*/
auth_cfg_t *my_auth;
+ /**
+ * list of completed local authentication rounds
+ */
+ linked_list_t *my_auths;
+
+ /**
+ * list of completed remote authentication rounds
+ */
+ linked_list_t *other_auths;
+
/**
* currently used authentication constraints, remote (as auth_cfg_t)
*/
return this->other_auth;
}
+/**
+ * Implementation of ike_sa_t.add_auth_cfg
+ */
+static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
+{
+ if (local)
+ {
+ this->my_auths->insert_last(this->my_auths, cfg);
+ }
+ else
+ {
+ this->other_auths->insert_last(this->other_auths, cfg);
+ }
+}
+
+/**
+ * Implementation of ike_sa_t.create_auth_cfg_enumerator
+ */
+static enumerator_t* create_auth_cfg_enumerator(private_ike_sa_t *this,
+ bool local)
+{
+ if (local)
+ {
+ return this->my_auths->create_enumerator(this->my_auths);
+ }
+ return this->other_auths->create_enumerator(this->other_auths);
+}
+
+/**
+ * Flush the stored authentication round information
+ */
+static void flush_auth_cfgs(private_ike_sa_t *this)
+{
+ auth_cfg_t *cfg;
+
+ if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", TRUE))
+ {
+ while (this->my_auths->remove_last(this->my_auths,
+ (void**)&cfg) == SUCCESS)
+ {
+ cfg->destroy(cfg);
+ }
+ while (this->other_auths->remove_last(this->other_auths,
+ (void**)&cfg) == SUCCESS)
+ {
+ cfg->destroy(cfg);
+ }
+ }
+}
+
/**
* Implementation of ike_sa_t.get_proposal
*/
{ /* invalid initiation attempt, close SA */
return DESTROY_ME;
}
- return status;
}
else
{
update_hosts(this, me, other);
}
}
- return this->task_manager->process_message(this->task_manager, message);
+ status = this->task_manager->process_message(this->task_manager, message);
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ this->state == IKE_ESTABLISHED)
+ { /* authentication completed */
+ flush_auth_cfgs(this);
+ }
}
+ return status;
}
/**
DESTROY_IF(this->proposal);
this->my_auth->destroy(this->my_auth);
this->other_auth->destroy(this->other_auth);
+ this->my_auths->destroy_offset(this->my_auths,
+ offsetof(auth_cfg_t, destroy));
+ this->other_auths->destroy_offset(this->other_auths,
+ offsetof(auth_cfg_t, destroy));
this->ike_sa_id->destroy(this->ike_sa_id);
free(this);
this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
+ this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(ike_sa_t*, bool local))create_auth_cfg_enumerator;
+ this->public.add_auth_cfg = (void(*)(ike_sa_t*, bool local, auth_cfg_t *cfg))add_auth_cfg;
this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
this->peer_cfg = NULL;
this->my_auth = auth_cfg_create();
this->other_auth = auth_cfg_create();
+ this->my_auths = linked_list_create();
+ this->other_auths = linked_list_create();
this->proposal = NULL;
this->task_manager = task_manager_create(&this->public);
this->unique_id = ++unique_id;
*/
packet_t *other_packet;
- /**
- * completed authentication configs initiated by us (auth_cfg_t)
- */
- linked_list_t *my_cfgs;
-
- /**
- * completed authentication configs initiated by other (auth_cfg_t)
- */
- linked_list_t *other_cfgs;;
-
/**
* currently active authenticator, to authenticate us
*/
{
bool found = FALSE;
- if (local)
- {
- e2 = this->my_cfgs->create_enumerator(this->my_cfgs);
- }
- else
- {
- e2 = this->other_cfgs->create_enumerator(this->other_cfgs);
- }
+ e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
while (e2->enumerate(e2, &c2))
{
if (c2->complies(c2, c1, FALSE))
return FALSE;
}
- done = this->my_cfgs->create_enumerator(this->my_cfgs);
+ done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
while (todo->enumerate(todo, &todo_cfg))
{
enumerator_t *e1, *e2, *tmp;
auth_cfg_t *c1, *c2;
- e1 = this->other_cfgs->create_enumerator(this->other_cfgs);
+ e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
if (strict)
/* authentication step complete, reset authenticator */
cfg = auth_cfg_create();
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
- this->my_cfgs->insert_last(this->my_cfgs, cfg);
+ this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
this->my_auth->destroy(this->my_auth);
this->my_auth = NULL;
break;
/* store authentication information */
cfg = auth_cfg_create();
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
- this->other_cfgs->insert_last(this->other_cfgs, cfg);
+ this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
/* another auth round done, invoke authorize hook */
- if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
+ if (!charon->bus->authorize(charon->bus, FALSE))
{
- DBG1(DBG_IKE, "round %d authorization hook forbids IKE_SA, cancelling",
- this->other_cfgs->get_count(this->other_cfgs));
+ DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
this->authentication_failed = TRUE;
return NEED_MORE;
}
cfg = auth_cfg_create();
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
TRUE);
- this->my_cfgs->insert_last(this->my_cfgs, cfg);
+ this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
this->my_auth->destroy(this->my_auth);
this->my_auth = NULL;
break;
chunk_empty);
return FAILED;
}
- if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+ if (!charon->bus->authorize(charon->bus, TRUE))
{
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
cfg = auth_cfg_create();
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
TRUE);
- this->my_cfgs->insert_last(this->my_cfgs, cfg);
+ this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
this->my_auth->destroy(this->my_auth);
this->my_auth = NULL;
this->do_another_auth = do_another_auth(this);
/* store authentication information, reset authenticator */
cfg = auth_cfg_create();
cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
- this->other_cfgs->insert_last(this->other_cfgs, cfg);
+ this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
this->other_auth->destroy(this->other_auth);
this->other_auth = NULL;
/* another auth round done, invoke authorize hook */
- if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
+ if (!charon->bus->authorize(charon->bus, FALSE))
{
- DBG1(DBG_IKE, "round %d authorization forbids IKE_SA, cancelling",
- this->other_cfgs->get_count(this->other_cfgs));
+ DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
return FAILED;
}
}
{
return FAILED;
}
- if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+ if (!charon->bus->authorize(charon->bus, TRUE))
{
DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
return FAILED;
DESTROY_IF(this->peer_cfg);
DESTROY_IF(this->my_auth);
DESTROY_IF(this->other_auth);
- this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
- this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
this->my_packet = NULL;
this->do_another_auth = TRUE;
this->expect_another_auth = TRUE;
this->authentication_failed = FALSE;
- this->my_cfgs = linked_list_create();
- this->other_cfgs = linked_list_create();
this->candidates = linked_list_create();
}
DESTROY_IF(this->my_auth);
DESTROY_IF(this->other_auth);
DESTROY_IF(this->peer_cfg);
- this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
- this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
free(this);
}
this->my_packet = NULL;
this->other_packet = NULL;
this->peer_cfg = NULL;
- this->my_cfgs = linked_list_create();
- this->other_cfgs = linked_list_create();
this->candidates = linked_list_create();
this->my_auth = NULL;
this->other_auth = NULL;
projects / thirdparty / strongswan.git / commitdiff
