ikev2: Handle INVALID_SYNTAX after IKE_AUTH by deleting IKE_SA

When serving as a responder and receiving an INFORMATIONAL exchange containing INVALID_SYNTAX after IKE_AUTH, the IKE_SA should be deleted. Currently, it only gets deleted after receiving AUTHENTICATION_FAILED. RFC7296 section 2.21.2 says: In an IKE_AUTH exchange, or in the INFORMATIONAL exchange immediately following it (in case an error happened when processing a response to IKE_AUTH), the UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, and AUTHENTICATION_FAILED notifications are the only ones to cause the IKE SA to be deleted or not created, without a Delete payload. Closes strongswan/strongswan#2636
2025-10-03 00:00:24 -04:00 · 2025-01-27 21:48:35 -08:00 · 2025-01-27 21:48:35 -08:00 · 543a4c86f9
commit 543a4c86f9
parent d38eaa6dd7
1 changed files with 5 additions and 3 deletions
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@ -1269,10 +1269,12 @@ static status_t process_request(private_task_manager_t *this,
 									task = (task_t*)ike_auth_lifetime_create(
 															this->ike_sa, FALSE);
 									break;
+								case INVALID_SYNTAX:
 								case AUTHENTICATION_FAILED:
-									/* initiator failed to authenticate us.
-									 * We use ike_delete to handle this, which
-									 * invokes all the required hooks. */
+									/* initiator failed to authenticate us or
+									 * parse our response. we use ike_delete to
+									 * handle this, which invokes all the
+									 * required hooks */
 									task = (task_t*)ike_delete_create(
 														this->ike_sa, FALSE);
 									break;