Invoke authorization hooks for IKEv1 connections
authorMartin Willi <martin@revosec.ch>
Wed, 18 Jan 2012 12:12:07 +0000 (13:12 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:36 +0000 (17:31 +0100)
src/libcharon/sa/ikev1/tasks/aggressive_mode.c
src/libcharon/sa/ikev1/tasks/main_mode.c
src/libcharon/sa/ikev1/tasks/xauth.c

index 1fe36a9..b89b71b 100755 (executable)
@@ -95,8 +95,14 @@ struct private_aggressive_mode_t {
 /**
  * Set IKE_SA to established state
  */
-static void establish(private_aggressive_mode_t *this)
+static bool establish(private_aggressive_mode_t *this)
 {
+       if (!charon->bus->authorize(charon->bus, TRUE))
+       {
+               DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+               return FALSE;
+       }
+
        DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
@@ -107,6 +113,8 @@ static void establish(private_aggressive_mode_t *this)
 
        this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
        charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+       return TRUE;
 }
 
 /**
@@ -278,28 +286,31 @@ METHOD(task_t, build_i, status_t,
                        }
                        this->id_data = chunk_empty;
 
-                       if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
-                       {
-                               this->ike_sa->queue_task(this->ike_sa,
-                                                       (task_t*)mode_config_create(this->ike_sa, TRUE));
-                       }
-
                        switch (this->method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
                                case AUTH_XAUTH_INIT_RSA:
                                case AUTH_HYBRID_INIT_RSA:
                                        /* wait for XAUTH request */
-                                       return SUCCESS;
+                                       break;
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
                                        /* TODO-IKEv1: not yet */
                                        return FAILED;
                                default:
-                                       establish(this);
-                                       return SUCCESS;
+                                       if (!establish(this))
+                                       {
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
+                                       break;
                        }
+                       if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+                       {
+                               this->ike_sa->queue_task(this->ike_sa,
+                                                       (task_t*)mode_config_create(this->ike_sa, TRUE));
+                       }
+                       return SUCCESS;
                }
                default:
                        return FAILED;
@@ -405,6 +416,13 @@ METHOD(task_t, process_r, status_t,
                        }
                        this->id_data = chunk_empty;
 
+                       if (!charon->bus->authorize(charon->bus, FALSE))
+                       {
+                               DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
+                                        "IKE_SA, cancelling");
+                               return send_delete(this);
+                       }
+
                        switch (this->method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
@@ -419,7 +437,10 @@ METHOD(task_t, process_r, status_t,
                                        /* TODO-IKEv1: not yet supported */
                                        return FAILED;
                                default:
-                                       establish(this);
+                                       if (!establish(this))
+                                       {
+                                               return send_delete(this);
+                                       }
                                        lib->processor->queue_job(lib->processor, (job_t*)
                                                                        adopt_children_job_create(
                                                                                this->ike_sa->get_id(this->ike_sa)));
@@ -557,6 +578,13 @@ METHOD(task_t, process_i, status_t,
                {
                        return send_notify(this, AUTHENTICATION_FAILED);
                }
+               if (!charon->bus->authorize(charon->bus, FALSE))
+               {
+                       DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
+                                "cancelling");
+                       return send_notify(this, AUTHENTICATION_FAILED);
+               }
+
                return NEED_MORE;
        }
        return FAILED;
index ba1a9ad..c1a61ce 100755 (executable)
@@ -95,8 +95,14 @@ struct private_main_mode_t {
 /**
  * Set IKE_SA to established state
  */
-static void establish(private_main_mode_t *this)
+static bool establish(private_main_mode_t *this)
 {
+       if (!charon->bus->authorize(charon->bus, TRUE))
+       {
+               DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+               return FALSE;
+       }
+
        DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
@@ -107,6 +113,8 @@ static void establish(private_main_mode_t *this)
 
        this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
        charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+       return TRUE;
 }
 
 /**
@@ -406,6 +414,13 @@ METHOD(task_t, process_r, status_t,
                        {
                                return send_notify(this, AUTHENTICATION_FAILED);
                        }
+                       if (!charon->bus->authorize(charon->bus, FALSE))
+                       {
+                               DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+                                        "cancelling");
+                               return send_notify(this, AUTHENTICATION_FAILED);
+                       }
+
                        this->state = MM_AUTH;
                        if (has_notify_errors(this, message))
                        {
@@ -467,6 +482,7 @@ METHOD(task_t, build_r, status_t,
                        {
                                return send_notify(this, AUTHENTICATION_FAILED);
                        }
+
                        switch (this->method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
@@ -481,7 +497,10 @@ METHOD(task_t, build_r, status_t,
                                        /* TODO-IKEv1: not yet supported */
                                        return FAILED;
                                default:
-                                       establish(this);
+                                       if (!establish(this))
+                                       {
+                                               return send_notify(this, AUTHENTICATION_FAILED);
+                                       }
                                        lib->processor->queue_job(lib->processor, (job_t*)
                                                                        adopt_children_job_create(
                                                                                this->ike_sa->get_id(this->ike_sa)));
@@ -577,29 +596,37 @@ METHOD(task_t, process_i, status_t,
                        {
                                return send_delete(this);
                        }
-
-                       if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+                       if (!charon->bus->authorize(charon->bus, FALSE))
                        {
-                               this->ike_sa->queue_task(this->ike_sa,
-                                                       (task_t*)mode_config_create(this->ike_sa, TRUE));
+                               DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+                                        "cancelling");
+                               return send_delete(this);
                        }
-
                        switch (this->method)
                        {
                                case AUTH_XAUTH_INIT_PSK:
                                case AUTH_XAUTH_INIT_RSA:
                                case AUTH_HYBRID_INIT_RSA:
                                        /* wait for XAUTH request */
-                                       return SUCCESS;
+                                       break;
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
                                        /* TODO-IKEv1: not yet */
                                        return FAILED;
                                default:
-                                       establish(this);
-                                       return SUCCESS;
+                                       if (!establish(this))
+                                       {
+                                               return send_delete(this);
+                                       }
+                                       break;
+                       }
+                       if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+                       {
+                               this->ike_sa->queue_task(this->ike_sa,
+                                                       (task_t*)mode_config_create(this->ike_sa, TRUE));
                        }
+                       return SUCCESS;
                }
                default:
                        return FAILED;
index e836bed..aa79811 100755 (executable)
@@ -140,8 +140,19 @@ static xauth_method_t *load_method(private_xauth_t* this)
 /**
  * Set IKE_SA to established state
  */
-static void establish(private_xauth_t *this)
+static bool establish(private_xauth_t *this)
 {
+       if (!charon->bus->authorize(charon->bus, FALSE))
+       {
+               DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling");
+               return FALSE;
+       }
+       if (!charon->bus->authorize(charon->bus, TRUE))
+       {
+               DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+               return FALSE;
+       }
+
        DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
                 this->ike_sa->get_name(this->ike_sa),
                 this->ike_sa->get_unique_id(this->ike_sa),
@@ -152,6 +163,8 @@ static void establish(private_xauth_t *this)
 
        this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
        charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+       return TRUE;
 }
 
 METHOD(task_t, build_i_status, status_t,
@@ -210,9 +223,8 @@ METHOD(task_t, build_r_ack, status_t,
 
        message->add_payload(message, (payload_t *)cp);
 
-       if (this->status == XAUTH_OK)
+       if (this->status == XAUTH_OK && establish(this))
        {
-               establish(this);
                lib->processor->queue_job(lib->processor, (job_t*)
                                adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
                return SUCCESS;
@@ -311,7 +323,10 @@ METHOD(task_t, process_i_status, status_t,
                DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
                return FAILED;
        }
-       establish(this);
+       if (!establish(this))
+       {
+               return FAILED;
+       }
        this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
        return SUCCESS;
 }