From: Martin Willi <martin@revosec.ch>
Date: Thu, 15 Dec 2011 16:28:58 +0000 (+0100)
Subject: Send delete if Main Mode authentication fails as initiator
X-Git-Tag: 5.0.0~338^2~9^2~189
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=429d95fef265e1c24da09d4559d7858a9d03467f;p=thirdparty%2Fstrongswan.git

Send delete if Main Mode authentication fails as initiator
---

diff --git a/src/libcharon/sa/task_manager_v1.c b/src/libcharon/sa/task_manager_v1.c
index 2f905516d1..c10f63d0f6 100644
--- a/src/libcharon/sa/task_manager_v1.c
+++ b/src/libcharon/sa/task_manager_v1.c
@@ -180,6 +180,11 @@ static void flush_queue(private_task_manager_t *this, linked_list_t *list)
 {
 	task_t *task;
 
+	if (this->queued)
+	{
+		this->queued->destroy(this->queued);
+		this->queued = NULL;
+	}
 	while (list->remove_last(list, (void**)&task) == SUCCESS)
 	{
 		task->destroy(task);
@@ -305,15 +310,23 @@ METHOD(task_manager_t, initiate, status_t,
 				}
 				break;
 			case IKE_CONNECTING:
+				if (activate_task(this, TASK_ISAKMP_DELETE))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
 				if (activate_task(this, TASK_XAUTH))
 				{
 					exchange = TRANSACTION;
 					new_mid = TRUE;
+					break;
 				}
 				if (activate_task(this, TASK_INFORMATIONAL))
 				{
 					exchange = INFORMATIONAL_V1;
 					new_mid = TRUE;
+					break;
 				}
 				break;
 			case IKE_ESTABLISHED:
@@ -333,16 +346,19 @@ METHOD(task_manager_t, initiate, status_t,
 				{
 					exchange = INFORMATIONAL_V1;
 					new_mid = TRUE;
+					break;
 				}
 				if (activate_task(this, TASK_ISAKMP_DELETE))
 				{
 					exchange = INFORMATIONAL_V1;
 					new_mid = TRUE;
+					break;
 				}
 				if (activate_task(this, TASK_QUICK_DELETE))
 				{
 					exchange = INFORMATIONAL_V1;
 					new_mid = TRUE;
+					break;
 				}
 				break;
 			default:
diff --git a/src/libcharon/sa/tasks/main_mode.c b/src/libcharon/sa/tasks/main_mode.c
index 525484f6f6..5b2cdf77e2 100644
--- a/src/libcharon/sa/tasks/main_mode.c
+++ b/src/libcharon/sa/tasks/main_mode.c
@@ -31,6 +31,7 @@
 #include <sa/tasks/xauth.h>
 #include <sa/tasks/mode_config.h>
 #include <sa/tasks/informational.h>
+#include <sa/tasks/isakmp_delete.h>
 
 typedef struct private_main_mode_t private_main_mode_t;
 
@@ -495,6 +496,17 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type)
 	return ALREADY_DONE;
 }
 
+/**
+ * Queue a delete task if authentication failed as initiator
+ */
+static status_t send_delete(private_main_mode_t *this)
+{
+	this->ike_sa->queue_task(this->ike_sa,
+						(task_t*)isakmp_delete_create(this->ike_sa, TRUE));
+	/* cancel all active tasks in favour of informational */
+	return ALREADY_DONE;
+}
+
 METHOD(task_t, build_i, status_t,
 	private_main_mode_t *this, message_t *message)
 {
@@ -1034,7 +1046,7 @@ METHOD(task_t, process_i, status_t,
 			if (!id_payload)
 			{
 				DBG1(DBG_IKE, "IDir payload missing");
-				return send_notify(this, INVALID_PAYLOAD_TYPE);
+				return send_delete(this);
 			}
 			id = id_payload->get_identification(id_payload);
 			if (!id->matches(id, this->other_auth->get(this->other_auth,
@@ -1042,7 +1054,7 @@ METHOD(task_t, process_i, status_t,
 			{
 				DBG1(DBG_IKE, "IDir does not match");
 				id->destroy(id);
-				return send_notify(this, INVALID_ID_INFORMATION);
+				return send_delete(this);
 			}
 			this->ike_sa->set_other_id(this->ike_sa, id);
 
@@ -1051,12 +1063,12 @@ METHOD(task_t, process_i, status_t,
 														 message) != SUCCESS)
 			{
 				DESTROY_IF(authenticator);
-				return send_notify(this, AUTHENTICATION_FAILED);
+				return send_delete(this);
 			}
 			authenticator->destroy(authenticator);
 			if (!check_constraints(this))
 			{
-				return send_notify(this, AUTHENTICATION_FAILED);
+				return send_delete(this);
 			}
 			save_auth_cfg(this, FALSE);