ike-init: Fail if DH group in KE payload does not match proposed group
authorTobias Brunner <tobias@strongswan.org>
Fri, 25 Aug 2017 12:42:51 +0000 (14:42 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 4 Sep 2017 09:02:55 +0000 (11:02 +0200)
src/libcharon/sa/ikev2/tasks/ike_init.c

index 58b7106..9a207ac 100644 (file)
@@ -502,7 +502,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                        this->dh = this->keymat->keymat.create_dh(
                                                                &this->keymat->keymat, this->dh_group);
                }
-               if (this->dh)
+               else if (this->dh)
+               {
+                       this->dh_failed = this->dh->get_dh_group(this->dh) != this->dh_group;
+               }
+               if (this->dh && !this->dh_failed)
                {
                        this->dh_failed = !this->dh->set_other_public_value(this->dh,
                                                                ke_payload->get_key_exchange_data(ke_payload));
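Review bot: The new `else if (this->dh)` branch needs a comment stating why the group is compared: a KE payload whose group differs from the one already negotiated for `this->dh` means the peer's public value belongs to a different group, and passing it to `set_other_public_value` would compute a shared secret against the wrong group, so the exchange must be treated as failed instead. I would add `/* the peer's KE group must match the negotiated one, otherwise the public value is unusable */` above the assignment. Because `dh_failed` is assigned rather than OR'ed on that line, the check presumably relies on `dh_failed` being false on entry; if it can already be set by an earlier path, the assignment clears it and `|=` would be safer. A debug message naming both groups (strongSwan's `DBG1(DBG_IKE, ...)`) on mismatch would also make the failure diagnosable, since the condition on the following line only records a generic failure. The `if` this branch is attached to, and the rest of `process_payloads`, lie outside the hunk.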