5 files changed, 69 insertions, 36 deletions

diff --git a/Source/charon/sa/authenticator.c b/Source/charon/sa/authenticator.c
index d735b633e..8b96246ac 100644
--- a/Source/charon/sa/authenticator.c
+++ b/Source/charon/sa/authenticator.c
@@ -206,9 +206,9 @@ static status_t verify_auth_data (private_authenticator_t *this,
 			status = charon->credentials->get_shared_secret(charon->credentials,
 															other_id,
 															&preshared_secret);
-			other_id->destroy(other_id);
 			if (status != SUCCESS)
 			{
+				other_id->destroy(other_id);
 				return status;	
 			}
 			
@@ -218,20 +218,26 @@ static status_t verify_auth_data (private_authenticator_t *this,
 																				  other_id_payload,
 																				  initiator,
 																				  preshared_secret);
+			allocator_free_chunk(&preshared_secret);
 			
 			if (auth_data.len != my_auth_data.len)
 			{
 				allocator_free_chunk(&my_auth_data);
-				return FAILED;
+				status = FAILED;
 			}
-			if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0)
+			else if (memcmp(auth_data.ptr,my_auth_data.ptr, my_auth_data.len) == 0)
 			{
+				this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret successful",
+										other_id->get_string(other_id));
 				status = SUCCESS;
 			}
 			else
 			{
+				this->logger->log(this->logger, CONTROL, "Authentication of %s with preshared secret failed",
+										other_id->get_string(other_id));
 				status = FAILED;
 			}
+			other_id->destroy(other_id);
 			allocator_free_chunk(&my_auth_data);
 			return status;
 		}
@@ -247,16 +253,28 @@ static status_t verify_auth_data (private_authenticator_t *this,
 			status = charon->credentials->get_rsa_public_key(charon->credentials,
 															other_id,
 															&public_key);
-			other_id->destroy(other_id);
 			if (status != SUCCESS)
 			{
+				other_id->destroy(other_id);
 				return status;	
 			}
 			
 			octets = this->allocate_octets(this,last_received_packet, my_nonce,other_id_payload, initiator);
 			
 			status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+			if (status == SUCCESS)
+			{
+				this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA successful",
+										other_id->get_string(other_id));
+			}
+			else
+			{
+				this->logger->log(this->logger, CONTROL, "Authentication of %s with RSA failed",
+										other_id->get_string(other_id));
+			}
 			
+			public_key->destroy(public_key);
+			other_id->destroy(other_id);
 			allocator_free_chunk(&octets);
 			return status;
 		}
@@ -300,6 +318,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
 			
 			auth_data = this->build_preshared_secret_signature(this, last_sent_packet, other_nonce,
 															   my_id_payload, initiator, preshared_secret);
+			allocator_free_chunk(&preshared_secret);
 			*auth_payload = auth_payload_create();
 			(*auth_payload)->set_auth_method(*auth_payload, SHARED_KEY_MESSAGE_INTEGRITY_CODE);
 			(*auth_payload)->set_data(*auth_payload, auth_data);
@@ -334,6 +353,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
 			(*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);
 			(*auth_payload)->set_data(*auth_payload, auth_data);
 
+			private_key->destroy(private_key);
 			allocator_free_chunk(&auth_data);
 			return SUCCESS;
 		}
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 6517c388c..c990e1dac 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -210,8 +210,8 @@ static status_t process_message (private_ike_sa_t *this, message_t *message)
 	is_request = message->get_request(message);
 	exchange_type = message->get_exchange_type(message);
 
-	this->logger->log(this->logger, CONTROL, "Process %s message of exchange type %s",
-					  (is_request) ? "REQUEST" : "RESPONSE",mapping_find(exchange_type_m,exchange_type));
+	this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
+					  (is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type));
 
 	message_id = message->get_message_id(message);
 
@@ -966,53 +966,61 @@ static void destroy (private_ike_sa_t *this)
 
 	/* inform other peer of delete */
 	send_delete_ike_sa_request(this);
-	
 	while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
 	{
 		child_sa->destroy(child_sa);
 	}
 	this->child_sas->destroy(this->child_sas);
-	if (this->crypter_initiator != NULL)
+	
+	if (this->crypter_initiator)
 	{
 		this->crypter_initiator->destroy(this->crypter_initiator);
 	}
-	if (this->crypter_responder != NULL)
+	if (this->crypter_responder)
 	{
 		this->crypter_responder->destroy(this->crypter_responder);
 	}
-	if (this->signer_initiator != NULL)
+	if (this->signer_initiator)
 	{
 		this->signer_initiator->destroy(this->signer_initiator);
 	}
-	if (this->signer_responder != NULL)
+	if (this->signer_responder)
 	{
 		this->signer_responder->destroy(this->signer_responder);
 	}
-	if (this->prf != NULL)
+	if (this->prf)
 	{
 		this->prf->destroy(this->prf);
 	}
-	if (this->child_prf != NULL)
+	if (this->child_prf)
 	{
 		this->child_prf->destroy(this->child_prf);
 	}
-	if (this->prf_auth_i != NULL)
+	if (this->prf_auth_i)
 	{
 		this->prf_auth_i->destroy(this->prf_auth_i);
 	}
-	if (this->prf_auth_r != NULL)
+	if (this->prf_auth_r)
 	{
 		this->prf_auth_r->destroy(this->prf_auth_r);
 	}
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	if (this->last_requested_message != NULL)
+	if (this->connection)
+	{
+		this->connection->destroy(this->connection);
+	}
+	if (this->policy)
+	{
+		this->policy->destroy(this->policy);
+	}
+	if (this->last_requested_message)
 	{
 		this->last_requested_message->destroy(this->last_requested_message);
 	}
-	if (this->last_responded_message != NULL)
+	if (this->last_responded_message)
 	{
 		this->last_responded_message->destroy(this->last_responded_message);
 	}
+	this->ike_sa_id->destroy(this->ike_sa_id);
 	this->randomizer->destroy(this->randomizer);
 	this->current_state->destroy(this->current_state);
 	charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index c80b7f72a..3fedf431c 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -352,16 +352,17 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
 	}
 	
 	this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_auth_reply->get_message_id(ike_auth_reply));
+	
 	/* create new state */
+	this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+	this->destroy_after_state_change(this);
+	
 	connection = this->ike_sa->get_connection(this->ike_sa);
 	my_host = connection->get_my_host(connection);
 	other_host = connection->get_other_host(connection);
-	this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s", 
-						my_host->get_address(my_host), other_host->get_address(other_host),
-						mapping_find(auth_method_m, auth_payload->get_auth_method(auth_payload)));
-						
-	this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
-	this->destroy_after_state_change(this);
+	this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", 
+					  my_host->get_address(my_host), other_host->get_address(other_host));
+	
 	return SUCCESS;
 }
 
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index 5e641f9b3..0c4b6b690 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -215,6 +215,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 	iterator_t *payloads;
 	host_t *me;
 	connection_t *connection;
+	policy_t *policy;
 
 	message_t *request;
 	status_t status;
@@ -344,6 +345,8 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
 	connection = this->ike_sa->get_connection(this->ike_sa);
 	me = ike_sa_init_reply->get_destination(ike_sa_init_reply);
 	connection->update_my_host(connection, me->clone(me));
+	policy = this->ike_sa->get_policy(this->ike_sa);
+	policy->update_my_ts(policy, me);
 	
 	/*  build empty message */
 	this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 8c93e3275..751f13517 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -247,10 +247,9 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
 				sa_request = (sa_payload_t*)payload;
 				break;
 			}
-
 			case TRAFFIC_SELECTOR_INITIATOR:
 			{
-				tsi_request = (ts_payload_t*)payload;				
+				tsi_request = (ts_payload_t*)payload;
 				break;	
 			}
 			case TRAFFIC_SELECTOR_RESPONDER:
@@ -360,16 +359,15 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
 		this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
 	}
 	
-	/* create new state */
+	/* create new state */						
+	this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
+	this->destroy_after_state_change(this);
+	
 	connection = this->ike_sa->get_connection(this->ike_sa);
 	my_host = connection->get_my_host(connection);
 	other_host = connection->get_other_host(connection);
-	this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s, authenticated peer with %s", 
-						my_host->get_address(my_host), other_host->get_address(other_host),
-						mapping_find(auth_method_m, auth_request->get_auth_method(auth_request)));
-						
-	this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
-	this->destroy_after_state_change(this);
+	this->logger->log(this->logger, AUDIT, "IKE_SA established between %s - %s", 
+					  my_host->get_address(my_host), other_host->get_address(other_host));
 
 	return SUCCESS;
 }
@@ -396,13 +394,13 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
 	{	
 		if (my_id)
 		{
-			this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses IDs %s to %s, which we have no policy for", 
+			this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA", 
 							other_id->get_string(other_id),my_id->get_string(my_id));
 			my_id->destroy(my_id);	
 		}
 		else
 		{
-			this->logger->log(this->logger, AUDIT, "IKE_AUTH request uses ID %s, which we have no policy for", 
+			this->logger->log(this->logger, AUDIT, "We don't have a policy for remote ID %s. Deleting IKE_SA", 
 							other_id->get_string(other_id));
 		}
 		other_id->destroy(other_id);
@@ -416,7 +414,10 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
 	other_id->destroy(other_id);
 	
 	/* get my id, if not requested */
-	my_id = this->policy->get_my_id(this->policy);	
+	my_id = this->policy->get_my_id(this->policy);
+	
+	/* update others traffic selectors with actually used address */
+	this->policy->update_other_ts(this->policy, response->get_destination(response));
 	
 	/* set policy in ike_sa for other states */
 	this->ike_sa->set_policy(this->ike_sa, this->policy);