From: Tobias Brunner
Date: Fri, 2 Feb 2018 09:59:25 +0000 (+0100)
Subject: ike-init: Make DH group reuse optional to test INVALID_KE_PAYLOAD handling
X-Git-Tag: 5.6.2rc1~19^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=576d9b907c4cde0d4b11daf382c6ea625b45d619;p=thirdparty%2Fstrongswan.git

ike-init: Make DH group reuse optional to test INVALID_KE_PAYLOAD handling

This is currently not an issue for CHILD_SA rekeying tests as these only check rekeyings of the CHILD_SA created with the IKE_SA, i.e. there is no previous DH group to reuse.
---

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index dae9a4dc79..10225df740 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -534,7 +534,8 @@ METHOD(task_t, build_i, status_t,
 /* if we are retrying after an INVALID_KE_PAYLOAD we already have one */
 if (!this->dh)
 {
- if (this->old_sa)
+ if (this->old_sa && lib->settings->get_bool(lib->settings,
+ "%s.prefer_previous_dh_group", TRUE, lib->ns))
 { /* reuse the DH group we used for the old IKE_SA when rekeying */
 proposal_t *proposal;
 uint16_t dh_group;
diff --git a/src/libcharon/tests/suites/test_ike_rekey.c b/src/libcharon/tests/suites/test_ike_rekey.c
index ba39657a44..e22a0c2883 100644
--- a/src/libcharon/tests/suites/test_ike_rekey.c
+++ b/src/libcharon/tests/suites/test_ike_rekey.c
@@ -138,6 +138,8 @@ START_TEST(test_regular_ke_invalid)
 lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
 TRUE, lib->ns);
+ lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+ FALSE, lib->ns);
 initiate_rekey(a);
@@ -382,6 +384,8 @@ START_TEST(test_collision_ke_invalid)
 lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
 TRUE, lib->ns);
+ lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+ FALSE, lib->ns);
 /* Six nonces and SPIs are needed (SPI 1 and 2 are used for the initial
 * IKE_SA):
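Review bot: The `prefer_previous_dh_group` lookup added to the `if (this->old_sa && ...)` condition in ike_init.c introduces a runtime setting that nothing in the hunk explains, and neither of the two files in this commit documents the option. Because it is read from `lib->settings` under `lib->ns`, it is presumably settable by operators as well as by the tests, and it changes which DH group the initiator proposes when rekeying an IKE_SA. I would extend the existing comment to say so, e.g. `/* reuse the DH group of the old IKE_SA when rekeying, unless prefer_previous_dh_group is disabled (default: enabled; tests turn it off to provoke INVALID_KE_PAYLOAD) */`. What is selected when the condition is false lies outside the hunk, as do the start and end of build_i.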
@@ -591,6 +595,8 @@ START_TEST(test_collision_ke_invalid_delayed_retry)
 lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals",
 TRUE, lib->ns);
+ lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group",
+ FALSE, lib->ns);
 /* Five nonces and SPIs are needed (SPI 1 and 2 are used for the initial
 * IKE_SA):