ikev2: Destroy IKE_SA if INVALID_SYNTAX notify is received in response
authorTobias Brunner <tobias@strongswan.org>
Mon, 25 Nov 2019 14:55:54 +0000 (15:55 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 9 Dec 2019 11:26:54 +0000 (12:26 +0100)
RFC 7296, section 2.21.3:

   If a peer parsing a request notices that it is badly formatted (after
   it has passed the message authentication code checks and window
   checks) and it returns an INVALID_SYNTAX notification, then this
   error notification is considered fatal in both peers, meaning that
   the IKE SA is deleted without needing an explicit Delete payload.

src/libcharon/sa/ikev2/task_manager_v2.c

index 0b223d3..6bafd42 100644 (file)
@@ -704,6 +704,23 @@ static status_t process_response(private_task_manager_t *this,
                return DESTROY_ME;
        }
 
+       /* handle fatal INVALID_SYNTAX notifies */
+       switch (message->get_exchange_type(message))
+       {
+               case CREATE_CHILD_SA:
+               case INFORMATIONAL:
+                       if (message->get_notify(message, INVALID_SYNTAX))
+                       {
+                               DBG1(DBG_IKE, "received %N notify error, destroying IKE_SA",
+                                        notify_type_names, INVALID_SYNTAX);
+                               charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+                               return DESTROY_ME;
+                       }
+                       break;
+               default:
+                       break;
+       }
+
        enumerator = array_create_enumerator(this->active_tasks);
        while (enumerator->enumerate(enumerator, &task))
        {
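Review bot: The new comment above the switch (`/* handle fatal INVALID_SYNTAX notifies */`) does not record why only CREATE_CHILD_SA and INFORMATIONAL responses are inspected, nor the RFC precondition the commit message quotes (the notify is only fatal once the message has passed the MAC and window checks); a reader of this function cannot tell from the hunk whether process_response() is reached only after those checks, so that should be stated and confirmed. I would expand the comment to something like `/* RFC 7296, 2.21.3: an INVALID_SYNTAX error in a response is fatal for both peers, so the IKE_SA is destroyed without a Delete payload. Responses to IKE_SA_INIT/IKE_AUTH are presumably handled by their tasks (confirm). Assumes the message is already authenticated and within the window. */`. The enclosing function process_response() starts before this hunk and its body continues after it, so the surrounding error path it mirrors (the `return DESTROY_ME` just above) is only partly visible.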