further work done for simultaneous rekeying/delete
[strongswan.git] / src / charon / sa / transactions / create_child_sa.c
1 /**
2 * @file create_child_sa.c
3 *
4 * @brief Implementation of create_child_sa_t transaction.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "create_child_sa.h"
24
25 #include <string.h>
26
27 #include <daemon.h>
28 #include <encoding/payloads/sa_payload.h>
29 #include <encoding/payloads/nonce_payload.h>
30 #include <encoding/payloads/ts_payload.h>
31 #include <sa/transactions/delete_child_sa.h>
32 #include <utils/randomizer.h>
33
34
35 typedef struct private_create_child_sa_t private_create_child_sa_t;
36
37 /**
38 * Private members of a create_child_sa_t object..
39 */
40 struct private_create_child_sa_t {
41
42 /**
43 * Public methods and transaction_t interface.
44 */
45 create_child_sa_t public;
46
47 /**
48 * Assigned IKE_SA.
49 */
50 ike_sa_t *ike_sa;
51
52 /**
53 * Message sent by our peer, if already generated
54 */
55 message_t *message;
56
57 /**
58 * Message ID this transaction uses
59 */
60 u_int32_t message_id;
61
62 /**
63 * Times we did send the request
64 */
65 u_int32_t requested;
66
67 /**
68 * initiators inbound SPI of the CHILD_SA which gets rekeyed
69 */
70 u_int32_t rekey_spi;
71
72 /**
73 * connection of IKE_SA
74 */
75 connection_t *connection;
76
77 /**
78 * policy definition used
79 */
80 policy_t *policy;
81
82 /**
83 * Negotiated proposal used for CHILD_SA
84 */
85 proposal_t *proposal;
86
87 /**
88 * initiator chosen nonce
89 */
90 chunk_t nonce_i;
91
92 /**
93 * responder chosen nonce
94 */
95 chunk_t nonce_r;
96
97 /**
98 * Negotiated traffic selectors for initiator
99 */
100 linked_list_t *tsi;
101
102 /**
103 * Negotiated traffic selectors for responder
104 */
105 linked_list_t *tsr;
106
107 /**
108 * CHILD_SA created by this transaction
109 */
110 child_sa_t *child_sa;
111
112 /**
113 * CHILD_SA rekeyed if we are rekeying
114 */
115 child_sa_t *rekeyed_sa;
116
117 /**
118 * Have we lost the simultaneous rekeying nonce compare?
119 */
120 bool lost;
121
122 /**
123 * source of randomness
124 */
125 randomizer_t *randomizer;
126
127 /**
128 * Assigned logger.
129 */
130 logger_t *logger;
131 };
132
133 /**
134 * Implementation of transaction_t.get_message_id.
135 */
136 static u_int32_t get_message_id(private_create_child_sa_t *this)
137 {
138 return this->message_id;
139 }
140
141 /**
142 * Implementation of transaction_t.requested.
143 */
144 static u_int32_t requested(private_create_child_sa_t *this)
145 {
146 return this->requested++;
147 }
148
149 /**
150 * Implementation of create_child_sa_t.rekeys_child.
151 */
152 static void rekeys_child(private_create_child_sa_t *this, child_sa_t *child_sa)
153 {
154 this->rekeyed_sa = child_sa;
155 }
156
157 /**
158 * Implementation of create_child_sa_t.cancel.
159 */
160 static void cancel(private_create_child_sa_t *this)
161 {
162 this->rekeyed_sa = NULL;
163 this->lost = TRUE;
164 }
165
166 /**
167 * Implementation of transaction_t.get_request.
168 */
169 static status_t get_request(private_create_child_sa_t *this, message_t **result)
170 {
171 message_t *request;
172 host_t *me, *other;
173
174 /* check if we are not already rekeying */
175 if (this->rekeyed_sa &&
176 this->rekeyed_sa->is_rekeying(this->rekeyed_sa))
177 {
178 this->logger->log(this->logger, ERROR,
179 "rekeying a CHILD_SA which is already rekeying, aborted");
180 return FAILED;
181 }
182
183 /* check if we already have built a message (retransmission) */
184 if (this->message)
185 {
186 *result = this->message;
187 return SUCCESS;
188 }
189
190 this->connection = this->ike_sa->get_connection(this->ike_sa);
191 me = this->connection->get_my_host(this->connection);
192 other = this->connection->get_other_host(this->connection);
193 this->policy = this->ike_sa->get_policy(this->ike_sa);
194
195 /* build the request */
196 request = message_create();
197 request->set_source(request, me->clone(me));
198 request->set_destination(request, other->clone(other));
199 request->set_exchange_type(request, CREATE_CHILD_SA);
200 request->set_request(request, TRUE);
201 request->set_message_id(request, this->message_id);
202 request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa));
203 *result = request;
204 this->message = request;
205
206 { /* build SA payload */
207 sa_payload_t *sa_payload;
208 linked_list_t *proposals;
209 bool use_natt;
210 u_int32_t reqid = 0;
211
212 if (this->rekeyed_sa)
213 {
214 reqid = this->rekeyed_sa->get_reqid(this->rekeyed_sa);
215 }
216
217 proposals = this->policy->get_proposals(this->policy);
218 use_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
219 this->child_sa = child_sa_create(reqid, me, other,
220 this->policy->get_soft_lifetime(this->policy),
221 this->policy->get_hard_lifetime(this->policy),
222 use_natt);
223 if (this->child_sa->alloc(this->child_sa, proposals) != SUCCESS)
224 {
225 this->logger->log(this->logger, ERROR,
226 "could not install CHILD_SA, CHILD_SA creation aborted");
227 return FAILED;
228 }
229 sa_payload = sa_payload_create_from_proposal_list(proposals);
230 request->add_payload(request, (payload_t*)sa_payload);
231 }
232
233 { /* build the NONCE payload for us (initiator) */
234 nonce_payload_t *nonce_payload;
235
236 if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
237 NONCE_SIZE, &this->nonce_i) != SUCCESS)
238 {
239 return FAILED;
240 }
241 nonce_payload = nonce_payload_create();
242 nonce_payload->set_nonce(nonce_payload, this->nonce_i);
243 request->add_payload(request, (payload_t*)nonce_payload);
244 }
245
246 { /* build TSi payload */
247 linked_list_t *ts_list;
248 ts_payload_t *ts_payload;
249
250 ts_list = this->policy->get_my_traffic_selectors(this->policy);
251 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, ts_list);
252 request->add_payload(request, (payload_t*)ts_payload);
253 }
254
255 { /* build TSr payload */
256 linked_list_t *ts_list;
257 ts_payload_t *ts_payload;
258
259 ts_list = this->policy->get_other_traffic_selectors(this->policy);
260 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, ts_list);
261 request->add_payload(request, (payload_t*)ts_payload);
262 }
263
264 if (this->rekeyed_sa)
265 { /* add REKEY_SA notify if we are rekeying */
266 notify_payload_t *notify;
267 protocol_id_t protocol;
268
269 protocol = this->rekeyed_sa->get_protocol(this->rekeyed_sa);
270 notify = notify_payload_create_from_protocol_and_type(protocol, REKEY_SA);
271 notify->set_spi(notify, this->rekeyed_sa->get_spi(this->rekeyed_sa, TRUE));
272 request->add_payload(request, (payload_t*)notify);
273
274 /* register us as rekeying to detect multiple rekeying */
275 this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, &this->public);
276 }
277
278 return SUCCESS;
279 }
280
281 /**
282 * Handle all kind of notifys
283 */
284 static status_t process_notifys(private_create_child_sa_t *this, notify_payload_t *notify_payload)
285 {
286 notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
287
288 this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
289 mapping_find(notify_type_m, notify_type));
290
291 switch (notify_type)
292 {
293 case SINGLE_PAIR_REQUIRED:
294 {
295 this->logger->log(this->logger, AUDIT,
296 "received a SINGLE_PAIR_REQUIRED notify");
297 return FAILED;
298 }
299 case TS_UNACCEPTABLE:
300 {
301 this->logger->log(this->logger, CONTROL,
302 "received TS_UNACCEPTABLE notify");
303 return FAILED;
304 }
305 case NO_PROPOSAL_CHOSEN:
306 {
307 this->logger->log(this->logger, CONTROL,
308 "received NO_PROPOSAL_CHOSEN notify");
309 return FAILED;
310 }
311 case REKEY_SA:
312 {
313 u_int32_t spi;
314 protocol_id_t protocol;
315
316 protocol = notify_payload->get_protocol_id(notify_payload);
317 switch (protocol)
318 {
319 case PROTO_AH:
320 case PROTO_ESP:
321 spi = notify_payload->get_spi(notify_payload);
322 this->rekeyed_sa = this->ike_sa->get_child_sa(this->ike_sa,
323 protocol, spi,
324 FALSE);
325 break;
326 default:
327 break;
328 }
329 return SUCCESS;
330 }
331 default:
332 {
333 if (notify_type < 16383)
334 {
335 this->logger->log(this->logger, AUDIT,
336 "received %s notify error (%d), deleting IKE_SA",
337 mapping_find(notify_type_m, notify_type),
338 notify_type);
339 return FAILED;
340 }
341 else
342 {
343 this->logger->log(this->logger, CONTROL,
344 "received %s notify (%d), ignored",
345 mapping_find(notify_type_m, notify_type),
346 notify_type);
347 return SUCCESS;
348 }
349 }
350 }
351 }
352
353 /**
354 * Build a notify message.
355 */
356 static void build_notify(notify_type_t type, message_t *message, bool flush_message)
357 {
358 notify_payload_t *notify;
359
360 if (flush_message)
361 {
362 payload_t *payload;
363 iterator_t *iterator = message->get_payload_iterator(message);
364 while (iterator->iterate(iterator, (void**)&payload))
365 {
366 payload->destroy(payload);
367 iterator->remove(iterator);
368 }
369 iterator->destroy(iterator);
370 }
371
372 notify = notify_payload_create();
373 notify->set_notify_type(notify, type);
374 message->add_payload(message, (payload_t*)notify);
375 }
376
377 /**
378 * Install a CHILD_SA for usage
379 */
380 static status_t install_child_sa(private_create_child_sa_t *this, bool initiator)
381 {
382 prf_plus_t *prf_plus;
383 chunk_t seed;
384 status_t status;
385
386 seed = chunk_alloc(this->nonce_i.len + this->nonce_r.len);
387 memcpy(seed.ptr, this->nonce_i.ptr, this->nonce_i.len);
388 memcpy(seed.ptr + this->nonce_i.len, this->nonce_r.ptr, this->nonce_r.len);
389 prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
390 chunk_free(&seed);
391
392 if (initiator)
393 {
394 status = this->child_sa->update(this->child_sa, this->proposal, prf_plus);
395 }
396 else
397 {
398 status = this->child_sa->add(this->child_sa, this->proposal, prf_plus);
399 }
400 prf_plus->destroy(prf_plus);
401 if (status != SUCCESS)
402 {
403 return DESTROY_ME;
404 }
405 if (initiator)
406 {
407 status = this->child_sa->add_policies(this->child_sa, this->tsi, this->tsr);
408 }
409 else
410 {
411 status = this->child_sa->add_policies(this->child_sa, this->tsr, this->tsi);
412 }
413 if (status != SUCCESS)
414 {
415 return DESTROY_ME;
416 }
417 /* add to IKE_SA, and remove from transaction */
418 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
419 this->child_sa = NULL;
420 return SUCCESS;
421 }
422
423 /**
424 * destroy a list of traffic selectors
425 */
426 static void destroy_ts_list(linked_list_t *list)
427 {
428 if (list)
429 {
430 traffic_selector_t *ts;
431 while (list->remove_last(list, (void**)&ts) == SUCCESS)
432 {
433 ts->destroy(ts);
434 }
435 list->destroy(list);
436 }
437 }
438
439 /**
440 * Implementation of transaction_t.get_response.
441 */
442 static status_t get_response(private_create_child_sa_t *this, message_t *request,
443 message_t **result, transaction_t **next)
444 {
445 host_t *me, *other;
446 message_t *response;
447 status_t status;
448 iterator_t *payloads;
449 sa_payload_t *sa_request = NULL;
450 nonce_payload_t *nonce_request = NULL;
451 ts_payload_t *tsi_request = NULL;
452 ts_payload_t *tsr_request = NULL;
453
454 /* check if we already have built a response (retransmission) */
455 if (this->message)
456 {
457 *result = this->message;
458 return SUCCESS;
459 }
460
461 this->connection = this->ike_sa->get_connection(this->ike_sa);
462 me = this->connection->get_my_host(this->connection);
463 other = this->connection->get_other_host(this->connection);
464 this->policy = this->ike_sa->get_policy(this->ike_sa);
465
466 /* set up response */
467 response = message_create();
468 response->set_source(response, me->clone(me));
469 response->set_destination(response, other->clone(other));
470 response->set_exchange_type(response, CREATE_CHILD_SA);
471 response->set_request(response, FALSE);
472 response->set_message_id(response, this->message_id);
473 response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa));
474 this->message = response;
475 *result = response;
476
477 /* check message type */
478 if (request->get_exchange_type(request) != CREATE_CHILD_SA)
479 {
480 this->logger->log(this->logger, ERROR,
481 "CREATE_CHILD_SA response of invalid type, aborted");
482 return FAILED;
483 }
484
485 /* Iterate over all payloads. */
486 payloads = request->get_payload_iterator(request);
487 while (payloads->has_next(payloads))
488 {
489 payload_t *payload;
490 payloads->current(payloads, (void**)&payload);
491 switch (payload->get_type(payload))
492 {
493 case SECURITY_ASSOCIATION:
494 sa_request = (sa_payload_t*)payload;
495 break;
496 case NONCE:
497 nonce_request = (nonce_payload_t*)payload;
498 break;
499 case TRAFFIC_SELECTOR_INITIATOR:
500 tsi_request = (ts_payload_t*)payload;
501 break;
502 case TRAFFIC_SELECTOR_RESPONDER:
503 tsr_request = (ts_payload_t*)payload;
504 break;
505 case NOTIFY:
506 {
507 status = process_notifys(this, (notify_payload_t*)payload);
508 if (status != SUCCESS)
509 {
510 payloads->destroy(payloads);
511 return status;
512 }
513 break;
514 }
515 default:
516 {
517 this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
518 mapping_find(payload_type_m, payload->get_type(payload)),
519 payload->get_type(payload));
520 break;
521 }
522 }
523 }
524 payloads->destroy(payloads);
525
526 /* check if we have all payloads */
527 if (!(sa_request && nonce_request && tsi_request && tsr_request))
528 {
529 build_notify(INVALID_SYNTAX, response, TRUE);
530 this->logger->log(this->logger, AUDIT,
531 "request message incomplete, no CHILD_SA created");
532 return FAILED;
533 }
534
535 { /* process nonce payload */
536 nonce_payload_t *nonce_response;
537
538 this->nonce_i = nonce_request->get_nonce(nonce_request);
539 if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
540 NONCE_SIZE, &this->nonce_r) != SUCCESS)
541 {
542 build_notify(NO_PROPOSAL_CHOSEN, response, TRUE);
543 return FAILED;
544 }
545 nonce_response = nonce_payload_create();
546 nonce_response->set_nonce(nonce_response, this->nonce_r);
547 response->add_payload(response, (payload_t *)nonce_response);
548 }
549
550 { /* process traffic selectors for other */
551 linked_list_t *ts_received = tsi_request->get_traffic_selectors(tsi_request);
552 this->tsi = this->policy->select_other_traffic_selectors(this->policy, ts_received);
553 destroy_ts_list(ts_received);
554 }
555
556 { /* process traffic selectors for us */
557 linked_list_t *ts_received = ts_received = tsr_request->get_traffic_selectors(tsr_request);
558 this->tsr = this->policy->select_my_traffic_selectors(this->policy, ts_received);
559 destroy_ts_list(ts_received);
560 }
561
562 { /* process SA payload */
563 proposal_t *proposal;
564 linked_list_t *proposal_list;
565 sa_payload_t *sa_response;
566 ts_payload_t *ts_response;
567 bool use_natt;
568 u_int32_t soft_lifetime, hard_lifetime;
569
570 sa_response = sa_payload_create();
571 /* get proposals from request, and select one with ours */
572 proposal_list = sa_request->get_proposals(sa_request);
573 this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
574 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
575 /* list is not needed anymore */
576 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
577 {
578 proposal->destroy(proposal);
579 }
580 proposal_list->destroy(proposal_list);
581
582 /* do we have a proposal? */
583 if (this->proposal == NULL)
584 {
585 this->logger->log(this->logger, AUDIT,
586 "CHILD_SA proposals unacceptable, adding NO_PROPOSAL_CHOSEN notify");
587 build_notify(NO_PROPOSAL_CHOSEN, response, TRUE);
588 return FAILED;
589 }
590 /* do we have traffic selectors? */
591 else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
592 {
593 this->logger->log(this->logger, AUDIT,
594 "CHILD_SA traffic selectors unacceptable, adding TS_UNACCEPTABLE notify");
595 build_notify(TS_UNACCEPTABLE, response, TRUE);
596 return FAILED;
597 }
598 else
599 { /* create child sa */
600 u_int32_t reqid = 0;
601
602 if (this->rekeyed_sa)
603 {
604 reqid = this->rekeyed_sa->get_reqid(this->rekeyed_sa);
605 }
606 soft_lifetime = this->policy->get_soft_lifetime(this->policy);
607 hard_lifetime = this->policy->get_hard_lifetime(this->policy);
608 use_natt = this->ike_sa->is_natt_enabled(this->ike_sa);
609 this->child_sa = child_sa_create(reqid, me, other,
610 soft_lifetime, hard_lifetime,
611 use_natt);
612 if (install_child_sa(this, FALSE) != SUCCESS)
613 {
614 this->logger->log(this->logger, ERROR,
615 "installing CHILD_SA failed, adding NO_PROPOSAL_CHOSEN notify");
616 build_notify(NO_PROPOSAL_CHOSEN, response, TRUE);
617 return FAILED;
618 }
619 /* add proposal to sa payload */
620 sa_response->add_proposal(sa_response, this->proposal);
621 }
622 response->add_payload(response, (payload_t*)sa_response);
623
624 /* add ts payload after sa payload */
625 ts_response = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
626 response->add_payload(response, (payload_t*)ts_response);
627 ts_response = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
628 response->add_payload(response, (payload_t*)ts_response);
629 }
630 /* CHILD_SA successfully created. We set us as the rekeying transaction of
631 * this SA. If we already initiated rekeying of the same SA, we will detect
632 * this later in the conclude() call. */
633 if (this->rekeyed_sa)
634 {
635 if (this->rekeyed_sa->is_rekeying(this->rekeyed_sa))
636 {
637 /* rekeying already in progress, register us, too */
638 this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, &this->public);
639 }
640 else
641 {
642 /* no rekeying in progress. mark SA as rekeyed, but not conflicted */
643 this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, NULL);
644 }
645 }
646 return SUCCESS;
647 }
648
649 /**
650 * Implementation of transaction_t.conclude
651 */
652 static status_t conclude(private_create_child_sa_t *this, message_t *response,
653 transaction_t **next)
654 {
655 iterator_t *payloads;
656 host_t *me, *other;
657 sa_payload_t *sa_payload = NULL;
658 nonce_payload_t *nonce_payload = NULL;
659 ts_payload_t *tsi_payload = NULL;
660 ts_payload_t *tsr_payload = NULL;
661 status_t status;
662 child_sa_t *new_child = NULL;
663 delete_child_sa_t *delete_child_sa;
664
665 /* check message type */
666 if (response->get_exchange_type(response) != CREATE_CHILD_SA)
667 {
668 this->logger->log(this->logger, ERROR,
669 "CREATE_CHILD_SA response of invalid type, aborting");
670 return FAILED;
671 }
672
673 me = this->connection->get_my_host(this->connection);
674 other = this->connection->get_other_host(this->connection);
675
676 /* Iterate over all payloads to collect them */
677 payloads = response->get_payload_iterator(response);
678 while (payloads->has_next(payloads))
679 {
680 payload_t *payload;
681 payloads->current(payloads, (void**)&payload);
682 switch (payload->get_type(payload))
683 {
684 case SECURITY_ASSOCIATION:
685 sa_payload = (sa_payload_t*)payload;
686 break;
687 case NONCE:
688 nonce_payload = (nonce_payload_t*)payload;
689 break;
690 case TRAFFIC_SELECTOR_INITIATOR:
691 tsi_payload = (ts_payload_t*)payload;
692 break;
693 case TRAFFIC_SELECTOR_RESPONDER:
694 tsr_payload = (ts_payload_t*)payload;
695 break;
696 case NOTIFY:
697 {
698 status = process_notifys(this, (notify_payload_t*)payload);
699 if (status != SUCCESS)
700 {
701 payloads->destroy(payloads);
702 return status;
703 }
704 break;
705 }
706 default:
707 {
708 this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
709 mapping_find(payload_type_m, payload->get_type(payload)),
710 payload->get_type(payload));
711 break;
712 }
713 }
714 }
715 payloads->destroy(payloads);
716
717 if (!(sa_payload && nonce_payload && tsi_payload && tsr_payload))
718 {
719 this->logger->log(this->logger, AUDIT, "response message incomplete, no CHILD_SA built");
720 return FAILED;
721 }
722
723 { /* process NONCE payload */
724 this->nonce_r = nonce_payload->get_nonce(nonce_payload);
725 }
726
727 { /* process traffic selectors for us */
728 linked_list_t *ts_received = tsi_payload->get_traffic_selectors(tsi_payload);
729 this->tsi = this->policy->select_my_traffic_selectors(this->policy, ts_received);
730 destroy_ts_list(ts_received);
731 }
732
733 { /* process traffic selectors for other */
734 linked_list_t *ts_received = tsr_payload->get_traffic_selectors(tsr_payload);
735 this->tsr = this->policy->select_other_traffic_selectors(this->policy, ts_received);
736 destroy_ts_list(ts_received);
737 }
738
739 { /* process sa payload */
740 proposal_t *proposal;
741 linked_list_t *proposal_list;
742
743 proposal_list = sa_payload->get_proposals(sa_payload);
744 /* we have to re-check here if other's selection is valid */
745 this->proposal = this->policy->select_proposal(this->policy, proposal_list);
746 /* list not needed anymore */
747 while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
748 {
749 proposal->destroy(proposal);
750 }
751 proposal_list->destroy(proposal_list);
752
753 /* everything fine to create CHILD? */
754 if (this->proposal == NULL ||
755 this->tsi->get_count(this->tsi) == 0 ||
756 this->tsr->get_count(this->tsr) == 0)
757 {
758 this->logger->log(this->logger, AUDIT,
759 "CHILD_SA creation failed");
760 return FAILED;
761 }
762 new_child = this->child_sa;
763 if (install_child_sa(this, TRUE) != SUCCESS)
764 {
765 this->logger->log(this->logger, ERROR,
766 "installing CHILD_SA failed, no CHILD_SA built");
767 return FAILED;
768 }
769 }
770 /* CHILD_SA successfully created. If the other peer initiated rekeying
771 * in the meantime, we detect this by comparing the rekeying_transaction
772 * of the SA. If it changed, we are not alone. Then we must compare the nonces.
773 * If no simultaneous rekeying is going on, we just initiate the delete of
774 * the superseded SA. */
775 if (this->rekeyed_sa)
776 {
777 private_create_child_sa_t *other;
778
779 other = (private_create_child_sa_t*)
780 this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa);
781
782 /* we are not rekeying anymore, unregister us */
783 this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, NULL);
784
785 if (other != this)
786 { /* simlutaneous rekeying is going on, not so good */
787 chunk_t this_lowest, other_lowest;
788
789 /* check if this has a lower nonce the other */
790 if (memcmp(this->nonce_i.ptr, this->nonce_r.ptr,
791 min(this->nonce_i.len, this->nonce_r.len)) < 0)
792 {
793 this_lowest = this->nonce_i;
794 }
795 else
796 {
797 this_lowest = this->nonce_r;
798 }
799 if (memcmp(other->nonce_i.ptr, other->nonce_r.ptr,
800 min(other->nonce_i.len, other->nonce_r.len)) < 0)
801 {
802 other_lowest = other->nonce_i;
803 }
804 else
805 {
806 other_lowest = other->nonce_r;
807 }
808 if (memcmp(this_lowest.ptr, other_lowest.ptr,
809 min(this_lowest.len, other_lowest.len)) < 0)
810 {
811 this->logger->log(this->logger, ERROR,
812 "detected simultaneous CHILD_SA rekeying, but ours is preferred");
813 }
814 else
815 {
816
817 this->logger->log(this->logger, ERROR,
818 "detected simultaneous CHILD_SA rekeying, deleting ours");
819 this->lost = TRUE;
820 }
821 }
822 /* delete the old SA if we have won the rekeying nonce compare*/
823 if (!this->lost)
824 {
825 other->rekeyed_sa->set_rekeying_transaction(other->rekeyed_sa, NULL);
826 delete_child_sa = delete_child_sa_create(this->ike_sa, this->message_id + 1);
827 delete_child_sa->set_child_sa(delete_child_sa, this->rekeyed_sa);
828 *next = (transaction_t*)delete_child_sa;
829 }
830 }
831 if (this->lost)
832 {
833 /* we have lost simlutaneous rekeying, delete the CHILD_SA we just have created */
834 delete_child_sa = delete_child_sa_create(this->ike_sa, this->message_id + 1);
835 new_child->set_rekeying_transaction(new_child, NULL);
836 delete_child_sa->set_child_sa(delete_child_sa, new_child);
837 *next = (transaction_t*)delete_child_sa;
838 }
839 return SUCCESS;
840 }
841
842 /**
843 * implements transaction_t.destroy
844 */
845 static void destroy(private_create_child_sa_t *this)
846 {
847 if (this->message)
848 {
849 this->message->destroy(this->message);
850 }
851 if (this->proposal)
852 {
853 this->proposal->destroy(this->proposal);
854 }
855 if (this->child_sa)
856 {
857 this->child_sa->destroy(this->child_sa);
858 }
859 destroy_ts_list(this->tsi);
860 destroy_ts_list(this->tsr);
861 chunk_free(&this->nonce_i);
862 chunk_free(&this->nonce_r);
863 this->randomizer->destroy(this->randomizer);
864 free(this);
865 }
866
867 /*
868 * Described in header.
869 */
870 create_child_sa_t *create_child_sa_create(ike_sa_t *ike_sa, u_int32_t message_id)
871 {
872 private_create_child_sa_t *this = malloc_thing(private_create_child_sa_t);
873
874 /* transaction interface functions */
875 this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
876 this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
877 this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude;
878 this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id;
879 this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested;
880 this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
881
882 /* public functions */
883 this->public.rekeys_child = (void(*)(create_child_sa_t*,child_sa_t*))rekeys_child;
884 this->public.cancel = (void(*)(create_child_sa_t*))cancel;
885
886 /* private data */
887 this->ike_sa = ike_sa;
888 this->message_id = message_id;
889 this->message = NULL;
890 this->requested = 0;
891 this->rekey_spi = 0;
892 this->nonce_i = CHUNK_INITIALIZER;
893 this->nonce_r = CHUNK_INITIALIZER;
894 this->child_sa = NULL;
895 this->rekeyed_sa = NULL;
896 this->lost = FALSE;
897 this->proposal = NULL;
898 this->tsi = NULL;
899 this->tsr = NULL;
900 this->randomizer = randomizer_create();
901 this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
902
903 return &this->public;
904 }