child-rekey: Use previously negotiated DH group when rekeying CHILD_SAs
authorTobias Brunner <tobias@strongswan.org>
Fri, 2 Feb 2018 09:48:21 +0000 (10:48 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 9 Feb 2018 09:20:05 +0000 (10:20 +0100)
For the CHILD_SA created with the IKE_SA the group won't be set in the
proposal, so we will use the first one configured just as if the SA was
created new with a CREATE_CHILD_SA exchange.  I guess we could
theoretically try to use the DH group negotiated for IKE but then this
would get a lot more complicated as we'd have to check if that group is
actually contained in any of the CHILD_SA's configured proposals.

src/libcharon/sa/ikev2/tasks/child_rekey.c

index b67e9b8..f900566 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2017 Tobias Brunner
+ * Copyright (C) 2009-2018 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -190,8 +190,18 @@ METHOD(task_t, build_i, status_t,
        /* our CHILD_CREATE task does the hard work for us */
        if (!this->child_create)
        {
+               proposal_t *proposal;
+               uint16_t dh_group;
+
                this->child_create = child_create_create(this->ike_sa,
                                                                        config->get_ref(config), TRUE, NULL, NULL);
+
+               proposal = this->child_sa->get_proposal(this->child_sa);
+               if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+                                                                       &dh_group, NULL))
+               {       /* reuse the DH group negotiated previously */
+                       this->child_create->use_dh_group(this->child_create, dh_group);
+               }
        }
        reqid = this->child_sa->get_reqid(this->child_sa);
        this->child_create->use_reqid(this->child_create, reqid);
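Review bot: The DH group read from the old CHILD_SA's proposal is passed to `use_dh_group()` in the new block under `if (!this->child_create)` with no visible check that it is still part of the currently configured proposals. If the configuration was reloaded after the SA was established, for instance to retire a weaker group, the rekey would presumably keep proposing the old group or send a KE payload that matches none of the proposals; whether `child_create` guards against this is not visible here, as `build_i` starts and ends outside the hunk. `proposal` is also dereferenced without a NULL check, which relies on `get_proposal()` always returning a proposal for an SA that is being rekeyed. At minimum I would state the assumption in the comment, e.g. `/* reuse the DH group negotiated previously, assumes it is still in the configured proposals */`.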