ike-init: Send USE_PPK notify as appropriate

src/libcharon/sa/ikev2/tasks/ike_init.c

@@ -269,6 +269,38 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this,
 	}
 }
 
+/**
+ * Check whether to send a USE_PPK notify
+ */
+static bool send_use_ppk(private_ike_init_t *this)
+{
+	peer_cfg_t *peer;
+	enumerator_t *keys;
+	shared_key_t *key;
+	bool use_ppk = FALSE;
+
+	if (this->initiator)
+	{
+		peer = this->ike_sa->get_peer_cfg(this->ike_sa);
+		if (peer->get_ppk_id(peer))
+		{
+			use_ppk = TRUE;
+		}
+	}
+	else if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK))
+	{
+		/* check if we have at least one PPK available */
+		keys = lib->credmgr->create_shared_enumerator(lib->credmgr, SHARED_PPK,
+													  NULL, NULL);
+		if (keys->enumerate(keys, &key, NULL, NULL))
+		{
+			use_ppk = TRUE;
+		}
+		keys->destroy(keys);
+	}
+	return use_ppk;
+}
+
 /**
  * build the payloads for the message
  */
@@ -396,6 +428,11 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 								chunk_empty);
 		}
 	}
+	/* notify the peer if we want to use/support PPK */
+	if (!this->old_sa && send_use_ppk(this))
+	{
+		message->add_notify(message, FALSE, USE_PPK, chunk_empty);
+	}
 	return TRUE;
 }
 
@@ -510,6 +547,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 							handle_supported_hash_algorithms(this, notify);
 						}
 						break;
+					case USE_PPK:
+						if (!this->old_sa)
+						{
+							this->ike_sa->enable_extension(this->ike_sa,
+														   EXT_PPK);
+						}
+						break;
 					case REDIRECTED_FROM:
 					{
 						identification_t *gateway;