authorThomas Egerer <thomas.egerer@secunet.com>2014-10-09 11:13:43 +0200
committerMartin Willi <martin@revosec.ch>2014-10-30 11:53:56 +0100
commit11b42933bf3896acaa7fb2efef8689c04d9224b1 (patch)
tree3934a71752fd4f7ddf2aa26ad0c4870e6b73f615
parent8131d180a81159273c7f6e1aefee85144921453b (diff)
ikev1: Send INITIAL_CONTACT notify in Main Mode
We currently send the notify in Main Mode only, because RFC 2407 explicitly disallows sending (unprotected) notifications in Aggressive Mode. To support it there, we would need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
-rw-r--r--src/libcharon/sa/ikev1/tasks/main_mode.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 2fb4c6935..5065e70ff 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -205,6 +205,32 @@ static status_t send_delete(private_main_mode_t *this)
return ALREADY_DONE;
}
+/**
+ * Add an INITIAL_CONTACT notify if first contact with peer
+ */
+static void add_initial_contact(private_main_mode_t *this, message_t *message,
+ identification_t *idi)
+{
+ identification_t *idr;
+ host_t *host;
+
+ idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
+ if (idr && !idr->contains_wildcards(idr))
+ {
+ if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
+ this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
+ {
+ host = this->ike_sa->get_other_host(this->ike_sa);
+ if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
+ idi, idr, host->get_family(host)))
+ {
+ message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1,
+ chunk_empty);
+ }
+ }
+ }
+}
+
METHOD(task_t, build_i, status_t,
private_main_mode_t *this, message_t *message)
{
@@ -311,6 +337,8 @@ METHOD(task_t, build_i, status_t,
return send_notify(this, AUTHENTICATION_FAILED);
}
+ add_initial_contact(this, message, id);
+
this->state = MM_AUTH;
return NEED_MORE;
}
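Review bot: In the first hunk, `add_initial_contact` calls `this->peer_cfg->get_unique_policy()` twice and nests three `if`s around what is a single yes/no decision, which makes it hard to see at a glance when the notify is suppressed; a local for the policy and guard clauses flatten it without changing what is sent. The header comment should also record why the notify is gated, since two of the conditions are silent: a remote ID containing wildcards cannot be matched by `has_contact()`, and a unique policy of `UNIQUE_NO`/`UNIQUE_NEVER` means the peer would not act on the notify anyway. A sentence noting that this only runs from the authentication stage of `build_i` (the second hunk, where it is presumably carried in an encrypted Main Mode message, as the commit description implies) would help the next reader; `build_i` itself starts and ends outside the hunk. The rewritten function below keeps the same signature and emits the same notify under the same conditions.
```c
/**
 * Add an INITIAL_CONTACT notify if this is the first contact with the peer.
 *
 * Skipped when the configured remote ID contains wildcards (it cannot be
 * matched against existing SAs) or when the unique policy is UNIQUE_NO or
 * UNIQUE_NEVER (the peer would not act on the notify).
 */
static void add_initial_contact(private_main_mode_t *this, message_t *message,
								identification_t *idi)
{
	identification_t *idr;
	host_t *host;
	unique_policy_t policy;

	idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
	if (!idr || idr->contains_wildcards(idr))
	{
		return;
	}
	policy = this->peer_cfg->get_unique_policy(this->peer_cfg);
	if (policy == UNIQUE_NO || policy == UNIQUE_NEVER)
	{
		return;
	}
	host = this->ike_sa->get_other_host(this->ike_sa);
	if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
											 idi, idr, host->get_family(host)))
	{
		message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1, chunk_empty);
	}
}
```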