Refactored main mode HASH payload processing
[strongswan.git] / src / libcharon / sa / tasks / main_mode.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2011 Martin Willi
6 * Copyright (C) 2011 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "main_mode.h"
20
21 #include <string.h>
22
23 #include <daemon.h>
24 #include <sa/keymat_v1.h>
25 #include <crypto/diffie_hellman.h>
26 #include <encoding/payloads/sa_payload.h>
27 #include <encoding/payloads/ke_payload.h>
28 #include <encoding/payloads/nonce_payload.h>
29 #include <encoding/payloads/id_payload.h>
30 #include <encoding/payloads/hash_payload.h>
31
32 typedef struct private_main_mode_t private_main_mode_t;
33
34 /**
35 * Private members of a main_mode_t task.
36 */
37 struct private_main_mode_t {
38
39 /**
40 * Public methods and task_t interface.
41 */
42 main_mode_t public;
43
44 /**
45 * Assigned IKE_SA.
46 */
47 ike_sa_t *ike_sa;
48
49 /**
50 * Are we the initiator?
51 */
52 bool initiator;
53
54 /**
55 * IKE config to establish
56 */
57 ike_cfg_t *ike_cfg;
58
59 /**
60 * Peer config to use
61 */
62 peer_cfg_t *peer_cfg;
63
64 /**
65 * Local authentication configuration
66 */
67 auth_cfg_t *my_auth;
68
69 /**
70 * Remote authentication configuration
71 */
72 auth_cfg_t *other_auth;
73
74 /**
75 * selected IKE proposal
76 */
77 proposal_t *proposal;
78
79 /**
80 * DH exchange
81 */
82 diffie_hellman_t *dh;
83
84 /**
85 * Keymat derivation (from SA)
86 */
87 keymat_v1_t *keymat;
88
89 /**
90 * Received public DH value from peer
91 */
92 chunk_t dh_value;
93
94 /**
95 * Initiators nonce
96 */
97 chunk_t nonce_i;
98
99 /**
100 * Responder nonce
101 */
102 chunk_t nonce_r;
103
104 /**
105 * Encoded SA initiator payload used for authentication
106 */
107 chunk_t sa_payload;
108
109 /** states of main mode */
110 enum {
111 MM_INIT,
112 MM_SA,
113 MM_KE,
114 MM_AUTH,
115 } state;
116 };
117
118 /**
119 * Get the first authentcation config from peer config
120 */
121 static auth_cfg_t *get_auth_cfg(private_main_mode_t *this, bool local)
122 {
123 enumerator_t *enumerator;
124 auth_cfg_t *cfg = NULL;
125
126 enumerator = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg,
127 local);
128 enumerator->enumerate(enumerator, &cfg);
129 enumerator->destroy(enumerator);
130 return cfg;
131 }
132
133 /**
134 * Save the encoded SA payload of a message
135 */
136 static bool save_sa_payload(private_main_mode_t *this, message_t *message)
137 {
138 enumerator_t *enumerator;
139 payload_t *payload, *sa = NULL;
140 chunk_t data;
141 size_t offset = IKE_HEADER_LENGTH;
142
143 enumerator = message->create_payload_enumerator(message);
144 while (enumerator->enumerate(enumerator, &payload))
145 {
146 if (payload->get_type(payload) == SECURITY_ASSOCIATION_V1)
147 {
148 sa = payload;
149 break;
150 }
151 else
152 {
153 offset += payload->get_length(payload);
154 }
155 }
156 enumerator->destroy(enumerator);
157
158 data = message->get_packet_data(message);
159 if (sa && data.len >= offset + sa->get_length(sa))
160 {
161 /* Get SA payload without 4 byte fixed header */
162 data = chunk_skip(data, offset);
163 data.len = sa->get_length(sa);
164 data = chunk_skip(data, 4);
165 this->sa_payload = chunk_clone(data);
166 return TRUE;
167 }
168 return FALSE;
169 }
170
171 /**
172 * Build main mode hash payloads
173 */
174 static void build_hash(private_main_mode_t *this, bool initiator,
175 message_t *message, identification_t *id)
176 {
177 hash_payload_t *hash_payload;
178 chunk_t hash, dh;
179
180 this->dh->get_my_public_value(this->dh, &dh);
181 hash = this->keymat->get_hash(this->keymat, initiator, dh, this->dh_value,
182 this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
183 free(dh.ptr);
184
185 hash_payload = hash_payload_create();
186 hash_payload->set_hash(hash_payload, hash);
187 free(hash.ptr);
188
189 message->add_payload(message, &hash_payload->payload_interface);
190 }
191
192 /**
193 * Verify main mode hash payload
194 */
195 static bool verify_hash(private_main_mode_t *this, bool initiator,
196 message_t *message, identification_t *id)
197 {
198 hash_payload_t *hash_payload;
199 chunk_t hash, dh;
200 bool equal;
201
202 hash_payload = (hash_payload_t*)message->get_payload(message,
203 HASH_V1);
204 if (!hash_payload)
205 {
206 DBG1(DBG_IKE, "HASH payload missing in message");
207 return FALSE;
208 }
209 hash = hash_payload->get_hash(hash_payload);
210 this->dh->get_my_public_value(this->dh, &dh);
211 hash = this->keymat->get_hash(this->keymat, initiator, this->dh_value, dh,
212 this->ike_sa->get_id(this->ike_sa), this->sa_payload, id);
213 free(dh.ptr);
214 equal = chunk_equals(hash, hash_payload->get_hash(hash_payload));
215 free(hash.ptr);
216 if (!equal)
217 {
218 DBG1(DBG_IKE, "calculated HASH does not match HASH payload");
219 }
220 return equal;
221 }
222
223 METHOD(task_t, build_i, status_t,
224 private_main_mode_t *this, message_t *message)
225 {
226 switch (this->state)
227 {
228 case MM_INIT:
229 {
230 sa_payload_t *sa_payload;
231 linked_list_t *proposals;
232 packet_t *packet;
233
234 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
235 DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
236 this->ike_sa->get_name(this->ike_sa),
237 this->ike_sa->get_unique_id(this->ike_sa),
238 this->ike_sa->get_other_host(this->ike_sa));
239 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
240
241 proposals = this->ike_cfg->get_proposals(this->ike_cfg);
242
243 sa_payload = sa_payload_create_from_proposal_list(
244 SECURITY_ASSOCIATION_V1, proposals);
245 proposals->destroy_offset(proposals, offsetof(proposal_t, destroy));
246
247 message->add_payload(message, &sa_payload->payload_interface);
248
249 /* pregenerate message to store SA payload */
250 if (this->ike_sa->generate_message(this->ike_sa, message,
251 &packet) != SUCCESS)
252 {
253 DBG1(DBG_IKE, "pregenerating SA payload failed");
254 return FAILED;
255 }
256 packet->destroy(packet);
257 if (!save_sa_payload(this, message))
258 {
259 DBG1(DBG_IKE, "SA payload invalid");
260 return FAILED;
261 }
262
263 this->state = MM_SA;
264 return NEED_MORE;
265 }
266 case MM_SA:
267 {
268 ke_payload_t *ke_payload;
269 nonce_payload_t *nonce_payload;
270 u_int16_t group;
271 rng_t *rng;
272
273 if (!this->proposal->get_algorithm(this->proposal,
274 DIFFIE_HELLMAN_GROUP, &group, NULL))
275 {
276 DBG1(DBG_IKE, "DH group selection failed");
277 return FAILED;
278 }
279 this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
280 group);
281 if (!this->dh)
282 {
283 DBG1(DBG_IKE, "negotiated DH group not supported");
284 return FAILED;
285 }
286 ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
287 this->dh);
288 message->add_payload(message, &ke_payload->payload_interface);
289
290 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
291 if (!rng)
292 {
293 DBG1(DBG_IKE, "no RNG found to create nonce");
294 return FAILED;
295 }
296 rng->allocate_bytes(rng, NONCE_SIZE, &this->nonce_i);
297 rng->destroy(rng);
298
299 nonce_payload = nonce_payload_create(NONCE_V1);
300 nonce_payload->set_nonce(nonce_payload, this->nonce_i);
301 message->add_payload(message, &nonce_payload->payload_interface);
302
303 this->state = MM_KE;
304 return NEED_MORE;
305 }
306 case MM_KE:
307 {
308 id_payload_t *id_payload;
309 identification_t *id;
310
311 this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
312 this->peer_cfg->get_ref(this->peer_cfg);
313
314 this->my_auth = get_auth_cfg(this, TRUE);
315 this->other_auth = get_auth_cfg(this, FALSE);
316 if (!this->my_auth || !this->other_auth)
317 {
318 DBG1(DBG_CFG, "no auth config found");
319 return FAILED;
320 }
321 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
322 if (!id)
323 {
324 DBG1(DBG_CFG, "own identity not known");
325 return FAILED;
326 }
327
328 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
329
330 id_payload = id_payload_create_from_identification(ID_V1, id);
331 message->add_payload(message, &id_payload->payload_interface);
332
333 build_hash(this, TRUE, message, id);
334
335 this->state = MM_AUTH;
336 return NEED_MORE;
337 }
338 default:
339 return FAILED;
340 }
341 }
342
343 METHOD(task_t, process_r, status_t,
344 private_main_mode_t *this, message_t *message)
345 {
346 switch (this->state)
347 {
348 case MM_INIT:
349 {
350 linked_list_t *list;
351 sa_payload_t *sa_payload;
352
353 this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
354 DBG0(DBG_IKE, "%H is initiating a Main Mode",
355 message->get_source(message));
356 this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
357
358 this->ike_sa->update_hosts(this->ike_sa,
359 message->get_destination(message),
360 message->get_source(message), TRUE);
361
362 sa_payload = (sa_payload_t*)message->get_payload(message,
363 SECURITY_ASSOCIATION_V1);
364 if (!sa_payload || !save_sa_payload(this, message))
365 {
366 DBG1(DBG_IKE, "SA payload missing or invalid");
367 return FAILED;
368 }
369
370 list = sa_payload->get_proposals(sa_payload);
371 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
372 list, FALSE);
373 list->destroy_offset(list, offsetof(proposal_t, destroy));
374 if (!this->proposal)
375 {
376 DBG1(DBG_IKE, "no proposal found");
377 return FAILED;
378 }
379 this->state = MM_SA;
380 return NEED_MORE;
381 }
382 case MM_SA:
383 {
384 ke_payload_t *ke_payload;
385 nonce_payload_t *nonce_payload;
386 u_int16_t group;
387
388 ke_payload = (ke_payload_t*)message->get_payload(message,
389 KEY_EXCHANGE_V1);
390 if (!ke_payload)
391 {
392 DBG1(DBG_IKE, "KE payload missing");
393 return FAILED;
394 }
395 this->dh_value = ke_payload->get_key_exchange_data(ke_payload);
396 this->dh_value = chunk_clone(this->dh_value);
397
398 if (!this->proposal->get_algorithm(this->proposal,
399 DIFFIE_HELLMAN_GROUP, &group, NULL))
400 {
401 DBG1(DBG_IKE, "DH group selection failed");
402 return FAILED;
403 }
404 this->dh = lib->crypto->create_dh(lib->crypto, group);
405 if (!this->dh)
406 {
407 DBG1(DBG_IKE, "negotiated DH group not supported");
408 return FAILED;
409 }
410 this->dh->set_other_public_value(this->dh, this->dh_value);
411
412 nonce_payload = (nonce_payload_t*)message->get_payload(message,
413 NONCE_V1);
414 if (!nonce_payload)
415 {
416 DBG1(DBG_IKE, "Nonce payload missing");
417 return FAILED;
418 }
419 this->nonce_i = nonce_payload->get_nonce(nonce_payload);
420
421 this->state = MM_KE;
422 return NEED_MORE;
423 }
424 case MM_KE:
425 {
426 enumerator_t *enumerator;
427 id_payload_t *id_payload;
428 identification_t *id, *any;
429
430 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
431 if (!id_payload)
432 {
433 DBG1(DBG_IKE, "IDii payload missing");
434 return FAILED;
435 }
436
437 id = id_payload->get_identification(id_payload);
438 any = identification_create_from_encoding(ID_ANY, chunk_empty);
439 enumerator = charon->backends->create_peer_cfg_enumerator(
440 charon->backends,
441 this->ike_sa->get_my_host(this->ike_sa),
442 this->ike_sa->get_other_host(this->ike_sa),
443 any, id);
444 if (!enumerator->enumerate(enumerator, &this->peer_cfg))
445 {
446 DBG1(DBG_IKE, "no peer config found");
447 id->destroy(id);
448 any->destroy(any);
449 enumerator->destroy(enumerator);
450 return FAILED;
451 }
452 this->peer_cfg->get_ref(this->peer_cfg);
453 enumerator->destroy(enumerator);
454 any->destroy(any);
455
456 this->ike_sa->set_other_id(this->ike_sa, id);
457
458 this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
459
460 this->my_auth = get_auth_cfg(this, TRUE);
461 this->other_auth = get_auth_cfg(this, FALSE);
462 if (!this->my_auth || !this->other_auth)
463 {
464 DBG1(DBG_IKE, "auth config missing");
465 return FAILED;
466 }
467
468 if (!verify_hash(this, TRUE, message, id))
469 {
470 return FAILED;
471 }
472
473 this->state = MM_AUTH;
474 return NEED_MORE;
475 }
476 default:
477 return FAILED;
478 }
479 }
480
481 /**
482 * Lookup a shared secret for this IKE_SA
483 */
484 static shared_key_t *lookup_shared_key(private_main_mode_t *this)
485 {
486 host_t *me, *other;
487 identification_t *my_id, *other_id;
488 shared_key_t *shared_key;
489
490 me = this->ike_sa->get_my_host(this->ike_sa);
491 other = this->ike_sa->get_other_host(this->ike_sa);
492 my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
493 other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
494 if (!my_id || !other_id)
495 {
496 DESTROY_IF(my_id);
497 DESTROY_IF(other_id);
498 return NULL;
499 }
500 shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id,
501 other_id);
502 if (!shared_key)
503 {
504 DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
505 }
506 my_id->destroy(my_id);
507 other_id->destroy(other_id);
508 return shared_key;
509 }
510
511 /**
512 * Derive key material for this IKE_SA
513 */
514 static bool derive_keys(private_main_mode_t *this, chunk_t nonce_i,
515 chunk_t nonce_r)
516 {
517 ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
518 shared_key_t *shared_key = NULL;
519 auth_class_t auth;
520
521 /* TODO-IKEv1: support other authentication classes */
522 auth = AUTH_CLASS_PSK;
523 switch (auth)
524 {
525 case AUTH_CLASS_PSK:
526 shared_key = lookup_shared_key(this);
527 break;
528 default:
529 break;
530 }
531 if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
532 this->dh_value, nonce_i, nonce_r, id, auth, shared_key))
533 {
534 DESTROY_IF(shared_key);
535 return FALSE;
536 }
537 DESTROY_IF(shared_key);
538 charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, nonce_i, nonce_r,
539 NULL);
540 return TRUE;
541 }
542
543 METHOD(task_t, build_r, status_t,
544 private_main_mode_t *this, message_t *message)
545 {
546 switch (this->state)
547 {
548 case MM_SA:
549 {
550 sa_payload_t *sa_payload;
551
552 sa_payload = sa_payload_create_from_proposal(SECURITY_ASSOCIATION_V1,
553 this->proposal);
554 message->add_payload(message, &sa_payload->payload_interface);
555
556 return NEED_MORE;
557 }
558 case MM_KE:
559 {
560 ke_payload_t *ke_payload;
561 nonce_payload_t *nonce_payload;
562 rng_t *rng;
563
564 ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE_V1,
565 this->dh);
566 message->add_payload(message, &ke_payload->payload_interface);
567
568 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
569 if (!rng)
570 {
571 DBG1(DBG_IKE, "no RNG found to create nonce");
572 return FAILED;
573 }
574 rng->allocate_bytes(rng, NONCE_SIZE, &this->nonce_r);
575 rng->destroy(rng);
576
577 if (!derive_keys(this, this->nonce_i, this->nonce_r))
578 {
579 DBG1(DBG_IKE, "key derivation failed");
580 return FAILED;
581 }
582
583 nonce_payload = nonce_payload_create(NONCE_V1);
584 nonce_payload->set_nonce(nonce_payload, this->nonce_r);
585 message->add_payload(message, &nonce_payload->payload_interface);
586 return NEED_MORE;
587 }
588 case MM_AUTH:
589 {
590 id_payload_t *id_payload;
591 identification_t *id;
592
593 id = this->my_auth->get(this->my_auth, AUTH_RULE_IDENTITY);
594 if (!id)
595 {
596 DBG1(DBG_CFG, "own identity not known");
597 return FAILED;
598 }
599
600 this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
601
602 id_payload = id_payload_create_from_identification(ID_V1, id);
603 message->add_payload(message, &id_payload->payload_interface);
604
605 build_hash(this, FALSE, message, id);
606
607 /* TODO-IKEv1: check for XAUTH rounds, queue them */
608 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
609 this->ike_sa->get_name(this->ike_sa),
610 this->ike_sa->get_unique_id(this->ike_sa),
611 this->ike_sa->get_my_host(this->ike_sa),
612 this->ike_sa->get_my_id(this->ike_sa),
613 this->ike_sa->get_other_host(this->ike_sa),
614 this->ike_sa->get_other_id(this->ike_sa));
615 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
616 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
617 return SUCCESS;
618 }
619 default:
620 return FAILED;
621 }
622 }
623
624 METHOD(task_t, process_i, status_t,
625 private_main_mode_t *this, message_t *message)
626 {
627 switch (this->state)
628 {
629 case MM_SA:
630 {
631 linked_list_t *list;
632 sa_payload_t *sa_payload;
633
634 sa_payload = (sa_payload_t*)message->get_payload(message,
635 SECURITY_ASSOCIATION_V1);
636 if (!sa_payload)
637 {
638 DBG1(DBG_IKE, "SA payload missing");
639 return FAILED;
640 }
641 list = sa_payload->get_proposals(sa_payload);
642 this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
643 list, FALSE);
644 list->destroy_offset(list, offsetof(proposal_t, destroy));
645 if (!this->proposal)
646 {
647 DBG1(DBG_IKE, "no proposal found");
648 return FAILED;
649 }
650 return NEED_MORE;
651 }
652 case MM_KE:
653 {
654 ke_payload_t *ke_payload;
655 nonce_payload_t *nonce_payload;
656
657 ke_payload = (ke_payload_t*)message->get_payload(message,
658 KEY_EXCHANGE_V1);
659 if (!ke_payload)
660 {
661 DBG1(DBG_IKE, "KE payload missing");
662 return FAILED;
663 }
664 this->dh_value = ke_payload->get_key_exchange_data(ke_payload);
665 this->dh_value = chunk_clone(this->dh_value);
666 this->dh->set_other_public_value(this->dh, this->dh_value);
667
668 nonce_payload = (nonce_payload_t*)message->get_payload(message,
669 NONCE_V1);
670 if (!nonce_payload)
671 {
672 DBG1(DBG_IKE, "Nonce payload missing");
673 return FAILED;
674 }
675 this->nonce_r = nonce_payload->get_nonce(nonce_payload);
676
677 if (!derive_keys(this, this->nonce_i, this->nonce_r))
678 {
679 DBG1(DBG_IKE, "key derivation failed");
680 return FAILED;
681 }
682
683 return NEED_MORE;
684 }
685 case MM_AUTH:
686 {
687 id_payload_t *id_payload;
688 identification_t *id;
689
690 id_payload = (id_payload_t*)message->get_payload(message, ID_V1);
691 if (!id_payload)
692 {
693 DBG1(DBG_IKE, "IDir payload missing");
694 return FAILED;
695 }
696 id = id_payload->get_identification(id_payload);
697 if (!id->matches(id, this->other_auth->get(this->other_auth,
698 AUTH_RULE_IDENTITY)))
699 {
700 DBG1(DBG_IKE, "IDir does not match");
701 id->destroy(id);
702 return FAILED;
703 }
704 this->ike_sa->set_other_id(this->ike_sa, id);
705
706 if (!verify_hash(this, FALSE, message, id))
707 {
708 return FAILED;
709 }
710
711 /* TODO-IKEv1: check for XAUTH rounds, queue them */
712 DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
713 this->ike_sa->get_name(this->ike_sa),
714 this->ike_sa->get_unique_id(this->ike_sa),
715 this->ike_sa->get_my_host(this->ike_sa),
716 this->ike_sa->get_my_id(this->ike_sa),
717 this->ike_sa->get_other_host(this->ike_sa),
718 this->ike_sa->get_other_id(this->ike_sa));
719 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
720 charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
721 return SUCCESS;
722 }
723 default:
724 return FAILED;
725 }
726 }
727
728 METHOD(task_t, get_type, task_type_t,
729 private_main_mode_t *this)
730 {
731 return TASK_MAIN_MODE;
732 }
733
734 METHOD(task_t, migrate, void,
735 private_main_mode_t *this, ike_sa_t *ike_sa)
736 {
737 this->ike_sa = ike_sa;
738 }
739
740 METHOD(task_t, destroy, void,
741 private_main_mode_t *this)
742 {
743 DESTROY_IF(this->peer_cfg);
744 DESTROY_IF(this->proposal);
745 DESTROY_IF(this->dh);
746 free(this->dh_value.ptr);
747 free(this->nonce_i.ptr);
748 free(this->nonce_r.ptr);
749 free(this->sa_payload.ptr);
750 free(this);
751 }
752
753 /*
754 * Described in header.
755 */
756 main_mode_t *main_mode_create(ike_sa_t *ike_sa, bool initiator)
757 {
758 private_main_mode_t *this;
759
760 INIT(this,
761 .public = {
762 .task = {
763 .get_type = _get_type,
764 .migrate = _migrate,
765 .destroy = _destroy,
766 },
767 },
768 .ike_sa = ike_sa,
769 .keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
770 .initiator = initiator,
771 .state = MM_INIT,
772 );
773
774 if (initiator)
775 {
776 this->public.task.build = _build_i;
777 this->public.task.process = _process_i;
778 }
779 else
780 {
781 this->public.task.build = _build_r;
782 this->public.task.process = _process_r;
783 }
784
785 return &this->public;
786 }