From: Tobias Brunner Date: Wed, 1 Apr 2020 07:48:56 +0000 (+0200) Subject: child-create: Properly handle DH group during migration when reestablishing X-Git-Tag: 5.9.0dr1~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0184a69b7b14b91d13d30906b6e3da2ab155c608;p=thirdparty%2Fstrongswan.git child-create: Properly handle DH group during migration when reestablishing If such a task was active while reestablishing it will get queued on the new IKE_SA. If the DH group is already set, the DH groups won't be stripped from the proposals and a KE payload will be sent, which is invalid during IKE_AUTH. We don't want to reset the group if the task is part of a child-rekey task. --- diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index a642a76861..278d09a606 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -1853,7 +1853,10 @@ METHOD(task_t, migrate, void, { this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); } - + if (!this->rekey) + { + this->dh_group = MODP_NONE; + } this->ike_sa = ike_sa; this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa); this->proposal = NULL;
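Review bot: The new `if (!this->rekey)` block in migrate() has no comment, so the reason for the rekey exception is recorded only in the commit message. A short comment above it would make the condition self-explanatory: a DH group left set keeps the DH groups in the proposals and causes a KE payload to be sent during IKE_AUTH, while a task that is part of a child-rekey must keep its group. The hunk also removes the blank line that separated the proposals cleanup from the assignments, so the reset now runs straight into `this->ike_sa = ike_sa;`. A blank line after the closing brace would keep the grouping readable. These lines do not show whether `dh_group` is chosen again if the queued task later runs as its own CREATE_CHILD_SA exchange instead of within IKE_AUTH. That is worth confirming, since the reset applies to every non-rekey migration.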