ike-init: Make DH group reuse optional to test INVALID_KE_PAYLOAD handling

This is currently not an issue for CHILD_SA rekeying tests as these only
check rekeyings of the CHILD_SA created with the IKE_SA, i.e. there is
no previous DH group to reuse.

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index dae9a4dc796ab46da4f3c240c80f488317842e08..10225df74008b81133a412f96895f055b0ffcd7e 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -534,7 +534,8 @@ METHOD(task_t, build_i, status_t,
        /* if we are retrying after an INVALID_KE_PAYLOAD we already have one */
        if (!this->dh)
        {
-               if (this->old_sa)
+               if (this->old_sa && lib->settings->get_bool(lib->settings,
+                                                               "%s.prefer_previous_dh_group", TRUE, lib->ns))
                {       /* reuse the DH group we used for the old IKE_SA when rekeying */
                        proposal_t *proposal;
                        uint16_t dh_group;

diff --git a/src/libcharon/tests/suites/test_ike_rekey.c b/src/libcharon/tests/suites/test_ike_rekey.c
index ba39657a4499ecce368d9638221a9951959c82a0..e22a0c288354f0db89f58ebbda28394ba450aa68 100644 (file)
--- a/src/libcharon/tests/suites/test_ike_rekey.c
+++ b/src/libcharon/tests/suites/test_ike_rekey.c
@@ -138,6 +138,8 @@ START_TEST(test_regular_ke_invalid)
 
        lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
                                                        TRUE, lib->ns);
+       lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+                                                       FALSE, lib->ns);
 
        initiate_rekey(a);
 
@@ -382,6 +384,8 @@ START_TEST(test_collision_ke_invalid)
 
        lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
                                                        TRUE, lib->ns);
+       lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+                                                       FALSE, lib->ns);
 
        /* Six nonces and SPIs are needed (SPI 1 and 2 are used for the initial
         * IKE_SA):
@@ -591,6 +595,8 @@ START_TEST(test_collision_ke_invalid_delayed_retry)
 
        lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
                                                        TRUE, lib->ns);
+       lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+                                                       FALSE, lib->ns);
 
        /* Five nonces and SPIs are needed (SPI 1 and 2 are used for the initial
         * IKE_SA):