916 */
917 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
918 {
919 this->last_replied_message_id = message_id;
920 }
921
922 /**
923 * Implementation of protected_ike_sa_t.get_last_responded_message.
924 */
925 static message_t * get_last_responded_message (private_ike_sa_t *this)
926 {
927 return this->last_responded_message;
928 }
929
930 /**
931 * Implementation of protected_ike_sa_t.get_last_requested_message.
932 */
933 static message_t * get_last_requested_message (private_ike_sa_t *this)
934 {
935 return this->last_requested_message;
936 }
937
938 /**
939 * Implementation of ike_sa_t.get_state.
940 */
941 static ike_sa_state_t get_state (private_ike_sa_t *this)
942 {
943 return this->current_state->get_state(this->current_state);
944 }
945
946 /**
947 * Implementation of protected_ike_sa_t.add_child_sa.
948 */
949 static void add_child_sa (private_ike_sa_t *this, child_sa_t *child_sa)
950 {
951 this->child_sas->insert_last(this->child_sas, child_sa);
952 }
953
954 /**
955 * Implementation of protected_ike_sa_t.reset_message_buffers.
956 */
957 static void reset_message_buffers (private_ike_sa_t *this)
958 {
959 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
960 /* destroy stored requested message */
961 if (this->last_requested_message != NULL)
962 {
963 this->last_requested_message->destroy(this->last_requested_message);
964 this->last_requested_message = NULL;
965 }
966
967 /* destroy stored responded messages */
968 if (this->last_responded_message != NULL)
969 {
970 this->last_responded_message->destroy(this->last_responded_message);
971 this->last_responded_message = NULL;
972 }
973
974 this->message_id_out = 0;
975 this->message_id_in = 0;
976 this->last_replied_message_id = -1;
977 }
978
979 /**
980 * Implementation of protected_ike_sa_t.log_status.
981 */
982 static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
983 {
984 iterator_t *iterator;
985 child_sa_t *child_sa;
986
987 /* only log if name == NULL or name == connection_name */
988 if (name)
989 {
990 if (strcmp(this->connection->get_name(this->connection), name) != 0)
991 {
992 return;
993 }
994 }
995 else
996 {
997 name = this->connection->get_name(this->connection);
998 }
999
1000 host_t *my_host = this->connection->get_my_host(this->connection);
1001 host_t *other_host = this->connection->get_other_host(this->connection);
1002
1003 identification_t *my_id = this->connection->get_my_id(this->connection);
1004 identification_t *other_id = this->connection->get_other_id(this->connection);
1005
1006 if (logger == NULL)
1007 {
1008 logger = this->logger;
1009 }
1010 logger->log(logger, CONTROL|LEVEL1, "\"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
1011 name,
1012 mapping_find(ike_sa_state_m, this->current_state->get_state(this->current_state)),
1013 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1014 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1015 logger->log(logger, CONTROL, "\"%s\": %s[%s]...%s[%s]",
1016 name,
1017 my_host->get_address(my_host),
1018 my_id->get_string(my_id),
1019 other_host->get_address(other_host),
1020 other_id->get_string(other_id));
1021
1022 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1023 while (iterator->has_next(iterator))
1024 {
1025 iterator->current(iterator, (void**)&child_sa);
1026 child_sa->log_status(child_sa, logger, name);
1027 }
1028 iterator->destroy(iterator);
1029 }
1030
1031 /**
1032 * Implementation of protected_ike_sa_t.destroy.
1033 */
1034 static void destroy (private_ike_sa_t *this)
1035 {
1036 child_sa_t *child_sa;
1037
1038 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
1039 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1040 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
1041 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
1042
1043 /* inform other peer of delete */
1044 send_delete_ike_sa_request(this);
1045 while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
1046 {
1047 child_sa->destroy(child_sa);
1048 }
1049 this->child_sas->destroy(this->child_sas);
1050
1051 if (this->crypter_initiator)
1052 {
1053 this->crypter_initiator->destroy(this->crypter_initiator);
1054 }
1055 if (this->crypter_responder)
1056 {
1057 this->crypter_responder->destroy(this->crypter_responder);
1058 }
1059 if (this->signer_initiator)
1060 {
1061 this->signer_initiator->destroy(this->signer_initiator);
1062 }
1063 if (this->signer_responder)
1064 {
1065 this->signer_responder->destroy(this->signer_responder);
1066 }
1067 if (this->prf)
1068 {
1069 this->prf->destroy(this->prf);
1070 }
1071 if (this->child_prf)
1072 {
1073 this->child_prf->destroy(this->child_prf);
1074 }
1075 if (this->prf_auth_i)
1076 {
1077 this->prf_auth_i->destroy(this->prf_auth_i);
1078 }
1079 if (this->prf_auth_r)
1080 {
1081 this->prf_auth_r->destroy(this->prf_auth_r);
1082 }
1083 if (this->connection)
1084 {
1085 host_t *me, *other;
1086 me = this->connection->get_my_host(this->connection);
1087 other = this->connection->get_other_host(this->connection);
1088
1089 this->logger->log(this->logger, AUDIT, "IKE_SA deleted between %s - %s",
1090 me->get_address(me), other->get_address(other));
1091 this->connection->destroy(this->connection);
1092 }
1093 if (this->policy)
1094 {
1095 this->policy->destroy(this->policy);
1096 }
1097 if (this->last_requested_message)
1098 {
1099 this->last_requested_message->destroy(this->last_requested_message);
1100 }
1101 if (this->last_responded_message)
1102 {
1103 this->last_responded_message->destroy(this->last_responded_message);
1104 }
1105 this->ike_sa_id->destroy(this->ike_sa_id);
1106 this->randomizer->destroy(this->randomizer);
1107 this->current_state->destroy(this->current_state);
1108
1109 free(this);
1110 }
1111
1112 /*
1113 * Described in header.
1114 */
1115 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1116 {
1117 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
1118
1119 /* Public functions */
1120 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1121 this->protected.public.initiate_connection = (status_t(*)(ike_sa_t*,connection_t*)) initiate_connection;
1122 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1123 this->protected.public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
1124 this->protected.public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
1125 this->protected.public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
1126 this->protected.public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
1127 this->protected.public.get_connection = (connection_t*(*)(ike_sa_t*)) get_connection;
1128 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1129 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1130 this->protected.public.send_delete_ike_sa_request = (void (*)(ike_sa_t*)) send_delete_ike_sa_request;
1131 this->protected.public.log_status = (void (*) (ike_sa_t*,logger_t*,char*))log_status;
1132 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1133
1134 /* protected functions */
1135 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
1136 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1137 this->protected.get_child_prf = (prf_t *(*) (protected_ike_sa_t *)) get_child_prf;
1138 this->protected.get_prf_auth_i = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_i;
1139 this->protected.get_prf_auth_r = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_r;
1140 this->protected.add_child_sa = (void (*) (protected_ike_sa_t*,child_sa_t*)) add_child_sa;
1141 this->protected.set_connection = (void (*) (protected_ike_sa_t *,connection_t *)) set_connection;
1142 this->protected.get_connection = (connection_t *(*) (protected_ike_sa_t *)) get_connection;
1143 this->protected.set_policy = (void (*) (protected_ike_sa_t *,policy_t *)) set_policy;
1144 this->protected.get_policy = (policy_t *(*) (protected_ike_sa_t *)) get_policy;
1145 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1146 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1147 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1148 this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify;
1149 this->protected.build_transforms = (status_t (*) (protected_ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t)) build_transforms;
1150 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1151 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1152 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1153 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1154 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1155 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1156 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *)) get_last_responded_message;
1157 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *)) get_last_requested_message;
1158
1159 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1160
1161 /* private functions */
1162 this->resend_last_reply = resend_last_reply;
1163
1164 /* initialize private fields */
1165 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
1166
1167 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1168 this->child_sas = linked_list_create();
1169 this->randomizer = randomizer_create();
1170
1171 this->last_requested_message = NULL;
1172 this->last_responded_message = NULL;
1173 this->message_id_out = 0;
1174 this->message_id_in = 0;
1175 this->last_replied_message_id = -1;
1176 this->crypter_initiator = NULL;
1177 this->crypter_responder = NULL;
1178 this->signer_initiator = NULL;
1179 this->signer_responder = NULL;
1180 this->prf = NULL;
1181 this->prf_auth_i = NULL;
1182 this->prf_auth_r = NULL;
1183 this->child_prf = NULL;
1184 this->connection = NULL;
1185 this->policy = NULL;
1186
1187 /* at creation time, IKE_SA is in a initiator state */
1188 if (ike_sa_id->is_initiator(ike_sa_id))
1189 {
1190 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
1191 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1192 }
1193 else
1194 {
1195 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
1196 this->current_state = (state_t *) responder_init_create(&(this->protected));
1197 }
1198 return &(this->protected.public);
1199 }