*/
ike_sa_t public;
+ /**
+ * Builds an empty IKEv2-Message
+ *
+ * Depending on the type of message (request or response), the message id is
+ * either message_id_out or message_id_in.
+ *
+ *
+ * @param this calling object
+ * @param type exchange type of new message
+ * @param request TRUE, if message has to be a request
+ * @param message new message is stored at this location
+ * @return
+ * - SUCCESS
+ * - OUT_OF_RES
+ */
+ status_t (*build_message) (private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message);
+
status_t (*build_sa_payload) (private_ike_sa_t *this, sa_payload_t **payload);
status_t (*build_ke_payload) (private_ike_sa_t *this, ke_payload_t **payload);
status_t (*build_nonce_payload) (private_ike_sa_t *this, nonce_payload_t **payload);
- status_t (*build_message) (private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message);
+ status_t (*create_delete_job) (private_ike_sa_t *this);
+ status_t (*resend_last_reply) (private_ike_sa_t *this);
status_t (*transto_ike_sa_init_requested) (private_ike_sa_t *this, char *name);
* Diffie Hellman object used to compute shared secret
*/
diffie_hellman_t *diffie_hellman;
+
/**
* Diffie Hellman group number
*/
* selected proposals
*/
linked_list_t *proposals;
+
/**
* Sent nonce value
*/
chunk_t sent_nonce;
+
/**
* received nonce value
*/
{
u_int32_t message_id;
bool is_request;
+ exchange_type_t exchange_type;
+ /* we must process each request or response from remote host
+ * the check if a given message is possible for a given state is done in here
+ */
+
+ /* find out type of message (request or response) */
is_request = message->get_request(message);
+ exchange_type = message->get_exchange_type(message);
+
this->logger->log(this->logger, CONTROL|MORE, "Process %s message of exchange type %s",(is_request) ? "REQUEST" : "RESPONSE",
- mapping_find(exchange_type_m,message->get_exchange_type(message)));
-
+ mapping_find(exchange_type_m,exchange_type));
+
+ message_id = message->get_message_id(message);
- //message->get_exchange_type(message);
+ /*
+ * It has to be checked, if the message has to be resent cause of lost packets!
+ */
+ if (is_request && ( message_id == (this->message_id_in - 1)))
+ {
+ /* message can be resent ! */
+ this->logger->log(this->logger, CONTROL|MORE, "Resent message detected. Send stored reply");
+ return (this->resend_last_reply(this));
+ }
+ /* Now, the message id is checked for request AND reply */
+ if (is_request)
+ {
+ /* In a request, the message has to be this->message_id_in (other case is already handled) */
+ if (message_id != this->message_id_in)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Message request with message id %d received, but %d expected",message_id,this->message_id_in);
+ return FAILED;
+ }
+ }
+ else
+ {
+ /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
+ if (message_id != (this->message_id_out - 1))
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Message reply with message id %d received, but %d expected",message_id,this->message_id_in);
+ return FAILED;
+ }
+ }
+ /* Now, the exchange type is checked and the appropriate transition handler is called*/
switch (message->get_exchange_type(message))
{
case IKE_SA_INIT:
{
+
if (message->get_request(message)) {
if (this->state == NO_STATE)
{
}
case IKE_AUTH:
{
- /* break; */
+ if (this->state <= IKE_SA_INIT_REQUESTED)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Current state %s of IKE_SA does not allow IKE_AUTH message",mapping_find(ike_sa_state_m,this->state));
+ return FAILED;
+ }
+ break;
}
case CREATE_CHILD_SA:
{
- /* break; */
+ if (this->state < IKE_SA_INITIALIZED)
+ {
+ this->logger->log(this->logger, ERROR | MORE, "Current state %s of IKE_SA does not allow CREATE_CHILD_SA message",mapping_find(ike_sa_state_m,this->state));
+ return FAILED;
+ }
+ break;
}
case INFORMATIONAL:
{
- /* break; */
+ break;
}
default:
{
return NOT_SUPPORTED;
}
}
- this->logger->log(this->logger, ERROR, "received %s-message in state %s, rejected.",
+ this->logger->log(this->logger, CONTROL, "received %s-message in state %s, not handled.",
mapping_find(exchange_type_m, message->get_exchange_type(message)),
mapping_find(ike_sa_state_m, this->state));
return INVALID_STATE;
}
-
+/**
+ * @brief Implements function build_message of private_ike_sa_t.
+ */
static status_t build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
{
status_t status;
message_t *new_message;
host_t *source, *destination;
-
+
+ this ->logger->log(this->logger, CONTROL|MORE, "build empty message");
new_message = message_create();
if (new_message == NULL)
{
+ this->logger->log(this->logger, ERROR, "Fatal error: could not create empty message object");
return OUT_OF_RES;
}
status = this->me.host->clone(this->me.host, &source);
- status |= this->other.host->clone(this->other.host, &destination);
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR, "Fatal error: could not clone my host information");
+ new_message->destroy(new_message);
+ return status;
+ }
+ status = this->other.host->clone(this->other.host, &destination);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Fatal error: could not clone other host information");
+ source->destroy(source);
new_message->destroy(new_message);
return status;
}
+
new_message->set_source(new_message, source);
new_message->set_destination(new_message, destination);
new_message->set_exchange_type(new_message, type);
new_message->set_request(new_message, request);
- if (request)
- {
- new_message->set_message_id(new_message, this->message_id_out);
- }else
+ new_message->set_message_id(new_message, (request) ? this->message_id_out : this->message_id_in);
+
+ status = new_message->set_ike_sa_id(new_message, this->ike_sa_id);
+ if (status != SUCCESS)
{
- new_message->set_message_id(new_message, this->message_id_in);
+ this->logger->log(this->logger, ERROR, "Fatal error: could not set ike_sa_id of message");
+ new_message->destroy(new_message);
+ return status;
}
- new_message->set_ike_sa_id(new_message, this->ike_sa_id);
-
*message = new_message;
return SUCCESS;
}
-
+/**
+ * @brief Implements function transto_ike_sa_init_requested of private_ike_sa_t.
+ */
static status_t transto_ike_sa_init_requested(private_ike_sa_t *this, char *name)
{
message_t *message;
packet_t *packet;
status_t status;
- this->logger->log(this->logger, CONTROL, "initializing connection");
-
+ this->logger->log(this->logger, CONTROL, "Initializing connection %s",name);
+
status = global_configuration_manager->get_local_host(global_configuration_manager, name, &(this->me.host));
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR | MORE, "Could not retrieve local host configuration information for %s",name);
return INVALID_ARG;
}
status = global_configuration_manager->get_remote_host(global_configuration_manager, name, &(this->other.host));
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR | MORE, "Could not retrieve remote host configuration information for %s",name);
return INVALID_ARG;
}
status = global_configuration_manager->get_dh_group_number(global_configuration_manager, name, &(this->ike_sa_init_data.dh_group_number), this->ike_sa_init_data.dh_group_priority);
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR | MORE, "Could not retrieve DH group number for %s",name);
return INVALID_ARG;
}
- this ->logger->log(this->logger, CONTROL|MORE, "create diffie hellman object");
if (this->ike_sa_init_data.diffie_hellman != NULL)
{
- this->logger->log(this->logger, ERROR, "Object of type diffie_hellman_t already existing!");
+ this->logger->log(this->logger, ERROR, "Object of type diffie_hellman_t already existing!");
return FAILED;
}
+ this ->logger->log(this->logger, CONTROL|MOST, "create diffie hellman object");
this->ike_sa_init_data.diffie_hellman = diffie_hellman_create(this->ike_sa_init_data.dh_group_number);
if (this->ike_sa_init_data.diffie_hellman == NULL)
{
/* going to build message */
-
status = this->build_message(this, IKE_SA_INIT, TRUE, &message);
if (status != SUCCESS)
{
message->destroy(message);
return status;
}
- message->add_payload(message, payload);
+
+ this ->logger->log(this->logger, CONTROL|MOST, "add SA payload to message");
+ status = message->add_payload(message, payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not add SA payload to message");
+ message->destroy(message);
+ return status;
+ }
+
/* build KE payload */
status = this->build_ke_payload(this,(ke_payload_t **) &payload);
message->destroy(message);
return status;
}
- message->add_payload(message, payload);
+
+ this ->logger->log(this->logger, CONTROL|MOST, "add KE payload to message");
+ status = message->add_payload(message, payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not add KE payload to message");
+ message->destroy(message);
+ return status;
+ }
/* build Nonce payload */
status = this->build_nonce_payload(this, (nonce_payload_t**)&payload);
message->destroy(message);
return status;
}
- message->add_payload(message, payload);
-
+
+ this ->logger->log(this->logger, CONTROL|MOST, "add nonce payload to message");
+ status = message->add_payload(message, payload);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not add nonce payload to message");
+ message->destroy(message);
+ return status;
+ }
+ this ->logger->log(this->logger, CONTROL|MOST, "generate packet from message");
status = message->generate(message, &packet);
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR, "Could not generate message");
+ this->logger->log(this->logger, ERROR, "Fatal error: could not generate packet from message");
message->destroy(message);
return status;
}
+ this ->logger->log(this->logger, CONTROL|MOST, "Add packet to global send queue");
status = global_send_queue->add(global_send_queue, packet);
if (status != SUCCESS)
{
if ( this->last_requested_message != NULL)
{
/* destroy message */
+ this ->logger->log(this->logger, CONTROL|MOST, "Destroy stored last requested message");
this->last_requested_message->destroy(this->last_requested_message);
}
this->message_id_out++;
/* states has NOW changed :-) */
+ this ->logger->log(this->logger, CONTROL|MORE, "Change state of IKE_SA from %s to %s",mapping_find(ike_sa_state_m,this->state),mapping_find(ike_sa_state_m,IKE_SA_INIT_REQUESTED) );
this->state = IKE_SA_INIT_REQUESTED;
return SUCCESS;
status = request->parse_body(request);
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR, "Could not parse body");
+ this->logger->log(this->logger, ERROR | MORE, "Could not parse body of request message");
+ this->create_delete_job(this);
return status;
}
- /* iterate over incoming payloads */
+
+ /* iterate over incoming payloads. We can be sure, the message contains only accepted payloads! */
status = request->get_payload_iterator(request, &payloads);
if (status != SUCCESS)
{
- request->destroy(request);
- return status;
+ this->logger->log(this->logger, ERROR, "Fatal error: Could not get payload interator");
+ this->create_delete_job(this);
+ return status;
}
+
while (payloads->has_next(payloads))
{
payload_t *payload;
+
+ /* get current payload */
payloads->current(payloads, (void**)&payload);
- this->logger->log(this->logger, CONTROL|MORE, "Processing payload %s", mapping_find(payload_type_m, payload->get_type(payload)));
+ this->logger->log(this->logger, CONTROL|MORE, "Processing payload of type %s", mapping_find(payload_type_m, payload->get_type(payload)));
switch (payload->get_type(payload))
{
case SECURITY_ASSOCIATION:
{
sa_payload_t *sa_payload = (sa_payload_t*)payload;
linked_list_iterator_t *suggested_proposals, *accepted_proposals;
+
/* create a list for accepted proposals */
- if (this->ike_sa_init_data.proposals == NULL) {
+ if (this->ike_sa_init_data.proposals == NULL)
+ {
this->ike_sa_init_data.proposals = linked_list_create();
}
else
{
- /** @todo destroy list contents */
+ /* delete stored proposals */
+ while (this->ike_sa_init_data.proposals->get_count(this->ike_sa_init_data.proposals) > 0)
+ {
+ proposal_substructure_t *current_proposal;
+ this->ike_sa_init_data.proposals->remove_first(this->ike_sa_init_data.proposals,(void **)¤t_proposal);
+ current_proposal->destroy(current_proposal);
+ }
}
if (this->ike_sa_init_data.proposals == NULL)
{
+ /* destroy iterator and leave */
+ this->logger->log(this->logger, ERROR, "Fatal error: Could not create list for proposals");
payloads->destroy(payloads);
+ this->create_delete_job(this);
return OUT_OF_RES;
}
status = this->ike_sa_init_data.proposals->create_iterator(this->ike_sa_init_data.proposals, &accepted_proposals, FALSE);
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR, "Fatal error: Could not create iterator on list for proposals");
payloads->destroy(payloads);
+ this->create_delete_job(this);
return status;
}
status = sa_payload->create_proposal_substructure_iterator(sa_payload, &suggested_proposals, TRUE);
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR, "Fatal error: Could not create iterator on suggested proposals");
accepted_proposals->destroy(accepted_proposals);
payloads->destroy(payloads);
+ this->create_delete_job(this);
return status;
}
this->other.host, suggested_proposals, accepted_proposals);
if (status != SUCCESS)
{
+ this->logger->log(this->logger, CONTROL | MORE, "No proposal of suggested proposals selected");
suggested_proposals->destroy(suggested_proposals);
accepted_proposals->destroy(accepted_proposals);
payloads->destroy(payloads);
+ this->create_delete_job(this);
return status;
}
-
+
+ /* iterators are not needed anymore */
suggested_proposals->destroy(suggested_proposals);
accepted_proposals->destroy(accepted_proposals);
- /* ok, we have what we need for sa_payload */
+ /* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
break;
}
case KEY_EXCHANGE:
{
ke_payload_t *ke_payload = (ke_payload_t*)payload;
- diffie_hellman_t *dh;
diffie_hellman_group_t group;
+ diffie_hellman_t *dh;
bool allowed_group;
group = ke_payload->get_dh_group_number(ke_payload);
status = global_configuration_manager->is_dh_group_allowed_for_host(global_configuration_manager,
this->other.host, group, &allowed_group);
+
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR | MORE, "Could not get informations about DH group");
payloads->destroy(payloads);
+ this->create_delete_job(this);
return status;
}
if (!allowed_group)
{
- /** @todo info reply */
+ /** @todo Send info reply */
}
+ /* create diffie hellman object to handle DH exchange */
dh = diffie_hellman_create(group);
if (dh == NULL)
{
+ this->logger->log(this->logger, ERROR, "Could not generate DH object");
payloads->destroy(payloads);
+ this->create_delete_job(this);
return OUT_OF_RES;
}
+
+ this->logger->log(this->logger, CONTROL | MORE, "Set other DH public value");
status = dh->set_other_public_value(dh, ke_payload->get_key_exchange_data(ke_payload));
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR, "Could not set other DH public value");
dh->destroy(dh);
payloads->destroy(payloads);
+ this->create_delete_job(this);
return OUT_OF_RES;
}
/** @todo destroy if there is already one */
{
nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
chunk_t nonce;
-
+
+ this->logger->log(this->logger, CONTROL | MORE, "Get nonce value and store it");
nonce_payload->get_nonce(nonce_payload, &nonce);
/** @todo free if there is already one */
this->ike_sa_init_data.received_nonce.ptr = allocator_clone_bytes(nonce.ptr, nonce.len);
if (this->ike_sa_init_data.received_nonce.ptr == NULL)
{
payloads->destroy(payloads);
+ this->create_delete_job(this);
return OUT_OF_RES;
}
break;
}
}
+ /* iterator can be destroyed */
payloads->destroy(payloads);
- printf("done.\n");
+ this->logger->log(this->logger, CONTROL | MORE, "Request successfully handled. Going to create reply.");
/* set up the reply */
status = this->build_message(this, IKE_SA_INIT, FALSE, &response);
if (status != SUCCESS)
{
+ this->logger->log(this->logger, ERROR, "Could not create empty message");
+ this->create_delete_job(this);
return status;
}
+ /* leaks */
+ response->destroy(response);
-
- /*
- job_t *delete_job;
- delete_job = (job_t *) delete_ike_sa_job_create(this->ike_sa_id);
- if (delete_job == NULL)
- {
- this->logger->log(this->logger, ERROR, "Job to delete IKE SA could not be created");
- }
-
- status = global_job_queue->add(global_job_queue,delete_job);
- if (status != SUCCESS)
- {
- this->logger->log(this->logger, ERROR, "%s Job to delete IKE SA could not be added to job queue",mapping_find(status_m,status));
- delete_job->destroy_all(delete_job);
- }*/
return SUCCESS;
}
status = this->build_message(this, IKE_SA_INIT, FALSE, &response);
if (status != SUCCESS)
{
+ this->create_delete_job(this);
return status;
}
+
+ response->destroy(response);
+ return SUCCESS;
}
}
/**
+ * @brief implements function resend_last_reply of private_ike_sa_t
+ */
+status_t resend_last_reply (private_ike_sa_t *this)
+{
+ packet_t *packet;
+ status_t status;
+
+ status = this->last_responded_message->generate(this->last_responded_message, &packet);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not generate message to resent");
+ return status;
+ }
+
+ status = global_send_queue->add(global_send_queue, packet);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "Could not add packet to send queue");
+ packet->destroy(packet);
+ return status;
+ }
+ return SUCCESS;
+}
+
+status_t create_delete_job (private_ike_sa_t *this)
+{
+ job_t *delete_job;
+ status_t status;
+
+ this->logger->log(this->logger, CONTROL | MORE, "Going to create job to delete this IKE_SA");
+
+ delete_job = (job_t *) delete_ike_sa_job_create(this->ike_sa_id);
+ if (delete_job == NULL)
+ {
+ this->logger->log(this->logger, ERROR, "Job to delete IKE SA could not be created");
+ return FAILED;
+ }
+
+ status = global_job_queue->add(global_job_queue,delete_job);
+ if (status != SUCCESS)
+ {
+ this->logger->log(this->logger, ERROR, "%s Job to delete IKE SA could not be added to job queue",mapping_find(status_m,status));
+ delete_job->destroy_all(delete_job);
+ return status;
+ }
+ return SUCCESS;
+}
+
+/**
* @brief implements function destroy of private_ike_sa_t
*/
static status_t destroy (private_ike_sa_t *this)
this->last_responded_message->destroy(this->last_responded_message);
}
+ /* destroy stored proposal */
+ if (this->ike_sa_init_data.proposals != NULL)
+ {
+ this->logger->log(this->logger, CONTROL | MOST, "Destroy stored proposals");
+ while (this->ike_sa_init_data.proposals->get_count(this->ike_sa_init_data.proposals) > 0)
+ {
+ proposal_substructure_t *current_proposal;
+ this->ike_sa_init_data.proposals->remove_first(this->ike_sa_init_data.proposals,(void **)¤t_proposal);
+ current_proposal->destroy(current_proposal);
+ }
+ this->ike_sa_init_data.proposals->destroy(this->ike_sa_init_data.proposals);
+ }
+
this->logger->log(this->logger, CONTROL | MOST, "Destroy randomizer");
this->randomizer->destroy(this->randomizer);
+
+ /* destroy ike_sa_init data */
this->logger->log(this->logger, CONTROL | MOST, "Going to destroy ike_sa_init data");
if (this->ike_sa_init_data.diffie_hellman != NULL)
{
allocator_free_chunk(this->ike_sa_init_data.received_nonce);
}
+ if (this->me.host != NULL)
+ {
+ this->logger->log(this->logger, CONTROL | MOST, "Destroy host informations of me");
+ this->me.host->destroy(this->me.host);
+ }
+
+ if (this->other.host != NULL)
+ {
+ this->logger->log(this->logger, CONTROL | MOST, "Destroy host informations of other");
+ this->other.host->destroy(this->other.host);
+ }
+
+
this->logger->log(this->logger, CONTROL | MOST, "Destroy logger of IKE_SA");
global_logger_manager->destroy_logger(global_logger_manager, this->logger);
allocator_free(this);
-
return SUCCESS;
}
return NULL;
}
-
/* Public functions */
this->public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
this->public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
this->transto_ike_sa_init_requested = transto_ike_sa_init_requested;
this->transto_ike_sa_init_responded = transto_ike_sa_init_responded;
this->transto_ike_auth_requested = transto_ike_auth_requested;
+ this->resend_last_reply = resend_last_reply;
+ this->create_delete_job = create_delete_job;
-
/* initialize private fields */
this->logger = global_logger_manager->create_logger(global_logger_manager, IKE_SA, NULL);