charon-nm: Clear secrets when disconnecting

The need_secrets() method is called before connect() (where we clear the
previous secrets too), so e.g. a password-protected private could be
decrypted with the cached password from earlier but if the password was not
stored with the connection, it would later fail as no password was requested
from the user that could be passed to connect().

References #3428.

diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index dba12764d1a3edab93ab64b95836c9a9348099ff..771466a6300534b121a203c9b0fccd83ff404220 100644 (file)
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -974,6 +974,11 @@ static gboolean do_disconnect(gpointer plugin)
                        enumerator->destroy(enumerator);
                        charon->controller->terminate_ike(charon->controller, id, FALSE,
                                                                                          controller_cb_empty, NULL, 0);
+
+                       /* clear secrets as we are asked for new secrets (where we'd find
+                        * the cached secrets from earlier connections) before we clear
+                        * them in connect() */
+                       priv->creds->clear(priv->creds);
                        return FALSE;
                }
        }