From: Tobias Brunner
Date: Fri, 2 Feb 2018 09:48:21 +0000 (+0100)
Subject: child-rekey: Use previously negotiated DH group when rekeying CHILD_SAs
X-Git-Tag: 5.6.2rc1~19^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27b0bd91d486c0438c5b02de320f6dc313612421;p=thirdparty%2Fstrongswan.git

child-rekey: Use previously negotiated DH group when rekeying CHILD_SAs

For the CHILD_SA created with the IKE_SA the group won't be set in the proposal, so we will use the first one configure just as if the SA was created new with a CREATE_CHILD_SA exchange. I guess we could theoretically try to use the DH group negotiated for IKE but then this would get a lot more complicated as we'd have to check if that group is actually contained in any of the CHILD_SA's configured proposals.
---
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index b67e9b80f0..f90056658f 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2017 Tobias Brunner
+ * Copyright (C) 2009-2018 Tobias Brunner
 * Copyright (C) 2005-2007 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * HSR Hochschule fuer Technik Rapperswil
@@ -190,8 +190,18 @@ METHOD(task_t, build_i, status_t,
 /* our CHILD_CREATE task does the hard work for us */
 if (!this->child_create)
 {
+ proposal_t *proposal;
+ uint16_t dh_group;
+
 this->child_create = child_create_create(this->ike_sa,
 config->get_ref(config), TRUE, NULL, NULL);
+
+ proposal = this->child_sa->get_proposal(this->child_sa);
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+ &dh_group, NULL))
+ { /* reuse the DH group negotiated previously */
+ this->child_create->use_dh_group(this->child_create, dh_group);
+ }
 }
 reqid = this->child_sa->get_reqid(this->child_sa);
 this->child_create->use_reqid(this->child_create, reqid);
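Review bot: In build_i, the previously negotiated `dh_group` is passed to `use_dh_group()` with no visible check that it is still part of the CHILD_SA's configured proposals, so if the configuration was tightened after the SA was set up (a group removed on reload, say) the rekey may keep requesting the old group, unless child_create filters it, which this hunk does not show. The description mentions that containment check only for the IKE group, so it is worth confirming for this path as well. The case where `get_algorithm()` returns false is explained only in the commit message; I would carry it into the code with a comment such as `/* no group in the proposal of the CHILD_SA created with the IKE_SA: the first configured one is used */` after the block. `get_proposal()` is dereferenced unchecked, presumably safe for an established CHILD_SA, and build_i starts and ends outside the hunk.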