From: Tobias Brunner Date: Thu, 18 Oct 2012 16:09:16 +0000 (+0200) Subject: Remove all ESP proposals with non-matching DH group during Quick Mode X-Git-Tag: 5.0.2dr4~265 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f48e7272322941f23abf9b517a13bf54dde3f79f;p=thirdparty%2Fstrongswan.git Remove all ESP proposals with non-matching DH group during Quick Mode According to RFC 2409, section 5.5, if PFS is used all proposals MUST include the selected DH group, so we remove proposals without the proposed group and remove other DH groups from the remaining proposals.
---
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 82a7238c37..0795894751 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -735,11 +735,33 @@ METHOD(task_t, build_i, status_t,
 		DBG1(DBG_IKE, "allocating SPI from kernel failed");
 		return FAILED;
 	}
+	group = this->config->get_dh_group(this->config);
+	if (group != MODP_NONE)
+	{
+		this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+												  group);
+		if (!this->dh)
+		{
+			DBG1(DBG_IKE, "configured DH group %N not supported",
+				 diffie_hellman_group_names, group);
+			return FAILED;
+		}
+	}
 	list = this->config->get_proposals(this->config, FALSE);
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &proposal))
 	{
+		if (group != MODP_NONE)
+		{
+			if (!proposal->has_dh_group(proposal, group))
+			{
+				list->remove_at(list, enumerator);
+				proposal->destroy(proposal);
+				continue;
+			}
+			proposal->strip_dh(proposal, group);
+		}
 		proposal->set_spi(proposal, this->spi_i);
 	}
 	enumerator->destroy(enumerator);
 
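Review bot: If none of the configured proposals contains the selected DH group, the new filter loop removes every entry and build_i continues with an empty `list`, so the SA payload would be assembled without any proposal instead of failing with a clear diagnostic. Right after `enumerator->destroy(enumerator);` add `if (list->get_count(list) == 0) { DBG1(DBG_IKE, "no ESP proposal contains configured DH group %N", diffie_hellman_group_names, group); return FAILED; }`, releasing `list` the same way the surrounding code does on its other error paths, unless build_i already rejects an empty list further down. Failing closed here makes a PFS misconfiguration visible in the local log, which matches the RFC 2409 section 5.5 requirement the commit message cites. build_i starts before this hunk and continues past it, so the ownership of `list` and `this->dh` on the early-return paths cannot be confirmed from the hunk alone.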
@@ -755,18 +777,8 @@ METHOD(task_t, build_i, status_t,
 	{
 		return FAILED;
 	}
-
-	group = this->config->get_dh_group(this->config);
 	if (group != MODP_NONE)
 	{
-		this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
-												  group);
-		if (!this->dh)
-		{
-			DBG1(DBG_IKE, "configured DH group %N not supported",
-				 diffie_hellman_group_names, group);
-			return FAILED;
-		}
 		add_ke(this, message);
 	}
 	if (!this->tsi)