return array_create_enumerator(this->other_auths);
}
+/**
+ * Flush the stored authentication round information
+ */
+static void flush_auth_cfgs(private_ike_sa_t *this)
+{
+ auth_cfg_t *cfg;
+
+ this->my_auth->purge(this->my_auth, FALSE);
+ this->other_auth->purge(this->other_auth, FALSE);
+
+ while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
+ {
+ cfg->destroy(cfg);
+ }
+ while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
+ {
+ cfg->destroy(cfg);
+ }
+}
+
METHOD(ike_sa_t, verify_peer_certificate, bool,
private_ike_sa_t *this)
{
return FALSE;
}
- if (lib->settings->get_bool(lib->settings,
+ if (!this->flush_auth_cfg &&
+ lib->settings->get_bool(lib->settings,
"%s.flush_auth_cfg", FALSE, lib->ns))
- {
+ { /* we can do this check only once if auth configs are flushed */
DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
"information has been flushed");
return FALSE;
}
+ this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
+ FALSE);
e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
e2 = array_create_enumerator(this->other_auths);
}
if (!peer->get_validity(peer, NULL, ¬_before, ¬_after))
{
- /* FIXME: theoretically we could find a newer cert with the same
- * identity and public key below...but it's not the cert used by
- * the peer during the original authentication so... */
DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
¬_before, FALSE, ¬_after, FALSE);
valid = FALSE;
}
e1->destroy(e1);
e2->destroy(e2);
- return valid;
-}
-/**
- * Flush the stored authentication round information
- */
-static void flush_auth_cfgs(private_ike_sa_t *this)
-{
- auth_cfg_t *cfg;
-
- this->my_auth->purge(this->my_auth, FALSE);
- this->other_auth->purge(this->other_auth, FALSE);
-
- while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
+ if (this->flush_auth_cfg)
{
- cfg->destroy(cfg);
- }
- while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
- {
- cfg->destroy(cfg);
+ this->flush_auth_cfg = FALSE;
+ flush_auth_cfgs(this);
}
+ return valid;
}
METHOD(ike_sa_t, get_proposal, proposal_t*,
status = this->task_manager->process_message(this->task_manager, message);
if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
{
- /* authentication completed */
- this->flush_auth_cfg = FALSE;
- flush_auth_cfgs(this);
+ /* authentication completed but if the online validation is suspended we
+ * need the auth cfgs until we did the delayed verification, we flush
+ * them afterwards */
+ if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
+ {
+ this->flush_auth_cfg = FALSE;
+ flush_auth_cfgs(this);
+ }
}
return status;
}
projects / thirdparty / strongswan.git / commitdiff
