Ignore DH exchange in CHILD_SA rekeying if the selected proposal contains no DH group
authorMartin Willi <martin@revosec.ch>
Wed, 21 Apr 2010 06:40:55 +0000 (08:40 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 21 Apr 2010 06:41:46 +0000 (08:41 +0200)
src/libcharon/sa/tasks/child_create.c

index 3f002f2..bea4f73 100644 (file)
@@ -329,11 +329,11 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
                        this->dh_group = group;
                        return INVALID_ARG;
                }
-               else
-               {
-                       DBG1(DBG_IKE, "no acceptable proposal found");
-                       return FAILED;
-               }
+               /* the selected proposal does not use a DH group */
+               DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
+               DESTROY_IF(this->dh);
+               this->dh = NULL;
+               this->dh_group = MODP_NONE;
        }
 
        if (my_vip == NULL)
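Review bot: Removing the `else` drops the `return FAILED` for the "no acceptable proposal found" case, so after the INVALID_ARG exit on the lines above the block now always falls through into the non-PFS handling; whether a proposal that the local configuration does not accept can still reach this point depends on the enclosing condition, which starts above the hunk (select_and_install continues on both sides). Since a rekey that was started with a KE payload is now downgraded to a non-PFS CHILD_SA, the comment should state why that is acceptable, presumably that the peer can only have selected a proposal without a DH group if the local proposal list offered one: `/* the selected proposal does not use a DH group; it can only be one we offered, so dropping the KE exchange stays within what the config allows */`. The DBG1 at that point is the only trace of the downgrade, so keeping it at a level that reaches the default log is worth confirming.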