author | tobhe <tobhe@cvs.openbsd.org> | 2020-10-05 19:21:17 +0000 |
---|---|---|
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-10-05 19:21:17 +0000 |
commit | 300828b798abf7272620b04a7183a24100879d49 (patch) | |
tree | ca5fdc7b6e01cf09ebb4dd490096b0baf5dcfe25 /sbin/iked/ikev2.c | |
parent | 3aec350734df2b9f6d4a0e4b6fc334fc9404ffd9 (diff) |
Only handle AUTHENTICATION_FAILED for IKE_AUTH and INFORMATIONAL exchanges.
Reply to INFORMATIONAL messages with AUTHENTICATION_FAILED before deleting
the SA.
ok markus@
Diffstat (limited to 'sbin/iked/ikev2.c')
-rw-r--r-- | sbin/iked/ikev2.c | 35 |
1 files changed, 23 insertions, 12 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 60311dbd30e..6b73ab8b68c 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.263 2020/10/03 20:23:08 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.264 2020/10/05 19:21:16 tobhe Exp $ */
 /*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1059,6 +1059,19 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
 (void)ikev2_init_auth(env, msg);
 break;
 case IKEV2_EXCHANGE_IKE_AUTH:
+ if (msg->msg_flags & IKED_MSG_FLAGS_AUTHENTICATION_FAILED) {
+ log_debug("%s: AUTHENTICATION_FAILED, closing SA",
+ __func__);
+ ikev2_log_cert_info(SPI_SA(sa, __func__),
+ sa->sa_hdr.sh_initiator ? &sa->sa_rcert
+ : &sa->sa_icert);
+ ikev2_ike_sa_setreason(sa,
+ "authentication failed notification from peer");
+ sa_state(env, sa, IKEV2_STATE_CLOSED);
+ msg->msg_sa = NULL;
+ return;
+ }
+
 (void)ikev2_ike_auth_recv(env, sa, msg);
 break;
 case IKEV2_EXCHANGE_CREATE_CHILD_SA:
@@ -2515,6 +2528,15 @@ ikev2_resp_informational(struct iked *env, struct iked_sa *sa,
 IKEV2_EXCHANGE_INFORMATIONAL, firstpayload, 1);
 if (ret != -1)
 msg->msg_responded = 1;
+ if (msg->msg_flags & IKED_MSG_FLAGS_AUTHENTICATION_FAILED) {
+ log_debug("%s: AUTHENTICATION_FAILED, closing SA",
+ __func__);
+ ikev2_log_cert_info(SPI_SA(sa, __func__),
+ sa->sa_hdr.sh_initiator ? &sa->sa_rcert : &sa->sa_icert);
+ ikev2_ike_sa_setreason(sa,
+ "authentication failed notification from peer");
+ sa_state(env, sa, IKEV2_STATE_CLOSED);
+ }
 done:
 ibuf_release(buf);
 return (ret);
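Review bot: The block added under `case IKEV2_EXCHANGE_IKE_AUTH:` repeats, nearly verbatim, the block added to ikev2_resp_informational in the next hunk and the one removed from ikev2_handle_notifies below: log line, certificate dump, reason string, `sa_state(env, sa, IKEV2_STATE_CLOSED)`. A small static helper taking env and sa would keep the two teardown paths from drifting apart; the only visible difference, that the IKE_AUTH branch also clears msg->msg_sa and returns, can stay at the call site. With a helper the `__func__` in log_debug and SPI_SA names the helper rather than the caller, so pass the caller's name through if that prefix matters for log grepping. ikev2_init_recv begins and ends outside this hunk, and a prototype for the helper would go with the file's other static declarations, which are not shown here.
```c
/* Log the peer certificate and mark the SA closed after an AUTHENTICATION_FAILED notify. */
static void
ikev2_auth_failed_close(struct iked *env, struct iked_sa *sa)
{
	log_debug("%s: AUTHENTICATION_FAILED, closing SA", __func__);
	ikev2_log_cert_info(SPI_SA(sa, __func__),
	    sa->sa_hdr.sh_initiator ? &sa->sa_rcert : &sa->sa_icert);
	ikev2_ike_sa_setreason(sa,
	    "authentication failed notification from peer");
	sa_state(env, sa, IKEV2_STATE_CLOSED);
}

/* … unchanged: ikev2_init_recv up to the IKE_AUTH case … */
	case IKEV2_EXCHANGE_IKE_AUTH:
		if (msg->msg_flags & IKED_MSG_FLAGS_AUTHENTICATION_FAILED) {
			ikev2_auth_failed_close(env, sa);
			msg->msg_sa = NULL;
			return;
		}
```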
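Review bot: After `sa_state(env, sa, IKEV2_STATE_CLOSED)` the new branch in ikev2_resp_informational leaves msg->msg_sa pointing at the closed SA, whereas the IKE_AUTH branch in ikev2_init_recv and the block removed from ikev2_handle_notifies both follow the close with `msg->msg_sa = NULL;`. I cannot see the callers from this hunk, so whether anything dereferences msg->msg_sa after the return is an open question; if the pointer is deliberately kept because the caller still needs the SA to finish the exchange and free it, a one-line comment above the check stating that would stop the next reader from "fixing" it. A second short comment that the check sits after the reply on purpose, so the peer gets its response before the SA disappears, would tie the code to the ordering the commit message describes. ikev2_resp_informational starts outside this hunk, and since the check precedes `done:`, any earlier path that jumps to `done:` skips it; that looks intended for a failed reply but is worth a glance.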
@@ -2835,17 +2857,6 @@ ikev2_handle_notifies(struct iked *env, struct iked_message *msg)
 sa->sa_stateflags &= ~IKED_REQ_CHILDSA;
 }
- if (msg->msg_flags & IKED_MSG_FLAGS_AUTHENTICATION_FAILED) {
- log_debug("%s: AUTHENTICATION_FAILED, closing SA", __func__);
- ikev2_log_cert_info(SPI_SA(sa, __func__),
- sa->sa_hdr.sh_initiator ? &sa->sa_rcert : &sa->sa_icert);
- ikev2_ike_sa_setreason(sa,
- "authentication failed notification from peer");
- sa_state(env, sa, IKEV2_STATE_CLOSED);
- msg->msg_sa = NULL;
- return (-1);
- }
-
 if (msg->msg_flags & IKED_MSG_FLAGS_INVALID_KE) {
 /* XXX chould also happen for PFS */
 group = betoh16(msg->msg_group); |