Send delete if Main Mode authentication fails as initiator
authorMartin Willi <martin@revosec.ch>
Thu, 15 Dec 2011 16:28:58 +0000 (17:28 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:24 +0000 (17:31 +0100)
src/libcharon/sa/task_manager_v1.c
src/libcharon/sa/tasks/main_mode.c

index 2f90551..c10f63d 100644 (file)
@@ -180,6 +180,11 @@ static void flush_queue(private_task_manager_t *this, linked_list_t *list)
 {
        task_t *task;
 
+       if (this->queued)
+       {
+               this->queued->destroy(this->queued);
+               this->queued = NULL;
+       }
        while (list->remove_last(list, (void**)&task) == SUCCESS)
        {
                task->destroy(task);
@@ -305,15 +310,23 @@ METHOD(task_manager_t, initiate, status_t,
                                }
                                break;
                        case IKE_CONNECTING:
+                               if (activate_task(this, TASK_ISAKMP_DELETE))
+                               {
+                                       exchange = INFORMATIONAL_V1;
+                                       new_mid = TRUE;
+                                       break;
+                               }
                                if (activate_task(this, TASK_XAUTH))
                                {
                                        exchange = TRANSACTION;
                                        new_mid = TRUE;
+                                       break;
                                }
                                if (activate_task(this, TASK_INFORMATIONAL))
                                {
                                        exchange = INFORMATIONAL_V1;
                                        new_mid = TRUE;
+                                       break;
                                }
                                break;
                        case IKE_ESTABLISHED:
@@ -333,16 +346,19 @@ METHOD(task_manager_t, initiate, status_t,
                                {
                                        exchange = INFORMATIONAL_V1;
                                        new_mid = TRUE;
+                                       break;
                                }
                                if (activate_task(this, TASK_ISAKMP_DELETE))
                                {
                                        exchange = INFORMATIONAL_V1;
                                        new_mid = TRUE;
+                                       break;
                                }
                                if (activate_task(this, TASK_QUICK_DELETE))
                                {
                                        exchange = INFORMATIONAL_V1;
                                        new_mid = TRUE;
+                                       break;
                                }
                                break;
                        default:
index 525484f..5b2cdf7 100644 (file)
@@ -31,6 +31,7 @@
 #include <sa/tasks/xauth.h>
 #include <sa/tasks/mode_config.h>
 #include <sa/tasks/informational.h>
+#include <sa/tasks/isakmp_delete.h>
 
 typedef struct private_main_mode_t private_main_mode_t;
 
@@ -495,6 +496,17 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type)
        return ALREADY_DONE;
 }
 
+/**
+ * Queue a delete task if authentication failed as initiator
+ */
+static status_t send_delete(private_main_mode_t *this)
+{
+       this->ike_sa->queue_task(this->ike_sa,
+                                               (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
+       /* cancel all active tasks in favour of informational */
+       return ALREADY_DONE;
+}
+
 METHOD(task_t, build_i, status_t,
        private_main_mode_t *this, message_t *message)
 {
@@ -1034,7 +1046,7 @@ METHOD(task_t, process_i, status_t,
                        if (!id_payload)
                        {
                                DBG1(DBG_IKE, "IDir payload missing");
-                               return send_notify(this, INVALID_PAYLOAD_TYPE);
+                               return send_delete(this);
                        }
                        id = id_payload->get_identification(id_payload);
                        if (!id->matches(id, this->other_auth->get(this->other_auth,
@@ -1042,7 +1054,7 @@ METHOD(task_t, process_i, status_t,
                        {
                                DBG1(DBG_IKE, "IDir does not match");
                                id->destroy(id);
-                               return send_notify(this, INVALID_ID_INFORMATION);
+                               return send_delete(this);
                        }
                        this->ike_sa->set_other_id(this->ike_sa, id);
 
@@ -1051,12 +1063,12 @@ METHOD(task_t, process_i, status_t,
                                                                                                                 message) != SUCCESS)
                        {
                                DESTROY_IF(authenticator);
-                               return send_notify(this, AUTHENTICATION_FAILED);
+                               return send_delete(this);
                        }
                        authenticator->destroy(authenticator);
                        if (!check_constraints(this))
                        {
-                               return send_notify(this, AUTHENTICATION_FAILED);
+                               return send_delete(this);
                        }
                        save_auth_cfg(this, FALSE);