Invoke the per-round authorize() hook before purging current auth info on IKE_SA
authorMartin Willi <martin@revosec.ch>
Thu, 3 Feb 2011 12:31:11 +0000 (13:31 +0100)
committerMartin Willi <martin@revosec.ch>
Thu, 3 Feb 2011 16:08:39 +0000 (17:08 +0100)
src/libcharon/sa/tasks/ike_auth.c

index 03394dd..0756c7d 100644 (file)
@@ -621,11 +621,6 @@ METHOD(task_t, process_r, status_t,
                this->initial_contact = TRUE;
        }
 
-       /* store authentication information */
-       cfg = auth_cfg_create();
-       cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-       this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
-
        /* another auth round done, invoke authorize hook */
        if (!charon->bus->authorize(charon->bus, FALSE))
        {
@@ -634,6 +629,11 @@ METHOD(task_t, process_r, status_t,
                return NEED_MORE;
        }
 
+       /* store authentication information */
+       cfg = auth_cfg_create();
+       cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+       this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+
        if (!update_cfg_candidates(this, FALSE))
        {
                this->authentication_failed = TRUE;
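Review bot: The ordering the moved block now relies on is not stated in the code: the authorize hook is invoked while the round's auth info is still the current config returned by `get_auth_cfg(this->ike_sa, FALSE)`, and only afterwards does `add_auth_cfg()` archive it — the commit title says this purges the current info, which I cannot confirm from the hunk. The comment above `cfg = auth_cfg_create();` should record that dependency so the two blocks are not swapped back later, e.g. `/* store authentication information; keep this after the authorize hook, which inspects the current round's auth info before add_auth_cfg() archives it */`. The process_i copy in the later hunk has the same gap and should get the same comment. process_r starts and ends outside this hunk.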
@@ -949,17 +949,17 @@ METHOD(task_t, process_i, status_t,
                        this->other_auth->destroy(this->other_auth);
                        this->other_auth = NULL;
                }
-               /* store authentication information, reset authenticator */
-               cfg = auth_cfg_create();
-               cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
-               this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
-
                /* another auth round done, invoke authorize hook */
                if (!charon->bus->authorize(charon->bus, FALSE))
                {
                        DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
                        return FAILED;
                }
+
+               /* store authentication information, reset authenticator */
+               cfg = auth_cfg_create();
+               cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+               this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
        }
 
        if (this->my_auth)
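Review bot: The three-line store sequence (`auth_cfg_create()`, `merge()`, `add_auth_cfg()`) is now repeated verbatim in process_r and process_i, and the commit moves both copies by hand; since the ordering relative to the authorize hook is the subtle part, a single static helper would keep the two call sites from drifting. The proposed helper is below; each site then becomes `store_auth_cfg(this);` right after the authorize check. The `cfg` local can be dropped at the call sites if nothing else in process_r/process_i uses it, which is not visible here. process_i continues outside the hunk.
```c
/* Archive the current authentication round's auth info on the IKE_SA.
 * Call only after the authorize hook, which inspects the current
 * auth config before add_auth_cfg() replaces it. */
static void store_auth_cfg(private_ike_auth_t *this)
{
	auth_cfg_t *cfg = auth_cfg_create();
	cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
	this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
}
```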