ike: Reset local SPI if retrying to connect in state IKE_CONNECTING
authorTobias Brunner <tobias@strongswan.org>
Tue, 29 Aug 2017 07:06:55 +0000 (09:06 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 4 Sep 2017 09:16:00 +0000 (11:16 +0200)
commitc353996191dbc3ab591278917dc3d08169ed1cc2
treead5f70bb406420b1565a3d5df60c6307b9953e69
parenteaedcf8c0054e9439969edfaf11e8e49df0e9c49
ike: Reset local SPI if retrying to connect in state IKE_CONNECTING

In case we send retransmits for an IKE_SA_INIT where we propose a DH
group the responder will reject we might later receive delayed responses
that either contain INVALID_KE_PAYLOAD notifies with the group we already
use or, if we retransmitted an IKE_SA_INIT with the requested group but
then had to restart again, a KE payload with a group different from the
one we proposed.  So far we didn't change the initiator SPI when
restarting the connection, i.e. these delayed responses were processed
and might have caused fatal errors due to a failed DH negotiation or
because of the internal retry counter in the ike-init task.  Changing
the initiator SPI avoids that as we won't process the delayed responses
anymore that caused this confusion.
src/libcharon/sa/ike_sa.c
src/libcharon/sa/ike_sa.h
src/libcharon/sa/ikev2/tasks/ike_init.c