Invoke authorization hooks for IKEv1 connections

src/libcharon/sa/ikev1/tasks/aggressive_mode.c

@@ -95,8 +95,14 @@ struct private_aggressive_mode_t {
 /**
  * Set IKE_SA to established state
  */
-static void establish(private_aggressive_mode_t *this)
+static bool establish(private_aggressive_mode_t *this)
 {
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		return FALSE;
+	}
+
 	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa),
@@ -107,6 +113,8 @@ static void establish(private_aggressive_mode_t *this)
 
 	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+	return TRUE;
 }
 
 /**
@@ -278,28 +286,31 @@ METHOD(task_t, build_i, status_t,
 			}
 			this->id_data = chunk_empty;
 
-			if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
-			{
-				this->ike_sa->queue_task(this->ike_sa,
-							(task_t*)mode_config_create(this->ike_sa, TRUE));
-			}
-
 			switch (this->method)
 			{
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
 					/* wait for XAUTH request */
-					return SUCCESS;
+					break;
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
 				case AUTH_HYBRID_RESP_RSA:
 					/* TODO-IKEv1: not yet */
 					return FAILED;
 				default:
-					establish(this);
-					return SUCCESS;
+					if (!establish(this))
+					{
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
+					break;
 			}
+			if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+			{
+				this->ike_sa->queue_task(this->ike_sa,
+							(task_t*)mode_config_create(this->ike_sa, TRUE));
+			}
+			return SUCCESS;
 		}
 		default:
 			return FAILED;
@@ -405,6 +416,13 @@ METHOD(task_t, process_r, status_t,
 			}
 			this->id_data = chunk_empty;
 
+			if (!charon->bus->authorize(charon->bus, FALSE))
+			{
+				DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
+					 "IKE_SA, cancelling");
+				return send_delete(this);
+			}
+
 			switch (this->method)
 			{
 				case AUTH_XAUTH_INIT_PSK:
@@ -419,7 +437,10 @@ METHOD(task_t, process_r, status_t,
 					/* TODO-IKEv1: not yet supported */
 					return FAILED;
 				default:
-					establish(this);
+					if (!establish(this))
+					{
+						return send_delete(this);
+					}
 					lib->processor->queue_job(lib->processor, (job_t*)
 									adopt_children_job_create(
 										this->ike_sa->get_id(this->ike_sa)));
@@ -557,6 +578,13 @@ METHOD(task_t, process_i, status_t,
 		{
 			return send_notify(this, AUTHENTICATION_FAILED);
 		}
+		if (!charon->bus->authorize(charon->bus, FALSE))
+		{
+			DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
+				 "cancelling");
+			return send_notify(this, AUTHENTICATION_FAILED);
+		}
+
 		return NEED_MORE;
 	}
 	return FAILED;

src/libcharon/sa/ikev1/tasks/main_mode.c

@@ -95,8 +95,14 @@ struct private_main_mode_t {
 /**
  * Set IKE_SA to established state
  */
-static void establish(private_main_mode_t *this)
+static bool establish(private_main_mode_t *this)
 {
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		return FALSE;
+	}
+
 	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa),
@@ -107,6 +113,8 @@ static void establish(private_main_mode_t *this)
 
 	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+	return TRUE;
 }
 
 /**
@@ -406,6 +414,13 @@ METHOD(task_t, process_r, status_t,
 			{
 				return send_notify(this, AUTHENTICATION_FAILED);
 			}
+			if (!charon->bus->authorize(charon->bus, FALSE))
+			{
+				DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+					 "cancelling");
+				return send_notify(this, AUTHENTICATION_FAILED);
+			}
+
 			this->state = MM_AUTH;
 			if (has_notify_errors(this, message))
 			{
@@ -467,6 +482,7 @@ METHOD(task_t, build_r, status_t,
 			{
 				return send_notify(this, AUTHENTICATION_FAILED);
 			}
+
 			switch (this->method)
 			{
 				case AUTH_XAUTH_INIT_PSK:
@@ -481,7 +497,10 @@ METHOD(task_t, build_r, status_t,
 					/* TODO-IKEv1: not yet supported */
 					return FAILED;
 				default:
-					establish(this);
+					if (!establish(this))
+					{
+						return send_notify(this, AUTHENTICATION_FAILED);
+					}
 					lib->processor->queue_job(lib->processor, (job_t*)
 									adopt_children_job_create(
 										this->ike_sa->get_id(this->ike_sa)));
@@ -577,29 +596,37 @@ METHOD(task_t, process_i, status_t,
 			{
 				return send_delete(this);
 			}
-
-			if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+			if (!charon->bus->authorize(charon->bus, FALSE))
 			{
-				this->ike_sa->queue_task(this->ike_sa,
-							(task_t*)mode_config_create(this->ike_sa, TRUE));
+				DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+					 "cancelling");
+				return send_delete(this);
 			}
-
 			switch (this->method)
 			{
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
 					/* wait for XAUTH request */
-					return SUCCESS;
+					break;
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
 				case AUTH_HYBRID_RESP_RSA:
 					/* TODO-IKEv1: not yet */
 					return FAILED;
 				default:
-					establish(this);
-					return SUCCESS;
+					if (!establish(this))
+					{
+						return send_delete(this);
+					}
+					break;
 			}
+			if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+			{
+				this->ike_sa->queue_task(this->ike_sa,
+							(task_t*)mode_config_create(this->ike_sa, TRUE));
+			}
+			return SUCCESS;
 		}
 		default:
 			return FAILED;

src/libcharon/sa/ikev1/tasks/xauth.c

@@ -140,8 +140,19 @@ static xauth_method_t *load_method(private_xauth_t* this)
 /**
  * Set IKE_SA to established state
  */
-static void establish(private_xauth_t *this)
+static bool establish(private_xauth_t *this)
 {
+	if (!charon->bus->authorize(charon->bus, FALSE))
+	{
+		DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling");
+		return FALSE;
+	}
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		return FALSE;
+	}
+
 	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
 		 this->ike_sa->get_name(this->ike_sa),
 		 this->ike_sa->get_unique_id(this->ike_sa),
@@ -152,6 +163,8 @@ static void establish(private_xauth_t *this)
 
 	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
 	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+	return TRUE;
 }
 
 METHOD(task_t, build_i_status, status_t,
@@ -210,9 +223,8 @@ METHOD(task_t, build_r_ack, status_t,
 
 	message->add_payload(message, (payload_t *)cp);
 
-	if (this->status == XAUTH_OK)
+	if (this->status == XAUTH_OK && establish(this))
 	{
-		establish(this);
 		lib->processor->queue_job(lib->processor, (job_t*)
 				adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
 		return SUCCESS;
@@ -311,7 +323,10 @@ METHOD(task_t, process_i_status, status_t,
 		DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
 		return FAILED;
 	}
-	establish(this);
+	if (!establish(this))
+	{
+		return FAILED;
+	}
 	this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
 	return SUCCESS;
 }