[strongSwan-dev] integrating permis into strongswan

Jan Willem Beusink jan.willem.beusink at ti-wmc.nl
Wed May 19 09:49:39 CEST 2010


Martin Willi wrote:
> Hi,
> 
>> I've changed the code of src/libcharon/sa/tasks/ike_auth.c as I want to
>> perform an authorization after an authentication.
> 
> You might have a look at our authorization hooks. It might be sufficient
> if your plugin registers a listener_t to the bus and does the
> authorization checks in these hooks.
When my code matures more this looks like an interesting option. By that
time I hope to have enough understanding of your sophisticated coding
style to be able to implement such a plugin.

Although I reckon only a plugin would not suffice as I also want to be
able to send a meaningful error message when "authorization hook forbids
IKE_SA, cancelling" occurs. And I would use extra configuration options
in the strongswan.conf file.

>> For this authorization step I need to connect via sockets to another
>> machine/program (permis). And figured that I could use the
>> socket_dynamic_socket to this end.
> 
> Probably not a good idea. Our socket_t implementations are very IKE
> specific and not a generic abstraction for sockets. It is easier to use
> plain BSD sockets for other protocols.
Indeed it is. Luckily my efforts were not all in vain as it helps me
understand the programming.

>> ../../src/libcharon/.libs/libcharon.so: undefined reference to
>> `socket_dynamic_socket_create'
> 
> You can't invoke the socket_dynamic_socket_create() function directly,
> as this code is implemented in a plugin. The function is only available
> after the plugin has been loaded by the plugin_loader. The plugin then
> registers this constructor function to the daemon.
No need when using BSD sockets :)

> Best regards
> Martin

Regards,

Jan Willem Beusink
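
An added example, not part of the original message and not strongSwan or PERMIS code: an authorization query over a plain BSD socket, as suggested in the thread, written so that any timeout, error or malformed reply counts as a denial. The function name `authz_query_fd` and the one-line `AUTHZ`/`PERMIT`/`DENY` wire format are hypothetical stand-ins, since the thread does not show the protocol PERMIS speaks.

```c
/* Added example: fail-closed authorization query over a plain BSD socket.
 * The "AUTHZ <id>\n" -> "PERMIT\n" / "DENY\n" protocol is hypothetical. */
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 only on an exact "PERMIT\n" reply; every error, per-read
 * timeout, oversized or malformed reply is treated as a denial. */
int authz_query_fd(int fd, const char *identity, int timeout_ms)
{
    char req[256], reply[16];
    size_t got = 0;
    int n = snprintf(req, sizeof(req), "AUTHZ %s\n", identity);

    /* reject identities that do not fit or could inject a second line */
    if (n < 0 || (size_t)n >= sizeof(req) || strpbrk(identity, "\r\n"))
        return 0;
    if (send(fd, req, (size_t)n, MSG_NOSIGNAL) != n)
        return 0;
    while (got < sizeof(reply) - 1) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        ssize_t r;

        if (poll(&p, 1, timeout_ms) <= 0)    /* timeout or poll error */
            return 0;
        r = recv(fd, reply + got, sizeof(reply) - 1 - got, 0);
        if (r <= 0)                          /* peer closed or error */
            return 0;
        got += (size_t)r;
        reply[got] = '\0';
        if (strchr(reply, '\n'))
            break;
    }
    return strcmp(reply, "PERMIT\n") == 0;
}

int main(void)
{
    int sv[2];   /* socketpair stands in for the connection to the service */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    send(sv[1], "PERMIT\n", 7, 0);           /* constructed sample reply */
    printf("alice: %d\n", authz_query_fd(sv[0], "alice", 500));
    close(sv[0]); close(sv[1]);
    return 0;
}
```

The bounded timeout matters because the query runs in the authentication path: an unreachable decision service then yields a denial instead of a stalled negotiation.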




