Discussion:
[strongSwan-dev] authorize hook on IKE auth
Emeric POUPON
2017-07-25 08:11:55 UTC
Hello,

In src/libcharon/sa/ikev2/tasks/ike_auth.c, there is the following block of code in process_r:

    /* another auth round done, invoke authorize hook */
    if (!charon->bus->authorize(charon->bus, FALSE))
    {
        DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
        this->authentication_failed = TRUE;
        return NEED_MORE;
    }

    apply_auth_cfg(this, FALSE);

    if (!update_cfg_candidates(this, FALSE))
    {
        this->authentication_failed = TRUE;
        return NEED_MORE;
    }

The authorize hook is called before the auth config is applied to the current IKE SA.
Therefore, we are not able to take a decision in the hook since we don't have access to the auth info.
We need to wait for the next hook or the final hook, and this seems to be questionable.
Why is the hook called before the apply_auth_cfg call?

What do you think?

Emeric
Martin Willi
2017-07-25 08:53:19 UTC
Hi Emeric
Post by Emeric POUPON
The authorize hook is called before the auth config is applied to the current IKE SA.
This is intended. apply_auth_cfg() copies the currently active
authentication round to the list of completed authentication rounds.

In your authorize hook, you can use ike_sa_t.get_auth_cfg() to get the
current authentication round data; after apply_auth_cfg() that object
is placed into the rounds completed. You can enumerate all completed
rounds using ike_sa_t.create_auth_cfg_enumerator().

Regards
Martin
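The pattern Martin describes, checking the still-active round (what get_auth_cfg() returns before apply_auth_cfg() runs) and then the rounds already moved to the completed list (what create_auth_cfg_enumerator() yields), as an added, self-contained C sketch of the decision an authorize hook would take. This is not strongSwan code: auth_cfg_t and ike_sa_t are simplified stand-ins for the real opaque objects, the "@corp.example must use a certificate" policy is made up, and the no-active-round branch is the case where the round is found only in the completed list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for strongSwan's auth_cfg_t/ike_sa_t; the real types
 * are opaque objects with method pointers (get_auth_cfg, create_auth_cfg_enumerator). */
typedef enum { AUTH_CLASS_PSK, AUTH_CLASS_PUBKEY } auth_class_t;
typedef struct { const char *identity; auth_class_t auth_class; } auth_cfg_t;
typedef struct {
    bool       has_current;   /* false when no round is active during the hook */
    auth_cfg_t current;       /* round still active when the hook runs (IKEv2) */
    auth_cfg_t completed[4];  /* rounds already moved by apply_auth_cfg() */
    size_t     ncompleted;
} ike_sa_t;

/* Example policy (made up): identities under @corp.example must authenticate
 * with a certificate (pubkey), never a PSK. True if the round is acceptable. */
static bool round_allowed(const auth_cfg_t *cfg)
{
    const char *suffix = "@corp.example";
    size_t len = strlen(cfg->identity), slen = strlen(suffix);
    bool corp = len >= slen && strcmp(cfg->identity + len - slen, suffix) == 0;
    return !corp || cfg->auth_class == AUTH_CLASS_PUBKEY;
}

/* Decision the hook takes on each call. With final == false the IKEv2 round is
 * still the active one, so it is checked first; the completed list is checked
 * as well, which also covers a round that was moved there already. */
bool authorize_hook(const ike_sa_t *ike_sa, bool final)
{
    (void)final;  /* on the final call every round is in 'completed' */
    if (ike_sa->has_current && !round_allowed(&ike_sa->current))
        return false;
    for (size_t i = 0; i < ike_sa->ncompleted; i++)
        if (!round_allowed(&ike_sa->completed[i]))
            return false;
    return true;
}

bool scenario_ikev2_psk(void)
{   /* constructed: PSK round still active for a corp identity -> rejected */
    ike_sa_t sa = { .has_current = true, .current = { "alice@corp.example", AUTH_CLASS_PSK } };
    return authorize_hook(&sa, false);
}
bool scenario_completed_pubkey(void)
{   /* constructed: certificate round already completed, no active round -> allowed */
    ike_sa_t sa = { .ncompleted = 1, .completed = { { "alice@corp.example", AUTH_CLASS_PUBKEY } } };
    return authorize_hook(&sa, false);
}
```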
Emeric POUPON
2017-07-25 10:23:17 UTC
Hi Martin
Post by Martin Willi
Post by Emeric POUPON
The authorize hook is called before the auth config is applied to the current IKE SA.
This is intended. apply_auth_cfg() copies the currently active
authentication round to the list of completed authentication rounds.
In your authorize hook, you can use ike_sa_t.get_auth_cfg() to get the
current authentication round data; after apply_auth_cfg() that object
is placed into the rounds completed. You can enumerate all completed
rounds using ike_sa_t.create_auth_cfg_enumerator().
Thanks for your answer.
It seems to work fine using IKEv2 with PSK and PKI configs.

However, it does not seem to work the same way with IKEv1 configs.
During the hook, there is no active authentication round data, but it is set in the list of completed rounds.

Is that normal behavior?

Regards,
Emeric POUPON
2017-08-21 11:34:47 UTC
Post by Emeric POUPON
Hi Martin
Post by Martin Willi
Post by Emeric POUPON
The authorize hook is called before the auth config is applied to the current IKE SA.
This is intended. apply_auth_cfg() copies the currently active
authentication round to the list of completed authentication rounds.
In your authorize hook, you can use ike_sa_t.get_auth_cfg() to get the
current authentication round data; after apply_auth_cfg() that object
is placed into the rounds completed. You can enumerate all completed
rounds using ike_sa_t.create_auth_cfg_enumerator().
Thanks for your answer.
It seems to work fine using IKEv2 with PSK and PKI configs.
However, it does not seem to work the same way with IKEv1 configs.
During the hook, there is no active authentication round data, but it is set in
the list of completed rounds.
Is that normal behavior?
Regards,
No thoughts on this?

Emeric
