From: Tobias Brunner
Date: Thu, 26 Jul 2018 13:20:30 +0000 (+0200)
Subject: ike-init: Send USE_PPK notify as appropriate
X-Git-Tag: 5.7.0rc1~19^2~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=600b10685280cc4d4d60db64093bc5d9c22882ca;p=thirdparty%2Fstrongswan.git

ike-init: Send USE_PPK notify as appropriate
---

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 295d4e9d95..28e28e4106 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -269,6 +269,38 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this,
 }
 }
 
+/**
+ * Check whether to send a USE_PPK notify
+ */
+static bool send_use_ppk(private_ike_init_t *this)
+{
+ peer_cfg_t *peer;
+ enumerator_t *keys;
+ shared_key_t *key;
+ bool use_ppk = FALSE;
+
+ if (this->initiator)
+ {
+ peer = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (peer->get_ppk_id(peer))
+ {
+ use_ppk = TRUE;
+ }
+ }
+ else if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK))
+ {
+ /* check if we have at least one PPK available */
+ keys = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PPK,
+ NULL, NULL);
+ if (keys->enumerate(keys, &key, NULL, NULL))
+ {
+ use_ppk = TRUE;
+ }
+ keys->destroy(keys);
+ }
+ return use_ppk;
+}
+
 /**
 * build the payloads for the message
 */
@@ -396,6 +428,11 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 chunk_empty);
 }
 }
+ /* notify the peer if we want to use/support PPK */
+ if (!this->old_sa && send_use_ppk(this))
+ {
+ message->add_notify(message, FALSE, USE_PPK, chunk_empty);
+ }
 return TRUE;
 }
 
@@ -510,6 +547,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 handle_supported_hash_algorithms(this, notify);
 }
 break;
+ case USE_PPK:
+ if (!this->old_sa)
+ {
+ this->ike_sa->enable_extension(this->ike_sa,
+ EXT_PPK);
+ }
+ break;
 case REDIRECTED_FROM:
 {
 identification_t *gateway;
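Review bot: The header comment on `send_use_ppk` only says it checks whether to send the notify; the two role-dependent rules the body implements deserve to be spelled out so the responder branch is not mistaken for a per-peer PPK match. Suggested header: `Check whether to send a USE_PPK notify: as initiator, if the peer config has a PPK_ID; as responder, only if the initiator announced EXT_PPK and at least one PPK is configured (not necessarily one for this peer, since the shared-key enumerator is created with NULL identities)`. That responder branch therefore advertises PPK support based on global PPK availability, which is fine as a capability signal, but the comment should make clear that the per-peer lookup happens later. `get_peer_cfg` is presumably non-NULL when the initiator builds IKE_SA_INIT; if it can be NULL on this path, `peer->get_ppk_id(peer)` needs a guard.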
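Review bot: The new `case USE_PPK` enables EXT_PPK regardless of role and of whether this side announced PPK support itself, so an initiator with no PPK_ID configured still records EXT_PPK when a responder sends an unsolicited notify. If the later PPK handling in ike_auth keys off the configured PPK_ID rather than EXT_PPK this is harmless, but tying the extension to our own announcement, e.g. `if (!this->old_sa && (!this->initiator || send_use_ppk(this)))`, would make the stored state reflect an actual mutual agreement; this is inferred, as ike_auth is not in the hunk. Silently dropping the notify when `this->old_sa` is set during a rekey is reasonable, though a debug-level log there would make troubleshooting easier. The enclosing switch and process_payloads continue outside the hunk.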