4 * @brief Implementation of ike_sa_t.
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
28 #include <definitions.h>
29 #include <utils/linked_list.h>
30 #include <utils/logger_manager.h>
31 #include <utils/randomizer.h>
32 #include <crypto/diffie_hellman.h>
33 #include <crypto/prf_plus.h>
34 #include <crypto/crypters/crypter.h>
35 #include <encoding/payloads/sa_payload.h>
36 #include <encoding/payloads/nonce_payload.h>
37 #include <encoding/payloads/ke_payload.h>
38 #include <encoding/payloads/delete_payload.h>
39 #include <encoding/payloads/transform_substructure.h>
40 #include <encoding/payloads/transform_attribute.h>
41 #include <sa/states/initiator_init.h>
42 #include <sa/states/responder_init.h>
43 #include <queues/jobs/retransmit_request_job.h>
44 #include <queues/jobs/delete_established_ike_sa_job.h>
49 typedef struct private_ike_sa_t private_ike_sa_t
;
52 * Private data of an ike_sa_t object.
54 struct private_ike_sa_t
{
57 * Protected part of a ike_sa_t object.
59 protected_ike_sa_t
protected;
62 * Identifier for the current IKE_SA.
64 ike_sa_id_t
*ike_sa_id
;
67 * Linked List containing the child sa's of the current IKE_SA.
69 linked_list_t
*child_sas
;
72 * Current state of the IKE_SA represented as state_t object.
74 * A state object representates one of the following states and is processing
75 * messages in the specific state:
78 * - IKE_SA_INIT_REQUESTED
79 * - IKE_SA_INIT_RESPONDED
80 * - IKE_AUTH_REQUESTED
83 state_t
*current_state
;
86 * INIT configuration, needed for the IKE_SA_INIT exchange.
92 * Available in states:
93 * - IKE_SA_INIT_REQUESTED
94 * - IKE_SA_INIT_RESPONDED
95 * - IKE_AUTH_REQUESTED
98 connection_t
*connection
;
101 * SA configuration, needed for all other exchanges after IKE_SA_INIT exchange.
103 * Gets set in states:
104 * - IKE_SA_INIT_REQUESTED
105 * - IKE_SA_INIT_RESPONDED
107 * Available in states:
108 * - IKE_AUTH_REQUESTED
109 * -IKE_SA_ESTABLISHED
114 * This SA's source for random data.
116 * Is available in every state.
118 randomizer_t
*randomizer
;
121 * The last responded message.
123 message_t
*last_responded_message
;
126 * The ast requested message.
128 message_t
*last_requested_message
;
131 * Crypter object for initiator.
133 crypter_t
*crypter_initiator
;
136 * Crypter object for responder.
138 crypter_t
*crypter_responder
;
141 * Signer object for initiator.
143 signer_t
*signer_initiator
;
146 * Signer object for responder.
148 signer_t
*signer_responder
;
151 * Multi purpose prf, set key, use it, forget it
156 * Prf function for derivating keymat child SAs
161 * PRF, with key set to pi_key, used for authentication
166 * PRF, with key set to pr_key, used for authentication
171 * Next message id to receive.
173 u_int32_t message_id_in
;
176 * Next message id to send.
178 u_int32_t message_id_out
;
181 * Last reply id which was successfully received.
183 int32_t last_replied_message_id
;
186 * A logger for this IKE_SA.
191 * Resends the last sent reply.
193 * @param this calling object
195 status_t (*resend_last_reply
) (private_ike_sa_t
*this);
199 * Implementation of ike_sa_t.process_message.
201 static status_t
process_message (private_ike_sa_t
*this, message_t
*message
)
203 u_int32_t message_id
;
204 exchange_type_t exchange_type
;
207 /* We must process each request or response from remote host */
209 /* Find out type of message (request or response) */
210 is_request
= message
->get_request(message
);
211 exchange_type
= message
->get_exchange_type(message
);
213 this->logger
->log(this->logger
, CONTROL
|LEVEL1
, "Process %s of exchange type %s",
214 (is_request
) ? "request" : "response",mapping_find(exchange_type_m
,exchange_type
));
216 message_id
= message
->get_message_id(message
);
219 * It has to be checked, if the message has to be resent cause of lost packets!
221 if (is_request
&& (message_id
== (this->message_id_in
- 1)))
223 /* Message can be resent ! */
224 this->logger
->log(this->logger
, CONTROL
|LEVEL1
, "Resent request detected. Send stored reply.");
225 return (this->resend_last_reply(this));
228 /* Now, the message id is checked for request AND reply */
231 /* In a request, the message has to be this->message_id_in (other case is already handled) */
232 if (message_id
!= this->message_id_in
)
234 this->logger
->log(this->logger
, ERROR
| LEVEL1
,
235 "Message request with message id %d received, but %d expected",
236 message_id
,this->message_id_in
);
242 /* In a reply, the message has to be this->message_id_out -1 cause it is the reply to the last sent message*/
243 if (message_id
!= (this->message_id_out
- 1))
245 this->logger
->log(this->logger
, ERROR
| LEVEL1
,
246 "Message reply with message id %d received, but %d expected",
247 message_id
,this->message_id_in
);
252 /* now the message is processed by the current state object.
253 * The specific state object is responsible to check if a message can be received in
254 * the state it represents.
255 * The current state is also responsible to change the state object to the next state
256 * by calling protected_ike_sa_t.set_new_state*/
257 return this->current_state
->process_message(this->current_state
,message
);
261 * Implementation of protected_ike_sa_t.build_message.
263 static void build_message(private_ike_sa_t
*this, exchange_type_t type
, bool request
, message_t
**message
)
265 message_t
*new_message
;
268 me
= this->connection
->get_my_host(this->connection
);
269 other
= this->connection
->get_other_host(this->connection
);
271 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Build empty message");
272 new_message
= message_create();
273 new_message
->set_source(new_message
, me
->clone(me
));
274 new_message
->set_destination(new_message
, other
->clone(other
));
275 new_message
->set_exchange_type(new_message
, type
);
276 new_message
->set_request(new_message
, request
);
277 new_message
->set_message_id(new_message
, (request
) ? this->message_id_out
: this->message_id_in
);
278 new_message
->set_ike_sa_id(new_message
, this->ike_sa_id
);
280 *message
= new_message
;
284 * Implementation of protected_ike_sa_t.initiate_connection.
286 static status_t
initiate_connection(private_ike_sa_t
*this, connection_t
*connection
)
288 initiator_init_t
*current_state
;
290 /* Work is done in state object of type INITIATOR_INIT. All other states are not
291 * initial states and so don't have a initiate_connection function */
293 if (this->current_state
->get_state(this->current_state
) != INITIATOR_INIT
)
298 current_state
= (initiator_init_t
*) this->current_state
;
300 return current_state
->initiate_connection(current_state
, connection
);
304 * Implementation of ike_sa_t.send_delete_ike_sa_request.
306 static void send_delete_ike_sa_request (private_ike_sa_t
*this)
308 message_t
*informational_request
;
309 delete_payload_t
*delete_payload
;
315 if (this->current_state
->get_state(this->current_state
) != IKE_SA_ESTABLISHED
)
320 /* build empty INFORMATIONAL message */
321 this->protected.build_message(&(this->protected), INFORMATIONAL
, TRUE
, &informational_request
);
323 delete_payload
= delete_payload_create();
324 delete_payload
->set_protocol_id(delete_payload
, PROTO_IKE
);
326 informational_request
->add_payload(informational_request
,(payload_t
*)delete_payload
);
328 if (this->ike_sa_id
->is_initiator(this->ike_sa_id
))
330 crypter
= this->crypter_initiator
;
331 signer
= this->signer_initiator
;
335 crypter
= this->crypter_responder
;
336 signer
= this->signer_responder
;
339 status
= informational_request
->generate(informational_request
,
342 informational_request
->destroy(informational_request
);
343 if (status
!= SUCCESS
)
345 this->logger
->log(this->logger
, ERROR
, "Could not generate packet from message");
349 charon
->send_queue
->add(charon
->send_queue
,packet
);
353 * Implementation of ike_sa_t.get_id.
355 static ike_sa_id_t
* get_id(private_ike_sa_t
*this)
357 return this->ike_sa_id
;
361 * Implementation of ike_sa_t.get_my_host.
363 static host_t
* get_my_host(private_ike_sa_t
*this)
365 return this->connection
->get_my_host(this->connection
);;
369 * Implementation of ike_sa_t.get_other_host.
371 static host_t
* get_other_host(private_ike_sa_t
*this)
373 return this->connection
->get_other_host(this->connection
);;
377 * Implementation of ike_sa_t.get_my_id.
379 static identification_t
* get_my_id(private_ike_sa_t
*this)
381 return this->connection
->get_my_id(this->connection
);;
385 * Implementation of ike_sa_t.get_other_id.
387 static identification_t
* get_other_id(private_ike_sa_t
*this)
389 return this->connection
->get_other_id(this->connection
);;
393 * Implementation of private_ike_sa_t.resend_last_reply.
395 static status_t
resend_last_reply(private_ike_sa_t
*this)
399 this->logger
->log(this->logger
, CONTROL
| LEVEL1
, "Going to retransmit last reply");
400 packet
= this->last_responded_message
->get_packet(this->last_responded_message
);
401 charon
->send_queue
->add(charon
->send_queue
, packet
);
407 * Implementation of ike_sa_t.retransmit_request.
409 status_t
retransmit_request (private_ike_sa_t
*this, u_int32_t message_id
)
413 if (this->last_requested_message
== NULL
)
418 if (message_id
== this->last_replied_message_id
)
423 if ((this->last_requested_message
->get_message_id(this->last_requested_message
)) != message_id
)
428 this->logger
->log(this->logger
, CONTROL
| LEVEL1
, "Going to retransmit message with id %d",message_id
);
429 packet
= this->last_requested_message
->get_packet(this->last_requested_message
);
430 charon
->send_queue
->add(charon
->send_queue
, packet
);
436 * Implementation of protected_ike_sa_t.set_new_state.
438 static void set_new_state (private_ike_sa_t
*this, state_t
*state
)
440 this->logger
->log(this->logger
, CONTROL
, "statechange: %s => %s",
441 mapping_find(ike_sa_state_m
,this->current_state
->get_state(this->current_state
)),
442 mapping_find(ike_sa_state_m
,state
->get_state(state
)));
443 this->current_state
= state
;
447 * Implementation of protected_ike_sa_t.get_connection.
449 static connection_t
*get_connection (private_ike_sa_t
*this)
451 return this->connection
;
455 * Implementation of protected_ike_sa_t.set_connection.
457 static void set_connection (private_ike_sa_t
*this,connection_t
* connection
)
459 this->connection
= connection
;
463 * Implementation of protected_ike_sa_t.get_policy.
465 static policy_t
*get_policy (private_ike_sa_t
*this)
471 * Implementation of protected_ike_sa_t.set_policy.
473 static void set_policy (private_ike_sa_t
*this,policy_t
* policy
)
475 this->policy
= policy
;
479 * Implementation of protected_ike_sa_t.get_prf.
481 static prf_t
*get_prf (private_ike_sa_t
*this)
487 * Implementation of protected_ike_sa_t.get_prf.
489 static prf_t
*get_child_prf (private_ike_sa_t
*this)
491 return this->child_prf
;
495 * Implementation of protected_ike_sa_t.get_prf_auth_i.
497 static prf_t
*get_prf_auth_i (private_ike_sa_t
*this)
499 return this->prf_auth_i
;
503 * Implementation of protected_ike_sa_t.get_prf_auth_r.
505 static prf_t
*get_prf_auth_r (private_ike_sa_t
*this)
507 return this->prf_auth_r
;
512 * Implementation of protected_ike_sa_t.build_transforms.
514 static status_t
build_transforms(private_ike_sa_t
*this, proposal_t
*proposal
, diffie_hellman_t
*dh
, chunk_t nonce_i
, chunk_t nonce_r
)
516 chunk_t nonces
, nonces_spis
, skeyseed
, key
, secret
;
517 u_int64_t spi_i
, spi_r
;
518 prf_plus_t
*prf_plus
;
523 * Build the PRF+ instance for deriving keys
525 if (this->prf
!= NULL
)
527 this->prf
->destroy(this->prf
);
529 proposal
->get_algorithm(proposal
, PROTO_IKE
, PSEUDO_RANDOM_FUNCTION
, &algo
);
532 this->logger
->log(this->logger
, ERROR
|LEVEL2
, "No PRF algoithm selected!?");
535 this->prf
= prf_create(algo
->algorithm
);
536 if (this->prf
== NULL
)
538 this->logger
->log(this->logger
, ERROR
|LEVEL1
,
539 "PSEUDO_RANDOM_FUNCTION %s not supported!",
540 mapping_find(pseudo_random_function_m
, algo
->algorithm
));
544 /* concatenate nonces = nonce_i | nonce_r */
545 nonces
= chunk_alloc(nonce_i
.len
+ nonce_r
.len
);
546 memcpy(nonces
.ptr
, nonce_i
.ptr
, nonce_i
.len
);
547 memcpy(nonces
.ptr
+ nonce_i
.len
, nonce_r
.ptr
, nonce_r
.len
);
549 /* concatenate prf_seed = nonce_i | nonce_r | spi_i | spi_r */
550 nonces_spis
= chunk_alloc(nonces
.len
+ 16);
551 memcpy(nonces_spis
.ptr
, nonces
.ptr
, nonces
.len
);
552 spi_i
= this->ike_sa_id
->get_initiator_spi(this->ike_sa_id
);
553 spi_r
= this->ike_sa_id
->get_responder_spi(this->ike_sa_id
);
554 memcpy(nonces_spis
.ptr
+ nonces
.len
, &spi_i
, 8);
555 memcpy(nonces_spis
.ptr
+ nonces
.len
+ 8, &spi_r
, 8);
557 /* SKEYSEED = prf(Ni | Nr, g^ir) */
558 dh
->get_shared_secret(dh
, &secret
);
559 this->logger
->log_chunk(this->logger
, PRIVATE
, "Shared Diffie Hellman secret", secret
);
560 this->prf
->set_key(this->prf
, nonces
);
561 this->prf
->allocate_bytes(this->prf
, secret
, &skeyseed
);
562 this->logger
->log_chunk(this->logger
, PRIVATE
| LEVEL1
, "SKEYSEED", skeyseed
);
565 /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
566 * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
568 * we use the prf directly for prf+
570 this->prf
->set_key(this->prf
, skeyseed
);
571 prf_plus
= prf_plus_create(this->prf
, nonces_spis
);
573 /* clean up unused stuff */
575 chunk_free(&nonces_spis
);
576 chunk_free(&skeyseed
);
580 * We now can derive all of our key. We build the transforms
585 /* SK_d used for prf+ to derive keys for child SAs */
586 this->child_prf
= prf_create(algo
->algorithm
);
587 key_size
= this->child_prf
->get_key_size(this->child_prf
);
588 prf_plus
->allocate_bytes(prf_plus
, key_size
, &key
);
589 this->logger
->log_chunk(this->logger
, PRIVATE
, "Sk_d secret", key
);
590 this->child_prf
->set_key(this->child_prf
, key
);
594 /* SK_ai/SK_ar used for integrity protection */
595 proposal
->get_algorithm(proposal
, PROTO_IKE
, INTEGRITY_ALGORITHM
, &algo
);
598 this->logger
->log(this->logger
, ERROR
|LEVEL2
, "No integrity algoithm selected?!");
601 if (this->signer_initiator
!= NULL
)
603 this->signer_initiator
->destroy(this->signer_initiator
);
605 if (this->signer_responder
!= NULL
)
607 this->signer_responder
->destroy(this->signer_responder
);
610 this->signer_initiator
= signer_create(algo
->algorithm
);
611 this->signer_responder
= signer_create(algo
->algorithm
);
612 if (this->signer_initiator
== NULL
|| this->signer_responder
== NULL
)
614 this->logger
->log(this->logger
, ERROR
|LEVEL1
,
615 "INTEGRITY_ALGORITHM %s not supported!",
616 mapping_find(integrity_algorithm_m
,algo
->algorithm
));
619 key_size
= this->signer_initiator
->get_key_size(this->signer_initiator
);
621 prf_plus
->allocate_bytes(prf_plus
, key_size
, &key
);
622 this->logger
->log_chunk(this->logger
, PRIVATE
, "Sk_ai secret", key
);
623 this->signer_initiator
->set_key(this->signer_initiator
, key
);
626 prf_plus
->allocate_bytes(prf_plus
, key_size
, &key
);
627 this->logger
->log_chunk(this->logger
, PRIVATE
, "Sk_ar secret", key
);
628 this->signer_responder
->set_key(this->signer_responder
, key
);
632 /* SK_ei/SK_er used for encryption */
633 proposal
->get_algorithm(proposal
, PROTO_IKE
, ENCRYPTION_ALGORITHM
, &algo
);
636 this->logger
->log(this->logger
, ERROR
|LEVEL2
, "No encryption algoithm selected!?");
639 if (this->crypter_initiator
!= NULL
)
641 this->crypter_initiator
->destroy(this->crypter_initiator
);
643 if (this->crypter_responder
!= NULL
)
645 this->crypter_responder
->destroy(this->crypter_responder
);
648 this->crypter_initiator
= crypter_create(algo
->algorithm
, algo
->key_size
);
649 this->crypter_responder
= crypter_create(algo
->algorithm
, algo
->key_size
);
650 if (this->crypter_initiator
== NULL
|| this->crypter_responder
== NULL
)
652 this->logger
->log(this->logger
, ERROR
|LEVEL1
,
653 "ENCRYPTION_ALGORITHM %s (key size %d) not supported!",
654 mapping_find(encryption_algorithm_m
, algo
->algorithm
),
658 key_size
= this->crypter_initiator
->get_key_size(this->crypter_initiator
);
660 prf_plus
->allocate_bytes(prf_plus
, key_size
, &key
);
661 this->logger
->log_chunk(this->logger
, PRIVATE
, "Sk_ei secret", key
);
662 this->crypter_initiator
->set_key(this->crypter_initiator
, key
);
665 prf_plus
->allocate_bytes(prf_plus
, key_size
, &key
);
666 this->logger
->log_chunk(this->logger
, PRIVATE
, "Sk_er secret", key
);
667 this->crypter_responder
->set_key(this->crypter_responder
, key
);
670 /* SK_pi/SK_pr used for authentication */
671 proposal
->get_algorithm(proposal
, PROTO_IKE
, PSEUDO_RANDOM_FUNCTION
, &algo
);
672 if (this->prf_auth_i
!= NULL
)
674 this->prf_auth_i
->destroy(this->prf_auth_i
);
676 if (this->prf_auth_r
!= NULL
)
678 this->prf_auth_r
->destroy(this->prf_auth_r
);
681 this->prf_auth_i
= prf_create(algo
->algorithm
);
682 this->prf_auth_r
= prf_create(algo
->algorithm
);
684 key_size
= this->prf_auth_i
->get_key_size(this->prf_auth_i
);
685 prf_plus
->allocate_bytes(prf_plus
, key_size
, &key
);
686 this->logger
->log_chunk(this->logger
, PRIVATE
, "Sk_pi secret", key
);
687 this->prf_auth_i
->set_key(this->prf_auth_i
, key
);
690 prf_plus
->allocate_bytes(prf_plus
, key_size
, &key
);
691 this->logger
->log_chunk(this->logger
, PRIVATE
, "Sk_pr secret", key
);
692 this->prf_auth_r
->set_key(this->prf_auth_r
, key
);
695 /* all done, prf_plus not needed anymore */
696 prf_plus
->destroy(prf_plus
);
702 * Implementation of protected_ike_sa_t.get_randomizer.
704 static randomizer_t
*get_randomizer (private_ike_sa_t
*this)
706 return this->randomizer
;
710 * Implementation of protected_ike_sa_t.get_crypter_initiator.
712 static crypter_t
*get_crypter_initiator (private_ike_sa_t
*this)
714 return this->crypter_initiator
;
718 * Implementation of protected_ike_sa_t.get_signer_initiator.
720 static signer_t
*get_signer_initiator (private_ike_sa_t
*this)
722 return this->signer_initiator
;
726 * Implementation of protected_ike_sa_t.get_crypter_responder.
728 static crypter_t
*get_crypter_responder(private_ike_sa_t
*this)
730 return this->crypter_responder
;
734 * Implementation of protected_ike_sa_t.get_signer_responder.
736 static signer_t
*get_signer_responder (private_ike_sa_t
*this)
738 return this->signer_responder
;
742 * Implementation of protected_ike_sa_t.send_request.
744 static status_t
send_request (private_ike_sa_t
*this,message_t
* message
)
746 retransmit_request_job_t
*retransmit_job
;
753 if (message
->get_message_id(message
) != this->message_id_out
)
755 this->logger
->log(this->logger
, ERROR
, "Message could not be sent cause id (%d) was not as expected (%d)",
756 message
->get_message_id(message
),this->message_id_out
);
760 /* generate packet */
761 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Generate packet from message");
763 if (this->ike_sa_id
->is_initiator(this->ike_sa_id
))
765 crypter
= this->crypter_initiator
;
766 signer
= this->signer_initiator
;
770 crypter
= this->crypter_responder
;
771 signer
=this->signer_responder
;
774 status
= message
->generate(message
, crypter
,signer
, &packet
);
775 if (status
!= SUCCESS
)
777 this->logger
->log(this->logger
, ERROR
, "Could not generate packet from message");
781 this->logger
->log(this->logger
, CONTROL
|LEVEL3
,
782 "Add request packet with message id %d to global send queue",
783 this->message_id_out
);
784 charon
->send_queue
->add(charon
->send_queue
, packet
);
786 if (this->last_requested_message
!= NULL
)
788 /* destroy message */
789 this->last_requested_message
->destroy(this->last_requested_message
);
792 this->logger
->log(this->logger
, CONTROL
|LEVEL3
, "Replace last requested message with new one");
793 this->last_requested_message
= message
;
795 retransmit_job
= retransmit_request_job_create(this->message_id_out
,this->ike_sa_id
);
797 status
= charon
->configuration
->get_retransmit_timeout (charon
->configuration
,
798 retransmit_job
->get_retransmit_count(retransmit_job
),&timeout
);
800 if (status
!= SUCCESS
)
802 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "No retransmit job for message created!");
803 retransmit_job
->destroy(retransmit_job
);
807 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Request will be retransmitted in %d ms.",timeout
);
808 charon
->event_queue
->add_relative(charon
->event_queue
,(job_t
*) retransmit_job
,timeout
);
811 /* message counter can now be increased */
812 this->logger
->log(this->logger
, CONTROL
|LEVEL3
,
813 "Increase message counter for outgoing messages from %d",
814 this->message_id_out
);
815 this->message_id_out
++;
820 * Implementation of protected_ike_sa_t.send_response.
822 static status_t
send_response (private_ike_sa_t
*this,message_t
* message
)
829 if (message
->get_message_id(message
) != this->message_id_in
)
831 this->logger
->log(this->logger
, ERROR
, "Message could not be sent cause id was not as expected");
836 if (this->ike_sa_id
->is_initiator(this->ike_sa_id
))
838 crypter
= this->crypter_initiator
;
839 signer
= this->signer_initiator
;
843 crypter
= this->crypter_responder
;
844 signer
=this->signer_responder
;
847 status
= message
->generate(message
, crypter
,signer
, &packet
);
848 if (status
!= SUCCESS
)
850 this->logger
->log(this->logger
, ERROR
, "Could not generate packet from message");
854 this->logger
->log(this->logger
, CONTROL
|LEVEL3
,
855 "Add response packet with message id %d to global send queue",
856 this->message_id_in
);
857 charon
->send_queue
->add(charon
->send_queue
, packet
);
859 if (this->last_responded_message
!= NULL
)
861 /* destroy message */
862 this->last_responded_message
->destroy(this->last_responded_message
);
865 this->logger
->log(this->logger
, CONTROL
|LEVEL3
, "Replace last responded message with new one");
866 this->last_responded_message
= message
;
868 /* message counter can now be increased */
869 this->logger
->log(this->logger
, CONTROL
|LEVEL3
, "Increase message counter for incoming messages");
870 this->message_id_in
++;
876 * Implementation of of private_responder_init_t.send_notify_reply.
878 static void send_notify(private_ike_sa_t
*this, exchange_type_t exchange_type
, notify_message_type_t type
, chunk_t data
)
880 notify_payload_t
*payload
;
885 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Going to build message with notify payload");
886 /* set up the reply */
887 this->protected.build_message(&(this->protected), exchange_type
, FALSE
, &response
);
888 payload
= notify_payload_create_from_protocol_and_type(PROTO_IKE
, type
);
889 if ((data
.ptr
!= NULL
) && (data
.len
> 0))
891 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Add Data to notify payload");
892 payload
->set_notification_data(payload
,data
);
895 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Add Notify payload to message");
896 response
->add_payload(response
,(payload_t
*) payload
);
898 /* generate packet */
899 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Generate packet from message");
900 status
= response
->generate(response
, this->crypter_responder
, this->signer_responder
, &packet
);
901 if (status
!= SUCCESS
)
903 this->logger
->log(this->logger
, ERROR
|LEVEL1
, "Could not generate notify message");
904 response
->destroy(response
);
908 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Add packet to global send queue");
909 charon
->send_queue
->add(charon
->send_queue
, packet
);
910 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Destroy message");
911 response
->destroy(response
);
915 * Implementation of protected_ike_sa_t.set_last_replied_message_id.
917 static void set_last_replied_message_id (private_ike_sa_t
*this,u_int32_t message_id
)
919 this->last_replied_message_id
= message_id
;
923 * Implementation of protected_ike_sa_t.get_last_responded_message.
925 static message_t
* get_last_responded_message (private_ike_sa_t
*this)
927 return this->last_responded_message
;
931 * Implementation of protected_ike_sa_t.get_last_requested_message.
933 static message_t
* get_last_requested_message (private_ike_sa_t
*this)
935 return this->last_requested_message
;
939 * Implementation of protected_ike_sa_t.get_state.
941 static ike_sa_state_t
get_state (private_ike_sa_t
*this)
943 return this->current_state
->get_state(this->current_state
);
947 * Implementation of protected_ike_sa_t.get_state.
949 static void add_child_sa (private_ike_sa_t
*this, child_sa_t
*child_sa
)
951 this->child_sas
->insert_last(this->child_sas
, child_sa
);
955 * Implementation of protected_ike_sa_t.reset_message_buffers.
957 static void reset_message_buffers (private_ike_sa_t
*this)
959 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Reset message counters and destroy stored messages");
960 /* destroy stored requested message */
961 if (this->last_requested_message
!= NULL
)
963 this->last_requested_message
->destroy(this->last_requested_message
);
964 this->last_requested_message
= NULL
;
967 /* destroy stored responded messages */
968 if (this->last_responded_message
!= NULL
)
970 this->last_responded_message
->destroy(this->last_responded_message
);
971 this->last_responded_message
= NULL
;
974 this->message_id_out
= 0;
975 this->message_id_in
= 0;
976 this->last_replied_message_id
= -1;
980 * Implementation of protected_ike_sa_t.log_status.
982 static void log_status(private_ike_sa_t
*this, logger_t
*logger
, char *name
)
984 iterator_t
*iterator
;
985 child_sa_t
*child_sa
;
987 /* only log if name == NULL or name == connection_name */
990 if (strcmp(this->connection
->get_name(this->connection
), name
) != 0)
997 name
= this->connection
->get_name(this->connection
);
1000 host_t
*my_host
= this->connection
->get_my_host(this->connection
);
1001 host_t
*other_host
= this->connection
->get_other_host(this->connection
);
1003 identification_t
*my_id
= this->connection
->get_my_id(this->connection
);
1004 identification_t
*other_id
= this->connection
->get_other_id(this->connection
);
1008 logger
= this->logger
;
1010 logger
->log(logger
, CONTROL
|LEVEL1
, "\"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
1012 mapping_find(ike_sa_state_m
, this->current_state
->get_state(this->current_state
)),
1013 this->ike_sa_id
->get_initiator_spi(this->ike_sa_id
),
1014 this->ike_sa_id
->get_responder_spi(this->ike_sa_id
));
1015 logger
->log(logger
, CONTROL
, "\"%s\": %s[%s]...%s[%s]",
1017 my_host
->get_address(my_host
),
1018 my_id
->get_string(my_id
),
1019 other_host
->get_address(other_host
),
1020 other_id
->get_string(other_id
));
1022 iterator
= this->child_sas
->create_iterator(this->child_sas
, TRUE
);
1023 while (iterator
->has_next(iterator
))
1025 iterator
->current(iterator
, (void**)&child_sa
);
1026 child_sa
->log_status(child_sa
, logger
, name
);
1028 iterator
->destroy(iterator
);
1032 * Implementation of protected_ike_sa_t.destroy.
1034 static void destroy (private_ike_sa_t
*this)
1036 child_sa_t
*child_sa
;
1038 this->logger
->log(this->logger
, CONTROL
|LEVEL2
, "Going to destroy IKE SA %llu:%llu, role %s",
1039 this->ike_sa_id
->get_initiator_spi(this->ike_sa_id
),
1040 this->ike_sa_id
->get_responder_spi(this->ike_sa_id
),
1041 this->ike_sa_id
->is_initiator(this->ike_sa_id
) ? "initiator" : "responder");
1043 /* inform other peer of delete */
1044 send_delete_ike_sa_request(this);
1045 while (this->child_sas
->remove_last(this->child_sas
, (void**)&child_sa
) == SUCCESS
)
1047 child_sa
->destroy(child_sa
);
1049 this->child_sas
->destroy(this->child_sas
);
1051 if (this->crypter_initiator
)
1053 this->crypter_initiator
->destroy(this->crypter_initiator
);
1055 if (this->crypter_responder
)
1057 this->crypter_responder
->destroy(this->crypter_responder
);
1059 if (this->signer_initiator
)
1061 this->signer_initiator
->destroy(this->signer_initiator
);
1063 if (this->signer_responder
)
1065 this->signer_responder
->destroy(this->signer_responder
);
1069 this->prf
->destroy(this->prf
);
1071 if (this->child_prf
)
1073 this->child_prf
->destroy(this->child_prf
);
1075 if (this->prf_auth_i
)
1077 this->prf_auth_i
->destroy(this->prf_auth_i
);
1079 if (this->prf_auth_r
)
1081 this->prf_auth_r
->destroy(this->prf_auth_r
);
1083 if (this->connection
)
1086 me
= this->connection
->get_my_host(this->connection
);
1087 other
= this->connection
->get_other_host(this->connection
);
1089 this->logger
->log(this->logger
, AUDIT
, "IKE_SA deleted between %s - %s",
1090 me
->get_address(me
), other
->get_address(other
));
1091 this->connection
->destroy(this->connection
);
1095 this->policy
->destroy(this->policy
);
1097 if (this->last_requested_message
)
1099 this->last_requested_message
->destroy(this->last_requested_message
);
1101 if (this->last_responded_message
)
1103 this->last_responded_message
->destroy(this->last_responded_message
);
1105 this->ike_sa_id
->destroy(this->ike_sa_id
);
1106 this->randomizer
->destroy(this->randomizer
);
1107 this->current_state
->destroy(this->current_state
);
1113 * Described in header.
1115 ike_sa_t
* ike_sa_create(ike_sa_id_t
*ike_sa_id
)
1117 private_ike_sa_t
*this = malloc_thing(private_ike_sa_t
);
1119 /* Public functions */
1120 this->protected.public.process_message
= (status_t(*)(ike_sa_t
*, message_t
*)) process_message
;
1121 this->protected.public.initiate_connection
= (status_t(*)(ike_sa_t
*,connection_t
*)) initiate_connection
;
1122 this->protected.public.get_id
= (ike_sa_id_t
*(*)(ike_sa_t
*)) get_id
;
1123 this->protected.public.get_my_host
= (host_t
*(*)(ike_sa_t
*)) get_my_host
;
1124 this->protected.public.get_other_host
= (host_t
*(*)(ike_sa_t
*)) get_other_host
;
1125 this->protected.public.get_my_id
= (identification_t
*(*)(ike_sa_t
*)) get_my_id
;
1126 this->protected.public.get_other_id
= (identification_t
*(*)(ike_sa_t
*)) get_other_id
;
1127 this->protected.public.get_connection
= (connection_t
*(*)(ike_sa_t
*)) get_connection
;
1128 this->protected.public.retransmit_request
= (status_t (*) (ike_sa_t
*, u_int32_t
)) retransmit_request
;
1129 this->protected.public.get_state
= (ike_sa_state_t (*) (ike_sa_t
*this)) get_state
;
1130 this->protected.public.send_delete_ike_sa_request
= (void (*)(ike_sa_t
*)) send_delete_ike_sa_request
;
1131 this->protected.public.log_status
= (void (*) (ike_sa_t
*,logger_t
*,char*))log_status
;
1132 this->protected.public.destroy
= (void(*)(ike_sa_t
*))destroy
;
1134 /* protected functions */
1135 this->protected.build_message
= (void (*) (protected_ike_sa_t
*, exchange_type_t
, bool , message_t
**)) build_message
;
1136 this->protected.get_prf
= (prf_t
*(*) (protected_ike_sa_t
*)) get_prf
;
1137 this->protected.get_child_prf
= (prf_t
*(*) (protected_ike_sa_t
*)) get_child_prf
;
1138 this->protected.get_prf_auth_i
= (prf_t
*(*) (protected_ike_sa_t
*)) get_prf_auth_i
;
1139 this->protected.get_prf_auth_r
= (prf_t
*(*) (protected_ike_sa_t
*)) get_prf_auth_r
;
1140 this->protected.add_child_sa
= (void (*) (protected_ike_sa_t
*,child_sa_t
*)) add_child_sa
;
1141 this->protected.set_connection
= (void (*) (protected_ike_sa_t
*,connection_t
*)) set_connection
;
1142 this->protected.get_connection
= (connection_t
*(*) (protected_ike_sa_t
*)) get_connection
;
1143 this->protected.set_policy
= (void (*) (protected_ike_sa_t
*,policy_t
*)) set_policy
;
1144 this->protected.get_policy
= (policy_t
*(*) (protected_ike_sa_t
*)) get_policy
;
1145 this->protected.get_randomizer
= (randomizer_t
*(*) (protected_ike_sa_t
*)) get_randomizer
;
1146 this->protected.send_request
= (status_t (*) (protected_ike_sa_t
*,message_t
*)) send_request
;
1147 this->protected.send_response
= (status_t (*) (protected_ike_sa_t
*,message_t
*)) send_response
;
1148 this->protected.send_notify
= (void (*)(protected_ike_sa_t
*,exchange_type_t
,notify_message_type_t
,chunk_t
)) send_notify
;
1149 this->protected.build_transforms
= (status_t (*) (protected_ike_sa_t
*,proposal_t
*,diffie_hellman_t
*,chunk_t
,chunk_t
)) build_transforms
;
1150 this->protected.set_new_state
= (void (*) (protected_ike_sa_t
*,state_t
*)) set_new_state
;
1151 this->protected.get_crypter_initiator
= (crypter_t
*(*) (protected_ike_sa_t
*)) get_crypter_initiator
;
1152 this->protected.get_signer_initiator
= (signer_t
*(*) (protected_ike_sa_t
*)) get_signer_initiator
;
1153 this->protected.get_crypter_responder
= (crypter_t
*(*) (protected_ike_sa_t
*)) get_crypter_responder
;
1154 this->protected.get_signer_responder
= (signer_t
*(*) (protected_ike_sa_t
*)) get_signer_responder
;
1155 this->protected.reset_message_buffers
= (void (*) (protected_ike_sa_t
*)) reset_message_buffers
;
1156 this->protected.get_last_responded_message
= (message_t
* (*) (protected_ike_sa_t
*this)) get_last_responded_message
;
1157 this->protected.get_last_requested_message
= (message_t
* (*) (protected_ike_sa_t
*this)) get_last_requested_message
;
1159 this->protected.set_last_replied_message_id
= (void (*) (protected_ike_sa_t
*,u_int32_t
)) set_last_replied_message_id
;
1161 /* private functions */
1162 this->resend_last_reply
= resend_last_reply
;
1164 /* initialize private fields */
1165 this->logger
= logger_manager
->get_logger(logger_manager
, IKE_SA
);
1167 this->ike_sa_id
= ike_sa_id
->clone(ike_sa_id
);
1168 this->child_sas
= linked_list_create();
1169 this->randomizer
= randomizer_create();
1171 this->last_requested_message
= NULL
;
1172 this->last_responded_message
= NULL
;
1173 this->message_id_out
= 0;
1174 this->message_id_in
= 0;
1175 this->last_replied_message_id
= -1;
1176 this->crypter_initiator
= NULL
;
1177 this->crypter_responder
= NULL
;
1178 this->signer_initiator
= NULL
;
1179 this->signer_responder
= NULL
;
1181 this->prf_auth_i
= NULL
;
1182 this->prf_auth_r
= NULL
;
1183 this->child_prf
= NULL
;
1184 this->connection
= NULL
;
1185 this->policy
= NULL
;
1187 /* at creation time, IKE_SA is in a initiator state */
1188 if (ike_sa_id
->is_initiator(ike_sa_id
))
1190 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Create first state_t object of type INITIATOR_INIT");
1191 this->current_state
= (state_t
*) initiator_init_create(&(this->protected));
1195 this->logger
->log(this->logger
, CONTROL
| LEVEL2
, "Create first state_t object of type RESPONDER_INIT");
1196 this->current_state
= (state_t
*) responder_init_create(&(this->protected));
1198 return &(this->protected.public);