96dc67ee897c39770e2ff95a22c5ad131282d1d9
[strongswan.git] / src / charon / sa / transactions / delete_child_sa.c
1 /**
2 * @file delete_child_sa.c
3 *
4 * @brief Implementation of the delete_child_sa transaction.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "delete_child_sa.h"
24
25 #include <daemon.h>
26 #include <encoding/payloads/delete_payload.h>
27 #include <sa/transactions/create_child_sa.h>
28
29
30 typedef struct private_delete_child_sa_t private_delete_child_sa_t;
31
32 /**
33 * Private members of a delete_child_sa_t object..
34 */
35 struct private_delete_child_sa_t {
36
37 /**
38 * Public methods and transaction_t interface.
39 */
40 delete_child_sa_t public;
41
42 /**
43 * Assigned IKE_SA.
44 */
45 ike_sa_t *ike_sa;
46
47 /**
48 * Message sent by our peer, if already generated
49 */
50 message_t *message;
51
52 /**
53 * Message ID this transaction uses
54 */
55 u_int32_t message_id;
56
57 /**
58 * Times we did send the request
59 */
60 u_int32_t requested;
61
62 /**
63 * CHILD SA to delete
64 */
65 child_sa_t *child_sa;
66 };
67
68 /**
69 * Implementation of transaction_t.get_message_id.
70 */
71 static u_int32_t get_message_id(private_delete_child_sa_t *this)
72 {
73 return this->message_id;
74 }
75
76 /**
77 * Implementation of transaction_t.requested.
78 */
79 static u_int32_t requested(private_delete_child_sa_t *this)
80 {
81 return this->requested++;
82 }
83
84 /**
85 * Implementation of delete_child_sa_t.set_child_sa.
86 */
87 static void set_child_sa(private_delete_child_sa_t *this, child_sa_t *child_sa)
88 {
89 this->child_sa = child_sa;
90 }
91
92 /**
93 * Implementation of transaction_t.get_request.
94 */
95 static status_t get_request(private_delete_child_sa_t *this, message_t **result)
96 {
97 message_t *request;
98 host_t *me, *other;
99
100 /* check if we already have built a message (retransmission) */
101 if (this->message)
102 {
103 *result = this->message;
104 return SUCCESS;
105 }
106
107 me = this->ike_sa->get_my_host(this->ike_sa);
108 other = this->ike_sa->get_other_host(this->ike_sa);
109
110 /* build the request */
111 request = message_create();
112 request->set_source(request, me->clone(me));
113 request->set_destination(request, other->clone(other));
114 request->set_exchange_type(request, INFORMATIONAL);
115 request->set_request(request, TRUE);
116 this->message_id = this->ike_sa->get_next_message_id(this->ike_sa);
117 request->set_message_id(request, this->message_id);
118 request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa));
119 *result = request;
120 this->message = request;
121
122 { /* add delete payload */
123 delete_payload_t *delete_payload;
124 protocol_id_t protocol;
125 u_int32_t spi;
126
127 protocol = this->child_sa->get_protocol(this->child_sa);
128 spi = this->child_sa->get_spi(this->child_sa, TRUE);
129 delete_payload = delete_payload_create(protocol);
130
131 DBG1(SIG_DBG_IKE, "created DELETE payload for %N CHILD_SA with SPI 0x%x",
132 protocol_id_names, protocol, htonl(spi));
133 delete_payload->add_spi(delete_payload, spi);
134 request->add_payload(request, (payload_t*)delete_payload);
135 }
136
137 this->child_sa->set_state(this->child_sa, CHILD_DELETING);
138
139 return SUCCESS;
140 }
141
142 /**
143 * process a delete payload
144 */
145 static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t *delete_request, message_t *response)
146 {
147 protocol_id_t protocol;
148 u_int32_t spi;
149 iterator_t *iterator;
150 delete_payload_t *delete_response = NULL;
151
152 /* get requested CHILD */
153 protocol = delete_request->get_protocol_id(delete_request);
154 if (protocol != PROTO_ESP && protocol != PROTO_AH)
155 {
156 DBG1(SIG_DBG_IKE, "CHILD_SA delete response contained unexpected protocol");
157 return FAILED;
158 }
159
160 /* prepare response payload */
161 if (response)
162 {
163 delete_response = delete_payload_create(protocol);
164 response->add_payload(response, (payload_t*)delete_response);
165 }
166
167 iterator = delete_request->create_spi_iterator(delete_request);
168 while (iterator->iterate(iterator, (void**)&spi))
169 {
170 child_sa_t *child_sa;
171
172 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
173
174 if (child_sa != NULL)
175 {
176 create_child_sa_t *rekey;
177
178 child_sa->set_state(child_sa, CHILD_DELETING);
179
180 DBG1(SIG_DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, deleting",
181 protocol_id_names, protocol, ntohl(spi));
182
183 rekey = child_sa->get_rekeying_transaction(child_sa);
184 if (rekey)
185 {
186 /* we have received a delete for an SA which we are still rekeying.
187 * this means we have lost the nonce comparison, and the rekeying
188 * will fail. We set a flag in the transaction for this special case.
189 */
190 rekey->cancel(rekey);
191 }
192 /* delete it, with inbound spi */
193 spi = child_sa->get_spi(child_sa, TRUE);
194 this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
195 /* add delete response to message, if we are responding */
196 if (response)
197 {
198 delete_response->add_spi(delete_response, spi);
199 }
200 }
201 else
202 {
203 DBG1(SIG_DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, but no such SA",
204 protocol_id_names, protocol, ntohl(spi));
205 }
206 }
207 iterator->destroy(iterator);
208 return SUCCESS;
209 }
210
211 /**
212 * Implementation of transaction_t.get_response.
213 */
214 static status_t get_response(private_delete_child_sa_t *this, message_t *request,
215 message_t **result, transaction_t **next)
216 {
217 host_t *me, *other;
218 message_t *response;
219 iterator_t *payloads;
220
221 /* check if we already have built a response (retransmission) */
222 if (this->message)
223 {
224 *result = this->message;
225 return SUCCESS;
226 }
227
228 me = this->ike_sa->get_my_host(this->ike_sa);
229 other = this->ike_sa->get_other_host(this->ike_sa);
230 this->message_id = request->get_message_id(request);
231
232 /* set up response */
233 response = message_create();
234 response->set_source(response, me->clone(me));
235 response->set_destination(response, other->clone(other));
236 response->set_exchange_type(response, INFORMATIONAL);
237 response->set_request(response, FALSE);
238 response->set_message_id(response, this->message_id);
239 response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa));
240 this->message = response;
241 *result = response;
242
243 if (request->get_exchange_type(request) != INFORMATIONAL)
244 {
245 DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, aborting");
246 return FAILED;
247 }
248
249 /* we can't handle a delete for a CHILD when we are rekeying. There
250 * is no proper solution for this. We send a empty informational response,
251 * as described in ikev2-clarifications draft */
252 if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING ||
253 this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
254 {
255 DBG1(SIG_DBG_IKE, "unable to delete CHILD_SA, as rekeying in progress");
256 return FAILED;
257 }
258
259 /* iterate over all payloads */
260 payloads = request->get_payload_iterator(request);
261 while (payloads->has_next(payloads))
262 {
263 payload_t *payload;
264 payloads->current(payloads, (void**)&payload);
265
266 switch (payload->get_type(payload))
267 {
268 case DELETE:
269 {
270 process_delete(this, (delete_payload_t*)payload, response);
271 break;
272 }
273 default:
274 {
275 DBG2(SIG_DBG_IKE, "ignoring payload %N",
276 payload_type_names, payload->get_type(payload));
277 break;
278 }
279 }
280 }
281 payloads->destroy(payloads);
282 return SUCCESS;
283 }
284
285 /**
286 * Implementation of transaction_t.conclude
287 */
288 static status_t conclude(private_delete_child_sa_t *this, message_t *response,
289 transaction_t **transaction)
290 {
291 iterator_t *payloads;
292
293 /* check message type */
294 if (response->get_exchange_type(response) != INFORMATIONAL)
295 {
296 DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, aborting");
297 return FAILED;
298 }
299
300 /* iterate over all payloads */
301 payloads = response->get_payload_iterator(response);
302 while (payloads->has_next(payloads))
303 {
304 payload_t *payload;
305 payloads->current(payloads, (void**)&payload);
306
307 switch (payload->get_type(payload))
308 {
309 case DELETE:
310 {
311 process_delete(this, (delete_payload_t*)payload, NULL);
312 break;
313 }
314 default:
315 {
316 DBG1(SIG_DBG_IKE, "ignoring payload %N",
317 payload_type_names, payload->get_type(payload));
318 break;
319 }
320 }
321 }
322 payloads->destroy(payloads);
323 return SUCCESS;
324 }
325
326 /**
327 * implements transaction_t.destroy
328 */
329 static void destroy(private_delete_child_sa_t *this)
330 {
331 DESTROY_IF(this->message);
332 free(this);
333 }
334
335 /*
336 * Described in header.
337 */
338 delete_child_sa_t *delete_child_sa_create(ike_sa_t *ike_sa)
339 {
340 private_delete_child_sa_t *this = malloc_thing(private_delete_child_sa_t);
341
342 /* transaction interface functions */
343 this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
344 this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
345 this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude;
346 this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id;
347 this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested;
348 this->public.transaction.destroy = (void(*)(transaction_t*))destroy;
349
350 /* publics */
351 this->public.set_child_sa = (void(*)(delete_child_sa_t*,child_sa_t*))set_child_sa;
352
353 /* private data */
354 this->ike_sa = ike_sa;
355 this->message_id = 0;
356 this->message = NULL;
357 this->requested = 0;
358
359 return &this->public;
360 }