Try to rekey without KE exchange if peer returns INVALID_KE_PAYLOAD(NONE)
authorMartin Willi <martin@revosec.ch>
Fri, 8 Jun 2012 08:35:02 +0000 (10:35 +0200)
committerMartin Willi <martin@revosec.ch>
Fri, 8 Jun 2012 08:35:02 +0000 (10:35 +0200)
According to RFC5996, implementations should just ignore the KE payload
if they select a non-PFS proposal. Some implementations don't, but
return MODP_NONE in INVALID_KE_PAYLOAD, hence we accept that, too.

src/libcharon/sa/ikev2/tasks/child_create.c

index f0cb24a..1148eba 100644 (file)
@@ -171,6 +171,11 @@ struct private_child_create_t {
         * whether the CHILD_SA rekeys an existing one
         */
        bool rekey;
+
+       /**
+        * whether we are retrying with another DH group
+        */
+       bool retry;
 };
 
 /**
@@ -725,7 +730,7 @@ METHOD(task_t, build_i, status_t,
                                message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
                                return SUCCESS;
                        }
-                       if (this->dh_group == MODP_NONE)
+                       if (!this->retry)
                        {
                                this->dh_group = this->config->get_dh_group(this->config);
                        }
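Review bot: Replacing `if (this->dh_group == MODP_NONE)` with `if (!this->retry)` widens the case in which the configured group is loaded: a dh_group set on the task before its first build_i, which the old condition preserved, is now overwritten by `this->config->get_dh_group(this->config)`. If no code path sets dh_group before build_i this is harmless, but it is worth confirming, since the commit message only motivates the MODP_NONE retry case. The intent of the flag is also easier to read with a comment on the condition, e.g. `/* on a retry keep the group from INVALID_KE_PAYLOAD, which may be MODP_NONE */`. build_i starts and ends outside the hunk.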
@@ -1112,6 +1117,7 @@ METHOD(task_t, process_i, status_t,
                                        DBG1(DBG_IKE, "peer didn't accept DH group %N, "
                                                 "it requested %N", diffie_hellman_group_names,
                                                 this->dh_group, diffie_hellman_group_names, group);
+                                       this->retry = TRUE;
                                        this->dh_group = group;
                                        this->public.task.migrate(&this->public.task, this->ike_sa);
                                        enumerator->destroy(enumerator);
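Review bot: `this->dh_group = group;` now adopts whatever group the peer's INVALID_KE_PAYLOAD names, and with this commit that includes MODP_NONE, so a responder can turn a PFS rekey into one without a DH exchange. Unless process_i, which starts outside the hunk, has already verified that `group` belongs to one of the locally configured proposals, a misconfigured or hostile peer can strip PFS from the CHILD_SA; if that check is absent, the retry should be refused and the rejected group logged rather than applied. As far as the hunk shows nothing bounds the retries either: `this->retry` is only ever set to TRUE, so a peer answering each attempt with another group keeps the task migrating, and a small retry counter checked before `migrate` would close that. A comment on the new line would help a later reader, e.g. `/* retry with the peer's group; build_i must not reload the configured one */`.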
@@ -1322,6 +1328,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
                .ipcomp = IPCOMP_NONE,
                .ipcomp_received = IPCOMP_NONE,
                .rekey = rekey,
+               .retry = FALSE,
        );
 
        if (config)