Store completed authentication rounds permanently on IKE_SA, with flush option
authorMartin Willi <martin@strongswan.org>
Tue, 1 Dec 2009 10:35:30 +0000 (11:35 +0100)
committerMartin Willi <martin@strongswan.org>
Tue, 1 Dec 2009 10:35:30 +0000 (11:35 +0100)
src/charon/bus/bus.c
src/charon/bus/bus.h
src/charon/bus/listeners/listener.h
src/charon/sa/ike_sa.c
src/charon/sa/ike_sa.h
src/charon/sa/tasks/ike_auth.c

index 6a72f4a..1dd3aee 100644 (file)
@@ -696,7 +696,7 @@ static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 /**
  * Implementation of bus_t.authorize
  */
-static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
+static bool authorize(private_bus_t *this, bool final)
 {
        enumerator_t *enumerator;
        ike_sa_t *ike_sa;
@@ -715,7 +715,7 @@ static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
                }
                entry->calling++;
                keep = entry->listener->authorize(entry->listener, ike_sa,
-                                                                                 auth, final, &success);
+                                                                                 final, &success);
                entry->calling--;
                if (!keep)
                {
@@ -765,7 +765,7 @@ bus_t *bus_create()
        this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey;
        this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown;
        this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey;
-       this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize;
+       this->public.authorize = (bool(*)(bus_t*, bool final))authorize;
        this->public.destroy = (void(*)(bus_t*)) destroy;
 
        this->listeners = linked_list_create();
index 86d1e27..af59a14 100644 (file)
@@ -263,11 +263,10 @@ struct bus_t {
        /**
         * IKE_SA authorization hook.
         *
-        * @param auth          list of auth_cfg_t, containing peers authentication info
         * @param final         TRUE if this is the final invocation
         * @return                      TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
         */
-       bool (*authorize)(bus_t *this, linked_list_t *auth, bool final);
+       bool (*authorize)(bus_t *this, bool final);
 
        /**
         * IKE_SA keymat hook.
index 1ff8c7c..67e36be 100644 (file)
@@ -167,12 +167,11 @@ struct listener_t {
         * it is invoked again, but with final = TRUE.
         *
         * @param ike_sa        IKE_SA to authorize
-        * @param auth          list of auth_cfg_t, done in peers authentication rounds
         * @param final         TRUE if this is the final hook invocation
         * @param success       set to TRUE to complete IKE_SA, FALSE abort
         * @return                      TRUE to stay registered, FALSE to unregister
         */
-       bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
+       bool (*authorize)(listener_t *this, ike_sa_t *ike_sa,
                                          bool final, bool *success);
 };
 
index 43057a6..6f72fcc 100644 (file)
@@ -108,6 +108,16 @@ struct private_ike_sa_t {
        auth_cfg_t *my_auth;
 
        /**
+        * list of completed local authentication rounds
+        */
+       linked_list_t *my_auths;
+
+       /**
+        * list of completed remote authentication rounds
+        */
+       linked_list_t *other_auths;
+
+       /**
         * currently used authentication constraints, remote (as auth_cfg_t)
         */
        auth_cfg_t *other_auth;
@@ -378,6 +388,56 @@ static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
 }
 
 /**
+ * Implementation of ike_sa_t.add_auth_cfg
+ */
+static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
+{
+       if (local)
+       {
+               this->my_auths->insert_last(this->my_auths, cfg);
+       }
+       else
+       {
+               this->other_auths->insert_last(this->other_auths, cfg);
+       }
+}
+
+/**
+ * Implementation of ike_sa_t.create_auth_cfg_enumerator
+ */
+static enumerator_t* create_auth_cfg_enumerator(private_ike_sa_t *this,
+                                                                                               bool local)
+{
+       if (local)
+       {
+               return this->my_auths->create_enumerator(this->my_auths);
+       }
+       return this->other_auths->create_enumerator(this->other_auths);
+}
+
+/**
+ * Flush the stored authentication round information
+ */
+static void flush_auth_cfgs(private_ike_sa_t *this)
+{
+       auth_cfg_t *cfg;
+
+       if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", TRUE))
+       {
+               while (this->my_auths->remove_last(this->my_auths,
+                                                                                  (void**)&cfg) == SUCCESS)
+               {
+                       cfg->destroy(cfg);
+               }
+               while (this->other_auths->remove_last(this->other_auths,
+                                                                                         (void**)&cfg) == SUCCESS)
+               {
+                       cfg->destroy(cfg);
+               }
+       }
+}
+
+/**
  * Implementation of ike_sa_t.get_proposal
  */
 static proposal_t* get_proposal(private_ike_sa_t *this)
@@ -1264,7 +1324,6 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
                {       /* invalid initiation attempt, close SA */
                        return DESTROY_ME;
                }
-               return status;
        }
        else
        {
@@ -1302,8 +1361,14 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
                                update_hosts(this, me, other);
                        }
                }
-               return this->task_manager->process_message(this->task_manager, message);
+               status = this->task_manager->process_message(this->task_manager, message);
+               if (message->get_exchange_type(message) == IKE_AUTH &&
+                       this->state == IKE_ESTABLISHED)
+               {       /* authentication completed */
+                       flush_auth_cfgs(this);
+               }
        }
+       return status;
 }
 
 /**
@@ -1990,6 +2055,10 @@ static void destroy(private_ike_sa_t *this)
        DESTROY_IF(this->proposal);
        this->my_auth->destroy(this->my_auth);
        this->other_auth->destroy(this->other_auth);
+       this->my_auths->destroy_offset(this->my_auths,
+                                                                  offsetof(auth_cfg_t, destroy));
+       this->other_auths->destroy_offset(this->other_auths,
+                                                                         offsetof(auth_cfg_t, destroy));
 
        this->ike_sa_id->destroy(this->ike_sa_id);
        free(this);
@@ -2015,6 +2084,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
        this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
        this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
+       this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(ike_sa_t*, bool local))create_auth_cfg_enumerator;
+       this->public.add_auth_cfg = (void(*)(ike_sa_t*, bool local, auth_cfg_t *cfg))add_auth_cfg;
        this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
        this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
        this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
@@ -2094,6 +2165,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->peer_cfg = NULL;
        this->my_auth = auth_cfg_create();
        this->other_auth = auth_cfg_create();
+       this->my_auths = linked_list_create();
+       this->other_auths = linked_list_create();
        this->proposal = NULL;
        this->task_manager = task_manager_create(&this->public);
        this->unique_id = ++unique_id;
index 99d795f..83d2c9c 100644 (file)
@@ -392,6 +392,22 @@ struct ike_sa_t {
        auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
 
        /**
+        * Insert a completed authentication round.
+        *
+        * @param local                 TRUE for own rules, FALSE for others constraints
+        * @param cfg                   auth config to append
+        */
+       void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
+
+       /**
+        * Create an enumerator over added authentication rounds.
+        *
+        * @param local                 TRUE for own rules, FALSE for others constraints
+        * @return                              enumerator over auth_cfg_t
+        */
+       enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
+
+       /**
         * Get the selected proposal of this IKE_SA.
         *
         * @return                              selected proposal
index 2c15ac7..7714b28 100644 (file)
@@ -68,16 +68,6 @@ struct private_ike_auth_t {
        packet_t *other_packet;
 
        /**
-        * completed authentication configs initiated by us (auth_cfg_t)
-        */
-       linked_list_t *my_cfgs;
-
-       /**
-        * completed authentication configs initiated by other (auth_cfg_t)
-        */
-       linked_list_t *other_cfgs;;
-
-       /**
         * currently active authenticator, to authenticate us
         */
        authenticator_t *my_auth;
@@ -183,14 +173,7 @@ static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
        {
                bool found = FALSE;
 
-               if (local)
-               {
-                       e2 = this->my_cfgs->create_enumerator(this->my_cfgs);
-               }
-               else
-               {
-                       e2 = this->other_cfgs->create_enumerator(this->other_cfgs);
-               }
+               e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
                while (e2->enumerate(e2, &c2))
                {
                        if (c2->complies(c2, c1, FALSE))
@@ -224,7 +207,7 @@ static bool do_another_auth(private_ike_auth_t *this)
                return FALSE;
        }
 
-       done = this->my_cfgs->create_enumerator(this->my_cfgs);
+       done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
        todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
        while (todo->enumerate(todo, &todo_cfg))
        {
@@ -297,7 +280,7 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
                        enumerator_t *e1, *e2, *tmp;
                        auth_cfg_t *c1, *c2;
 
-                       e1 = this->other_cfgs->create_enumerator(this->other_cfgs);
+                       e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
                        e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
 
                        if (strict)
@@ -427,7 +410,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
                        /* authentication step complete, reset authenticator */
                        cfg = auth_cfg_create();
                        cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
-                       this->my_cfgs->insert_last(this->my_cfgs, cfg);
+                       this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
                        this->my_auth->destroy(this->my_auth);
                        this->my_auth = NULL;
                        break;
@@ -562,13 +545,12 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
        /* store authentication information */
        cfg = auth_cfg_create();
        cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-       this->other_cfgs->insert_last(this->other_cfgs, cfg);
+       this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
 
        /* another auth round done, invoke authorize hook */
-       if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
+       if (!charon->bus->authorize(charon->bus, FALSE))
        {
-               DBG1(DBG_IKE, "round %d authorization hook forbids IKE_SA, cancelling",
-                        this->other_cfgs->get_count(this->other_cfgs));
+               DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
                this->authentication_failed = TRUE;
                return NEED_MORE;
        }
@@ -691,7 +673,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                                cfg = auth_cfg_create();
                                cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
                                                   TRUE);
-                               this->my_cfgs->insert_last(this->my_cfgs, cfg);
+                               this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
                                this->my_auth->destroy(this->my_auth);
                                this->my_auth = NULL;
                                break;
@@ -723,7 +705,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
                                                                chunk_empty);
                        return FAILED;
                }
-               if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+               if (!charon->bus->authorize(charon->bus, TRUE))
                {
                        DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
                        message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
@@ -820,7 +802,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                                cfg = auth_cfg_create();
                                cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
                                                   TRUE);
-                               this->my_cfgs->insert_last(this->my_cfgs, cfg);
+                               this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
                                this->my_auth->destroy(this->my_auth);
                                this->my_auth = NULL;
                                this->do_another_auth = do_another_auth(this);
@@ -881,15 +863,14 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                /* store authentication information, reset authenticator */
                cfg = auth_cfg_create();
                cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-               this->other_cfgs->insert_last(this->other_cfgs, cfg);
+               this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
                this->other_auth->destroy(this->other_auth);
                this->other_auth = NULL;
 
                /* another auth round done, invoke authorize hook */
-               if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
+               if (!charon->bus->authorize(charon->bus, FALSE))
                {
-                       DBG1(DBG_IKE, "round %d authorization forbids IKE_SA, cancelling",
-                                this->other_cfgs->get_count(this->other_cfgs));
+                       DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
                        return FAILED;
                }
        }
@@ -904,7 +885,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
                {
                        return FAILED;
                }
-               if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+               if (!charon->bus->authorize(charon->bus, TRUE))
                {
                        DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
                        return FAILED;
@@ -943,8 +924,6 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
        DESTROY_IF(this->peer_cfg);
        DESTROY_IF(this->my_auth);
        DESTROY_IF(this->other_auth);
-       this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
-       this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
        this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
 
        this->my_packet = NULL;
@@ -956,8 +935,6 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
        this->do_another_auth = TRUE;
        this->expect_another_auth = TRUE;
        this->authentication_failed = FALSE;
-       this->my_cfgs = linked_list_create();
-       this->other_cfgs = linked_list_create();
        this->candidates = linked_list_create();
 }
 
@@ -973,8 +950,6 @@ static void destroy(private_ike_auth_t *this)
        DESTROY_IF(this->my_auth);
        DESTROY_IF(this->other_auth);
        DESTROY_IF(this->peer_cfg);
-       this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
-       this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
        this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
        free(this);
 }
@@ -1008,8 +983,6 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
        this->my_packet = NULL;
        this->other_packet = NULL;
        this->peer_cfg = NULL;
-       this->my_cfgs = linked_list_create();
-       this->other_cfgs = linked_list_create();
        this->candidates = linked_list_create();
        this->my_auth = NULL;
        this->other_auth = NULL;