projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
proposal: Add selection flags to clone() method
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / child_create.c
1 /*
2 * Copyright (C) 2008-2019 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "child_create.h"
19
20 #include <daemon.h>
21 #include <sa/ikev2/keymat_v2.h>
22 #include <crypto/diffie_hellman.h>
23 #include <credentials/certificates/x509.h>
24 #include <encoding/payloads/sa_payload.h>
25 #include <encoding/payloads/ke_payload.h>
26 #include <encoding/payloads/ts_payload.h>
27 #include <encoding/payloads/nonce_payload.h>
28 #include <encoding/payloads/notify_payload.h>
29 #include <encoding/payloads/delete_payload.h>
30 #include <processing/jobs/delete_ike_sa_job.h>
31 #include <processing/jobs/inactivity_job.h>
32 #include <processing/jobs/initiate_tasks_job.h>
33
34 typedef struct private_child_create_t private_child_create_t;
35
36 /**
37 * Private members of a child_create_t task.
38 */
39 struct private_child_create_t {
40
41 /**
42 * Public methods and task_t interface.
43 */
44 child_create_t public;
45
46 /**
47 * Assigned IKE_SA.
48 */
49 ike_sa_t *ike_sa;
50
51 /**
52 * Are we the initiator?
53 */
54 bool initiator;
55
56 /**
57 * nonce chosen by us
58 */
59 chunk_t my_nonce;
60
61 /**
62 * nonce chosen by peer
63 */
64 chunk_t other_nonce;
65
66 /**
67 * nonce generator
68 */
69 nonce_gen_t *nonceg;
70
71 /**
72 * config to create the CHILD_SA from
73 */
74 child_cfg_t *config;
75
76 /**
77 * list of proposal candidates
78 */
79 linked_list_t *proposals;
80
81 /**
82 * selected proposal to use for CHILD_SA
83 */
84 proposal_t *proposal;
85
86 /**
87 * traffic selectors for initiators side
88 */
89 linked_list_t *tsi;
90
91 /**
92 * traffic selectors for responders side
93 */
94 linked_list_t *tsr;
95
96 /**
97 * source of triggering packet
98 */
99 traffic_selector_t *packet_tsi;
100
101 /**
102 * destination of triggering packet
103 */
104 traffic_selector_t *packet_tsr;
105
106 /**
107 * optional diffie hellman exchange
108 */
109 diffie_hellman_t *dh;
110
111 /**
112 * Applying DH public value failed?
113 */
114 bool dh_failed;
115
116 /**
117 * group used for DH exchange
118 */
119 diffie_hellman_group_t dh_group;
120
121 /**
122 * IKE_SAs keymat
123 */
124 keymat_v2_t *keymat;
125
126 /**
127 * mode the new CHILD_SA uses (transport/tunnel/beet)
128 */
129 ipsec_mode_t mode;
130
131 /**
132 * peer accepts TFC padding for this SA
133 */
134 bool tfcv3;
135
136 /**
137 * IPComp transform to use
138 */
139 ipcomp_transform_t ipcomp;
140
141 /**
142 * IPComp transform proposed or accepted by the other peer
143 */
144 ipcomp_transform_t ipcomp_received;
145
146 /**
147 * IPsec protocol
148 */
149 protocol_id_t proto;
150
151 /**
152 * Own allocated SPI
153 */
154 uint32_t my_spi;
155
156 /**
157 * SPI received in proposal
158 */
159 uint32_t other_spi;
160
161 /**
162 * Own allocated Compression Parameter Index (CPI)
163 */
164 uint16_t my_cpi;
165
166 /**
167 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
168 */
169 uint16_t other_cpi;
170
171 /**
172 * Data collected to create the CHILD_SA
173 */
174 child_sa_create_t child;
175
176 /**
177 * CHILD_SA which gets established
178 */
179 child_sa_t *child_sa;
180
181 /**
182 * successfully established the CHILD?
183 */
184 bool established;
185
186 /**
187 * whether the CHILD_SA rekeys an existing one
188 */
189 bool rekey;
190
191 /**
192 * whether we are retrying with another DH group
193 */
194 bool retry;
195 };
196
197 /**
198 * Schedule a retry if creating the CHILD_SA temporary failed
199 */
200 static void schedule_delayed_retry(private_child_create_t *this)
201 {
202 child_create_t *task;
203 uint32_t retry;
204
205 retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
206
207 task = child_create_create(this->ike_sa,
208 this->config->get_ref(this->config), FALSE,
209 this->packet_tsi, this->packet_tsr);
210 task->use_reqid(task, this->child.reqid);
211 task->use_marks(task, this->child.mark_in, this->child.mark_out);
212 task->use_if_ids(task, this->child.if_id_in, this->child.if_id_out);
213
214 DBG1(DBG_IKE, "creating CHILD_SA failed, trying again in %d seconds",
215 retry);
216 this->ike_sa->queue_task_delayed(this->ike_sa, (task_t*)task, retry);
217 }
218
219 /**
220 * get the nonce from a message
221 */
222 static status_t get_nonce(message_t *message, chunk_t *nonce)
223 {
224 nonce_payload_t *payload;
225
226 payload = (nonce_payload_t*)message->get_payload(message, PLV2_NONCE);
227 if (payload == NULL)
228 {
229 return FAILED;
230 }
231 *nonce = payload->get_nonce(payload);
232 return NEED_MORE;
233 }
234
235 /**
236 * generate a new nonce to include in a CREATE_CHILD_SA message
237 */
238 static bool generate_nonce(private_child_create_t *this)
239 {
240 this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
241 if (!this->nonceg)
242 {
243 DBG1(DBG_IKE, "no nonce generator found to create nonce");
244 return FALSE;
245 }
246 if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE,
247 &this->my_nonce))
248 {
249 DBG1(DBG_IKE, "nonce allocation failed");
250 return FALSE;
251 }
252 return TRUE;
253 }
254
255 /**
256 * Check a list of traffic selectors if any selector belongs to host
257 */
258 static bool ts_list_is_host(linked_list_t *list, host_t *host)
259 {
260 traffic_selector_t *ts;
261 bool is_host = TRUE;
262 enumerator_t *enumerator = list->create_enumerator(list);
263
264 while (is_host && enumerator->enumerate(enumerator, (void**)&ts))
265 {
266 is_host = is_host && ts->is_host(ts, host);
267 }
268 enumerator->destroy(enumerator);
269 return is_host;
270 }
271
272 /**
273 * Allocate local SPI
274 */
275 static bool allocate_spi(private_child_create_t *this)
276 {
277 proposal_t *proposal;
278
279 if (this->initiator)
280 {
281 this->proto = PROTO_ESP;
282 /* we just get a SPI for the first protocol. TODO: If we ever support
283 * proposal lists with mixed protocols, we'd need multiple SPIs */
284 if (this->proposals->get_first(this->proposals,
285 (void**)&proposal) == SUCCESS)
286 {
287 this->proto = proposal->get_protocol(proposal);
288 }
289 }
290 else
291 {
292 this->proto = this->proposal->get_protocol(this->proposal);
293 }
294 this->my_spi = this->child_sa->alloc_spi(this->child_sa, this->proto);
295 return this->my_spi != 0;
296 }
297
298 /**
299 * Update the proposals with the allocated SPIs as initiator and check the DH
300 * group and promote it if necessary
301 */
302 static bool update_and_check_proposals(private_child_create_t *this)
303 {
304 enumerator_t *enumerator;
305 proposal_t *proposal;
306 linked_list_t *other_dh_groups;
307 bool found = FALSE;
308
309 other_dh_groups = linked_list_create();
310 enumerator = this->proposals->create_enumerator(this->proposals);
311 while (enumerator->enumerate(enumerator, &proposal))
312 {
313 proposal->set_spi(proposal, this->my_spi);
314
315 /* move the selected DH group to the front, if any */
316 if (this->dh_group != MODP_NONE)
317 { /* proposals that don't contain the selected group are
318 * moved to the back */
319 if (!proposal->promote_dh_group(proposal, this->dh_group))
320 {
321 this->proposals->remove_at(this->proposals, enumerator);
322 other_dh_groups->insert_last(other_dh_groups, proposal);
323 }
324 else
325 {
326 found = TRUE;
327 }
328 }
329 }
330 enumerator->destroy(enumerator);
331 enumerator = other_dh_groups->create_enumerator(other_dh_groups);
332 while (enumerator->enumerate(enumerator, (void**)&proposal))
333 { /* no need to remove from the list as we destroy it anyway*/
334 this->proposals->insert_last(this->proposals, proposal);
335 }
336 enumerator->destroy(enumerator);
337 other_dh_groups->destroy(other_dh_groups);
338
339 return this->dh_group == MODP_NONE || found;
340 }
341
342 /**
343 * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
344 */
345 static void schedule_inactivity_timeout(private_child_create_t *this)
346 {
347 uint32_t timeout, id;
348 bool close_ike;
349
350 timeout = this->config->get_inactivity(this->config);
351 if (timeout)
352 {
353 close_ike = lib->settings->get_bool(lib->settings,
354 "%s.inactivity_close_ike", FALSE, lib->ns);
355 id = this->child_sa->get_unique_id(this->child_sa);
356 lib->scheduler->schedule_job(lib->scheduler, (job_t*)
357 inactivity_job_create(id, timeout, close_ike), timeout);
358 }
359 }
360
361 /**
362 * Check if we have a an address pool configured
363 */
364 static bool have_pool(ike_sa_t *ike_sa)
365 {
366 enumerator_t *enumerator;
367 peer_cfg_t *peer_cfg;
368 char *pool;
369 bool found = FALSE;
370
371 peer_cfg = ike_sa->get_peer_cfg(ike_sa);
372 if (peer_cfg)
373 {
374 enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
375 if (enumerator->enumerate(enumerator, &pool))
376 {
377 found = TRUE;
378 }
379 enumerator->destroy(enumerator);
380 }
381 return found;
382 }
383
384 /**
385 * Get hosts to use for dynamic traffic selectors
386 */
387 static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
388 {
389 enumerator_t *enumerator;
390 linked_list_t *list;
391 host_t *host;
392
393 list = linked_list_create();
394 enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
395 while (enumerator->enumerate(enumerator, &host))
396 {
397 list->insert_last(list, host);
398 }
399 enumerator->destroy(enumerator);
400
401 if (list->get_count(list) == 0)
402 { /* no virtual IPs assigned */
403 if (local)
404 {
405 host = ike_sa->get_my_host(ike_sa);
406 list->insert_last(list, host);
407 }
408 else if (!have_pool(ike_sa))
409 { /* use host only if we don't have a pool configured */
410 host = ike_sa->get_other_host(ike_sa);
411 list->insert_last(list, host);
412 }
413 }
414 return list;
415 }
416
417 /**
418 * Substitute any host address with NATed address in traffic selector
419 */
420 static linked_list_t* get_transport_nat_ts(private_child_create_t *this,
421 bool local, linked_list_t *in)
422 {
423 enumerator_t *enumerator;
424 linked_list_t *out;
425 traffic_selector_t *ts;
426 host_t *ike, *first = NULL;
427 uint8_t mask;
428
429 if (local)
430 {
431 ike = this->ike_sa->get_my_host(this->ike_sa);
432 }
433 else
434 {
435 ike = this->ike_sa->get_other_host(this->ike_sa);
436 }
437
438 out = linked_list_create();
439
440 enumerator = in->create_enumerator(in);
441 while (enumerator->enumerate(enumerator, &ts))
442 {
443 /* require that all selectors match the first "host" selector */
444 if (ts->is_host(ts, first))
445 {
446 if (!first)
447 {
448 ts->to_subnet(ts, &first, &mask);
449 }
450 ts = ts->clone(ts);
451 ts->set_address(ts, ike);
452 out->insert_last(out, ts);
453 }
454 }
455 enumerator->destroy(enumerator);
456 DESTROY_IF(first);
457
458 return out;
459 }
460
461 /**
462 * Narrow received traffic selectors with configuration
463 */
464 static linked_list_t* narrow_ts(private_child_create_t *this, bool local,
465 linked_list_t *in)
466 {
467 linked_list_t *hosts, *nat, *ts;
468 ike_condition_t cond;
469
470 cond = local ? COND_NAT_HERE : COND_NAT_THERE;
471 hosts = get_dynamic_hosts(this->ike_sa, local);
472
473 if (this->mode == MODE_TRANSPORT &&
474 this->ike_sa->has_condition(this->ike_sa, cond))
475 {
476 nat = get_transport_nat_ts(this, local, in);
477 ts = this->config->get_traffic_selectors(this->config, local, nat,
478 hosts, TRUE);
479 nat->destroy_offset(nat, offsetof(traffic_selector_t, destroy));
480 }
481 else
482 {
483 ts = this->config->get_traffic_selectors(this->config, local, in,
484 hosts, TRUE);
485 }
486
487 hosts->destroy(hosts);
488
489 return ts;
490 }
491
492 /**
493 * Check if requested mode is acceptable
494 */
495 static bool check_mode(private_child_create_t *this, host_t *i, host_t *r)
496 {
497 switch (this->mode)
498 {
499 case MODE_TRANSPORT:
500 if (!this->config->has_option(this->config, OPT_PROXY_MODE) &&
501 (!ts_list_is_host(this->tsi, i) ||
502 !ts_list_is_host(this->tsr, r))
503 )
504 {
505 DBG1(DBG_IKE, "not using transport mode, not host-to-host");
506 return FALSE;
507 }
508 if (this->config->get_mode(this->config) != MODE_TRANSPORT)
509 {
510 return FALSE;
511 }
512 break;
513 case MODE_BEET:
514 if (!ts_list_is_host(this->tsi, NULL) ||
515 !ts_list_is_host(this->tsr, NULL))
516 {
517 DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
518 return FALSE;
519 }
520 if (this->config->get_mode(this->config) != MODE_BEET)
521 {
522 return FALSE;
523 }
524 break;
525 default:
526 break;
527 }
528 return TRUE;
529 }
530
531 /**
532 * Install a CHILD_SA for usage, return value:
533 * - FAILED: no acceptable proposal
534 * - INVALID_ARG: diffie hellman group unacceptable
535 * - NOT_FOUND: TS unacceptable
536 */
537 static status_t select_and_install(private_child_create_t *this,
538 bool no_dh, bool ike_auth)
539 {
540 status_t status, status_i, status_o;
541 child_sa_outbound_state_t out_state;
542 chunk_t nonce_i, nonce_r;
543 chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
544 chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
545 linked_list_t *my_ts, *other_ts;
546 host_t *me, *other;
547 proposal_selection_flag_t flags = 0;
548
549 if (this->proposals == NULL)
550 {
551 DBG1(DBG_IKE, "SA payload missing in message");
552 return FAILED;
553 }
554 if (this->tsi == NULL || this->tsr == NULL)
555 {
556 DBG1(DBG_IKE, "TS payloads missing in message");
557 return NOT_FOUND;
558 }
559
560 me = this->ike_sa->get_my_host(this->ike_sa);
561 other = this->ike_sa->get_other_host(this->ike_sa);
562
563 if (no_dh)
564 {
565 flags |= PROPOSAL_SKIP_DH;
566 }
567 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
568 {
569 flags |= PROPOSAL_SKIP_PRIVATE;
570 }
571 if (!lib->settings->get_bool(lib->settings,
572 "%s.prefer_configured_proposals", TRUE, lib->ns))
573 {
574 flags |= PROPOSAL_PREFER_SUPPLIED;
575 }
576 this->proposal = this->config->select_proposal(this->config,
577 this->proposals, flags);
578 if (this->proposal == NULL)
579 {
580 DBG1(DBG_IKE, "no acceptable proposal found");
581 charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD,
582 this->proposals);
583 return FAILED;
584 }
585 this->other_spi = this->proposal->get_spi(this->proposal);
586
587 if (!this->initiator)
588 {
589 if (!allocate_spi(this))
590 {
591 /* responder has no SPI allocated yet */
592 DBG1(DBG_IKE, "allocating SPI failed");
593 return FAILED;
594 }
595 this->proposal->set_spi(this->proposal, this->my_spi);
596 }
597 this->child_sa->set_proposal(this->child_sa, this->proposal);
598
599 if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
600 {
601 uint16_t group;
602
603 if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
604 &group, NULL))
605 {
606 DBG1(DBG_IKE, "DH group %N unacceptable, requesting %N",
607 diffie_hellman_group_names, this->dh_group,
608 diffie_hellman_group_names, group);
609 this->dh_group = group;
610 return INVALID_ARG;
611 }
612 /* the selected proposal does not use a DH group */
613 DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
614 DESTROY_IF(this->dh);
615 this->dh = NULL;
616 this->dh_group = MODP_NONE;
617 }
618
619 if (this->initiator)
620 {
621 nonce_i = this->my_nonce;
622 nonce_r = this->other_nonce;
623 my_ts = narrow_ts(this, TRUE, this->tsi);
624 other_ts = narrow_ts(this, FALSE, this->tsr);
625 }
626 else
627 {
628 nonce_r = this->my_nonce;
629 nonce_i = this->other_nonce;
630 my_ts = narrow_ts(this, TRUE, this->tsr);
631 other_ts = narrow_ts(this, FALSE, this->tsi);
632 }
633
634 if (this->initiator)
635 {
636 if (ike_auth)
637 {
638 charon->bus->narrow(charon->bus, this->child_sa,
639 NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts);
640 }
641 else
642 {
643 charon->bus->narrow(charon->bus, this->child_sa,
644 NARROW_INITIATOR_POST_AUTH, my_ts, other_ts);
645 }
646 }
647 else
648 {
649 charon->bus->narrow(charon->bus, this->child_sa,
650 NARROW_RESPONDER, my_ts, other_ts);
651 }
652
653 if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
654 {
655 charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
656 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
657 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
658 DBG1(DBG_IKE, "no acceptable traffic selectors found");
659 return NOT_FOUND;
660 }
661
662 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
663 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
664 if (this->initiator)
665 {
666 this->tsi = my_ts;
667 this->tsr = other_ts;
668
669 if (!check_mode(this, me, other))
670 {
671 DBG1(DBG_IKE, "%N mode requested by responder is unacceptable",
672 ipsec_mode_names, this->mode);
673 return FAILED;
674 }
675 }
676 else
677 {
678 this->tsr = my_ts;
679 this->tsi = other_ts;
680
681 if (!check_mode(this, other, me))
682 {
683 this->mode = MODE_TUNNEL;
684 }
685 }
686
687 if (!this->initiator)
688 {
689 /* use a copy of the traffic selectors, as the POST hook should not
690 * change payloads */
691 my_ts = this->tsr->clone_offset(this->tsr,
692 offsetof(traffic_selector_t, clone));
693 other_ts = this->tsi->clone_offset(this->tsi,
694 offsetof(traffic_selector_t, clone));
695 charon->bus->narrow(charon->bus, this->child_sa,
696 NARROW_RESPONDER_POST, my_ts, other_ts);
697
698 if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
699 {
700 my_ts->destroy_offset(my_ts,
701 offsetof(traffic_selector_t, destroy));
702 other_ts->destroy_offset(other_ts,
703 offsetof(traffic_selector_t, destroy));
704 return NOT_FOUND;
705 }
706 }
707
708 this->child_sa->set_policies(this->child_sa, my_ts, other_ts);
709 if (!this->initiator)
710 {
711 my_ts->destroy_offset(my_ts,
712 offsetof(traffic_selector_t, destroy));
713 other_ts->destroy_offset(other_ts,
714 offsetof(traffic_selector_t, destroy));
715 }
716
717 this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
718 this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
719 this->child_sa->set_mode(this->child_sa, this->mode);
720 this->child_sa->set_protocol(this->child_sa,
721 this->proposal->get_protocol(this->proposal));
722
723 if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
724 {
725 this->my_cpi = this->other_cpi = 0;
726 this->ipcomp = IPCOMP_NONE;
727 }
728 status_i = status_o = FAILED;
729 if (this->keymat->derive_child_keys(this->keymat, this->proposal,
730 this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
731 {
732 if (this->initiator)
733 {
734 status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
735 this->my_spi, this->my_cpi, this->initiator,
736 TRUE, this->tfcv3);
737 }
738 else
739 {
740 status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
741 this->my_spi, this->my_cpi, this->initiator,
742 TRUE, this->tfcv3);
743 }
744 if (this->rekey)
745 { /* during rekeyings we install the outbound SA and/or policies
746 * separately: as responder when we receive the delete for the old
747 * SA, as initiator pretty much immediately in the ike-rekey task,
748 * unless there was a rekey collision that we lost */
749 if (this->initiator)
750 {
751 status_o = this->child_sa->register_outbound(this->child_sa,
752 encr_i, integ_i, this->other_spi, this->other_cpi,
753 this->tfcv3);
754 }
755 else
756 {
757 status_o = this->child_sa->register_outbound(this->child_sa,
758 encr_r, integ_r, this->other_spi, this->other_cpi,
759 this->tfcv3);
760 }
761 }
762 else if (this->initiator)
763 {
764 status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
765 this->other_spi, this->other_cpi, this->initiator,
766 FALSE, this->tfcv3);
767 }
768 else
769 {
770 status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
771 this->other_spi, this->other_cpi, this->initiator,
772 FALSE, this->tfcv3);
773 }
774 }
775
776 if (status_i != SUCCESS || status_o != SUCCESS)
777 {
778 DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
779 (status_i != SUCCESS) ? "inbound " : "",
780 (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
781 (status_o != SUCCESS) ? "outbound " : "");
782 charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_SA_FAILED,
783 this->child_sa);
784 status = FAILED;
785 }
786 else
787 {
788 status = this->child_sa->install_policies(this->child_sa);
789
790 if (status != SUCCESS)
791 {
792 DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
793 charon->bus->alert(charon->bus, ALERT_INSTALL_CHILD_POLICY_FAILED,
794 this->child_sa);
795 status = NOT_FOUND;
796 }
797 else
798 {
799 charon->bus->child_derived_keys(charon->bus, this->child_sa,
800 this->initiator, encr_i, encr_r,
801 integ_i, integ_r);
802 }
803 }
804 chunk_clear(&integ_i);
805 chunk_clear(&integ_r);
806 chunk_clear(&encr_i);
807 chunk_clear(&encr_r);
808
809 if (status != SUCCESS)
810 {
811 return status;
812 }
813
814 charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
815 this->dh, nonce_i, nonce_r);
816
817 my_ts = linked_list_create_from_enumerator(
818 this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
819 other_ts = linked_list_create_from_enumerator(
820 this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
821 out_state = this->child_sa->get_outbound_state(this->child_sa);
822
823 DBG0(DBG_IKE, "%sCHILD_SA %s{%d} established "
824 "with SPIs %.8x_i %.8x_o and TS %#R === %#R",
825 (out_state == CHILD_OUTBOUND_INSTALLED) ? "" : "inbound ",
826 this->child_sa->get_name(this->child_sa),
827 this->child_sa->get_unique_id(this->child_sa),
828 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
829 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
830 my_ts, other_ts);
831
832 my_ts->destroy(my_ts);
833 other_ts->destroy(other_ts);
834
835 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
836 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
837 this->established = TRUE;
838
839 schedule_inactivity_timeout(this);
840 return SUCCESS;
841 }
842
843 /**
844 * build the payloads for the message
845 */
846 static bool build_payloads(private_child_create_t *this, message_t *message)
847 {
848 sa_payload_t *sa_payload;
849 nonce_payload_t *nonce_payload;
850 ke_payload_t *ke_payload;
851 ts_payload_t *ts_payload;
852 kernel_feature_t features;
853
854 /* add SA payload */
855 if (this->initiator)
856 {
857 sa_payload = sa_payload_create_from_proposals_v2(this->proposals);
858 }
859 else
860 {
861 sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
862 }
863 message->add_payload(message, (payload_t*)sa_payload);
864
865 /* add nonce payload if not in IKE_AUTH */
866 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
867 {
868 nonce_payload = nonce_payload_create(PLV2_NONCE);
869 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
870 message->add_payload(message, (payload_t*)nonce_payload);
871 }
872
873 /* diffie hellman exchange, if PFS enabled */
874 if (this->dh)
875 {
876 ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE,
877 this->dh);
878 if (!ke_payload)
879 {
880 DBG1(DBG_IKE, "creating KE payload failed");
881 return FALSE;
882 }
883 message->add_payload(message, (payload_t*)ke_payload);
884 }
885
886 /* add TSi/TSr payloads */
887 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
888 message->add_payload(message, (payload_t*)ts_payload);
889 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
890 message->add_payload(message, (payload_t*)ts_payload);
891
892 /* add a notify if we are not in tunnel mode */
893 switch (this->mode)
894 {
895 case MODE_TRANSPORT:
896 message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
897 break;
898 case MODE_BEET:
899 message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
900 break;
901 default:
902 break;
903 }
904
905 features = charon->kernel->get_features(charon->kernel);
906 if (!(features & KERNEL_ESP_V3_TFC))
907 {
908 message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
909 chunk_empty);
910 }
911 return TRUE;
912 }
913
914 /**
915 * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
916 */
917 static void add_ipcomp_notify(private_child_create_t *this,
918 message_t *message, uint8_t ipcomp)
919 {
920 this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
921 if (this->my_cpi)
922 {
923 this->ipcomp = ipcomp;
924 message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
925 chunk_cata("cc", chunk_from_thing(this->my_cpi),
926 chunk_from_thing(ipcomp)));
927 }
928 else
929 {
930 DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
931 }
932 }
933
934 /**
935 * handle a received notify payload
936 */
937 static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
938 {
939 switch (notify->get_notify_type(notify))
940 {
941 case USE_TRANSPORT_MODE:
942 this->mode = MODE_TRANSPORT;
943 break;
944 case USE_BEET_MODE:
945 if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
946 { /* handle private use notify only if we know its meaning */
947 this->mode = MODE_BEET;
948 }
949 else
950 {
951 DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
952 "mode, but peer implementation unknown, skipped");
953 }
954 break;
955 case IPCOMP_SUPPORTED:
956 {
957 ipcomp_transform_t ipcomp;
958 uint16_t cpi;
959 chunk_t data;
960
961 data = notify->get_notification_data(notify);
962 cpi = *(uint16_t*)data.ptr;
963 ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
964 switch (ipcomp)
965 {
966 case IPCOMP_DEFLATE:
967 this->other_cpi = cpi;
968 this->ipcomp_received = ipcomp;
969 break;
970 case IPCOMP_LZS:
971 case IPCOMP_LZJH:
972 default:
973 DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
974 "transform ID we don't support %N",
975 ipcomp_transform_names, ipcomp);
976 break;
977 }
978 break;
979 }
980 case ESP_TFC_PADDING_NOT_SUPPORTED:
981 DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
982 notify_type_names, notify->get_notify_type(notify));
983 this->tfcv3 = FALSE;
984 break;
985 default:
986 break;
987 }
988 }
989
990 /**
991 * Read payloads from message
992 */
993 static void process_payloads(private_child_create_t *this, message_t *message)
994 {
995 enumerator_t *enumerator;
996 payload_t *payload;
997 sa_payload_t *sa_payload;
998 ke_payload_t *ke_payload;
999 ts_payload_t *ts_payload;
1000
1001 /* defaults to TUNNEL mode */
1002 this->mode = MODE_TUNNEL;
1003
1004 enumerator = message->create_payload_enumerator(message);
1005 while (enumerator->enumerate(enumerator, &payload))
1006 {
1007 switch (payload->get_type(payload))
1008 {
1009 case PLV2_SECURITY_ASSOCIATION:
1010 sa_payload = (sa_payload_t*)payload;
1011 this->proposals = sa_payload->get_proposals(sa_payload);
1012 break;
1013 case PLV2_KEY_EXCHANGE:
1014 ke_payload = (ke_payload_t*)payload;
1015 if (!this->initiator)
1016 {
1017 this->dh_group = ke_payload->get_dh_group_number(ke_payload);
1018 this->dh = this->keymat->keymat.create_dh(
1019 &this->keymat->keymat, this->dh_group);
1020 }
1021 else if (this->dh)
1022 {
1023 this->dh_failed = this->dh->get_dh_group(this->dh) !=
1024 ke_payload->get_dh_group_number(ke_payload);
1025 }
1026 if (this->dh && !this->dh_failed)
1027 {
1028 this->dh_failed = !this->dh->set_other_public_value(this->dh,
1029 ke_payload->get_key_exchange_data(ke_payload));
1030 }
1031 break;
1032 case PLV2_TS_INITIATOR:
1033 ts_payload = (ts_payload_t*)payload;
1034 this->tsi = ts_payload->get_traffic_selectors(ts_payload);
1035 break;
1036 case PLV2_TS_RESPONDER:
1037 ts_payload = (ts_payload_t*)payload;
1038 this->tsr = ts_payload->get_traffic_selectors(ts_payload);
1039 break;
1040 case PLV2_NOTIFY:
1041 handle_notify(this, (notify_payload_t*)payload);
1042 break;
1043 default:
1044 break;
1045 }
1046 }
1047 enumerator->destroy(enumerator);
1048 }
1049
1050 /**
1051 * Check if we should defer the creation of this CHILD_SA until after the
1052 * IKE_SA has been established childless.
1053 */
1054 static status_t defer_child_sa(private_child_create_t *this)
1055 {
1056 ike_cfg_t *ike_cfg;
1057
1058 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
1059
1060 if (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_CHILDLESS))
1061 {
1062 if (ike_cfg->childless(ike_cfg) == CHILDLESS_FORCE)
1063 {
1064 return NEED_MORE;
1065 }
1066 }
1067 else if (ike_cfg->childless(ike_cfg) == CHILDLESS_FORCE)
1068 {
1069 DBG1(DBG_IKE, "peer does not support childless IKE_SA initiation");
1070 return DESTROY_ME;
1071 }
1072 return NOT_SUPPORTED;
1073 }
1074
1075 METHOD(task_t, build_i, status_t,
1076 private_child_create_t *this, message_t *message)
1077 {
1078 enumerator_t *enumerator;
1079 host_t *vip;
1080 peer_cfg_t *peer_cfg;
1081 linked_list_t *list;
1082
1083 switch (message->get_exchange_type(message))
1084 {
1085 case IKE_SA_INIT:
1086 return get_nonce(message, &this->my_nonce);
1087 case CREATE_CHILD_SA:
1088 if (!generate_nonce(this))
1089 {
1090 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
1091 chunk_empty);
1092 return SUCCESS;
1093 }
1094 if (!this->retry && this->dh_group == MODP_NONE)
1095 { /* during a rekeying the group might already be set */
1096 this->dh_group = this->config->get_dh_group(this->config);
1097 }
1098 break;
1099 case IKE_AUTH:
1100 if (message->get_message_id(message) != 1)
1101 {
1102 /* send only in the first request, not in subsequent rounds */
1103 return NEED_MORE;
1104 }
1105 switch (defer_child_sa(this))
1106 {
1107 case DESTROY_ME:
1108 /* config mismatch */
1109 return DESTROY_ME;
1110 case NEED_MORE:
1111 /* defer until after IKE_SA has been established */
1112 chunk_free(&this->my_nonce);
1113 return NEED_MORE;
1114 default:
1115 /* just continue to establish the CHILD_SA */
1116 break;
1117 }
1118 break;
1119 default:
1120 break;
1121 }
1122
1123 /* check if we want a virtual IP, but don't have one */
1124 list = linked_list_create();
1125 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1126 if (!this->rekey)
1127 {
1128 enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
1129 while (enumerator->enumerate(enumerator, &vip))
1130 {
1131 /* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
1132 vip = host_create_any(vip->get_family(vip));
1133 list->insert_last(list, vip);
1134 }
1135 enumerator->destroy(enumerator);
1136 }
1137 if (list->get_count(list))
1138 {
1139 this->tsi = this->config->get_traffic_selectors(this->config,
1140 TRUE, NULL, list, TRUE);
1141 list->destroy_offset(list, offsetof(host_t, destroy));
1142 }
1143 else
1144 { /* no virtual IPs configured */
1145 list->destroy(list);
1146 list = get_dynamic_hosts(this->ike_sa, TRUE);
1147 this->tsi = this->config->get_traffic_selectors(this->config,
1148 TRUE, NULL, list, TRUE);
1149 list->destroy(list);
1150 }
1151 list = get_dynamic_hosts(this->ike_sa, FALSE);
1152 this->tsr = this->config->get_traffic_selectors(this->config,
1153 FALSE, NULL, list, TRUE);
1154 list->destroy(list);
1155
1156 if (this->packet_tsi)
1157 {
1158 this->tsi->insert_first(this->tsi,
1159 this->packet_tsi->clone(this->packet_tsi));
1160 }
1161 if (this->packet_tsr)
1162 {
1163 this->tsr->insert_first(this->tsr,
1164 this->packet_tsr->clone(this->packet_tsr));
1165 }
1166 this->proposals = this->config->get_proposals(this->config,
1167 this->dh_group == MODP_NONE);
1168 this->mode = this->config->get_mode(this->config);
1169
1170 this->child.if_id_in_def = this->ike_sa->get_if_id(this->ike_sa, TRUE);
1171 this->child.if_id_out_def = this->ike_sa->get_if_id(this->ike_sa, FALSE);
1172 this->child.encap = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
1173 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
1174 this->ike_sa->get_other_host(this->ike_sa),
1175 this->config, &this->child);
1176
1177 if (this->child.reqid)
1178 {
1179 DBG0(DBG_IKE, "establishing CHILD_SA %s{%d} reqid %d",
1180 this->child_sa->get_name(this->child_sa),
1181 this->child_sa->get_unique_id(this->child_sa), this->child.reqid);
1182 }
1183 else
1184 {
1185 DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
1186 this->child_sa->get_name(this->child_sa),
1187 this->child_sa->get_unique_id(this->child_sa));
1188 }
1189
1190 if (!allocate_spi(this))
1191 {
1192 DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
1193 return FAILED;
1194 }
1195
1196 if (!update_and_check_proposals(this))
1197 {
1198 DBG1(DBG_IKE, "requested DH group %N not contained in any of our "
1199 "proposals",
1200 diffie_hellman_group_names, this->dh_group);
1201 return FAILED;
1202 }
1203
1204 if (this->dh_group != MODP_NONE)
1205 {
1206 this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
1207 this->dh_group);
1208 }
1209
1210 if (this->config->has_option(this->config, OPT_IPCOMP))
1211 {
1212 /* IPCOMP_DEFLATE is the only transform we support at the moment */
1213 add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
1214 }
1215
1216 if (message->get_exchange_type(message) == IKE_AUTH)
1217 {
1218 charon->bus->narrow(charon->bus, this->child_sa,
1219 NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr);
1220 }
1221 else
1222 {
1223 charon->bus->narrow(charon->bus, this->child_sa,
1224 NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
1225 }
1226
1227 if (!build_payloads(this, message))
1228 {
1229 return FAILED;
1230 }
1231
1232 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1233 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1234 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1235 this->tsi = NULL;
1236 this->tsr = NULL;
1237 this->proposals = NULL;
1238
1239 return NEED_MORE;
1240 }
1241
1242 METHOD(task_t, process_r, status_t,
1243 private_child_create_t *this, message_t *message)
1244 {
1245 switch (message->get_exchange_type(message))
1246 {
1247 case IKE_SA_INIT:
1248 return get_nonce(message, &this->other_nonce);
1249 case CREATE_CHILD_SA:
1250 get_nonce(message, &this->other_nonce);
1251 break;
1252 case IKE_AUTH:
1253 if (message->get_message_id(message) != 1)
1254 {
1255 /* only handle first AUTH payload, not additional rounds */
1256 return NEED_MORE;
1257 }
1258 default:
1259 break;
1260 }
1261
1262 process_payloads(this, message);
1263
1264 return NEED_MORE;
1265 }
1266
1267 /**
1268 * handle CHILD_SA setup failure
1269 */
1270 static void handle_child_sa_failure(private_child_create_t *this,
1271 message_t *message)
1272 {
1273 bool is_first;
1274
1275 is_first = message->get_exchange_type(message) == IKE_AUTH;
1276 if (is_first &&
1277 lib->settings->get_bool(lib->settings,
1278 "%s.close_ike_on_child_failure", FALSE, lib->ns))
1279 {
1280 /* we delay the delete for 100ms, as the IKE_AUTH response must arrive
1281 * first */
1282 DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
1283 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
1284 delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
1285 100);
1286 }
1287 else
1288 {
1289 DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA");
1290 charon->bus->alert(charon->bus, ALERT_KEEP_ON_CHILD_SA_FAILURE,
1291 is_first);
1292 }
1293 }
1294
1295 /**
1296 * Substitute transport mode NAT selectors, if applicable
1297 */
1298 static linked_list_t* get_ts_if_nat_transport(private_child_create_t *this,
1299 bool local, linked_list_t *in)
1300 {
1301 linked_list_t *out = NULL;
1302 ike_condition_t cond;
1303
1304 if (this->mode == MODE_TRANSPORT)
1305 {
1306 cond = local ? COND_NAT_HERE : COND_NAT_THERE;
1307 if (this->ike_sa->has_condition(this->ike_sa, cond))
1308 {
1309 out = get_transport_nat_ts(this, local, in);
1310 if (out->get_count(out) == 0)
1311 {
1312 out->destroy(out);
1313 out = NULL;
1314 }
1315 }
1316 }
1317 return out;
1318 }
1319
1320 /**
1321 * Select a matching CHILD config as responder
1322 */
1323 static child_cfg_t* select_child_cfg(private_child_create_t *this)
1324 {
1325 peer_cfg_t *peer_cfg;
1326 child_cfg_t *child_cfg = NULL;;
1327
1328 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1329 if (peer_cfg && this->tsi && this->tsr)
1330 {
1331 linked_list_t *listr, *listi, *tsr, *tsi;
1332
1333 tsr = get_ts_if_nat_transport(this, TRUE, this->tsr);
1334 tsi = get_ts_if_nat_transport(this, FALSE, this->tsi);
1335
1336 listr = get_dynamic_hosts(this->ike_sa, TRUE);
1337 listi = get_dynamic_hosts(this->ike_sa, FALSE);
1338 child_cfg = peer_cfg->select_child_cfg(peer_cfg,
1339 tsr ?: this->tsr, tsi ?: this->tsi,
1340 listr, listi);
1341 if ((tsi || tsr) && child_cfg &&
1342 child_cfg->get_mode(child_cfg) != MODE_TRANSPORT)
1343 {
1344 /* found a CHILD config, but it doesn't use transport mode */
1345 child_cfg->destroy(child_cfg);
1346 child_cfg = NULL;
1347 }
1348 if (!child_cfg && (tsi || tsr))
1349 {
1350 /* no match for the substituted NAT selectors, try it without */
1351 child_cfg = peer_cfg->select_child_cfg(peer_cfg,
1352 this->tsr, this->tsi, listr, listi);
1353 }
1354 listr->destroy(listr);
1355 listi->destroy(listi);
1356 DESTROY_OFFSET_IF(tsi, offsetof(traffic_selector_t, destroy));
1357 DESTROY_OFFSET_IF(tsr, offsetof(traffic_selector_t, destroy));
1358 }
1359
1360 return child_cfg;
1361 }
1362
1363 /**
1364 * Check how to handle a possibly childless IKE_SA
1365 */
1366 static status_t handle_childless(private_child_create_t *this)
1367 {
1368 ike_cfg_t *ike_cfg;
1369
1370 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
1371
1372 if (!this->proposals && !this->tsi && !this->tsr)
1373 {
1374 /* looks like a childless IKE_SA, check if we allow it */
1375 if (ike_cfg->childless(ike_cfg) == CHILDLESS_NEVER)
1376 {
1377 /* we don't allow childless initiation */
1378 DBG1(DBG_IKE, "peer tried to initiate a childless IKE_SA");
1379 return INVALID_STATE;
1380 }
1381 return SUCCESS;
1382 }
1383
1384 /* the peer apparently wants to create a regular IKE_SA */
1385 if (ike_cfg->childless(ike_cfg) == CHILDLESS_FORCE)
1386 {
1387 /* reject it if we only allow childless initiation */
1388 DBG1(DBG_IKE, "peer did not initiate a childless IKE_SA");
1389 return INVALID_STATE;
1390 }
1391 return NOT_SUPPORTED;
1392 }
1393
1394 METHOD(task_t, build_r, status_t,
1395 private_child_create_t *this, message_t *message)
1396 {
1397 payload_t *payload;
1398 enumerator_t *enumerator;
1399 bool no_dh = TRUE, ike_auth = FALSE;
1400
1401 switch (message->get_exchange_type(message))
1402 {
1403 case IKE_SA_INIT:
1404 return get_nonce(message, &this->my_nonce);
1405 case CREATE_CHILD_SA:
1406 if (!generate_nonce(this))
1407 {
1408 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
1409 chunk_empty);
1410 return SUCCESS;
1411 }
1412 if (this->dh_failed)
1413 {
1414 DBG1(DBG_IKE, "applying DH public value failed");
1415 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
1416 chunk_empty);
1417 return SUCCESS;
1418 }
1419 no_dh = FALSE;
1420 break;
1421 case IKE_AUTH:
1422 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1423 { /* wait until all authentication round completed */
1424 return NEED_MORE;
1425 }
1426 if (this->ike_sa->has_condition(this->ike_sa, COND_REDIRECTED))
1427 { /* no CHILD_SA is created for redirected SAs */
1428 return SUCCESS;
1429 }
1430 switch (handle_childless(this))
1431 {
1432 case SUCCESS:
1433 /* no CHILD_SA built */
1434 return SUCCESS;
1435 case INVALID_STATE:
1436 message->add_notify(message, FALSE, INVALID_SYNTAX,
1437 chunk_empty);
1438 return FAILED;
1439 default:
1440 /* continue with regular initiation */
1441 break;
1442 }
1443 ike_auth = TRUE;
1444 default:
1445 break;
1446 }
1447
1448 if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
1449 {
1450 DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
1451 message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty);
1452 return SUCCESS;
1453 }
1454 if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
1455 {
1456 DBG1(DBG_IKE, "unable to create CHILD_SA while deleting IKE_SA");
1457 message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty);
1458 return SUCCESS;
1459 }
1460
1461 if (this->config == NULL)
1462 {
1463 this->config = select_child_cfg(this);
1464 }
1465 if (this->config == NULL)
1466 {
1467 DBG1(DBG_IKE, "traffic selectors %#R === %#R unacceptable",
1468 this->tsr, this->tsi);
1469 charon->bus->alert(charon->bus, ALERT_TS_MISMATCH, this->tsi, this->tsr);
1470 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
1471 handle_child_sa_failure(this, message);
1472 return SUCCESS;
1473 }
1474
1475 /* check if ike_config_t included non-critical error notifies */
1476 enumerator = message->create_payload_enumerator(message);
1477 while (enumerator->enumerate(enumerator, &payload))
1478 {
1479 if (payload->get_type(payload) == PLV2_NOTIFY)
1480 {
1481 notify_payload_t *notify = (notify_payload_t*)payload;
1482
1483 switch (notify->get_notify_type(notify))
1484 {
1485 case INTERNAL_ADDRESS_FAILURE:
1486 case FAILED_CP_REQUIRED:
1487 {
1488 DBG1(DBG_IKE,"configuration payload negotiation "
1489 "failed, no CHILD_SA built");
1490 enumerator->destroy(enumerator);
1491 handle_child_sa_failure(this, message);
1492 return SUCCESS;
1493 }
1494 default:
1495 break;
1496 }
1497 }
1498 }
1499 enumerator->destroy(enumerator);
1500
1501 this->child.if_id_in_def = this->ike_sa->get_if_id(this->ike_sa, TRUE);
1502 this->child.if_id_out_def = this->ike_sa->get_if_id(this->ike_sa, FALSE);
1503 this->child.encap = this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY);
1504 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
1505 this->ike_sa->get_other_host(this->ike_sa),
1506 this->config, &this->child);
1507
1508 if (this->ipcomp_received != IPCOMP_NONE)
1509 {
1510 if (this->config->has_option(this->config, OPT_IPCOMP))
1511 {
1512 add_ipcomp_notify(this, message, this->ipcomp_received);
1513 }
1514 else
1515 {
1516 DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
1517 notify_type_names, IPCOMP_SUPPORTED);
1518 }
1519 }
1520
1521 switch (select_and_install(this, no_dh, ike_auth))
1522 {
1523 case SUCCESS:
1524 break;
1525 case NOT_FOUND:
1526 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
1527 handle_child_sa_failure(this, message);
1528 return SUCCESS;
1529 case INVALID_ARG:
1530 {
1531 uint16_t group = htons(this->dh_group);
1532 message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
1533 chunk_from_thing(group));
1534 return SUCCESS;
1535 }
1536 case FAILED:
1537 default:
1538 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
1539 handle_child_sa_failure(this, message);
1540 return SUCCESS;
1541 }
1542
1543 if (!build_payloads(this, message))
1544 {
1545 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
1546 handle_child_sa_failure(this, message);
1547 return SUCCESS;
1548 }
1549
1550 if (!this->rekey)
1551 { /* invoke the child_up() hook if we are not rekeying */
1552 charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
1553 }
1554 return SUCCESS;
1555 }
1556
1557 /**
1558 * Raise alerts for received notify errors
1559 */
1560 static void raise_alerts(private_child_create_t *this, notify_type_t type)
1561 {
1562 linked_list_t *list;
1563
1564 switch (type)
1565 {
1566 case NO_PROPOSAL_CHOSEN:
1567 list = this->config->get_proposals(this->config, FALSE);
1568 charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD, list);
1569 list->destroy_offset(list, offsetof(proposal_t, destroy));
1570 break;
1571 default:
1572 break;
1573 }
1574 }
1575
1576 METHOD(task_t, build_i_delete, status_t,
1577 private_child_create_t *this, message_t *message)
1578 {
1579 message->set_exchange_type(message, INFORMATIONAL);
1580 if (this->my_spi && this->proto)
1581 {
1582 delete_payload_t *del;
1583
1584 del = delete_payload_create(PLV2_DELETE, this->proto);
1585 del->add_spi(del, this->my_spi);
1586 message->add_payload(message, (payload_t*)del);
1587
1588 DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
1589 protocol_id_names, this->proto, ntohl(this->my_spi));
1590 }
1591 return NEED_MORE;
1592 }
1593
1594 /**
1595 * Change task to delete the failed CHILD_SA as initiator
1596 */
1597 static status_t delete_failed_sa(private_child_create_t *this)
1598 {
1599 if (this->my_spi && this->proto)
1600 {
1601 this->public.task.build = _build_i_delete;
1602 this->public.task.process = (void*)return_success;
1603 return NEED_MORE;
1604 }
1605 return SUCCESS;
1606 }
1607
1608 METHOD(task_t, process_i, status_t,
1609 private_child_create_t *this, message_t *message)
1610 {
1611 enumerator_t *enumerator;
1612 payload_t *payload;
1613 bool no_dh = TRUE, ike_auth = FALSE;
1614
1615 switch (message->get_exchange_type(message))
1616 {
1617 case IKE_SA_INIT:
1618 return get_nonce(message, &this->other_nonce);
1619 case CREATE_CHILD_SA:
1620 get_nonce(message, &this->other_nonce);
1621 no_dh = FALSE;
1622 break;
1623 case IKE_AUTH:
1624 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1625 { /* wait until all authentication round completed */
1626 return NEED_MORE;
1627 }
1628 if (defer_child_sa(this) == NEED_MORE)
1629 { /* defer until after IKE_SA has been established */
1630 chunk_free(&this->other_nonce);
1631 return NEED_MORE;
1632 }
1633 ike_auth = TRUE;
1634 default:
1635 break;
1636 }
1637
1638 /* check for erroneous notifies */
1639 enumerator = message->create_payload_enumerator(message);
1640 while (enumerator->enumerate(enumerator, &payload))
1641 {
1642 if (payload->get_type(payload) == PLV2_NOTIFY)
1643 {
1644 notify_payload_t *notify = (notify_payload_t*)payload;
1645 notify_type_t type = notify->get_notify_type(notify);
1646
1647 switch (type)
1648 {
1649 /* handle notify errors related to CHILD_SA only */
1650 case NO_PROPOSAL_CHOSEN:
1651 case SINGLE_PAIR_REQUIRED:
1652 case NO_ADDITIONAL_SAS:
1653 case INTERNAL_ADDRESS_FAILURE:
1654 case FAILED_CP_REQUIRED:
1655 case TS_UNACCEPTABLE:
1656 case INVALID_SELECTORS:
1657 {
1658 DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
1659 notify_type_names, type);
1660 enumerator->destroy(enumerator);
1661 raise_alerts(this, type);
1662 handle_child_sa_failure(this, message);
1663 /* an error in CHILD_SA creation is not critical */
1664 return SUCCESS;
1665 }
1666 case TEMPORARY_FAILURE:
1667 {
1668 DBG1(DBG_IKE, "received %N notify, will retry later",
1669 notify_type_names, type);
1670 enumerator->destroy(enumerator);
1671 if (!this->rekey)
1672 { /* the rekey task will retry itself if necessary */
1673 schedule_delayed_retry(this);
1674 }
1675 return SUCCESS;
1676 }
1677 case INVALID_KE_PAYLOAD:
1678 {
1679 chunk_t data;
1680 uint16_t group = MODP_NONE;
1681
1682 data = notify->get_notification_data(notify);
1683 if (data.len == sizeof(group))
1684 {
1685 memcpy(&group, data.ptr, data.len);
1686 group = ntohs(group);
1687 }
1688 if (this->retry)
1689 {
1690 DBG1(DBG_IKE, "already retried with DH group %N, "
1691 "ignore requested %N", diffie_hellman_group_names,
1692 this->dh_group, diffie_hellman_group_names, group);
1693 handle_child_sa_failure(this, message);
1694 /* an error in CHILD_SA creation is not critical */
1695 return SUCCESS;
1696 }
1697 DBG1(DBG_IKE, "peer didn't accept DH group %N, "
1698 "it requested %N", diffie_hellman_group_names,
1699 this->dh_group, diffie_hellman_group_names, group);
1700 this->retry = TRUE;
1701 this->dh_group = group;
1702 this->child_sa->set_state(this->child_sa, CHILD_RETRYING);
1703 this->public.task.migrate(&this->public.task, this->ike_sa);
1704 enumerator->destroy(enumerator);
1705 return NEED_MORE;
1706 }
1707 default:
1708 {
1709 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
1710 { /* handle notifies if not handled in IKE_AUTH */
1711 if (type <= 16383)
1712 {
1713 DBG1(DBG_IKE, "received %N notify error",
1714 notify_type_names, type);
1715 enumerator->destroy(enumerator);
1716 return SUCCESS;
1717 }
1718 DBG2(DBG_IKE, "received %N notify",
1719 notify_type_names, type);
1720 }
1721 break;
1722 }
1723 }
1724 }
1725 }
1726 enumerator->destroy(enumerator);
1727
1728 process_payloads(this, message);
1729
1730 if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
1731 {
1732 DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
1733 " one, no CHILD_SA built");
1734 handle_child_sa_failure(this, message);
1735 return delete_failed_sa(this);
1736 }
1737 else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
1738 {
1739 DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
1740 "IPComp is disabled");
1741 this->ipcomp = IPCOMP_NONE;
1742 }
1743 else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
1744 {
1745 DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
1746 "no CHILD_SA built");
1747 handle_child_sa_failure(this, message);
1748 return delete_failed_sa(this);
1749 }
1750
1751 if (this->dh_failed)
1752 {
1753 DBG1(DBG_IKE, "applying DH public value failed");
1754 handle_child_sa_failure(this, message);
1755 return delete_failed_sa(this);
1756 }
1757
1758 if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
1759 {
1760 if (!this->rekey)
1761 { /* invoke the child_up() hook if we are not rekeying */
1762 charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
1763 }
1764 }
1765 else
1766 {
1767 handle_child_sa_failure(this, message);
1768 return delete_failed_sa(this);
1769 }
1770 return SUCCESS;
1771 }
1772
1773 METHOD(child_create_t, use_reqid, void,
1774 private_child_create_t *this, uint32_t reqid)
1775 {
1776 this->child.reqid = reqid;
1777 }
1778
1779 METHOD(child_create_t, use_marks, void,
1780 private_child_create_t *this, uint32_t in, uint32_t out)
1781 {
1782 this->child.mark_in = in;
1783 this->child.mark_out = out;
1784 }
1785
1786 METHOD(child_create_t, use_if_ids, void,
1787 private_child_create_t *this, uint32_t in, uint32_t out)
1788 {
1789 this->child.if_id_in = in;
1790 this->child.if_id_out = out;
1791 }
1792
1793 METHOD(child_create_t, use_dh_group, void,
1794 private_child_create_t *this, diffie_hellman_group_t dh_group)
1795 {
1796 this->dh_group = dh_group;
1797 }
1798
1799 METHOD(child_create_t, get_child, child_sa_t*,
1800 private_child_create_t *this)
1801 {
1802 return this->child_sa;
1803 }
1804
1805 METHOD(child_create_t, set_config, void,
1806 private_child_create_t *this, child_cfg_t *cfg)
1807 {
1808 DESTROY_IF(this->config);
1809 this->config = cfg;
1810 }
1811
1812 METHOD(child_create_t, get_lower_nonce, chunk_t,
1813 private_child_create_t *this)
1814 {
1815 if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
1816 min(this->my_nonce.len, this->other_nonce.len)) < 0)
1817 {
1818 return this->my_nonce;
1819 }
1820 else
1821 {
1822 return this->other_nonce;
1823 }
1824 }
1825
1826 METHOD(task_t, get_type, task_type_t,
1827 private_child_create_t *this)
1828 {
1829 return TASK_CHILD_CREATE;
1830 }
1831
1832 METHOD(task_t, migrate, void,
1833 private_child_create_t *this, ike_sa_t *ike_sa)
1834 {
1835 chunk_free(&this->my_nonce);
1836 chunk_free(&this->other_nonce);
1837 if (this->tsr)
1838 {
1839 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1840 }
1841 if (this->tsi)
1842 {
1843 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1844 }
1845 DESTROY_IF(this->child_sa);
1846 DESTROY_IF(this->proposal);
1847 DESTROY_IF(this->nonceg);
1848 DESTROY_IF(this->dh);
1849 this->dh_failed = FALSE;
1850 if (this->proposals)
1851 {
1852 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1853 }
1854
1855 this->ike_sa = ike_sa;
1856 this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
1857 this->proposal = NULL;
1858 this->proposals = NULL;
1859 this->tsi = NULL;
1860 this->tsr = NULL;
1861 this->dh = NULL;
1862 this->nonceg = NULL;
1863 this->child_sa = NULL;
1864 this->mode = MODE_TUNNEL;
1865 this->ipcomp = IPCOMP_NONE;
1866 this->ipcomp_received = IPCOMP_NONE;
1867 this->other_cpi = 0;
1868 this->established = FALSE;
1869 this->child = (child_sa_create_t){};
1870 }
1871
1872 METHOD(task_t, destroy, void,
1873 private_child_create_t *this)
1874 {
1875 chunk_free(&this->my_nonce);
1876 chunk_free(&this->other_nonce);
1877 if (this->tsr)
1878 {
1879 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1880 }
1881 if (this->tsi)
1882 {
1883 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1884 }
1885 if (!this->established)
1886 {
1887 DESTROY_IF(this->child_sa);
1888 }
1889 DESTROY_IF(this->packet_tsi);
1890 DESTROY_IF(this->packet_tsr);
1891 DESTROY_IF(this->proposal);
1892 DESTROY_IF(this->dh);
1893 if (this->proposals)
1894 {
1895 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1896 }
1897 DESTROY_IF(this->config);
1898 DESTROY_IF(this->nonceg);
1899 free(this);
1900 }
1901
1902 /*
1903 * Described in header.
1904 */
1905 child_create_t *child_create_create(ike_sa_t *ike_sa,
1906 child_cfg_t *config, bool rekey,
1907 traffic_selector_t *tsi, traffic_selector_t *tsr)
1908 {
1909 private_child_create_t *this;
1910
1911 INIT(this,
1912 .public = {
1913 .get_child = _get_child,
1914 .set_config = _set_config,
1915 .get_lower_nonce = _get_lower_nonce,
1916 .use_reqid = _use_reqid,
1917 .use_marks = _use_marks,
1918 .use_if_ids = _use_if_ids,
1919 .use_dh_group = _use_dh_group,
1920 .task = {
1921 .get_type = _get_type,
1922 .migrate = _migrate,
1923 .destroy = _destroy,
1924 },
1925 },
1926 .ike_sa = ike_sa,
1927 .config = config,
1928 .packet_tsi = tsi ? tsi->clone(tsi) : NULL,
1929 .packet_tsr = tsr ? tsr->clone(tsr) : NULL,
1930 .dh_group = MODP_NONE,
1931 .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
1932 .mode = MODE_TUNNEL,
1933 .tfcv3 = TRUE,
1934 .ipcomp = IPCOMP_NONE,
1935 .ipcomp_received = IPCOMP_NONE,
1936 .rekey = rekey,
1937 .retry = FALSE,
1938 );
1939
1940 if (config)
1941 {
1942 this->public.task.build = _build_i;
1943 this->public.task.process = _process_i;
1944 this->initiator = TRUE;
1945 }
1946 else
1947 {
1948 this->public.task.build = _build_r;
1949 this->public.task.process = _process_r;
1950 this->initiator = FALSE;
1951 }
1952 return &this->public;
1953 }
strongSwan - IPsec VPN