authorMartin Willi <martin@revosec.ch>2011-02-03 13:31:11 +0100
committerMartin Willi <martin@revosec.ch>2011-02-03 17:08:39 +0100
commitb49d047bfc9a2c2e76243ae36c494b9e910d0cfd (patch)
tree467ff8d305095d963a871487b31b1fe69c9821ae
parent4536e669a8f56a69399f6c375aba5ebe8eea376f (diff)
Invoke the per-round authorize() hook before purging current auth info on IKE_SA
-rw-r--r--src/libcharon/sa/tasks/ike_auth.c20
1 files changed, 10 insertions, 10 deletions
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index 03394dd5c..0756c7d60 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -621,11 +621,6 @@ METHOD(task_t, process_r, status_t,
this->initial_contact = TRUE;
}
- /* store authentication information */
- cfg = auth_cfg_create();
- cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
- this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
-
/* another auth round done, invoke authorize hook */
if (!charon->bus->authorize(charon->bus, FALSE))
{
@@ -634,6 +629,11 @@ METHOD(task_t, process_r, status_t,
return NEED_MORE;
}
+ /* store authentication information */
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+ this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+
if (!update_cfg_candidates(this, FALSE))
{
this->authentication_failed = TRUE;
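Review bot: The relocated block in process_r keeps only the comment `/* store authentication information */`, so nothing at the call site records that it has to stay below the authorize() check. Going by the commit title, add_auth_cfg() purges the current-round auth info, and the hook's listeners presumably read exactly that data; a later reordering would then let the authorization decision run on missing information without any compile-time or runtime signal. I would extend the comment to `/* store authentication information; must follow authorize(), which evaluates the current round's auth_cfg */`. The same wording applies to the moved block in the process_i hunk, and process_r itself starts and ends outside this hunk.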
@@ -949,17 +949,17 @@ METHOD(task_t, process_i, status_t,
this->other_auth->destroy(this->other_auth);
this->other_auth = NULL;
}
- /* store authentication information, reset authenticator */
- cfg = auth_cfg_create();
- cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
- this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
-
/* another auth round done, invoke authorize hook */
if (!charon->bus->authorize(charon->bus, FALSE))
{
DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
return FAILED;
}
+
+ /* store authentication information, reset authenticator */
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+ this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
}
if (this->my_auth)
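Review bot: The comment on the relocated block in process_i still reads `store authentication information, reset authenticator`, but the only authenticator teardown visible here (`this->other_auth->destroy(this->other_auth);` followed by `this->other_auth = NULL;`) sits above the authorize() call rather than in this block. Now that the hook runs between the two, the comment suggests the authenticator is still alive while listeners run, which the visible lines contradict. Unless add_auth_cfg() resets something not shown here, I would shorten it to `/* store authentication information */` to match process_r. process_i starts before and continues past this hunk.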