- added compution of all needed keys and also creation of needed

transform objects

13 files changed, 390 insertions, 158 deletions

diff --git a/Source/charon/config/configuration_manager.c b/Source/charon/config/configuration_manager.c
index a26409b58..7468222e8 100644
--- a/Source/charon/config/configuration_manager.c
+++ b/Source/charon/config/configuration_manager.c
@@ -237,7 +237,7 @@ static status_t get_proposals_for_host(private_configuration_manager_t *this, ho
 		proposal->destroy(proposal);
 		return OUT_OF_RES;
 	}
-	transform->set_transform_type(transform, INTEGRITIY_ALGORITHM);
+	transform->set_transform_type(transform, INTEGRITY_ALGORITHM);
 	transform->set_transform_id(transform, AUTH_HMAC_MD5_96);
 	
 	attribute = transform_attribute_create();
@@ -320,102 +320,17 @@ static status_t select_proposals_for_host(private_configuration_manager_t *this,
 }
 
 /**
- * Implements function configuration_manager_t.get_transforms_for_host_and_proposals.
+ * Implements function configuration_manager_t.check_selected_proposals_for_host.
  */
-static status_t get_transforms_for_host_and_proposals (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm)
+static status_t check_selected_proposals_for_host (private_configuration_manager_t *this, host_t *host, iterator_t *proposals,bool *valid)
 {
 	/*
 	 * Currently the given proposals are not checked if they are valid for specific host!
 	 * 
-	 * The first proposal is taken and the appropriate transform objects are created (only if they are supported)
+	 * The first proposal is taken
 	 */
 
-	encryption_algorithm_t		selected_encryption_algorithm = ENCR_UNDEFINED;
-	pseudo_random_function_t		selected_pseudo_random_function = PRF_UNDEFINED;
-	integrity_algorithm_t		selected_integrity_algorithm = AUTH_UNDEFINED;
-	proposal_substructure_t *proposal;
-	iterator_t *transforms;
-	status_t status;
-
-	this->logger->log(this->logger,CONTROL|MORE, "Going to get transforms for given proposal");
-
-	if (!proposals->has_next(proposals))
-	{
-		this->logger->log(this->logger,ERROR | MORE, "No proposal available");
-		return FAILED;
-	}
-	
-	status = proposals->current(proposals,(void **) &(proposal));
-	if (status != SUCCESS)
-	{
-		this->logger->log(this->logger,ERROR, "Fatal error: could not get first proposal from iterator");
-		return status;	
-	}
-	
-	status = proposal->create_transform_substructure_iterator(proposal,&transforms,TRUE);
-	if (status != SUCCESS)
-	{
-		this->logger->log(this->logger,ERROR, "Fatal error: could not create iterator of transforms");
-		return status;	
-	}
-	
-	while (transforms->has_next(transforms))
-	{
-		transform_substructure_t *current_transform;
-		transform_type_t transform_type;
-		u_int16_t transform_id;
-		
-		status = transforms->current(transforms,(void **) &(current_transform));
-		if (status != SUCCESS)
-		{
-			this->logger->log(this->logger,ERROR, "Fatal error: could not get current transform substructure object");
-			transforms->destroy(transforms);	
-			return status;	
-		}
-		
-		transform_type = current_transform->get_transform_type(current_transform);
-		transform_id = current_transform->get_transform_id(current_transform);
-		
-		this->logger->log(this->logger,CONTROL | MOST, "Going to process transform of type %s",mapping_find(transform_type_m,transform_type));
-		switch (transform_type)
-		{
-			case ENCRYPTION_ALGORITHM:
-			{
-				this->logger->log(this->logger,CONTROL | MORE, "Encryption algorithm: %s",mapping_find(encryption_algorithm_m,transform_id));	
-				selected_encryption_algorithm = transform_id;
-				break;
-			}
-			case	 PSEUDO_RANDOM_FUNCTION:
-			{
-				this->logger->log(this->logger,CONTROL | MORE, "Create transform object for PRF of type %s",mapping_find(pseudo_random_function_m,transform_id));
-				selected_pseudo_random_function = transform_id;
-				break;
-			}
-			case INTEGRITIY_ALGORITHM:
-			{
-				this->logger->log(this->logger,CONTROL | MORE, "Integrity algorithm: %s",mapping_find(integrity_algorithm_m,transform_id));
-				selected_integrity_algorithm = transform_id;
-				break;
-			}
-			case DIFFIE_HELLMAN_GROUP:
-			{
-				this->logger->log(this->logger,CONTROL | MORE, "DH Group: %s",mapping_find(diffie_hellman_group_m,transform_id));
-				break;
-			}
-			default:
-			{
-				this->logger->log(this->logger,ERROR  | MORE, "Transform type not supported!");
-				transforms->destroy(transforms);	
-				return FAILED;
-			}	
-		}
-	}
-	
-	transforms->destroy(transforms);
-
-	*encryption_algorithm = selected_encryption_algorithm;
-	*pseudo_random_function = selected_pseudo_random_function;
-	*integrity_algorithm = selected_integrity_algorithm;
+	this->logger->log(this->logger,CONTROL|MORE, "Going to check selected proposals");
 	return SUCCESS;
 }
 
@@ -472,7 +387,7 @@ configuration_manager_t *configuration_manager_create()
 	this->public.get_dh_group_number = (status_t(*)(configuration_manager_t*,char*,u_int16_t *, u_int16_t))get_dh_group_number;
 	this->public.get_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*))get_proposals_for_host;
 	this->public.select_proposals_for_host = (status_t(*)(configuration_manager_t*,host_t*,iterator_t*,iterator_t*))select_proposals_for_host;
-	this->public.get_transforms_for_host_and_proposals =  (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,encryption_algorithm_t *,pseudo_random_function_t *, integrity_algorithm_t *)) get_transforms_for_host_and_proposals;
+	this->public.check_selected_proposals_for_host =  (status_t (*) (configuration_manager_t *, host_t *, iterator_t *,bool *)) check_selected_proposals_for_host;
 	this->public.is_dh_group_allowed_for_host = (status_t(*)(configuration_manager_t*,host_t*,diffie_hellman_group_t,bool*)) is_dh_group_allowed_for_host;
 
 	/* private variables */
diff --git a/Source/charon/config/configuration_manager.h b/Source/charon/config/configuration_manager.h
index fe0e5cc43..74be771f3 100644
--- a/Source/charon/config/configuration_manager.h
+++ b/Source/charon/config/configuration_manager.h
@@ -137,23 +137,24 @@ struct configuration_manager_t {
 	status_t (*select_proposals_for_host) (configuration_manager_t *this, host_t *host, iterator_t *in, iterator_t *out);
 	
 	/**
-	 * Returns the transforms of type crypter_t, signer_t and prf_t as specified in given proposal.
+	 * Checks if the selected proposals of a remote hosts are valid.
 	 * 
 	 * 
-	 * @param this							calling object
-	 * @param host							host information
-	 * @param proposals						iterator with selected proposals
-	 * @param[out] encryption_algorithm		
-	 * @param[out] pseudo_random_function	
-	 * @param[out] integrity_algorithm		
-	 * 
-	 * @return		
-	 * 										- OUT_OF_RES
-	 * 										- FAILED
-	 * 										- NOT_FOUND (not yet implemented)
-	 * 										- SUCCESS
+	 * @param this				calling object
+	 * @param host				host information
+	 * @param proposals			iterator with selected proposals
+	 * @param[out] valid			TRUE if selected proposals are accepted
+	 * 
+	 * @return			
+	 * 												- OUT_OF_RES
+	 * 												- FAILED
+	 * 												- NOT_FOUND (not yet implemented)
+	 * 												- SUCCESS
 	 */
-	status_t (*get_transforms_for_host_and_proposals) (configuration_manager_t *this, host_t *host, iterator_t *proposals,encryption_algorithm_t *encryption_algorithm,pseudo_random_function_t *pseudo_random_function, integrity_algorithm_t *integrity_algorithm);
+	status_t (*check_selected_proposals_for_host) (configuration_manager_t *this,
+												   host_t *host, 
+												   iterator_t *proposals,
+												   bool *valid);
 	
 	/**
 	 * Checks if a given dh_group number is allowed for a specific host
diff --git a/Source/charon/encoding/payloads/proposal_substructure.c b/Source/charon/encoding/payloads/proposal_substructure.c
index ab575d425..b16fb9a85 100644
--- a/Source/charon/encoding/payloads/proposal_substructure.c
+++ b/Source/charon/encoding/payloads/proposal_substructure.c
@@ -327,6 +327,41 @@ static chunk_t get_spi (private_proposal_substructure_t *this)
 	return spi;
 }
 
+static status_t get_info_for_transform_type (private_proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length)
+{
+	iterator_t *iterator;
+	status_t status;
+	u_int16_t found_transform_id;
+	u_int16_t found_key_length;
+
+	status = this->transforms->create_iterator(this->transforms,&iterator,TRUE);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+	while (iterator->has_next(iterator))
+	{
+		transform_substructure_t *current_transform;
+		status = iterator->current(iterator,(void **) &current_transform);
+		if (status != SUCCESS)
+		{
+			break;
+		}
+		if (current_transform->get_transform_type(current_transform) == type)
+		{
+			/* now get data for specific type */
+			found_transform_id = current_transform->get_transform_id(current_transform);
+			status = current_transform->get_key_length(current_transform,&found_key_length);
+			*transform_id = found_transform_id;
+			*key_length = found_key_length;
+			iterator->destroy(iterator);
+			return status;
+		}		
+	}
+	iterator->destroy(iterator);
+	return FAILED;
+}
+
 /**
  * Implements private_proposal_substructure_t's compute_length function.
  * See #private_proposal_substructure_s.compute_length for description.
@@ -483,11 +518,13 @@ proposal_substructure_t *proposal_substructure_create()
 	this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
 	this->public.set_protocol_id = (status_t (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
 	this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
+	this->public.get_info_for_transform_type = 	(status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type;
 	this->public.set_spi = (status_t (*) (proposal_substructure_t *,chunk_t))set_spi;
 	this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
 	this->public.clone = (status_t (*) (proposal_substructure_t *, proposal_substructure_t **)) clone;
 	this->public.destroy = (status_t (*) (proposal_substructure_t *)) destroy;
 	
+	
 	/* private functions */
 	this->compute_length = compute_length;
 	
diff --git a/Source/charon/encoding/payloads/proposal_substructure.h b/Source/charon/encoding/payloads/proposal_substructure.h
index d6f90e403..ae54ef1d1 100644
--- a/Source/charon/encoding/payloads/proposal_substructure.h
+++ b/Source/charon/encoding/payloads/proposal_substructure.h
@@ -125,6 +125,21 @@ struct proposal_substructure_t {
 	 * @return 			protocol id of current proposal substructure.
 	 */
 	u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
+	
+	/**
+	 * @brief Get informations for a specific transform type. 
+	 * 
+	 * @param this 			calling proposal_substructure_t object
+	 * @param type			type to get informations for
+	 * @param transform_id 	transform id of the specific type
+	 * @param key_length 	key length of the specific key length transform attribute
+	 * @return 			
+	 * 						- SUCCESS if transform type is part of this proposal and 
+	 * 					 	 all data (incl. key length) could be fetched
+	 * 						- FAILED if transform type is not part of this proposal
+	 * 						- OUT_OF_RES
+	 */
+	status_t (*get_info_for_transform_type) (proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length);
 
 
 	/**
diff --git a/Source/charon/encoding/payloads/transform_substructure.c b/Source/charon/encoding/payloads/transform_substructure.c
index 586ce2867..ff08f6c00 100644
--- a/Source/charon/encoding/payloads/transform_substructure.c
+++ b/Source/charon/encoding/payloads/transform_substructure.c
@@ -91,7 +91,7 @@ mapping_t transform_type_m[] = {
 	{UNDEFINED_TRANSFORM_TYPE, "UNDEFINED_TRANSFORM_TYPE"},
 	{ENCRYPTION_ALGORITHM, "ENCRYPTION_ALGORITHM"},
 	{PSEUDO_RANDOM_FUNCTION, "PSEUDO_RANDOM_FUNCTION"},
-	{INTEGRITIY_ALGORITHM, "INTEGRITIY_ALGORITHM"},
+	{INTEGRITY_ALGORITHM, "INTEGRITY_ALGORITHM"},
 	{DIFFIE_HELLMAN_GROUP, "DIFFIE_HELLMAN_GROUP"},
 	{EXTENDED_SEQUENCE_NUNBERS, "EXTENDED_SEQUENCE_NUNBERS"},
 	{MAPPING_END, NULL}
@@ -177,7 +177,7 @@ static status_t verify(private_transform_substructure_t *this)
 			}
 			break;
 		}
-		case INTEGRITIY_ALGORITHM:
+		case INTEGRITY_ALGORITHM:
 		{
 			if ((this->transform_id < AUTH_HMAC_MD5_96) || (this->transform_id > AUTH_AES_XCBC_96))
 			{
@@ -443,6 +443,43 @@ static status_t clone(private_transform_substructure_t *this,transform_substruct
 
 
 /**
+ * Implementation of transform_substructure_t.get_key_length.
+ */
+static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length)
+{
+	iterator_t *attributes;
+	status_t status;
+	
+	status = this->attributes->create_iterator(this->attributes,&attributes,TRUE);
+	if (status != SUCCESS)
+	{
+		return status;
+	}
+	
+	while (attributes->has_next(attributes))
+	{
+		transform_attribute_t *current_attribute;
+		status = attributes->current(attributes,(void **) &current_attribute);
+		if (status != SUCCESS)
+		{
+			attributes->destroy(attributes);
+			return status;
+		}
+		if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
+		{
+			*key_length = current_attribute->get_value(current_attribute);
+			attributes->destroy(attributes);	
+			return SUCCESS;
+		}
+		
+	}
+	attributes->destroy(attributes);
+	
+	return FAILED;
+}
+
+
+/**
  * Implements payload_t's and transform_substructure_t's destroy function.
  * See #payload_s.destroy or transform_substructure_s.destroy for description.
  */
@@ -494,6 +531,7 @@ transform_substructure_t *transform_substructure_create()
 	this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type;
 	this->public.set_transform_id = (status_t (*) (transform_substructure_t *,u_int16_t)) set_transform_id;
 	this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id;
+	this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
 	this->public.clone = (status_t (*) (transform_substructure_t *,transform_substructure_t **)) clone;
 	this->public.destroy = (status_t (*) (transform_substructure_t *)) destroy;
 	
diff --git a/Source/charon/encoding/payloads/transform_substructure.h b/Source/charon/encoding/payloads/transform_substructure.h
index 8d49874db..51119d275 100644
--- a/Source/charon/encoding/payloads/transform_substructure.h
+++ b/Source/charon/encoding/payloads/transform_substructure.h
@@ -56,7 +56,7 @@ enum transform_type_t {
 	UNDEFINED_TRANSFORM_TYPE = 241,
 	ENCRYPTION_ALGORITHM = 1,
 	PSEUDO_RANDOM_FUNCTION = 2,
-	INTEGRITIY_ALGORITHM = 3,
+	INTEGRITY_ALGORITHM = 3,
 	DIFFIE_HELLMAN_GROUP = 4,
 	EXTENDED_SEQUENCE_NUNBERS = 5
 };
@@ -180,6 +180,19 @@ struct transform_substructure_t {
 	 * @return 			Transform id of current transform substructure.
 	 */
 	u_int16_t (*get_transform_id) (transform_substructure_t *this);
+	
+	/**
+	 * @brief get transform id of the current transform.
+	 * 
+	 * @param this 			calling transform_substructure_t object
+	 * @param key_length		The key length is written to this location	
+	 * @return 			
+	 * 						- SUCCESS if a key length attribute is contained
+	 * 						- FAILED if no key length attribute is part of this 
+	 * 						  transform or key length uses more then 16 bit!
+	 * 						- OUT_OF_RES
+	 */
+	status_t (*get_key_length) (transform_substructure_t *this,u_int16_t *key_length);
 
 	/**
 	 * @brief Clones an transform_substructure_t object.
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 79620f29c..914da1e74 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -32,6 +32,7 @@
 #include <utils/randomizer.h>
 #include <transforms/diffie_hellman.h>
 #include <transforms/prf_plus.h>
+#include <transforms/crypters/crypter.h>
 #include <encoding/payloads/sa_payload.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <encoding/payloads/ke_payload.h>
@@ -348,6 +349,9 @@ static ike_sa_id_t* get_id(private_ike_sa_t *this)
 	return this->ike_sa_id;
 }
 
+/**
+ * @brief implements function protected_ike_sa_t.compute_secrets
+ */
 static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret,chunk_t initiator_nonce, chunk_t responder_nonce)
 {
 	chunk_t concatenated_nonces;
@@ -357,8 +361,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
 	u_int64_t initiator_spi;
 	u_int64_t responder_spi;
 	prf_plus_t *prf_plus;
-	chunk_t secrets_raw;
-
+	
+	
 	/*
 	 * TODO check length for specific prf's 
 	 */
@@ -398,6 +402,7 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
 		return FAILED;
 	}
 	
+	
 	/* first is initiator */
 	memcpy(prf_plus_seed.ptr,initiator_nonce.ptr,initiator_nonce.len);
 	/* second is responder */
@@ -409,8 +414,8 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
 	responder_spi = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
 	memcpy(prf_plus_seed.ptr + initiator_nonce.len + responder_nonce.len + 8,&responder_spi,8);
 	
-	this->logger->log_chunk(this->logger, PRIVATE, "Keyseed", &skeyseed);
-	this->logger->log_chunk(this->logger, PRIVATE, "PRF+ Seed", &prf_plus_seed);
+	this->logger->log_chunk(this->logger, PRIVATE | MORE, "Keyseed", &skeyseed);
+	this->logger->log_chunk(this->logger, PRIVATE | MORE, "PRF+ Seed", &prf_plus_seed);
 
 	this->logger->log(this->logger, CONTROL | MOST, "Set new key of prf object");
 	status = this->prf->set_key(this->prf,skeyseed);
@@ -431,11 +436,85 @@ static status_t compute_secrets (private_ike_sa_t *this,chunk_t dh_shared_secret
 		return FAILED;
 	}
 	
-	prf_plus->allocate_bytes(prf_plus,100,&secrets_raw);
-	
-	this->logger->log_chunk(this->logger, PRIVATE, "Secrets", &secrets_raw);
+	status = prf_plus->allocate_bytes(prf_plus,this->prf->get_block_size(this->prf),&(this->secrets.d_key));
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_d");
+		return status;
+	}
+	this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", &(this->secrets.d_key));
+
+	status = prf_plus->allocate_bytes(prf_plus,this->crypter_initiator->get_block_size(this->crypter_initiator),&(this->secrets.ei_key));
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ei");
+		return status;
+	}
+	this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", &(this->secrets.ei_key));
+	status = this->crypter_initiator->set_key(this->crypter_initiator,this->secrets.ei_key);
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key initiator crypter");
+		return status;
+	}
+
+	status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.er_key));
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_er");
+		return status;
+	}
+	this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", &(this->secrets.er_key));
+	status = this->crypter_responder->set_key(this->crypter_responder,this->secrets.er_key);
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not set encryption key responder crypter");
+		return status;
+	}
+
+	status = prf_plus->allocate_bytes(prf_plus,this->signer_initiator->get_block_size(this->signer_initiator),&(this->secrets.ai_key));
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ai");
+		return status;
+	}
+	this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", &(this->secrets.ai_key));
+	status = this->signer_initiator->set_key(this->signer_initiator,this->secrets.ai_key);
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not set key for initiator signer");
+		return status;
+	}
+
+	status = prf_plus->allocate_bytes(prf_plus,this->signer_responder->get_block_size(this->signer_responder),&(this->secrets.ar_key));
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_ar");
+		return status;
+	}
+	this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", &(this->secrets.ar_key));
+	status = this->signer_responder->set_key(this->signer_responder,this->secrets.ar_key);
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not set key for responder signer");
+		return status;
+	}	
+
+	status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pi_key));
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pi");
+		return status;
+	}
+	this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", &(this->secrets.pi_key));
 	
-	allocator_free_chunk(&secrets_raw);
+	status = prf_plus->allocate_bytes(prf_plus,this->crypter_responder->get_block_size(this->crypter_responder),&(this->secrets.pr_key));
+	if (status != SUCCESS)
+	{
+		this->logger->log(this->logger, ERROR | MORE, "Could not allocate bytes from prf+ for Sk_pr");
+		return status;
+	}
+	this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", &(this->secrets.pr_key));
 	
 	prf_plus->destroy(prf_plus);
 
@@ -496,6 +575,7 @@ status_t create_delete_job (private_ike_sa_t *this)
  */
 static void set_new_state (private_ike_sa_t *this, state_t *state)
 {
+	this->logger->log(this->logger, ERROR, "Change current state %s to %s",mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),mapping_find(ike_sa_state_m,state->get_state(state)));
 	this->current_state = state;
 }
 
@@ -530,6 +610,7 @@ static void set_my_host (private_ike_sa_t *this, host_t *my_host)
 {
 	if (this->me.host != NULL)
 	{
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy existing my host object");
 		this->me.host->destroy(this->me.host);
 	}
 	this->me.host = my_host;
@@ -542,6 +623,7 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host)
 {
 	if (this->other.host != NULL)
 	{
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy existing other host object");
 		this->other.host->destroy(this->other.host);
 	}
 	this->other.host = other_host;
@@ -550,13 +632,110 @@ static void set_other_host (private_ike_sa_t *this, host_t *other_host)
 /**
  * Implementation of protected_ike_sa_t.set_prf.
  */
-static void set_prf (private_ike_sa_t *this,prf_t *prf)
+static status_t create_transforms_from_proposal (private_ike_sa_t *this,proposal_substructure_t *proposal)
 {
+	status_t status;
+	u_int16_t encryption_algorithm;
+	u_int16_t encryption_algorithm_key_length;
+	u_int16_t integrity_algorithm;
+	u_int16_t integrity_algorithm_key_length;
+	u_int16_t pseudo_random_function;
+	u_int16_t pseudo_random_function_key_length;
+	
+	this	->logger->log(this->logger, CONTROL|MORE, "Going to create transform objects for proposal");
+	
+	this	->logger->log(this->logger, CONTROL|MOST, "Get encryption transform type");
+	status = proposal->get_info_for_transform_type(proposal,ENCRYPTION_ALGORITHM,&(encryption_algorithm),&(encryption_algorithm_key_length));
+	if (status != SUCCESS)
+	{
+		this	->logger->log(this->logger, ERROR|MORE, "Could not get encryption transform type");
+		return status;
+	}
+	this	->logger->log(this->logger, CONTROL|MORE, "Encryption algorithm: %s with keylength %d",mapping_find(encryption_algorithm_m,encryption_algorithm),encryption_algorithm_key_length);
+	
+	this	->logger->log(this->logger, CONTROL|MOST, "Get integrity transform type");
+	status = proposal->get_info_for_transform_type(proposal,INTEGRITY_ALGORITHM,&(integrity_algorithm),&(integrity_algorithm_key_length));
+	if (status != SUCCESS)
+	{
+		this	->logger->log(this->logger, ERROR|MORE, "Could not get integrity transform type");
+		return status;
+	}
+	this	->logger->log(this->logger, CONTROL|MORE, "integrity algorithm: %s with keylength %d",mapping_find(integrity_algorithm_m,integrity_algorithm),integrity_algorithm_key_length);
+	
+	this	->logger->log(this->logger, CONTROL|MOST, "Get prf transform type");
+	status = proposal->get_info_for_transform_type(proposal,PSEUDO_RANDOM_FUNCTION,&(pseudo_random_function),&(pseudo_random_function_key_length));
+	if (status != SUCCESS)
+	{
+		this	->logger->log(this->logger, ERROR|MORE, "Could not prf transform type");
+		return status;
+	}
+	this	->logger->log(this->logger, CONTROL|MORE, "prf: %s with keylength %d",mapping_find(pseudo_random_function_m,pseudo_random_function),pseudo_random_function_key_length);
+
+
+	
+
 	if (this->prf != NULL)
 	{
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy existing prf_t object");
 		this->prf->destroy(this->prf);
 	}
-	this->prf = prf;
+	this->prf = prf_create(pseudo_random_function);
+	if (this->prf == NULL)
+	{
+		this	->logger->log(this->logger, ERROR|MORE, "prf does not seem to be supported!");
+		return FAILED;
+	}
+	
+	if (this->crypter_initiator != NULL)
+	{
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator crypter_t object");
+		this->crypter_initiator->destroy(this->crypter_initiator);
+	}
+	this->crypter_initiator = crypter_create(encryption_algorithm,encryption_algorithm_key_length);
+	if (this->crypter_initiator == NULL)
+	{
+		this	->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!");
+		return FAILED;
+	}
+
+	if (this->crypter_responder != NULL)
+	{
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder crypter_t object");
+		this->crypter_responder->destroy(this->crypter_responder);
+	}
+	this->crypter_responder = crypter_create(encryption_algorithm,encryption_algorithm_key_length);
+	if (this->crypter_responder == NULL)
+	{
+		this	->logger->log(this->logger, ERROR|MORE, "encryption algorithm does not seem to be supported!");
+		return FAILED;
+	}
+	
+	if (this->signer_initiator != NULL)
+	{
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy existing initiator signer_t object");
+		this->signer_initiator->destroy(this->signer_initiator);
+	}
+	this->signer_initiator = signer_create(integrity_algorithm);
+	if (this->signer_initiator == NULL)
+	{
+		this	->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!");
+		return FAILED;
+	}
+	
+	
+	if (this->signer_responder != NULL)
+	{
+		this	->logger->log(this->logger, CONTROL|MOST, "Destroy existing responder signer_t object");
+		this->signer_responder->destroy(this->signer_responder);
+	}
+	this->signer_responder = signer_create(integrity_algorithm);
+	if (this->signer_responder == NULL)
+	{
+		this	->logger->log(this->logger, ERROR|MORE, "integrity algorithm does not seem to be supported!");
+		return FAILED;
+	}
+
+	return SUCCESS;
 }
 
 /**
@@ -775,7 +954,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->protected.get_randomizer = (randomizer_t *(*) (protected_ike_sa_t *)) get_randomizer;
 	this->protected.set_last_requested_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_requested_message;
 	this->protected.set_last_responded_message = (status_t (*) (protected_ike_sa_t *,message_t *)) set_last_responded_message;
-	this->protected.set_prf = (void (*) (protected_ike_sa_t *,prf_t *)) set_prf;
+	this->protected.create_transforms_from_proposal = (status_t (*) (protected_ike_sa_t *,proposal_substructure_t *)) create_transforms_from_proposal;
 	this->protected.set_new_state = (void (*) (protected_ike_sa_t *,state_t *)) set_new_state;
 
 	/* private functions */
diff --git a/Source/charon/sa/ike_sa.h b/Source/charon/sa/ike_sa.h
index aa6c0d50f..8ea445b4e 100644
--- a/Source/charon/sa/ike_sa.h
+++ b/Source/charon/sa/ike_sa.h
@@ -26,6 +26,7 @@
 
 #include <types.h>
 #include <encoding/message.h>
+#include <encoding/payloads/proposal_substructure.h>
 #include <sa/ike_sa_id.h>
 #include <utils/logger.h>
 #include <utils/randomizer.h>
@@ -171,14 +172,16 @@ struct protected_ike_sa_t {
 	void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host);
 	
 	/**
-	 * Sets the internal stored prf_t object.
+	 * Creates all needed transform objects for given ike_sa_t using 
+	 * the informations stored in a proposal_substructure_t object
 	 * 
-	 * Allready existing object gets destroyed. object gets not cloned!
+	 * Allready existing objects get destroyed.
 	 * 
 	 * @param this 				calling object
-	 * @param prf				pointer to the new prf_t object
+	 * @param proposal			proposal used to get informations for transform
+	 * 							objects (algorithms, key lengths, etc.)
 	 */
-	void (*set_prf) (protected_ike_sa_t *this,prf_t *prf);
+	status_t (*create_transforms_from_proposal) (protected_ike_sa_t *this,proposal_substructure_t *proposal);
 	
 	/**
 	 * Sets the last requested message.
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 510697720..fd8032695 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -136,12 +136,10 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 		{
 			case SECURITY_ASSOCIATION:
 			{
-				sa_payload_t 				*sa_payload = (sa_payload_t*)payload;
-				iterator_t 		*suggested_proposals;
-				encryption_algorithm_t		encryption_algorithm = ENCR_UNDEFINED;
-				pseudo_random_function_t		pseudo_random_function = PRF_UNDEFINED;
-				integrity_algorithm_t		integrity_algorithm = AUTH_UNDEFINED;
-				prf_t *prf;
+				sa_payload_t *sa_payload = (sa_payload_t*)payload;
+				iterator_t 	*suggested_proposals;
+				proposal_substructure_t *suggested_proposal;			
+				bool valid;
 				
 				
 				/* get the list of suggested proposals */ 
@@ -153,27 +151,46 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 					return status;
 				}
 				
-				/* now let the configuration-manager return the transforms for the given proposal*/
-				this->logger->log(this->logger, CONTROL | MOST, "Get transforms for suggested proposal");
-				status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager,
-									this->ike_sa->get_other_host(this->ike_sa), suggested_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
+				/* now let the configuration-manager check the selected proposals*/
+				this->logger->log(this->logger, CONTROL | MOST, "Check suggested proposals");
+				status = global_configuration_manager->check_selected_proposals_for_host(global_configuration_manager,
+									this->ike_sa->get_other_host(this->ike_sa), suggested_proposals,&valid);
 				if (status != SUCCESS)
 				{
-					this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not supported!");
+					this->logger->log(this->logger, ERROR | MORE, "Could not check suggested proposals!");
 					suggested_proposals->destroy(suggested_proposals);
 					payloads->destroy(payloads);
 					return status;
 				}
+
+				if (!valid)
+				{
+					this->logger->log(this->logger, ERROR | MORE, "Suggested proposals not accepted!");
+					payloads->destroy(payloads);
+					return status;
+				}
+
+
+				/* let the ike_sa create their own transforms from proposal informations */
+				suggested_proposals->reset(suggested_proposals);
+				/* TODO check for true*/
+				suggested_proposals->has_next(suggested_proposals);
+				status = suggested_proposals->current(suggested_proposals,(void **)&suggested_proposal);
 				suggested_proposals->destroy(suggested_proposals);
-				
-				prf = prf_create(pseudo_random_function);
-				if (prf == NULL)
+				if (status != SUCCESS)
+				{
+					this->logger->log(this->logger, ERROR | MORE, "Could not get first proposal");
+					payloads->destroy(payloads);
+					return status;
+				}
+								
+				status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,suggested_proposal);	
+				if (status != SUCCESS)
 				{
-					this->logger->log(this->logger, ERROR | MORE, "PRF type not supported");
+					this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal");
 					payloads->destroy(payloads);
-					return FAILED;
+					return status;
 				}
-				this->ike_sa->set_prf(this->ike_sa,prf);
 				
 
 				/* ok, we have what we need for sa_payload */
diff --git a/Source/charon/sa/states/responder_init.c b/Source/charon/sa/states/responder_init.c
index 9c6067faa..8a8e0c6fc 100644
--- a/Source/charon/sa/states/responder_init.c
+++ b/Source/charon/sa/states/responder_init.c
@@ -223,10 +223,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 			{
 				sa_payload_t *sa_payload = (sa_payload_t*)payload;
 				iterator_t *suggested_proposals, *accepted_proposals;
-				encryption_algorithm_t encryption_algorithm = ENCR_UNDEFINED;
-				pseudo_random_function_t	 pseudo_random_function = PRF_UNDEFINED;
-				integrity_algorithm_t integrity_algorithm = AUTH_UNDEFINED;
-				prf_t *prf;
+				proposal_substructure_t *accepted_proposal;
 
 				status = this->proposals->create_iterator(this->proposals, &accepted_proposals, FALSE);
 				if (status != SUCCESS)
@@ -260,12 +257,13 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 				
 				/* iterators are not needed anymore */			
 				suggested_proposals->destroy(suggested_proposals);
-					
 				
-				/* now let the configuration-manager return the transforms for the given proposal*/
-				this->logger->log(this->logger, CONTROL | MOST, "Get transforms for accepted proposal");
-				status = global_configuration_manager->get_transforms_for_host_and_proposals(global_configuration_manager,
-									this->ike_sa->get_other_host(this->ike_sa), accepted_proposals, &encryption_algorithm,&pseudo_random_function,&integrity_algorithm);
+				
+				/* let the ike_sa create their own transforms from proposal informations */
+				accepted_proposals->reset(accepted_proposals);
+				/* TODO check for true*/
+				accepted_proposals->has_next(accepted_proposals);
+				status = accepted_proposals->current(accepted_proposals,(void **)&accepted_proposal);
 				if (status != SUCCESS)
 				{
 					this->logger->log(this->logger, ERROR | MORE, "Accepted proposals not supported?!");
@@ -273,16 +271,15 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 					payloads->destroy(payloads);
 					return status;
 				}
-				accepted_proposals->destroy(accepted_proposals);
 				
-				prf = prf_create(pseudo_random_function);
-				if (prf == NULL)
+				status = this->ike_sa->create_transforms_from_proposal(this->ike_sa,accepted_proposal);	
+				accepted_proposals->destroy(accepted_proposals);
+				if (status != SUCCESS)
 				{
-					this->logger->log(this->logger, ERROR | MORE, "PRF type not supported");
+					this->logger->log(this->logger, ERROR | MORE, "Transform objects could not be created from selected proposal");
 					payloads->destroy(payloads);
-					return FAILED;
+					return status;
 				}
-				this->ike_sa->set_prf(this->ike_sa,prf);
 				
 				this->logger->log(this->logger, CONTROL | MORE, "SA Payload processed");
 				/* ok, we have what we need for sa_payload (proposals are stored in this->proposals)*/
@@ -397,8 +394,6 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
 		this->logger->log(this->logger, ERROR | MORE, "Secrets could not be computed!");
 		return status;
 	}
-	
-		
 
 	/* set up the reply */
 	status = this->ike_sa->build_message(this->ike_sa, IKE_SA_INIT, FALSE, &response);
diff --git a/Source/charon/transforms/crypters/crypter.c b/Source/charon/transforms/crypters/crypter.c
index 8a9f590d3..1a0f859eb 100644
--- a/Source/charon/transforms/crypters/crypter.c
+++ b/Source/charon/transforms/crypters/crypter.c
@@ -45,3 +45,20 @@ mapping_t encryption_algorithm_m[] = {
 {ENCR_AES_CTR, "ENCR_AES_CTR"},
 {MAPPING_END, NULL}
 };
+
+/* 
+ * Described in header.
+ */
+crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm,size_t blocksize)
+{
+	switch (encryption_algorithm)
+	{
+		case ENCR_AES_CBC:
+		{
+			return (crypter_t*)aes_cbc_crypter_create(blocksize);
+			
+		}
+		default:
+			return NULL;
+	}
+}
diff --git a/Source/charon/transforms/crypters/crypter.h b/Source/charon/transforms/crypters/crypter.h
index 1d2b2b35c..878ea5ef4 100644
--- a/Source/charon/transforms/crypters/crypter.h
+++ b/Source/charon/transforms/crypters/crypter.h
@@ -118,10 +118,11 @@ struct crypter_t {
  * @brief Generic constructor for crypter_t objects.
  * 
  * @param encryption_algorithm	Algorithm to use for crypter
+ * @param blocksize 				block size in bytes
  * @return
  * 								- crypter_t if successfully
  * 								- NULL if out of ressources or crypter not supported
  */
-crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm);
+crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm, size_t blocksize);
 
 #endif /*CRYPTER_H_*/
diff --git a/Source/charon/utils/logger_manager.c b/Source/charon/utils/logger_manager.c
index 021eeb2e4..005e6948b 100644
--- a/Source/charon/utils/logger_manager.c
+++ b/Source/charon/utils/logger_manager.c
@@ -148,6 +148,7 @@ static logger_t *create_logger(private_logger_manager_t *this, logger_context_t
 			logger_level |= FULL;
 			break;
 		case IKE_SA:
+			logger_level |= FULL;
 		case IKE_SA_MANAGER:
 		case MESSAGE:
 			logger_level |= ALL;