ikev1: Send INITIAL_CONTACT notify in Main Mode
authorThomas Egerer <thomas.egerer@secunet.com>
Thu, 9 Oct 2014 09:13:43 +0000 (11:13 +0200)
committerMartin Willi <martin@revosec.ch>
Thu, 30 Oct 2014 10:53:56 +0000 (11:53 +0100)
We currently send the notify in Main Mode only, as it is explicitly not allowed
by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make
that work, we'd need to handle that notify in Aggressive Mode, which could
allow a MitM to inject such notifies and do some harm.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
src/libcharon/sa/ikev1/tasks/main_mode.c

index 2fb4c6935ab1d9cef9d8a2d470c8f0f24ab06d16..5065e70ffc25216dae39a2250d1dce6763b3b0c0 100644 (file)
@@ -205,6 +205,32 @@ static status_t send_delete(private_main_mode_t *this)
        return ALREADY_DONE;
 }
 
+/**
+ * Add an INITIAL_CONTACT notify if first contact with peer
+ */
+static void add_initial_contact(private_main_mode_t *this, message_t *message,
+                                                               identification_t *idi)
+{
+       identification_t *idr;
+       host_t *host;
+
+       idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
+       if (idr && !idr->contains_wildcards(idr))
+       {
+               if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
+                       this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
+               {
+                       host = this->ike_sa->get_other_host(this->ike_sa);
+                       if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
+                                                                               idi, idr, host->get_family(host)))
+                       {
+                               message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1,
+                                                                       chunk_empty);
+                       }
+               }
+       }
+}
+
 METHOD(task_t, build_i, status_t,
        private_main_mode_t *this, message_t *message)
 {
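Review bot: `add_initial_contact` evaluates `this->peer_cfg->get_unique_policy(this->peer_cfg)` twice inside one condition; reading it once into a local both shortens the check and avoids the repeated call: `unique_policy_t unique = this->peer_cfg->get_unique_policy(this->peer_cfg);` followed by `if (unique != UNIQUE_NO && unique != UNIQUE_NEVER)`. The header comment says only "if first contact with peer", but the code also requires a wildcard-free remote identity and a uniqueness policy other than UNIQUE_NO/UNIQUE_NEVER before `has_contact()` is consulted, so the comment should name those gates, e.g. `Add an INITIAL_CONTACT notify if this is the first contact with the peer: remote ID is concrete (no wildcards), the uniqueness policy is neither UNIQUE_NO nor UNIQUE_NEVER, and the IKE_SA manager knows no existing contact for this ID pair and address family`. `host` returned by `get_other_host()` is dereferenced without a check; if that accessor cannot return NULL at this point, a one-line comment stating so would save the next reader the question, otherwise a guard is needed.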
@@ -311,6 +337,8 @@ METHOD(task_t, build_i, status_t,
                                return send_notify(this, AUTHENTICATION_FAILED);
                        }
 
+                       add_initial_contact(this, message, id);
+
                        this->state = MM_AUTH;
                        return NEED_MORE;
                }