ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checks
parent
f1cbacc5d1
commit
e41adf5f05
@ -463,6 +463,26 @@ METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
|
||||||
return array_create_enumerator(this->other_auths);
|
return array_create_enumerator(this->other_auths);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Flush the stored authentication round information
|
||||||
|
*/
|
||||||
|
static void flush_auth_cfgs(private_ike_sa_t *this)
|
||||||
|
{
|
||||||
|
auth_cfg_t *cfg;
|
||||||
|
|
||||||
|
this->my_auth->purge(this->my_auth, FALSE);
|
||||||
|
this->other_auth->purge(this->other_auth, FALSE);
|
||||||
|
|
||||||
|
while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
|
||||||
|
{
|
||||||
|
cfg->destroy(cfg);
|
||||||
|
}
|
||||||
|
while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
|
||||||
|
{
|
||||||
|
cfg->destroy(cfg);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
METHOD(ike_sa_t, verify_peer_certificate, bool,
|
METHOD(ike_sa_t, verify_peer_certificate, bool,
|
||||||
private_ike_sa_t *this)
|
private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
|
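Review bot: flush_auth_cfgs, moved up here so verify_peer_certificate can call it, empties my_auths and other_auths with array_remove and destroys each auth_cfg_t, while create_auth_cfg_enumerator directly above hands out enumerators over those same arrays; the header comment should state that constraint, since a caller still holding such an enumerator across the flush would most likely iterate destroyed objects. Suggest extending the doc comment to `/** Flush the stored authentication round information. Callers must not hold an enumerator from create_auth_cfg_enumerator() across this call, as the auth_cfg_t objects it yields are destroyed here. */`. The function body itself is identical to the copy this commit removes further down, so this hunk is a pure move apart from the placement.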
@ -482,13 +502,16 @@ METHOD(ike_sa_t, verify_peer_certificate, bool,
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (lib->settings->get_bool(lib->settings,
|
if (!this->flush_auth_cfg &&
|
||||||
|
lib->settings->get_bool(lib->settings,
|
||||||
"%s.flush_auth_cfg", FALSE, lib->ns))
|
"%s.flush_auth_cfg", FALSE, lib->ns))
|
||||||
{
|
{ /* we can do this check only once if auth configs are flushed */
|
||||||
DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
|
DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
|
||||||
"information has been flushed");
|
"information has been flushed");
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
|
||||||
|
FALSE);
|
||||||
|
|
||||||
e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
|
e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
|
||||||
e2 = array_create_enumerator(this->other_auths);
|
e2 = array_create_enumerator(this->other_auths);
|
||||||
|
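Review bot: The guard `!this->flush_auth_cfg && ...flush_auth_cfg` at the top of the hunk correctly fails closed once the round information is gone, but its correctness rests on `this->flush_auth_cfg` being TRUE for exactly as long as the configs are still stored, an invariant maintained elsewhere in ike_sa.c and not visible here; the comment sitting on the brace line does not say that. Suggest moving it above the `if` and making it explicit: `/* with flush_auth_cfg enabled the round information survives only until the first delayed verification; reject any later attempt instead of passing vacuously */`. Also, COND_ONLINE_VALIDATION_SUSPENDED is cleared unconditionally before any check runs, so it is already cleared when the function later returns FALSE; that looks intentional (presumably the caller tears the SA down on failure) but deserves a one-line comment on the set_condition call. verify_peer_certificate begins and ends outside this hunk.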
@ -514,9 +537,6 @@ METHOD(ike_sa_t, verify_peer_certificate, bool,
|
||||||
}
|
}
|
||||||
if (!peer->get_validity(peer, NULL, ¬_before, ¬_after))
|
if (!peer->get_validity(peer, NULL, ¬_before, ¬_after))
|
||||||
{
|
{
|
||||||
/* FIXME: theoretically we could find a newer cert with the same
|
|
||||||
* identity and public key below...but it's not the cert used by
|
|
||||||
* the peer during the original authentication so... */
|
|
||||||
DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
|
DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
|
||||||
¬_before, FALSE, ¬_after, FALSE);
|
¬_before, FALSE, ¬_after, FALSE);
|
||||||
valid = FALSE;
|
valid = FALSE;
|
||||||
|
@ -561,29 +581,15 @@ METHOD(ike_sa_t, verify_peer_certificate, bool,
|
||||||
}
|
}
|
||||||
e1->destroy(e1);
|
e1->destroy(e1);
|
||||||
e2->destroy(e2);
|
e2->destroy(e2);
|
||||||
|
|
||||||
|
if (this->flush_auth_cfg)
|
||||||
|
{
|
||||||
|
this->flush_auth_cfg = FALSE;
|
||||||
|
flush_auth_cfgs(this);
|
||||||
|
}
|
||||||
return valid;
|
return valid;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Flush the stored authentication round information
|
|
||||||
*/
|
|
||||||
static void flush_auth_cfgs(private_ike_sa_t *this)
|
|
||||||
{
|
|
||||||
auth_cfg_t *cfg;
|
|
||||||
|
|
||||||
this->my_auth->purge(this->my_auth, FALSE);
|
|
||||||
this->other_auth->purge(this->other_auth, FALSE);
|
|
||||||
|
|
||||||
while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
|
|
||||||
{
|
|
||||||
cfg->destroy(cfg);
|
|
||||||
}
|
|
||||||
while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
|
|
||||||
{
|
|
||||||
cfg->destroy(cfg);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
METHOD(ike_sa_t, get_proposal, proposal_t*,
|
METHOD(ike_sa_t, get_proposal, proposal_t*,
|
||||||
private_ike_sa_t *this)
|
private_ike_sa_t *this)
|
||||||
{
|
{
|
||||||
|
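Review bot: The new flush at the end of verify_peer_certificate runs regardless of `valid` and, importantly, only after `e2` is destroyed, since e2 enumerates other_auths and flush_auth_cfgs removes and destroys exactly those entries; neither ordering constraint is commented, and a future reorder would turn it into a use-after-free. Suggest adding above `if (this->flush_auth_cfg)`: `/* flush only after the enumerators are destroyed (e2 walks other_auths, which flush_auth_cfgs() empties); done regardless of the result so a retry fails closed at the top */`. The remainder of this hunk removes the old copy of flush_auth_cfgs, which is a pure move. verify_peer_certificate begins outside this hunk.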
@ -1543,9 +1549,14 @@ METHOD(ike_sa_t, process_message, status_t,
|
||||||
status = this->task_manager->process_message(this->task_manager, message);
|
status = this->task_manager->process_message(this->task_manager, message);
|
||||||
if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
|
if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
|
||||||
{
|
{
|
||||||
/* authentication completed */
|
/* authentication completed but if the online validation is suspended we
|
||||||
this->flush_auth_cfg = FALSE;
|
* need the auth cfgs until we did the delayed verification, we flush
|
||||||
flush_auth_cfgs(this);
|
* them afterwards */
|
||||||
|
if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
|
||||||
|
{
|
||||||
|
this->flush_auth_cfg = FALSE;
|
||||||
|
flush_auth_cfgs(this);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
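Review bot: With COND_ONLINE_VALIDATION_SUSPENDED set, the round information is now retained past IKE_ESTABLISHED until verify_peer_certificate() is invoked; if whoever suspended the validation never follows up with that call, the auth cfgs stay in memory for the lifetime of the SA even though flush_auth_cfg was enabled, which is the very thing the option exists to avoid. Nothing in this hunk enforces the follow-up, so the contract should be spelled out in the comment rather than implied; suggest replacing the three-line run-on comment with `/* authentication completed; with online validation suspended the auth cfgs must survive until the delayed verify_peer_certificate() call, which flushes them itself - if that call never happens they persist for the SA's lifetime */`. process_message begins outside this hunk.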