Remove all ESP proposals with non-matching DH group during Quick Mode

According to RFC 2409, section 5.5, if PFS is used all proposals MUST
include the selected DH group, so we remove proposals without the
proposed group and remove other DH groups from the remaining proposals.

diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 82a7238c37fd86cf107cbc77f36905614a17a718..07958947518318fd481bc07e438386de4ba9502d 100644 (file)
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -735,11 +735,33 @@ METHOD(task_t, build_i, status_t,
                                DBG1(DBG_IKE, "allocating SPI from kernel failed");
                                return FAILED;
                        }
+                       group = this->config->get_dh_group(this->config);
+                       if (group != MODP_NONE)
+                       {
+                               this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+                                                                                                                 group);
+                               if (!this->dh)
+                               {
+                                       DBG1(DBG_IKE, "configured DH group %N not supported",
+                                                diffie_hellman_group_names, group);
+                                       return FAILED;
+                               }
+                       }
 
                        list = this->config->get_proposals(this->config, FALSE);
                        enumerator = list->create_enumerator(list);
                        while (enumerator->enumerate(enumerator, &proposal))
                        {
+                               if (group != MODP_NONE)
+                               {
+                                       if (!proposal->has_dh_group(proposal, group))
+                                       {
+                                               list->remove_at(list, enumerator);
+                                               proposal->destroy(proposal);
+                                               continue;
+                                       }
+                                       proposal->strip_dh(proposal, group);
+                               }
                                proposal->set_spi(proposal, this->spi_i);
                        }
                        enumerator->destroy(enumerator);
@@ -755,18 +777,8 @@ METHOD(task_t, build_i, status_t,
                        {
                                return FAILED;
                        }
-
-                       group = this->config->get_dh_group(this->config);
                        if (group != MODP_NONE)
                        {
-                               this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
-                                                                                                                 group);
-                               if (!this->dh)
-                               {
-                                       DBG1(DBG_IKE, "configured DH group %N not supported",
-                                                diffie_hellman_group_names, group);
-                                       return FAILED;
-                               }
                                add_ke(this, message);
                        }
                        if (!this->tsi)