summaryrefslogtreecommitdiff
path: root/src/charon/bus
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon/bus')
-rw-r--r--src/charon/bus/bus.c42
-rw-r--r--src/charon/bus/bus.h28
-rw-r--r--src/charon/bus/listeners/file_logger.c2
-rw-r--r--src/charon/bus/listeners/file_logger.h2
-rw-r--r--src/charon/bus/listeners/sys_logger.c2
-rw-r--r--src/charon/bus/listeners/sys_logger.h2
6 files changed, 66 insertions, 12 deletions
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index 504947465..bb7014b0b 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: bus.c 4622 2008-11-11 10:52:37Z martin $
*/
#include "bus.h"
@@ -521,6 +519,45 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
}
/**
+ * Implementation of bus_t.authorize
+ */
+static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
+{
+ enumerator_t *enumerator;
+ ike_sa_t *ike_sa;
+ entry_t *entry;
+ bool keep, success = TRUE;
+
+ ike_sa = pthread_getspecific(this->thread_sa);
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->authorize)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->authorize(entry->listener, ike_sa,
+ auth, final, &success);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ break;
+ }
+ if (!success)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+ return success;
+}
+
+/**
* Implementation of bus_t.destroy.
*/
static void destroy(private_bus_t *this)
@@ -548,6 +585,7 @@ bus_t *bus_create()
this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
+ this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize;
this->public.destroy = (void(*)(bus_t*)) destroy;
this->listeners = linked_list_create();
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index fe7d1e53d..5faea088f 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: bus.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -210,6 +208,23 @@ struct listener_t {
*/
bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
+
+ /**
+ * Hook called to invoke additional authorization rules.
+ *
+ * An authorization hook gets invoked several times: After each
+ * authentication round, the hook gets invoked with with final = FALSE.
+ * After authentication is complete and the peer configuration is selected,
+ * it is invoked again, but with final = TRUE.
+ *
+ * @param ike_sa IKE_SA to authorize
+ * @param auth list of auth_cfg_t, done in peers authentication rounds
+ * @param final TRUE if this is the final hook invocation
+ * @param success set to TRUE to complete IKE_SA, FALSE abort
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
+ bool final, bool *success);
};
/**
@@ -317,6 +332,15 @@ struct bus_t {
void (*message)(bus_t *this, message_t *message, bool incoming);
/**
+ * IKE_SA authorization hook.
+ *
+ * @param auth list of auth_cfg_t, containing peers authentication info
+ * @param final TRUE if this is the final invocation
+ * @return TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
+ */
+ bool (*authorize)(bus_t *this, linked_list_t *auth, bool final);
+
+ /**
* IKE_SA keymat hook.
*
* @param ike_sa IKE_SA this keymat belongs to
diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c
index 4259630ec..c3213f5f8 100644
--- a/src/charon/bus/listeners/file_logger.c
+++ b/src/charon/bus/listeners/file_logger.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: file_logger.c 4622 2008-11-11 10:52:37Z martin $
*/
#include <stdio.h>
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index 5cd37adc0..7282224a5 100644
--- a/src/charon/bus/listeners/file_logger.h
+++ b/src/charon/bus/listeners/file_logger.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: file_logger.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
index 37dbce926..5bcf28f24 100644
--- a/src/charon/bus/listeners/sys_logger.c
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sys_logger.c 4434 2008-10-14 08:52:13Z martin $
*/
#include <stdio.h>
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
index 50301924e..6eda096a9 100644
--- a/src/charon/bus/listeners/sys_logger.h
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sys_logger.h 5003 2009-03-24 17:43:01Z martin $
*/
/**