[Swan-commit] Changes to ref refs/heads/master
cagney at vault.libreswan.fi
Sat May 11 14:26:00 UTC 2019
Author: Andrew Cagney <cagney at gnu.org>
Date: Fri May 10 13:47:07 2019 -0400

ikev2: when PAM fails immediately delete the state using STF_FATAL

Presumably when the MITM fails to prove their credentials the first
time it's unlikely they will succeed with their second attempt. Stops
a retransmit going through the same code path triggering a PEXPECT.
Also tweak the cert code path that was triggering the PEXPECT to fail
immediately when re-called.

The code was returning STF_FAIL+v2N which does nothing to the state.
Add note suggesting code should return STF_ZOMBIFY - where
complete_v2_state_transition() sends the now recorded auth-failed
notification and transitions the state to zombie. That way it can
linger, responding to any duplicate and equally invalid auth requests.