corrected captions
[strongswan.git] / src / charon / sa / tasks / child_create.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 #include "child_create.h"
21
22 #include <daemon.h>
23 #include <crypto/diffie_hellman.h>
24 #include <encoding/payloads/sa_payload.h>
25 #include <encoding/payloads/ke_payload.h>
26 #include <encoding/payloads/ts_payload.h>
27 #include <encoding/payloads/nonce_payload.h>
28 #include <encoding/payloads/notify_payload.h>
29 #include <processing/jobs/delete_ike_sa_job.h>
30
31
32 typedef struct private_child_create_t private_child_create_t;
33
34 /**
35 * Private members of a child_create_t task.
36 */
37 struct private_child_create_t {
38
39 /**
40 * Public methods and task_t interface.
41 */
42 child_create_t public;
43
44 /**
45 * Assigned IKE_SA.
46 */
47 ike_sa_t *ike_sa;
48
49 /**
50 * Are we the initiator?
51 */
52 bool initiator;
53
54 /**
55 * nonce chosen by us
56 */
57 chunk_t my_nonce;
58
59 /**
60 * nonce chosen by peer
61 */
62 chunk_t other_nonce;
63
64 /**
65 * config to create the CHILD_SA from
66 */
67 child_cfg_t *config;
68
69 /**
70 * list of proposal candidates
71 */
72 linked_list_t *proposals;
73
74 /**
75 * selected proposal to use for CHILD_SA
76 */
77 proposal_t *proposal;
78
79 /**
80 * traffic selectors for initiators side
81 */
82 linked_list_t *tsi;
83
84 /**
85 * traffic selectors for responders side
86 */
87 linked_list_t *tsr;
88
89 /**
90 * optional diffie hellman exchange
91 */
92 diffie_hellman_t *dh;
93
94 /**
95 * group used for DH exchange
96 */
97 diffie_hellman_group_t dh_group;
98
99 /**
100 * IKE_SAs keymat
101 */
102 keymat_t *keymat;
103
104 /**
105 * mode the new CHILD_SA uses (transport/tunnel/beet)
106 */
107 ipsec_mode_t mode;
108
109 /**
110 * IPComp transform to use
111 */
112 ipcomp_transform_t ipcomp;
113
114 /**
115 * IPComp transform proposed or accepted by the other peer
116 */
117 ipcomp_transform_t ipcomp_received;
118
119 /**
120 * Other Compression Parameter Index (CPI)
121 */
122 u_int16_t other_cpi;
123
124 /**
125 * reqid to use if we are rekeying
126 */
127 u_int32_t reqid;
128
129 /**
130 * CHILD_SA which gets established
131 */
132 child_sa_t *child_sa;
133
134 /**
135 * successfully established the CHILD?
136 */
137 bool established;
138 };
139
140 /**
141 * get the nonce from a message
142 */
143 static status_t get_nonce(message_t *message, chunk_t *nonce)
144 {
145 nonce_payload_t *payload;
146
147 payload = (nonce_payload_t*)message->get_payload(message, NONCE);
148 if (payload == NULL)
149 {
150 return FAILED;
151 }
152 *nonce = payload->get_nonce(payload);
153 return NEED_MORE;
154 }
155
156 /**
157 * generate a new nonce to include in a CREATE_CHILD_SA message
158 */
159 static status_t generate_nonce(chunk_t *nonce)
160 {
161 rng_t *rng;
162
163 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
164 if (!rng)
165 {
166 DBG1(DBG_IKE, "error generating nonce value, no RNG found");
167 return FAILED;
168 }
169 rng->allocate_bytes(rng, NONCE_SIZE, nonce);
170 rng->destroy(rng);
171 return SUCCESS;
172 }
173
174 /**
175 * Check a list of traffic selectors if any selector belongs to host
176 */
177 static bool ts_list_is_host(linked_list_t *list, host_t *host)
178 {
179 traffic_selector_t *ts;
180 bool is_host = TRUE;
181 iterator_t *iterator = list->create_iterator(list, TRUE);
182
183 while (is_host && iterator->iterate(iterator, (void**)&ts))
184 {
185 is_host = is_host && ts->is_host(ts, host);
186 }
187 iterator->destroy(iterator);
188 return is_host;
189 }
190
191 /**
192 * Install a CHILD_SA for usage, return value:
193 * - FAILED: no acceptable proposal
194 * - INVALID_ARG: diffie hellman group inacceptable
195 * - NOT_FOUND: TS inacceptable
196 */
197 static status_t select_and_install(private_child_create_t *this, bool no_dh)
198 {
199 status_t status;
200 chunk_t nonce_i, nonce_r, encr_i, integ_i, encr_r, integ_r;
201 linked_list_t *my_ts, *other_ts;
202 host_t *me, *other, *other_vip, *my_vip;
203
204 if (this->proposals == NULL)
205 {
206 DBG1(DBG_IKE, "SA payload missing in message");
207 return FAILED;
208 }
209 if (this->tsi == NULL || this->tsr == NULL)
210 {
211 DBG1(DBG_IKE, "TS payloads missing in message");
212 return NOT_FOUND;
213 }
214
215 me = this->ike_sa->get_my_host(this->ike_sa);
216 other = this->ike_sa->get_other_host(this->ike_sa);
217 my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
218 other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
219
220 this->proposal = this->config->select_proposal(this->config, this->proposals,
221 no_dh);
222 if (this->proposal == NULL)
223 {
224 DBG1(DBG_IKE, "no acceptable proposal found");
225 return FAILED;
226 }
227
228 if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
229 {
230 u_int16_t group;
231
232 if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
233 &group, NULL))
234 {
235 DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
236 diffie_hellman_group_names, this->dh_group,
237 diffie_hellman_group_names, group);
238 this->dh_group = group;
239 return INVALID_ARG;
240 }
241 else
242 {
243 DBG1(DBG_IKE, "no acceptable proposal found");
244 return FAILED;
245 }
246 }
247
248 if (my_vip == NULL)
249 {
250 my_vip = me;
251 }
252 if (other_vip == NULL)
253 {
254 other_vip = other;
255 }
256
257 if (this->initiator)
258 {
259 nonce_i = this->my_nonce;
260 nonce_r = this->other_nonce;
261 my_ts = this->tsi;
262 other_ts = this->tsr;
263 }
264 else
265 {
266 nonce_r = this->my_nonce;
267 nonce_i = this->other_nonce;
268 my_ts = this->tsr;
269 other_ts = this->tsi;
270 }
271 my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
272 my_vip);
273 other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
274 other_vip);
275
276 if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
277 {
278 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
279 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
280 DBG1(DBG_IKE, "no acceptable traffic selectors found");
281 return NOT_FOUND;
282 }
283
284 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
285 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
286 if (this->initiator)
287 {
288 this->tsi = my_ts;
289 this->tsr = other_ts;
290 }
291 else
292 {
293 this->tsr = my_ts;
294 this->tsi = other_ts;
295 }
296
297 if (!this->initiator)
298 {
299 /* check if requested mode is acceptable, downgrade if required */
300 switch (this->mode)
301 {
302 case MODE_TRANSPORT:
303 if (!ts_list_is_host(this->tsi, other) ||
304 !ts_list_is_host(this->tsr, me))
305 {
306 this->mode = MODE_TUNNEL;
307 DBG1(DBG_IKE, "not using tranport mode, not host-to-host");
308 }
309 else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
310 {
311 this->mode = MODE_TUNNEL;
312 DBG1(DBG_IKE, "not using tranport mode, connection NATed");
313 }
314 break;
315 case MODE_BEET:
316 if (!ts_list_is_host(this->tsi, NULL) ||
317 !ts_list_is_host(this->tsr, NULL))
318 {
319 this->mode = MODE_TUNNEL;
320 DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
321 }
322 break;
323 default:
324 break;
325 }
326 }
327
328 if (this->ipcomp != IPCOMP_NONE)
329 {
330 this->child_sa->activate_ipcomp(this->child_sa, this->ipcomp,
331 this->other_cpi);
332 }
333
334 status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
335 this->mode, this->proposal->get_protocol(this->proposal));
336 if (status != SUCCESS)
337 {
338 DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
339 return NOT_FOUND;
340 }
341
342 status = FAILED;
343 if (this->keymat->derive_child_keys(this->keymat, this->proposal,
344 this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
345 {
346 if (this->initiator)
347 {
348 status = this->child_sa->update(this->child_sa, this->proposal,
349 this->mode, integ_r, integ_i, encr_r, encr_i);
350 }
351 else
352 {
353 status = this->child_sa->add(this->child_sa, this->proposal,
354 this->mode, integ_i, integ_r, encr_i, encr_r);
355 }
356 }
357 chunk_clear(&integ_i);
358 chunk_clear(&integ_r);
359 chunk_clear(&encr_i);
360 chunk_clear(&encr_r);
361
362 if (status != SUCCESS)
363 {
364 DBG1(DBG_IKE, "unable to install IPsec SA (SAD) in kernel");
365 return FAILED;
366 }
367
368 charon->bus->child_keys(charon->bus, this->child_sa, this->dh,
369 nonce_i, nonce_r);
370
371 /* add to IKE_SA, and remove from task */
372 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
373 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
374 this->established = TRUE;
375 return SUCCESS;
376 }
377
378 /**
379 * build the payloads for the message
380 */
381 static void build_payloads(private_child_create_t *this, message_t *message)
382 {
383 sa_payload_t *sa_payload;
384 nonce_payload_t *nonce_payload;
385 ke_payload_t *ke_payload;
386 ts_payload_t *ts_payload;
387
388 /* add SA payload */
389 if (this->initiator)
390 {
391 sa_payload = sa_payload_create_from_proposal_list(this->proposals);
392 }
393 else
394 {
395 sa_payload = sa_payload_create_from_proposal(this->proposal);
396 }
397 message->add_payload(message, (payload_t*)sa_payload);
398
399 /* add nonce payload if not in IKE_AUTH */
400 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
401 {
402 nonce_payload = nonce_payload_create();
403 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
404 message->add_payload(message, (payload_t*)nonce_payload);
405 }
406
407 /* diffie hellman exchange, if PFS enabled */
408 if (this->dh)
409 {
410 ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
411 message->add_payload(message, (payload_t*)ke_payload);
412 }
413
414 /* add TSi/TSr payloads */
415 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
416 message->add_payload(message, (payload_t*)ts_payload);
417 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
418 message->add_payload(message, (payload_t*)ts_payload);
419
420 /* add a notify if we are not in tunnel mode */
421 switch (this->mode)
422 {
423 case MODE_TRANSPORT:
424 message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
425 break;
426 case MODE_BEET:
427 message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
428 break;
429 default:
430 break;
431 }
432 }
433
434 /**
435 * Adds an IPCOMP_SUPPORTED notify to the message, if possible
436 */
437 static void build_ipcomp_supported_notify(private_child_create_t *this,
438 message_t *message)
439 {
440 u_int16_t cpi;
441 u_int8_t tid;
442
443 if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
444 {
445 DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
446 "IPComp disabled");
447 this->ipcomp = IPCOMP_NONE;
448 return;
449 }
450
451 cpi = this->child_sa->allocate_cpi(this->child_sa);
452 tid = this->ipcomp;
453 if (cpi)
454 {
455 message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
456 chunk_cata("cc", chunk_from_thing(cpi), chunk_from_thing(tid)));
457 }
458 else
459 {
460 DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
461 this->ipcomp = IPCOMP_NONE;
462 }
463 }
464
465 /**
466 * Read payloads from message
467 */
468 static void process_payloads(private_child_create_t *this, message_t *message)
469 {
470 iterator_t *iterator;
471 payload_t *payload;
472 sa_payload_t *sa_payload;
473 ke_payload_t *ke_payload;
474 ts_payload_t *ts_payload;
475 notify_payload_t *notify_payload;
476
477 /* defaults to TUNNEL mode */
478 this->mode = MODE_TUNNEL;
479
480 iterator = message->get_payload_iterator(message);
481 while (iterator->iterate(iterator, (void**)&payload))
482 {
483 switch (payload->get_type(payload))
484 {
485 case SECURITY_ASSOCIATION:
486 sa_payload = (sa_payload_t*)payload;
487 this->proposals = sa_payload->get_proposals(sa_payload);
488 break;
489 case KEY_EXCHANGE:
490 ke_payload = (ke_payload_t*)payload;
491 if (!this->initiator)
492 {
493 this->dh_group = ke_payload->get_dh_group_number(ke_payload);
494 this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
495 }
496 if (this->dh)
497 {
498 this->dh->set_other_public_value(this->dh,
499 ke_payload->get_key_exchange_data(ke_payload));
500 }
501 break;
502 case TRAFFIC_SELECTOR_INITIATOR:
503 ts_payload = (ts_payload_t*)payload;
504 this->tsi = ts_payload->get_traffic_selectors(ts_payload);
505 break;
506 case TRAFFIC_SELECTOR_RESPONDER:
507 ts_payload = (ts_payload_t*)payload;
508 this->tsr = ts_payload->get_traffic_selectors(ts_payload);
509 break;
510 case NOTIFY:
511 notify_payload = (notify_payload_t*)payload;
512 switch (notify_payload ->get_notify_type(notify_payload ))
513 {
514 case USE_TRANSPORT_MODE:
515 this->mode = MODE_TRANSPORT;
516 break;
517 case USE_BEET_MODE:
518 this->mode = MODE_BEET;
519 break;
520 case IPCOMP_SUPPORTED:
521 {
522 chunk_t data = notify_payload->get_notification_data(notify_payload);
523 u_int16_t cpi = *(u_int16_t*)data.ptr;
524 ipcomp_transform_t ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
525 switch(ipcomp)
526 {
527 case IPCOMP_DEFLATE:
528 this->other_cpi = cpi;
529 this->ipcomp_received = ipcomp;
530 break;
531 case IPCOMP_LZS:
532 case IPCOMP_LZJH:
533 default:
534 DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a transform"
535 " ID we don't support %N", ipcomp_transform_names, ipcomp);
536 break;
537 }
538 }
539 default:
540 break;
541 }
542 break;
543 default:
544 break;
545 }
546 }
547 iterator->destroy(iterator);
548 }
549
550 /**
551 * Implementation of task_t.build for initiator
552 */
553 static status_t build_i(private_child_create_t *this, message_t *message)
554 {
555 host_t *me, *other, *vip;
556 bool propose_all = FALSE;
557 peer_cfg_t *peer_cfg;
558
559 switch (message->get_exchange_type(message))
560 {
561 case IKE_SA_INIT:
562 return get_nonce(message, &this->my_nonce);
563 case CREATE_CHILD_SA:
564 if (generate_nonce(&this->my_nonce) != SUCCESS)
565 {
566 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
567 return SUCCESS;
568 }
569 if (this->dh_group == MODP_NONE)
570 {
571 this->dh_group = this->config->get_dh_group(this->config);
572 }
573 break;
574 case IKE_AUTH:
575 if (!message->get_payload(message, ID_INITIATOR))
576 {
577 /* send only in the first request, not in subsequent EAP */
578 return NEED_MORE;
579 }
580 break;
581 default:
582 break;
583 }
584
585 if (this->reqid)
586 {
587 DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
588 this->config->get_name(this->config), this->reqid);
589 }
590 else
591 {
592 DBG0(DBG_IKE, "establishing CHILD_SA %s",
593 this->config->get_name(this->config));
594 }
595
596 /* reuse virtual IP if we already have one */
597 me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
598 if (me == NULL)
599 {
600 me = this->ike_sa->get_my_host(this->ike_sa);
601 }
602 other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
603 if (other == NULL)
604 {
605 other = this->ike_sa->get_other_host(this->ike_sa);
606 }
607
608 /* check if we want a virtual IP, but don't have one */
609 if (!this->reqid)
610 {
611 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
612 vip = peer_cfg->get_virtual_ip(peer_cfg);
613 if (vip)
614 {
615 propose_all = TRUE;
616 }
617 }
618
619 if (propose_all)
620 { /* propose a 0.0.0.0/0 subnet when we use virtual ip */
621 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
622 NULL, NULL);
623 }
624 else
625 { /* but shorten a 0.0.0.0/0 subnet for host2host/we already have a vip */
626 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
627 NULL, me);
628 }
629 this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
630 NULL, other);
631
632 this->proposals = this->config->get_proposals(this->config,
633 this->dh_group == MODP_NONE);
634 this->mode = this->config->get_mode(this->config);
635
636 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
637 this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
638 this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
639
640 if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
641 {
642 DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
643 return FAILED;
644 }
645
646 if (this->dh_group != MODP_NONE)
647 {
648 this->dh = this->keymat->create_dh(this->keymat, this->dh_group);
649 }
650
651 if (this->config->use_ipcomp(this->config)) {
652 /* IPCOMP_DEFLATE is the only transform we support at the moment */
653 this->ipcomp = IPCOMP_DEFLATE;
654 build_ipcomp_supported_notify(this, message);
655 }
656
657 build_payloads(this, message);
658
659 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
660 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
661 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
662 this->tsi = NULL;
663 this->tsr = NULL;
664 this->proposals = NULL;
665
666 return NEED_MORE;
667 }
668
669 /**
670 * Implementation of task_t.process for responder
671 */
672 static status_t process_r(private_child_create_t *this, message_t *message)
673 {
674 peer_cfg_t *peer_cfg;
675
676 switch (message->get_exchange_type(message))
677 {
678 case IKE_SA_INIT:
679 return get_nonce(message, &this->other_nonce);
680 case CREATE_CHILD_SA:
681 get_nonce(message, &this->other_nonce);
682 break;
683 case IKE_AUTH:
684 if (message->get_payload(message, ID_INITIATOR) == NULL)
685 {
686 /* wait until extensible authentication completed, if used */
687 return NEED_MORE;
688 }
689 default:
690 break;
691 }
692
693 process_payloads(this, message);
694
695 if (this->tsi == NULL || this->tsr == NULL)
696 {
697 DBG1(DBG_IKE, "TS payload missing in message");
698 return NEED_MORE;
699 }
700
701 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
702 if (peer_cfg)
703 {
704 host_t *me, *other;
705
706 me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
707 if (me == NULL)
708 {
709 me = this->ike_sa->get_my_host(this->ike_sa);
710 }
711 other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
712 if (other == NULL)
713 {
714 other = this->ike_sa->get_other_host(this->ike_sa);
715 }
716
717 this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
718 this->tsi, me, other);
719 }
720 return NEED_MORE;
721 }
722
723 /**
724 * handle CHILD_SA setup failure
725 */
726 static void handle_child_sa_failure(private_child_create_t *this,
727 message_t *message)
728 {
729 if (message->get_exchange_type(message) == IKE_AUTH &&
730 lib->settings->get_bool(lib->settings,
731 "charon.close_ike_on_child_failure", FALSE))
732 {
733 /* we delay the delete for 100ms, as the IKE_AUTH response must arrive
734 * first */
735 DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
736 charon->scheduler->schedule_job(charon->scheduler, (job_t*)
737 delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
738 100);
739 }
740 }
741
742 /**
743 * Implementation of task_t.build for responder
744 */
745 static status_t build_r(private_child_create_t *this, message_t *message)
746 {
747 payload_t *payload;
748 iterator_t *iterator;
749 bool no_dh = TRUE;
750
751 switch (message->get_exchange_type(message))
752 {
753 case IKE_SA_INIT:
754 return get_nonce(message, &this->my_nonce);
755 case CREATE_CHILD_SA:
756 if (generate_nonce(&this->my_nonce) != SUCCESS)
757 {
758 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
759 chunk_empty);
760 return SUCCESS;
761 }
762 no_dh = FALSE;
763 break;
764 case IKE_AUTH:
765 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
766 {
767 /* wait until extensible authentication completed, if used */
768 return NEED_MORE;
769 }
770 default:
771 break;
772 }
773
774 if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
775 {
776 DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
777 message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
778 return SUCCESS;
779 }
780
781 if (this->config == NULL)
782 {
783 DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
784 this->tsr, this->tsi);
785 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
786 handle_child_sa_failure(this, message);
787 return SUCCESS;
788 }
789
790 /* check if ike_config_t included non-critical error notifies */
791 iterator = message->get_payload_iterator(message);
792 while (iterator->iterate(iterator, (void**)&payload))
793 {
794 if (payload->get_type(payload) == NOTIFY)
795 {
796 notify_payload_t *notify = (notify_payload_t*)payload;
797
798 switch (notify->get_notify_type(notify))
799 {
800 case INTERNAL_ADDRESS_FAILURE:
801 case FAILED_CP_REQUIRED:
802 {
803 DBG1(DBG_IKE,"configuration payload negotation "
804 "failed, no CHILD_SA built");
805 iterator->destroy(iterator);
806 handle_child_sa_failure(this, message);
807 return SUCCESS;
808 }
809 default:
810 break;
811 }
812 }
813 }
814 iterator->destroy(iterator);
815
816 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
817 this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
818 this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
819
820 if (this->config->use_ipcomp(this->config) &&
821 this->ipcomp_received != IPCOMP_NONE)
822 {
823 this->ipcomp = this->ipcomp_received;
824 build_ipcomp_supported_notify(this, message);
825 }
826 else if (this->ipcomp_received != IPCOMP_NONE)
827 {
828 DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
829 notify_type_names, IPCOMP_SUPPORTED);
830 }
831
832 switch (select_and_install(this, no_dh))
833 {
834 case SUCCESS:
835 break;
836 case NOT_FOUND:
837 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
838 handle_child_sa_failure(this, message);
839 return SUCCESS;
840 case INVALID_ARG:
841 {
842 u_int16_t group = htons(this->dh_group);
843 message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
844 chunk_from_thing(group));
845 handle_child_sa_failure(this, message);
846 return SUCCESS;
847 }
848 case FAILED:
849 default:
850 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
851 handle_child_sa_failure(this, message);
852 return SUCCESS;
853 }
854
855 build_payloads(this, message);
856
857 DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
858 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
859 this->child_sa->get_name(this->child_sa),
860 this->child_sa->get_reqid(this->child_sa),
861 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
862 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
863 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
864 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
865
866 return SUCCESS;
867 }
868
869 /**
870 * Implementation of task_t.process for initiator
871 */
872 static status_t process_i(private_child_create_t *this, message_t *message)
873 {
874 iterator_t *iterator;
875 payload_t *payload;
876 bool no_dh = TRUE;
877
878 switch (message->get_exchange_type(message))
879 {
880 case IKE_SA_INIT:
881 return get_nonce(message, &this->other_nonce);
882 case CREATE_CHILD_SA:
883 get_nonce(message, &this->other_nonce);
884 no_dh = FALSE;
885 break;
886 case IKE_AUTH:
887 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
888 {
889 /* wait until extensible authentication completed, if used */
890 return NEED_MORE;
891 }
892 default:
893 break;
894 }
895
896 /* check for erronous notifies */
897 iterator = message->get_payload_iterator(message);
898 while (iterator->iterate(iterator, (void**)&payload))
899 {
900 if (payload->get_type(payload) == NOTIFY)
901 {
902 notify_payload_t *notify = (notify_payload_t*)payload;
903 notify_type_t type = notify->get_notify_type(notify);
904
905 switch (type)
906 {
907 /* handle notify errors related to CHILD_SA only */
908 case NO_PROPOSAL_CHOSEN:
909 case SINGLE_PAIR_REQUIRED:
910 case NO_ADDITIONAL_SAS:
911 case INTERNAL_ADDRESS_FAILURE:
912 case FAILED_CP_REQUIRED:
913 case TS_UNACCEPTABLE:
914 case INVALID_SELECTORS:
915 {
916 DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
917 notify_type_names, type);
918 iterator->destroy(iterator);
919 handle_child_sa_failure(this, message);
920 /* an error in CHILD_SA creation is not critical */
921 return SUCCESS;
922 }
923 case INVALID_KE_PAYLOAD:
924 {
925 chunk_t data;
926 diffie_hellman_group_t bad_group;
927
928 bad_group = this->dh_group;
929 data = notify->get_notification_data(notify);
930 this->dh_group = ntohs(*((u_int16_t*)data.ptr));
931 DBG1(DBG_IKE, "peer didn't accept DH group %N, "
932 "it requested %N", diffie_hellman_group_names,
933 bad_group, diffie_hellman_group_names, this->dh_group);
934
935 this->public.task.migrate(&this->public.task, this->ike_sa);
936 iterator->destroy(iterator);
937 return NEED_MORE;
938 }
939 default:
940 break;
941 }
942 }
943 }
944 iterator->destroy(iterator);
945
946 process_payloads(this, message);
947
948 if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
949 {
950 DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
951 " one, no CHILD_SA built");
952 handle_child_sa_failure(this, message);
953 return SUCCESS;
954 }
955 else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
956 {
957 DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
958 "IPComp is disabled");
959 this->ipcomp = IPCOMP_NONE;
960 }
961 else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
962 {
963 DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
964 "no CHILD_SA built");
965 handle_child_sa_failure(this, message);
966 return SUCCESS;
967 }
968
969 if (select_and_install(this, no_dh) == SUCCESS)
970 {
971 DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
972 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
973 this->child_sa->get_name(this->child_sa),
974 this->child_sa->get_reqid(this->child_sa),
975 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
976 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
977 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
978 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
979 }
980 else
981 {
982 handle_child_sa_failure(this, message);
983 }
984 return SUCCESS;
985 }
986
987 /**
988 * Implementation of task_t.get_type
989 */
990 static task_type_t get_type(private_child_create_t *this)
991 {
992 return CHILD_CREATE;
993 }
994
995 /**
996 * Implementation of child_create_t.use_reqid
997 */
998 static void use_reqid(private_child_create_t *this, u_int32_t reqid)
999 {
1000 this->reqid = reqid;
1001 }
1002
1003 /**
1004 * Implementation of child_create_t.get_child
1005 */
1006 static child_sa_t* get_child(private_child_create_t *this)
1007 {
1008 return this->child_sa;
1009 }
1010
1011 /**
1012 * Implementation of child_create_t.get_lower_nonce
1013 */
1014 static chunk_t get_lower_nonce(private_child_create_t *this)
1015 {
1016 if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
1017 min(this->my_nonce.len, this->other_nonce.len)) < 0)
1018 {
1019 return this->my_nonce;
1020 }
1021 else
1022 {
1023 return this->other_nonce;
1024 }
1025 }
1026
1027 /**
1028 * Implementation of task_t.migrate
1029 */
1030 static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
1031 {
1032 chunk_free(&this->my_nonce);
1033 chunk_free(&this->other_nonce);
1034 if (this->tsi)
1035 {
1036 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1037 }
1038 if (this->tsr)
1039 {
1040 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1041 }
1042 DESTROY_IF(this->child_sa);
1043 DESTROY_IF(this->proposal);
1044 DESTROY_IF(this->dh);
1045 if (this->proposals)
1046 {
1047 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1048 }
1049
1050 this->ike_sa = ike_sa;
1051 this->proposals = NULL;
1052 this->tsi = NULL;
1053 this->tsr = NULL;
1054 this->dh = NULL;
1055 this->child_sa = NULL;
1056 this->mode = MODE_TUNNEL;
1057 this->ipcomp = IPCOMP_NONE;
1058 this->ipcomp_received = IPCOMP_NONE;
1059 this->other_cpi = 0;
1060 this->reqid = 0;
1061 this->established = FALSE;
1062 }
1063
1064 /**
1065 * Implementation of task_t.destroy
1066 */
1067 static void destroy(private_child_create_t *this)
1068 {
1069 chunk_free(&this->my_nonce);
1070 chunk_free(&this->other_nonce);
1071 if (this->tsi)
1072 {
1073 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1074 }
1075 if (this->tsr)
1076 {
1077 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1078 }
1079 if (!this->established)
1080 {
1081 DESTROY_IF(this->child_sa);
1082 }
1083 DESTROY_IF(this->proposal);
1084 DESTROY_IF(this->dh);
1085 if (this->proposals)
1086 {
1087 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1088 }
1089
1090 DESTROY_IF(this->config);
1091 free(this);
1092 }
1093
1094 /*
1095 * Described in header.
1096 */
1097 child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
1098 {
1099 private_child_create_t *this = malloc_thing(private_child_create_t);
1100
1101 this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child;
1102 this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce;
1103 this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid;
1104 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
1105 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
1106 this->public.task.destroy = (void(*)(task_t*))destroy;
1107 if (config)
1108 {
1109 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
1110 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
1111 this->initiator = TRUE;
1112 config->get_ref(config);
1113 }
1114 else
1115 {
1116 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
1117 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
1118 this->initiator = FALSE;
1119 }
1120
1121 this->ike_sa = ike_sa;
1122 this->config = config;
1123 this->my_nonce = chunk_empty;
1124 this->other_nonce = chunk_empty;
1125 this->proposals = NULL;
1126 this->proposal = NULL;
1127 this->tsi = NULL;
1128 this->tsr = NULL;
1129 this->dh = NULL;
1130 this->dh_group = MODP_NONE;
1131 this->keymat = ike_sa->get_keymat(ike_sa);
1132 this->child_sa = NULL;
1133 this->mode = MODE_TUNNEL;
1134 this->ipcomp = IPCOMP_NONE;
1135 this->ipcomp_received = IPCOMP_NONE;
1136 this->other_cpi = 0;
1137 this->reqid = 0;
1138 this->established = FALSE;
1139
1140 return &this->public;
1141 }