From: Tobias Brunner
Date: Wed, 28 Nov 2018 14:52:27 +0000 (+0100)
Subject: ikev2: Ignore COOKIE notifies we already received
X-Git-Tag: 5.7.2dr4~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01f462f0d327bc202b88cce1d5ee3f0e90056be2;p=thirdparty%2Fstrongswan.git
ikev2: Ignore COOKIE notifies we already received
This could be due to a delayed response to an IKE_SA_INIT retransmit.
Fixes #2837.
---
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index b5086182b4..b570904e21 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -890,6 +890,20 @@ METHOD(task_t, pre_process_i, status_t,
 switch (type)
 {
+ case COOKIE:
+ {
+ chunk_t cookie;
+
+ cookie = notify->get_notification_data(notify);
+ if (chunk_equals(cookie, this->cookie))
+ {
+ DBG1(DBG_IKE, "ignore response with duplicate COOKIE "
+ "notify");
+ enumerator->destroy(enumerator);
+ return FAILED;
+ }
+ break;
+ }
 case REDIRECT:
 {
 identification_t *gateway;
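Review bot: The new `case COOKIE:` branch has no comment saying why a repeated cookie is dropped, so the rationale lives only in the commit message; I would add `/* most likely a delayed response to a retransmitted IKE_SA_INIT, ignore it instead of restarting the exchange again */` above the `chunk_equals()` check. Because an IKE_SA_INIT response is not authenticated at this stage, the comment should also state that `return FAILED` is meant to discard only this message and keep the IKE_SA; the caller's handling of FAILED is outside the hunk, so that is presumed rather than visible. The comparison covers only the single value held in `this->cookie`, so a late response carrying an older, different cookie would still pass this check; whether that matters depends on code not shown here. `pre_process_i` begins and ends outside the hunk.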