From 0184a69b7b14b91d13d30906b6e3da2ab155c608 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 1 Apr 2020 09:48:56 +0200
Subject: [PATCH] child-create: Properly handle DH group during migration when reestablishing

If such a task was active while reestablishing it will get queued on the new IKE_SA. If the DH group is already set, the DH groups won't be stripped from the proposals and a KE payload will be sent, which is invalid during IKE_AUTH. We don't want to reset the group if the task is part of a child-rekey task.
---
 src/libcharon/sa/ikev2/tasks/child_create.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index a642a76861..278d09a606 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -1853,7 +1853,10 @@ METHOD(task_t, migrate, void,
 {
 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
 }
-
+ if (!this->rekey)
+ {
+ this->dh_group = MODP_NONE;
+ }
 this->ike_sa = ike_sa;
 this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
 this->proposal = NULL;
-- 
2.47.2
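Review bot: The new `if (!this->rekey)` guard in migrate() has no comment, so the reason for clearing `dh_group`, and for skipping the reset when rekeying, is recorded only in the commit message. A short comment above the guard would keep the protocol constraint next to the code, for example `/* reset the DH group unless rekeying, otherwise a KE payload would be sent in IKE_AUTH after reestablishing */`. The hunk also removes the blank line that separated the proposals cleanup from the following statements; keeping a blank line before the new block would preserve that grouping. migrate()'s body starts and ends outside the hunk, so whether other DH-related state of the task is reset alongside `dh_group` cannot be judged from the visible lines.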