From: Reto Buerki Date: Thu, 23 Apr 2015 09:19:24 +0000 (+0200) Subject: ike-init: Make nonceg a member of ike_init struct X-Git-Tag: 5.3.1rc1~35^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b308faf6d546e01f7cb58db1377d4c26a5ee26b;p=thirdparty%2Fstrongswan.git ike-init: Make nonceg a member of ike_init struct This allows to control the life-cycle of a nonce in the context of the ike init task. In the TKM use-case the nonce generator cannot be destroyed before the ike init task is finalized, otherwise the created nonce is detected as stale. --- diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index 0d5700ef29..2d9bf518d3 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -89,6 +89,11 @@ struct private_ike_init_t { */ chunk_t other_nonce; + /** + * nonce generator + */ + nonce_gen_t *nonceg; + /** * Negotiated proposal used for IKE_SA */ @@ -428,21 +433,12 @@ METHOD(task_t, build_i, status_t, /* generate nonce only when we are trying the first time */ if (this->my_nonce.ptr == NULL) { - nonce_gen_t *nonceg; - - nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); - if (!nonceg) - { - DBG1(DBG_IKE, "no nonce generator found to create nonce"); - return FAILED; - } - if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce)) + if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE, + &this->my_nonce)) { DBG1(DBG_IKE, "nonce allocation failed"); - nonceg->destroy(nonceg); return FAILED; } - nonceg->destroy(nonceg); } if (this->cookie.ptr) 
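Review bot: The new `nonceg` member's comment says only `nonce generator`, although this commit exists precisely to pin the generator's life-cycle, so the struct comment should state the ownership, e.g. `/** Nonce generator, created in ike_init_create() and owned by this task; released in destroy() so the nonce stays valid until the task is finalized. */`. Without that, a later reader of build_i or process_r has no hint why the generator is no longer destroyed right after allocate_nonce(). The build_i hunk on this line needs no further change: its error path now correctly leaves the cleanup to destroy(), which the later hunk extends with `DESTROY_IF(this->nonceg)`.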
@@ -477,19 +473,11 @@ METHOD(task_t, process_r, status_t, DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message)); this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); - nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); - if (!nonceg) - { - DBG1(DBG_IKE, "no nonce generator found to create nonce"); - return FAILED; - } - if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce)) + if (!this->nonceg->allocate_nonce(this->nonceg, NONCE_SIZE, &this->my_nonce)) { DBG1(DBG_IKE, "nonce allocation failed"); - nonceg->destroy(nonceg); return FAILED; } - nonceg->destroy(nonceg); #ifdef ME { @@ -756,6 +744,7 @@ METHOD(task_t, destroy, void, { DESTROY_IF(this->dh); DESTROY_IF(this->proposal); + DESTROY_IF(this->nonceg); chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); chunk_free(&this->cookie); @@ -801,6 +790,14 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa) "%s.signature_authentication", TRUE, lib->ns), ); + this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat); + if (!this->nonceg) + { + DBG1(DBG_IKE, "no nonce generator found to create nonce"); + free(this); + return FAILED; + } + if (initiator) { this->public.task.build = _build_i;
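Review bot: The process_r hunk removes the assignment to the local `nonceg` but, unlike the build_i hunk, removes no declaration; process_r's opening lines are outside the hunk, so if the function still declares `nonce_gen_t *nonceg;` at its top (as build_i did), that local is now unused and will trip -Wunused-variable. The declaration should be dropped in the same commit. The added `allocate_nonce` call itself is fine, since ike_init_create now guarantees `this->nonceg` is non-NULL before any build/process method runs.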
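Review bot: `return FAILED;` in the new failure branch of ike_init_create is wrong for a function whose return type is `ike_init_t *` (visible in the hunk header): FAILED is a status_t enum value, so the compiler accepts it only with an int-to-pointer warning and the caller receives a small non-NULL integer disguised as a pointer, which it will dereference instead of seeing a failure. The branch should read `return NULL;`, and callers of ike_init_create must treat NULL as failure (whether they already do is not visible here). Freeing `this` before returning is correct only if nothing set up by the preceding INIT() block needs releasing; from the visible tail of that block nothing is, but confirm against the full initializer.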