authortobhe <tobhe@cvs.openbsd.org>2020-11-16 18:00:31 +0000
committertobhe <tobhe@cvs.openbsd.org>2020-11-16 18:00:31 +0000
commit4b2d38bf6dc91261e0c92cf68fa00f1357ebef3b (patch)
treecdb20e69ee92440f1a63636d75d2882471c210af /sbin
parent8059c54e623a87990b6bc5628ce43e5c265e59e0 (diff)
Reenable ikev2_init_auth() return value check. Make sure sa_stateok()
returns 0 on error. This code path is taken multiple times until all requirements for sa_stateok() are met, so don't delete the SA because of a single failure. ok patrick@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/iked/ikev2.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 65ad2a2e9c6..53b1b99a5f1 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.282 2020/11/16 12:59:20 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.283 2020/11/16 18:00:30 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1086,7 +1086,13 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
if (ikev2_handle_certreq(env, msg) != 0)
return;
- (void)ikev2_init_auth(env, msg);
+ if (ikev2_init_auth(env, msg) != 0) {
+ ikev2_ike_sa_setreason(sa,
+ "failed to initiate IKE_AUTH exchange");
+ sa_state(env, sa, IKEV2_STATE_CLOSED);
+ msg->msg_sa = NULL;
+ return;
+ }
break;
case IKEV2_EXCHANGE_IKE_AUTH:
if (msg->msg_flags & IKED_MSG_FLAGS_AUTHENTICATION_FAILED) {
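Review bot: The new branch after ikev2_init_auth() closes the SA on any non-zero return, so it is correct only if ikev2_init_auth() never returns non-zero for a transient, retried condition; the hunk below makes the sa_stateok() precondition in ikev2_init_ike_auth() return 0, but ikev2_init_auth() itself is outside this diff, so any other not-ready return inside it would now tear down the SA on a path the commit message says is taken multiple times. A comment above the check would record that contract for the next maintainer: `/* Non-zero is a hard failure; not-yet-satisfied preconditions return 0 so the SA survives the retry. */`. The close path also clears msg->msg_sa, which presumably matches the other error exits in this function, though they are not visible here. ikev2_init_recv() starts before this hunk and its switch continues past it.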
@@ -1388,7 +1394,7 @@ ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
ssize_t len;
if (!sa_stateok(sa, IKEV2_STATE_SA_INIT))
- return (-1);
+ return (0);
if (!sa->sa_localauth.id_type) {
log_debug("%s: no local auth", __func__);
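Review bot: The changed return at the sa_stateok() guard now reports success for an SA that is not yet in IKEV2_STATE_SA_INIT, so a caller cannot distinguish "IKE_AUTH sent" from "nothing done yet", and the retry contract described in the commit message is not stated anywhere in the code. The guard deserves a comment and a debug log in the style of the `no local auth` branch just below it: `/* Not an error: callers retry until all sa_stateok() requirements hold. */` followed by `log_debug("%s: SA not yet in SA_INIT state", __func__);` before `return (0);`. If an SA never reaches SA_INIT, this path now fails silently, which the log line would at least make visible during debugging. ikev2_init_ike_auth() starts before this hunk and continues past it.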