From: Tobias Brunner Date: Fri, 8 May 2020 08:33:55 +0000 (+0200) Subject: charon-nm: Clear secrets when disconnecting X-Git-Tag: 5.9.0dr1~18 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=d5d8375610595bf521934084f63999f71d9fbc22;p=thirdparty%2Fstrongswan.git charon-nm: Clear secrets when disconnecting The need_secrets() method is called before connect() (where we clear the previous secrets too), so e.g. a password-protected private could be decrypted with the cached password from earlier but if the password was not stored with the connection, it would later fail as no password was requested from the user that could be passed to connect(). References #3428.
---
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index dba12764d1..771466a630 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -974,6 +974,11 @@ static gboolean do_disconnect(gpointer plugin)
 enumerator->destroy(enumerator);
 charon->controller->terminate_ike(charon->controller, id, FALSE, controller_cb_empty, NULL, 0);
+
+ /* clear secrets as we are asked for new secrets (where we'd find
+ * the cached secrets from earlier connections) before we clear
+ * them in connect() */
+ priv->creds->clear(priv->creds);
 return FALSE;
 }
 }
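Review bot: The added `priv->creds->clear(priv->creds);` sits only on the branch that found an IKE_SA to terminate, directly before `return FALSE;`. The two closing braces after that return suggest do_disconnect has a further exit outside the hunk, presumably reached when no matching SA exists. If so, a disconnect that ends there would leave the cached password or key passphrase in the credential set, and a later need_secrets() could again find it, which is the situation the commit message describes. Consider moving the call (with its comment) ahead of the SA lookup, or repeating it before the other return. do_disconnect starts and ends outside the hunk, so this needs confirming against the full function.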