From 8fa48933d6f58fedc21cb196cab1a20a4910c8ec Mon Sep 17 00:00:00 2001
From: Mike Belopuhov
Date: Fri, 7 Nov 2014 14:12:58 +0000
Subject: Fixup a few problems with EAP state transition
First of all we don't need to satisfy valid EAP state flags for IKEV2_STATE_EAP as it's an initial EAP exchange state. Then when waiting for the "ca" process to construct our AUTH payload we need to bail while sa_localauth is not available. With this change Win7 is able to establish the the tunnel again. ok markus
---
 sbin/iked/ikev2.c | 9 +++++----
 sbin/iked/policy.c | 5 ++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 05b16480c70..55d1e96eade 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.115 2014/11/07 14:02:32 mikeb Exp $ */
+/* $OpenBSD: ikev2.c,v 1.116 2014/11/07 14:12:57 mikeb Exp $ */
 /*
 * Copyright (c) 2010-2013 Reyk Floeter
@@ -2276,13 +2276,14 @@ ikev2_resp_ike_eap(struct iked *env, struct iked_sa *sa, struct ibuf *eapmsg)
 int ret = -1;
 ssize_t len = 0;
- if (!sa_stateok(sa, IKEV2_STATE_EAP))
- return (0);
-
 /* Responder only */
 if (sa->sa_hdr.sh_initiator)
 return (-1);
+ /* Check if "ca" has done it's job yet */
+ if (!sa->sa_localauth.id_type)
+ return (0);
+
 /* New encrypted message buffer */
 if ((e = ibuf_static()) == NULL)
 goto done;
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index 635e0051f90..b70fd4b2110 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.34 2014/05/06 10:24:22 markus Exp $ */
+/* $OpenBSD: policy.c,v 1.35 2014/11/07 14:12:57 mikeb Exp $ */
 /*
 * Copyright (c) 2010-2013 Reyk Floeter
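Review bot: In ikev2_resp_ike_eap() (sbin/iked/ikev2.c, hunk at -2276), the new `if (!sa->sa_localauth.id_type) return (0);` is the only readiness condition left in the visible lines before the EAP response is built, because the `sa_stateok(sa, IKEV2_STATE_EAP)` call is dropped rather than kept beside it. The policy.c part of this commit already stops sa_stateok() from applying the flag comparison to IKEV2_STATE_EAP, so keeping the call may have been enough to preserve whatever state gating it does outside these hunks. If the callers guarantee the SA state instead, a comment saying so would let a reader verify it. The deferred path returns 0 with no trace, and 0 is presumably also the success value, so a `log_debug("%s: local auth not ready", __func__);` before the return would make a stalled EAP exchange visible. The function starts and ends outside the hunk, and the new comment should read `its job`.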
@@ -286,8 +286,7 @@ sa_stateok(struct iked_sa *sa, int state)
 if (state == IKEV2_STATE_SA_INIT ||
 state == IKEV2_STATE_VALID ||
- state == IKEV2_STATE_EAP_VALID ||
- state == IKEV2_STATE_EAP) {
+ state == IKEV2_STATE_EAP_VALID) {
 log_debug("%s: %s flags 0x%02x, require 0x%02x %s", __func__,
 print_map(state, ikev2_state_map),
 (sa->sa_stateflags & require), require,
--
cgit v1.2.3
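Review bot: The condition in sa_stateok() no longer lists IKEV2_STATE_EAP, but the reason is recorded only in the commit message, and this `if` selects the states whose required flags are logged and, presumably, enforced. A short comment above it would keep the exemption from being read as an omission or quietly widened later, for example `/* IKEV2_STATE_EAP is the initial EAP exchange state: no flags are required yet */`. The flag comparison inside the block and the rest of sa_stateok() lie outside the hunk. It is therefore worth confirming there that IKEV2_STATE_EAP_VALID and IKEV2_STATE_VALID remain the only states at which an EAP peer is treated as authenticated.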