child-create: Fail if we already retried with a requested DH group

With faulty peers that always return the same unusable DH group in
INVALID_KE_PAYLOADs we'd otherwise get stuck in a loop.

diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index f39c623493b5b695393f6b673589a74644e39e45..c90af23b9939db561998e27b12b206f39fd946e1 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -1570,6 +1570,15 @@ METHOD(task_t, process_i, status_t,
                                                memcpy(&group, data.ptr, data.len);
                                                group = ntohs(group);
                                        }
+                                       if (this->retry)
+                                       {
+                                               DBG1(DBG_IKE, "already retried with DH group %N, ignore"
+                                                        "requested %N", diffie_hellman_group_names,
+                                                        this->dh_group, diffie_hellman_group_names, group);
+                                               handle_child_sa_failure(this, message);
+                                               /* an error in CHILD_SA creation is not critical */
+                                               return SUCCESS;
+                                       }
                                        DBG1(DBG_IKE, "peer didn't accept DH group %N, "
                                                 "it requested %N", diffie_hellman_group_names,
                                                 this->dh_group, diffie_hellman_group_names, group);