]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
projects / thirdparty / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d058fd3)
ike-init: Move creation of DH instance after INVALID_KE_PAYLOAD to build_i()
authorTobias Brunner <tobias@strongswan.org>
Fri, 2 Feb 2018 09:26:36 +0000 (10:26 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 9 Feb 2018 09:20:05 +0000 (10:20 +0100)
This way we get proper error handling if the DH group the peer requested
is not actually supported for some reason (otherwise we'd just retry to
initiate with the configured group and get back another notify).

src/libcharon/sa/ikev2/tasks/ike_init.c patch | blob | blame | history

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index d75d217150e5038d56c483ca037fef9401d18d93..635c32c0d2ee799d039f9565891291ddab452a16 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -544,6 +544,18 @@ METHOD(task_t, build_i, status_t,
                        return FAILED;
                }
        }
+       else if (this->dh->get_dh_group(this->dh) != this->dh_group)
+       {       /* reset DH instance if group changed (INVALID_KE_PAYLOAD) */
+               this->dh->destroy(this->dh);
+               this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+                                                                                                 this->dh_group);
+               if (!this->dh)
+               {
+                       DBG1(DBG_IKE, "requested DH group %N not supported",
+                                diffie_hellman_group_names, this->dh_group);
+                       return FAILED;
+               }
+       }
 
        /* generate nonce only when we are trying the first time */
        if (this->my_nonce.ptr == NULL)
@@ -929,12 +941,6 @@ METHOD(task_t, migrate, void,
        this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
        this->proposal = NULL;
        this->dh_failed = FALSE;
-       if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group)
-       {       /* reset DH value only if group changed (INVALID_KE_PAYLOAD) */
-               this->dh->destroy(this->dh);
-               this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
-                                                                                                 this->dh_group);
-       }
 }
 
 METHOD(task_t, destroy, void,
Unnamed repository; edit this file 'description' to name the repository.