support of cert payloads
[strongswan.git] / src / charon / sa / states / ike_auth_requested.c
1 /**
2 * @file ike_auth_requested.c
3 *
4 * @brief Implementation of ike_auth_requested_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <string.h>
25
26 #include "ike_auth_requested.h"
27
28 #include <daemon.h>
29 #include <encoding/payloads/ts_payload.h>
30 #include <encoding/payloads/sa_payload.h>
31 #include <encoding/payloads/id_payload.h>
32 #include <encoding/payloads/cert_payload.h>
33 #include <encoding/payloads/auth_payload.h>
34 #include <encoding/payloads/notify_payload.h>
35 #include <crypto/signers/signer.h>
36 #include <crypto/crypters/crypter.h>
37 #include <sa/states/ike_sa_established.h>
38 #include <sa/authenticator.h>
39 #include <sa/child_sa.h>
40
41 typedef struct private_ike_auth_requested_t private_ike_auth_requested_t;
42
43 /**
44 * Private data of a ike_auth_requested_t object.
45 *
46 */
47 struct private_ike_auth_requested_t {
48 /**
49 * Public interface of ike_auth_requested_t.
50 */
51 ike_auth_requested_t public;
52
53 /**
54 * Assigned IKE_SA.
55 */
56 protected_ike_sa_t *ike_sa;
57
58 /**
59 * SA config, just a copy of the one stored in the ike_sa.
60 */
61 policy_t *policy;
62
63 /**
64 * Received nonce from responder.
65 */
66 chunk_t received_nonce;
67
68 /**
69 * Sent nonce in IKE_SA_INIT request.
70 */
71 chunk_t sent_nonce;
72
73 /**
74 * IKE_SA_INIT-Request in binary form.
75 */
76 chunk_t ike_sa_init_reply_data;
77
78 /**
79 * Proposal to setup CHILD_SA
80 */
81 proposal_t *proposal;
82
83 /**
84 * Traffic selectors applicable at our site
85 */
86 linked_list_t *my_ts;
87
88 /**
89 * Traffic selectors applicable at remote site
90 */
91 linked_list_t *other_ts;
92
93 /**
94 * Child sa created in ike_sa_init_requested
95 */
96 child_sa_t *child_sa;
97
98 /**
99 * Assigned Logger.
100 *
101 * Is logger of ike_sa!
102 */
103 logger_t *logger;
104
105 /**
106 * Process the IDr payload (check if other id is valid)
107 *
108 * @param this calling object
109 * @param idr_payload ID payload of responder
110 * @return
111 * - SUCCESS
112 * - DESTROY_ME
113 */
114 status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
115
116 /**
117 * Process received CERT payload
118 *
119 * @param this calling object
120 * @param cert_payload payload to process
121 * @return
122 * - DESTROY_ME if IKE_SA should be deleted
123 * - SUCCSS if processed successful
124 */
125 status_t (*process_cert_payload) (private_ike_auth_requested_t *this, cert_payload_t *cert_payload);
126
127 /**
128 * Process the SA payload (check if selected proposals are valid, setup child sa)
129 *
130 * @param this calling object
131 * @param sa_payload SA payload of responder
132 *
133 * - SUCCESS
134 * - DESTROY_ME
135 */
136 status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
137
138 /**
139 * Process the AUTH payload (check authenticity of message)
140 *
141 * @param this calling object
142 * @param auth_payload AUTH payload of responder
143 * @param other_id_payload ID payload of responder
144 *
145 * - SUCCESS
146 * - DESTROY_ME
147 */
148 status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
149
150 /**
151 * Process the TS payload (check if selected traffic selectors are valid)
152 *
153 * @param this calling object
154 * @param ts_initiator TRUE if TS payload is TSi, FALSE for TSr
155 * @param ts_payload TS payload of responder
156 *
157 * - SUCCESS
158 * - DESTROY_ME
159 */
160 status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
161
162 /**
163 * Process a notify payload
164 *
165 * @param this calling object
166 * @param notify_payload notify payload
167 *
168 * - SUCCESS
169 * - FAILED
170 * - DESTROY_ME
171 */
172 status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload);
173
174 /**
175 * Destroy function called internally of this class after state change to
176 * state IKE_SA_ESTABLISHED succeeded.
177 *
178 * This destroy function does not destroy objects which were passed to the new state.
179 *
180 * @param this calling object
181 */
182 void (*destroy_after_state_change) (private_ike_auth_requested_t *this);
183 };
184
185
186 /**
187 * Implements state_t.process_message
188 */
189 static status_t process_message(private_ike_auth_requested_t *this, message_t *ike_auth_reply)
190 {
191 ts_payload_t *tsi_payload = NULL;
192 ts_payload_t *tsr_payload = NULL;
193 id_payload_t *idr_payload = NULL;
194 cert_payload_t *cert_payload = NULL;
195 auth_payload_t *auth_payload = NULL;
196 sa_payload_t *sa_payload = NULL;
197 iterator_t *payloads = NULL;
198 crypter_t *crypter = NULL;
199 signer_t *signer = NULL;
200 status_t status;
201 host_t *my_host, *other_host;
202 identification_t *my_id, *other_id;
203 chunk_t seed;
204 prf_plus_t *prf_plus;
205 connection_t *connection;
206 policy_t *policy;
207
208 if (ike_auth_reply->get_exchange_type(ike_auth_reply) != IKE_AUTH)
209 {
210 this->logger->log(this->logger, ERROR | LEVEL1, "message of type %s not supported in state ike_auth_requested",
211 mapping_find(exchange_type_m,ike_auth_reply->get_exchange_type(ike_auth_reply)));
212 return FAILED;
213 }
214
215 if (ike_auth_reply->get_request(ike_auth_reply))
216 {
217 this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH requests not allowed state ike_sa_init_responded");
218 return FAILED;
219 }
220
221 /* get signer for verification and crypter for decryption */
222 signer = this->ike_sa->get_signer_responder(this->ike_sa);
223 crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
224
225 /* parse incoming message */
226 status = ike_auth_reply->parse_body(ike_auth_reply, crypter, signer);
227 if (status != SUCCESS)
228 {
229 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply decryption failed. Ignoring message");
230 return status;
231 }
232
233 this->policy = this->ike_sa->get_policy(this->ike_sa);
234
235 /* we collect all payloads, which are processed later. Notify's are processed
236 * in place, since we don't know how may are there.
237 */
238 payloads = ike_auth_reply->get_payload_iterator(ike_auth_reply);
239 while (payloads->has_next(payloads))
240 {
241 payload_t *payload;
242 payloads->current(payloads, (void**)&payload);
243
244 switch (payload->get_type(payload))
245 {
246 case AUTHENTICATION:
247 auth_payload = (auth_payload_t*)payload;
248 break;
249 case CERTIFICATE:
250 cert_payload = (cert_payload_t*)payload;
251 status = this->process_cert_payload(this, cert_payload);
252 if (status != SUCCESS)
253 {
254 payloads->destroy(payloads);
255 return status;
256
257 }
258 break;
259 case ID_RESPONDER:
260 idr_payload = (id_payload_t*)payload;
261 break;
262 case SECURITY_ASSOCIATION:
263 sa_payload = (sa_payload_t*)payload;
264 break;
265 case TRAFFIC_SELECTOR_INITIATOR:
266 tsi_payload = (ts_payload_t*)payload;
267 break;
268 case TRAFFIC_SELECTOR_RESPONDER:
269 tsr_payload = (ts_payload_t*)payload;
270 break;
271 case NOTIFY:
272 {
273 notify_payload_t *notify_payload = (notify_payload_t *) payload;
274
275 /* handle the notify directly, abort if no further processing required */
276 status = this->process_notify_payload(this, notify_payload);
277 if (status != SUCCESS)
278 {
279 payloads->destroy(payloads);
280 return status;
281 }
282 }
283 default:
284 this->logger->log(this->logger, ERROR|LEVEL1, "ignoring Payload %s (%d)",
285 mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
286 break;
287 }
288 }
289 /* iterator can be destroyed */
290 payloads->destroy(payloads);
291
292 /* check if we have all payloads */
293 if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload))
294 {
295 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
296 return DESTROY_ME;
297 }
298
299 status = this->ike_sa->update_connection_hosts(this->ike_sa,
300 ike_auth_reply->get_destination(ike_auth_reply),
301 ike_auth_reply->get_source(ike_auth_reply));
302 if (status != SUCCESS)
303 return status;
304
305 /* process all payloads */
306 status = this->process_idr_payload(this, idr_payload);
307 if (status != SUCCESS)
308 return status;
309
310 status = this->process_auth_payload(this, auth_payload,idr_payload);
311 if (status != SUCCESS)
312 return status;
313
314 status = this->process_sa_payload(this, sa_payload);
315 if (status != SUCCESS)
316 return status;
317
318 status = this->process_ts_payload(this, TRUE, tsi_payload);
319 if (status != SUCCESS)
320 return status;
321
322 status = this->process_ts_payload(this, FALSE, tsr_payload);
323 if (status != SUCCESS)
324 return status;
325
326 /* install child SAs for AH and esp */
327 if (!this->child_sa)
328 {
329 this->logger->log(this->logger, CONTROL, "no CHILD_SA requested, no CHILD_SA built");
330 }
331 else if (!this->proposal)
332 {
333 this->logger->log(this->logger, CONTROL, "proposal negotiation failed, no CHILD_SA built");
334 this->child_sa->destroy(this->child_sa);
335 this->child_sa = NULL;
336 }
337 else if (this->my_ts->get_count(this->my_ts) == 0 || this->other_ts->get_count(this->other_ts) == 0)
338 {
339 this->logger->log(this->logger, CONTROL, "traffic selector negotiation failed, no CHILD_SA built");
340 this->child_sa->destroy(this->child_sa);
341 this->child_sa = NULL;
342 }
343 else
344 {
345 seed = chunk_alloc(this->sent_nonce.len + this->received_nonce.len);
346 memcpy(seed.ptr, this->sent_nonce.ptr, this->sent_nonce.len);
347 memcpy(seed.ptr + this->sent_nonce.len, this->received_nonce.ptr, this->received_nonce.len);
348 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
349 chunk_free(&seed);
350
351 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
352 prf_plus->destroy(prf_plus);
353 if (status != SUCCESS)
354 {
355 this->logger->log(this->logger, AUDIT, "could not install CHILD_SA! Deleting IKE_SA");
356 return DESTROY_ME;
357 }
358 status = this->child_sa->add_policies(this->child_sa, this->my_ts, this->other_ts);
359 if (status != SUCCESS)
360 {
361 this->logger->log(this->logger, AUDIT, "could not install CHILD_SA policy! Deleting IKE_SA");
362 return DESTROY_ME;
363 }
364 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
365 }
366
367 this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
368
369 /* create new state */
370 this->ike_sa->establish(this->ike_sa);
371 this->destroy_after_state_change(this);
372 return SUCCESS;
373 }
374
375 /**
376 * Implements private_ike_auth_requested_t.process_idr_payload
377 */
378 static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
379 {
380 identification_t *other_id, *configured_other_id;
381
382 other_id = idr_payload->get_identification(idr_payload);
383 configured_other_id = this->policy->get_other_id(this->policy);
384
385 this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
386 configured_other_id->get_string(configured_other_id),
387 other_id->get_string(other_id));
388
389 if (!other_id->belongs_to(other_id, configured_other_id))
390 {
391 other_id->destroy(other_id);
392 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not acceptable ID. Deleting IKE_SA");
393 return DESTROY_ME;
394 }
395
396 this->policy->update_other_id(this->policy, other_id);
397 return SUCCESS;
398 }
399
400 /**
401 * Implements private_ike_auth_requested_t.process_cert_payload
402 */
403 static status_t process_cert_payload(private_ike_auth_requested_t *this, cert_payload_t * cert_payload)
404 {
405 bool found;
406 x509_t *cert;
407
408 if (cert_payload->get_cert_encoding(cert_payload) != CERT_X509_SIGNATURE)
409 {
410 this->logger->log(this->logger, CONTROL, "certificate encoding is %s, ignored",
411 enum_name(&cert_encoding_names, cert_payload->get_cert_encoding(cert_payload)));
412 return SUCCESS;
413 }
414 cert = x509_create_from_chunk(cert_payload->get_data_clone(cert_payload));
415
416 if (charon->credentials->verify(charon->credentials, cert, &found))
417 {
418 this->logger->log(this->logger, CONTROL, "end entity certificate is trusted");
419 if (!found)
420 {
421 cert = charon->credentials->add_end_certificate(charon->credentials, cert);
422 }
423 }
424 else
425 {
426 this->logger->log(this->logger, ERROR, "end entity certificate is not trusted");
427 }
428 return SUCCESS;
429 }
430
431
432 /**
433 * Implements private_ike_auth_requested_t.process_sa_payload
434 */
435 static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payload_t *sa_payload)
436 {
437 proposal_t *proposal, *proposal_tmp;
438 linked_list_t *proposal_list;
439
440 /* get his selected proposal */
441 proposal_list = sa_payload->get_proposals(sa_payload);
442 /* check count of proposals */
443 if (proposal_list->get_count(proposal_list) == 0)
444 {
445 /* no proposal? we accept this, but no child sa is built */
446 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD didn't contain any proposals. No CHILD_SA created",
447 proposal_list->get_count(proposal_list));
448 proposal_list->destroy(proposal_list);
449 return SUCCESS;
450 }
451 if (proposal_list->get_count(proposal_list) > 1)
452 {
453 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply's SA_PAYLOAD contained %d proposal. Deleting IKE_SA",
454 proposal_list->get_count(proposal_list));
455 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
456 {
457 proposal->destroy(proposal);
458 }
459 proposal_list->destroy(proposal_list);
460 return DESTROY_ME;
461 }
462
463 /* we have to re-check here if other's selection is valid */
464 proposal = this->policy->select_proposal(this->policy, proposal_list);
465 /* list not needed anymore */
466 while (proposal_list->remove_last(proposal_list, (void**)&proposal_tmp) == SUCCESS)
467 {
468 proposal_tmp->destroy(proposal_tmp);
469 }
470 proposal_list->destroy(proposal_list);
471 /* got a match? */
472 if (proposal == NULL)
473 {
474 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
475 return DESTROY_ME;
476 }
477
478 /* apply proposal */
479 this->proposal = proposal;
480
481 return SUCCESS;
482 }
483
484 /**
485 * Implements private_ike_auth_requested_t.process_auth_payload
486 */
487 static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload)
488 {
489 authenticator_t *authenticator;
490 status_t status;
491
492 authenticator = authenticator_create(this->ike_sa);
493 status = authenticator->verify_auth_data(authenticator,auth_payload,this->ike_sa_init_reply_data,this->sent_nonce,other_id_payload,FALSE);
494 authenticator->destroy(authenticator);
495 if (status != SUCCESS)
496 {
497 this->logger->log(this->logger, AUDIT, "verification of IKE_AUTH reply failed. Deleting IKE_SA");
498 return DESTROY_ME;
499 }
500
501 this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully");
502 return SUCCESS;
503 }
504
505 /**
506 * Implements private_ike_auth_requested_t.process_ts_payload
507 */
508 static status_t process_ts_payload(private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload)
509 {
510 linked_list_t *ts_received, *ts_selected;
511 traffic_selector_t *ts;
512
513 /* get ts form payload */
514 ts_received = ts_payload->get_traffic_selectors(ts_payload);
515 /* select ts depending on payload type */
516 if (ts_initiator)
517 {
518 ts_selected = this->policy->select_my_traffic_selectors(this->policy, ts_received);
519 this->my_ts = ts_selected;
520 }
521 else
522 {
523 ts_selected = this->policy->select_other_traffic_selectors(this->policy, ts_received);
524 this->other_ts = ts_selected;
525 }
526 /* check if the responder selected valid proposals */
527 if (ts_selected->get_count(ts_selected) != ts_received->get_count(ts_received))
528 {
529 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained not offered traffic selectors.");
530 }
531
532 /* cleanup */
533 while (ts_received->remove_last(ts_received, (void**)&ts) == SUCCESS)
534 {
535 ts->destroy(ts);
536 }
537 ts_received->destroy(ts_received);
538
539 return SUCCESS;
540 }
541
542 /**
543 * Implements private_ike_auth_requested_t.process_notify_payload
544 */
545 static status_t process_notify_payload(private_ike_auth_requested_t *this, notify_payload_t *notify_payload)
546 {
547 notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
548
549 this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
550 mapping_find(notify_message_type_m, notify_message_type));
551
552 switch (notify_message_type)
553 {
554 case INVALID_SYNTAX:
555 {
556 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA");
557 return DESTROY_ME;
558
559 }
560 case AUTHENTICATION_FAILED:
561 {
562 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA");
563 return DESTROY_ME;
564
565 }
566 case SINGLE_PAIR_REQUIRED:
567 {
568 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA");
569 return DESTROY_ME;
570 }
571 case TS_UNACCEPTABLE:
572 {
573 /* TODO: We currently check only the replied TS payloads, which should be empty. Should
574 * we interpret the notify additionaly? */
575 this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained a TS_UNACCEPTABLE notify. Ignored");
576 return SUCCESS;
577 }
578 case NO_PROPOSAL_CHOSEN:
579 {
580 /* TODO: We currently check only the replied SA payload, which should be empty. Should
581 * we interpret the notify additionaly? */
582 this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained a NO_PROPOSAL_CHOSEN notify. Ignored");
583 return SUCCESS;
584 }
585 default:
586 {
587 /*
588 * - In case of unknown error: IKE_SA gets destroyed.
589 * - In case of unknown status: logging
590 */
591
592 if (notify_message_type < 16383)
593 {
594 this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA",
595 notify_message_type);
596 return DESTROY_ME;
597
598 }
599 else
600 {
601 this->logger->log(this->logger, CONTROL, "IKE_AUTH reply contained an unknown notify (%d), ignored.",
602 notify_message_type);
603 return SUCCESS;
604 }
605 }
606 }
607 }
608
609 /**
610 * Implements state_t.get_state
611 */
612 static ike_sa_state_t get_state(private_ike_auth_requested_t *this)
613 {
614 return IKE_AUTH_REQUESTED;
615 }
616
617 /**
618 * Implements state_t.get_state
619 */
620 static void destroy(private_ike_auth_requested_t *this)
621 {
622 chunk_free(&(this->received_nonce));
623 chunk_free(&(this->sent_nonce));
624 chunk_free(&(this->ike_sa_init_reply_data));
625 if (this->child_sa)
626 {
627 this->child_sa->destroy(this->child_sa);
628 }
629 if (this->my_ts)
630 {
631 traffic_selector_t *ts;
632 while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS)
633 {
634 ts->destroy(ts);
635 }
636 this->my_ts->destroy(this->my_ts);
637 }
638 if (this->other_ts)
639 {
640 traffic_selector_t *ts;
641 while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS)
642 {
643 ts->destroy(ts);
644 }
645 this->other_ts->destroy(this->other_ts);
646 }
647 if (this->proposal)
648 {
649 this->proposal->destroy(this->proposal);
650 }
651 free(this);
652 }
653 /**
654 * Implements protected_ike_sa_t.destroy_after_state_change
655 */
656 static void destroy_after_state_change(private_ike_auth_requested_t *this)
657 {
658 chunk_free(&(this->received_nonce));
659 chunk_free(&(this->sent_nonce));
660 chunk_free(&(this->ike_sa_init_reply_data));
661 if (this->my_ts)
662 {
663 traffic_selector_t *ts;
664 while (this->my_ts->remove_last(this->my_ts, (void**)&ts) == SUCCESS)
665 {
666 ts->destroy(ts);
667 }
668 this->my_ts->destroy(this->my_ts);
669 }
670 if (this->other_ts)
671 {
672 traffic_selector_t *ts;
673 while (this->other_ts->remove_last(this->other_ts, (void**)&ts) == SUCCESS)
674 {
675 ts->destroy(ts);
676 }
677 this->other_ts->destroy(this->other_ts);
678 }
679 if (this->proposal)
680 {
681 this->proposal->destroy(this->proposal);
682 }
683 free(this);
684 }
685
686 /*
687 * Described in header.
688 */
689 ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa,chunk_t sent_nonce,chunk_t received_nonce,chunk_t ike_sa_init_reply_data, child_sa_t *child_sa)
690 {
691 private_ike_auth_requested_t *this = malloc_thing(private_ike_auth_requested_t);
692
693 /* interface functions */
694 this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
695 this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
696 this->public.state_interface.destroy = (void (*) (state_t *)) destroy;
697
698 /* private functions */
699 this->process_idr_payload = process_idr_payload;
700 this->process_cert_payload = process_cert_payload;
701 this->process_sa_payload = process_sa_payload;
702 this->process_auth_payload = process_auth_payload;
703 this->process_ts_payload = process_ts_payload;
704 this->process_notify_payload = process_notify_payload;
705 this->destroy_after_state_change = destroy_after_state_change;
706
707 /* private data */
708 this->ike_sa = ike_sa;
709 this->received_nonce = received_nonce;
710 this->sent_nonce = sent_nonce;
711 this->ike_sa_init_reply_data = ike_sa_init_reply_data;
712 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
713 this->my_ts = NULL;
714 this->other_ts = NULL;
715 this->proposal = NULL;
716 this->child_sa = child_sa;
717
718 return &(this->public);
719 }