Commit dc8b479eb8 for strongswan.org

commit dc8b479eb890c52acc8034f03855d3539c9ec64b
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Wed May 20 13:49:44 2026 +0200

    ike-init: Fix key derivation if SA is reset after IKE_INTERMEDIATE retransmits

    Because the `derived` flag was not reset (it's set after the initial
    IKE_SA_INIT exchange), no keys would get derived when sending
    IKE_INTERMEDIATE during the next try.  As there is then no `aead_t`
    available, encrypting the message would fail and the initiation would
    remain stuck.

    Fixes: 0d49ddec2ef5 ("ike-init: Add support for multiple key exchanges")

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index a84df2c669..b7083917ad 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -600,14 +600,7 @@ static bool additional_key_exchange_required(private_ike_init_t *this)
  */
 static void clear_key_exchanges(private_ike_init_t *this)
 {
-	int i;
-
-	for (i = 0; i < MAX_KEY_EXCHANGES; i++)
-	{
-		this->key_exchanges[i].type = 0;
-		this->key_exchanges[i].method = 0;
-		this->key_exchanges[i].done = FALSE;
-	}
+	memset(this->key_exchanges, 0, sizeof(this->key_exchanges));
 	this->ke_index = 0;

 	array_destroy_offset(this->kes, offsetof(key_exchange_t, destroy));
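Review bot: The `memset()` in `clear_key_exchanges()` appears to be the actual fix, but nothing on that line says it now also clears the `derived` flag named in the commit message, which the removed loop left untouched. Presumably `derived` is a member of the `key_exchanges` entries (the struct definition is outside the hunk), so a comment such as `/* zero all per-exchange state, including derived, so keys get derived again after a reset */` would keep a later field-by-field rewrite from reintroducing the stuck initiation. Wholesale zeroing is only safe while the entries hold plain values; if a member ever owns a pointer or other resource, it has to be released before this line. The function's doc comment starts before the hunk and its body continues past it.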