child-create: Make nonceg a member of child_create struct

This allows to control the life-cycle of a nonce in the context of the
child create task. In the TKM use-case, it is required to reset the
nonce context if the created nonce is not consumed. This happens if the
child SA negotiation fails and it is detected before the SA is
established via the TKM kernel plugin (i.e. rekey collision).

diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 6e00ebadaa1732bbe121a5608c2f53f79ea00350..868f271648b4641917dbaf230fb6b027e4987664 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -64,6 +64,11 @@ struct private_child_create_t {
         */
        chunk_t other_nonce;
 
+       /**
+        * nonce generator
+        */
+       nonce_gen_t *nonceg;
+
        /**
         * config to create the CHILD_SA from
         */
@@ -216,22 +221,12 @@ static status_t get_nonce(message_t *message, chunk_t *nonce)
  */
 static status_t generate_nonce(private_child_create_t *this)
 {
-       nonce_gen_t *nonceg;
-
-       nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
-       if (!nonceg)
-       {
-               DBG1(DBG_IKE, "no nonce generator found to create nonce");
-               return FAILED;
-       }
-       if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+       if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE,
+                                                                         &this->my_nonce))
        {
                DBG1(DBG_IKE, "nonce allocation failed");
-               nonceg->destroy(nonceg);
                return FAILED;
        }
-       nonceg->destroy(nonceg);
-
        return SUCCESS;
 }
 
@@ -1631,6 +1626,7 @@ METHOD(task_t, destroy, void,
        }
 
        DESTROY_IF(this->config);
+       DESTROY_IF(this->nonceg);
        free(this);
 }
 
@@ -1670,6 +1666,14 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
                .retry = FALSE,
        );
 
+       this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+       if (!this->nonceg)
+       {
+               DBG1(DBG_IKE, "no nonce generator found to create nonce");
+               free(this);
+               return NULL;
+       }
+
        if (config)
        {
                this->public.task.build = _build_i;