- changed interface of ike_sa

- states can access ike_sa fields now just with functions

10 files changed, 500 insertions, 220 deletions

diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 7e7a4f730..9eb15e7be 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -44,16 +44,175 @@
 
 
 
+typedef struct private_ike_sa_t private_ike_sa_t;
+
+/**
+ * Private data of an ike_sa_t object.
+ */
+struct private_ike_sa_t {
+
+	/**
+	 * Protected part of a ike_sa_t object.
+	 */
+	protected_ike_sa_t protected;
+
+
+	/**
+	 * Creates a job to delete the given IKE_SA.
+	 * 
+	 * @param this 				calling object
+	 */
+	status_t (*create_delete_job) (private_ike_sa_t *this);
+
+	/**
+	 * Resends the last sent reply.
+	 * 
+	 * @param this 				calling object
+	 */
+	status_t (*resend_last_reply) (private_ike_sa_t *this);
+
+	/* private values */
+	
+	/**
+	 * Identifier for the current IKE_SA
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * Linked List containing the child sa's of the current IKE_SA
+	 */
+	linked_list_t *child_sas;
+
+	/**
+	 * Current state of the IKE_SA
+	 */
+	state_t *current_state;
+	
+	/**
+	 * this SA's source for random data
+	 */
+	randomizer_t *randomizer;
+	
+	/**
+	 * contains the last responded message
+	 * 
+	 */
+	message_t *last_responded_message;
+
+	/**
+	 * contains the last requested message
+	 * 
+	 */
+	message_t *last_requested_message;
+	
+	/**
+	 * Informations of this host
+	 */
+	struct {
+		host_t *host;
+	} me;
+
+	/**
+	 * Informations of the other host
+	 */	
+	struct {
+		host_t *host;
+	} other;
+	
+	/**
+	 * Crypter object for initiator
+	 */
+	crypter_t *crypter_initiator;
+	
+	/**
+	 * Crypter object for responder
+	 */
+	crypter_t *crypter_responder;
+	
+	/**
+	 * Signer object for initiator
+	 */
+	signer_t *signer_initiator;
+	
+	/**
+	 * Signer object for responder
+	 */
+	signer_t *signer_responder;
+	
+	/**
+	 * prf function
+	 */
+	prf_t *prf;
+	
+	
+	
+	/**
+	 * Shared secrets
+	 */
+	struct {
+		/**
+		 * Key used for deriving other keys
+		 */
+		chunk_t d_key;
+		
+		/**
+		 * Key for authenticate (initiator)
+		 */
+		chunk_t ai_key;
+		
+		/**
+		 * Key for authenticate (responder)
+		 */
+		chunk_t ar_key;
+
+		/**
+		 * Key for encryption (initiator)
+		 */
+		chunk_t ei_key;	
+
+		/**
+		 * Key for encryption (responder)
+		 */
+		chunk_t er_key;	
+
+		/**
+		 * Key for generating auth payload (initiator)
+		 */
+		chunk_t pi_key;	
+
+		/**
+		 * Key for generating auth payload (responder)
+		 */
+		chunk_t pr_key;	
+
+	} secrets;
+
+	/**
+	 * next message id to receive
+	 */
+	u_int32_t message_id_in;
+	
+	/**
+	 * next message id to send
+	 */
+	u_int32_t message_id_out;
+	
+	/**
+	 * a logger for this IKE_SA
+	 */
+	logger_t *logger;
+};
+
+
 /**
  * @brief implements function process_message of protected_ike_sa_t
  */
-static status_t process_message (protected_ike_sa_t *this, message_t *message)
+static status_t process_message (private_ike_sa_t *this, message_t *message)
 {	
 	u_int32_t message_id;
 	exchange_type_t exchange_type;
 	bool is_request;
 	status_t status;
-	state_t *new_state;
 	
 	/* we must process each request or response from remote host */
 
@@ -96,19 +255,16 @@ static status_t process_message (protected_ike_sa_t *this, message_t *message)
 	}
 	
 	/* now the message is processed by the current state object */
-	status = this->current_state->process_message(this->current_state,message,&new_state);
+	/* the current state does change the current change to the next one*/
+	status = this->current_state->process_message(this->current_state,message);
 
-	if (status == SUCCESS)
-	{
-		this->current_state = new_state;
-	}
 	return status;
 }
 
 /**
  * @brief Implements function build_message of protected_ike_sa_t.
  */
-static status_t build_message(protected_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
+static status_t build_message(private_ike_sa_t *this, exchange_type_t type, bool request, message_t **message)
 {
 	status_t status;
 	message_t *new_message; 
@@ -162,12 +318,11 @@ static status_t build_message(protected_ike_sa_t *this, exchange_type_t type, bo
 /**
  * @brief implements function process_configuration of protected_ike_sa_t
  */
-static status_t initialize_connection(protected_ike_sa_t *this, char *name)
+static status_t initialize_connection(private_ike_sa_t *this, char *name)
 {
 	/* work is done in state object of type INITIATOR_INIT */
 	initiator_init_t *current_state;
 	status_t status;
-	state_t *new_state;
 	
 	if (this->current_state->get_state(this->current_state) != INITIATOR_INIT)
 	{
@@ -176,13 +331,9 @@ static status_t initialize_connection(protected_ike_sa_t *this, char *name)
 	
 	current_state = (initiator_init_t *) this->current_state;
 	
-	status = current_state->initiate_connection(current_state,name,&new_state);
+	status = current_state->initiate_connection(current_state,name);
 	
-	if (status == SUCCESS)
-	{
-		this->current_state = new_state;
-	}
-	else
+	if (status != SUCCESS)
 	{
 		this->create_delete_job(this);
 	}
@@ -192,12 +343,12 @@ static status_t initialize_connection(protected_ike_sa_t *this, char *name)
 /**
  * @brief implements function protected_ike_sa_t.get_id
  */
-static ike_sa_id_t* get_id(protected_ike_sa_t *this)
+static ike_sa_id_t* get_id(private_ike_sa_t *this)
 {
 	return this->ike_sa_id;
 }
 
-static status_t compute_secrets (protected_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce)
+static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce)
 {
 	chunk_t concatenated_nonces;
 	chunk_t skeyseed;
@@ -294,7 +445,7 @@ static status_t compute_secrets (protected_ike_sa_t *this,chunk_t dh_shared_secr
 /**
  * @brief implements function resend_last_reply of protected_ike_sa_t
  */
-status_t resend_last_reply (protected_ike_sa_t *this)
+status_t resend_last_reply (private_ike_sa_t *this)
 {
 	packet_t *packet;
 	status_t status;
@@ -316,7 +467,7 @@ status_t resend_last_reply (protected_ike_sa_t *this)
 	return SUCCESS;
 }
 
-status_t create_delete_job (protected_ike_sa_t *this)
+status_t create_delete_job (private_ike_sa_t *this)
 {
 	job_t *delete_job;
 	status_t status;
@@ -341,9 +492,140 @@ status_t create_delete_job (protected_ike_sa_t *this)
 }
 
 /**
+ * Implementation of protected_ike_sa_t.set_new_state.
+ */
+static void set_new_state (private_ike_sa_t *this, state_t *state)
+{
+	this->current_state = state;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_logger.
+ */
+static logger_t *get_logger (private_ike_sa_t *this)
+{
+	return this->logger;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_my_host.
+ */
+static host_t *get_my_host (private_ike_sa_t *this)
+{
+	return this->me.host;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_other_host.
+ */
+static host_t *get_other_host (private_ike_sa_t *this)
+{
+	return this->other.host;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.set_my_host.
+ */
+static void set_my_host (private_ike_sa_t *this, host_t *my_host)
+{
+	if (this->me.host != NULL)
+	{
+		this->me.host->destroy(this->me.host);
+	}
+	this->me.host = my_host;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.set_other_host.
+ */
+static void set_other_host (private_ike_sa_t *this, host_t *other_host)
+{
+	if (this->other.host != NULL)
+	{
+		this->other.host->destroy(this->other.host);
+	}
+	this->other.host = other_host;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.set_prf.
+ */
+static void set_prf (private_ike_sa_t *this,prf_t *prf)
+{
+	if (this->prf != NULL)
+	{
+		this->prf->destroy(this->prf);
+	}
+	this->prf = prf;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.get_randomizer.
+ */
+static randomizer_t *get_randomizer (private_ike_sa_t *this)
+{
+	return this->randomizer;
+}
+
+/**
+ * Implementation of protected_ike_sa_t.set_last_requested_message.
+ */
+static status_t set_last_requested_message (private_ike_sa_t *this,message_t * message)
+{
+	if (	this->last_requested_message != NULL)
+	{
+		/* destroy message */
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy stored last requested message");
+		this->last_requested_message->destroy(this->last_requested_message);
+	}
+
+	if (message->get_message_id(message) != this->message_id_out)
+	{
+		this	->logger->log(this->logger, CONTROL|MOST, "last requested message could not be set cause id was not as expected");
+		return FAILED;
+	}
+	this	->logger->log(this->logger, CONTROL|MOST, "replace last requested message with new one");
+	this->last_requested_message	 = message;
+
+	/* message counter can now be increased */
+	this	->logger->log(this->logger, CONTROL|MOST, "Increate message counter for outgoing messages");
+	this->message_id_out++;
+	return SUCCESS;	
+}
+
+
+/**
+ * Implementation of protected_ike_sa_t.set_last_responded_message.
+ */
+static status_t set_last_responded_message (private_ike_sa_t *this,message_t * message)
+{
+	if (	this->last_responded_message != NULL)
+	{
+		/* destroy message */
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy stored last responded message");
+		this->last_responded_message->destroy(this->last_responded_message);
+	}
+	if (message->get_message_id(message) != this->message_id_in)
+	{
+		this	->logger->log(this->logger, CONTROL|MOST, "last responded message could not be set cause id was not as expected");
+		return FAILED;
+		
+	}
+	this	->logger->log(this->logger, CONTROL|MOST, "replace last responded message with new one");
+	this->last_responded_message	 = message;
+
+	/* message counter can now be increased */
+	this	->logger->log(this->logger, CONTROL|MOST, "Increate message counter for incoming messages");
+	this->message_id_in++;
+
+	return SUCCESS;
+}
+
+
+/**
  * @brief implements function destroy of protected_ike_sa_t
  */
-static status_t destroy (protected_ike_sa_t *this)
+static status_t destroy (private_ike_sa_t *this)
 {
 	
 	this->logger->log(this->logger, CONTROL | MORE, "Going to destroy IKE_SA");
@@ -470,23 +752,36 @@ static status_t destroy (protected_ike_sa_t *this)
  */
 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 {
-	protected_ike_sa_t *this = allocator_alloc_thing(protected_ike_sa_t);
+	private_ike_sa_t *this = allocator_alloc_thing(private_ike_sa_t);
 	if (this == NULL)
 	{
 		return NULL;
 	}
 
 	/* Public functions */
-	this->public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
-	this->public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
-	this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
-	this->public.destroy = (status_t(*)(ike_sa_t*))destroy;
-	
+	this->protected.public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
+	this->protected.public.initialize_connection = (status_t(*)(ike_sa_t*, char*)) initialize_connection;
+	this->protected.public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
+	this->protected.public.destroy = (status_t(*)(ike_sa_t*))destroy;
+	
+	/* protected functions */
+	this->protected.build_message = (status_t (*) (protected_ike_sa_t *, exchange_type_t , bool , message_t **)) build_message;
+	this->protected.compute_secrets = (status_t (*) (protected_ike_sa_t *,chunk_t ,chunk_t , chunk_t )) compute_secrets;
+	this->protected.get_logger = (logger_t *(*) (protected_ike_sa_t *)) get_logger;		
+	this->protected.get_my_host = (host_t *(*) (protected_ike_sa_t *)) get_my_host;
+	this->protected.get_other_host = (host_t *(*) (protected_ike_sa_t *)) get_other_host;
+	this->protected.set_my_host = (void(*) (protected_ike_sa_t *,host_t *)) set_my_host;
+	this->protected.set_other_host = (void(*) (protected_ike_sa_t *, host_t *)) set_other_host;
+	this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
+	this->protected.set_last_requested_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_requested_message;
+	this->protected.set_last_responded_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_responded_message;
+	this->protected.set_prf = (void (*) (protected_ike_sa_t *,prf_t *)) set_prf;
+	this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
+
 	/* private functions */
-	this->build_message = build_message;
 	this->resend_last_reply = resend_last_reply;
 	this->create_delete_job = create_delete_job;
-	this->compute_secrets = compute_secrets;
+
 
 	/* initialize private fields */
 	this->logger = global_logger_manager->create_logger(global_logger_manager, IKE_SA, NULL);
@@ -553,11 +848,11 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	/* at creation time, IKE_SA is in a initiator state */
 	if (ike_sa_id->is_initiator(ike_sa_id))
 	{
-		this->current_state = (state_t *) initiator_init_create(this);
+		this->current_state = (state_t *) initiator_init_create(&(this->protected));
 	}
 	else
 	{
-		this->current_state = (state_t *) responder_init_create(this);
+		this->current_state = (state_t *) responder_init_create(&(this->protected));
 	}
 	
 	if (this->current_state == NULL)
@@ -571,5 +866,5 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	}
 
 
-	return &(this->public);
+	return &(this->protected.public);
 }
diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h
index 8a1ed0000..aa6c0d50f 100644
--- a/Source/charon/sa/ike_sa.h
+++ b/Source/charon/sa/ike_sa.h
@@ -124,148 +124,106 @@ struct protected_ike_sa_t {
 	 * @return					TODO
 	 */
 	status_t (*compute_secrets) (protected_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce);
-
-	/**
-	 * Creates a job to delete the given IKE_SA
-	 */
-	status_t (*create_delete_job) (protected_ike_sa_t *this);
-
-	/**
-	 * Resends the last sent reply
-	 */
-	status_t (*resend_last_reply) (protected_ike_sa_t *this);
-	
-	
-	/* protected values */
-	
-	/**
-	 * Identifier for the current IKE_SA
-	 */
-	ike_sa_id_t *ike_sa_id;
-
-	/**
-	 * Linked List containing the child sa's of the current IKE_SA
-	 */
-	linked_list_t *child_sas;
-
-	/**
-	 * Current state of the IKE_SA
-	 */
-	state_t *current_state;
 	
 	/**
-	 * this SA's source for random data
+	 * Gets the internal stored logger_t object for given ike_sa_t object.
+	 * 
+	 * @param this 				calling object
+	 * @return					pointer to the internal stored logger_t object
 	 */
-	randomizer_t *randomizer;
+	logger_t *(*get_logger) (protected_ike_sa_t *this);
 	
+
 	/**
-	 * contains the last responded message
+	 * Gets the internal stored host_t object for my host.
 	 * 
+	 * @param this 				calling object
+	 * @return					pointer to the internal stored host_t object
 	 */
-	message_t *last_responded_message;
+	host_t *(*get_my_host) (protected_ike_sa_t *this);
 
 	/**
-	 * contains the last requested message
+	 * Gets the internal stored host_t object for other host.
 	 * 
+	 * @param this 				calling object
+	 * @return					pointer to the internal stored host_t object
 	 */
-	message_t *last_requested_message;
+	host_t *(*get_other_host) (protected_ike_sa_t *this);
 	
 	/**
-	 * Informations of this host
+	 * Sets the internal stored host_t object for my host.
+	 * 
+	 * Allready existing object gets destroyed. object gets not cloned!
+	 * 
+	 * @param this 				calling object
+	 * @param my_host			pointer to the new host_t object
 	 */
-	struct {
-		host_t *host;
-	} me;
+	void (*set_my_host) (protected_ike_sa_t *this,host_t * my_host);
 
 	/**
-	 * Informations of the other host
-	 */	
-	struct {
-		host_t *host;
-	} other;
-	
-	/**
-	 * Crypter object for initiator
-	 */
-	crypter_t *crypter_initiator;
-	
-	/**
-	 * Crypter object for responder
-	 */
-	crypter_t *crypter_responder;
-	
-	/**
-	 * Signer object for initiator
-	 */
-	signer_t *signer_initiator;
-	
-	/**
-	 * Signer object for responder
+	 * Sets the internal stored host_t object for other host.
+	 * 
+	 * Allready existing object gets destroyed. object gets not cloned!
+	 * 
+	 * @param this 				calling object
+	 * @param other_host			pointer to the new host_t object
 	 */
-	signer_t *signer_responder;
+	void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host);
 	
 	/**
-	 * prf function
+	 * Sets the internal stored prf_t object.
+	 * 
+	 * Allready existing object gets destroyed. object gets not cloned!
+	 * 
+	 * @param this 				calling object
+	 * @param prf				pointer to the new prf_t object
 	 */
-	prf_t *prf;
-	
-	
+	void (*set_prf) (protected_ike_sa_t *this,prf_t *prf);
 	
 	/**
-	 * Shared secrets
+	 * Sets the last requested message.
+	 * 
+	 * Allready set last requested message gets destroyed. object gets not cloned!
+	 * 
+	 * @param this 				calling object
+	 * @param message			pointer to the new last requested message
+	 * @return
+	 * 							- SUCCESS
+	 * 							- FAILED if message id is not next expected one
 	 */
-	struct {
-		/**
-		 * Key used for deriving other keys
-		 */
-		chunk_t d_key;
-		
-		/**
-		 * Key for authenticate (initiator)
-		 */
-		chunk_t ai_key;
-		
-		/**
-		 * Key for authenticate (responder)
-		 */
-		chunk_t ar_key;
-
-		/**
-		 * Key for encryption (initiator)
-		 */
-		chunk_t ei_key;	
-
-		/**
-		 * Key for encryption (responder)
-		 */
-		chunk_t er_key;	
-
-		/**
-		 * Key for generating auth payload (initiator)
-		 */
-		chunk_t pi_key;	
-
-		/**
-		 * Key for generating auth payload (responder)
-		 */
-		chunk_t pr_key;	
-
-	} secrets;
+	status_t (*set_last_requested_message) (protected_ike_sa_t *this,message_t * message);
 
 	/**
-	 * next message id to receive
+	 * Sets the last responded message.
+	 * 
+	 * Allready set last requested message gets destroyed. object gets not cloned!
+	 * 
+	 * @param this 				calling object
+	 * @param message			pointer to the new last responded message
+	 * return					
+	 * 							- SUCCESS
+	 * 							- FAILED if message id is not next expected one
 	 */
-	u_int32_t message_id_in;
+	status_t (*set_last_responded_message) (protected_ike_sa_t *this,message_t * message);
 	
 	/**
-	 * next message id to send
+	 * Gets the internal stored randomizer_t object.
+	 * 
+	 * @param this 				calling object
+	 * @return					pointer to the internal randomizer_t object
 	 */
-	u_int32_t message_id_out;
+	randomizer_t *(*get_randomizer) (protected_ike_sa_t *this);
 	
 	/**
-	 * a logger for this IKE_SA
+	 * Sets the new state_t object of the IKE_SA object.
+	 * 
+	 * The old state_t object gets not destroyed. It's the callers duty to 
+	 * make sure old state is destroyed (Normally the old state is the caller ).
+	 * 
+	 * @param this 				calling object
+	 * @param state				pointer to the new state_t object
 	 */
-	logger_t *logger;
+	void (*set_new_state) (protected_ike_sa_t *this,state_t *state);
 };
 
 
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index 4681b64b0..43af215c2 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -47,9 +47,8 @@ struct private_ike_auth_requested_t {
 /**
  * Implements state_t.get_state
  */
-static status_t process_message(private_ike_auth_requested_t *this, message_t *message, state_t **new_state)
+static status_t process_message(private_ike_auth_requested_t *this, message_t *message)
 {
-	*new_state = (state_t *) this;
 	return SUCCESS;
 }
 
@@ -83,7 +82,7 @@ ike_auth_requested_t *ike_auth_requested_create(protected_ike_sa_t *ike_sa)
 	}
 
 	/* interface functions */
-	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *,state_t **)) process_message;
+	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
 	this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
 	this->public.state_interface.destroy  = (status_t (*) (state_t *)) destroy;
 	
diff --git a/Source/charon/sa/states/ike_sa_established.c b/Source/charon/sa/states/ike_sa_established.c
index 769ac8c4c..f9c68f162 100644
--- a/Source/charon/sa/states/ike_sa_established.c
+++ b/Source/charon/sa/states/ike_sa_established.c
@@ -47,9 +47,8 @@ struct private_ike_sa_established_t {
 /**
  * Implements state_t.get_state
  */
-static status_t process_message(private_ike_sa_established_t *this, message_t *message, state_t **new_state)
+static status_t process_message(private_ike_sa_established_t *this, message_t *message)
 {
-	*new_state = (state_t *) this;
 	return SUCCESS;
 }
 
@@ -83,7 +82,7 @@ ike_sa_established_t *ike_sa_established_create(protected_ike_sa_t *ike_sa)
 	}
 
 	/* interface functions */
-	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *,state_t **)) process_message;
+	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
 	this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
 	this->public.state_interface.destroy  = (status_t (*) (state_t *)) destroy;
 	
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 040942aee..510697720 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -85,12 +85,14 @@ struct private_ike_sa_init_requested_t {
 /**
  * Implements state_t.get_state
  */
-static status_t process_message(private_ike_sa_init_requested_t *this, message_t *message, state_t **new_state)
+static status_t process_message(private_ike_sa_init_requested_t *this, message_t *message)
 {
-	status_t 				status;
-	iterator_t 	*payloads;
-	exchange_type_t			exchange_type;
-	u_int64_t 				responder_spi;
+	status_t status;
+	iterator_t *payloads;
+	exchange_type_t	exchange_type;
+	u_int64_t responder_spi;
+	ike_sa_id_t *ike_sa_id;
+	
 
 	exchange_type = message->get_exchange_type(message);
 	if (exchange_type != IKE_SA_INIT)
@@ -114,7 +116,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 	}
 	
 	responder_spi = message->get_responder_spi(message);
-	this->ike_sa->ike_sa_id->set_responder_spi(this->ike_sa->ike_sa_id,responder_spi);
+	ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
+	ike_sa_id->set_responder_spi(ike_sa_id,responder_spi);
 	
 	/* iterate over incoming payloads */
 	status = message->get_payload_iterator(message, &payloads);
@@ -138,7 +141,9 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 				encryption_algorithm_t		encryption_algorithm = ENCR_UNDEFINED;
 				pseudo_random_function_t		pseudo_random_function = PRF_UNDEFINED;
 				integrity_algorithm_t		integrity_algorithm = AUTH_UNDEFINED;
-
+				prf_t *prf;
+				
+				
 				/* get the list of suggested proposals */ 
 				status = sa_payload->create_proposal_substructure_iterator(sa_payload, &suggested_proposals, TRUE);
 				if (status != SUCCESS)
@@ -151,7 +156,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 				/* now let the configuration-manager return the transforms for the given proposal*/
 				this->logger->log(this->logger, CONTROL | MOST, "Get transforms for suggested proposal");
 				status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager,
-									this->ike_sa->other.host, suggested_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
+									this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
 				if (status != SUCCESS)
 				{
 					this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not supported!");
@@ -161,13 +166,14 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 				}
 				suggested_proposals->destroy(suggested_proposals);
 				
-				this->ike_sa->prf = prf_create(pseudo_random_function);
-				if (this->ike_sa->prf == NULL)
+				prf = prf_create(pseudo_random_function);
+				if (prf == NULL)
 				{
 					this->logger->log(this->logger, ERROR | MORE, "PRF type not supported");
 					payloads->destroy(payloads);
 					return FAILED;
 				}
+				this->ike_sa->set_prf(this->ike_sa,prf);
 				
 
 				/* ok, we have what we need for sa_payload */
@@ -251,12 +257,10 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 	 * 
 	 *  TODO
 	 * 
-	 * Create PRF+ object
-	 * 
-	 * Create Keys for next process
-	 * 
 	 * Send IKE_SA_AUTH request
 	 * 
+	 * Make state change
+	 * 
 	 ****************************/
 
 
@@ -269,7 +273,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 
 //	response->destroy(response);
 
-	*new_state = (state_t *) this;
+
 	
 	return SUCCESS;
 }
@@ -325,7 +329,7 @@ ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa
 	}
 
 	/* interface functions */
-	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *,state_t **)) process_message;
+	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
 	this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
 	this->public.state_interface.destroy  = (status_t (*) (state_t *)) destroy;
 	
@@ -335,7 +339,7 @@ ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa
 	this->received_nonce.len = 0;
 	this->shared_secret.ptr = NULL;
 	this->shared_secret.len = 0;
-	this->logger = this->ike_sa->logger;
+	this->logger = this->ike_sa->get_logger(this->ike_sa);
 	this->diffie_hellman = diffie_hellman;
 	this->sent_nonce = sent_nonce;
 	this->dh_group_priority = dh_group_priority;
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 5c7ba0927..7bc3ee4ea 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -71,9 +71,8 @@ struct private_ike_sa_init_responded_t {
 /**
  * Implements state_t.get_state
  */
-static status_t process_message(private_ike_sa_init_responded_t *this, message_t *message, state_t **new_state)
+static status_t process_message(private_ike_sa_init_responded_t *this, message_t *message)
 {
-	*new_state = (state_t *) this;
 	return SUCCESS;
 }
 
@@ -119,13 +118,13 @@ ike_sa_init_responded_t *ike_sa_init_responded_create(protected_ike_sa_t *ike_sa
 	}
 
 	/* interface functions */
-	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *,state_t **)) process_message;
+	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
 	this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
 	this->public.state_interface.destroy  = (status_t (*) (state_t *)) destroy;
 	
 	/* private data */
 	this->ike_sa = ike_sa;
-	this->logger = this->ike_sa->logger;
+	this->logger = this->ike_sa->get_logger(this->ike_sa);
 	this->shared_secret = shared_secret;
 	this->received_nonce = received_nonce;
 	this->sent_nonce = sent_nonce;
diff --git a/Source/charon/sa/states/initiator_init.c b/Source/charon/sa/states/initiator_init.c
index c5acbd1e3..133d24097 100644
--- a/Source/charon/sa/states/initiator_init.c
+++ b/Source/charon/sa/states/initiator_init.c
@@ -146,29 +146,35 @@ struct private_initiator_init_t {
 /**
  * Implements function initiator_init_t.initiate_connection.
  */
-static status_t initiate_connection (private_initiator_init_t *this, char *name, state_t **new_state)
+static status_t initiate_connection (private_initiator_init_t *this, char *name)
 {
 	iterator_t 	*proposal_iterator;
 	ike_sa_init_requested_t 	*next_state;
 	message_t 				*message;
 	packet_t 				*packet;
 	status_t 				status;
+	host_t 					*my_host;
+	host_t 					*other_host;
+	randomizer_t				*randomizer;
+	
 
 	this->logger->log(this->logger, CONTROL, "Initializing connection %s",name);
 	
-	status = global_configuration_manager->get_local_host(global_configuration_manager, name, &(this->ike_sa->me.host));
+	status = global_configuration_manager->get_local_host(global_configuration_manager, name, &my_host);
 	if (status != SUCCESS)
 	{	
 		this->logger->log(this->logger, ERROR | MORE, "Could not retrieve local host configuration information for %s",name);
 		return INVALID_ARG;
 	}
+	this->ike_sa->set_my_host(this->ike_sa,my_host);
 	
-	status = global_configuration_manager->get_remote_host(global_configuration_manager, name, &(this->ike_sa->other.host));
+	status = global_configuration_manager->get_remote_host(global_configuration_manager, name, &other_host);
 	if (status != SUCCESS)
 	{	
 		this->logger->log(this->logger, ERROR | MORE, "Could not retrieve remote host configuration information for %s",name);
 		return INVALID_ARG;
 	}
+	this->ike_sa->set_other_host(this->ike_sa,other_host);
 	
 	status = global_configuration_manager->get_dh_group_number(global_configuration_manager, name, &(this->dh_group_number), this->dh_group_priority);
 	if (status != SUCCESS)
@@ -184,7 +190,7 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name,
 		return status;	
 	}
 	
-	status = global_configuration_manager->get_proposals_for_host(global_configuration_manager, this->ike_sa->other.host, proposal_iterator);
+	status = global_configuration_manager->get_proposals_for_host(global_configuration_manager, this->ike_sa->get_other_host(this->ike_sa), proposal_iterator);
 	/* not needed anymore */
 	proposal_iterator->destroy(proposal_iterator);
 	if (status != SUCCESS)
@@ -214,7 +220,8 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name,
 	}
 
 	this	->logger->log(this->logger, CONTROL|MOST, "Get pseudo random bytes for nonce");
-	if (this->ike_sa->randomizer->allocate_pseudo_random_bytes(this->ike_sa->randomizer, NONCE_SIZE, &(this->sent_nonce)) != SUCCESS)
+	randomizer = this->ike_sa->get_randomizer(this->ike_sa);
+	if (randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE, &(this->sent_nonce)) != SUCCESS)
 	{
 		this->logger->log(this->logger, ERROR, "Could not create nonce!");
 		return OUT_OF_RES;
@@ -253,29 +260,27 @@ static status_t initiate_connection (private_initiator_init_t *this, char *name,
 	/* state can now be changed */
 	this	->logger->log(this->logger, CONTROL|MOST, "Create next state object");
 	next_state = ike_sa_init_requested_create(this->ike_sa, this->dh_group_number, this->diffie_hellman, this->sent_nonce);
-
 	if (next_state == NULL)
 	{
 		this	->logger->log(this->logger, ERROR, "Fatal error: could not create next state object of type ike_sa_init_requested_t");
+		message->destroy(message);
 		return FAILED;
 	}
 
-	if (	this->ike_sa->last_requested_message != NULL)
+	/* last message can now be set */
+	status = this->ike_sa->set_last_requested_message(this->ike_sa, message);
+
+	if (status != SUCCESS)
 	{
-		/* destroy message */
-		this	->logger->log(this->logger, CONTROL|MOST, "Destroy stored last requested message");
-		this->ike_sa->last_requested_message->destroy(this->ike_sa->last_requested_message);
+		this->logger->log(this->logger, ERROR, "Could not set last requested message");
+		(next_state->state_interface).destroy(&(next_state->state_interface));
+		message->destroy(message);
+		return status;
 	}
 
-	/* message is set after state create */
-	this	->logger->log(this->logger, CONTROL|MOST, "replace last requested message with current one");
-	this->ike_sa->last_requested_message	 = message;
-
-	/* message counter can now be increased */
-	this	->logger->log(this->logger, CONTROL|MOST, "Increate message counter for outgoing messages");
-	this->ike_sa->message_id_out++;
+	/* state can now be changed */ 
+	this->ike_sa->set_new_state(this->ike_sa,(state_t *) next_state);
 
-	*new_state = (state_t *) next_state;
 	/* state has NOW changed :-) */
 	this	->logger->log(this->logger, CONTROL|MORE, "Changed state of IKE_SA from %s to %s",mapping_find(ike_sa_state_m,INITIATOR_INIT),mapping_find(ike_sa_state_m,IKE_SA_INIT_REQUESTED) );
 
@@ -589,12 +594,12 @@ initiator_init_t *initiator_init_create(protected_ike_sa_t *ike_sa)
 	}
 
 	/* interface functions */
-	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *,state_t **)) process_message;
+	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
 	this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
 	this->public.state_interface.destroy  = (status_t (*) (state_t *)) destroy;
 	
 	/* public functions */
-	this->public.initiate_connection = (status_t (*)(initiator_init_t *, char *, state_t **)) initiate_connection;
+	this->public.initiate_connection = (status_t (*)(initiator_init_t *, char *)) initiate_connection;
 	
 	/* private functions */
 	this->destroy_after_state_change = destroy_after_state_change;
@@ -606,7 +611,7 @@ initiator_init_t *initiator_init_create(protected_ike_sa_t *ike_sa)
 	/* private data */
 	this->ike_sa = ike_sa;
 	this->dh_group_priority = 1;
-	this->logger = this->ike_sa->logger;
+	this->logger = this->ike_sa->get_logger(this->ike_sa);
 	this->proposals = linked_list_create();
 	this->sent_nonce = CHUNK_INITIALIZER;
 	if (this->proposals == NULL)
diff --git a/Source/charon/sa/states/initiator_init.h b/Source/charon/sa/states/initiator_init.h
index c61c137d1..c150eb6b1 100644
--- a/Source/charon/sa/states/initiator_init.h
+++ b/Source/charon/sa/states/initiator_init.h
@@ -46,10 +46,9 @@ struct initiator_init_t {
 	 * 
 	 * @param this 			calling object
 	 * @param name 			name of the configuration
-	 * @param new_state		new state if call succeeded
 	 * @return				TODO
 	 */
-	status_t (*initiate_connection) (initiator_init_t *this, char *name, state_t **new_state);	
+	status_t (*initiate_connection) (initiator_init_t *this, char *name);	
 };
 
 /**
diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c
index d68bfc62c..9c6067faa 100644
--- a/Source/charon/sa/states/responder_init.c
+++ b/Source/charon/sa/states/responder_init.c
@@ -142,7 +142,7 @@ struct private_responder_init_t {
 /**
  * Implements state_t.get_state
  */
-static status_t process_message(private_responder_init_t *this, message_t *message, state_t **new_state)
+static status_t process_message(private_responder_init_t *this, message_t *message)
 {
 	iterator_t *payloads;
 	host_t *source, *destination;
@@ -153,6 +153,9 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 	chunk_t shared_secret;
 	exchange_type_t	exchange_type;
 	ike_sa_init_responded_t *next_state;
+	host_t *my_host;
+	host_t *other_host;
+	randomizer_t *randomizer;
 
 	exchange_type = message->get_exchange_type(message);
 	if (exchange_type != IKE_SA_INIT)
@@ -172,8 +175,23 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 	message->get_destination(message, &destination);
 	
 	/* we need to clone them, since we destroy the message later */
-	destination->clone(destination, &(this->ike_sa->me.host));
-	source->clone(source, &(this->ike_sa->other.host));
+	status = destination->clone(destination, &my_host);
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR, "Fatal error: could not clone my host informations");
+		return status;	
+	}
+	status = source->clone(source, &other_host);
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR, "Fatal error: could not clone other host informations");
+		my_host->destroy(my_host);
+		return status;	
+	}
+
+	
+	this->ike_sa->set_my_host(this->ike_sa, my_host);
+	this->ike_sa->set_other_host(this->ike_sa, other_host);
 	
 	/* parse incoming message */
 	status = message->parse_body(message);
@@ -205,9 +223,10 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 			{
 				sa_payload_t *sa_payload = (sa_payload_t*)payload;
 				iterator_t *suggested_proposals, *accepted_proposals;
-				encryption_algorithm_t		encryption_algorithm = ENCR_UNDEFINED;
-				pseudo_random_function_t		pseudo_random_function = PRF_UNDEFINED;
-				integrity_algorithm_t		integrity_algorithm = AUTH_UNDEFINED;
+				encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED;
+				pseudo_random_function_t	 pseudo_random_function = PRF_UNDEFINED;
+				integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED;
+				prf_t *prf;
 
 				status = this->proposals->create_iterator(this->proposals, &accepted_proposals, FALSE);
 				if (status != SUCCESS)
@@ -229,7 +248,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 				
 				/* now let the configuration-manager select a subset of the proposals */
 				status = global_configuration_manager->select_proposals_for_host(global_configuration_manager,
-									this->ike_sa->other.host, suggested_proposals, accepted_proposals);
+									this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, accepted_proposals);
 				if (status != SUCCESS)
 				{
 					this->logger->log(this->logger, CONTROL | MORE, "No proposal of suggested proposals selected");
@@ -246,7 +265,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 				/* now let the configuration-manager return the transforms for the given proposal*/
 				this->logger->log(this->logger, CONTROL | MOST, "Get transforms for accepted proposal");
 				status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager,
-									this->ike_sa->other.host, accepted_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
+									this->ike_sa->get_other_host(this->ike_sa), accepted_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
 				if (status != SUCCESS)
 				{
 					this->logger->log(this->logger, ERROR | MORE, "Accepted proposals not supported?!");
@@ -256,13 +275,14 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 				}
 				accepted_proposals->destroy(accepted_proposals);
 				
-				this->ike_sa->prf = prf_create(pseudo_random_function);
-				if (this->ike_sa->prf == NULL)
+				prf = prf_create(pseudo_random_function);
+				if (prf == NULL)
 				{
 					this->logger->log(this->logger, ERROR | MORE, "PRF type not supported");
 					payloads->destroy(payloads);
 					return FAILED;
 				}
+				this->ike_sa->set_prf(this->ike_sa,prf);
 				
 				this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed");
 				/* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
@@ -278,7 +298,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 				group = ke_payload->get_dh_group_number(ke_payload);
 				
 				status = global_configuration_manager->is_dh_group_allowed_for_host(global_configuration_manager,
-								this->ike_sa->other.host, group, &allowed_group);
+								this->ike_sa->get_other_host(this->ike_sa), group, &allowed_group);
 
 				if (status != SUCCESS)
 				{
@@ -355,8 +375,11 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 	
 	this->logger->log(this->logger, CONTROL | MORE, "Request successfully handled. Going to create reply.");
 
-	this->logger->log(this->logger, CONTROL | MOST, "Going to create nonce.");		
-	if (this->ike_sa->randomizer->allocate_pseudo_random_bytes(this->ike_sa->randomizer, NONCE_SIZE, &(this->sent_nonce)) != SUCCESS)
+	this->logger->log(this->logger, CONTROL | MOST, "Going to create nonce.");	
+	
+	randomizer = this->ike_sa->get_randomizer(this->ike_sa);
+	
+	if (randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE, &(this->sent_nonce)) != SUCCESS)
 	{
 		this->logger->log(this->logger, ERROR, "Could not create nonce!");
 		return OUT_OF_RES;
@@ -447,6 +470,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 	if (status != SUCCESS)
 	{
 		this->logger->log(this->logger, ERROR, "Could not add packet to send queue");
+		packet->destroy(packet);
 		return status;
 	}
 
@@ -462,19 +486,19 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 		return FAILED;
 	}
 	
-	if (	this->ike_sa->last_responded_message != NULL)
+	/* last message can now be set */
+	status = this->ike_sa->set_last_responded_message(this->ike_sa, response);
+
+	if (status != SUCCESS)
 	{
-		/* destroy message */
-		this	->logger->log(this->logger, CONTROL|MOST, "Destroy stored last responded message");
-		this->ike_sa->last_responded_message->destroy(this->ike_sa->last_responded_message);
+		this->logger->log(this->logger, ERROR, "Could not set last responded message");
+		response->destroy(response);
+		(next_state->state_interface).destroy(&(next_state->state_interface));
+		return status;
 	}
-	this->ike_sa->last_responded_message	 = response;
 
-	/* message counter can now be increased */
-	this	->logger->log(this->logger, CONTROL|MOST, "Increate message counter for incoming messages");
-	this->ike_sa->message_id_in++;
-
-	*new_state = (state_t *) next_state;
+	/* state can now be changed */
+	this->ike_sa->set_new_state(this->ike_sa, (state_t *) next_state);
 	/* state has NOW changed :-) */
 	this	->logger->log(this->logger, CONTROL|MORE, "Changed state of IKE_SA from %s to %s",mapping_find(ike_sa_state_m,RESPONDER_INIT),mapping_find(ike_sa_state_m,IKE_SA_INIT_RESPONDED) );
 
@@ -717,7 +741,7 @@ responder_init_t *responder_init_create(protected_ike_sa_t *ike_sa)
 	}
 
 	/* interface functions */
-	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *,state_t **)) process_message;
+	this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
 	this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
 	this->public.state_interface.destroy  = (status_t (*) (state_t *)) destroy;
 	
@@ -729,7 +753,7 @@ responder_init_t *responder_init_create(protected_ike_sa_t *ike_sa)
 	
 	/* private data */
 	this->ike_sa = ike_sa;
-	this->logger = this->ike_sa->logger;
+	this->logger = this->ike_sa->get_logger(this->ike_sa);
 	this->sent_nonce.ptr = NULL;
 	this->sent_nonce.len = 0;
 	this->received_nonce.ptr = NULL;
diff --git a/Source/charon/sa/states/state.h b/Source/charon/sa/states/state.h
index e888eaf31..7a8f8430c 100644
--- a/Source/charon/sa/states/state.h
+++ b/Source/charon/sa/states/state.h
@@ -87,13 +87,11 @@ struct state_t {
 	 *
 	 * @param this 			state_t object
  	 * @param[in] 			message message_t object to process
-	 * @param this 			state_t pointer to the new state_t object
 	 * @return 				
 	 * 						- SUCCESSFUL if succeeded
 	 * 						- FAILED otherwise
 	 */
-	status_t (*process_message) (state_t *this,message_t *message,state_t **new_state);
-
+	status_t (*process_message) (state_t *this,message_t *message);
 
 	/**
 	 * @brief Get the current state