[strongSwan-dev] authorize hook on IKE auth

Emeric POUPON emeric.poupon at stormshield.eu
Tue Jul 25 10:11:55 CEST 2017


Hello,

In src/libcharon/sa/ikev2/tasks/ike_auth.c, there is the following block of code in process_r:

    /* another auth round done, invoke authorize hook */
    if (!charon->bus->authorize(charon->bus, FALSE))
    {
        DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
        this->authentication_failed = TRUE;
        return NEED_MORE;
    }

    apply_auth_cfg(this, FALSE);

    if (!update_cfg_candidates(this, FALSE))
    {
        this->authentication_failed = TRUE;
        return NEED_MORE;
    }

The authorize hook is called before the auth config is applied to the current IKE SA.
Therefore, we are not able to take a decision in the hook since we don't have access to the auth info.
We need to wait for the next hook or the final hook, and this seems to be questionable.
Why is the hook called before the apply_auth_cfg call?

What do you think?

Emeric
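To make the ordering question above concrete, here is an added toy model of the two possible orders (hook before apply_auth_cfg, as quoted from ike_auth.c, versus apply first). It is not strongSwan code and does not use the real bus/listener API: `ike_sa_t`, `auth_cfg_t`, `authorize_hook_t`, `deny_blocked_peer` and the sample identity `blocked@example.org` are all made up for the illustration. The point it shows is that a per-round listener that wants to refuse a peer identity has nothing to decide on when it runs before the auth cfg is applied, so the refusal only happens at the final hook (or after swapping the order).

```c
/*
 * Toy model of the ordering in process_r(): per-round authorize hook
 * before vs. after apply_auth_cfg(). NOT strongSwan's API; every name
 * below is hypothetical and exists only to illustrate the question.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Auth info for one authentication round (sample data is constructed). */
typedef struct {
    char remote_id[64];
    char auth_class[16];
} auth_cfg_t;

/* Minimal IKE_SA: holds the auth cfg once it has been applied. */
typedef struct {
    auth_cfg_t applied;
    bool has_applied;
} ike_sa_t;

/* Hypothetical listener: returns false to forbid the IKE_SA.
 * saw_info reports whether any applied auth info was visible to it. */
typedef bool (*authorize_hook_t)(const ike_sa_t *sa, bool final, bool *saw_info);

/* Example policy: refuse a blocked peer identity when it is visible. */
static bool deny_blocked_peer(const ike_sa_t *sa, bool final, bool *saw_info)
{
    (void)final;
    *saw_info = sa->has_applied;
    if (!sa->has_applied)
    {
        return true;  /* no identity to judge yet, so nothing to forbid */
    }
    return strcmp(sa->applied.remote_id, "blocked@example.org") != 0;
}

/* Stand-in for apply_auth_cfg(): copies the round's cfg into the SA. */
static void apply_auth_cfg(ike_sa_t *sa, const auth_cfg_t *round)
{
    sa->applied = *round;
    sa->has_applied = true;
}

/* Order as quoted from ike_auth.c: hook first, then apply. */
bool round_hook_before_apply(ike_sa_t *sa, const auth_cfg_t *round,
                             authorize_hook_t hook, bool *saw_info)
{
    if (!hook(sa, false, saw_info))
    {
        return false;  /* "authorization hook forbids IKE_SA, cancelling" */
    }
    apply_auth_cfg(sa, round);
    return true;
}

/* Order the mail asks about: apply first, then hook. */
bool round_apply_before_hook(ike_sa_t *sa, const auth_cfg_t *round,
                             authorize_hook_t hook, bool *saw_info)
{
    apply_auth_cfg(sa, round);
    return hook(sa, false, saw_info);
}

/* Final hook, i.e. authorize(..., TRUE) after the last round. */
bool final_authorize(ike_sa_t *sa, authorize_hook_t hook, bool *saw_info)
{
    return hook(sa, true, saw_info);
}

int main(void)
{
    const auth_cfg_t round = { "blocked@example.org", "pubkey" };  /* constructed */
    ike_sa_t sa = { 0 };
    bool saw;

    bool ok = round_hook_before_apply(&sa, &round, deny_blocked_peer, &saw);
    printf("hook before apply: authorized=%d saw_auth_info=%d\n", ok, saw);

    ok = final_authorize(&sa, deny_blocked_peer, &saw);
    printf("final hook:        authorized=%d saw_auth_info=%d\n", ok, saw);

    memset(&sa, 0, sizeof(sa));
    ok = round_apply_before_hook(&sa, &round, deny_blocked_peer, &saw);
    printf("apply before hook: authorized=%d saw_auth_info=%d\n", ok, saw);
    return 0;
}
```

With the quoted order the per-round call authorizes the blocked peer because the listener sees no applied identity; the same listener refuses it at the final call, and also refuses it per round once apply_auth_cfg runs first.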