From: Tobias Brunner
Date: Fri, 17 Jun 2016 16:19:48 +0000 (+0200)
Subject: ikev1: Don't retransmit Aggressive Mode response
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fikev1-am-no-retransmit;p=thirdparty%2Fstrongswan.git
ikev1: Don't retransmit Aggressive Mode response
These could theoretically be used for an amplified DDoS attack.
---
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index b0c4f5f849..7964fbe9e4 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -743,8 +743,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 continue;
 case NEED_MORE:
 /* processed, but task needs another exchange */
- if (task->get_type(task) == TASK_QUICK_MODE ||
- task->get_type(task) == TASK_AGGRESSIVE_MODE)
+ if (task->get_type(task) == TASK_QUICK_MODE)
 { /* we rely on initiator retransmission, except for
 * three-message exchanges */
 expect_request = TRUE;
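Review bot: The comment kept under the changed condition in the `NEED_MORE` case, `/* we rely on initiator retransmission, except for three-message exchanges */`, no longer describes the code, because Aggressive Mode is itself a three-message exchange and is now excluded. I would reword it to state the rule and its reason, for example `/* we rely on initiator retransmission, except for Quick Mode; Aggressive Mode responses are not retransmitted because they could be abused for amplification */`. With `expect_request` no longer set for `TASK_AGGRESSIVE_MODE`, a lost response is presumably recovered only when the initiator resends its first message; the code that handles that retransmit is outside this hunk, so it is worth confirming that it resends the stored response. `build_response` starts and ends outside the hunk.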