ikev1: Don't retransmit Aggressive Mode response

These could theoretically be used for an amplified DDoS attack.

diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index b0c4f5f849372295b2124fda8fd6f23759ab220b..7964fbe9e4c5954dc3310794649ea1ed8d6d91bb 100644 (file)
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -743,8 +743,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
                                continue;
                        case NEED_MORE:
                                /* processed, but task needs another exchange */
-                               if (task->get_type(task) == TASK_QUICK_MODE ||
-                                       task->get_type(task) == TASK_AGGRESSIVE_MODE)
+                               if (task->get_type(task) == TASK_QUICK_MODE)
                                {       /* we rely on initiator retransmission, except for
                                         * three-message exchanges */
                                        expect_request = TRUE;