As responder, enforce the same configuration while rekeying CHILD_SAs
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / child_create.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "child_create.h"
19
20 #include <daemon.h>
21 #include <sa/ikev2/keymat_v2.h>
22 #include <crypto/diffie_hellman.h>
23 #include <credentials/certificates/x509.h>
24 #include <encoding/payloads/sa_payload.h>
25 #include <encoding/payloads/ke_payload.h>
26 #include <encoding/payloads/ts_payload.h>
27 #include <encoding/payloads/nonce_payload.h>
28 #include <encoding/payloads/notify_payload.h>
29 #include <processing/jobs/delete_ike_sa_job.h>
30 #include <processing/jobs/inactivity_job.h>
31
32
33 typedef struct private_child_create_t private_child_create_t;
34
35 /**
36 * Private members of a child_create_t task.
37 */
38 struct private_child_create_t {
39
40 /**
41 * Public methods and task_t interface.
42 */
43 child_create_t public;
44
45 /**
46 * Assigned IKE_SA.
47 */
48 ike_sa_t *ike_sa;
49
50 /**
51 * Are we the initiator?
52 */
53 bool initiator;
54
55 /**
56 * nonce chosen by us
57 */
58 chunk_t my_nonce;
59
60 /**
61 * nonce chosen by peer
62 */
63 chunk_t other_nonce;
64
65 /**
66 * config to create the CHILD_SA from
67 */
68 child_cfg_t *config;
69
70 /**
71 * list of proposal candidates
72 */
73 linked_list_t *proposals;
74
75 /**
76 * selected proposal to use for CHILD_SA
77 */
78 proposal_t *proposal;
79
80 /**
81 * traffic selectors for initiators side
82 */
83 linked_list_t *tsi;
84
85 /**
86 * traffic selectors for responders side
87 */
88 linked_list_t *tsr;
89
90 /**
91 * source of triggering packet
92 */
93 traffic_selector_t *packet_tsi;
94
95 /**
96 * destination of triggering packet
97 */
98 traffic_selector_t *packet_tsr;
99
100 /**
101 * optional diffie hellman exchange
102 */
103 diffie_hellman_t *dh;
104
105 /**
106 * group used for DH exchange
107 */
108 diffie_hellman_group_t dh_group;
109
110 /**
111 * IKE_SAs keymat
112 */
113 keymat_v2_t *keymat;
114
115 /**
116 * mode the new CHILD_SA uses (transport/tunnel/beet)
117 */
118 ipsec_mode_t mode;
119
120 /**
121 * peer accepts TFC padding for this SA
122 */
123 bool tfcv3;
124
125 /**
126 * IPComp transform to use
127 */
128 ipcomp_transform_t ipcomp;
129
130 /**
131 * IPComp transform proposed or accepted by the other peer
132 */
133 ipcomp_transform_t ipcomp_received;
134
135 /**
136 * Own allocated SPI
137 */
138 u_int32_t my_spi;
139
140 /**
141 * SPI received in proposal
142 */
143 u_int32_t other_spi;
144
145 /**
146 * Own allocated Compression Parameter Index (CPI)
147 */
148 u_int16_t my_cpi;
149
150 /**
151 * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
152 */
153 u_int16_t other_cpi;
154
155 /**
156 * reqid to use if we are rekeying
157 */
158 u_int32_t reqid;
159
160 /**
161 * CHILD_SA which gets established
162 */
163 child_sa_t *child_sa;
164
165 /**
166 * successfully established the CHILD?
167 */
168 bool established;
169
170 /**
171 * whether the CHILD_SA rekeys an existing one
172 */
173 bool rekey;
174 };
175
176 /**
177 * get the nonce from a message
178 */
179 static status_t get_nonce(message_t *message, chunk_t *nonce)
180 {
181 nonce_payload_t *payload;
182
183 payload = (nonce_payload_t*)message->get_payload(message, NONCE);
184 if (payload == NULL)
185 {
186 return FAILED;
187 }
188 *nonce = payload->get_nonce(payload);
189 return NEED_MORE;
190 }
191
192 /**
193 * generate a new nonce to include in a CREATE_CHILD_SA message
194 */
195 static status_t generate_nonce(private_child_create_t *this)
196 {
197 nonce_gen_t *nonceg;
198
199 nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
200 if (!nonceg)
201 {
202 DBG1(DBG_IKE, "no nonce generator found to create nonce");
203 return FAILED;
204 }
205 nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce);
206 nonceg->destroy(nonceg);
207 return SUCCESS;
208 }
209
210 /**
211 * Check a list of traffic selectors if any selector belongs to host
212 */
213 static bool ts_list_is_host(linked_list_t *list, host_t *host)
214 {
215 traffic_selector_t *ts;
216 bool is_host = TRUE;
217 enumerator_t *enumerator = list->create_enumerator(list);
218
219 while (is_host && enumerator->enumerate(enumerator, (void**)&ts))
220 {
221 is_host = is_host && ts->is_host(ts, host);
222 }
223 enumerator->destroy(enumerator);
224 return is_host;
225 }
226
227 /**
228 * Allocate SPIs and update proposals
229 */
230 static bool allocate_spi(private_child_create_t *this)
231 {
232 enumerator_t *enumerator;
233 proposal_t *proposal;
234
235 /* TODO: allocate additional SPI for AH if we have such proposals */
236 this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
237 if (this->my_spi)
238 {
239 if (this->initiator)
240 {
241 enumerator = this->proposals->create_enumerator(this->proposals);
242 while (enumerator->enumerate(enumerator, &proposal))
243 {
244 proposal->set_spi(proposal, this->my_spi);
245 }
246 enumerator->destroy(enumerator);
247 }
248 else
249 {
250 this->proposal->set_spi(this->proposal, this->my_spi);
251 }
252 return TRUE;
253 }
254 return FALSE;
255 }
256
257 /**
258 * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
259 */
260 static void schedule_inactivity_timeout(private_child_create_t *this)
261 {
262 u_int32_t timeout;
263 bool close_ike;
264
265 timeout = this->config->get_inactivity(this->config);
266 if (timeout)
267 {
268 close_ike = lib->settings->get_bool(lib->settings,
269 "%s.inactivity_close_ike", FALSE, charon->name);
270 lib->scheduler->schedule_job(lib->scheduler, (job_t*)
271 inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
272 timeout, close_ike), timeout);
273 }
274 }
275
276 /**
277 * Install a CHILD_SA for usage, return value:
278 * - FAILED: no acceptable proposal
279 * - INVALID_ARG: diffie hellman group inacceptable
280 * - NOT_FOUND: TS inacceptable
281 */
282 static status_t select_and_install(private_child_create_t *this,
283 bool no_dh, bool ike_auth)
284 {
285 status_t status, status_i, status_o;
286 chunk_t nonce_i, nonce_r;
287 chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
288 chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
289 linked_list_t *my_ts, *other_ts;
290 host_t *me, *other, *other_vip, *my_vip;
291 bool private;
292
293 if (this->proposals == NULL)
294 {
295 DBG1(DBG_IKE, "SA payload missing in message");
296 return FAILED;
297 }
298 if (this->tsi == NULL || this->tsr == NULL)
299 {
300 DBG1(DBG_IKE, "TS payloads missing in message");
301 return NOT_FOUND;
302 }
303
304 me = this->ike_sa->get_my_host(this->ike_sa);
305 other = this->ike_sa->get_other_host(this->ike_sa);
306 my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
307 other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
308
309 private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
310 this->proposal = this->config->select_proposal(this->config,
311 this->proposals, no_dh, private);
312 if (this->proposal == NULL)
313 {
314 DBG1(DBG_IKE, "no acceptable proposal found");
315 return FAILED;
316 }
317 this->other_spi = this->proposal->get_spi(this->proposal);
318
319 if (!this->initiator && !allocate_spi(this))
320 { /* responder has no SPI allocated yet */
321 DBG1(DBG_IKE, "allocating SPI failed");
322 return FAILED;
323 }
324 this->child_sa->set_proposal(this->child_sa, this->proposal);
325
326 if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
327 {
328 u_int16_t group;
329
330 if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
331 &group, NULL))
332 {
333 DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
334 diffie_hellman_group_names, this->dh_group,
335 diffie_hellman_group_names, group);
336 this->dh_group = group;
337 return INVALID_ARG;
338 }
339 /* the selected proposal does not use a DH group */
340 DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
341 DESTROY_IF(this->dh);
342 this->dh = NULL;
343 this->dh_group = MODP_NONE;
344 }
345
346 if (my_vip == NULL)
347 {
348 my_vip = me;
349 }
350 if (other_vip == NULL)
351 {
352 other_vip = other;
353 }
354
355 if (this->initiator)
356 {
357 nonce_i = this->my_nonce;
358 nonce_r = this->other_nonce;
359 my_ts = this->tsi;
360 other_ts = this->tsr;
361 }
362 else
363 {
364 nonce_r = this->my_nonce;
365 nonce_i = this->other_nonce;
366 my_ts = this->tsr;
367 other_ts = this->tsi;
368 }
369 my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
370 my_vip);
371 other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
372 other_vip);
373
374 if (this->initiator)
375 {
376 if (ike_auth)
377 {
378 charon->bus->narrow(charon->bus, this->child_sa,
379 NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts);
380 }
381 else
382 {
383 charon->bus->narrow(charon->bus, this->child_sa,
384 NARROW_INITIATOR_POST_AUTH, my_ts, other_ts);
385 }
386 }
387 else
388 {
389 charon->bus->narrow(charon->bus, this->child_sa,
390 NARROW_RESPONDER, my_ts, other_ts);
391 }
392
393 if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
394 {
395 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
396 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
397 DBG1(DBG_IKE, "no acceptable traffic selectors found");
398 return NOT_FOUND;
399 }
400
401 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
402 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
403 if (this->initiator)
404 {
405 this->tsi = my_ts;
406 this->tsr = other_ts;
407 }
408 else
409 {
410 this->tsr = my_ts;
411 this->tsi = other_ts;
412 }
413
414 if (!this->initiator)
415 {
416 /* check if requested mode is acceptable, downgrade if required */
417 switch (this->mode)
418 {
419 case MODE_TRANSPORT:
420 if (!this->config->use_proxy_mode(this->config) &&
421 (!ts_list_is_host(this->tsi, other) ||
422 !ts_list_is_host(this->tsr, me))
423 )
424 {
425 this->mode = MODE_TUNNEL;
426 DBG1(DBG_IKE, "not using transport mode, not host-to-host");
427 }
428 else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
429 {
430 this->mode = MODE_TUNNEL;
431 DBG1(DBG_IKE, "not using transport mode, connection NATed");
432 }
433 break;
434 case MODE_BEET:
435 if (!ts_list_is_host(this->tsi, NULL) ||
436 !ts_list_is_host(this->tsr, NULL))
437 {
438 this->mode = MODE_TUNNEL;
439 DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
440 }
441 break;
442 default:
443 break;
444 }
445 }
446
447 this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
448 this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
449 this->child_sa->set_mode(this->child_sa, this->mode);
450 this->child_sa->set_protocol(this->child_sa,
451 this->proposal->get_protocol(this->proposal));
452
453 if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
454 {
455 this->my_cpi = this->other_cpi = 0;
456 this->ipcomp = IPCOMP_NONE;
457 }
458 status_i = status_o = FAILED;
459 if (this->keymat->derive_child_keys(this->keymat, this->proposal,
460 this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
461 {
462 if (this->initiator)
463 {
464 status_i = this->child_sa->install(this->child_sa,
465 encr_r, integ_r, this->my_spi, this->my_cpi,
466 TRUE, this->tfcv3, my_ts, other_ts);
467 status_o = this->child_sa->install(this->child_sa,
468 encr_i, integ_i, this->other_spi, this->other_cpi,
469 FALSE, this->tfcv3, my_ts, other_ts);
470 }
471 else
472 {
473 status_i = this->child_sa->install(this->child_sa,
474 encr_i, integ_i, this->my_spi, this->my_cpi,
475 TRUE, this->tfcv3, my_ts, other_ts);
476 status_o = this->child_sa->install(this->child_sa,
477 encr_r, integ_r, this->other_spi, this->other_cpi,
478 FALSE, this->tfcv3, my_ts, other_ts);
479 }
480 }
481 chunk_clear(&integ_i);
482 chunk_clear(&integ_r);
483 chunk_clear(&encr_i);
484 chunk_clear(&encr_r);
485
486 if (status_i != SUCCESS || status_o != SUCCESS)
487 {
488 DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
489 (status_i != SUCCESS) ? "inbound " : "",
490 (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
491 (status_o != SUCCESS) ? "outbound " : "");
492 return FAILED;
493 }
494
495 status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
496 if (status != SUCCESS)
497 {
498 DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
499 return NOT_FOUND;
500 }
501
502 charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
503 this->dh, nonce_i, nonce_r);
504
505 /* add to IKE_SA, and remove from task */
506 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
507 this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
508 this->established = TRUE;
509
510 if (!this->rekey)
511 { /* a rekeyed SA uses the same reqid, no need for a new job */
512 schedule_inactivity_timeout(this);
513 }
514 return SUCCESS;
515 }
516
517 /**
518 * build the payloads for the message
519 */
520 static void build_payloads(private_child_create_t *this, message_t *message)
521 {
522 sa_payload_t *sa_payload;
523 nonce_payload_t *nonce_payload;
524 ke_payload_t *ke_payload;
525 ts_payload_t *ts_payload;
526
527 /* add SA payload */
528 if (this->initiator)
529 {
530 sa_payload = sa_payload_create_from_proposals_v2(this->proposals);
531 }
532 else
533 {
534 sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
535 }
536 message->add_payload(message, (payload_t*)sa_payload);
537
538 /* add nonce payload if not in IKE_AUTH */
539 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
540 {
541 nonce_payload = nonce_payload_create(NONCE);
542 nonce_payload->set_nonce(nonce_payload, this->my_nonce);
543 message->add_payload(message, (payload_t*)nonce_payload);
544 }
545
546 /* diffie hellman exchange, if PFS enabled */
547 if (this->dh)
548 {
549 ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE,
550 this->dh);
551 message->add_payload(message, (payload_t*)ke_payload);
552 }
553
554 /* add TSi/TSr payloads */
555 ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
556 message->add_payload(message, (payload_t*)ts_payload);
557 ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
558 message->add_payload(message, (payload_t*)ts_payload);
559
560 /* add a notify if we are not in tunnel mode */
561 switch (this->mode)
562 {
563 case MODE_TRANSPORT:
564 message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
565 break;
566 case MODE_BEET:
567 message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
568 break;
569 default:
570 break;
571 }
572 }
573
574 /**
575 * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
576 */
577 static void add_ipcomp_notify(private_child_create_t *this,
578 message_t *message, u_int8_t ipcomp)
579 {
580 if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
581 {
582 DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
583 "IPComp disabled");
584 return;
585 }
586
587 this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
588 if (this->my_cpi)
589 {
590 this->ipcomp = ipcomp;
591 message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
592 chunk_cata("cc", chunk_from_thing(this->my_cpi),
593 chunk_from_thing(ipcomp)));
594 }
595 else
596 {
597 DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
598 }
599 }
600
601 /**
602 * handle a received notify payload
603 */
604 static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
605 {
606 switch (notify->get_notify_type(notify))
607 {
608 case USE_TRANSPORT_MODE:
609 this->mode = MODE_TRANSPORT;
610 break;
611 case USE_BEET_MODE:
612 if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
613 { /* handle private use notify only if we know its meaning */
614 this->mode = MODE_BEET;
615 }
616 else
617 {
618 DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
619 "mode, but peer implementation unknown, skipped");
620 }
621 break;
622 case IPCOMP_SUPPORTED:
623 {
624 ipcomp_transform_t ipcomp;
625 u_int16_t cpi;
626 chunk_t data;
627
628 data = notify->get_notification_data(notify);
629 cpi = *(u_int16_t*)data.ptr;
630 ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
631 switch (ipcomp)
632 {
633 case IPCOMP_DEFLATE:
634 this->other_cpi = cpi;
635 this->ipcomp_received = ipcomp;
636 break;
637 case IPCOMP_LZS:
638 case IPCOMP_LZJH:
639 default:
640 DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
641 "transform ID we don't support %N",
642 ipcomp_transform_names, ipcomp);
643 break;
644 }
645 break;
646 }
647 case ESP_TFC_PADDING_NOT_SUPPORTED:
648 DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
649 notify_type_names, notify->get_notify_type(notify));
650 this->tfcv3 = FALSE;
651 break;
652 default:
653 break;
654 }
655 }
656
657 /**
658 * Read payloads from message
659 */
660 static void process_payloads(private_child_create_t *this, message_t *message)
661 {
662 enumerator_t *enumerator;
663 payload_t *payload;
664 sa_payload_t *sa_payload;
665 ke_payload_t *ke_payload;
666 ts_payload_t *ts_payload;
667
668 /* defaults to TUNNEL mode */
669 this->mode = MODE_TUNNEL;
670
671 enumerator = message->create_payload_enumerator(message);
672 while (enumerator->enumerate(enumerator, &payload))
673 {
674 switch (payload->get_type(payload))
675 {
676 case SECURITY_ASSOCIATION:
677 sa_payload = (sa_payload_t*)payload;
678 this->proposals = sa_payload->get_proposals(sa_payload);
679 break;
680 case KEY_EXCHANGE:
681 ke_payload = (ke_payload_t*)payload;
682 if (!this->initiator)
683 {
684 this->dh_group = ke_payload->get_dh_group_number(ke_payload);
685 this->dh = this->keymat->keymat.create_dh(
686 &this->keymat->keymat, this->dh_group);
687 }
688 if (this->dh)
689 {
690 this->dh->set_other_public_value(this->dh,
691 ke_payload->get_key_exchange_data(ke_payload));
692 }
693 break;
694 case TRAFFIC_SELECTOR_INITIATOR:
695 ts_payload = (ts_payload_t*)payload;
696 this->tsi = ts_payload->get_traffic_selectors(ts_payload);
697 break;
698 case TRAFFIC_SELECTOR_RESPONDER:
699 ts_payload = (ts_payload_t*)payload;
700 this->tsr = ts_payload->get_traffic_selectors(ts_payload);
701 break;
702 case NOTIFY:
703 handle_notify(this, (notify_payload_t*)payload);
704 break;
705 default:
706 break;
707 }
708 }
709 enumerator->destroy(enumerator);
710 }
711
712 METHOD(task_t, build_i, status_t,
713 private_child_create_t *this, message_t *message)
714 {
715 host_t *me, *other, *vip;
716 peer_cfg_t *peer_cfg;
717
718 switch (message->get_exchange_type(message))
719 {
720 case IKE_SA_INIT:
721 return get_nonce(message, &this->my_nonce);
722 case CREATE_CHILD_SA:
723 if (generate_nonce(this) != SUCCESS)
724 {
725 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
726 return SUCCESS;
727 }
728 if (this->dh_group == MODP_NONE)
729 {
730 this->dh_group = this->config->get_dh_group(this->config);
731 }
732 break;
733 case IKE_AUTH:
734 if (message->get_message_id(message) != 1)
735 {
736 /* send only in the first request, not in subsequent rounds */
737 return NEED_MORE;
738 }
739 break;
740 default:
741 break;
742 }
743
744 if (this->reqid)
745 {
746 DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
747 this->config->get_name(this->config), this->reqid);
748 }
749 else
750 {
751 DBG0(DBG_IKE, "establishing CHILD_SA %s",
752 this->config->get_name(this->config));
753 }
754
755 /* reuse virtual IP if we already have one */
756 me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
757 if (me == NULL)
758 {
759 me = this->ike_sa->get_my_host(this->ike_sa);
760 }
761 other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
762 if (other == NULL)
763 {
764 other = this->ike_sa->get_other_host(this->ike_sa);
765 }
766
767 /* check if we want a virtual IP, but don't have one */
768 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
769 vip = peer_cfg->get_virtual_ip(peer_cfg);
770 if (!this->reqid && vip)
771 {
772 /* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
773 vip = host_create_any(vip->get_family(vip));
774 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
775 NULL, vip);
776 vip->destroy(vip);
777 }
778 else
779 { /* but narrow it for host2host / if we already have a vip */
780 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
781 NULL, me);
782 }
783 this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
784 NULL, other);
785
786 if (this->packet_tsi)
787 {
788 this->tsi->insert_first(this->tsi,
789 this->packet_tsi->clone(this->packet_tsi));
790 }
791 if (this->packet_tsr)
792 {
793 this->tsr->insert_first(this->tsr,
794 this->packet_tsr->clone(this->packet_tsr));
795 }
796 this->proposals = this->config->get_proposals(this->config,
797 this->dh_group == MODP_NONE);
798 this->mode = this->config->get_mode(this->config);
799 if (this->mode == MODE_TRANSPORT &&
800 this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
801 {
802 this->mode = MODE_TUNNEL;
803 DBG1(DBG_IKE, "not using transport mode, connection NATed");
804 }
805
806 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
807 this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
808 this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
809
810 if (!allocate_spi(this))
811 {
812 DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
813 return FAILED;
814 }
815
816 if (this->dh_group != MODP_NONE)
817 {
818 this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
819 this->dh_group);
820 }
821
822 if (this->config->use_ipcomp(this->config))
823 {
824 /* IPCOMP_DEFLATE is the only transform we support at the moment */
825 add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
826 }
827
828 if (message->get_exchange_type(message) == IKE_AUTH)
829 {
830 charon->bus->narrow(charon->bus, this->child_sa,
831 NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr);
832 }
833 else
834 {
835 charon->bus->narrow(charon->bus, this->child_sa,
836 NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
837 }
838
839 build_payloads(this, message);
840
841 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
842 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
843 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
844 this->tsi = NULL;
845 this->tsr = NULL;
846 this->proposals = NULL;
847
848 return NEED_MORE;
849 }
850
851 METHOD(task_t, process_r, status_t,
852 private_child_create_t *this, message_t *message)
853 {
854 switch (message->get_exchange_type(message))
855 {
856 case IKE_SA_INIT:
857 return get_nonce(message, &this->other_nonce);
858 case CREATE_CHILD_SA:
859 get_nonce(message, &this->other_nonce);
860 break;
861 case IKE_AUTH:
862 if (message->get_message_id(message) != 1)
863 {
864 /* only handle first AUTH payload, not additional rounds */
865 return NEED_MORE;
866 }
867 default:
868 break;
869 }
870
871 process_payloads(this, message);
872
873 return NEED_MORE;
874 }
875
876 /**
877 * handle CHILD_SA setup failure
878 */
879 static void handle_child_sa_failure(private_child_create_t *this,
880 message_t *message)
881 {
882 if (message->get_exchange_type(message) == IKE_AUTH &&
883 lib->settings->get_bool(lib->settings,
884 "%s.close_ike_on_child_failure", FALSE, charon->name))
885 {
886 /* we delay the delete for 100ms, as the IKE_AUTH response must arrive
887 * first */
888 DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
889 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
890 delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
891 100);
892 }
893 else
894 {
895 DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA");
896 }
897 }
898
899 METHOD(task_t, build_r, status_t,
900 private_child_create_t *this, message_t *message)
901 {
902 peer_cfg_t *peer_cfg;
903 payload_t *payload;
904 enumerator_t *enumerator;
905 bool no_dh = TRUE, ike_auth = FALSE;
906
907 switch (message->get_exchange_type(message))
908 {
909 case IKE_SA_INIT:
910 return get_nonce(message, &this->my_nonce);
911 case CREATE_CHILD_SA:
912 if (generate_nonce(this) != SUCCESS)
913 {
914 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
915 chunk_empty);
916 return SUCCESS;
917 }
918 no_dh = FALSE;
919 break;
920 case IKE_AUTH:
921 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
922 { /* wait until all authentication round completed */
923 return NEED_MORE;
924 }
925 ike_auth = TRUE;
926 default:
927 break;
928 }
929
930 if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
931 {
932 DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
933 message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
934 return SUCCESS;
935 }
936
937 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
938 if (!this->config && peer_cfg && this->tsi && this->tsr)
939 {
940 host_t *me, *other;
941
942 me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
943 if (me == NULL)
944 {
945 me = this->ike_sa->get_my_host(this->ike_sa);
946 }
947 other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
948 if (other == NULL)
949 {
950 other = this->ike_sa->get_other_host(this->ike_sa);
951 }
952 this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
953 this->tsi, me, other);
954 }
955
956 if (this->config == NULL)
957 {
958 DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
959 this->tsr, this->tsi);
960 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
961 handle_child_sa_failure(this, message);
962 return SUCCESS;
963 }
964
965 /* check if ike_config_t included non-critical error notifies */
966 enumerator = message->create_payload_enumerator(message);
967 while (enumerator->enumerate(enumerator, &payload))
968 {
969 if (payload->get_type(payload) == NOTIFY)
970 {
971 notify_payload_t *notify = (notify_payload_t*)payload;
972
973 switch (notify->get_notify_type(notify))
974 {
975 case INTERNAL_ADDRESS_FAILURE:
976 case FAILED_CP_REQUIRED:
977 {
978 DBG1(DBG_IKE,"configuration payload negotiation "
979 "failed, no CHILD_SA built");
980 enumerator->destroy(enumerator);
981 handle_child_sa_failure(this, message);
982 return SUCCESS;
983 }
984 default:
985 break;
986 }
987 }
988 }
989 enumerator->destroy(enumerator);
990
991 this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
992 this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
993 this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
994
995 if (this->ipcomp_received != IPCOMP_NONE)
996 {
997 if (this->config->use_ipcomp(this->config))
998 {
999 add_ipcomp_notify(this, message, this->ipcomp_received);
1000 }
1001 else
1002 {
1003 DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
1004 notify_type_names, IPCOMP_SUPPORTED);
1005 }
1006 }
1007
1008 switch (select_and_install(this, no_dh, ike_auth))
1009 {
1010 case SUCCESS:
1011 break;
1012 case NOT_FOUND:
1013 message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
1014 handle_child_sa_failure(this, message);
1015 return SUCCESS;
1016 case INVALID_ARG:
1017 {
1018 u_int16_t group = htons(this->dh_group);
1019 message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
1020 chunk_from_thing(group));
1021 handle_child_sa_failure(this, message);
1022 return SUCCESS;
1023 }
1024 case FAILED:
1025 default:
1026 message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
1027 handle_child_sa_failure(this, message);
1028 return SUCCESS;
1029 }
1030
1031 build_payloads(this, message);
1032
1033 DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
1034 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
1035 this->child_sa->get_name(this->child_sa),
1036 this->child_sa->get_reqid(this->child_sa),
1037 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
1038 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
1039 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
1040 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
1041
1042 if (!this->rekey)
1043 { /* invoke the child_up() hook if we are not rekeying */
1044 charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
1045 }
1046 return SUCCESS;
1047 }
1048
1049 METHOD(task_t, process_i, status_t,
1050 private_child_create_t *this, message_t *message)
1051 {
1052 enumerator_t *enumerator;
1053 payload_t *payload;
1054 bool no_dh = TRUE, ike_auth = FALSE;
1055
1056 switch (message->get_exchange_type(message))
1057 {
1058 case IKE_SA_INIT:
1059 return get_nonce(message, &this->other_nonce);
1060 case CREATE_CHILD_SA:
1061 get_nonce(message, &this->other_nonce);
1062 no_dh = FALSE;
1063 break;
1064 case IKE_AUTH:
1065 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1066 { /* wait until all authentication round completed */
1067 return NEED_MORE;
1068 }
1069 ike_auth = TRUE;
1070 default:
1071 break;
1072 }
1073
1074 /* check for erronous notifies */
1075 enumerator = message->create_payload_enumerator(message);
1076 while (enumerator->enumerate(enumerator, &payload))
1077 {
1078 if (payload->get_type(payload) == NOTIFY)
1079 {
1080 notify_payload_t *notify = (notify_payload_t*)payload;
1081 notify_type_t type = notify->get_notify_type(notify);
1082
1083 switch (type)
1084 {
1085 /* handle notify errors related to CHILD_SA only */
1086 case NO_PROPOSAL_CHOSEN:
1087 case SINGLE_PAIR_REQUIRED:
1088 case NO_ADDITIONAL_SAS:
1089 case INTERNAL_ADDRESS_FAILURE:
1090 case FAILED_CP_REQUIRED:
1091 case TS_UNACCEPTABLE:
1092 case INVALID_SELECTORS:
1093 {
1094 DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
1095 notify_type_names, type);
1096 enumerator->destroy(enumerator);
1097 handle_child_sa_failure(this, message);
1098 /* an error in CHILD_SA creation is not critical */
1099 return SUCCESS;
1100 }
1101 case INVALID_KE_PAYLOAD:
1102 {
1103 chunk_t data;
1104 u_int16_t group = MODP_NONE;
1105
1106 data = notify->get_notification_data(notify);
1107 if (data.len == sizeof(group))
1108 {
1109 memcpy(&group, data.ptr, data.len);
1110 group = ntohs(group);
1111 }
1112 DBG1(DBG_IKE, "peer didn't accept DH group %N, "
1113 "it requested %N", diffie_hellman_group_names,
1114 this->dh_group, diffie_hellman_group_names, group);
1115 this->dh_group = group;
1116 this->public.task.migrate(&this->public.task, this->ike_sa);
1117 enumerator->destroy(enumerator);
1118 return NEED_MORE;
1119 }
1120 default:
1121 {
1122 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
1123 { /* handle notifies if not handled in IKE_AUTH */
1124 if (type <= 16383)
1125 {
1126 DBG1(DBG_IKE, "received %N notify error",
1127 notify_type_names, type);
1128 enumerator->destroy(enumerator);
1129 return SUCCESS;
1130 }
1131 DBG2(DBG_IKE, "received %N notify",
1132 notify_type_names, type);
1133 }
1134 break;
1135 }
1136 }
1137 }
1138 }
1139 enumerator->destroy(enumerator);
1140
1141 process_payloads(this, message);
1142
1143 if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
1144 {
1145 DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
1146 " one, no CHILD_SA built");
1147 handle_child_sa_failure(this, message);
1148 return SUCCESS;
1149 }
1150 else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
1151 {
1152 DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
1153 "IPComp is disabled");
1154 this->ipcomp = IPCOMP_NONE;
1155 }
1156 else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
1157 {
1158 DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
1159 "no CHILD_SA built");
1160 handle_child_sa_failure(this, message);
1161 return SUCCESS;
1162 }
1163
1164 if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
1165 {
1166 DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
1167 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
1168 this->child_sa->get_name(this->child_sa),
1169 this->child_sa->get_reqid(this->child_sa),
1170 ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
1171 ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
1172 this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
1173 this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
1174
1175 if (!this->rekey)
1176 { /* invoke the child_up() hook if we are not rekeying */
1177 charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
1178 }
1179 }
1180 else
1181 {
1182 handle_child_sa_failure(this, message);
1183 }
1184 return SUCCESS;
1185 }
1186
1187 METHOD(child_create_t, use_reqid, void,
1188 private_child_create_t *this, u_int32_t reqid)
1189 {
1190 this->reqid = reqid;
1191 }
1192
1193 METHOD(child_create_t, get_child, child_sa_t*,
1194 private_child_create_t *this)
1195 {
1196 return this->child_sa;
1197 }
1198
1199 METHOD(child_create_t, set_config, void,
1200 private_child_create_t *this, child_cfg_t *cfg)
1201 {
1202 DESTROY_IF(this->config);
1203 this->config = cfg;
1204 }
1205
1206 METHOD(child_create_t, get_lower_nonce, chunk_t,
1207 private_child_create_t *this)
1208 {
1209 if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
1210 min(this->my_nonce.len, this->other_nonce.len)) < 0)
1211 {
1212 return this->my_nonce;
1213 }
1214 else
1215 {
1216 return this->other_nonce;
1217 }
1218 }
1219
1220 METHOD(task_t, get_type, task_type_t,
1221 private_child_create_t *this)
1222 {
1223 return TASK_CHILD_CREATE;
1224 }
1225
1226 METHOD(task_t, migrate, void,
1227 private_child_create_t *this, ike_sa_t *ike_sa)
1228 {
1229 chunk_free(&this->my_nonce);
1230 chunk_free(&this->other_nonce);
1231 if (this->tsr)
1232 {
1233 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1234 }
1235 if (this->tsi)
1236 {
1237 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1238 }
1239 DESTROY_IF(this->child_sa);
1240 DESTROY_IF(this->proposal);
1241 DESTROY_IF(this->dh);
1242 if (this->proposals)
1243 {
1244 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1245 }
1246
1247 this->ike_sa = ike_sa;
1248 this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
1249 this->proposal = NULL;
1250 this->proposals = NULL;
1251 this->tsi = NULL;
1252 this->tsr = NULL;
1253 this->dh = NULL;
1254 this->child_sa = NULL;
1255 this->mode = MODE_TUNNEL;
1256 this->ipcomp = IPCOMP_NONE;
1257 this->ipcomp_received = IPCOMP_NONE;
1258 this->other_cpi = 0;
1259 this->reqid = 0;
1260 this->established = FALSE;
1261 }
1262
1263 METHOD(task_t, destroy, void,
1264 private_child_create_t *this)
1265 {
1266 chunk_free(&this->my_nonce);
1267 chunk_free(&this->other_nonce);
1268 if (this->tsr)
1269 {
1270 this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
1271 }
1272 if (this->tsi)
1273 {
1274 this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
1275 }
1276 if (!this->established)
1277 {
1278 DESTROY_IF(this->child_sa);
1279 }
1280 DESTROY_IF(this->packet_tsi);
1281 DESTROY_IF(this->packet_tsr);
1282 DESTROY_IF(this->proposal);
1283 DESTROY_IF(this->dh);
1284 if (this->proposals)
1285 {
1286 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
1287 }
1288
1289 DESTROY_IF(this->config);
1290 free(this);
1291 }
1292
1293 /*
1294 * Described in header.
1295 */
1296 child_create_t *child_create_create(ike_sa_t *ike_sa,
1297 child_cfg_t *config, bool rekey,
1298 traffic_selector_t *tsi, traffic_selector_t *tsr)
1299 {
1300 private_child_create_t *this;
1301
1302 INIT(this,
1303 .public = {
1304 .get_child = _get_child,
1305 .set_config = _set_config,
1306 .get_lower_nonce = _get_lower_nonce,
1307 .use_reqid = _use_reqid,
1308 .task = {
1309 .get_type = _get_type,
1310 .migrate = _migrate,
1311 .destroy = _destroy,
1312 },
1313 },
1314 .ike_sa = ike_sa,
1315 .config = config,
1316 .packet_tsi = tsi ? tsi->clone(tsi) : NULL,
1317 .packet_tsr = tsr ? tsr->clone(tsr) : NULL,
1318 .dh_group = MODP_NONE,
1319 .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
1320 .mode = MODE_TUNNEL,
1321 .tfcv3 = TRUE,
1322 .ipcomp = IPCOMP_NONE,
1323 .ipcomp_received = IPCOMP_NONE,
1324 .rekey = rekey,
1325 );
1326
1327 if (config)
1328 {
1329 this->public.task.build = _build_i;
1330 this->public.task.process = _process_i;
1331 this->initiator = TRUE;
1332 }
1333 else
1334 {
1335 this->public.task.build = _build_r;
1336 this->public.task.process = _process_r;
1337 this->initiator = FALSE;
1338 }
1339
1340 return &this->public;
1341 }