RFC 7296, section 2.21.3:
If a peer parsing a request notices that it is badly formatted (after
it has passed the message authentication code checks and window
checks) and it returns an INVALID_SYNTAX notification, then this
error notification is considered fatal in both peers, meaning that
the IKE SA is deleted without needing an explicit Delete payload.
return DESTROY_ME;
}
+ /* handle fatal INVALID_SYNTAX notifies */
+ switch (message->get_exchange_type(message))
+ {
+ case CREATE_CHILD_SA:
+ case INFORMATIONAL:
+ if (message->get_notify(message, INVALID_SYNTAX))
+ {
+ DBG1(DBG_IKE, "received %N notify error, destroying IKE_SA",
+ notify_type_names, INVALID_SYNTAX);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ return DESTROY_ME;
+ }
+ break;
+ default:
+ break;
+ }
+
enumerator = array_create_enumerator(this->active_tasks);
while (enumerator->enumerate(enumerator, &task))
{
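Review bot: The added `switch` destroys the IKE_SA on any INVALID_SYNTAX notify in a CREATE_CHILD_SA or INFORMATIONAL message, but its comment does not say that this is only safe because the message has already been authenticated, which is the condition the quoted RFC 7296 text attaches to the fatal handling. Whether the integrity and window checks have run before this point is not visible here, since the enclosing function starts and ends outside the hunk, so that should be confirmed and then documented. I would expand the comment to something like `/* INVALID_SYNTAX is fatal (RFC 7296, 2.21.3); honoured only in exchanges protected by the IKE_SA, never in unauthenticated IKE_SA_INIT, so a forged notify cannot tear down the SA */`. The early `return DESTROY_ME;` also runs before the active tasks below see the message, so any per-task failure handling is skipped; presumably destroying the IKE_SA covers that, but it deserves a word in the comment.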