authorReto Buerki <reet@codelabs.ch>2015-04-23 08:46:18 +0200
committerTobias Brunner <tobias@strongswan.org>2015-05-04 18:07:51 +0200
commit72376234cbc449b062c68a24837aeefacad44ade (patch)
tree90b30522b46185a9295a09ad3ec06b6dc3b36713
parent8cdc563258db508ce7a848f63f68cbe37b4f40e0 (diff)
downloadstrongswan-72376234cbc449b062c68a24837aeefacad44ade.tar.bz2
strongswan-72376234cbc449b062c68a24837aeefacad44ade.tar.xz
child-create: Make nonceg a member of child_create struct
This allows controlling the life-cycle of a nonce in the context of the child create task. In the TKM use-case, the nonce context must be reset if the created nonce is not consumed. This happens if the child SA negotiation fails and the failure is detected before the SA is established via the TKM kernel plugin (i.e. on a rekey collision).
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c28
1 files changed, 16 insertions, 12 deletions
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 6e00ebada..868f27164 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -65,6 +65,11 @@ struct private_child_create_t {
chunk_t other_nonce;
/**
+ * nonce generator
+ */
+ nonce_gen_t *nonceg;
+
+ /**
* config to create the CHILD_SA from
*/
child_cfg_t *config;
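Review bot: The new member's comment says only "nonce generator", but the whole point of the commit is ownership, so the comment should state it: `/** nonce generator owned by this task, created in child_create_create() and released in destroy() */`. That tells a maintainer the pointer is valid for the task's entire life and must not be destroyed by generate_nonce() as the old code did. The struct definition starts before and continues past this hunk.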
@@ -216,22 +221,12 @@ static status_t get_nonce(message_t *message, chunk_t *nonce)
*/
static status_t generate_nonce(private_child_create_t *this)
{
- nonce_gen_t *nonceg;
-
- nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
- if (!nonceg)
- {
- DBG1(DBG_IKE, "no nonce generator found to create nonce");
- return FAILED;
- }
- if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+ if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE,
+ &this->my_nonce))
{
DBG1(DBG_IKE, "nonce allocation failed");
- nonceg->destroy(nonceg);
return FAILED;
}
- nonceg->destroy(nonceg);
-
return SUCCESS;
}
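Review bot: generate_nonce() now reuses one generator object for every call on this task, whereas the removed code created and destroyed a fresh generator per nonce, so if this function can run more than once on the same task (the `retry` field set in the constructor hunk suggests a retry path exists) the generator must cope with repeated allocate_nonce() calls; the commit message says a stateful TKM generator needs an explicit reset in that case, and that reset is not visible in this file, so I'd verify the retry path handles it. The function also no longer checks `this->nonceg` for NULL, which is correct only because the constructor refuses to build the task without one; please record that invariant above the function, e.g. `/* this->nonceg is never NULL here: child_create_create() fails without a nonce generator */`. Note that `my_nonce` is assigned without freeing any previous value; that is pre-existing behaviour and presumably handled elsewhere, but worth confirming once the same generator can be hit repeatedly.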
@@ -1631,6 +1626,7 @@ METHOD(task_t, destroy, void,
}
DESTROY_IF(this->config);
+ DESTROY_IF(this->nonceg);
free(this);
}
@@ -1670,6 +1666,14 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
.retry = FALSE,
);
+ this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+ if (!this->nonceg)
+ {
+ DBG1(DBG_IKE, "no nonce generator found to create nonce");
+ free(this);
+ return NULL;
+ }
+
if (config)
{
this->public.task.build = _build_i;
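Review bot: The new failure path releases the task with a bare `free(this)` instead of the task's own destroy() (the hunk above), so whatever INIT already set up is leaked; the INIT block begins before this hunk so I can't see every field it owns, but if it clones the traffic selectors or holds the config reference that destroy() releases with `DESTROY_IF(this->config)`, those are lost. Since destroy() is defined earlier in the file and guards every member with DESTROY_IF, `destroy(this); return NULL;` is the safer form here. Separately, child_create_create() could not return NULL before this change, so every caller that queues the returned task needs a NULL check now; that audit is not part of this commit and should be confirmed. The function continues past the end of the hunk.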