diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 38fa4de..08c8d9e 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -1486,12 +1486,14 @@ typedef enum {
 v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */
 v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */
 v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */
-
- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */
-
- /* 16432 - 40969 Unassigned */
+ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */
+ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */
+ v2N_PUZZLE = 16434, /* RFC-8019 */
+ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */
+
+ /* 16438 - 40969 Unassigned */
 /* 40960 - 65535 Private Use */
 } v2_notification_t;
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index ab6db3e..a0dab63 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = {
 };
 */
-static const char *const ikev2_notify_name_private[] = {
- "v2N_USE_PPK",
- "v2N_PPK_IDENTITY",
- "v2N_NO_PPK_AUTH",
-};
-
-static enum_names ikev2_notify_names_private = {
- v2N_USE_PPK,
- v2N_NO_PPK_AUTH,
- ARRAY_REF(ikev2_notify_name_private),
- "v2N_", /* prefix */
- NULL
-};
-
 /* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */
 static const char *const ikev2_notify_name_16384[] = {
 "v2N_INITIAL_CONTACT", /* 16384 */
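Review bot: The new range comment `/* 16438 - 40969 Unassigned */` overlaps the following `/* 40960 - 65535 Private Use */` line, so the two comments disagree on where the unassigned block ends; since the private-use range on the next line starts at 40960, the consistent value is `/* 16438 - 40959 Unassigned */`. The overlap was already present in the removed `16432 - 40969` line, but this hunk rewrites it, so this is the place to correct it. It is also worth stating in the commit message that the three PPK codes move out of the private-use range, so a peer still using the -01 draft values 40960-40962 will no longer match these enumerators.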
@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = {
 "v2N_SENDER_REQUEST_ID",
 "v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */
 "v2N_SIGNATURE_HASH_ALGORITHMS",
+ "v2N_CLONE_IKE_SA_SUPPORTED",
+ "v2N_CLONE_IKE_SA",
+ "v2N_PUZZLE",
+ "v2N_USE_PPK", /* 16435 */
+ "v2N_PPK_IDENTITY",
+ "v2N_NO_PPK_AUTH",
 };
 static enum_names ikev2_notify_names_16384 = {
 v2N_INITIAL_CONTACT,
- v2N_SIGNATURE_HASH_ALGORITHMS,
+ v2N_NO_PPK_AUTH,
 ARRAY_REF(ikev2_notify_name_16384),
 "v2N_", /* prefix */
- &ikev2_notify_names_private
+ NULL
 };
 static const char *const ikev2_notify_name[] = {
diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index 258ba85..b86eea8 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
 break;
 }
- if (LIN(POLICY_PPK_ALLOW, policy)) {
- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
+ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
- return STF_FATAL;
- }
- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
- st->st_no_ppk_auth = no_ppk_auth;
- } else {
- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK");
+ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
+ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
+ return STF_FATAL;
 }
+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
+ st->st_no_ppk_auth = no_ppk_auth;
 break;
 }
 case v2N_MOBIKE_SUPPORTED:
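Review bot: `ikev2_notify_name_16384` appears to be resolved positionally from `v2N_INITIAL_CONTACT` (ARRAY_REF supplies only the element count), so the six appended strings and the new upper bound `v2N_NO_PPK_AUTH` are only correct while the enumerators 16432-16437 in ietf_constants.h stay contiguous with 16431; nothing in this table checks that. Suggest a comment above the array, `/* positional: index = value - v2N_INITIAL_CONTACT; keep in lockstep with v2_notification_t */`, and an index marker on the final entry like the one added for 16435. With `&ikev2_notify_names_private` replaced by `NULL`, a notification carrying the old private-use codes will presumably be printed as a bare number rather than a name, which looks intended but deserves a line in the commit message.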
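Review bot: On the `in_raw` failure path the chunk just obtained from `alloc_chunk(len, "NO_PPK_AUTH")` is not released before `return STF_FATAL`; since the commit rewrites these lines, add `freeanychunk(no_ppk_auth);` ahead of the return. The store `st->st_no_ppk_auth = no_ppk_auth;` also overwrites whatever an earlier NO_PPK_AUTH notify in the same message left there without releasing it, so a `freeanychunk(st->st_no_ppk_auth);` before the assignment (or rejecting a duplicate notify) would close that leak as well. Now that the payload is extracted regardless of POLICY_PPK_ALLOW, a one-line comment saying that the allow/insist decision is taken after the notify loop would help the next reader. The enclosing function starts and continues outside the hunk.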
@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
 }
 }
- /* if we found proper PPK ID, we should use that without fallback to no ppk */
- if (found_ppk)
+ /*
+ * If we found proper PPK ID and policy allows PPK, use that.
+ * Otherwise use NO_PPK_AUTH
+ */
+ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy))
 freeanychunk(st->st_no_ppk_auth);
 if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) {
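Review bot: With the new condition, a peer whose PPK_IDENTITY matched (`found_ppk`) on a connection without POLICY_PPK_ALLOW now keeps `st_no_ppk_auth` and, per the rewritten comment, proceeds with NO_PPK_AUTH; nothing in the hunk logs that the offered PPK was set aside, so that decision leaves no trace in the logs. A `libreswan_log` line in that case, in the spirit of the `ignored received NO_PPK_AUTH` message the previous hunk removed, would keep the behaviour auditable. As a style point, the `if` body is a single unbraced statement under a two-term condition; braces would make the scope unambiguous. The enclosing function and the code that sets `found_ppk` lie outside the hunk.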