ike-init: Send USE_PPK notify as appropriate
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_init.c
index 295d4e9..28e28e4 100644 (file)
@@ -270,6 +270,38 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this,
 }
 
 /**
+ * Check whether to send a USE_PPK notify
+ */
+static bool send_use_ppk(private_ike_init_t *this)
+{
+       peer_cfg_t *peer;
+       enumerator_t *keys;
+       shared_key_t *key;
+       bool use_ppk = FALSE;
+
+       if (this->initiator)
+       {
+               peer = this->ike_sa->get_peer_cfg(this->ike_sa);
+               if (peer->get_ppk_id(peer))
+               {
+                       use_ppk = TRUE;
+               }
+       }
+       else if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK))
+       {
+               /* check if we have at least one PPK available */
+               keys = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PPK,
+                                                                                                         NULL, NULL);
+               if (keys->enumerate(keys, &key, NULL, NULL))
+               {
+                       use_ppk = TRUE;
+               }
+               keys->destroy(keys);
+       }
+       return use_ppk;
+}
+
+/**
  * build the payloads for the message
  */
 static bool build_payloads(private_ike_init_t *this, message_t *message)
@@ -396,6 +428,11 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
                                                                chunk_empty);
                }
        }
+       /* notify the peer if we want to use/support PPK */
+       if (!this->old_sa && send_use_ppk(this))
+       {
+               message->add_notify(message, FALSE, USE_PPK, chunk_empty);
+       }
        return TRUE;
 }
 
@@ -510,6 +547,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                                                        handle_supported_hash_algorithms(this, notify);
                                                }
                                                break;
+                                       case USE_PPK:
+                                               if (!this->old_sa)
+                                               {
+                                                       this->ike_sa->enable_extension(this->ike_sa,
+                                                                                                                  EXT_PPK);
+                                               }
+                                               break;
                                        case REDIRECTED_FROM:
                                        {
                                                identification_t *gateway;