implemented clean spi allocation behavior when using multiple proposals
[strongswan.git] / src / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22 #include <string.h>
23
24 #include "ike_sa.h"
25
26 #include <types.h>
27 #include <daemon.h>
28 #include <definitions.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <crypto/diffie_hellman.h>
33 #include <crypto/prf_plus.h>
34 #include <crypto/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/delete_payload.h>
39 #include <encoding/payloads/transform_substructure.h>
40 #include <encoding/payloads/transform_attribute.h>
41 #include <encoding/payloads/ts_payload.h>
42 #include <sa/states/initiator_init.h>
43 #include <sa/states/responder_init.h>
44 #include <sa/states/create_child_sa_requested.h>
45 #include <sa/states/delete_child_sa_requested.h>
46 #include <sa/states/delete_ike_sa_requested.h>
47 #include <queues/jobs/retransmit_request_job.h>
48 #include <queues/jobs/delete_established_ike_sa_job.h>
49 #include <queues/jobs/delete_half_open_ike_sa_job.h>
50
51
52
53
54 typedef struct private_ike_sa_t private_ike_sa_t;
55
56 /**
57 * Private data of an ike_sa_t object.
58 */
59 struct private_ike_sa_t {
60
61 /**
62 * Protected part of a ike_sa_t object.
63 */
64 protected_ike_sa_t protected;
65
66 /**
67 * Identifier for the current IKE_SA.
68 */
69 ike_sa_id_t *ike_sa_id;
70
71 /**
72 * Linked List containing the child sa's of the current IKE_SA.
73 */
74 linked_list_t *child_sas;
75
76 /**
77 * Current state of the IKE_SA represented as state_t object.
78 *
79 * A state object representates one of the following states and is processing
80 * messages in the specific state:
81 * - INITIATOR_INIT
82 * - RESPONDER_INIT
83 * - IKE_SA_INIT_REQUESTED
84 * - IKE_SA_INIT_RESPONDED
85 * - IKE_AUTH_REQUESTED
86 * -IKE_SA_ESTABLISHED
87 */
88 state_t *current_state;
89
90 /**
91 * Connection definition used for this IKE_SA
92 */
93 connection_t *connection;
94
95 /**
96 * Policy definition used for this IKE_SA
97 */
98 policy_t *policy;
99
100 /**
101 * This SA's source for random data.
102 *
103 * Is available in every state.
104 */
105 randomizer_t *randomizer;
106
107 /**
108 * The last responded message.
109 */
110 message_t *last_responded_message;
111
112 /**
113 * The ast requested message.
114 */
115 message_t *last_requested_message;
116
117 /**
118 * Crypter object for initiator.
119 */
120 crypter_t *crypter_initiator;
121
122 /**
123 * Crypter object for responder.
124 */
125 crypter_t *crypter_responder;
126
127 /**
128 * Signer object for initiator.
129 */
130 signer_t *signer_initiator;
131
132 /**
133 * Signer object for responder.
134 */
135 signer_t *signer_responder;
136
137 /**
138 * Multi purpose prf, set key, use it, forget it
139 */
140 prf_t *prf;
141
142 /**
143 * Prf function for derivating keymat child SAs
144 */
145 prf_t *child_prf;
146
147 /**
148 * PRF, with key set to pi_key, used for authentication
149 */
150 prf_t *prf_auth_i;
151
152 /**
153 * PRF, with key set to pr_key, used for authentication
154 */
155 prf_t *prf_auth_r;
156
157 /**
158 * Next message id to receive.
159 */
160 u_int32_t message_id_in;
161
162 /**
163 * Next message id to send.
164 */
165 u_int32_t message_id_out;
166
167 /**
168 * Last reply id which was successfully received.
169 */
170 int32_t last_replied_message_id;
171
172 /**
173 * A logger for this IKE_SA.
174 */
175 logger_t *logger;
176 };
177
178 /**
179 * Implementation of protected_ike_sa_t.build_message.
180 */
181 static void build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
182 {
183 message_t *new_message;
184 host_t *me, *other;
185
186 me = this->connection->get_my_host(this->connection);
187 other = this->connection->get_other_host(this->connection);
188
189 this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
190 new_message = message_create();
191 new_message->set_source(new_message, me->clone(me));
192 new_message->set_destination(new_message, other->clone(other));
193 new_message->set_exchange_type(new_message, type);
194 new_message->set_request(new_message, request);
195 new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
196 new_message->set_ike_sa_id(new_message, this->ike_sa_id);
197
198 *message = new_message;
199 }
200
201 /**
202 * Implementation of ike_sa_t.get_state.
203 */
204 static ike_sa_state_t get_state(private_ike_sa_t *this)
205 {
206 return this->current_state->get_state(this->current_state);
207 }
208
209 /**
210 * Implementation of protected_ike_sa_t.set_new_state.
211 */
212 static void set_new_state(private_ike_sa_t *this, state_t *state)
213 {
214 this->logger->log(this->logger, CONTROL, "statechange: %s => %s",
215 mapping_find(ike_sa_state_m, get_state(this)),
216 mapping_find(ike_sa_state_m, state->get_state(state)));
217 this->current_state = state;
218 }
219
220 /**
221 * Implementation of protected_ike_sa_t.get_connection.
222 */
223 static connection_t *get_connection(private_ike_sa_t *this)
224 {
225 return this->connection;
226 }
227
228 /**
229 * Implementation of protected_ike_sa_t.set_connection.
230 */
231 static void set_connection(private_ike_sa_t *this,connection_t * connection)
232 {
233 this->connection = connection;
234 }
235
236 /**
237 * Implementation of protected_ike_sa_t.get_policy.
238 */
239 static policy_t *get_policy(private_ike_sa_t *this)
240 {
241 return this->policy;
242 }
243
244 /**
245 * Implementation of protected_ike_sa_t.set_policy.
246 */
247 static void set_policy(private_ike_sa_t *this,policy_t * policy)
248 {
249 this->policy = policy;
250 }
251
252 /**
253 * Implementation of protected_ike_sa_t.get_prf.
254 */
255 static prf_t *get_prf(private_ike_sa_t *this)
256 {
257 return this->prf;
258 }
259
260 /**
261 * Implementation of protected_ike_sa_t.get_prf.
262 */
263 static prf_t *get_child_prf(private_ike_sa_t *this)
264 {
265 return this->child_prf;
266 }
267
268 /**
269 * Implementation of protected_ike_sa_t.get_prf_auth_i.
270 */
271 static prf_t *get_prf_auth_i(private_ike_sa_t *this)
272 {
273 return this->prf_auth_i;
274 }
275
276 /**
277 * Implementation of protected_ike_sa_t.get_prf_auth_r.
278 */
279 static prf_t *get_prf_auth_r(private_ike_sa_t *this)
280 {
281 return this->prf_auth_r;
282 }
283 /**
284 * Implementation of ike_sa_t.get_id.
285 */
286 static ike_sa_id_t* get_id(private_ike_sa_t *this)
287 {
288 return this->ike_sa_id;
289 }
290
291 /**
292 * Implementation of ike_sa_t.get_my_host.
293 */
294 static host_t* get_my_host(private_ike_sa_t *this)
295 {
296 return this->connection->get_my_host(this->connection);;
297 }
298
299 /**
300 * Implementation of ike_sa_t.get_other_host.
301 */
302 static host_t* get_other_host(private_ike_sa_t *this)
303 {
304 return this->connection->get_other_host(this->connection);;
305 }
306
307 /**
308 * Implementation of ike_sa_t.get_my_id.
309 */
310 static identification_t* get_my_id(private_ike_sa_t *this)
311 {
312 return this->policy->get_my_id(this->policy);;
313 }
314
315 /**
316 * Implementation of ike_sa_t.get_other_id.
317 */
318 static identification_t* get_other_id(private_ike_sa_t *this)
319 {
320 return this->policy->get_other_id(this->policy);;
321 }
322
323 /**
324 * Implementation of ike_sa_t.retransmit_request.
325 */
326 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
327 {
328 packet_t *packet;
329
330 if (this->last_requested_message == NULL)
331 {
332 return NOT_FOUND;
333 }
334
335 if (message_id == this->last_replied_message_id)
336 {
337 return NOT_FOUND;
338 }
339
340 if ((this->last_requested_message->get_message_id(this->last_requested_message)) != message_id)
341 {
342 return NOT_FOUND;
343 }
344
345 this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit message with id %d",message_id);
346 packet = this->last_requested_message->get_packet(this->last_requested_message);
347 charon->send_queue->add(charon->send_queue, packet);
348
349 return SUCCESS;
350 }
351
352
353 /**
354 * Implementation of protected_ike_sa_t.build_transforms.
355 */
356 static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
357 {
358 chunk_t nonces, nonces_spis, skeyseed, key, secret;
359 u_int64_t spi_i, spi_r;
360 prf_plus_t *prf_plus;
361 algorithm_t *algo;
362 size_t key_size;
363
364 /*
365 * Build the PRF+ instance for deriving keys
366 */
367 if (this->prf != NULL)
368 {
369 this->prf->destroy(this->prf);
370 }
371 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
372 if (algo == NULL)
373 {
374 this->logger->log(this->logger, ERROR|LEVEL2, "No PRF algoithm selected!?");
375 return FAILED;
376 }
377 this->prf = prf_create(algo->algorithm);
378 if (this->prf == NULL)
379 {
380 this->logger->log(this->logger, ERROR|LEVEL1,
381 "PSEUDO_RANDOM_FUNCTION %s not supported!",
382 mapping_find(pseudo_random_function_m, algo->algorithm));
383 return FAILED;
384 }
385
386 /* concatenate nonces = nonce_i | nonce_r */
387 nonces = chunk_alloc(nonce_i.len + nonce_r.len);
388 memcpy(nonces.ptr, nonce_i.ptr, nonce_i.len);
389 memcpy(nonces.ptr + nonce_i.len, nonce_r.ptr, nonce_r.len);
390
391 /* concatenate prf_seed = nonce_i | nonce_r | spi_i | spi_r */
392 nonces_spis = chunk_alloc(nonces.len + 16);
393 memcpy(nonces_spis.ptr, nonces.ptr, nonces.len);
394 spi_i = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
395 spi_r = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
396 memcpy(nonces_spis.ptr + nonces.len, &spi_i, 8);
397 memcpy(nonces_spis.ptr + nonces.len + 8, &spi_r, 8);
398
399 /* SKEYSEED = prf(Ni | Nr, g^ir) */
400 dh->get_shared_secret(dh, &secret);
401 this->logger->log_chunk(this->logger, PRIVATE, "Shared Diffie Hellman secret", secret);
402 this->prf->set_key(this->prf, nonces);
403 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
404 this->logger->log_chunk(this->logger, PRIVATE | LEVEL1, "SKEYSEED", skeyseed);
405 chunk_free(&secret);
406
407 /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
408 * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
409 *
410 * we use the prf directly for prf+
411 */
412 this->prf->set_key(this->prf, skeyseed);
413 prf_plus = prf_plus_create(this->prf, nonces_spis);
414
415 /* clean up unused stuff */
416 chunk_free(&nonces);
417 chunk_free(&nonces_spis);
418 chunk_free(&skeyseed);
419
420
421 /*
422 * We now can derive all of our key. We build the transforms
423 * directly.
424 */
425
426
427 /* SK_d used for prf+ to derive keys for child SAs */
428 this->child_prf = prf_create(algo->algorithm);
429 key_size = this->child_prf->get_key_size(this->child_prf);
430 prf_plus->allocate_bytes(prf_plus, key_size, &key);
431 this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", key);
432 this->child_prf->set_key(this->child_prf, key);
433 chunk_free(&key);
434
435
436 /* SK_ai/SK_ar used for integrity protection */
437 proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo);
438 if (algo == NULL)
439 {
440 this->logger->log(this->logger, ERROR|LEVEL2, "No integrity algoithm selected?!");
441 return FAILED;
442 }
443 if (this->signer_initiator != NULL)
444 {
445 this->signer_initiator->destroy(this->signer_initiator);
446 }
447 if (this->signer_responder != NULL)
448 {
449 this->signer_responder->destroy(this->signer_responder);
450 }
451
452 this->signer_initiator = signer_create(algo->algorithm);
453 this->signer_responder = signer_create(algo->algorithm);
454 if (this->signer_initiator == NULL || this->signer_responder == NULL)
455 {
456 this->logger->log(this->logger, ERROR|LEVEL1,
457 "INTEGRITY_ALGORITHM %s not supported!",
458 mapping_find(integrity_algorithm_m,algo->algorithm));
459 return FAILED;
460 }
461 key_size = this->signer_initiator->get_key_size(this->signer_initiator);
462
463 prf_plus->allocate_bytes(prf_plus, key_size, &key);
464 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", key);
465 this->signer_initiator->set_key(this->signer_initiator, key);
466 chunk_free(&key);
467
468 prf_plus->allocate_bytes(prf_plus, key_size, &key);
469 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", key);
470 this->signer_responder->set_key(this->signer_responder, key);
471 chunk_free(&key);
472
473
474 /* SK_ei/SK_er used for encryption */
475 proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo);
476 if (algo == NULL)
477 {
478 this->logger->log(this->logger, ERROR|LEVEL2, "No encryption algoithm selected!?");
479 return FAILED;
480 }
481 if (this->crypter_initiator != NULL)
482 {
483 this->crypter_initiator->destroy(this->crypter_initiator);
484 }
485 if (this->crypter_responder != NULL)
486 {
487 this->crypter_responder->destroy(this->crypter_responder);
488 }
489
490 this->crypter_initiator = crypter_create(algo->algorithm, algo->key_size / 8);
491 this->crypter_responder = crypter_create(algo->algorithm, algo->key_size / 8);
492 if (this->crypter_initiator == NULL || this->crypter_responder == NULL)
493 {
494 this->logger->log(this->logger, ERROR|LEVEL1,
495 "ENCRYPTION_ALGORITHM %s (key size %d) not supported!",
496 mapping_find(encryption_algorithm_m, algo->algorithm),
497 algo->key_size);
498 return FAILED;
499 }
500 key_size = this->crypter_initiator->get_key_size(this->crypter_initiator);
501
502 prf_plus->allocate_bytes(prf_plus, key_size, &key);
503 this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", key);
504 this->crypter_initiator->set_key(this->crypter_initiator, key);
505 chunk_free(&key);
506
507 prf_plus->allocate_bytes(prf_plus, key_size, &key);
508 this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", key);
509 this->crypter_responder->set_key(this->crypter_responder, key);
510 chunk_free(&key);
511
512 /* SK_pi/SK_pr used for authentication */
513 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
514 if (this->prf_auth_i != NULL)
515 {
516 this->prf_auth_i->destroy(this->prf_auth_i);
517 }
518 if (this->prf_auth_r != NULL)
519 {
520 this->prf_auth_r->destroy(this->prf_auth_r);
521 }
522
523 this->prf_auth_i = prf_create(algo->algorithm);
524 this->prf_auth_r = prf_create(algo->algorithm);
525
526 key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
527 prf_plus->allocate_bytes(prf_plus, key_size, &key);
528 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", key);
529 this->prf_auth_i->set_key(this->prf_auth_i, key);
530 chunk_free(&key);
531
532 prf_plus->allocate_bytes(prf_plus, key_size, &key);
533 this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", key);
534 this->prf_auth_r->set_key(this->prf_auth_r, key);
535 chunk_free(&key);
536
537 /* all done, prf_plus not needed anymore */
538 prf_plus->destroy(prf_plus);
539
540 return SUCCESS;
541 }
542
543 /**
544 * Implementation of protected_ike_sa_t.get_randomizer.
545 */
546 static randomizer_t *get_randomizer(private_ike_sa_t *this)
547 {
548 return this->randomizer;
549 }
550
551 /**
552 * Implementation of protected_ike_sa_t.get_crypter_initiator.
553 */
554 static crypter_t *get_crypter_initiator(private_ike_sa_t *this)
555 {
556 return this->crypter_initiator;
557 }
558
559 /**
560 * Implementation of protected_ike_sa_t.get_signer_initiator.
561 */
562 static signer_t *get_signer_initiator(private_ike_sa_t *this)
563 {
564 return this->signer_initiator;
565 }
566
567 /**
568 * Implementation of protected_ike_sa_t.get_crypter_responder.
569 */
570 static crypter_t *get_crypter_responder(private_ike_sa_t *this)
571 {
572 return this->crypter_responder;
573 }
574
575 /**
576 * Implementation of protected_ike_sa_t.get_signer_responder.
577 */
578 static signer_t *get_signer_responder(private_ike_sa_t *this)
579 {
580 return this->signer_responder;
581 }
582
583 /**
584 * Implementation of protected_ike_sa_t.send_request.
585 */
586 static status_t send_request(private_ike_sa_t *this, message_t *message)
587 {
588 retransmit_request_job_t *retransmit_job;
589 u_int32_t timeout;
590 crypter_t *crypter;
591 signer_t *signer;
592 packet_t *packet;
593 status_t status;
594
595 if (message->get_message_id(message) != this->message_id_out)
596 {
597 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
598 message->get_message_id(message),this->message_id_out);
599 return FAILED;
600 }
601
602 /* generate packet */
603 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
604
605 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
606 {
607 crypter = this->crypter_initiator;
608 signer = this->signer_initiator;
609 }
610 else
611 {
612 crypter = this->crypter_responder;
613 signer =this->signer_responder;
614 }
615
616 status = message->generate(message, crypter,signer, &packet);
617 if (status != SUCCESS)
618 {
619 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
620 return FAILED;
621 }
622
623 this->logger->log(this->logger, CONTROL|LEVEL3,
624 "Add request packet with message id %d to global send queue",
625 this->message_id_out);
626 charon->send_queue->add(charon->send_queue, packet);
627
628 /* replace last message for retransmit with current */
629 if (this->last_requested_message != NULL)
630 {
631 this->last_requested_message->destroy(this->last_requested_message);
632 }
633 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
634 this->last_requested_message = message;
635
636 /* schedule a job for retransmission */
637 status = charon->configuration->get_retransmit_timeout(charon->configuration, 0, &timeout);
638 if (status != SUCCESS)
639 {
640 this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
641 }
642 else
643 {
644 this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.", timeout);
645 retransmit_job = retransmit_request_job_create(this->message_id_out, this->ike_sa_id);
646 charon->event_queue->add_relative(charon->event_queue, (job_t *)retransmit_job, timeout);
647 }
648
649 /* message counter can now be increased */
650 this->logger->log(this->logger, CONTROL|LEVEL3,
651 "Increase message counter for outgoing messages from %d",
652 this->message_id_out);
653 this->message_id_out++;
654 return SUCCESS;
655 }
656
657 /**
658 * Implementation of protected_ike_sa_t.send_response.
659 */
660 static status_t send_response(private_ike_sa_t *this, message_t *message)
661 {
662 crypter_t *crypter;
663 signer_t *signer;
664 packet_t *packet;
665 status_t status;
666
667 if (message->get_message_id(message) != this->message_id_in)
668 {
669
670 this->logger->log(this->logger, ERROR, "Message could not be sent cause id (%d) was not as expected (%d)",
671 message->get_message_id(message),this->message_id_in);
672 return FAILED;
673 }
674
675 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
676 {
677 crypter = this->crypter_initiator;
678 signer = this->signer_initiator;
679 }
680 else
681 {
682 crypter = this->crypter_responder;
683 signer =this->signer_responder;
684 }
685
686 status = message->generate(message, crypter,signer, &packet);
687 if (status != SUCCESS)
688 {
689 this->logger->log(this->logger, ERROR, "Could not generate packet from message");
690 return FAILED;
691 }
692
693 this->logger->log(this->logger, CONTROL|LEVEL3,
694 "Add response packet with message id %d to global send queue",
695 this->message_id_in);
696 charon->send_queue->add(charon->send_queue, packet);
697
698 if (this->last_responded_message != NULL)
699 {
700 /* destroy message */
701 this->last_responded_message->destroy(this->last_responded_message);
702 }
703
704 this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last responded message with new one");
705 this->last_responded_message = message;
706
707 /* message counter can now be increased */
708 this->logger->log(this->logger, CONTROL|LEVEL3, "Increase message counter for incoming messages");
709 this->message_id_in++;
710
711 return SUCCESS;
712 }
713
714 /**
715 * Implementation of of private_responder_init_t.send_notify_reply.
716 */
717 static void send_notify(private_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data)
718 {
719 notify_payload_t *payload;
720 message_t *response;
721 packet_t *packet;
722 status_t status;
723
724 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to build message with notify payload");
725 /* set up the reply */
726 build_message(this, exchange_type, FALSE, &response);
727 payload = notify_payload_create_from_protocol_and_type(PROTO_IKE, type);
728 if ((data.ptr != NULL) && (data.len > 0))
729 {
730 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Data to notify payload");
731 payload->set_notification_data(payload,data);
732 }
733
734 this->logger->log(this->logger, CONTROL|LEVEL2, "Add Notify payload to message");
735 response->add_payload(response,(payload_t *) payload);
736
737 /* generate packet */
738 this->logger->log(this->logger, CONTROL|LEVEL2, "Generate packet from message");
739 status = response->generate(response, this->crypter_responder, this->signer_responder, &packet);
740 if (status != SUCCESS)
741 {
742 this->logger->log(this->logger, ERROR|LEVEL1, "Could not generate notify message");
743 response->destroy(response);
744 return;
745 }
746
747 this->logger->log(this->logger, CONTROL|LEVEL2, "Add packet to global send queue");
748 charon->send_queue->add(charon->send_queue, packet);
749 this->logger->log(this->logger, CONTROL|LEVEL2, "Destroy message");
750 response->destroy(response);
751 }
752
753 /**
754 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
755 */
756 static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t message_id)
757 {
758 this->last_replied_message_id = message_id;
759 }
760
761 /**
762 * Implementation of protected_ike_sa_t.get_last_responded_message.
763 */
764 static message_t *get_last_responded_message (private_ike_sa_t *this)
765 {
766 return this->last_responded_message;
767 }
768
769 /**
770 * Implementation of protected_ike_sa_t.get_last_requested_message.
771 */
772 static message_t *get_last_requested_message(private_ike_sa_t *this)
773 {
774 return this->last_requested_message;
775 }
776
777 /**
778 * Implementation of protected_ike_sa_t.add_child_sa.
779 */
780 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
781 {
782 this->child_sas->insert_last(this->child_sas, child_sa);
783 }
784
785 /**
786 * Implementation of ike_sa_t.process_message.
787 */
788 static status_t process_message(private_ike_sa_t *this, message_t *message)
789 {
790 u_int32_t message_id;
791 exchange_type_t exchange_type;
792 bool is_request;
793
794 /* Find out type of message (request or response) */
795 is_request = message->get_request(message);
796 exchange_type = message->get_exchange_type(message);
797
798 this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
799 (is_request) ? "request" : "response",
800 mapping_find(exchange_type_m, exchange_type));
801
802 message_id = message->get_message_id(message);
803
804 /* check if message already received, and retransmit its reply */
805 if (is_request && (message_id == (this->message_id_in - 1)))
806 {
807 /* resend last message, if any */
808 if (this->last_responded_message)
809 {
810 packet_t *packet = this->last_responded_message->get_packet(this->last_responded_message);
811 this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
812 charon->send_queue->add(charon->send_queue, packet);
813 return SUCCESS;
814 }
815 else
816 {
817 /* somebody does something nasty here... */
818 return FAILED;
819 }
820 }
821
822 /* Now, the message id is checked for request AND reply */
823 if (is_request)
824 {
825 /* In a request, the message has to be this->message_id_in (other case is already handled) */
826 if (message_id != this->message_id_in)
827 {
828 this->logger->log(this->logger, ERROR | LEVEL1,
829 "Message request with message id %d received, but %d expected",
830 message_id,this->message_id_in);
831 return FAILED;
832 }
833 }
834 else
835 {
836 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
837 if (message_id != (this->message_id_out - 1))
838 {
839 this->logger->log(this->logger, ERROR | LEVEL1,
840 "Message reply with message id %d received, but %d expected",
841 message_id,this->message_id_in);
842 return FAILED;
843 }
844 }
845
846 /* now the message is processed by the current state object.
847 * The specific state object is responsible to check if a message can be received in
848 * the state it represents.
849 * The current state is also responsible to change the state object to the next state
850 * by calling protected_ike_sa_t.set_new_state
851 */
852 return this->current_state->process_message(this->current_state, message);
853 }
854
855 /**
856 * Implementation of protected_ike_sa_t.initiate_connection.
857 */
858 static status_t initiate_connection(private_ike_sa_t *this, connection_t *connection)
859 {
860 initiator_init_t *current_state;
861
862 /* Work is done in state object of type INITIATOR_INIT. All other states are not
863 * initial states and so don't have a initiate_connection function */
864
865 if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
866 {
867 return FAILED;
868 }
869
870 current_state = (initiator_init_t *) this->current_state;
871
872 return current_state->initiate_connection(current_state, connection);
873 }
874
875 /**
876 * Implementation of ike_sa_t.get_child_sa.
877 */
878 static child_sa_t *get_child_sa(private_ike_sa_t *this, u_int32_t reqid)
879 {
880 iterator_t *iterator;
881 child_sa_t *current, *found = NULL;
882
883 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
884 while (iterator->has_next(iterator))
885 {
886 iterator->current(iterator, (void**)&current);
887 if (current->get_reqid(current) == reqid)
888 {
889 found = current;
890 break;
891 }
892 }
893 iterator->destroy(iterator);
894 return found;
895 }
896
897 /**
898 * Implementation of ike_sa_t.delete_child_sa.
899 */
900 static status_t delete_child_sa(private_ike_sa_t *this, u_int32_t reqid)
901 {
902 message_t *request;
903 child_sa_t *child_sa;
904 delete_payload_t *delete_payload;
905 state_t *old_state;
906
907 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
908 {
909 this->logger->log(this->logger, ERROR|LEVEL1,
910 "Delete of a CHILD_SA whose IKE_SA not in state IKE_SA_ESTABLISHED, aborting");
911 return FAILED;
912 }
913
914 child_sa = get_child_sa(this, reqid);
915 if (child_sa == NULL)
916 {
917 this->logger->log(this->logger, ERROR|LEVEL1,
918 "IKE_SA does not contain a CHILD_SA with reqid %d", reqid);
919 return FAILED;
920 }
921 build_message(this, INFORMATIONAL, TRUE, &request);
922 delete_payload = delete_payload_create(child_sa->get_protocol(child_sa));
923 delete_payload->add_spi(delete_payload, child_sa->get_spi(child_sa, FALSE));
924 request->add_payload(request, (payload_t*)delete_payload);
925
926 send_request(this, request);
927
928 old_state = this->current_state;
929 set_new_state(this, (state_t*)delete_child_sa_requested_create(&this->protected));
930 old_state->destroy(old_state);
931 return SUCCESS;
932 }
933
934 /**
935 * Implementation of protected_ike_sa_t.destroy_child_sa.
936 */
937 static u_int32_t destroy_child_sa(private_ike_sa_t *this, u_int32_t spi)
938 {
939 iterator_t *iterator;
940 child_sa_t *child_sa;
941
942 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
943 while (iterator->has_next(iterator))
944 {
945 iterator->current(iterator, (void**)&child_sa);
946 if (child_sa->get_spi(child_sa, TRUE) == spi)
947 {
948 iterator->remove(iterator);
949 break;
950 }
951 else
952 {
953 child_sa = NULL;
954 }
955 }
956 iterator->destroy(iterator);
957 if (child_sa == NULL)
958 {
959 this->logger->log(this->logger, ERROR,
960 "IKE_SA does not contain a CHILD_SA with spi 0x%x", spi);
961 return 0;
962 }
963
964 spi = child_sa->get_spi(child_sa, FALSE);
965 child_sa->destroy(child_sa);
966 return spi;
967 }
968
969 /**
970 * Implementation of protected_ike_sa_t.get_child_sa.
971 */
972 static child_sa_t* get_child_sa_by_spi(private_ike_sa_t *this, u_int32_t spi)
973 {
974 iterator_t *iterator;
975 child_sa_t *current, *found = NULL;
976
977 iterator = this->child_sas->create_iterator(this->child_sas, FALSE);
978 while (iterator->has_next(iterator))
979 {
980 iterator->current(iterator, (void**)&current);
981 if (current->get_spi(current, TRUE) == spi)
982 {
983 found = current;
984 }
985 }
986 iterator->destroy(iterator);
987 return found;
988 }
989
990 /**
991 * Implementation of ike_sa_t.rekey_child_sa.
992 */
993 static status_t rekey_child_sa(private_ike_sa_t *this, u_int32_t reqid)
994 {
995 message_t *request;
996 child_sa_t *child_sa;
997 notify_payload_t *notify;
998 sa_payload_t *sa_payload;
999 ts_payload_t *tsi_payload, *tsr_payload;
1000 nonce_payload_t *nonce_payload;
1001 linked_list_t *proposals;
1002 chunk_t nonce;
1003 linked_list_t *my_ts, *other_ts;
1004 state_t *old_state;
1005
1006 if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
1007 {
1008 this->logger->log(this->logger, ERROR|LEVEL1,
1009 "Rekeying of an CHILD_SA whose IKE_SA not in state IKE_SA_ESTABLISHED, aborting");
1010 return FAILED;
1011 }
1012
1013 child_sa = get_child_sa(this, reqid);
1014 if (child_sa == NULL)
1015 {
1016 this->logger->log(this->logger, ERROR|LEVEL1,
1017 "IKE_SA does not contain a CHILD_SA with reqid %d", reqid);
1018 return FAILED;
1019 }
1020
1021 build_message(this, CREATE_CHILD_SA, TRUE, &request);
1022 notify = notify_payload_create_from_protocol_and_type(
1023 child_sa->get_protocol(child_sa), REKEY_SA);
1024 notify->set_spi(notify, child_sa->get_spi(child_sa, FALSE));
1025 request->add_payload(request, (payload_t*)notify);
1026
1027 proposals = this->policy->get_proposals(this->policy);
1028 child_sa = child_sa_create(reqid,
1029 this->connection->get_my_host(this->connection),
1030 this->connection->get_other_host(this->connection),
1031 this->policy->get_soft_lifetime(this->policy),
1032 this->policy->get_hard_lifetime(this->policy));
1033 child_sa->alloc(child_sa, proposals);
1034 sa_payload = sa_payload_create_from_proposal_list(proposals);
1035 request->add_payload(request, (payload_t*)sa_payload);
1036
1037 nonce_payload = nonce_payload_create();
1038 if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
1039 NONCE_SIZE, &nonce))
1040 {
1041 request->destroy(request);
1042 return FAILED;
1043 }
1044 nonce_payload->set_nonce(nonce_payload, nonce);
1045 request->add_payload(request, (payload_t*)nonce_payload);
1046
1047 my_ts = this->policy->get_my_traffic_selectors(this->policy);
1048 other_ts = this->policy->get_other_traffic_selectors(this->policy);
1049 tsi_payload = ts_payload_create_from_traffic_selectors(TRUE, my_ts);
1050 tsr_payload = ts_payload_create_from_traffic_selectors(FALSE, other_ts);
1051 request->add_payload(request, (payload_t*)tsi_payload);
1052 request->add_payload(request, (payload_t*)tsr_payload);
1053
1054 send_request(this, request);
1055
1056 old_state = this->current_state;
1057 set_new_state(this, (state_t*)create_child_sa_requested_create(&this->protected, child_sa, nonce, reqid));
1058 old_state->destroy(old_state);
1059
1060 return SUCCESS;
1061 }
1062
1063 /**
1064 * Implementation of protected_ike_sa_t.reset_message_buffers.
1065 */
1066 static void reset_message_buffers(private_ike_sa_t *this)
1067 {
1068 this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
1069 /* destroy stored requested message */
1070 if (this->last_requested_message != NULL)
1071 {
1072 this->last_requested_message->destroy(this->last_requested_message);
1073 this->last_requested_message = NULL;
1074 }
1075
1076 /* destroy stored responded messages */
1077 if (this->last_responded_message != NULL)
1078 {
1079 this->last_responded_message->destroy(this->last_responded_message);
1080 this->last_responded_message = NULL;
1081 }
1082
1083 this->message_id_out = 0;
1084 this->message_id_in = 0;
1085 this->last_replied_message_id = -1;
1086 }
1087
1088 /**
1089 * Implementation of protected_ike_sa_t.log_status.
1090 */
1091 static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
1092 {
1093 iterator_t *iterator;
1094 child_sa_t *child_sa;
1095 host_t *my_host, *other_host;
1096 identification_t *my_id = NULL, *other_id = NULL;
1097
1098 /* only log if name == NULL or name == connection_name */
1099 if (name)
1100 {
1101 if (streq(this->connection->get_name(this->connection), name))
1102 {
1103 return;
1104 }
1105 }
1106 my_host = this->connection->get_my_host(this->connection);
1107 other_host = this->connection->get_other_host(this->connection);
1108
1109 /* use policy information, if available */
1110 if (this->policy)
1111 {
1112 my_id = this->policy->get_my_id(this->policy);
1113 other_id = this->policy->get_other_id(this->policy);
1114 name = this->policy->get_name(this->policy);
1115 }
1116 else
1117 {
1118 name = this->connection->get_name(this->connection);
1119 }
1120
1121 if (logger == NULL)
1122 {
1123 logger = this->logger;
1124 }
1125 logger->log(logger, CONTROL|LEVEL1, " \"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
1126 name,
1127 mapping_find(ike_sa_state_m, this->current_state->get_state(this->current_state)),
1128 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1129 this->ike_sa_id->get_responder_spi(this->ike_sa_id));
1130 logger->log(logger, CONTROL, " \"%s\": %s[%s]...%s[%s]",
1131 name,
1132 my_host->get_address(my_host),
1133 my_id ? my_id->get_string(my_id) : "(unknown)",
1134 other_host->get_address(other_host),
1135 other_id ? other_id->get_string(other_id) : "(unknown)");
1136
1137 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1138 while (iterator->has_next(iterator))
1139 {
1140 iterator->current(iterator, (void**)&child_sa);
1141 child_sa->log_status(child_sa, logger, name);
1142 }
1143 iterator->destroy(iterator);
1144 }
1145
1146 /**
1147 * Implementation of public_ike_sa_t.delete.
1148 */
1149 static status_t delete_(private_ike_sa_t *this)
1150 {
1151 message_t *informational_request;
1152 delete_payload_t *delete_payload;
1153 u_int32_t timeout;
1154 delete_half_open_ike_sa_job_t *job;
1155 state_t *old_state;
1156
1157 if (get_state(this) != IKE_SA_ESTABLISHED)
1158 {
1159 return INVALID_STATE;
1160 }
1161
1162 build_message(this, INFORMATIONAL, TRUE, &informational_request);
1163 /* delete for the full IKE_SA, this deletes all child_sa's implicit */
1164 delete_payload = delete_payload_create(PROTO_IKE);
1165
1166 informational_request->add_payload(informational_request, (payload_t*)delete_payload);
1167
1168 if (send_request(this, informational_request) != SUCCESS)
1169 {
1170 /* send failed, but we ignore this, SA will get deleted anyway later */
1171 informational_request->destroy(informational_request);
1172 }
1173
1174 /* transit to state delete_ike_sa_requested */
1175 old_state = this->current_state;
1176 set_new_state(this, (state_t*)delete_ike_sa_requested_create(&this->protected));
1177 old_state->destroy(old_state);
1178
1179 /* there is no guarantee that the other peer will acknowledge the delete,
1180 * so we have to set a timeout where we destroy the SA... This is done with
1181 * the delete_half_open_ike_sa_job as used in IKE SA setup.
1182 */
1183 timeout = charon->configuration->get_half_open_ike_sa_timeout(charon->configuration);
1184 job = delete_half_open_ike_sa_job_create(this->ike_sa_id);
1185 charon->event_queue->add_relative(charon->event_queue, (job_t*)job, timeout);
1186 return SUCCESS;
1187 }
1188
1189 /**
1190 * Implementation of protected_ike_sa_t.destroy.
1191 */
1192 static void destroy(private_ike_sa_t *this)
1193 {
1194 child_sa_t *child_sa;
1195
1196 this->logger->log(this->logger, CONTROL|LEVEL2, "Going to destroy IKE SA %llu:%llu, role %s",
1197 this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
1198 this->ike_sa_id->get_responder_spi(this->ike_sa_id),
1199 this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
1200
1201 if (get_state(this) == IKE_SA_ESTABLISHED)
1202 {
1203 this->logger->log(this->logger, ERROR, "Destroying an established IKE SA without knowledge from remote peer!");
1204 }
1205
1206 while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
1207 {
1208 child_sa->destroy(child_sa);
1209 }
1210 this->child_sas->destroy(this->child_sas);
1211
1212 if (this->crypter_initiator)
1213 {
1214 this->crypter_initiator->destroy(this->crypter_initiator);
1215 }
1216 if (this->crypter_responder)
1217 {
1218 this->crypter_responder->destroy(this->crypter_responder);
1219 }
1220 if (this->signer_initiator)
1221 {
1222 this->signer_initiator->destroy(this->signer_initiator);
1223 }
1224 if (this->signer_responder)
1225 {
1226 this->signer_responder->destroy(this->signer_responder);
1227 }
1228 if (this->prf)
1229 {
1230 this->prf->destroy(this->prf);
1231 }
1232 if (this->child_prf)
1233 {
1234 this->child_prf->destroy(this->child_prf);
1235 }
1236 if (this->prf_auth_i)
1237 {
1238 this->prf_auth_i->destroy(this->prf_auth_i);
1239 }
1240 if (this->prf_auth_r)
1241 {
1242 this->prf_auth_r->destroy(this->prf_auth_r);
1243 }
1244 if (this->connection)
1245 {
1246 host_t *my_host, *other_host;
1247 identification_t *my_id = NULL, *other_id = NULL;
1248 my_host = this->connection->get_my_host(this->connection);
1249 other_host = this->connection->get_other_host(this->connection);
1250 if (this->policy)
1251 {
1252 my_id = this->policy->get_my_id(this->policy);
1253 other_id = this->policy->get_other_id(this->policy);
1254 }
1255
1256 this->logger->log(this->logger, AUDIT, "IKE_SA deleted between %s[%s]...%s[%s]",
1257 my_host->get_address(my_host),
1258 my_id ? my_id->get_string(my_id) : "(unknown)",
1259 other_host->get_address(other_host),
1260 other_id ? other_id->get_string(other_id) : "(unknown)");
1261 this->connection->destroy(this->connection);
1262 }
1263 if (this->policy)
1264 {
1265 this->policy->destroy(this->policy);
1266 }
1267 if (this->last_requested_message)
1268 {
1269 this->last_requested_message->destroy(this->last_requested_message);
1270 }
1271 if (this->last_responded_message)
1272 {
1273 this->last_responded_message->destroy(this->last_responded_message);
1274 }
1275 this->ike_sa_id->destroy(this->ike_sa_id);
1276 this->randomizer->destroy(this->randomizer);
1277 this->current_state->destroy(this->current_state);
1278 free(this);
1279 }
1280
1281 /*
1282 * Described in header.
1283 */
1284 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1285 {
1286 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
1287
1288 /* Public functions */
1289 this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1290 this->protected.public.initiate_connection = (status_t(*)(ike_sa_t*,connection_t*)) initiate_connection;
1291 this->protected.public.delete_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) delete_child_sa;
1292 this->protected.public.rekey_child_sa = (status_t(*)(ike_sa_t*,u_int32_t)) rekey_child_sa;
1293 this->protected.public.get_child_sa = (child_sa_t*(*)(ike_sa_t*,u_int32_t))get_child_sa;
1294 this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1295 this->protected.public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
1296 this->protected.public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
1297 this->protected.public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
1298 this->protected.public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
1299 this->protected.public.get_connection = (connection_t*(*)(ike_sa_t*)) get_connection;
1300 this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
1301 this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
1302 this->protected.public.log_status = (void (*) (ike_sa_t*,logger_t*,char*))log_status;
1303 this->protected.public.delete = (status_t(*)(ike_sa_t*))delete_;
1304 this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
1305
1306 /* protected functions */
1307 this->protected.build_message = (void (*) (protected_ike_sa_t *, exchange_type_t,bool,message_t**)) build_message;
1308 this->protected.get_prf = (prf_t *(*) (protected_ike_sa_t *)) get_prf;
1309 this->protected.get_child_prf = (prf_t *(*) (protected_ike_sa_t *)) get_child_prf;
1310 this->protected.get_prf_auth_i = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_i;
1311 this->protected.get_prf_auth_r = (prf_t *(*) (protected_ike_sa_t *)) get_prf_auth_r;
1312 this->protected.add_child_sa = (void (*) (protected_ike_sa_t*,child_sa_t*)) add_child_sa;
1313 this->protected.set_connection = (void (*) (protected_ike_sa_t *,connection_t *)) set_connection;
1314 this->protected.get_connection = (connection_t *(*) (protected_ike_sa_t *)) get_connection;
1315 this->protected.set_policy = (void (*) (protected_ike_sa_t *,policy_t *)) set_policy;
1316 this->protected.get_policy = (policy_t *(*) (protected_ike_sa_t *)) get_policy;
1317 this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
1318 this->protected.send_request = (status_t (*) (protected_ike_sa_t *,message_t *)) send_request;
1319 this->protected.send_response = (status_t (*) (protected_ike_sa_t *,message_t *)) send_response;
1320 this->protected.send_notify = (void (*)(protected_ike_sa_t*,exchange_type_t,notify_message_type_t,chunk_t)) send_notify;
1321 this->protected.build_transforms = (status_t (*) (protected_ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t)) build_transforms;
1322 this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
1323 this->protected.get_crypter_initiator = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_initiator;
1324 this->protected.get_signer_initiator = (signer_t *(*) (protected_ike_sa_t *)) get_signer_initiator;
1325 this->protected.get_crypter_responder = (crypter_t *(*) (protected_ike_sa_t *)) get_crypter_responder;
1326 this->protected.get_signer_responder = (signer_t *(*) (protected_ike_sa_t *)) get_signer_responder;
1327 this->protected.reset_message_buffers = (void (*) (protected_ike_sa_t *)) reset_message_buffers;
1328 this->protected.get_last_responded_message = (message_t * (*) (protected_ike_sa_t *)) get_last_responded_message;
1329 this->protected.get_last_requested_message = (message_t * (*) (protected_ike_sa_t *)) get_last_requested_message;
1330 this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
1331 this->protected.destroy_child_sa = (u_int32_t (*)(protected_ike_sa_t*,u_int32_t))destroy_child_sa;
1332 this->protected.get_child_sa = (child_sa_t* (*)(protected_ike_sa_t*,u_int32_t))get_child_sa_by_spi;
1333
1334 /* initialize private fields */
1335 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
1336
1337 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1338 this->child_sas = linked_list_create();
1339 this->randomizer = randomizer_create();
1340
1341 this->last_requested_message = NULL;
1342 this->last_responded_message = NULL;
1343 this->message_id_out = 0;
1344 this->message_id_in = 0;
1345 this->last_replied_message_id = -1;
1346 this->crypter_initiator = NULL;
1347 this->crypter_responder = NULL;
1348 this->signer_initiator = NULL;
1349 this->signer_responder = NULL;
1350 this->prf = NULL;
1351 this->prf_auth_i = NULL;
1352 this->prf_auth_r = NULL;
1353 this->child_prf = NULL;
1354 this->connection = NULL;
1355 this->policy = NULL;
1356
1357 /* at creation time, IKE_SA is in a initiator state */
1358 if (ike_sa_id->is_initiator(ike_sa_id))
1359 {
1360 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type INITIATOR_INIT");
1361 this->current_state = (state_t *) initiator_init_create(&(this->protected));
1362 }
1363 else
1364 {
1365 this->logger->log(this->logger, CONTROL | LEVEL2, "Create first state_t object of type RESPONDER_INIT");
1366 this->current_state = (state_t *) responder_init_create(&(this->protected));
1367 }
1368 return &(this->protected.public);
1369 }