From: Martin Willi
Date: Wed, 21 Apr 2010 06:40:55 +0000 (+0200)
Subject: Ignore DH exchange in CHILD_SA rekeying if the selected proposal contains no DH group
X-Git-Tag: 4.4.0~32
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1f6a707d10b930c73b0b2b3958fbd59a194cd0c7;p=thirdparty%2Fstrongswan.git
Ignore DH exchange in CHILD_SA rekeying if the selected proposal contains no DH group
---
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
index 3f002f2633..bea4f73d5f 100644
--- a/src/libcharon/sa/tasks/child_create.c
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -329,11 +329,11 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 this->dh_group = group;
 return INVALID_ARG;
 }
- else
- {
- DBG1(DBG_IKE, "no acceptable proposal found");
- return FAILED;
- }
+ /* the selected proposal does not use a DH group */
+ DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
+ DESTROY_IF(this->dh);
+ this->dh = NULL;
+ this->dh_group = MODP_NONE;
 }
 if (my_vip == NULL)
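Review bot: The added lines after `return INVALID_ARG;` turn what used to be a hard `FAILED` into a silent continuation without PFS, and the one-line comment does not say that this is a deliberate policy decision. I would expand it to something like `/* selected proposal has no DH group: discard our KE data and continue without PFS; a config that must enforce PFS has to list only proposals with a DH group */`. Whether the selected proposal is always one the local configuration allows is decided outside this hunk (the body of select_and_install starts and ends beyond it), so it is worth confirming that a peer cannot reach this branch with a proposal the local policy did not offer. Also confirm that the later key derivation and installation code tolerates `this->dh == NULL`, since that code is not visible here.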