child-create: Make sure the returned KE payload uses the proposed DH group
authorTobias Brunner <tobias@strongswan.org>
Fri, 9 Feb 2018 14:13:54 +0000 (15:13 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 23 Feb 2018 08:25:46 +0000 (09:25 +0100)
src/libcharon/sa/ikev2/tasks/child_create.c

index 85dac6d..952f9cd 100644 (file)
@@ -981,7 +981,12 @@ static void process_payloads(private_child_create_t *this, message_t *message)
                                        this->dh = this->keymat->keymat.create_dh(
                                                                                &this->keymat->keymat, this->dh_group);
                                }
-                               if (this->dh)
+                               else if (this->dh)
+                               {
+                                       this->dh_failed = this->dh->get_dh_group(this->dh) !=
+                                                                       ke_payload->get_dh_group_number(ke_payload);
+                               }
+                               if (this->dh && !this->dh_failed)
                                {
                                        this->dh_failed = !this->dh->set_other_public_value(this->dh,
                                                                ke_payload->get_key_exchange_data(ke_payload));
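Review bot: The new `else if (this->dh)` branch sets `this->dh_failed` on a DH group mismatch without logging anything, so the failure is indistinguishable afterwards from a failing `set_other_public_value()` a few lines below. A message at that point would help when diagnosing a peer that answers with a group other than the one of the DH object already held, for example `DBG1(DBG_IKE, "DH group in received KE payload doesn't match the proposed group");` guarded by `if (this->dh_failed)`. A one-line comment above the branch, such as `/* an existing DH object must match the group of the received KE payload */`, would also record why the check exists. The condition of the preceding `if` and the rest of `process_payloads` lie outside the hunk, so how `dh_failed` is reported later cannot be confirmed from here.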