authorReto Buerki <reet@codelabs.ch>2015-04-23 11:19:24 +0200
committerTobias Brunner <tobias@strongswan.org>2015-05-04 18:07:51 +0200
commit0b308faf6d546e01f7cb58db1377d4c26a5ee26b (patch)
tree95261b195a73ca84739dea1ad5ee078b2ab56d50
parent72376234cbc449b062c68a24837aeefacad44ade (diff)
ike-init: Make nonceg a member of ike_init struct
This allows controlling the life-cycle of a nonce in the context of the ike init task. In the TKM use-case the nonce generator cannot be destroyed before the ike init task is finalized, otherwise the created nonce is detected as stale.
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_init.c37
1 files changed, 17 insertions, 20 deletions
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 0d5700ef2..2d9bf518d 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -90,6 +90,11 @@ struct private_ike_init_t {
chunk_t other_nonce;
/**
+ * nonce generator
+ */
+ nonce_gen_t *nonceg;
+
+ /**
* Negotiated proposal used for IKE_SA
*/
proposal_t *proposal;
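Review bot: The new member's comment `nonce generator` says nothing about ownership or lifetime, which according to the commit message is the whole reason the generator moved into the struct. I would document it as `Nonce generator, created in ike_init_create() and released in destroy(); it must outlive the nonces it produced, since backends such as TKM otherwise treat those nonces as stale`. Stating the invariant on the member makes it visible to whoever later adds an early destroy or a new failure path in this task.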
@@ -428,21 +433,12 @@ METHOD(task_t, build_i, status_t,
/* generate nonce only when we are trying the first time */
if (this->my_nonce.ptr == NULL)
{
- nonce_gen_t *nonceg;
-
- nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
- if (!nonceg)
- {
- DBG1(DBG_IKE, "no nonce generator found to create nonce");
- return FAILED;
- }
- if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+ if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE,
+ &this->my_nonce))
{
DBG1(DBG_IKE, "nonce allocation failed");
- nonceg->destroy(nonceg);
return FAILED;
}
- nonceg->destroy(nonceg);
}
if (this->cookie.ptr)
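Review bot: The rewritten allocate_nonce call dereferences `this->nonceg` without a NULL check, which is only sound because ike_init_create() is meant to fail when no generator is available. As shown at the bottom of the page, that failure path does `return FAILED;` from a function declared to return `ike_init_t *`, so the caller receives a non-NULL bogus pointer (and the compiler an int-to-pointer conversion warning) and this dereference becomes the crash site; the constructor should `return NULL;` instead, which is what the task-manager callers presumably check for. That constructor hunk runs past the end of the page, so I raise it here. build_i's body also continues outside this hunk.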
@@ -477,19 +473,11 @@ METHOD(task_t, process_r, status_t,
DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message));
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
- nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
- if (!nonceg)
- {
- DBG1(DBG_IKE, "no nonce generator found to create nonce");
- return FAILED;
- }
- if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+ if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE, &this->my_nonce))
{
DBG1(DBG_IKE, "nonce allocation failed");
- nonceg->destroy(nonceg);
return FAILED;
}
- nonceg->destroy(nonceg);
#ifdef ME
{
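Review bot: The new allocate_nonce call in process_r is written on a single line well past 80 columns, while the identical call in build_i was wrapped; for consistency it should be `if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE,` followed by `&this->my_nonce))` on the continuation line. The removed lines also assigned a local `nonceg` whose declaration is not inside this hunk; if it is still declared at the top of process_r it is now unused and should be dropped as was done in build_i. process_r continues outside the hunk on both sides.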
@@ -756,6 +744,7 @@ METHOD(task_t, destroy, void,
{
DESTROY_IF(this->dh);
DESTROY_IF(this->proposal);
+ DESTROY_IF(this->nonceg);
chunk_free(&this->my_nonce);
chunk_free(&this->other_nonce);
chunk_free(&this->cookie);
@@ -801,6 +790,14 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
"%s.signature_authentication", TRUE, lib->ns),
);
+ this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+ if (!this->nonceg)
+ {
+ DBG1(DBG_IKE, "no nonce generator found to create nonce");
+ free(this);
+ return FAILED;
+ }
+
if (initiator)
{
this->public.task.build = _build_i;