[strongSwan-dev] integrating permis into strongswan

Jan Willem Beusink jan.willem.beusink at ti-wmc.nl
Wed May 19 09:49:39 CEST 2010

Martin Willi wrote:
> Hi,
>> I've changed the code of src/libcharon/sa/tasks/ike_auth.c as I want to
>> perform an authorization after an authentication.
> You might have a look at our authorization hooks. It might be sufficient
> if your plugin registers a listener_t to the bus and do the
> authorization checks in these hooks.
When my code matures more this looks like an interesting option. By that
time I hope to have enough understanding of your sophisticated coding
style to be able to implement such a plugin.

Although I reckon only a plugin would not suffice as I also want to be
able to send a meaningful error message when "authorization hook forbids
IKE_SA, cancelling" occurs. And I would use extra configuration options
in the strongswan.conf file.

>> For this authorization step I need to connect via sockets to another
>> machine/program (permis). And figured that I could use the
>> socket_dynamic_socket to this end.
> Probably not a good idea. Our socket_t implementations are very IKE
> specific and not a generic abstraction for sockets. It is easier to use
> plain BSD sockets for other protocols.
Indeed it is. Luckily my efforts were not all in vain as it helps me
understand the programming.

>> ../../src/libcharon/.libs/libcharon.so: undefined reference to
>> `socket_dynamic_socket_create'
> You can't invoke the socket_dynamic_socket_create() function directly,
> as this code is implemented in a plugin. The function is only available
> after the plugin has been loaded by the plugin_loader. The plugin then
> registers this constructor function to the daemon.
No need when using BSD sockets :)

> Best regards
> Martin


Jan Willem Beusink

More information about the Dev mailing list