ike-init: Move creation of DH instance after INVALID_KE_PAYLOAD to build_i()
authorTobias Brunner <tobias@strongswan.org>
Fri, 2 Feb 2018 09:26:36 +0000 (10:26 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 9 Feb 2018 09:20:05 +0000 (10:20 +0100)
This way we get proper error handling if the DH group the peer requested
is not actually supported for some reason (otherwise we'd just retry to
initiate with the configured group and get back another notify).

src/libcharon/sa/ikev2/tasks/ike_init.c

index d75d217..635c32c 100644 (file)
@@ -544,6 +544,18 @@ METHOD(task_t, build_i, status_t,
                        return FAILED;
                }
        }
+       else if (this->dh->get_dh_group(this->dh) != this->dh_group)
+       {       /* reset DH instance if group changed (INVALID_KE_PAYLOAD) */
+               this->dh->destroy(this->dh);
+               this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+                                                                                                 this->dh_group);
+               if (!this->dh)
+               {
+                       DBG1(DBG_IKE, "requested DH group %N not supported",
+                                diffie_hellman_group_names, this->dh_group);
+                       return FAILED;
+               }
+       }
 
        /* generate nonce only when we are trying the first time */
        if (this->my_nonce.ptr == NULL)
@@ -929,12 +941,6 @@ METHOD(task_t, migrate, void,
        this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
        this->proposal = NULL;
        this->dh_failed = FALSE;
-       if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group)
-       {       /* reset DH value only if group changed (INVALID_KE_PAYLOAD) */
-               this->dh->destroy(this->dh);
-               this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
-                                                                                                 this->dh_group);
-       }
 }
 
 METHOD(task_t, destroy, void,