From: Tobias Brunner Date: Fri, 9 Feb 2018 14:27:50 +0000 (+0100) Subject: child-create: Fail if we already retried with a requested DH group X-Git-Tag: 5.6.3dr1~44^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f1bf89ed9a3ef7b85e11c9e81bda1322773bebb;p=thirdparty%2Fstrongswan.git child-create: Fail if we already retried with a requested DH group With faulty peers that always return the same unusable DH group in INVALID_KE_PAYLOADs we'd otherwise get stuck in a loop.
---
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index f39c623493..c90af23b99 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -1570,6 +1570,15 @@ METHOD(task_t, process_i, status_t,
 memcpy(&group, data.ptr, data.len);
 group = ntohs(group);
 }
+ if (this->retry)
+ {
+ DBG1(DBG_IKE, "already retried with DH group %N, ignore"
+ "requested %N", diffie_hellman_group_names,
+ this->dh_group, diffie_hellman_group_names, group);
+ handle_child_sa_failure(this, message);
+ /* an error in CHILD_SA creation is not critical */
+ return SUCCESS;
+ }
 DBG1(DBG_IKE, "peer didn't accept DH group %N, "
 "it requested %N", diffie_hellman_group_names,
 this->dh_group, diffie_hellman_group_names, group);
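Review bot: The two adjacent string literals in the new DBG1 call concatenate to "...ignorerequested..." because the first literal ends in `ignore"` with no trailing space; change it to `"already retried with DH group %N, ignore "` so the log line reads correctly. The guard itself caps the INVALID_KE_PAYLOAD handling at a single retry regardless of which group the peer names the second time, which is what bounds the renegotiation loop the description mentions, but nothing next to the flag says so; a short comment on `if (this->retry)` such as `/* allow only one DH group retry so a misbehaving peer cannot keep us renegotiating */` would make that bound explicit. Where `this->retry` is set is not visible in this hunk, so I am assuming it is raised on the first retry path below. process_i's body starts and continues outside the hunk.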