child-create: Properly handle DH group during migration when reestablishing

If such a task was active while reestablishing it will get queued on the
new IKE_SA.  If the DH group is already set, the DH groups won't be
stripped from the proposals and a KE payload will be sent, which is invalid
during IKE_AUTH.  We don't want to reset the group if the task is part of a
child-rekey task.

diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index a642a76861b044efcbc8816d362f5689c471628e..278d09a6068fea8c29858a09bc1261e0938cdeb3 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -1853,7 +1853,10 @@ METHOD(task_t, migrate, void,
        {
                this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
        }
-
+       if (!this->rekey)
+       {
+               this->dh_group = MODP_NONE;
+       }
        this->ike_sa = ike_sa;
        this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
        this->proposal = NULL;