projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
support for virtual IP definition on client side:
[strongswan.git] / src / charon / sa / tasks / child_create.c
1 /**
2 * @file child_create.c
3 *
4 * @brief Implementation of the child_create task.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include "child_create.h"
25
26 #include <daemon.h>
27 #include <crypto/diffie_hellman.h>
28 #include <encoding/payloads/sa_payload.h>
29 #include <encoding/payloads/ke_payload.h>
30 #include <encoding/payloads/ts_payload.h>
31 #include <encoding/payloads/nonce_payload.h>
32 #include <encoding/payloads/notify_payload.h>
33
34
35 typedef struct private_child_create_t private_child_create_t;
36
37 /**
38 * Private members of a child_create_t task.
39 */
40 struct private_child_create_t {
41
42 /**
43 * Public methods and task_t interface.
44 */
45 child_create_t public;
46
47 /**
48 * Assigned IKE_SA.
49 */
50 ike_sa_t *ike_sa;
51
52 /**
53 * Are we the initiator?
54 */
55 bool initiator;
56
57 /**
58 * nonce chosen by us
59 */
60 chunk_t my_nonce;
61
62 /**
63 * nonce chosen by peer
64 */
65 chunk_t other_nonce;
66
67 /**
68 * config to create the CHILD_SA from
69 */
70 child_cfg_t *config;
71
72 /**
73 * list of proposal candidates
74 */
75 linked_list_t *proposals;
76
77 /**
78 * selected proposal to use for CHILD_SA
79 */
80 proposal_t *proposal;
81
82 /**
83 * traffic selectors for initiators side
84 */
85 linked_list_t *tsi;
86
87 /**
88 * traffic selectors for responders side
89 */
90 linked_list_t *tsr;
91
92 /**
93 * optional diffie hellman exchange
94 */
95 diffie_hellman_t *dh;
96
97 /**
98 * group used for DH exchange
99 */
100 diffie_hellman_group_t dh_group;
101
102 /**
103 * mode the new CHILD_SA uses (transport/tunnel/beet)
104 */
105 mode_t mode;
106
107 /**
108 * reqid to use if we are rekeying
109 */
110 u_int32_t reqid;
111
112 /**
113 * CHILD_SA which gets established
114 */
115 child_sa_t *child_sa;
116
117 /**
118 * successfully established the CHILD?
119 */
120 bool established;
121 };
122
123 /**
124 * get the nonce from a message
125 */
126 static status_t get_nonce(message_t *message, chunk_t *nonce)
127 {
128 nonce_payload_t *payload;
129
130 payload = (nonce_payload_t*)message->get_payload(message, NONCE);
131 if (payload == NULL)
132 {
133 return FAILED;
134 }
135 *nonce = payload->get_nonce(payload);
136 return NEED_MORE;
137 }
138
139 /**
140 * generate a new nonce to include in a CREATE_CHILD_SA message
141 */
142 static status_t generate_nonce(chunk_t *nonce)
143 {
144 status_t status;
145 randomizer_t *randomizer = randomizer_create();
146
147 status = randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE,
148 nonce);
149 randomizer->destroy(randomizer);
150 if (status != SUCCESS)
151 {
152 DBG1(DBG_IKE, "error generating random nonce value");
153 return FAILED;
154 }
155 return SUCCESS;
156 }
157
158 /**
159 * Check a list of traffic selectors if any selector belongs to host
160 */
161 static bool ts_list_is_host(linked_list_t *list, host_t *host)
162 {
163 traffic_selector_t *ts;
164 bool is_host = TRUE;
165 iterator_t *iterator = list->create_iterator(list, TRUE);
166
167 while (is_host && iterator->iterate(iterator, (void**)&ts))
168 {
169 is_host = is_host && ts->is_host(ts, host);
170 }
171 iterator->destroy(iterator);
172 return is_host;
173 }
174
175 /**
176 * Install a CHILD_SA for usage, return value:
177 * - FAILED: no acceptable proposal
178 * - INVALID_ARG: diffie hellman group inacceptable
179 * - NOT_FOUND: TS inacceptable
180 */
181 static status_t select_and_install(private_child_create_t *this, bool no_dh)
182 {
183 prf_plus_t *prf_plus;
184 status_t status;
185 chunk_t nonce_i, nonce_r, secret, seed;
186 linked_list_t *my_ts, *other_ts;
187 host_t *me, *other, *other_vip, *my_vip;
188
189 if (this->proposals == NULL)
190 {
191 SIG(CHILD_UP_FAILED, "SA payload missing in message");
192 return FAILED;
193 }
194 if (this->tsi == NULL || this->tsr == NULL)
195 {
196 SIG(CHILD_UP_FAILED, "TS payloads missing in message");
197 return NOT_FOUND;
198 }
199
200 if (this->initiator)
201 {
202 nonce_i = this->my_nonce;
203 nonce_r = this->other_nonce;
204 my_ts = this->tsi;
205 other_ts = this->tsr;
206 }
207 else
208 {
209 nonce_r = this->my_nonce;
210 nonce_i = this->other_nonce;
211 my_ts = this->tsr;
212 other_ts = this->tsi;
213 }
214
215 me = this->ike_sa->get_my_host(this->ike_sa);
216 other = this->ike_sa->get_other_host(this->ike_sa);
217 my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
218 other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
219
220 this->proposal = this->config->select_proposal(this->config, this->proposals,
221 no_dh);
222 if (this->proposal == NULL)
223 {
224 SIG(CHILD_UP_FAILED, "no acceptable proposal found");
225 return FAILED;
226 }
227
228 if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
229 {
230 algorithm_t *algo;
231 if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
232 &algo))
233 {
234 u_int16_t group = algo->algorithm;
235 SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N",
236 diffie_hellman_group_names, this->dh_group,
237 diffie_hellman_group_names, group);
238 this->dh_group = group;
239 return INVALID_ARG;
240 }
241 else
242 {
243 SIG(CHILD_UP_FAILED, "no acceptable proposal found");
244 return FAILED;
245 }
246 }
247
248 if (my_vip == NULL)
249 {
250 my_vip = me;
251 }
252 else if (this->initiator)
253 {
254 /* to setup firewall rules correctly, CHILD_SA needs the virtual IP */
255 this->child_sa->set_virtual_ip(this->child_sa, my_vip);
256 }
257 if (other_vip == NULL)
258 {
259 other_vip = other;
260 }
261
262 my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
263 my_vip);
264 other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
265 other_vip);
266
267 if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
268 {
269 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
270 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
271 SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found");
272 return NOT_FOUND;
273 }
274
275 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
276 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
277 if (this->initiator)
278 {
279 this->tsi = my_ts;
280 this->tsr = other_ts;
281 }
282 else
283 {
284 this->tsr = my_ts;
285 this->tsi = other_ts;
286 }
287
288 if (!this->initiator)
289 {
290 /* check if requested mode is acceptable, downgrade if required */
291 switch (this->mode)
292 {
293 case MODE_TRANSPORT:
294 if (!ts_list_is_host(this->tsi, other) ||
295 !ts_list_is_host(this->tsr, me))
296 {
297 this->mode = MODE_TUNNEL;
298 DBG1(DBG_IKE, "not using tranport mode, not host-to-host");
299 }
300 else if (this->ike_sa->is_natt_enabled(this->ike_sa))
301 {
302 this->mode = MODE_TUNNEL;
303 DBG1(DBG_IKE, "not using tranport mode, connection NATed");
304 }
305 break;
306 case MODE_BEET:
307 if (!ts_list_is_host(this->tsi, NULL) ||
308 !ts_list_is_host(this->tsr, NULL))
309 {
310 this->mode = MODE_TUNNEL;
311 DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
312 }
313 break;
314 default:
315 break;
316 }
317 }
318
319 if (this->dh)
320 {
321 if (this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
322 {
323 SIG(CHILD_UP_FAILED, "DH exchange incomplete");
324 return FAILED;
325 }
326 DBG3(DBG_IKE, "DH secret %B", &secret);
327 seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
328 }
329 else
330 {
331 seed = chunk_cata("cc", nonce_i, nonce_r);
332 }
333 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
334
335 if (this->initiator)
336 {
337 status = this->child_sa->update(this->child_sa, this->proposal,
338 this->mode, prf_plus);
339 }
340 else
341 {
342 status = this->child_sa->add(this->child_sa, this->proposal,
343 this->mode, prf_plus);
344 }
345 prf_plus->destroy(prf_plus);
346
347 if (status != SUCCESS)
348 {
349 SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel");
350 return FAILED;
351 }
352
353 status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
354 this->mode);
355
356 if (status != SUCCESS)
357 {
358 SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel");
359 return NOT_FOUND;
360 }
361 /* add to IKE_SA, and remove from task */
362 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
363 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
364 this->established = TRUE;
365 return SUCCESS;
366 }
367
368 /**
369 * build the payloads for the message
370 */
371 static void build_payloads(private_child_create_t *this, message_t *message)
372 {
373 sa_payload_t *sa_payload;
374 nonce_payload_t *nonce_payload;
375 ke_payload_t *ke_payload;
376 ts_payload_t *ts_payload;
377
378 /* add SA payload */
379 if (this->initiator)
380 {
381 sa_payload = sa_payload_create_from_proposal_list(this->proposals);
382 }
383 else
384 {
385 sa_payload = sa_payload_create_from_proposal(this->proposal);
386 }
387 message->add_payload(message, (payload_t*)sa_payload);
388
389 /* add nonce payload if not in IKE_AUTH */
390 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
391 {
392 nonce_payload = nonce_payload_create();
393 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
394 message->add_payload(message, (payload_t*)nonce_payload);
395 }
396
397 /* diffie hellman exchange, if PFS enabled */
398 if (this->dh)
399 {
400 ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
401 message->add_payload(message, (payload_t*)ke_payload);
402 }
403
404 /* add TSi/TSr payloads */
405 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
406 message->add_payload(message, (payload_t*)ts_payload);
407 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
408 message->add_payload(message, (payload_t*)ts_payload);
409
410 /* add a notify if we are not in tunnel mode */
411 switch (this->mode)
412 {
413 case MODE_TRANSPORT:
414 message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
415 break;
416 case MODE_BEET:
417 message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
418 break;
419 default:
420 break;
421 }
422 }
423
424 /**
425 * Read payloads from message
426 */
427 static void process_payloads(private_child_create_t *this, message_t *message)
428 {
429 iterator_t *iterator;
430 payload_t *payload;
431 sa_payload_t *sa_payload;
432 ke_payload_t *ke_payload;
433 ts_payload_t *ts_payload;
434 notify_payload_t *notify_payload;
435
436 /* defaults to TUNNEL mode */
437 this->mode = MODE_TUNNEL;
438
439 iterator = message->get_payload_iterator(message);
440 while (iterator->iterate(iterator, (void**)&payload))
441 {
442 switch (payload->get_type(payload))
443 {
444 case SECURITY_ASSOCIATION:
445 sa_payload = (sa_payload_t*)payload;
446 this->proposals = sa_payload->get_proposals(sa_payload);
447 break;
448 case KEY_EXCHANGE:
449 ke_payload = (ke_payload_t*)payload;
450 if (!this->initiator)
451 {
452 this->dh_group = ke_payload->get_dh_group_number(ke_payload);
453 this->dh = diffie_hellman_create(this->dh_group);
454 }
455 if (this->dh)
456 {
457 this->dh->set_other_public_value(this->dh,
458 ke_payload->get_key_exchange_data(ke_payload));
459 }
460 break;
461 case TRAFFIC_SELECTOR_INITIATOR:
462 ts_payload = (ts_payload_t*)payload;
463 this->tsi = ts_payload->get_traffic_selectors(ts_payload);
464 break;
465 case TRAFFIC_SELECTOR_RESPONDER:
466 ts_payload = (ts_payload_t*)payload;
467 this->tsr = ts_payload->get_traffic_selectors(ts_payload);
468 break;
469 case NOTIFY:
470 notify_payload = (notify_payload_t*)payload;
471 switch (notify_payload ->get_notify_type(notify_payload ))
472 {
473 case USE_TRANSPORT_MODE:
474 this->mode = MODE_TRANSPORT;
475 break;
476 case USE_BEET_MODE:
477 this->mode = MODE_BEET;
478 break;
479 default:
480 break;
481 }
482 break;
483 default:
484 break;
485 }
486 }
487 iterator->destroy(iterator);
488 }
489
490 /**
491 * Implementation of task_t.build for initiator
492 */
493 static status_t build_i(private_child_create_t *this, message_t *message)
494 {
495 host_t *me, *other, *vip;
496 peer_cfg_t *peer_cfg;
497
498 switch (message->get_exchange_type(message))
499 {
500 case IKE_SA_INIT:
501 return get_nonce(message, &this->my_nonce);
502 case CREATE_CHILD_SA:
503 if (generate_nonce(&this->my_nonce) != SUCCESS)
504 {
505 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
506 return SUCCESS;
507 }
508 if (this->dh_group == MODP_NONE)
509 {
510 this->dh_group = this->config->get_dh_group(this->config);
511 }
512 break;
513 case IKE_AUTH:
514 if (!message->get_payload(message, ID_INITIATOR))
515 {
516 /* send only in the first request, not in subsequent EAP */
517 return NEED_MORE;
518 }
519 break;
520 default:
521 break;
522 }
523
524 SIG(CHILD_UP_START, "establishing CHILD_SA");
525
526 me = this->ike_sa->get_my_host(this->ike_sa);
527 other = this->ike_sa->get_other_host(this->ike_sa);
528 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
529 vip = peer_cfg->get_my_virtual_ip(peer_cfg);
530
531 if (vip)
532 { /* propose a 0.0.0.0/0 subnet when we use virtual ip */
533 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
534 NULL, NULL);
535 vip->destroy(vip);
536 }
537 else
538 { /* but shorten a 0.0.0.0/0 subnet to the actual address if host2host */
539 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
540 NULL, me);
541 }
542 this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
543 NULL, other);
544 this->proposals = this->config->get_proposals(this->config,
545 this->dh_group == MODP_NONE);
546 this->mode = this->config->get_mode(this->config);
547
548 this->child_sa = child_sa_create(me, other,
549 this->ike_sa->get_my_id(this->ike_sa),
550 this->ike_sa->get_other_id(this->ike_sa),
551 this->config, this->reqid,
552 this->ike_sa->is_natt_enabled(this->ike_sa));
553
554 if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
555 {
556 SIG(CHILD_UP_FAILED, "unable to allocate SPIs from kernel");
557 return FAILED;
558 }
559
560 if (this->dh_group != MODP_NONE)
561 {
562 this->dh = diffie_hellman_create(this->dh_group);
563 }
564
565 build_payloads(this, message);
566
567 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
568 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
569 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
570 this->tsi = NULL;
571 this->tsr = NULL;
572 this->proposals = NULL;
573
574 return NEED_MORE;
575 }
576
577 /**
578 * Implementation of task_t.process for initiator
579 */
580 static status_t process_r(private_child_create_t *this, message_t *message)
581 {
582 peer_cfg_t *peer_cfg;
583
584 switch (message->get_exchange_type(message))
585 {
586 case IKE_SA_INIT:
587 return get_nonce(message, &this->other_nonce);
588 case CREATE_CHILD_SA:
589 get_nonce(message, &this->other_nonce);
590 break;
591 case IKE_AUTH:
592 if (message->get_payload(message, ID_INITIATOR) == NULL)
593 {
594 /* wait until extensible authentication completed, if used */
595 return NEED_MORE;
596 }
597 default:
598 break;
599 }
600
601 process_payloads(this, message);
602
603 if (this->tsi == NULL || this->tsr == NULL)
604 {
605 DBG1(DBG_IKE, "TS payload missing in message");
606 return NEED_MORE;
607 }
608
609 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
610 if (peer_cfg)
611 {
612 this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr, this->tsi,
613 this->ike_sa->get_my_host(this->ike_sa),
614 this->ike_sa->get_other_host(this->ike_sa));
615 }
616 return NEED_MORE;
617 }
618
619 /**
620 * Implementation of task_t.build for responder
621 */
622 static status_t build_r(private_child_create_t *this, message_t *message)
623 {
624 bool no_dh = TRUE;
625
626 switch (message->get_exchange_type(message))
627 {
628 case IKE_SA_INIT:
629 return get_nonce(message, &this->my_nonce);
630 case CREATE_CHILD_SA:
631 if (generate_nonce(&this->my_nonce) != SUCCESS)
632 {
633 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
634 return SUCCESS;
635 }
636 no_dh = FALSE;
637 break;
638 case IKE_AUTH:
639 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
640 {
641 /* wait until extensible authentication completed, if used */
642 return NEED_MORE;
643 }
644 default:
645 break;
646 }
647
648 if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
649 {
650 SIG(CHILD_UP_FAILED, "unable to create CHILD_SA while rekeying IKE_SA");
651 message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
652 return SUCCESS;
653 }
654
655 if (this->config == NULL)
656 {
657 SIG(CHILD_UP_FAILED, "traffic selectors %#R=== %#R inacceptable",
658 this->tsr, this->tsi);
659 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
660 return SUCCESS;
661 }
662
663 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
664 this->ike_sa->get_other_host(this->ike_sa),
665 this->ike_sa->get_my_id(this->ike_sa),
666 this->ike_sa->get_other_id(this->ike_sa),
667 this->config, this->reqid,
668 this->ike_sa->is_natt_enabled(this->ike_sa));
669
670 switch (select_and_install(this, no_dh))
671 {
672 case SUCCESS:
673 break;
674 case NOT_FOUND:
675 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
676 return SUCCESS;
677 case INVALID_ARG:
678 {
679 u_int16_t group = htons(this->dh_group);
680 message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
681 chunk_from_thing(group));
682 return SUCCESS;
683 }
684 case FAILED:
685 default:
686 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
687 return SUCCESS;
688 }
689
690 build_payloads(this, message);
691
692 SIG(CHILD_UP_SUCCESS, "established CHILD_SA successfully");
693
694 return SUCCESS;
695 }
696
697 /**
698 * Implementation of task_t.process for initiator
699 */
700 static status_t process_i(private_child_create_t *this, message_t *message)
701 {
702 iterator_t *iterator;
703 payload_t *payload;
704 bool no_dh = TRUE;
705
706 switch (message->get_exchange_type(message))
707 {
708 case IKE_SA_INIT:
709 return get_nonce(message, &this->other_nonce);
710 case CREATE_CHILD_SA:
711 get_nonce(message, &this->other_nonce);
712 no_dh = FALSE;
713 break;
714 case IKE_AUTH:
715 if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
716 {
717 /* wait until extensible authentication completed, if used */
718 return NEED_MORE;
719 }
720 default:
721 break;
722 }
723
724 /* check for erronous notifies */
725 iterator = message->get_payload_iterator(message);
726 while (iterator->iterate(iterator, (void**)&payload))
727 {
728 if (payload->get_type(payload) == NOTIFY)
729 {
730 notify_payload_t *notify = (notify_payload_t*)payload;
731 notify_type_t type = notify->get_notify_type(notify);
732
733 switch (type)
734 {
735 /* handle notify errors related to CHILD_SA only */
736 case NO_PROPOSAL_CHOSEN:
737 case SINGLE_PAIR_REQUIRED:
738 case NO_ADDITIONAL_SAS:
739 case INTERNAL_ADDRESS_FAILURE:
740 case FAILED_CP_REQUIRED:
741 case TS_UNACCEPTABLE:
742 case INVALID_SELECTORS:
743 {
744 SIG(CHILD_UP_FAILED, "received %N notify, no CHILD_SA built",
745 notify_type_names, type);
746 iterator->destroy(iterator);
747 /* an error in CHILD_SA creation is not critical */
748 return SUCCESS;
749 }
750 case INVALID_KE_PAYLOAD:
751 {
752 chunk_t data;
753 diffie_hellman_group_t bad_group;
754
755 bad_group = this->dh_group;
756 data = notify->get_notification_data(notify);
757 this->dh_group = ntohs(*((u_int16_t*)data.ptr));
758 DBG1(DBG_IKE, "peer didn't accept DH group %N, "
759 "it requested %N", diffie_hellman_group_names,
760 bad_group, diffie_hellman_group_names, this->dh_group);
761
762 this->public.task.migrate(&this->public.task, this->ike_sa);
763 iterator->destroy(iterator);
764 return NEED_MORE;
765 }
766 default:
767 break;
768 }
769 }
770 }
771 iterator->destroy(iterator);
772
773 process_payloads(this, message);
774
775 if (select_and_install(this, no_dh) == SUCCESS)
776 {
777 SIG(CHILD_UP_SUCCESS, "established CHILD_SA successfully");
778 }
779 return SUCCESS;
780 }
781
782 /**
783 * Implementation of task_t.get_type
784 */
785 static task_type_t get_type(private_child_create_t *this)
786 {
787 return CHILD_CREATE;
788 }
789
790 /**
791 * Implementation of child_create_t.use_reqid
792 */
793 static void use_reqid(private_child_create_t *this, u_int32_t reqid)
794 {
795 this->reqid = reqid;
796 }
797
798 /**
799 * Implementation of child_create_t.get_child
800 */
801 static child_sa_t* get_child(private_child_create_t *this)
802 {
803 return this->child_sa;
804 }
805
806 /**
807 * Implementation of child_create_t.get_lower_nonce
808 */
809 static chunk_t get_lower_nonce(private_child_create_t *this)
810 {
811 if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
812 min(this->my_nonce.len, this->other_nonce.len)) < 0)
813 {
814 return this->my_nonce;
815 }
816 else
817 {
818 return this->other_nonce;
819 }
820 }
821
822 /**
823 * Implementation of task_t.migrate
824 */
825 static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
826 {
827 chunk_free(&this->my_nonce);
828 chunk_free(&this->other_nonce);
829 if (this->tsi)
830 {
831 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
832 }
833 if (this->tsr)
834 {
835 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
836 }
837 DESTROY_IF(this->child_sa);
838 DESTROY_IF(this->proposal);
839 DESTROY_IF(this->dh);
840 if (this->proposals)
841 {
842 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
843 }
844
845 this->ike_sa = ike_sa;
846 this->proposals = NULL;
847 this->tsi = NULL;
848 this->tsr = NULL;
849 this->dh = NULL;
850 this->child_sa = NULL;
851 this->mode = MODE_TUNNEL;
852 this->reqid = 0;
853 this->established = FALSE;
854 }
855
856 /**
857 * Implementation of task_t.destroy
858 */
859 static void destroy(private_child_create_t *this)
860 {
861 chunk_free(&this->my_nonce);
862 chunk_free(&this->other_nonce);
863 if (this->tsi)
864 {
865 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
866 }
867 if (this->tsr)
868 {
869 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
870 }
871 if (!this->established)
872 {
873 DESTROY_IF(this->child_sa);
874 }
875 DESTROY_IF(this->proposal);
876 DESTROY_IF(this->dh);
877 if (this->proposals)
878 {
879 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
880 }
881
882 DESTROY_IF(this->config);
883 free(this);
884 }
885
886 /*
887 * Described in header.
888 */
889 child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
890 {
891 private_child_create_t *this = malloc_thing(private_child_create_t);
892
893 this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child;
894 this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce;
895 this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid;
896 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
897 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
898 this->public.task.destroy = (void(*)(task_t*))destroy;
899 if (config)
900 {
901 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
902 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
903 this->initiator = TRUE;
904 config->get_ref(config);
905 }
906 else
907 {
908 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
909 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
910 this->initiator = FALSE;
911 }
912
913 this->ike_sa = ike_sa;
914 this->config = config;
915 this->my_nonce = chunk_empty;
916 this->other_nonce = chunk_empty;
917 this->proposals = NULL;
918 this->proposal = NULL;
919 this->tsi = NULL;
920 this->tsr = NULL;
921 this->dh = NULL;
922 this->dh_group = MODP_NONE;
923 this->child_sa = NULL;
924 this->mode = MODE_TUNNEL;
925 this->reqid = 0;
926 this->established = FALSE;
927
928 return &this->public;
929 }
strongSwan - IPsec VPN