child-create: Properly handle DH group during migration when reestablishing
author Tobias Brunner <tobias@strongswan.org>
Wed, 1 Apr 2020 07:48:56 +0000 (09:48 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Thu, 7 May 2020 13:05:55 +0000 (15:05 +0200)
If such a task was active while reestablishing it will get queued on the
new IKE_SA.  If the DH group is already set, the DH groups won't be
stripped from the proposals and a KE payload will be sent, which is invalid
during IKE_AUTH.  We don't want to reset the group if the task is part of a
child-rekey task.

src/libcharon/sa/ikev2/tasks/child_create.c

index a642a76..278d09a 100644 (file)
@@ -1853,7 +1853,10 @@ METHOD(task_t, migrate, void,
        {
                this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
        }
-
+       if (!this->rekey)
+       {
+               this->dh_group = MODP_NONE;
+       }
        this->ike_sa = ike_sa;
        this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
        this->proposal = NULL;
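
Review bot: The new `if (!this->rekey)` block in migrate() carries no comment saying why the DH group is cleared or why a rekey is exempt, so the reasoning lives only in the commit message. A short comment above the condition, along the lines of "reset the group so the proposals get stripped and no KE payload is sent during IKE_AUTH on the new IKE_SA; keep it when the task is part of a child-rekey task", would stop a later cleanup from dropping the check. The hunk also removes the blank line that separated the proposals cleanup from the assignments below, so the new block now runs straight into `this->ike_sa = ike_sa;`; an empty line after the closing brace would keep the grouping readable.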