Invoke authorization hooks for IKEv1 connections
parent
1a0648490c
commit
f420f51f55
|
@ -95,8 +95,14 @@ struct private_aggressive_mode_t {
|
|||
/**
|
||||
* Set IKE_SA to established state
|
||||
*/
|
||||
static void establish(private_aggressive_mode_t *this)
|
||||
static bool establish(private_aggressive_mode_t *this)
|
||||
{
|
||||
if (!charon->bus->authorize(charon->bus, TRUE))
|
||||
{
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
||||
this->ike_sa->get_name(this->ike_sa),
|
||||
this->ike_sa->get_unique_id(this->ike_sa),
|
||||
|
@ -107,6 +113,8 @@ static void establish(private_aggressive_mode_t *this)
|
|||
|
||||
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
||||
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -278,28 +286,31 @@ METHOD(task_t, build_i, status_t,
|
|||
}
|
||||
this->id_data = chunk_empty;
|
||||
|
||||
if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
|
||||
{
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)mode_config_create(this->ike_sa, TRUE));
|
||||
}
|
||||
|
||||
switch (this->method)
|
||||
{
|
||||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_INIT_RSA:
|
||||
case AUTH_HYBRID_INIT_RSA:
|
||||
/* wait for XAUTH request */
|
||||
return SUCCESS;
|
||||
break;
|
||||
case AUTH_XAUTH_RESP_PSK:
|
||||
case AUTH_XAUTH_RESP_RSA:
|
||||
case AUTH_HYBRID_RESP_RSA:
|
||||
/* TODO-IKEv1: not yet */
|
||||
return FAILED;
|
||||
default:
|
||||
establish(this);
|
||||
return SUCCESS;
|
||||
if (!establish(this))
|
||||
{
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
|
||||
{
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)mode_config_create(this->ike_sa, TRUE));
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
default:
|
||||
return FAILED;
|
||||
|
@ -405,6 +416,13 @@ METHOD(task_t, process_r, status_t,
|
|||
}
|
||||
this->id_data = chunk_empty;
|
||||
|
||||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
|
||||
"IKE_SA, cancelling");
|
||||
return send_delete(this);
|
||||
}
|
||||
|
||||
switch (this->method)
|
||||
{
|
||||
case AUTH_XAUTH_INIT_PSK:
|
||||
|
@ -419,7 +437,10 @@ METHOD(task_t, process_r, status_t,
|
|||
/* TODO-IKEv1: not yet supported */
|
||||
return FAILED;
|
||||
default:
|
||||
establish(this);
|
||||
if (!establish(this))
|
||||
{
|
||||
return send_delete(this);
|
||||
}
|
||||
lib->processor->queue_job(lib->processor, (job_t*)
|
||||
adopt_children_job_create(
|
||||
this->ike_sa->get_id(this->ike_sa)));
|
||||
|
@ -557,6 +578,13 @@ METHOD(task_t, process_i, status_t,
|
|||
{
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
|
||||
"cancelling");
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
||||
return NEED_MORE;
|
||||
}
|
||||
return FAILED;
|
||||
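Review bot: In the build_i hunk the mode_config queueing has moved from before `switch (this->method)` to after it, but the AUTH_XAUTH_INIT_PSK/AUTH_XAUTH_INIT_RSA/AUTH_HYBRID_INIT_RSA cases still `return SUCCESS;` from inside the switch, so as far as this hunk shows an initiator configured for XAuth no longer reaches the `get_virtual_ip` check and does not queue the task for its virtual IP. If the XAuth task is meant to take over that duty, a comment at the `/* wait for XAUTH request */` line saying so would help; if not, the `return SUCCESS;` in those cases should become `break;`, which also removes the `break;` that currently sits unreachable after the return. The same pattern appears in the main-mode process_i hunk. build_i begins and ends outside this hunk.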
|
|
|
@ -95,8 +95,14 @@ struct private_main_mode_t {
|
|||
/**
|
||||
* Set IKE_SA to established state
|
||||
*/
|
||||
static void establish(private_main_mode_t *this)
|
||||
static bool establish(private_main_mode_t *this)
|
||||
{
|
||||
if (!charon->bus->authorize(charon->bus, TRUE))
|
||||
{
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
||||
this->ike_sa->get_name(this->ike_sa),
|
||||
this->ike_sa->get_unique_id(this->ike_sa),
|
||||
|
@ -107,6 +113,8 @@ static void establish(private_main_mode_t *this)
|
|||
|
||||
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
||||
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -406,6 +414,13 @@ METHOD(task_t, process_r, status_t,
|
|||
{
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
|
||||
"cancelling");
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
||||
this->state = MM_AUTH;
|
||||
if (has_notify_errors(this, message))
|
||||
{
|
||||
|
@ -467,6 +482,7 @@ METHOD(task_t, build_r, status_t,
|
|||
{
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
||||
switch (this->method)
|
||||
{
|
||||
case AUTH_XAUTH_INIT_PSK:
|
||||
|
@ -481,7 +497,10 @@ METHOD(task_t, build_r, status_t,
|
|||
/* TODO-IKEv1: not yet supported */
|
||||
return FAILED;
|
||||
default:
|
||||
establish(this);
|
||||
if (!establish(this))
|
||||
{
|
||||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
lib->processor->queue_job(lib->processor, (job_t*)
|
||||
adopt_children_job_create(
|
||||
this->ike_sa->get_id(this->ike_sa)));
|
||||
|
@ -577,29 +596,37 @@ METHOD(task_t, process_i, status_t,
|
|||
{
|
||||
return send_delete(this);
|
||||
}
|
||||
|
||||
if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
|
||||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)mode_config_create(this->ike_sa, TRUE));
|
||||
DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
|
||||
"cancelling");
|
||||
return send_delete(this);
|
||||
}
|
||||
|
||||
switch (this->method)
|
||||
{
|
||||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_INIT_RSA:
|
||||
case AUTH_HYBRID_INIT_RSA:
|
||||
/* wait for XAUTH request */
|
||||
return SUCCESS;
|
||||
break;
|
||||
case AUTH_XAUTH_RESP_PSK:
|
||||
case AUTH_XAUTH_RESP_RSA:
|
||||
case AUTH_HYBRID_RESP_RSA:
|
||||
/* TODO-IKEv1: not yet */
|
||||
return FAILED;
|
||||
default:
|
||||
establish(this);
|
||||
return SUCCESS;
|
||||
if (!establish(this))
|
||||
{
|
||||
return send_delete(this);
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
|
||||
{
|
||||
this->ike_sa->queue_task(this->ike_sa,
|
||||
(task_t*)mode_config_create(this->ike_sa, TRUE));
|
||||
}
|
||||
return SUCCESS;
|
||||
}
|
||||
default:
|
||||
return FAILED;
|
||||
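Review bot: In the process_r hunk the non-final authorize() hook runs before `this->state = MM_AUTH;` and before `has_notify_errors(this, message)` is evaluated, so plugins are consulted for an exchange that may still be rejected a few lines later. If the notify-error check can fail the IKE_SA, consider moving the `if (!charon->bus->authorize(charon->bus, FALSE))` block after it so hooks only see peers whose authentication exchange was fully accepted; if the ordering is deliberate, a one-line comment above the authorize call would make that clear. process_r begins and ends outside this hunk.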
|
|
|
@ -140,8 +140,19 @@ static xauth_method_t *load_method(private_xauth_t* this)
|
|||
/**
|
||||
* Set IKE_SA to established state
|
||||
*/
|
||||
static void establish(private_xauth_t *this)
|
||||
static bool establish(private_xauth_t *this)
|
||||
{
|
||||
if (!charon->bus->authorize(charon->bus, FALSE))
|
||||
{
|
||||
DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling");
|
||||
return FALSE;
|
||||
}
|
||||
if (!charon->bus->authorize(charon->bus, TRUE))
|
||||
{
|
||||
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
|
||||
this->ike_sa->get_name(this->ike_sa),
|
||||
this->ike_sa->get_unique_id(this->ike_sa),
|
||||
|
@ -152,6 +163,8 @@ static void establish(private_xauth_t *this)
|
|||
|
||||
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
|
||||
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(task_t, build_i_status, status_t,
|
||||
|
@ -210,9 +223,8 @@ METHOD(task_t, build_r_ack, status_t,
|
|||
|
||||
message->add_payload(message, (payload_t *)cp);
|
||||
|
||||
if (this->status == XAUTH_OK)
|
||||
if (this->status == XAUTH_OK && establish(this))
|
||||
{
|
||||
establish(this);
|
||||
lib->processor->queue_job(lib->processor, (job_t*)
|
||||
adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
|
||||
return SUCCESS;
|
||||
|
@ -311,7 +323,10 @@ METHOD(task_t, process_i_status, status_t,
|
|||
DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
|
||||
return FAILED;
|
||||
}
|
||||
establish(this);
|
||||
if (!establish(this))
|
||||
{
|
||||
return FAILED;
|
||||
}
|
||||
this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
|
||||
return SUCCESS;
|
||||
}
|
||||
|
|