From: Tobias Brunner
Date: Fri, 25 Aug 2017 12:42:51 +0000 (+0200)
Subject: ike-init: Fail if DH group in KE payload does not match proposed group
X-Git-Tag: 5.6.1dr2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd371590ab6960e5c7664a751d3d3f7001a8a48e;p=thirdparty%2Fstrongswan.git
ike-init: Fail if DH group in KE payload does not match proposed group
---
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 58b710616e..9a207ac6b1 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -502,7 +502,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 this->dh = this->keymat->keymat.create_dh(
 &this->keymat->keymat, this->dh_group);
 }
- if (this->dh)
+ else if (this->dh)
+ {
+ this->dh_failed = this->dh->get_dh_group(this->dh) != this->dh_group;
+ }
+ if (this->dh && !this->dh_failed)
 {
 this->dh_failed = !this->dh->set_other_public_value(this->dh,
 ke_payload->get_key_exchange_data(ke_payload));
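Review bot: The new `else if (this->dh)` branch sets `this->dh_failed` on a group mismatch without recording or logging which group the peer actually sent, so whatever reports the failure later cannot distinguish "peer answered with a different DH group than we proposed" from "peer sent an unusable public value" (the branch below sets the same flag). A diagnostic in the new block, something like `DBG1(DBG_IKE, "DH group %N in KE payload does not match proposed group %N", diffie_hellman_group_names, this->dh_group, diffie_hellman_group_names, this->dh->get_dh_group(this->dh));`, would make this negotiation failure attributable in the log; if the existing failure path already logs the groups, a short comment saying so in the branch would do instead. A minor style point: the plain assignment overwrites any earlier value of `this->dh_failed`, so if the flag can already be true when this branch runs (not visible in the hunk), `|=` would be the safer form. The enclosing `process_payloads` starts and ends outside the hunk.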