projects / strongswan.git / blob
? search:


ac03a33feb19578c7d0b2d25b06bf39926a08ffa
[strongswan.git] / src / charon / sa / tasks / child_create.c
1 /**
2 * @file child_create.c
3 *
4 * @brief Implementation of the child_create task.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include "child_create.h"
25
26 #include <daemon.h>
27 #include <crypto/diffie_hellman.h>
28 #include <encoding/payloads/sa_payload.h>
29 #include <encoding/payloads/ke_payload.h>
30 #include <encoding/payloads/ts_payload.h>
31 #include <encoding/payloads/nonce_payload.h>
32 #include <encoding/payloads/notify_payload.h>
33
34
35 typedef struct private_child_create_t private_child_create_t;
36
37 /**
38 * Private members of a child_create_t task.
39 */
40 struct private_child_create_t {
41
42 /**
43 * Public methods and task_t interface.
44 */
45 child_create_t public;
46
47 /**
48 * Assigned IKE_SA.
49 */
50 ike_sa_t *ike_sa;
51
52 /**
53 * Are we the initiator?
54 */
55 bool initiator;
56
57 /**
58 * nonce chosen by us
59 */
60 chunk_t my_nonce;
61
62 /**
63 * nonce chosen by peer
64 */
65 chunk_t other_nonce;
66
67 /**
68 * config to create the CHILD_SA from
69 */
70 child_cfg_t *config;
71
72 /**
73 * list of proposal candidates
74 */
75 linked_list_t *proposals;
76
77 /**
78 * selected proposal to use for CHILD_SA
79 */
80 proposal_t *proposal;
81
82 /**
83 * traffic selectors for initiators side
84 */
85 linked_list_t *tsi;
86
87 /**
88 * traffic selectors for responders side
89 */
90 linked_list_t *tsr;
91
92 /**
93 * optional diffie hellman exchange
94 */
95 diffie_hellman_t *dh;
96
97 /**
98 * group used for DH exchange
99 */
100 diffie_hellman_group_t dh_group;
101
102 /**
103 * mode the new CHILD_SA uses (transport/tunnel/beet)
104 */
105 mode_t mode;
106
107 /**
108 * reqid to use if we are rekeying
109 */
110 u_int32_t reqid;
111
112 /**
113 * CHILD_SA which gets established
114 */
115 child_sa_t *child_sa;
116
117 /**
118 * successfully established the CHILD?
119 */
120 bool established;
121 };
122
123 /**
124 * get the nonce from a message
125 */
126 static status_t get_nonce(message_t *message, chunk_t *nonce)
127 {
128 nonce_payload_t *payload;
129
130 payload = (nonce_payload_t*)message->get_payload(message, NONCE);
131 if (payload == NULL)
132 {
133 return FAILED;
134 }
135 *nonce = payload->get_nonce(payload);
136 return NEED_MORE;
137 }
138
139 /**
140 * generate a new nonce to include in a CREATE_CHILD_SA message
141 */
142 static status_t generate_nonce(chunk_t *nonce)
143 {
144 status_t status;
145 randomizer_t *randomizer = randomizer_create();
146
147 status = randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE,
148 nonce);
149 randomizer->destroy(randomizer);
150 if (status != SUCCESS)
151 {
152 DBG1(DBG_IKE, "error generating random nonce value");
153 return FAILED;
154 }
155 return SUCCESS;
156 }
157
158 /**
159 * Check a list of traffic selectors if any selector belongs to host
160 */
161 static bool ts_list_is_host(linked_list_t *list, host_t *host)
162 {
163 traffic_selector_t *ts;
164 bool is_host = TRUE;
165 iterator_t *iterator = list->create_iterator(list, TRUE);
166
167 while (is_host && iterator->iterate(iterator, (void**)&ts))
168 {
169 is_host = is_host && ts->is_host(ts, host);
170 }
171 iterator->destroy(iterator);
172 return is_host;
173 }
174
175 /**
176 * Install a CHILD_SA for usage, return value:
177 * - FAILED: no acceptable proposal
178 * - INVALID_ARG: diffie hellman group inacceptable
179 * - NOT_FOUND: TS inacceptable
180 */
181 static status_t select_and_install(private_child_create_t *this, bool no_dh)
182 {
183 prf_plus_t *prf_plus;
184 status_t status;
185 chunk_t nonce_i, nonce_r, secret, seed;
186 linked_list_t *my_ts, *other_ts;
187 host_t *me, *other, *other_vip, *my_vip;
188
189 if (this->proposals == NULL)
190 {
191 SIG(CHILD_UP_FAILED, "SA payload missing in message");
192 return FAILED;
193 }
194 if (this->tsi == NULL || this->tsr == NULL)
195 {
196 SIG(CHILD_UP_FAILED, "TS payloads missing in message");
197 return NOT_FOUND;
198 }
199
200 if (this->initiator)
201 {
202 nonce_i = this->my_nonce;
203 nonce_r = this->other_nonce;
204 my_ts = this->tsi;
205 other_ts = this->tsr;
206 }
207 else
208 {
209 nonce_r = this->my_nonce;
210 nonce_i = this->other_nonce;
211 my_ts = this->tsr;
212 other_ts = this->tsi;
213 }
214
215 me = this->ike_sa->get_my_host(this->ike_sa);
216 other = this->ike_sa->get_other_host(this->ike_sa);
217 my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
218 other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
219
220 this->proposal = this->config->select_proposal(this->config, this->proposals,
221 no_dh);
222 if (this->proposal == NULL)
223 {
224 SIG(CHILD_UP_FAILED, "no acceptable proposal found");
225 return FAILED;
226 }
227
228 if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
229 {
230 algorithm_t *algo;
231 if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
232 &algo))
233 {
234 u_int16_t group = algo->algorithm;
235 SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N",
236 diffie_hellman_group_names, this->dh_group,
237 diffie_hellman_group_names, group);
238 this->dh_group = group;
239 return INVALID_ARG;
240 }
241 else
242 {
243 SIG(CHILD_UP_FAILED, "no acceptable proposal found");
244 return FAILED;
245 }
246 }
247
248 if (my_vip == NULL)
249 {
250 my_vip = me;
251 }
252 else if (this->initiator)
253 {
254 /* to setup firewall rules correctly, CHILD_SA needs the virtual IP */
255 this->child_sa->set_virtual_ip(this->child_sa, my_vip);
256 }
257 if (other_vip == NULL)
258 {
259 other_vip = other;
260 }
261
262 my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
263 my_vip);
264 other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
265 other_vip);
266
267 if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
268 {
269 SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found");
270 return NOT_FOUND;
271 }
272
273 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
274 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
275 if (this->initiator)
276 {
277 this->tsi = my_ts;
278 this->tsr = other_ts;
279 }
280 else
281 {
282 this->tsr = my_ts;
283 this->tsi = other_ts;
284 }
285
286 if (!this->initiator)
287 {
288 /* check if requested mode is acceptable, downgrade if required */
289 switch (this->mode)
290 {
291 case MODE_TRANSPORT:
292 if (!ts_list_is_host(this->tsi, other) ||
293 !ts_list_is_host(this->tsr, me))
294 {
295 this->mode = MODE_TUNNEL;
296 DBG1(DBG_IKE, "not using tranport mode, not host-to-host");
297 }
298 else if (this->ike_sa->is_natt_enabled(this->ike_sa))
299 {
300 this->mode = MODE_TUNNEL;
301 DBG1(DBG_IKE, "not using tranport mode, connection NATed");
302 }
303 break;
304 case MODE_BEET:
305 if (!ts_list_is_host(this->tsi, NULL) ||
306 !ts_list_is_host(this->tsr, NULL))
307 {
308 this->mode = MODE_TUNNEL;
309 DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
310 }
311 break;
312 default:
313 break;
314 }
315 }
316
317 if (this->dh)
318 {
319 if (this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
320 {
321 SIG(CHILD_UP_FAILED, "DH exchange incomplete");
322 return FAILED;
323 }
324 DBG3(DBG_IKE, "DH secret %B", &secret);
325 seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
326 }
327 else
328 {
329 seed = chunk_cata("cc", nonce_i, nonce_r);
330 }
331 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
332
333 if (this->initiator)
334 {
335 status = this->child_sa->update(this->child_sa, this->proposal,
336 this->mode, prf_plus);
337 }
338 else
339 {
340 status = this->child_sa->add(this->child_sa, this->proposal,
341 this->mode, prf_plus);
342 }
343 prf_plus->destroy(prf_plus);
344
345 if (status != SUCCESS)
346 {
347 SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel");
348 return FAILED;
349 }
350
351 status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
352 this->mode);
353
354 if (status != SUCCESS)
355 {
356 SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel");
357 return NOT_FOUND;
358 }
359 /* add to IKE_SA, and remove from task */
360 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
361 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
362 this->established = TRUE;
363 return SUCCESS;
364 }
365
366 /**
367 * build the payloads for the message
368 */
369 static void build_payloads(private_child_create_t *this, message_t *message)
370 {
371 sa_payload_t *sa_payload;
372 nonce_payload_t *nonce_payload;
373 ke_payload_t *ke_payload;
374 ts_payload_t *ts_payload;
375
376 /* add SA payload */
377 if (this->initiator)
378 {
379 sa_payload = sa_payload_create_from_proposal_list(this->proposals);
380 }
381 else
382 {
383 sa_payload = sa_payload_create_from_proposal(this->proposal);
384 }
385 message->add_payload(message, (payload_t*)sa_payload);
386
387 /* add nonce payload if not in IKE_AUTH */
388 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
389 {
390 nonce_payload = nonce_payload_create();
391 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
392 message->add_payload(message, (payload_t*)nonce_payload);
393 }
394
395 /* diffie hellman exchange, if PFS enabled */
396 if (this->dh)
397 {
398 ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
399 message->add_payload(message, (payload_t*)ke_payload);
400 }
401
402 /* add TSi/TSr payloads */
403 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
404 message->add_payload(message, (payload_t*)ts_payload);
405 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
406 message->add_payload(message, (payload_t*)ts_payload);
407
408 /* add a notify if we are not in tunnel mode */
409 switch (this->mode)
410 {
411 case MODE_TRANSPORT:
412 message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
413 break;
414 case MODE_BEET:
415 message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
416 break;
417 default:
418 break;
419 }
420 }
421
422 /**
423 * Read payloads from message
424 */
425 static void process_payloads(private_child_create_t *this, message_t *message)
426 {
427 iterator_t *iterator;
428 payload_t *payload;
429 sa_payload_t *sa_payload;
430 ke_payload_t *ke_payload;
431 ts_payload_t *ts_payload;
432 notify_payload_t *notify_payload;
433
434 /* defaults to TUNNEL mode */
435 this->mode = MODE_TUNNEL;
436
437 iterator = message->get_payload_iterator(message);
438 while (iterator->iterate(iterator, (void**)&payload))
439 {
440 switch (payload->get_type(payload))
441 {
442 case SECURITY_ASSOCIATION:
443 sa_payload = (sa_payload_t*)payload;
444 this->proposals = sa_payload->get_proposals(sa_payload);
445 break;
446 case KEY_EXCHANGE:
447 ke_payload = (ke_payload_t*)payload;
448 if (!this->initiator)
449 {
450 this->dh_group = ke_payload->get_dh_group_number(ke_payload);
451 this->dh = diffie_hellman_create(this->dh_group);
452 }
453 if (this->dh)
454 {
455 this->dh->set_other_public_value(this->dh,
456 ke_payload->get_key_exchange_data(ke_payload));
457 }
458 break;
459 case TRAFFIC_SELECTOR_INITIATOR:
460 ts_payload = (ts_payload_t*)payload;
461 this->tsi = ts_payload->get_traffic_selectors(ts_payload);
462 break;
463 case TRAFFIC_SELECTOR_RESPONDER:
464 ts_payload = (ts_payload_t*)payload;
465 this->tsr = ts_payload->get_traffic_selectors(ts_payload);
466 break;
467 case NOTIFY:
468 notify_payload = (notify_payload_t*)payload;
469 switch (notify_payload ->get_notify_type(notify_payload ))
470 {
471 case USE_TRANSPORT_MODE:
472 this->mode = MODE_TRANSPORT;
473 break;
474 case USE_BEET_MODE:
475 this->mode = MODE_BEET;
476 break;
477 default:
478 break;
479 }
480 break;
481 default:
482 break;
483 }
484 }
485 iterator->destroy(iterator);
486 }
487
488 /**
489 * Implementation of task_t.build for initiator
490 */
491 static status_t build_i(private_child_create_t *this, message_t *message)
492 {
493 host_t *me, *other, *vip;
494 peer_cfg_t *peer_cfg;
495
496 switch (message->get_exchange_type(message))
497 {
498 case IKE_SA_INIT:
499 return get_nonce(message, &this->my_nonce);
500 case CREATE_CHILD_SA:
501 if (generate_nonce(&this->my_nonce) != SUCCESS)
502 {
503 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
504 return SUCCESS;
505 }
506 if (this->dh_group == MODP_NONE)
507 {
508 this->dh_group = this->config->get_dh_group(this->config);
509 }
510 break;
511 case IKE_AUTH:
512 if (!message->get_payload(message, ID_INITIATOR))
513 {
514 /* send only in the first request, not in subsequent EAP */
515 return NEED_MORE;
516 }
517 break;
518 default:
519 break;
520 }
521
522 SIG(CHILD_UP_START, "establishing CHILD_SA");
523
524 me = this->ike_sa->get_my_host(this->ike_sa);
525 other = this->ike_sa->get_other_host(this->ike_sa);
526 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
527 vip = peer_cfg->get_virtual_ip(peer_cfg, NULL);
528
529 if (vip)
530 { /* propose a 0.0.0.0/0 subnet when we use virtual ip */
531 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
532 NULL, NULL);
533 vip->destroy(vip);
534 }
535 else
536 { /* but shorten a 0.0.0.0/0 subnet to the actual address if host2host */
537 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
538 NULL, me);
539 }
540 this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
541 NULL, other);
542 this->proposals = this->config->get_proposals(this->config,
543 this->dh_group == MODP_NONE);
544 this->mode = this->config->get_mode(this->config);
545
546 this->child_sa = child_sa_create(me, other,
547 this->ike_sa->get_my_id(this->ike_sa),
548 this->ike_sa->get_other_id(this->ike_sa),
549 this->config, this->reqid,
550 this->ike_sa->is_natt_enabled(this->ike_sa));
551
552 if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
553 {
554 SIG(CHILD_UP_FAILED, "unable to allocate SPIs from kernel");
555 return FAILED;
556 }
557
558 if (this->dh_group != MODP_NONE)
559 {
560 this->dh = diffie_hellman_create(this->dh_group);
561 }
562
563 build_payloads(this, message);
564
565 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
566 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
567 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
568 this->tsi = NULL;
569 this->tsr = NULL;
570 this->proposals = NULL;
571
572 return NEED_MORE;
573 }
574
575 /**
576 * Implementation of task_t.process for initiator
577 */
578 static status_t process_r(private_child_create_t *this, message_t *message)
579 {
580 peer_cfg_t *peer_cfg;
581
582 switch (message->get_exchange_type(message))
583 {
584 case IKE_SA_INIT:
585 return get_nonce(message, &this->other_nonce);
586 case CREATE_CHILD_SA:
587 get_nonce(message, &this->other_nonce);
588 break;
589 case IKE_AUTH:
590 if (message->get_payload(message, ID_INITIATOR) == NULL)
591 {
592 /* wait until extensible authentication completed, if used */
593 return NEED_MORE;
594 }
595 default:
596 break;
597 }
598
599 process_payloads(this, message);
600
601 if (this->tsi == NULL || this->tsr == NULL)
602 {
603 DBG1(DBG_IKE, "TS payload missing in message");
604 return NEED_MORE;
605 }
606
607 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
608 if (peer_cfg)
609 {
610 this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr, this->tsi,
611 this->ike_sa->get_my_host(this->ike_sa),
612 this->ike_sa->get_other_host(this->ike_sa));
613 }
614 return NEED_MORE;
615 }
616
617 /**
618 * Implementation of task_t.build for responder
619 */
620 static status_t build_r(private_child_create_t *this, message_t *message)
621 {
622 bool no_dh = TRUE;
623
624 switch (message->get_exchange_type(message))
625 {
626 case IKE_SA_INIT:
627 return get_nonce(message, &this->my_nonce);
628 case CREATE_CHILD_SA:
629 if (generate_nonce(&this->my_nonce) != SUCCESS)
630 {
631 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
632 return SUCCESS;
633 }
634 no_dh = FALSE;
635 break;
636 case IKE_AUTH:
637 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
638 {
639 /* wait until extensible authentication completed, if used */
640 return NEED_MORE;
641 }
642 default:
643 break;
644 }
645
646 if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
647 {
648 SIG(CHILD_UP_FAILED, "unable to create CHILD_SA while rekeying IKE_SA");
649 message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
650 return SUCCESS;
651 }
652
653 if (this->config == NULL)
654 {
655 SIG(CHILD_UP_FAILED, "traffic selectors %#R=== %#R inacceptable",
656 this->tsr, this->tsi);
657 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
658 return SUCCESS;
659 }
660
661 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
662 this->ike_sa->get_other_host(this->ike_sa),
663 this->ike_sa->get_my_id(this->ike_sa),
664 this->ike_sa->get_other_id(this->ike_sa),
665 this->config, this->reqid,
666 this->ike_sa->is_natt_enabled(this->ike_sa));
667
668 switch (select_and_install(this, no_dh))
669 {
670 case SUCCESS:
671 break;
672 case NOT_FOUND:
673 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
674 return SUCCESS;
675 case INVALID_ARG:
676 {
677 u_int16_t group = htons(this->dh_group);
678 message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
679 chunk_from_thing(group));
680 return SUCCESS;
681 }
682 case FAILED:
683 default:
684 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
685 return SUCCESS;
686 }
687
688 build_payloads(this, message);
689
690 SIG(CHILD_UP_SUCCESS, "established CHILD_SA successfully");
691
692 return SUCCESS;
693 }
694
695 /**
696 * Implementation of task_t.process for initiator
697 */
698 static status_t process_i(private_child_create_t *this, message_t *message)
699 {
700 iterator_t *iterator;
701 payload_t *payload;
702 bool no_dh = TRUE;
703
704 switch (message->get_exchange_type(message))
705 {
706 case IKE_SA_INIT:
707 return get_nonce(message, &this->other_nonce);
708 case CREATE_CHILD_SA:
709 get_nonce(message, &this->other_nonce);
710 no_dh = FALSE;
711 break;
712 case IKE_AUTH:
713 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
714 {
715 /* wait until extensible authentication completed, if used */
716 return NEED_MORE;
717 }
718 default:
719 break;
720 }
721
722 /* check for erronous notifies */
723 iterator = message->get_payload_iterator(message);
724 while (iterator->iterate(iterator, (void**)&payload))
725 {
726 if (payload->get_type(payload) == NOTIFY)
727 {
728 notify_payload_t *notify = (notify_payload_t*)payload;
729 notify_type_t type = notify->get_notify_type(notify);
730
731 switch (type)
732 {
733 /* handle notify errors related to CHILD_SA only */
734 case NO_PROPOSAL_CHOSEN:
735 case SINGLE_PAIR_REQUIRED:
736 case NO_ADDITIONAL_SAS:
737 case INTERNAL_ADDRESS_FAILURE:
738 case FAILED_CP_REQUIRED:
739 case TS_UNACCEPTABLE:
740 case INVALID_SELECTORS:
741 {
742 SIG(CHILD_UP_FAILED, "received %N notify, no CHILD_SA built",
743 notify_type_names, type);
744 iterator->destroy(iterator);
745 /* an error in CHILD_SA creation is not critical */
746 return SUCCESS;
747 }
748 case INVALID_KE_PAYLOAD:
749 {
750 chunk_t data;
751 diffie_hellman_group_t bad_group;
752
753 bad_group = this->dh_group;
754 data = notify->get_notification_data(notify);
755 this->dh_group = ntohs(*((u_int16_t*)data.ptr));
756 DBG1(DBG_IKE, "peer didn't accept DH group %N, "
757 "it requested %N", diffie_hellman_group_names,
758 bad_group, diffie_hellman_group_names, this->dh_group);
759
760 this->public.task.migrate(&this->public.task, this->ike_sa);
761 iterator->destroy(iterator);
762 return NEED_MORE;
763 }
764 default:
765 break;
766 }
767 }
768 }
769 iterator->destroy(iterator);
770
771 process_payloads(this, message);
772
773 if (select_and_install(this, no_dh) == SUCCESS)
774 {
775 SIG(CHILD_UP_SUCCESS, "established CHILD_SA successfully");
776 }
777 return SUCCESS;
778 }
779
780 /**
781 * Implementation of task_t.get_type
782 */
783 static task_type_t get_type(private_child_create_t *this)
784 {
785 return CHILD_CREATE;
786 }
787
788 /**
789 * Implementation of child_create_t.use_reqid
790 */
791 static void use_reqid(private_child_create_t *this, u_int32_t reqid)
792 {
793 this->reqid = reqid;
794 }
795
796 /**
797 * Implementation of child_create_t.get_child
798 */
799 static child_sa_t* get_child(private_child_create_t *this)
800 {
801 return this->child_sa;
802 }
803
804 /**
805 * Implementation of child_create_t.get_lower_nonce
806 */
807 static chunk_t get_lower_nonce(private_child_create_t *this)
808 {
809 if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
810 min(this->my_nonce.len, this->other_nonce.len)) < 0)
811 {
812 return this->my_nonce;
813 }
814 else
815 {
816 return this->other_nonce;
817 }
818 }
819
820 /**
821 * Implementation of task_t.migrate
822 */
823 static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
824 {
825 chunk_free(&this->my_nonce);
826 chunk_free(&this->other_nonce);
827 if (this->tsi)
828 {
829 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
830 }
831 if (this->tsr)
832 {
833 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
834 }
835 DESTROY_IF(this->child_sa);
836 DESTROY_IF(this->proposal);
837 DESTROY_IF(this->dh);
838 if (this->proposals)
839 {
840 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
841 }
842
843 this->ike_sa = ike_sa;
844 this->proposals = NULL;
845 this->tsi = NULL;
846 this->tsr = NULL;
847 this->dh = NULL;
848 this->child_sa = NULL;
849 this->mode = MODE_TUNNEL;
850 this->reqid = 0;
851 this->established = FALSE;
852 }
853
854 /**
855 * Implementation of task_t.destroy
856 */
857 static void destroy(private_child_create_t *this)
858 {
859 chunk_free(&this->my_nonce);
860 chunk_free(&this->other_nonce);
861 if (this->tsi)
862 {
863 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
864 }
865 if (this->tsr)
866 {
867 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
868 }
869 if (!this->established)
870 {
871 DESTROY_IF(this->child_sa);
872 }
873 DESTROY_IF(this->proposal);
874 DESTROY_IF(this->dh);
875 if (this->proposals)
876 {
877 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
878 }
879
880 DESTROY_IF(this->config);
881 free(this);
882 }
883
884 /*
885 * Described in header.
886 */
887 child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
888 {
889 private_child_create_t *this = malloc_thing(private_child_create_t);
890
891 this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child;
892 this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce;
893 this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid;
894 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
895 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
896 this->public.task.destroy = (void(*)(task_t*))destroy;
897 if (config)
898 {
899 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
900 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
901 this->initiator = TRUE;
902 config->get_ref(config);
903 }
904 else
905 {
906 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
907 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
908 this->initiator = FALSE;
909 }
910
911 this->ike_sa = ike_sa;
912 this->config = config;
913 this->my_nonce = chunk_empty;
914 this->other_nonce = chunk_empty;
915 this->proposals = NULL;
916 this->proposal = NULL;
917 this->tsi = NULL;
918 this->tsr = NULL;
919 this->dh = NULL;
920 this->dh_group = MODP_NONE;
921 this->child_sa = NULL;
922 this->mode = MODE_TUNNEL;
923 this->reqid = 0;
924 this->established = FALSE;
925
926 return &this->public;
927 }
strongSwan - IPsec VPN