fixed aes code, we support now aes128, aes192, aes256 in IKE
[strongswan.git] / src / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22 #include <string.h>
23
24 #include "ike_sa.h"
25
26 #include <types.h>
27 #include <daemon.h>
28 #include <definitions.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <crypto/diffie_hellman.h>
33 #include <crypto/prf_plus.h>
34 #include <crypto/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/delete_payload.h>
39 #include <encoding/payloads/transform_substructure.h>
40 #include <encoding/payloads/transform_attribute.h>
41 #include <encoding/payloads/ts_payload.h>
42 #include <sa/states/initiator_init.h>
43 #include <sa/states/responder_init.h>
44 #include <sa/states/create_child_sa_requested.h>
45 #include <sa/states/delete_child_sa_requested.h>
46 #include <sa/states/delete_ike_sa_requested.h>
47 #include <queues/jobs/retransmit_request_job.h>
48 #include <queues/jobs/delete_established_ike_sa_job.h>
49 #include <queues/jobs/delete_half_open_ike_sa_job.h>
50
51
52
53
54 typedef struct private_ike_sa_t private_ike_sa_t;
55
56 /**
57 * Private data of an ike_sa_t object.
58 */
59 struct private_ike_sa_t {
60
61 /**
62 * Protected part of a ike_sa_t object.
63 */
64 protected_ike_sa_t protected;
65
66 /**
67 * Identifier for the current IKE_SA.
68 */
69 ike_sa_id_t *ike_sa_id;
70
71 /**
72 * Linked List containing the child sa's of the current IKE_SA.
73 */
74 linked_list_t *child_sas;
75
76 /**
77 * Current state of the IKE_SA represented as state_t object.
78 *
79 * A state object representates one of the following states and is processing
80 * messages in the specific state:
81 * - INITIATOR_INIT
82 * - RESPONDER_INIT
83 * - IKE_SA_INIT_REQUESTED
84 * - IKE_SA_INIT_RESPONDED
85 * - IKE_AUTH_REQUESTED
86 * -IKE_SA_ESTABLISHED
87 */
88 state_t *current_state;
89
90 /**
91 * Connection definition used for this IKE_SA
92 */
93 connection_t *connection;
94
95 /**
96 * Policy definition used for this IKE_SA
97 */
98 policy_t *policy;
99
100 /**
101 * This SA's source for random data.
102 *
103 * Is available in every state.
104 */
105 randomizer_t *randomizer;
106
107 /**
108 * The last responded message.
109 */
110 message_t *last_responded_message;
111
112 /**
113 * The ast requested message.
114 */
115 message_t *last_requested_message;
116
117 /**
118 * Crypter object for initiator.
119 */
120 crypter_t *crypter_initiator;
121
122 /**
123 * Crypter object for responder.
124 */
125 crypter_t *crypter_responder;
126
127 /**
128 * Signer object for initiator.
129 */
130 signer_t *signer_initiator;
131
132 /**
133 * Signer object for responder.
134 */
135 signer_t *signer_responder;
136
137 /**
138 * Multi purpose prf, set key, use it, forget it
139 */
140 prf_t *prf;
141
142 /**
143 * Prf function for derivating keymat child SAs
144 */
145 prf_t *child_prf;
146
147 /**
148 * PRF, with key set to pi_key, used for authentication
149 */
150 prf_t *prf_auth_i;
151
152 /**
153 * PRF, with key set to pr_key, used for authentication
154 */
155 prf_t *prf_auth_r;
156
157 /**
158 * Next message id to receive.
159 */
160 u_int32_t message_id_in;
161
162 /**
163 * Next message id to send.
164 */
165 u_int32_t message_id_out;
166
167 /**
168 * Last reply id which was successfully received.
169 */
170 int32_t last_replied_message_id;
171
172 /**
173 * A logger for this IKE_SA.
174 */
175 logger_t *logger;
176 };
177
178 /**
179 * Implementation of protected_ike_sa_t.build_message.
180 */
181 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
182 {
183 message_t *new_message;
184 host_t *me, *other;
185
186 me = this->connection->get_my_host(this->connection);
187 other = this->connection->get_other_host(this->connection);
188
189 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
190 new_message = message_create();
191 new_message->set_source(new_message, me->clone(me));
192 new_message->set_destination(new_message, other->clone(other));
193 new_message->set_exchange_type(new_message, type);
194 new_message->set_request(new_message, request);
195 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
196 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
197
198 *message = new_message;
199 }
200
201 /**
202 * Implementation of ike_sa_t.get_state.
203 */
204 static ike_sa_state_t get_state(private_ike_sa_t *this)
205 {
206 return this->current_state->get_state(this->current_state);
207 }
208
209 /**
210 * Implementation of protected_ike_sa_t.set_new_state.
211 */
212 static void set_new_state(private_ike_sa_t *this, state_t *state)
213 {
214 this->logger->log(this->logger, CONTROL, "statechange: %s => %s",
215 mapping_find(ike_sa_state_m, get_state(this)),
216 mapping_find(ike_sa_state_m, state->get_state(state)));
217 this->current_state = state;
218 }
219
220 /**
221 * Implementation of protected_ike_sa_t.get_connection.
222 */
223 static connection_t *get_connection(private_ike_sa_t *this)
224 {
225 return this->connection;
226 }
227
228 /**
229 * Implementation of protected_ike_sa_t.set_connection.
230 */
231 static void set_connection(private_ike_sa_t *this,connection_t * connection)
232 {
233 this->connection = connection;
234 }
235
236 /**
237 * Implementation of protected_ike_sa_t.get_policy.
238 */
239 static policy_t *get_policy(private_ike_sa_t *this)
240 {
241 return this->policy;
242 }
243
244 /**
245 * Implementation of protected_ike_sa_t.set_policy.
246 */
247 static void set_policy(private_ike_sa_t *this,policy_t * policy)
248 {
249 this->policy = policy;
250 }
251
252 /**
253 * Implementation of protected_ike_sa_t.get_prf.
254 */
255 static prf_t *get_prf(private_ike_sa_t *this)
256 {
257 return this->prf;
258 }
259
260 /**
261 * Implementation of protected_ike_sa_t.get_prf.
262 */
263 static prf_t *get_child_prf(private_ike_sa_t *this)
264 {
265 return this->child_prf;
266 }
267
268 /**
269 * Implementation of protected_ike_sa_t.get_prf_auth_i.
270 */
271 static prf_t *get_prf_auth_i(private_ike_sa_t *this)
272 {
273 return this->prf_auth_i;
274 }
275
276 /**
277 * Implementation of protected_ike_sa_t.get_prf_auth_r.
278 */
279 static prf_t *get_prf_auth_r(private_ike_sa_t *this)
280 {
281 return this->prf_auth_r;
282 }
283 /**
284 * Implementation of ike_sa_t.get_id.
285 */
286 static ike_sa_id_t* get_id(private_ike_sa_t *this)
287 {
288 return this->ike_sa_id;
289 }
290
291 /**
292 * Implementation of ike_sa_t.get_my_host.
293 */
294 static host_t* get_my_host(private_ike_sa_t *this)
295 {
296 return this->connection->get_my_host(this->connection);;
297 }
298
299 /**
300 * Implementation of ike_sa_t.get_other_host.
301 */
302 static host_t* get_other_host(private_ike_sa_t *this)
303 {
304 return this->connection->get_other_host(this->connection);;
305 }
306
307 /**
308 * Implementation of ike_sa_t.get_my_id.
309 */
310 static identification_t* get_my_id(private_ike_sa_t *this)
311 {
312 return this->policy->get_my_id(this->policy);;
313 }
314
315 /**
316 * Implementation of ike_sa_t.get_other_id.
317 */
318 static identification_t* get_other_id(private_ike_sa_t *this)
319 {
320 return this->policy->get_other_id(this->policy);;
321 }
322
323 /**
324 * Implementation of ike_sa_t.retransmit_request.
325 */
326 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
327 {
328 packet_t *packet;
329
330 if (this->last_requested_message == NULL)
331 {
332 return NOT_FOUND;
333 }
334
335 if (message_id == this->last_replied_message_id)
336 {
337 return NOT_FOUND;
338 }
339
340 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
341 {
342 return NOT_FOUND;
343 }
344
345 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
346 packet = this->last_requested_message->get_packet(this->last_requested_message);
347 charon->send_queue->add(charon->send_queue, packet);
348
349 return SUCCESS;
350 }
351
352
353 /**
354 * Implementation of protected_ike_sa_t.build_transforms.
355 */
356 static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
357 {
358 chunk_t nonces, nonces_spis, skeyseed, key, secret;
359 u_int64_t spi_i, spi_r;
360 prf_plus_t *prf_plus;
361 algorithm_t *algo;
362 size_t key_size;
363
364 /*
365 * Build the PRF+ instance for deriving keys
366 */
367 if (this->prf != NULL)
368 {
369 this->prf->destroy(this->prf);
370 }
371 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
372 {
373 this->logger->log(this->logger, ERROR|LEVEL2, "No PRF algoithm selected!?");
374 return FAILED;
375 }
376 this->prf = prf_create(algo->algorithm);
377 if (this->prf == NULL)
378 {
379 this->logger->log(this->logger, ERROR|LEVEL1,
380 "PSEUDO_RANDOM_FUNCTION %s not supported!",
381 mapping_find(pseudo_random_function_m, algo->algorithm));
382 return FAILED;
383 }
384
385 /* concatenate nonces = nonce_i | nonce_r */
386 nonces = chunk_alloc(nonce_i.len + nonce_r.len);
387 memcpy(nonces.ptr, nonce_i.ptr, nonce_i.len);
388 memcpy(nonces.ptr + nonce_i.len, nonce_r.ptr, nonce_r.len);
389
390 /* concatenate prf_seed = nonce_i | nonce_r | spi_i | spi_r */
391 nonces_spis = chunk_alloc(nonces.len + 16);
392 memcpy(nonces_spis.ptr, nonces.ptr, nonces.len);
393 spi_i = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
394 spi_r = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
395 memcpy(nonces_spis.ptr + nonces.len, &spi_i, 8);
396 memcpy(nonces_spis.ptr + nonces.len + 8, &spi_r, 8);
397
398 /* SKEYSEED = prf(Ni | Nr, g^ir) */
399 dh->get_shared_secret(dh, &secret);
400 this->logger->log_chunk(this->logger, PRIVATE, "Shared Diffie Hellman secret", secret);
401 this->prf->set_key(this->prf, nonces);
402 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
403 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "SKEYSEED", skeyseed);
404 chunk_free(&secret);
405
406 /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
407 * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
408 *
409 * we use the prf directly for prf+
410 */
411 this->prf->set_key(this->prf, skeyseed);
412 prf_plus = prf_plus_create(this->prf, nonces_spis);
413
414 /* clean up unused stuff */
415 chunk_free(&nonces);
416 chunk_free(&nonces_spis);
417 chunk_free(&skeyseed);
418
419
420 /*
421 * We now can derive all of our key. We build the transforms
422 * directly.
423 */
424
425
426 /* SK_d used for prf+ to derive keys for child SAs */
427 this->child_prf = prf_create(algo->algorithm);
428 key_size = this->child_prf->get_key_size(this->child_prf);
429 prf_plus->allocate_bytes(prf_plus, key_size, &key);
430 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", key);
431 this->child_prf->set_key(this->child_prf, key);
432 chunk_free(&key);
433
434
435 /* SK_ai/SK_ar used for integrity protection */
436 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
437 {
438 this->logger->log(this->logger, ERROR, "No integrity algoithm selected?!");
439 return FAILED;
440 }
441 if (this->signer_initiator != NULL)
442 {
443 this->signer_initiator->destroy(this->signer_initiator);
444 }
445 if (this->signer_responder != NULL)
446 {
447 this->signer_responder->destroy(this->signer_responder);
448 }
449
450 this->signer_initiator = signer_create(algo->algorithm);
451 this->signer_responder = signer_create(algo->algorithm);
452 if (this->signer_initiator == NULL || this->signer_responder == NULL)
453 {
454 this->logger->log(this->logger, ERROR,
455 "INTEGRITY_ALGORITHM %s not supported!",
456 mapping_find(integrity_algorithm_m,algo->algorithm));
457 return FAILED;
458 }
459 key_size = this->signer_initiator->get_key_size(this->signer_initiator);
460
461 prf_plus->allocate_bytes(prf_plus, key_size, &key);
462 this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ai secret", key);
463 this->signer_initiator->set_key(this->signer_initiator, key);
464 chunk_free(&key);
465
466 prf_plus->allocate_bytes(prf_plus, key_size, &key);
467 this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ar secret", key);
468 this->signer_responder->set_key(this->signer_responder, key);
469 chunk_free(&key);
470
471
472 /* SK_ei/SK_er used for encryption */
473 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
474 {
475 this->logger->log(this->logger, ERROR, "No encryption algoithm selected!?");
476 return FAILED;
477 }
478 if (this->crypter_initiator != NULL)
479 {
480 this->crypter_initiator->destroy(this->crypter_initiator);
481 }
482 if (this->crypter_responder != NULL)
483 {
484 this->crypter_responder->destroy(this->crypter_responder);
485 }
486
487 this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size / 8);
488 this->crypter_responder = crypter_create(algo->algorithm, algo->key_size / 8);
489 if (this->crypter_initiator == NULL || this->crypter_responder == NULL)
490 {
491 this->logger->log(this->logger, ERROR,
492 "ENCRYPTION_ALGORITHM %s (key size %d) not supported!",
493 mapping_find(encryption_algorithm_m, algo->algorithm),
494 algo->key_size);
495 return FAILED;
496 }
497 key_size = this->crypter_initiator->get_key_size(this->crypter_initiator);
498
499 prf_plus->allocate_bytes(prf_plus, key_size, &key);
500 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", key);
501 this->crypter_initiator->set_key(this->crypter_initiator, key);
502 chunk_free(&key);
503
504 prf_plus->allocate_bytes(prf_plus, key_size, &key);
505 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", key);
506 this->crypter_responder->set_key(this->crypter_responder, key);
507 chunk_free(&key);
508
509 /* SK_pi/SK_pr used for authentication */
510 if (this->prf_auth_i != NULL)
511 {
512 this->prf_auth_i->destroy(this->prf_auth_i);
513 }
514 if (this->prf_auth_r != NULL)
515 {
516 this->prf_auth_r->destroy(this->prf_auth_r);
517 }
518
519 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
520 this->prf_auth_i = prf_create(algo->algorithm);
521 this->prf_auth_r = prf_create(algo->algorithm);
522
523 key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
524 prf_plus->allocate_bytes(prf_plus, key_size, &key);
525 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", key);
526 this->prf_auth_i->set_key(this->prf_auth_i, key);
527 chunk_free(&key);
528
529 prf_plus->allocate_bytes(prf_plus, key_size, &key);
530 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", key);
531 this->prf_auth_r->set_key(this->prf_auth_r, key);
532 chunk_free(&key);
533
534 /* all done, prf_plus not needed anymore */
535 prf_plus->destroy(prf_plus);
536
537 return SUCCESS;
538 }
539
540 /**
541 * Implementation of protected_ike_sa_t.get_randomizer.
542 */
543 static randomizer_t *get_randomizer(private_ike_sa_t *this)
544 {
545 return this->randomizer;
546 }
547
548 /**
549 * Implementation of protected_ike_sa_t.get_crypter_initiator.
550 */
551 static crypter_t *get_crypter_initiator(private_ike_sa_t *this)
552 {
553 return this->crypter_initiator;
554 }
555
556 /**
557 * Implementation of protected_ike_sa_t.get_signer_initiator.
558 */
559 static signer_t *get_signer_initiator(private_ike_sa_t *this)
560 {
561 return this->signer_initiator;
562 }
563
564 /**
565 * Implementation of protected_ike_sa_t.get_crypter_responder.
566 */
567 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
568 {
569 return this->crypter_responder;
570 }
571
572 /**
573 * Implementation of protected_ike_sa_t.get_signer_responder.
574 */
575 static signer_t *get_signer_responder(private_ike_sa_t *this)
576 {
577 return this->signer_responder;
578 }
579
580 /**
581 * Implementation of protected_ike_sa_t.send_request.
582 */
583 static status_t send_request(private_ike_sa_t *this, message_t *message)
584 {
585 retransmit_request_job_t *retransmit_job;
586 u_int32_t timeout;
587 crypter_t *crypter;
588 signer_t *signer;
589 packet_t *packet;
590 status_t status;
591
592 if (message->get_message_id(message) != this->message_id_out)
593 {
594 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
595 message->get_message_id(message),this->message_id_out);
596 return FAILED;
597 }
598
599 /* generate packet */
600 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
601
602 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
603 {
604 crypter = this->crypter_initiator;
605 signer = this->signer_initiator;
606 }
607 else
608 {
609 crypter = this->crypter_responder;
610 signer =this->signer_responder;
611 }
612
613 status = message->generate(message, crypter,signer, &packet);
614 if (status != SUCCESS)
615 {
616 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
617 return FAILED;
618 }
619
620 this->logger->log(this->logger, CONTROL|LEVEL3,
621 "Add request packet with message id %d to global send queue",
622 this->message_id_out);
623 charon->send_queue->add(charon->send_queue, packet);
624
625 /* replace last message for retransmit with current */
626 if (this->last_requested_message != NULL)
627 {
628 this->last_requested_message->destroy(this->last_requested_message);
629 }
630 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
631 this->last_requested_message = message;
632
633 /* schedule a job for retransmission */
634 status = charon->configuration->get_retransmit_timeout(charon->configuration, 0, &timeout);
635 if (status != SUCCESS)
636 {
637 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
638 }
639 else
640 {
641 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.", timeout);
642 retransmit_job = retransmit_request_job_create(this->message_id_out, this->ike_sa_id);
643 charon->event_queue->add_relative(charon->event_queue, (job_t *)retransmit_job, timeout);
644 }
645
646 /* message counter can now be increased */
647 this->logger->log(this->logger, CONTROL|LEVEL3,
648 "Increase message counter for outgoing messages from %d",
649 this->message_id_out);
650 this->message_id_out++;
651 return SUCCESS;
652 }
653
654 /**
655 * Implementation of protected_ike_sa_t.send_response.
656 */
657 static status_t send_response(private_ike_sa_t *this, message_t *message)
658 {
659 crypter_t *crypter;
660 signer_t *signer;
661 packet_t *packet;
662 status_t status;
663
664 if (message->get_message_id(message) != this->message_id_in)
665 {
666
667 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
668 message->get_message_id(message),this->message_id_in);
669 return FAILED;
670 }
671
672 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
673 {
674 crypter = this->crypter_initiator;
675 signer = this->signer_initiator;
676 }
677 else
678 {
679 crypter = this->crypter_responder;
680 signer =this->signer_responder;
681 }
682
683 status = message->generate(message, crypter,signer, &packet);
684 if (status != SUCCESS)
685 {
686 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
687 return FAILED;
688 }
689
690 this->logger->log(this->logger, CONTROL|LEVEL3,
691 "Add response packet with message id %d to global send queue",
692 this->message_id_in);
693 charon->send_queue->add(charon->send_queue, packet);
694
695 if (this->last_responded_message != NULL)
696 {
697 /* destroy message */
698 this->last_responded_message->destroy(this->last_responded_message);
699 }
700
701 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
702 this->last_responded_message = message;
703
704 /* message counter can now be increased */
705 this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
706 this->message_id_in++;
707
708 return SUCCESS;
709 }
710
711 /**
712 * Implementation of of private_responder_init_t.send_notify_reply.
713 */
714 static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data)
715 {
716 notify_payload_t *payload;
717 message_t *response;
718 packet_t *packet;
719 status_t status;
720
721 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
722 /* set up the reply */
723 build_message(this, exchange_type, FALSE, &response);
724 payload = notify_payload_create_from_protocol_and_type(PROTO_NONE, type);
725 if ((data.ptr != NULL) && (data.len > 0))
726 {
727 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
728 payload->set_notification_data(payload,data);
729 }
730
731 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
732 response->add_payload(response,(payload_t *) payload);
733
734 /* generate packet */
735 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
736 status = response->generate(response, this->crypter_responder, this->signer_responder, &packet);
737 if (status != SUCCESS)
738 {
739 this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message");
740 response->destroy(response);
741 return;
742 }
743
744 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
745 charon->send_queue->add(charon->send_queue, packet);
746 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
747 response->destroy(response);
748 }
749
750 /**
751 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
752 */
753 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
754 {
755 this->last_replied_message_id = message_id;
756 }
757
758 /**
759 * Implementation of protected_ike_sa_t.get_last_responded_message.
760 */
761 static message_t *get_last_responded_message (private_ike_sa_t *this)
762 {
763 return this->last_responded_message;
764 }
765
766 /**
767 * Implementation of protected_ike_sa_t.get_last_requested_message.
768 */
769 static message_t *get_last_requested_message(private_ike_sa_t *this)
770 {
771 return this->last_requested_message;
772 }
773
774 /**
775 * Implementation of protected_ike_sa_t.add_child_sa.
776 */
777 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
778 {
779 this->child_sas->insert_last(this->child_sas, child_sa);
780 }
781
782 /**
783 * Implementation of ike_sa_t.process_message.
784 */
785 static status_t process_message(private_ike_sa_t *this, message_t *message)
786 {
787 u_int32_t message_id;
788 exchange_type_t exchange_type;
789 bool is_request;
790
791 /* Find out type of message (request or response) */
792 is_request = message->get_request(message);
793 exchange_type = message->get_exchange_type(message);
794
795 this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
796 (is_request) ? "request" : "response",
797 mapping_find(exchange_type_m, exchange_type));
798
799 message_id = message->get_message_id(message);
800
801 /* check if message already received, and retransmit its reply */
802 if (is_request && (message_id == (this->message_id_in - 1)))
803 {
804 /* resend last message, if any */
805 if (this->last_responded_message)
806 {
807 packet_t *packet = this->last_responded_message->get_packet(this->last_responded_message);
808 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
809 charon->send_queue->add(charon->send_queue, packet);
810 return SUCCESS;
811 }
812 else
813 {
814 /* somebody does something nasty here... */
815 return FAILED;
816 }
817 }
818
819 /* Now, the message id is checked for request AND reply */
820 if (is_request)
821 {
822 /* In a request, the message has to be this->message_id_in (other case is already handled) */
823 if (message_id != this->message_id_in)
824 {
825 this->logger->log(this->logger, ERROR | LEVEL1,
826 "Message request with message id %d received, but %d expected",
827 message_id,this->message_id_in);
828 return FAILED;
829 }
830 }
831 else
832 {
833 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
834 if (message_id != (this->message_id_out - 1))
835 {
836 this->logger->log(this->logger, ERROR | LEVEL1,
837 "Message reply with message id %d received, but %d expected",
838 message_id,this->message_id_in);
839 return FAILED;
840 }
841 }
842
843 /* now the message is processed by the current state object.
844 * The specific state object is responsible to check if a message can be received in
845 * the state it represents.
846 * The current state is also responsible to change the state object to the next state
847 * by calling protected_ike_sa_t.set_new_state
848 */
849 return this->current_state->process_message(this->current_state, message);
850 }
851
852 /**
853 * Implementation of protected_ike_sa_t.initiate_connection.
854 */
855 static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection)
856 {
857 initiator_init_t *current_state;
858
859 /* Work is done in state object of type INITIATOR_INIT. All other states are not
860 * initial states and so don't have a initiate_connection function */
861
862 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
863 {
864 return FAILED;
865 }
866
867 current_state = (initiator_init_t *) this->current_state;
868
869 return current_state->initiate_connection(current_state, connection);
870 }
871
872 /**
873 * Implementation of ike_sa_t.get_child_sa.
874 */
875 static child_sa_t *get_child_sa(private_ike_sa_t *this, u_int32_t reqid)
876 {
877 iterator_t *iterator;
878 child_sa_t *current, *found = NULL;
879
880 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
881 while (iterator->has_next(iterator))
882 {
883 iterator->current(iterator, (void**)&current);
884 if (current->get_reqid(current) == reqid)
885 {
886 found = current;
887 break;
888 }
889 }
890 iterator->destroy(iterator);
891 return found;
892 }
893
894 /**
895 * Implementation of ike_sa_t.delete_child_sa.
896 */
897 static status_t delete_child_sa(private_ike_sa_t *this, u_int32_t reqid)
898 {
899 message_t *request;
900 child_sa_t *child_sa;
901 delete_payload_t *delete_payload;
902 state_t *old_state;
903
904 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
905 {
906 this->logger->log(this->logger, ERROR|LEVEL1,
907 "Delete of a CHILD_SA whose IKE_SA not in state IKE_SA_ESTABLISHED, aborting");
908 return FAILED;
909 }
910
911 child_sa = get_child_sa(this, reqid);
912 if (child_sa == NULL)
913 {
914 this->logger->log(this->logger, ERROR|LEVEL1,
915 "IKE_SA does not contain a CHILD_SA with reqid %d", reqid);
916 return FAILED;
917 }
918 build_message(this, INFORMATIONAL, TRUE, &request);
919 delete_payload = delete_payload_create(child_sa->get_protocol(child_sa));
920 delete_payload->add_spi(delete_payload, child_sa->get_spi(child_sa, FALSE));
921 request->add_payload(request, (payload_t*)delete_payload);
922
923 send_request(this, request);
924
925 old_state = this->current_state;
926 set_new_state(this, (state_t*)delete_child_sa_requested_create(&this->protected));
927 old_state->destroy(old_state);
928 return SUCCESS;
929 }
930
931 /**
932 * Implementation of protected_ike_sa_t.destroy_child_sa.
933 */
934 static u_int32_t destroy_child_sa(private_ike_sa_t *this, u_int32_t spi)
935 {
936 iterator_t *iterator;
937 child_sa_t *child_sa;
938
939 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
940 while (iterator->has_next(iterator))
941 {
942 iterator->current(iterator, (void**)&child_sa);
943 if (child_sa->get_spi(child_sa, TRUE) == spi)
944 {
945 iterator->remove(iterator);
946 break;
947 }
948 else
949 {
950 child_sa = NULL;
951 }
952 }
953 iterator->destroy(iterator);
954 if (child_sa == NULL)
955 {
956 this->logger->log(this->logger, ERROR,
957 "IKE_SA does not contain a CHILD_SA with spi 0x%x", spi);
958 return 0;
959 }
960
961 spi = child_sa->get_spi(child_sa, FALSE);
962 child_sa->destroy(child_sa);
963 return spi;
964 }
965
966 /**
967 * Implementation of protected_ike_sa_t.get_child_sa.
968 */
969 static child_sa_t* get_child_sa_by_spi(private_ike_sa_t *this, u_int32_t spi)
970 {
971 iterator_t *iterator;
972 child_sa_t *current, *found = NULL;
973
974 iterator = this->child_sas->create_iterator(this->child_sas, FALSE);
975 while (iterator->has_next(iterator))
976 {
977 iterator->current(iterator, (void**)&current);
978 if (current->get_spi(current, TRUE) == spi)
979 {
980 found = current;
981 }
982 }
983 iterator->destroy(iterator);
984 return found;
985 }
986
987 /**
988 * Implementation of ike_sa_t.rekey_child_sa.
989 */
990 static status_t rekey_child_sa(private_ike_sa_t *this, u_int32_t reqid)
991 {
992 message_t *request;
993 child_sa_t *child_sa;
994 notify_payload_t *notify;
995 sa_payload_t *sa_payload;
996 ts_payload_t *tsi_payload, *tsr_payload;
997 nonce_payload_t *nonce_payload;
998 linked_list_t *proposals;
999 chunk_t nonce;
1000 linked_list_t *my_ts, *other_ts;
1001 state_t *old_state;
1002
1003 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
1004 {
1005 this->logger->log(this->logger, ERROR|LEVEL1,
1006 "Rekeying of an CHILD_SA whose IKE_SA not in state IKE_SA_ESTABLISHED, aborting");
1007 return FAILED;
1008 }
1009
1010 child_sa = get_child_sa(this, reqid);
1011 if (child_sa == NULL)
1012 {
1013 this->logger->log(this->logger, ERROR|LEVEL1,
1014 "IKE_SA does not contain a CHILD_SA with reqid %d", reqid);
1015 return FAILED;
1016 }
1017
1018 build_message(this, CREATE_CHILD_SA, TRUE, &request);
1019 notify = notify_payload_create_from_protocol_and_type(
1020 child_sa->get_protocol(child_sa), REKEY_SA);
1021 notify->set_spi(notify, child_sa->get_spi(child_sa, FALSE));
1022 request->add_payload(request, (payload_t*)notify);
1023
1024 proposals = this->policy->get_proposals(this->policy);
1025 child_sa = child_sa_create(reqid,
1026 this->connection->get_my_host(this->connection),
1027 this->connection->get_other_host(this->connection),
1028 this->policy->get_soft_lifetime(this->policy),
1029 this->policy->get_hard_lifetime(this->policy));
1030 child_sa->alloc(child_sa, proposals);
1031 sa_payload = sa_payload_create_from_proposal_list(proposals);
1032 request->add_payload(request, (payload_t*)sa_payload);
1033
1034 nonce_payload = nonce_payload_create();
1035 if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
1036 NONCE_SIZE, &nonce))
1037 {
1038 request->destroy(request);
1039 return FAILED;
1040 }
1041 nonce_payload->set_nonce(nonce_payload, nonce);
1042 request->add_payload(request, (payload_t*)nonce_payload);
1043
1044 my_ts = this->policy->get_my_traffic_selectors(this->policy);
1045 other_ts = this->policy->get_other_traffic_selectors(this->policy);
1046 tsi_payload = ts_payload_create_from_traffic_selectors(TRUE, my_ts);
1047 tsr_payload = ts_payload_create_from_traffic_selectors(FALSE, other_ts);
1048 request->add_payload(request, (payload_t*)tsi_payload);
1049 request->add_payload(request, (payload_t*)tsr_payload);
1050
1051 send_request(this, request);
1052
1053 old_state = this->current_state;
1054 set_new_state(this, (state_t*)create_child_sa_requested_create(&this->protected, child_sa, nonce, reqid));
1055 old_state->destroy(old_state);
1056
1057 return SUCCESS;
1058 }
1059
1060 /**
1061 * Implementation of protected_ike_sa_t.reset_message_buffers.
1062 */
1063 static void reset_message_buffers(private_ike_sa_t *this)
1064 {
1065 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
1066 /* destroy stored requested message */
1067 if (this->last_requested_message != NULL)
1068 {
1069 this->last_requested_message->destroy(this->last_requested_message);
1070 this->last_requested_message = NULL;
1071 }
1072
1073 /* destroy stored responded messages */
1074 if (this->last_responded_message != NULL)
1075 {
1076 this->last_responded_message->destroy(this->last_responded_message);
1077 this->last_responded_message = NULL;
1078 }
1079
1080 this->message_id_out = 0;
1081 this->message_id_in = 0;
1082 this->last_replied_message_id = -1;
1083 }
1084
1085 /**
1086 * Implementation of protected_ike_sa_t.log_status.
1087 */
1088 static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
1089 {
1090 iterator_t *iterator;
1091 child_sa_t *child_sa;
1092 host_t *my_host, *other_host;
1093 identification_t *my_id = NULL, *other_id = NULL;
1094
1095 /* only log if name == NULL or name == connection_name */
1096 if (name)
1097 {
1098 if (streq(this->connection->get_name(this->connection), name))
1099 {
1100 return;
1101 }
1102 }
1103 my_host = this->connection->get_my_host(this->connection);
1104 other_host = this->connection->get_other_host(this->connection);
1105
1106 /* use policy information, if available */
1107 if (this->policy)
1108 {
1109 my_id = this->policy->get_my_id(this->policy);
1110 other_id = this->policy->get_other_id(this->policy);
1111 name = this->policy->get_name(this->policy);
1112 }
1113 else
1114 {
1115 name = this->connection->get_name(this->connection);
1116 }
1117
1118 if (logger == NULL)
1119 {
1120 logger = this->logger;
1121 }
1122 logger->log(logger, CONTROL|LEVEL1, " \"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
1123 name,
1124 mapping_find(ike_sa_state_m, this->current_state->get_state(this->current_state)),
1125 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1126 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1127 logger->log(logger, CONTROL, " \"%s\": %s[%s]...%s[%s]",
1128 name,
1129 my_host->get_address(my_host),
1130 my_id ? my_id->get_string(my_id) : "(unknown)",
1131 other_host->get_address(other_host),
1132 other_id ? other_id->get_string(other_id) : "(unknown)");
1133
1134 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1135 while (iterator->has_next(iterator))
1136 {
1137 iterator->current(iterator, (void**)&child_sa);
1138 child_sa->log_status(child_sa, logger, name);
1139 }
1140 iterator->destroy(iterator);
1141 }
1142
1143 /**
1144 * Implementation of public_ike_sa_t.delete.
1145 */
1146 static status_t delete_(private_ike_sa_t *this)
1147 {
1148 message_t *informational_request;
1149 delete_payload_t *delete_payload;
1150 u_int32_t timeout;
1151 delete_half_open_ike_sa_job_t *job;
1152 state_t *old_state;
1153
1154 if (get_state(this) != IKE_SA_ESTABLISHED)
1155 {
1156 return INVALID_STATE;
1157 }
1158
1159 build_message(this, INFORMATIONAL, TRUE, &informational_request);
1160 /* delete for the full IKE_SA, this deletes all child_sa's implicit */
1161 delete_payload = delete_payload_create(PROTO_IKE);
1162
1163 informational_request->add_payload(informational_request, (payload_t*)delete_payload);
1164
1165 if (send_request(this, informational_request) != SUCCESS)
1166 {
1167 /* send failed, but we ignore this, SA will get deleted anyway later */
1168 informational_request->destroy(informational_request);
1169 }
1170
1171 /* transit to state delete_ike_sa_requested */
1172 old_state = this->current_state;
1173 set_new_state(this, (state_t*)delete_ike_sa_requested_create(&this->protected));
1174 old_state->destroy(old_state);
1175
1176 /* there is no guarantee that the other peer will acknowledge the delete,
1177 * so we have to set a timeout where we destroy the SA... This is done with
1178 * the delete_half_open_ike_sa_job as used in IKE SA setup.
1179 */
1180 timeout = charon->configuration->get_half_open_ike_sa_timeout(charon->configuration);
1181 job = delete_half_open_ike_sa_job_create(this->ike_sa_id);
1182 charon->event_queue->add_relative(charon->event_queue, (job_t*)job, timeout);
1183 return SUCCESS;
1184 }
1185
1186 /**
1187 * Implementation of protected_ike_sa_t.destroy.
1188 */
1189 static void destroy(private_ike_sa_t *this)
1190 {
1191 child_sa_t *child_sa;
1192
1193 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
1194 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1195 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
1196 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
1197
1198 if (get_state(this) == IKE_SA_ESTABLISHED)
1199 {
1200 this->logger->log(this->logger, ERROR, "Destroying an established IKE SA without knowledge from remote peer!");
1201 }
1202
1203 while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
1204 {
1205 child_sa->destroy(child_sa);
1206 }
1207 this->child_sas->destroy(this->child_sas);
1208
1209 if (this->crypter_initiator)
1210 {
1211 this->crypter_initiator->destroy(this->crypter_initiator);
1212 }
1213 if (this->crypter_responder)
1214 {
1215 this->crypter_responder->destroy(this->crypter_responder);
1216 }
1217 if (this->signer_initiator)
1218 {
1219 this->signer_initiator->destroy(this->signer_initiator);
1220 }
1221 if (this->signer_responder)
1222 {
1223 this->signer_responder->destroy(this->signer_responder);
1224 }
1225 if (this->prf)
1226 {
1227 this->prf->destroy(this->prf);
1228 }
1229 if (this->child_prf)
1230 {
1231 this->child_prf->destroy(this->child_prf);
1232 }
1233 if (this->prf_auth_i)
1234 {
1235 this->prf_auth_i->destroy(this->prf_auth_i);
1236 }
1237 if (this->prf_auth_r)
1238 {
1239 this->prf_auth_r->destroy(this->prf_auth_r);
1240 }
1241 if (this->connection)
1242 {
1243 host_t *my_host, *other_host;
1244 identification_t *my_id = NULL, *other_id = NULL;
1245 my_host = this->connection->get_my_host(this->connection);
1246 other_host = this->connection->get_other_host(this->connection);
1247 if (this->policy)
1248 {
1249 my_id = this->policy->get_my_id(this->policy);
1250 other_id = this->policy->get_other_id(this->policy);
1251 }
1252
1253 this->logger->log(this->logger, AUDIT, "IKE_SA deleted between %s[%s]...%s[%s]",
1254 my_host->get_address(my_host),
1255 my_id ? my_id->get_string(my_id) : "(unknown)",
1256 other_host->get_address(other_host),
1257 other_id ? other_id->get_string(other_id) : "(unknown)");
1258 this->connection->destroy(this->connection);
1259 }
1260 if (this->policy)
1261 {
1262 this->policy->destroy(this->policy);
1263 }
1264 if (this->last_requested_message)
1265 {
1266 this->last_requested_message->destroy(this->last_requested_message);
1267 }
1268 if (this->last_responded_message)
1269 {
1270 this->last_responded_message->destroy(this->last_responded_message);
1271 }
1272 this->ike_sa_id->destroy(this->ike_sa_id);
1273 this->randomizer->destroy(this->randomizer);
1274 this->current_state->destroy(this->current_state);
1275 free(this);
1276 }
1277
1278 /*
1279 * Described in header.
1280 */
1281 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1282 {
1283 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
1284
1285 /* Public functions */
1286 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1287 this->protected.public.initiate_connection = (status_t(*)(ike_sa_t*,connection_t*)) initiate_connection;
1288 this->protected.public.delete_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) delete_child_sa;
1289 this->protected.public.rekey_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) rekey_child_sa;
1290 this->protected.public.get_child_sa = (child_sa_t*(*)(ike_sa_t*,u_int32_t))get_child_sa;
1291 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1292 this->protected.public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
1293 this->protected.public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
1294 this->protected.public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
1295 this->protected.public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
1296 this->protected.public.get_connection = (connection_t*(*)(ike_sa_t*)) get_connection;
1297 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1298 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1299 this->protected.public.log_status = (void (*) (ike_sa_t*,logger_t*,char*))log_status;
1300 this->protected.public.delete = (status_t(*)(ike_sa_t*))delete_;
1301 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1302
1303 /* protected functions */
1304 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t,bool,message_t**)) build_message;
1305 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1306 this->protected.get_child_prf = (prf_t *(*) (protected_ike_sa_t *)) get_child_prf;
1307 this->protected.get_prf_auth_i = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_i;
1308 this->protected.get_prf_auth_r = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_r;
1309 this->protected.add_child_sa = (void (*) (protected_ike_sa_t*,child_sa_t*)) add_child_sa;
1310 this->protected.set_connection = (void (*) (protected_ike_sa_t *,connection_t *)) set_connection;
1311 this->protected.get_connection = (connection_t *(*) (protected_ike_sa_t *)) get_connection;
1312 this->protected.set_policy = (void (*) (protected_ike_sa_t *,policy_t *)) set_policy;
1313 this->protected.get_policy = (policy_t *(*) (protected_ike_sa_t *)) get_policy;
1314 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1315 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1316 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1317 this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify;
1318 this->protected.build_transforms = (status_t (*) (protected_ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t)) build_transforms;
1319 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1320 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1321 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1322 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1323 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1324 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1325 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *)) get_last_responded_message;
1326 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *)) get_last_requested_message;
1327 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1328 this->protected.destroy_child_sa = (u_int32_t (*)(protected_ike_sa_t*,u_int32_t))destroy_child_sa;
1329 this->protected.get_child_sa = (child_sa_t* (*)(protected_ike_sa_t*,u_int32_t))get_child_sa_by_spi;
1330
1331 /* initialize private fields */
1332 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
1333
1334 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1335 this->child_sas = linked_list_create();
1336 this->randomizer = randomizer_create();
1337
1338 this->last_requested_message = NULL;
1339 this->last_responded_message = NULL;
1340 this->message_id_out = 0;
1341 this->message_id_in = 0;
1342 this->last_replied_message_id = -1;
1343 this->crypter_initiator = NULL;
1344 this->crypter_responder = NULL;
1345 this->signer_initiator = NULL;
1346 this->signer_responder = NULL;
1347 this->prf = NULL;
1348 this->prf_auth_i = NULL;
1349 this->prf_auth_r = NULL;
1350 this->child_prf = NULL;
1351 this->connection = NULL;
1352 this->policy = NULL;
1353
1354 /* at creation time, IKE_SA is in a initiator state */
1355 if (ike_sa_id->is_initiator(ike_sa_id))
1356 {
1357 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
1358 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1359 }
1360 else
1361 {
1362 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
1363 this->current_state = (state_t *) responder_init_create(&(this->protected));
1364 }
1365 return &(this->protected.public);
1366 }