From: Tobias Brunner
Date: Fri, 9 Feb 2018 14:13:54 +0000 (+0100)
Subject: child-create: Make sure the returned KE payload uses the proposed DH group
X-Git-Tag: 5.6.3dr1~44^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ecbcfbdaa15b3f94ab33b0431a72809e05cf438d;p=thirdparty%2Fstrongswan.git
child-create: Make sure the returned KE payload uses the proposed DH group
---
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 85dac6d59e..952f9cd779 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -981,7 +981,12 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 this->dh = this->keymat->keymat.create_dh(
 &this->keymat->keymat, this->dh_group);
 }
- if (this->dh)
+ else if (this->dh)
+ {
+ this->dh_failed = this->dh->get_dh_group(this->dh) !=
+ ke_payload->get_dh_group_number(ke_payload);
+ }
+ if (this->dh && !this->dh_failed)
 {
 this->dh_failed = !this->dh->set_other_public_value(this->dh,
 ke_payload->get_key_exchange_data(ke_payload));
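Review bot: The new `else if (this->dh)` branch records a DH group mismatch only by setting `dh_failed`, the same flag the following `set_other_public_value()` call writes. Unless the code that later acts on `dh_failed` (outside this hunk) distinguishes the two, a peer answering with a KE payload for a different group looks the same in the logs as one that sent an invalid public value. I would log at the point of detection, e.g. `DBG1(DBG_IKE, "DH group in received KE payload doesn't match proposed group");`, and put a comment above the branch such as `/* the KE payload's group is peer-controlled; it must match the DH object we already created */`. Both statements also assign `dh_failed` rather than accumulate into it, so if this code can run for more than one KE payload in a message, a later payload would clear an earlier failure; `this->dh_failed |= ...` would keep the flag sticky. The enclosing loop and the rest of `process_payloads` start and end outside the hunk.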