ha: Add DH group to CHILD_ADD message
[strongswan.git] / src / libcharon / plugins / ha / ha_child.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "ha_child.h"
17
18 typedef struct private_ha_child_t private_ha_child_t;
19
20 /**
21 * Private data of an ha_child_t object.
22 */
23 struct private_ha_child_t {
24
25 /**
26 * Public ha_child_t interface.
27 */
28 ha_child_t public;
29
30 /**
31 * socket we use for syncing
32 */
33 ha_socket_t *socket;
34
35 /**
36 * tunnel securing sync messages
37 */
38 ha_tunnel_t *tunnel;
39
40 /**
41 * Segment handling
42 */
43 ha_segments_t *segments;
44
45 /**
46 * Kernel helper
47 */
48 ha_kernel_t *kernel;
49 };
50
51 METHOD(listener_t, child_keys, bool,
52 private_ha_child_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
53 bool initiator, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
54 {
55 ha_message_t *m;
56 chunk_t secret;
57 proposal_t *proposal;
58 u_int16_t alg, len;
59 linked_list_t *local_ts, *remote_ts;
60 enumerator_t *enumerator;
61 traffic_selector_t *ts;
62 u_int seg_i, seg_o;
63
64 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
65 { /* do not sync SA between nodes */
66 return TRUE;
67 }
68
69 m = ha_message_create(HA_CHILD_ADD);
70
71 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
72 m->add_attribute(m, HA_INITIATOR, (u_int8_t)initiator);
73 m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE));
74 m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE));
75 m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE));
76 m->add_attribute(m, HA_OUTBOUND_CPI, child_sa->get_cpi(child_sa, FALSE));
77 m->add_attribute(m, HA_IPSEC_MODE, child_sa->get_mode(child_sa));
78 m->add_attribute(m, HA_IPCOMP, child_sa->get_ipcomp(child_sa));
79 m->add_attribute(m, HA_CONFIG_NAME, child_sa->get_name(child_sa));
80
81 proposal = child_sa->get_proposal(child_sa);
82 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
83 {
84 m->add_attribute(m, HA_ALG_ENCR, alg);
85 if (len)
86 {
87 m->add_attribute(m, HA_ALG_ENCR_LEN, len);
88 }
89 }
90 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
91 {
92 m->add_attribute(m, HA_ALG_INTEG, alg);
93 }
94 if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL))
95 {
96 m->add_attribute(m, HA_ALG_DH, alg);
97 }
98 if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, &alg, NULL))
99 {
100 m->add_attribute(m, HA_ESN, alg);
101 }
102 m->add_attribute(m, HA_NONCE_I, nonce_i);
103 m->add_attribute(m, HA_NONCE_R, nonce_r);
104 if (dh && dh->get_shared_secret(dh, &secret))
105 {
106 m->add_attribute(m, HA_SECRET, secret);
107 chunk_clear(&secret);
108 }
109
110 local_ts = linked_list_create();
111 remote_ts = linked_list_create();
112
113 enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
114 while (enumerator->enumerate(enumerator, &ts))
115 {
116 m->add_attribute(m, HA_LOCAL_TS, ts);
117 local_ts->insert_last(local_ts, ts);
118 }
119 enumerator->destroy(enumerator);
120
121 enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
122 while (enumerator->enumerate(enumerator, &ts))
123 {
124 m->add_attribute(m, HA_REMOTE_TS, ts);
125 remote_ts->insert_last(remote_ts, ts);
126 }
127 enumerator->destroy(enumerator);
128
129 seg_i = this->kernel->get_segment_spi(this->kernel,
130 ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE));
131 seg_o = this->kernel->get_segment_spi(this->kernel,
132 ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE));
133 DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R === %#R "
134 "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
135 child_sa->get_unique_id(child_sa), local_ts, remote_ts,
136 seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
137 seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
138
139 local_ts->destroy(local_ts);
140 remote_ts->destroy(remote_ts);
141
142 this->socket->push(this->socket, m);
143 m->destroy(m);
144
145 return TRUE;
146 }
147
148 METHOD(listener_t, child_state_change, bool,
149 private_ha_child_t *this, ike_sa_t *ike_sa,
150 child_sa_t *child_sa, child_sa_state_t state)
151 {
152 if (!ike_sa ||
153 ike_sa->get_state(ike_sa) == IKE_PASSIVE ||
154 ike_sa->get_state(ike_sa) == IKE_DESTROYING)
155 { /* only sync active IKE_SAs */
156 return TRUE;
157 }
158 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
159 { /* do not sync SA between nodes */
160 return TRUE;
161 }
162
163
164 if (state == CHILD_DESTROYING)
165 {
166 ha_message_t *m;
167
168 m = ha_message_create(HA_CHILD_DELETE);
169
170 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
171 m->add_attribute(m, HA_INBOUND_SPI,
172 child_sa->get_spi(child_sa, TRUE));
173 this->socket->push(this->socket, m);
174 m->destroy(m);
175 }
176 return TRUE;
177 }
178
179 METHOD(ha_child_t, destroy, void,
180 private_ha_child_t *this)
181 {
182 free(this);
183 }
184
185 /**
186 * See header
187 */
188 ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
189 ha_segments_t *segments, ha_kernel_t *kernel)
190 {
191 private_ha_child_t *this;
192
193 INIT(this,
194 .public = {
195 .listener = {
196 .child_keys = _child_keys,
197 .child_state_change = _child_state_change,
198 },
199 .destroy = _destroy,
200 },
201 .socket = socket,
202 .tunnel = tunnel,
203 .segments = segments,
204 .kernel = kernel,
205 );
206
207 return &this->public;
208 }