child-create: Fail if we already retried with a requested DH group
authorTobias Brunner <tobias@strongswan.org>
Fri, 9 Feb 2018 14:27:50 +0000 (15:27 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 23 Feb 2018 08:25:46 +0000 (09:25 +0100)
With faulty peers that always return the same unusable DH group in
INVALID_KE_PAYLOADs we'd otherwise get stuck in a loop.

src/libcharon/sa/ikev2/tasks/child_create.c

index f39c623..c90af23 100644 (file)
@@ -1570,6 +1570,15 @@ METHOD(task_t, process_i, status_t,
                                                memcpy(&group, data.ptr, data.len);
                                                group = ntohs(group);
                                        }
+                                       if (this->retry)
+                                       {
+                                               DBG1(DBG_IKE, "already retried with DH group %N, ignore"
+                                                        "requested %N", diffie_hellman_group_names,
+                                                        this->dh_group, diffie_hellman_group_names, group);
+                                               handle_child_sa_failure(this, message);
+                                               /* an error in CHILD_SA creation is not critical */
+                                               return SUCCESS;
+                                       }
                                        DBG1(DBG_IKE, "peer didn't accept DH group %N, "
                                                 "it requested %N", diffie_hellman_group_names,
                                                 this->dh_group, diffie_hellman_group_names, group);
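Review bot: The two string-literal pieces on the added DBG1 line concatenate to "... ignorerequested ..." because neither fragment carries the separating space; the first fragment should be `"already retried with DH group %N, ignore "` (trailing space), matching the convention of the existing `"peer didn't accept DH group %N, "` line just below. The method process_i begins before this hunk, so where this->retry is set is not visible here, but the new check fails on any second INVALID_KE_PAYLOAD rather than only when the requested group repeats the previous one, which is the tighter bound against a peer that keeps alternating unusable groups. That intent is worth stating on the new branch, e.g. `/* only one retry is allowed, whatever group is requested, so a misbehaving peer cannot keep us looping */`.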