ikev1: Send INITIAL_CONTACT notify in Main Mode
We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
This commit is contained in:
parent
8131d180a8
commit
11b42933bf
|
@ -205,6 +205,32 @@ static status_t send_delete(private_main_mode_t *this)
|
|||
return ALREADY_DONE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Add an INITIAL_CONTACT notify if first contact with peer
|
||||
*/
|
||||
static void add_initial_contact(private_main_mode_t *this, message_t *message,
|
||||
identification_t *idi)
|
||||
{
|
||||
identification_t *idr;
|
||||
host_t *host;
|
||||
|
||||
idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
|
||||
if (idr && !idr->contains_wildcards(idr))
|
||||
{
|
||||
if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
|
||||
this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
|
||||
{
|
||||
host = this->ike_sa->get_other_host(this->ike_sa);
|
||||
if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
|
||||
idi, idr, host->get_family(host)))
|
||||
{
|
||||
message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1,
|
||||
chunk_empty);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
METHOD(task_t, build_i, status_t,
|
||||
private_main_mode_t *this, message_t *message)
|
||||
{
|
||||
|
@ -311,6 +337,8 @@ METHOD(task_t, build_i, status_t,
|
|||
return send_notify(this, AUTHENTICATION_FAILED);
|
||||
}
|
||||
|
||||
add_initial_contact(this, message, id);
|
||||
|
||||
this->state = MM_AUTH;
|
||||
return NEED_MORE;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue