proposal-substructure: Fix incorrect type for IKEv2 proposals
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / child_create.c
1 /*
2 * Copyright (C) 2008-2019 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "child_create.h"
19
20 #include <daemon.h>
21 #include <sa/ikev2/keymat_v2.h>
22 #include <crypto/diffie_hellman.h>
23 #include <credentials/certificates/x509.h>
24 #include <encoding/payloads/sa_payload.h>
25 #include <encoding/payloads/ke_payload.h>
26 #include <encoding/payloads/ts_payload.h>
27 #include <encoding/payloads/nonce_payload.h>
28 #include <encoding/payloads/notify_payload.h>
29 #include <encoding/payloads/delete_payload.h>
30 #include <processing/jobs/delete_ike_sa_job.h>
31 #include <processing/jobs/inactivity_job.h>
32 #include <processing/jobs/initiate_tasks_job.h>
33
34 typedef struct private_child_create_t private_child_create_t;
35
36 /**
37 * Private members of a child_create_t task.
38 */
39 struct private_child_create_t {
40
41 /**
42 * Public methods and task_t interface.
43 */
44 child_create_t public;
45
46 /**
47 * Assigned IKE_SA.
48 */
49 ike_sa_t *ike_sa;
50
51 /**
52 * Are we the initiator?
53 */
54 bool initiator;
55
56 /**
57 * nonce chosen by us
58 */
59 chunk_t my_nonce;
60
61 /**
62 * nonce chosen by peer
63 */
64 chunk_t other_nonce;
65
66 /**
67 * nonce generator
68 */
69 nonce_gen_t *nonceg;
70
71 /**
72 * config to create the CHILD_SA from
73 */
74 child_cfg_t *config;
75
76 /**
77 * list of proposal candidates
78 */
79 linked_list_t *proposals;
80
81 /**
82 * selected proposal to use for CHILD_SA
83 */
84 proposal_t *proposal;
85
86 /**
87 * traffic selectors for initiators side
88 */
89 linked_list_t *tsi;
90
91 /**
92 * traffic selectors for responders side
93 */
94 linked_list_t *tsr;
95
96 /**
97 * source of triggering packet
98 */
99 traffic_selector_t *packet_tsi;
100
101 /**
102 * destination of triggering packet
103 */
104 traffic_selector_t *packet_tsr;
105
106 /**
107 * optional diffie hellman exchange
108 */
109 diffie_hellman_t *dh;
110
111 /**
112 * Applying DH public value failed?
113 */
114 bool dh_failed;
115
116 /**
117 * group used for DH exchange
118 */
119 diffie_hellman_group_t dh_group;
120
121 /**
122 * IKE_SAs keymat
123 */
124 keymat_v2_t *keymat;
125
126 /**
127 * mode the new CHILD_SA uses (transport/tunnel/beet)
128 */
129 ipsec_mode_t mode;
130
131 /**
132 * peer accepts TFC padding for this SA
133 */
134 bool tfcv3;
135
136 /**
137 * IPComp transform to use
138 */
139 ipcomp_transform_t ipcomp;
140
141 /**
142 * IPComp transform proposed or accepted by the other peer
143 */
144 ipcomp_transform_t ipcomp_received;
145
146 /**
147 * IPsec protocol
148 */
149 protocol_id_t proto;
150
151 /**
152 * Own allocated SPI
153 */
154 uint32_t my_spi;
155
156 /**
157 * SPI received in proposal
158 */
159 uint32_t other_spi;
160
161 /**
162 * Own allocated Compression Parameter Index (CPI)
163 */
164 uint16_t my_cpi;
165
166 /**
167 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
168 */
169 uint16_t other_cpi;
170
171 /**
172 * Data collected to create the CHILD_SA
173 */
174 child_sa_create_t child;
175
176 /**
177 * CHILD_SA which gets established
178 */
179 child_sa_t *child_sa;
180
181 /**
182 * successfully established the CHILD?
183 */
184 bool established;
185
186 /**
187 * whether the CHILD_SA rekeys an existing one
188 */
189 bool rekey;
190
191 /**
192 * whether we are retrying with another DH group
193 */
194 bool retry;
195 };
196
197 /**
198 * Schedule a retry if creating the CHILD_SA temporary failed
199 */
200 static void schedule_delayed_retry(private_child_create_t *this)
201 {
202 child_create_t *task;
203 uint32_t retry;
204
205 retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
206
207 task = child_create_create(this->ike_sa,
208 this->config->get_ref(this->config), FALSE,
209 this->packet_tsi, this->packet_tsr);
210 task->use_reqid(task, this->child.reqid);
211 task->use_marks(task, this->child.mark_in, this->child.mark_out);
212 task->use_if_ids(task, this->child.if_id_in, this->child.if_id_out);
213
214 DBG1(DBG_IKE, "creating CHILD_SA failed, trying again in %d seconds",
215 retry);
216 this->ike_sa->queue_task_delayed(this->ike_sa, (task_t*)task, retry);
217 }
218
219 /**
220 * get the nonce from a message
221 */
222 static status_t get_nonce(message_t *message, chunk_t *nonce)
223 {
224 nonce_payload_t *payload;
225
226 payload = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
227 if (payload == NULL)
228 {
229 return FAILED;
230 }
231 *nonce = payload->get_nonce(payload);
232 return NEED_MORE;
233 }
234
235 /**
236 * generate a new nonce to include in a CREATE_CHILD_SA message
237 */
238 static bool generate_nonce(private_child_create_t *this)
239 {
240 this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
241 if (!this->nonceg)
242 {
243 DBG1(DBG_IKE, "no nonce generator found to create nonce");
244 return FALSE;
245 }
246 if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE,
247 &this->my_nonce))
248 {
249 DBG1(DBG_IKE, "nonce allocation failed");
250 return FALSE;
251 }
252 return TRUE;
253 }
254
255 /**
256 * Check a list of traffic selectors if any selector belongs to host
257 */
258 static bool ts_list_is_host(linked_list_t *list, host_t *host)
259 {
260 traffic_selector_t *ts;
261 bool is_host = TRUE;
262 enumerator_t *enumerator = list->create_enumerator(list);
263
264 while (is_host && enumerator->enumerate(enumerator, (void**)&ts))
265 {
266 is_host = is_host && ts->is_host(ts, host);
267 }
268 enumerator->destroy(enumerator);
269 return is_host;
270 }
271
272 /**
273 * Allocate local SPI
274 */
275 static bool allocate_spi(private_child_create_t *this)
276 {
277 proposal_t *proposal;
278
279 if (this->initiator)
280 {
281 this->proto = PROTO_ESP;
282 /* we just get a SPI for the first protocol. TODO: If we ever support
283 * proposal lists with mixed protocols, we'd need multiple SPIs */
284 if (this->proposals->get_first(this->proposals,
285 (void**)&proposal) == SUCCESS)
286 {
287 this->proto = proposal->get_protocol(proposal);
288 }
289 }
290 else
291 {
292 this->proto = this->proposal->get_protocol(this->proposal);
293 }
294 this->my_spi = this->child_sa->alloc_spi(this->child_sa, this->proto);
295 return this->my_spi != 0;
296 }
297
298 /**
299 * Update the proposals with the allocated SPIs as initiator and check the DH
300 * group and promote it if necessary
301 */
302 static bool update_and_check_proposals(private_child_create_t *this)
303 {
304 enumerator_t *enumerator;
305 proposal_t *proposal;
306 linked_list_t *other_dh_groups;
307 bool found = FALSE;
308
309 other_dh_groups = linked_list_create();
310 enumerator = this->proposals->create_enumerator(this->proposals);
311 while (enumerator->enumerate(enumerator, &proposal))
312 {
313 proposal->set_spi(proposal, this->my_spi);
314
315 /* move the selected DH group to the front, if any */
316 if (this->dh_group != MODP_NONE)
317 { /* proposals that don't contain the selected group are
318 * moved to the back */
319 if (!proposal->promote_dh_group(proposal, this->dh_group))
320 {
321 this->proposals->remove_at(this->proposals, enumerator);
322 other_dh_groups->insert_last(other_dh_groups, proposal);
323 }
324 else
325 {
326 found = TRUE;
327 }
328 }
329 }
330 enumerator->destroy(enumerator);
331 enumerator = other_dh_groups->create_enumerator(other_dh_groups);
332 while (enumerator->enumerate(enumerator, (void**)&proposal))
333 { /* no need to remove from the list as we destroy it anyway*/
334 this->proposals->insert_last(this->proposals, proposal);
335 }
336 enumerator->destroy(enumerator);
337 other_dh_groups->destroy(other_dh_groups);
338
339 return this->dh_group == MODP_NONE || found;
340 }
341
342 /**
343 * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
344 */
345 static void schedule_inactivity_timeout(private_child_create_t *this)
346 {
347 uint32_t timeout, id;
348 bool close_ike;
349
350 timeout = this->config->get_inactivity(this->config);
351 if (timeout)
352 {
353 close_ike = lib->settings->get_bool(lib->settings,
354 "%s.inactivity_close_ike", FALSE, lib->ns);
355 id = this->child_sa->get_unique_id(this->child_sa);
356 lib->scheduler->schedule_job(lib->scheduler, (job_t*)
357 inactivity_job_create(id, timeout, close_ike), timeout);
358 }
359 }
360
361 /**
362 * Check if we have a an address pool configured
363 */
364 static bool have_pool(ike_sa_t *ike_sa)
365 {
366 enumerator_t *enumerator;
367 peer_cfg_t *peer_cfg;
368 char *pool;
369 bool found = FALSE;
370
371 peer_cfg = ike_sa->get_peer_cfg(ike_sa);
372 if (peer_cfg)
373 {
374 enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
375 if (enumerator->enumerate(enumerator, &pool))
376 {
377 found = TRUE;
378 }
379 enumerator->destroy(enumerator);
380 }
381 return found;
382 }
383
384 /**
385 * Get hosts to use for dynamic traffic selectors
386 */
387 static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
388 {
389 enumerator_t *enumerator;
390 linked_list_t *list;
391 host_t *host;
392
393 list = linked_list_create();
394 enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
395 while (enumerator->enumerate(enumerator, &host))
396 {
397 list->insert_last(list, host);
398 }
399 enumerator->destroy(enumerator);
400
401 if (list->get_count(list) == 0)
402 { /* no virtual IPs assigned */
403 if (local)
404 {
405 host = ike_sa->get_my_host(ike_sa);
406 list->insert_last(list, host);
407 }
408 else if (!have_pool(ike_sa))
409 { /* use host only if we don't have a pool configured */
410 host = ike_sa->get_other_host(ike_sa);
411 list->insert_last(list, host);
412 }
413 }
414 return list;
415 }
416
417 /**
418 * Substitute any host address with NATed address in traffic selector
419 */
420 static linked_list_t* get_transport_nat_ts(private_child_create_t *this,
421 bool local, linked_list_t *in)
422 {
423 enumerator_t *enumerator;
424 linked_list_t *out;
425 traffic_selector_t *ts;
426 host_t *ike, *first = NULL;
427 uint8_t mask;
428
429 if (local)
430 {
431 ike = this->ike_sa->get_my_host(this->ike_sa);
432 }
433 else
434 {
435 ike = this->ike_sa->get_other_host(this->ike_sa);
436 }
437
438 out = linked_list_create();
439
440 enumerator = in->create_enumerator(in);
441 while (enumerator->enumerate(enumerator, &ts))
442 {
443 /* require that all selectors match the first "host" selector */
444 if (ts->is_host(ts, first))
445 {
446 if (!first)
447 {
448 ts->to_subnet(ts, &first, &mask);
449 }
450 ts = ts->clone(ts);
451 ts->set_address(ts, ike);
452 out->insert_last(out, ts);
453 }
454 }
455 enumerator->destroy(enumerator);
456 DESTROY_IF(first);
457
458 return out;
459 }
460
461 /**
462 * Narrow received traffic selectors with configuration
463 */
464 static linked_list_t* narrow_ts(private_child_create_t *this, bool local,
465 linked_list_t *in)
466 {
467 linked_list_t *hosts, *nat, *ts;
468 ike_condition_t cond;
469
470 cond = local ? COND_NAT_HERE : COND_NAT_THERE;
471 hosts = get_dynamic_hosts(this->ike_sa, local);
472
473 if (this->mode == MODE_TRANSPORT &&
474 this->ike_sa->has_condition(this->ike_sa, cond))
475 {
476 nat = get_transport_nat_ts(this, local, in);
477 ts = this->config->get_traffic_selectors(this->config, local, nat,
478 hosts, TRUE);
479 nat->destroy_offset(nat, offsetof(traffic_selector_t, destroy));
480 }
481 else
482 {
483 ts = this->config->get_traffic_selectors(this->config, local, in,
484 hosts, TRUE);
485 }
486
487 hosts->destroy(hosts);
488
489 return ts;
490 }
491
492 /**
493 * Check if requested mode is acceptable
494 */
495 static bool check_mode(private_child_create_t *this, host_t *i, host_t *r)
496 {
497 switch (this->mode)
498 {
499 case MODE_TRANSPORT:
500 if (!this->config->has_option(this->config, OPT_PROXY_MODE) &&
501 (!ts_list_is_host(this->tsi, i) ||
502 !ts_list_is_host(this->tsr, r))
503 )
504 {
505 DBG1(DBG_IKE, "not using transport mode, not host-to-host");
506 return FALSE;
507 }
508 if (this->config->get_mode(this->config) != MODE_TRANSPORT)
509 {
510 return FALSE;
511 }
512 break;
513 case MODE_BEET:
514 if (!ts_list_is_host(this->tsi, NULL) ||
515 !ts_list_is_host(this->tsr, NULL))
516 {
517 DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
518 return FALSE;
519 }
520 if (this->config->get_mode(this->config) != MODE_BEET)
521 {
522 return FALSE;
523 }
524 break;
525 default:
526 break;
527 }
528 return TRUE;
529 }
530
531 /**
532 * Install a CHILD_SA for usage, return value:
533 * - FAILED: no acceptable proposal
534 * - INVALID_ARG: diffie hellman group unacceptable
535 * - NOT_FOUND: TS unacceptable
536 */
537 static status_t select_and_install(private_child_create_t *this,
538 bool no_dh, bool ike_auth)
539 {
540 status_t status, status_i, status_o;
541 child_sa_outbound_state_t out_state;
542 chunk_t nonce_i, nonce_r;
543 chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
544 chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
545 linked_list_t *my_ts, *other_ts;
546 host_t *me, *other;
547 bool private, prefer_configured;
548
549 if (this->proposals == NULL)
550 {
551 DBG1(DBG_IKE, "SA payload missing in message");
552 return FAILED;
553 }
554 if (this->tsi == NULL || this->tsr == NULL)
555 {
556 DBG1(DBG_IKE, "TS payloads missing in message");
557 return NOT_FOUND;
558 }
559
560 me = this->ike_sa->get_my_host(this->ike_sa);
561 other = this->ike_sa->get_other_host(this->ike_sa);
562
563 private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
564 prefer_configured = lib->settings->get_bool(lib->settings,
565 "%s.prefer_configured_proposals", TRUE, lib->ns);
566 this->proposal = this->config->select_proposal(this->config,
567 this->proposals, no_dh, private, prefer_configured);
568 if (this->proposal == NULL)
569 {
570 DBG1(DBG_IKE, "no acceptable proposal found");
571 charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD,
572 this->proposals);
573 return FAILED;
574 }
575 this->other_spi = this->proposal->get_spi(this->proposal);
576
577 if (!this->initiator)
578 {
579 if (!allocate_spi(this))
580 {
581 /* responder has no SPI allocated yet */
582 DBG1(DBG_IKE, "allocating SPI failed");
583 return FAILED;
584 }
585 this->proposal->set_spi(this->proposal, this->my_spi);
586 }
587 this->child_sa->set_proposal(this->child_sa, this->proposal);
588
589 if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
590 {
591 uint16_t group;
592
593 if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
594 &group, NULL))
595 {
596 DBG1(DBG_IKE, "DH group %N unacceptable, requesting %N",
597 diffie_hellman_group_names, this->dh_group,
598 diffie_hellman_group_names, group);
599 this->dh_group = group;
600 return INVALID_ARG;
601 }
602 /* the selected proposal does not use a DH group */
603 DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
604 DESTROY_IF(this->dh);
605 this->dh = NULL;
606 this->dh_group = MODP_NONE;
607 }
608
609 if (this->initiator)
610 {
611 nonce_i = this->my_nonce;
612 nonce_r = this->other_nonce;
613 my_ts = narrow_ts(this, TRUE, this->tsi);
614 other_ts = narrow_ts(this, FALSE, this->tsr);
615 }
616 else
617 {
618 nonce_r = this->my_nonce;
619 nonce_i = this->other_nonce;
620 my_ts = narrow_ts(this, TRUE, this->tsr);
621 other_ts = narrow_ts(this, FALSE, this->tsi);
622 }
623
624 if (this->initiator)
625 {
626 if (ike_auth)
627 {
628 charon->bus->narrow(charon->bus, this->child_sa,
629 NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts);
630 }
631 else
632 {
633 charon->bus->narrow(charon->bus, this->child_sa,
634 NARROW_INITIATOR_POST_AUTH, my_ts, other_ts);
635 }
636 }
637 else
638 {
639 charon->bus->narrow(charon->bus, this->child_sa,
640 NARROW_RESPONDER, my_ts, other_ts);
641 }
642
643 if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
644 {
645 charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
646 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
647 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
648 DBG1(DBG_IKE, "no acceptable traffic selectors found");
649 return NOT_FOUND;
650 }
651
652 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
653 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
654 if (this->initiator)
655 {
656 this->tsi = my_ts;
657 this->tsr = other_ts;
658
659 if (!check_mode(this, me, other))
660 {
661 DBG1(DBG_IKE, "%N mode requested by responder is unacceptable",
662 ipsec_mode_names, this->mode);
663 return FAILED;
664 }
665 }
666 else
667 {
668 this->tsr = my_ts;
669 this->tsi = other_ts;
670
671 if (!check_mode(this, other, me))
672 {
673 this->mode = MODE_TUNNEL;
674 }
675 }
676
677 if (!this->initiator)
678 {
679 /* use a copy of the traffic selectors, as the POST hook should not
680 * change payloads */
681 my_ts = this->tsr->clone_offset(this->tsr,
682 offsetof(traffic_selector_t, clone));
683 other_ts = this->tsi->clone_offset(this->tsi,
684 offsetof(traffic_selector_t, clone));
685 charon->bus->narrow(charon->bus, this->child_sa,
686 NARROW_RESPONDER_POST, my_ts, other_ts);
687
688 if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
689 {
690 my_ts->destroy_offset(my_ts,
691 offsetof(traffic_selector_t, destroy));
692 other_ts->destroy_offset(other_ts,
693 offsetof(traffic_selector_t, destroy));
694 return NOT_FOUND;
695 }
696 }
697
698 this->child_sa->set_policies(this->child_sa, my_ts, other_ts);
699 if (!this->initiator)
700 {
701 my_ts->destroy_offset(my_ts,
702 offsetof(traffic_selector_t, destroy));
703 other_ts->destroy_offset(other_ts,
704 offsetof(traffic_selector_t, destroy));
705 }
706
707 this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
708 this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
709 this->child_sa->set_mode(this->child_sa, this->mode);
710 this->child_sa->set_protocol(this->child_sa,
711 this->proposal->get_protocol(this->proposal));
712
713 if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
714 {
715 this->my_cpi = this->other_cpi = 0;
716 this->ipcomp = IPCOMP_NONE;
717 }
718 status_i = status_o = FAILED;
719 if (this->keymat->derive_child_keys(this->keymat, this->proposal,
720 this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
721 {
722 if (this->initiator)
723 {
724 status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
725 this->my_spi, this->my_cpi, this->initiator,
726 TRUE, this->tfcv3);
727 }
728 else
729 {
730 status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
731 this->my_spi, this->my_cpi, this->initiator,
732 TRUE, this->tfcv3);
733 }
734 if (this->rekey)
735 { /* during rekeyings we install the outbound SA and/or policies
736 * separately: as responder when we receive the delete for the old
737 * SA, as initiator pretty much immediately in the ike-rekey task,
738 * unless there was a rekey collision that we lost */
739 if (this->initiator)
740 {
741 status_o = this->child_sa->register_outbound(this->child_sa,
742 encr_i, integ_i, this->other_spi, this->other_cpi,
743 this->tfcv3);
744 }
745 else
746 {
747 status_o = this->child_sa->register_outbound(this->child_sa,
748 encr_r, integ_r, this->other_spi, this->other_cpi,
749 this->tfcv3);
750 }
751 }
752 else if (this->initiator)
753 {
754 status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
755 this->other_spi, this->other_cpi, this->initiator,
756 FALSE, this->tfcv3);
757 }
758 else
759 {
760 status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
761 this->other_spi, this->other_cpi, this->initiator,
762 FALSE, this->tfcv3);
763 }
764 }
765
766 if (status_i != SUCCESS || status_o != SUCCESS)
767 {
768 DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
769 (status_i != SUCCESS) ? "inbound " : "",
770 (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
771 (status_o != SUCCESS) ? "outbound " : "");
772 charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_SA_FAILED,
773 this->child_sa);
774 status = FAILED;
775 }
776 else
777 {
778 status = this->child_sa->install_policies(this->child_sa);
779
780 if (status != SUCCESS)
781 {
782 DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
783 charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_POLICY_FAILED,
784 this->child_sa);
785 status = NOT_FOUND;
786 }
787 else
788 {
789 charon->bus->child_derived_keys(charon->bus, this->child_sa,
790 this->initiator, encr_i, encr_r,
791 integ_i, integ_r);
792 }
793 }
794 chunk_clear(&integ_i);
795 chunk_clear(&integ_r);
796 chunk_clear(&encr_i);
797 chunk_clear(&encr_r);
798
799 if (status != SUCCESS)
800 {
801 return status;
802 }
803
804 charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
805 this->dh, nonce_i, nonce_r);
806
807 my_ts = linked_list_create_from_enumerator(
808 this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
809 other_ts = linked_list_create_from_enumerator(
810 this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
811 out_state = this->child_sa->get_outbound_state(this->child_sa);
812
813 DBG0(DBG_IKE, "%sCHILD_SA %s{%d} established "
814 "with SPIs %.8x_i %.8x_o and TS %#R === %#R",
815 (out_state == CHILD_OUTBOUND_INSTALLED) ? "" : "inbound ",
816 this->child_sa->get_name(this->child_sa),
817 this->child_sa->get_unique_id(this->child_sa),
818 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
819 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
820 my_ts, other_ts);
821
822 my_ts->destroy(my_ts);
823 other_ts->destroy(other_ts);
824
825 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
826 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
827 this->established = TRUE;
828
829 schedule_inactivity_timeout(this);
830 return SUCCESS;
831 }
832
833 /**
834 * build the payloads for the message
835 */
836 static bool build_payloads(private_child_create_t *this, message_t *message)
837 {
838 sa_payload_t *sa_payload;
839 nonce_payload_t *nonce_payload;
840 ke_payload_t *ke_payload;
841 ts_payload_t *ts_payload;
842 kernel_feature_t features;
843
844 /* add SA payload */
845 if (this->initiator)
846 {
847 sa_payload = sa_payload_create_from_proposals_v2(this->proposals);
848 }
849 else
850 {
851 sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
852 }
853 message->add_payload(message, (payload_t*)sa_payload);
854
855 /* add nonce payload if not in IKE_AUTH */
856 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
857 {
858 nonce_payload = nonce_payload_create(PLV2_NONCE);
859 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
860 message->add_payload(message, (payload_t*)nonce_payload);
861 }
862
863 /* diffie hellman exchange, if PFS enabled */
864 if (this->dh)
865 {
866 ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE,
867 this->dh);
868 if (!ke_payload)
869 {
870 DBG1(DBG_IKE, "creating KE payload failed");
871 return FALSE;
872 }
873 message->add_payload(message, (payload_t*)ke_payload);
874 }
875
876 /* add TSi/TSr payloads */
877 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
878 message->add_payload(message, (payload_t*)ts_payload);
879 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
880 message->add_payload(message, (payload_t*)ts_payload);
881
882 /* add a notify if we are not in tunnel mode */
883 switch (this->mode)
884 {
885 case MODE_TRANSPORT:
886 message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
887 break;
888 case MODE_BEET:
889 message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
890 break;
891 default:
892 break;
893 }
894
895 features = charon->kernel->get_features(charon->kernel);
896 if (!(features & KERNEL_ESP_V3_TFC))
897 {
898 message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
899 chunk_empty);
900 }
901 return TRUE;
902 }
903
904 /**
905 * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
906 */
907 static void add_ipcomp_notify(private_child_create_t *this,
908 message_t *message, uint8_t ipcomp)
909 {
910 this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
911 if (this->my_cpi)
912 {
913 this->ipcomp = ipcomp;
914 message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
915 chunk_cata("cc", chunk_from_thing(this->my_cpi),
916 chunk_from_thing(ipcomp)));
917 }
918 else
919 {
920 DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
921 }
922 }
923
924 /**
925 * handle a received notify payload
926 */
927 static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
928 {
929 switch (notify->get_notify_type(notify))
930 {
931 case USE_TRANSPORT_MODE:
932 this->mode = MODE_TRANSPORT;
933 break;
934 case USE_BEET_MODE:
935 if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
936 { /* handle private use notify only if we know its meaning */
937 this->mode = MODE_BEET;
938 }
939 else
940 {
941 DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
942 "mode, but peer implementation unknown, skipped");
943 }
944 break;
945 case IPCOMP_SUPPORTED:
946 {
947 ipcomp_transform_t ipcomp;
948 uint16_t cpi;
949 chunk_t data;
950
951 data = notify->get_notification_data(notify);
952 cpi = *(uint16_t*)data.ptr;
953 ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
954 switch (ipcomp)
955 {
956 case IPCOMP_DEFLATE:
957 this->other_cpi = cpi;
958 this->ipcomp_received = ipcomp;
959 break;
960 case IPCOMP_LZS:
961 case IPCOMP_LZJH:
962 default:
963 DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
964 "transform ID we don't support %N",
965 ipcomp_transform_names, ipcomp);
966 break;
967 }
968 break;
969 }
970 case ESP_TFC_PADDING_NOT_SUPPORTED:
971 DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
972 notify_type_names, notify->get_notify_type(notify));
973 this->tfcv3 = FALSE;
974 break;
975 default:
976 break;
977 }
978 }
979
980 /**
981 * Read payloads from message
982 */
983 static void process_payloads(private_child_create_t *this, message_t *message)
984 {
985 enumerator_t *enumerator;
986 payload_t *payload;
987 sa_payload_t *sa_payload;
988 ke_payload_t *ke_payload;
989 ts_payload_t *ts_payload;
990
991 /* defaults to TUNNEL mode */
992 this->mode = MODE_TUNNEL;
993
994 enumerator = message->create_payload_enumerator(message);
995 while (enumerator->enumerate(enumerator, &payload))
996 {
997 switch (payload->get_type(payload))
998 {
999 case PLV2_SECURITY_ASSOCIATION:
1000 sa_payload = (sa_payload_t*)payload;
1001 this->proposals = sa_payload->get_proposals(sa_payload);
1002 break;
1003 case PLV2_KEY_EXCHANGE:
1004 ke_payload = (ke_payload_t*)payload;
1005 if (!this->initiator)
1006 {
1007 this->dh_group = ke_payload->get_dh_group_number(ke_payload);
1008 this->dh = this->keymat->keymat.create_dh(
1009 &this->keymat->keymat, this->dh_group);
1010 }
1011 else if (this->dh)
1012 {
1013 this->dh_failed = this->dh->get_dh_group(this->dh) !=
1014 ke_payload->get_dh_group_number(ke_payload);
1015 }
1016 if (this->dh && !this->dh_failed)
1017 {
1018 this->dh_failed = !this->dh->set_other_public_value(this->dh,
1019 ke_payload->get_key_exchange_data(ke_payload));
1020 }
1021 break;
1022 case PLV2_TS_INITIATOR:
1023 ts_payload = (ts_payload_t*)payload;
1024 this->tsi = ts_payload->get_traffic_selectors(ts_payload);
1025 break;
1026 case PLV2_TS_RESPONDER:
1027 ts_payload = (ts_payload_t*)payload;
1028 this->tsr = ts_payload->get_traffic_selectors(ts_payload);
1029 break;
1030 case PLV2_NOTIFY:
1031 handle_notify(this, (notify_payload_t*)payload);
1032 break;
1033 default:
1034 break;
1035 }
1036 }
1037 enumerator->destroy(enumerator);
1038 }
1039
1040 METHOD(task_t, build_i, status_t,
1041 private_child_create_t *this, message_t *message)
1042 {
1043 enumerator_t *enumerator;
1044 host_t *vip;
1045 peer_cfg_t *peer_cfg;
1046 linked_list_t *list;
1047
1048 switch (message->get_exchange_type(message))
1049 {
1050 case IKE_SA_INIT:
1051 return get_nonce(message, &this->my_nonce);
1052 case CREATE_CHILD_SA:
1053 if (!generate_nonce(this))
1054 {
1055 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
1056 chunk_empty);
1057 return SUCCESS;
1058 }
1059 if (!this->retry && this->dh_group == MODP_NONE)
1060 { /* during a rekeying the group might already be set */
1061 this->dh_group = this->config->get_dh_group(this->config);
1062 }
1063 break;
1064 case IKE_AUTH:
1065 if (message->get_message_id(message) != 1)
1066 {
1067 /* send only in the first request, not in subsequent rounds */
1068 return NEED_MORE;
1069 }
1070 break;
1071 default:
1072 break;
1073 }
1074
1075 /* check if we want a virtual IP, but don't have one */
1076 list = linked_list_create();
1077 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1078 if (!this->rekey)
1079 {
1080 enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
1081 while (enumerator->enumerate(enumerator, &vip))
1082 {
1083 /* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
1084 vip = host_create_any(vip->get_family(vip));
1085 list->insert_last(list, vip);
1086 }
1087 enumerator->destroy(enumerator);
1088 }
1089 if (list->get_count(list))
1090 {
1091 this->tsi = this->config->get_traffic_selectors(this->config,
1092 TRUE, NULL, list, TRUE);
1093 list->destroy_offset(list, offsetof(host_t, destroy));
1094 }
1095 else
1096 { /* no virtual IPs configured */
1097 list->destroy(list);
1098 list = get_dynamic_hosts(this->ike_sa, TRUE);
1099 this->tsi = this->config->get_traffic_selectors(this->config,
1100 TRUE, NULL, list, TRUE);
1101 list->destroy(list);
1102 }
1103 list = get_dynamic_hosts(this->ike_sa, FALSE);
1104 this->tsr = this->config->get_traffic_selectors(this->config,
1105 FALSE, NULL, list, TRUE);
1106 list->destroy(list);
1107
1108 if (this->packet_tsi)
1109 {
1110 this->tsi->insert_first(this->tsi,
1111 this->packet_tsi->clone(this->packet_tsi));
1112 }
1113 if (this->packet_tsr)
1114 {
1115 this->tsr->insert_first(this->tsr,
1116 this->packet_tsr->clone(this->packet_tsr));
1117 }
1118 this->proposals = this->config->get_proposals(this->config,
1119 this->dh_group == MODP_NONE);
1120 this->mode = this->config->get_mode(this->config);
1121
1122 this->child.if_id_in_def = this->ike_sa->get_if_id(this->ike_sa, TRUE);
1123 this->child.if_id_out_def = this->ike_sa->get_if_id(this->ike_sa, FALSE);
1124 this->child.encap = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
1125 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
1126 this->ike_sa->get_other_host(this->ike_sa),
1127 this->config, &this->child);
1128
1129 if (this->child.reqid)
1130 {
1131 DBG0(DBG_IKE, "establishing CHILD_SA %s{%d} reqid %d",
1132 this->child_sa->get_name(this->child_sa),
1133 this->child_sa->get_unique_id(this->child_sa), this->child.reqid);
1134 }
1135 else
1136 {
1137 DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
1138 this->child_sa->get_name(this->child_sa),
1139 this->child_sa->get_unique_id(this->child_sa));
1140 }
1141
1142 if (!allocate_spi(this))
1143 {
1144 DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
1145 return FAILED;
1146 }
1147
1148 if (!update_and_check_proposals(this))
1149 {
1150 DBG1(DBG_IKE, "requested DH group %N not contained in any of our "
1151 "proposals",
1152 diffie_hellman_group_names, this->dh_group);
1153 return FAILED;
1154 }
1155
1156 if (this->dh_group != MODP_NONE)
1157 {
1158 this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
1159 this->dh_group);
1160 }
1161
1162 if (this->config->has_option(this->config, OPT_IPCOMP))
1163 {
1164 /* IPCOMP_DEFLATE is the only transform we support at the moment */
1165 add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
1166 }
1167
1168 if (message->get_exchange_type(message) == IKE_AUTH)
1169 {
1170 charon->bus->narrow(charon->bus, this->child_sa,
1171 NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr);
1172 }
1173 else
1174 {
1175 charon->bus->narrow(charon->bus, this->child_sa,
1176 NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
1177 }
1178
1179 if (!build_payloads(this, message))
1180 {
1181 return FAILED;
1182 }
1183
1184 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1185 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1186 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1187 this->tsi = NULL;
1188 this->tsr = NULL;
1189 this->proposals = NULL;
1190
1191 return NEED_MORE;
1192 }
1193
1194 METHOD(task_t, process_r, status_t,
1195 private_child_create_t *this, message_t *message)
1196 {
1197 switch (message->get_exchange_type(message))
1198 {
1199 case IKE_SA_INIT:
1200 return get_nonce(message, &this->other_nonce);
1201 case CREATE_CHILD_SA:
1202 get_nonce(message, &this->other_nonce);
1203 break;
1204 case IKE_AUTH:
1205 if (message->get_message_id(message) != 1)
1206 {
1207 /* only handle first AUTH payload, not additional rounds */
1208 return NEED_MORE;
1209 }
1210 default:
1211 break;
1212 }
1213
1214 process_payloads(this, message);
1215
1216 return NEED_MORE;
1217 }
1218
1219 /**
1220 * handle CHILD_SA setup failure
1221 */
1222 static void handle_child_sa_failure(private_child_create_t *this,
1223 message_t *message)
1224 {
1225 bool is_first;
1226
1227 is_first = message->get_exchange_type(message) == IKE_AUTH;
1228 if (is_first &&
1229 lib->settings->get_bool(lib->settings,
1230 "%s.close_ike_on_child_failure", FALSE, lib->ns))
1231 {
1232 /* we delay the delete for 100ms, as the IKE_AUTH response must arrive
1233 * first */
1234 DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
1235 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
1236 delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
1237 100);
1238 }
1239 else
1240 {
1241 DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA");
1242 charon->bus->alert(charon->bus, ALERT_KEEP_ON_CHILD_SA_FAILURE,
1243 is_first);
1244 }
1245 }
1246
1247 /**
1248 * Substitute transport mode NAT selectors, if applicable
1249 */
1250 static linked_list_t* get_ts_if_nat_transport(private_child_create_t *this,
1251 bool local, linked_list_t *in)
1252 {
1253 linked_list_t *out = NULL;
1254 ike_condition_t cond;
1255
1256 if (this->mode == MODE_TRANSPORT)
1257 {
1258 cond = local ? COND_NAT_HERE : COND_NAT_THERE;
1259 if (this->ike_sa->has_condition(this->ike_sa, cond))
1260 {
1261 out = get_transport_nat_ts(this, local, in);
1262 if (out->get_count(out) == 0)
1263 {
1264 out->destroy(out);
1265 out = NULL;
1266 }
1267 }
1268 }
1269 return out;
1270 }
1271
1272 /**
1273 * Select a matching CHILD config as responder
1274 */
1275 static child_cfg_t* select_child_cfg(private_child_create_t *this)
1276 {
1277 peer_cfg_t *peer_cfg;
1278 child_cfg_t *child_cfg = NULL;;
1279
1280 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1281 if (peer_cfg && this->tsi && this->tsr)
1282 {
1283 linked_list_t *listr, *listi, *tsr, *tsi;
1284
1285 tsr = get_ts_if_nat_transport(this, TRUE, this->tsr);
1286 tsi = get_ts_if_nat_transport(this, FALSE, this->tsi);
1287
1288 listr = get_dynamic_hosts(this->ike_sa, TRUE);
1289 listi = get_dynamic_hosts(this->ike_sa, FALSE);
1290 child_cfg = peer_cfg->select_child_cfg(peer_cfg,
1291 tsr ?: this->tsr, tsi ?: this->tsi,
1292 listr, listi);
1293 if ((tsi || tsr) && child_cfg &&
1294 child_cfg->get_mode(child_cfg) != MODE_TRANSPORT)
1295 {
1296 /* found a CHILD config, but it doesn't use transport mode */
1297 child_cfg->destroy(child_cfg);
1298 child_cfg = NULL;
1299 }
1300 if (!child_cfg && (tsi || tsr))
1301 {
1302 /* no match for the substituted NAT selectors, try it without */
1303 child_cfg = peer_cfg->select_child_cfg(peer_cfg,
1304 this->tsr, this->tsi, listr, listi);
1305 }
1306 listr->destroy(listr);
1307 listi->destroy(listi);
1308 DESTROY_OFFSET_IF(tsi, offsetof(traffic_selector_t, destroy));
1309 DESTROY_OFFSET_IF(tsr, offsetof(traffic_selector_t, destroy));
1310 }
1311
1312 return child_cfg;
1313 }
1314
1315 METHOD(task_t, build_r, status_t,
1316 private_child_create_t *this, message_t *message)
1317 {
1318 payload_t *payload;
1319 enumerator_t *enumerator;
1320 bool no_dh = TRUE, ike_auth = FALSE;
1321
1322 switch (message->get_exchange_type(message))
1323 {
1324 case IKE_SA_INIT:
1325 return get_nonce(message, &this->my_nonce);
1326 case CREATE_CHILD_SA:
1327 if (!generate_nonce(this))
1328 {
1329 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
1330 chunk_empty);
1331 return SUCCESS;
1332 }
1333 if (this->dh_failed)
1334 {
1335 DBG1(DBG_IKE, "applying DH public value failed");
1336 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
1337 chunk_empty);
1338 return SUCCESS;
1339 }
1340 no_dh = FALSE;
1341 break;
1342 case IKE_AUTH:
1343 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1344 { /* wait until all authentication round completed */
1345 return NEED_MORE;
1346 }
1347 if (this->ike_sa->has_condition(this->ike_sa, COND_REDIRECTED))
1348 { /* no CHILD_SA is created for redirected SAs */
1349 return SUCCESS;
1350 }
1351 ike_auth = TRUE;
1352 default:
1353 break;
1354 }
1355
1356 if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
1357 {
1358 DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
1359 message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty);
1360 return SUCCESS;
1361 }
1362 if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
1363 {
1364 DBG1(DBG_IKE, "unable to create CHILD_SA while deleting IKE_SA");
1365 message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty);
1366 return SUCCESS;
1367 }
1368
1369 if (this->config == NULL)
1370 {
1371 this->config = select_child_cfg(this);
1372 }
1373 if (this->config == NULL)
1374 {
1375 DBG1(DBG_IKE, "traffic selectors %#R === %#R unacceptable",
1376 this->tsr, this->tsi);
1377 charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
1378 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
1379 handle_child_sa_failure(this, message);
1380 return SUCCESS;
1381 }
1382
1383 /* check if ike_config_t included non-critical error notifies */
1384 enumerator = message->create_payload_enumerator(message);
1385 while (enumerator->enumerate(enumerator, &payload))
1386 {
1387 if (payload->get_type(payload) == PLV2_NOTIFY)
1388 {
1389 notify_payload_t *notify = (notify_payload_t*)payload;
1390
1391 switch (notify->get_notify_type(notify))
1392 {
1393 case INTERNAL_ADDRESS_FAILURE:
1394 case FAILED_CP_REQUIRED:
1395 {
1396 DBG1(DBG_IKE,"configuration payload negotiation "
1397 "failed, no CHILD_SA built");
1398 enumerator->destroy(enumerator);
1399 handle_child_sa_failure(this, message);
1400 return SUCCESS;
1401 }
1402 default:
1403 break;
1404 }
1405 }
1406 }
1407 enumerator->destroy(enumerator);
1408
1409 this->child.if_id_in_def = this->ike_sa->get_if_id(this->ike_sa, TRUE);
1410 this->child.if_id_out_def = this->ike_sa->get_if_id(this->ike_sa, FALSE);
1411 this->child.encap = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
1412 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
1413 this->ike_sa->get_other_host(this->ike_sa),
1414 this->config, &this->child);
1415
1416 if (this->ipcomp_received != IPCOMP_NONE)
1417 {
1418 if (this->config->has_option(this->config, OPT_IPCOMP))
1419 {
1420 add_ipcomp_notify(this, message, this->ipcomp_received);
1421 }
1422 else
1423 {
1424 DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
1425 notify_type_names, IPCOMP_SUPPORTED);
1426 }
1427 }
1428
1429 switch (select_and_install(this, no_dh, ike_auth))
1430 {
1431 case SUCCESS:
1432 break;
1433 case NOT_FOUND:
1434 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
1435 handle_child_sa_failure(this, message);
1436 return SUCCESS;
1437 case INVALID_ARG:
1438 {
1439 uint16_t group = htons(this->dh_group);
1440 message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
1441 chunk_from_thing(group));
1442 return SUCCESS;
1443 }
1444 case FAILED:
1445 default:
1446 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
1447 handle_child_sa_failure(this, message);
1448 return SUCCESS;
1449 }
1450
1451 if (!build_payloads(this, message))
1452 {
1453 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
1454 handle_child_sa_failure(this, message);
1455 return SUCCESS;
1456 }
1457
1458 if (!this->rekey)
1459 { /* invoke the child_up() hook if we are not rekeying */
1460 charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
1461 }
1462 return SUCCESS;
1463 }
1464
1465 /**
1466 * Raise alerts for received notify errors
1467 */
1468 static void raise_alerts(private_child_create_t *this, notify_type_t type)
1469 {
1470 linked_list_t *list;
1471
1472 switch (type)
1473 {
1474 case NO_PROPOSAL_CHOSEN:
1475 list = this->config->get_proposals(this->config, FALSE);
1476 charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD, list);
1477 list->destroy_offset(list, offsetof(proposal_t, destroy));
1478 break;
1479 default:
1480 break;
1481 }
1482 }
1483
1484 METHOD(task_t, build_i_delete, status_t,
1485 private_child_create_t *this, message_t *message)
1486 {
1487 message->set_exchange_type(message, INFORMATIONAL);
1488 if (this->my_spi && this->proto)
1489 {
1490 delete_payload_t *del;
1491
1492 del = delete_payload_create(PLV2_DELETE, this->proto);
1493 del->add_spi(del, this->my_spi);
1494 message->add_payload(message, (payload_t*)del);
1495
1496 DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
1497 protocol_id_names, this->proto, ntohl(this->my_spi));
1498 }
1499 return NEED_MORE;
1500 }
1501
1502 /**
1503 * Change task to delete the failed CHILD_SA as initiator
1504 */
1505 static status_t delete_failed_sa(private_child_create_t *this)
1506 {
1507 if (this->my_spi && this->proto)
1508 {
1509 this->public.task.build = _build_i_delete;
1510 this->public.task.process = (void*)return_success;
1511 return NEED_MORE;
1512 }
1513 return SUCCESS;
1514 }
1515
1516 METHOD(task_t, process_i, status_t,
1517 private_child_create_t *this, message_t *message)
1518 {
1519 enumerator_t *enumerator;
1520 payload_t *payload;
1521 bool no_dh = TRUE, ike_auth = FALSE;
1522
1523 switch (message->get_exchange_type(message))
1524 {
1525 case IKE_SA_INIT:
1526 return get_nonce(message, &this->other_nonce);
1527 case CREATE_CHILD_SA:
1528 get_nonce(message, &this->other_nonce);
1529 no_dh = FALSE;
1530 break;
1531 case IKE_AUTH:
1532 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1533 { /* wait until all authentication round completed */
1534 return NEED_MORE;
1535 }
1536 ike_auth = TRUE;
1537 default:
1538 break;
1539 }
1540
1541 /* check for erroneous notifies */
1542 enumerator = message->create_payload_enumerator(message);
1543 while (enumerator->enumerate(enumerator, &payload))
1544 {
1545 if (payload->get_type(payload) == PLV2_NOTIFY)
1546 {
1547 notify_payload_t *notify = (notify_payload_t*)payload;
1548 notify_type_t type = notify->get_notify_type(notify);
1549
1550 switch (type)
1551 {
1552 /* handle notify errors related to CHILD_SA only */
1553 case NO_PROPOSAL_CHOSEN:
1554 case SINGLE_PAIR_REQUIRED:
1555 case NO_ADDITIONAL_SAS:
1556 case INTERNAL_ADDRESS_FAILURE:
1557 case FAILED_CP_REQUIRED:
1558 case TS_UNACCEPTABLE:
1559 case INVALID_SELECTORS:
1560 {
1561 DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
1562 notify_type_names, type);
1563 enumerator->destroy(enumerator);
1564 raise_alerts(this, type);
1565 handle_child_sa_failure(this, message);
1566 /* an error in CHILD_SA creation is not critical */
1567 return SUCCESS;
1568 }
1569 case TEMPORARY_FAILURE:
1570 {
1571 DBG1(DBG_IKE, "received %N notify, will retry later",
1572 notify_type_names, type);
1573 enumerator->destroy(enumerator);
1574 if (!this->rekey)
1575 { /* the rekey task will retry itself if necessary */
1576 schedule_delayed_retry(this);
1577 }
1578 return SUCCESS;
1579 }
1580 case INVALID_KE_PAYLOAD:
1581 {
1582 chunk_t data;
1583 uint16_t group = MODP_NONE;
1584
1585 data = notify->get_notification_data(notify);
1586 if (data.len == sizeof(group))
1587 {
1588 memcpy(&group, data.ptr, data.len);
1589 group = ntohs(group);
1590 }
1591 if (this->retry)
1592 {
1593 DBG1(DBG_IKE, "already retried with DH group %N, "
1594 "ignore requested %N", diffie_hellman_group_names,
1595 this->dh_group, diffie_hellman_group_names, group);
1596 handle_child_sa_failure(this, message);
1597 /* an error in CHILD_SA creation is not critical */
1598 return SUCCESS;
1599 }
1600 DBG1(DBG_IKE, "peer didn't accept DH group %N, "
1601 "it requested %N", diffie_hellman_group_names,
1602 this->dh_group, diffie_hellman_group_names, group);
1603 this->retry = TRUE;
1604 this->dh_group = group;
1605 this->child_sa->set_state(this->child_sa, CHILD_RETRYING);
1606 this->public.task.migrate(&this->public.task, this->ike_sa);
1607 enumerator->destroy(enumerator);
1608 return NEED_MORE;
1609 }
1610 default:
1611 {
1612 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
1613 { /* handle notifies if not handled in IKE_AUTH */
1614 if (type <= 16383)
1615 {
1616 DBG1(DBG_IKE, "received %N notify error",
1617 notify_type_names, type);
1618 enumerator->destroy(enumerator);
1619 return SUCCESS;
1620 }
1621 DBG2(DBG_IKE, "received %N notify",
1622 notify_type_names, type);
1623 }
1624 break;
1625 }
1626 }
1627 }
1628 }
1629 enumerator->destroy(enumerator);
1630
1631 process_payloads(this, message);
1632
1633 if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
1634 {
1635 DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
1636 " one, no CHILD_SA built");
1637 handle_child_sa_failure(this, message);
1638 return delete_failed_sa(this);
1639 }
1640 else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
1641 {
1642 DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
1643 "IPComp is disabled");
1644 this->ipcomp = IPCOMP_NONE;
1645 }
1646 else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
1647 {
1648 DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
1649 "no CHILD_SA built");
1650 handle_child_sa_failure(this, message);
1651 return delete_failed_sa(this);
1652 }
1653
1654 if (this->dh_failed)
1655 {
1656 DBG1(DBG_IKE, "applying DH public value failed");
1657 handle_child_sa_failure(this, message);
1658 return delete_failed_sa(this);
1659 }
1660
1661 if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
1662 {
1663 if (!this->rekey)
1664 { /* invoke the child_up() hook if we are not rekeying */
1665 charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
1666 }
1667 }
1668 else
1669 {
1670 handle_child_sa_failure(this, message);
1671 return delete_failed_sa(this);
1672 }
1673 return SUCCESS;
1674 }
1675
1676 METHOD(child_create_t, use_reqid, void,
1677 private_child_create_t *this, uint32_t reqid)
1678 {
1679 this->child.reqid = reqid;
1680 }
1681
1682 METHOD(child_create_t, use_marks, void,
1683 private_child_create_t *this, uint32_t in, uint32_t out)
1684 {
1685 this->child.mark_in = in;
1686 this->child.mark_out = out;
1687 }
1688
1689 METHOD(child_create_t, use_if_ids, void,
1690 private_child_create_t *this, uint32_t in, uint32_t out)
1691 {
1692 this->child.if_id_in = in;
1693 this->child.if_id_out = out;
1694 }
1695
1696 METHOD(child_create_t, use_dh_group, void,
1697 private_child_create_t *this, diffie_hellman_group_t dh_group)
1698 {
1699 this->dh_group = dh_group;
1700 }
1701
1702 METHOD(child_create_t, get_child, child_sa_t*,
1703 private_child_create_t *this)
1704 {
1705 return this->child_sa;
1706 }
1707
1708 METHOD(child_create_t, set_config, void,
1709 private_child_create_t *this, child_cfg_t *cfg)
1710 {
1711 DESTROY_IF(this->config);
1712 this->config = cfg;
1713 }
1714
1715 METHOD(child_create_t, get_lower_nonce, chunk_t,
1716 private_child_create_t *this)
1717 {
1718 if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
1719 min(this->my_nonce.len, this->other_nonce.len)) < 0)
1720 {
1721 return this->my_nonce;
1722 }
1723 else
1724 {
1725 return this->other_nonce;
1726 }
1727 }
1728
1729 METHOD(task_t, get_type, task_type_t,
1730 private_child_create_t *this)
1731 {
1732 return TASK_CHILD_CREATE;
1733 }
1734
1735 METHOD(task_t, migrate, void,
1736 private_child_create_t *this, ike_sa_t *ike_sa)
1737 {
1738 chunk_free(&this->my_nonce);
1739 chunk_free(&this->other_nonce);
1740 if (this->tsr)
1741 {
1742 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1743 }
1744 if (this->tsi)
1745 {
1746 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1747 }
1748 DESTROY_IF(this->child_sa);
1749 DESTROY_IF(this->proposal);
1750 DESTROY_IF(this->nonceg);
1751 DESTROY_IF(this->dh);
1752 this->dh_failed = FALSE;
1753 if (this->proposals)
1754 {
1755 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1756 }
1757
1758 this->ike_sa = ike_sa;
1759 this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
1760 this->proposal = NULL;
1761 this->proposals = NULL;
1762 this->tsi = NULL;
1763 this->tsr = NULL;
1764 this->dh = NULL;
1765 this->nonceg = NULL;
1766 this->child_sa = NULL;
1767 this->mode = MODE_TUNNEL;
1768 this->ipcomp = IPCOMP_NONE;
1769 this->ipcomp_received = IPCOMP_NONE;
1770 this->other_cpi = 0;
1771 this->established = FALSE;
1772 this->child = (child_sa_create_t){};
1773 }
1774
1775 METHOD(task_t, destroy, void,
1776 private_child_create_t *this)
1777 {
1778 chunk_free(&this->my_nonce);
1779 chunk_free(&this->other_nonce);
1780 if (this->tsr)
1781 {
1782 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1783 }
1784 if (this->tsi)
1785 {
1786 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1787 }
1788 if (!this->established)
1789 {
1790 DESTROY_IF(this->child_sa);
1791 }
1792 DESTROY_IF(this->packet_tsi);
1793 DESTROY_IF(this->packet_tsr);
1794 DESTROY_IF(this->proposal);
1795 DESTROY_IF(this->dh);
1796 if (this->proposals)
1797 {
1798 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1799 }
1800 DESTROY_IF(this->config);
1801 DESTROY_IF(this->nonceg);
1802 free(this);
1803 }
1804
1805 /*
1806 * Described in header.
1807 */
1808 child_create_t *child_create_create(ike_sa_t *ike_sa,
1809 child_cfg_t *config, bool rekey,
1810 traffic_selector_t *tsi, traffic_selector_t *tsr)
1811 {
1812 private_child_create_t *this;
1813
1814 INIT(this,
1815 .public = {
1816 .get_child = _get_child,
1817 .set_config = _set_config,
1818 .get_lower_nonce = _get_lower_nonce,
1819 .use_reqid = _use_reqid,
1820 .use_marks = _use_marks,
1821 .use_if_ids = _use_if_ids,
1822 .use_dh_group = _use_dh_group,
1823 .task = {
1824 .get_type = _get_type,
1825 .migrate = _migrate,
1826 .destroy = _destroy,
1827 },
1828 },
1829 .ike_sa = ike_sa,
1830 .config = config,
1831 .packet_tsi = tsi ? tsi->clone(tsi) : NULL,
1832 .packet_tsr = tsr ? tsr->clone(tsr) : NULL,
1833 .dh_group = MODP_NONE,
1834 .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
1835 .mode = MODE_TUNNEL,
1836 .tfcv3 = TRUE,
1837 .ipcomp = IPCOMP_NONE,
1838 .ipcomp_received = IPCOMP_NONE,
1839 .rekey = rekey,
1840 .retry = FALSE,
1841 );
1842
1843 if (config)
1844 {
1845 this->public.task.build = _build_i;
1846 this->public.task.process = _process_i;
1847 this->initiator = TRUE;
1848 }
1849 else
1850 {
1851 this->public.task.build = _build_r;
1852 this->public.task.process = _process_r;
1853 this->initiator = FALSE;
1854 }
1855 return &this->public;
1856 }