encoding: Remove DH public value verification from KE payload
authorMartin Willi <martin@revosec.ch>
Mon, 23 Mar 2015 13:34:11 +0000 (14:34 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 23 Mar 2015 16:54:03 +0000 (17:54 +0100)
This commit reverts 84738b1a and 2ed5f569.

As we have no DH group available in the KE payload for IKEv1, the verification
can't work in that stage. Instead, we now verify DH groups in the DH backends,
which works for any IKE version or any other purpose.

src/libcharon/encoding/payloads/ke_payload.c

index c2599a6..50fd73f 100644 (file)
@@ -142,79 +142,6 @@ static encoding_rule_t encodings_v1[] = {
 METHOD(payload_t, verify, status_t,
        private_ke_payload_t *this)
 {
-       diffie_hellman_params_t *params;
-       diffie_hellman_group_t g = this->dh_group_number;
-       bool valid = TRUE;
-
-       if (this->type == PLV1_KEY_EXCHANGE)
-       {
-               /* IKEv1 does not transmit the group */
-               return SUCCESS;
-       }
-
-       switch (g)
-       {
-               case MODP_NONE:
-                       valid = FALSE;
-                       break;
-               case MODP_768_BIT:
-               case MODP_1024_BIT:
-               case MODP_1536_BIT:
-               case MODP_2048_BIT:
-               case MODP_3072_BIT:
-               case MODP_4096_BIT:
-               case MODP_6144_BIT:
-               case MODP_8192_BIT:
-               case MODP_1024_160:
-               case MODP_2048_224:
-               case MODP_2048_256:
-                       params = diffie_hellman_get_params(g);
-                       if (params)
-                       {
-                               valid = this->key_exchange_data.len == params->prime.len;
-                       }
-                       break;
-               case ECP_192_BIT:
-                       valid = this->key_exchange_data.len == 48;
-                       break;
-               case ECP_224_BIT:
-               case ECP_224_BP:
-                       valid = this->key_exchange_data.len == 56;
-                       break;
-               case ECP_256_BIT:
-               case ECP_256_BP:
-                       valid = this->key_exchange_data.len == 64;
-                       break;
-               case ECP_384_BIT:
-               case ECP_384_BP:
-                       valid = this->key_exchange_data.len == 96;
-                       break;
-               case ECP_512_BP:
-                       valid = this->key_exchange_data.len == 128;
-                       break;
-               case ECP_521_BIT:
-                       valid = this->key_exchange_data.len == 132;
-                       break;
-               case NTRU_112_BIT:
-               case NTRU_128_BIT:
-               case NTRU_192_BIT:
-               case NTRU_256_BIT:
-                       /* NTRU public key size depends on the parameter set, but is
-                        * at least 512 bytes */
-                       valid = this->key_exchange_data.len > 512;
-                       break;
-               case MODP_NULL:
-               case MODP_CUSTOM:
-                       break;
-               /* compile-warn unhandled groups, but accept them so we can negotiate
-                * a different group that we support. */
-       }
-       if (!valid)
-       {
-               DBG1(DBG_ENC, "invalid KE data size (%zu bytes) for %N",
-                        this->key_exchange_data.len, diffie_hellman_group_names, g);
-               return FAILED;
-       }
        return SUCCESS;
 }