/**
* Set IKE_SA to established state
*/
-static void establish(private_aggressive_mode_t *this)
+static bool establish(private_aggressive_mode_t *this)
{
+ if (!charon->bus->authorize(charon->bus, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ return FALSE;
+ }
+
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+ return TRUE;
}
/**
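Review bot: The header comment `Set IKE_SA to established state` no longer describes the function, which now returns bool and declines to establish the SA when the final authorization hook on the first added line returns FALSE. Extend the comment with `@return TRUE if the IKE_SA was set to IKE_ESTABLISHED, FALSE if the final authorization hook forbade it (state and updown event left untouched)` so callers know that the FALSE path has sent nothing and changed nothing. The same stale one-line comment remains on the main-mode and XAuth variants of establish() in this change; they should get the same return documentation.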
}
this->id_data = chunk_empty;
- if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
- {
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
- }
-
switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
/* wait for XAUTH request */
- return SUCCESS;
+ break;
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
/* TODO-IKEv1: not yet */
return FAILED;
default:
- establish(this);
- return SUCCESS;
+ if (!establish(this))
+ {
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+ break;
}
+ if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE));
+ }
+ return SUCCESS;
}
default:
return FAILED;
}
this->id_data = chunk_empty;
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
+ "IKE_SA, cancelling");
+ return send_delete(this);
+ }
+
switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
/* TODO-IKEv1: not yet supported */
return FAILED;
default:
- establish(this);
+ if (!establish(this))
+ {
+ return send_delete(this);
+ }
lib->processor->queue_job(lib->processor, (job_t*)
adopt_children_job_create(
this->ike_sa->get_id(this->ike_sa)));
{
return send_notify(this, AUTHENTICATION_FAILED);
}
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
+ "cancelling");
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+
return NEED_MORE;
}
return FAILED;
/**
* Set IKE_SA to established state
*/
-static void establish(private_main_mode_t *this)
+static bool establish(private_main_mode_t *this)
{
+ if (!charon->bus->authorize(charon->bus, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ return FALSE;
+ }
+
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+ return TRUE;
}
/**
{
return send_notify(this, AUTHENTICATION_FAILED);
}
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+ "cancelling");
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
+
this->state = MM_AUTH;
if (has_notify_errors(this, message))
{
{
return send_notify(this, AUTHENTICATION_FAILED);
}
+
switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
/* TODO-IKEv1: not yet supported */
return FAILED;
default:
- establish(this);
+ if (!establish(this))
+ {
+ return send_notify(this, AUTHENTICATION_FAILED);
+ }
lib->processor->queue_job(lib->processor, (job_t*)
adopt_children_job_create(
this->ike_sa->get_id(this->ike_sa)));
{
return send_delete(this);
}
-
- if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+ if (!charon->bus->authorize(charon->bus, FALSE))
{
- this->ike_sa->queue_task(this->ike_sa,
- (task_t*)mode_config_create(this->ike_sa, TRUE));
+ DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
+ "cancelling");
+ return send_delete(this);
}
-
switch (this->method)
{
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
/* wait for XAUTH request */
- return SUCCESS;
+ break;
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
/* TODO-IKEv1: not yet */
return FAILED;
default:
- establish(this);
- return SUCCESS;
+ if (!establish(this))
+ {
+ return send_delete(this);
+ }
+ break;
+ }
+ if (this->peer_cfg->get_virtual_ip(this->peer_cfg))
+ {
+ this->ike_sa->queue_task(this->ike_sa,
+ (task_t*)mode_config_create(this->ike_sa, TRUE));
}
+ return SUCCESS;
}
default:
return FAILED;
/**
* Set IKE_SA to established state
*/
-static void establish(private_xauth_t *this)
+static bool establish(private_xauth_t *this)
{
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling");
+ return FALSE;
+ }
+ if (!charon->bus->authorize(charon->bus, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ return FALSE;
+ }
+
DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+ return TRUE;
}
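Review bot: This establish() variant invokes the non-final hook `charon->bus->authorize(charon->bus, FALSE)` a second time for XAuth SAs, since the main-mode and aggressive-mode hunks in this same change already call it before dispatching on this->method, and the XAUTH_INIT cases there then `break` and return SUCCESS; a listener that treats the non-final hook as one-shot will presumably see it twice on such SAs. If the repeat is intentional (re-authorizing once the XAuth identity is known), a comment above it such as `/* re-run the non-final hook now that the XAuth credentials are known */` would make that explicit; otherwise only the final `authorize(..., TRUE)` call is needed here. The FALSE-before-TRUE order is otherwise consistent with the other two establish() variants.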
METHOD(task_t, build_i_status, status_t,
message->add_payload(message, (payload_t *)cp);
- if (this->status == XAUTH_OK)
+ if (this->status == XAUTH_OK && establish(this))
{
- establish(this);
lib->processor->queue_job(lib->processor, (job_t*)
adopt_children_job_create(this->ike_sa->get_id(this->ike_sa)));
return SUCCESS;
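Review bot: The status payload `cp` is already attached to the message on the line before the changed condition, so when establish() now rejects the SA via the final authorization hook the peer is still told XAUTH_OK before the initiator falls into the failure path below the hunk; if that path is the `destroying IKE_SA after failed XAuth authentication` branch, its log line is also misleading, since XAuth itself succeeded and only the hook declined. Consider evaluating establish() before the status payload is composed so a hook rejection can be reported to the peer as a failed status, or at least log that the cancellation came from the authorization hook. Calling a function with side effects (state change, updown event) inside the `&&` condition also hides the control flow; `if (this->status == XAUTH_OK) { if (!establish(this)) { … } …` reads more clearly. build_i_status continues outside the hunk.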
DBG1(DBG_IKE, "destroying IKE_SA after failed XAuth authentication");
return FAILED;
}
- establish(this);
+ if (!establish(this))
+ {
+ return FAILED;
+ }
this->ike_sa->set_condition(this->ike_sa, COND_XAUTH_AUTHENTICATED, TRUE);
return SUCCESS;
}