ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILED
author Martin Willi <martin@revosec.ch>
Fri, 17 May 2013 08:30:13 +0000 (10:30 +0200)
committer Martin Willi <martin@revosec.ch>
Tue, 11 Jun 2013 13:54:26 +0000 (15:54 +0200)
RFC 5996 compatible implementations MAY send an INFORMATIONAL message
with an AUTHENTICATION_FAILED if the initiator failed to authenticate us.
Handle such a message like a DELETE for an IKE_SA.

src/libcharon/sa/ikev2/task_manager_v2.c

index 5298abf..839bdb9 100644 (file)
@@ -849,6 +849,12 @@ static status_t process_request(private_task_manager_t *this,
                                                                        task = (task_t*)ike_auth_lifetime_create(
                                                                                                                        this->ike_sa, FALSE);
                                                                        break;
+                                                               case AUTHENTICATION_FAILED:
+                                                                       /* initiator failed to authenticate us.
+                                                                        * We use ike_delete to handle this, which
+                                                                        * invokes all the required hooks. */
+                                                                       task = (task_t*)ike_delete_create(
+                                                                                                               this->ike_sa, FALSE);
                                                                default:
                                                                        break;
                                                        }
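Review bot: the new `case AUTHENTICATION_FAILED:` branch has no `break;` after the `task = (task_t*)ike_delete_create(this->ike_sa, FALSE);` assignment, so it falls through into `default: break;`. The behaviour is correct today because `default` does nothing but break, yet an implicit fall-through here is easy to misread as intentional and becomes a bug the moment another case is inserted between the two; add an explicit `break;` (as the `AUTH_LIFETIME` case above does) so the delete task is the only thing this branch produces.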