libreswan/libreswan-3.23-ppk-update.patch
Paul Wouters f9eee4360c * Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
- Support crypto-policies package
- Pull in some patches from upstream and IANA registry updates
- gcc7 format-truncate fixes and workarounds
2018-02-19 18:13:58 -05:00


diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 38fa4de..08c8d9e 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -1486,12 +1486,14 @@ typedef enum {
v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */
v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */
v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */
-
- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */
-
- /* 16432 - 40969 Unassigned */
+ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */
+ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */
+ v2N_PUZZLE = 16434, /* RFC-8019 */
+ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */
+
+ /* 16438 - 40969 Unassigned */
/* 40960 - 65535 Private Use */
} v2_notification_t;
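Review bot: The two range comments at the end of the enum now overlap: the added `/* 16438 - 40969 Unassigned */` runs into the existing `/* 40960 - 65535 Private Use */`, so 40960–40969 is described twice. The unassigned range should stop just before the private-use block, i.e. `/* 16438 - 40959 Unassigned */`. Moving v2N_USE_PPK, v2N_PPK_IDENTITY and v2N_NO_PPK_AUTH from 40960–40962 to 16435–16437 also means a peer still sending the old private-use values will no longer be recognised as PPK notifies; if that interop cut-off is intended, a one-line comment on the three new entries saying the earlier draft used 40960–40962 would save the next reader a registry lookup.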
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index ab6db3e..a0dab63 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = {
};
*/
-static const char *const ikev2_notify_name_private[] = {
- "v2N_USE_PPK",
- "v2N_PPK_IDENTITY",
- "v2N_NO_PPK_AUTH",
-};
-
-static enum_names ikev2_notify_names_private = {
- v2N_USE_PPK,
- v2N_NO_PPK_AUTH,
- ARRAY_REF(ikev2_notify_name_private),
- "v2N_", /* prefix */
- NULL
-};
-
/* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */
static const char *const ikev2_notify_name_16384[] = {
"v2N_INITIAL_CONTACT", /* 16384 */
@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = {
"v2N_SENDER_REQUEST_ID",
"v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */
"v2N_SIGNATURE_HASH_ALGORITHMS",
+ "v2N_CLONE_IKE_SA_SUPPORTED",
+ "v2N_CLONE_IKE_SA",
+ "v2N_PUZZLE",
+ "v2N_USE_PPK", /* 16435 */
+ "v2N_PPK_IDENTITY",
+ "v2N_NO_PPK_AUTH",
};
static enum_names ikev2_notify_names_16384 = {
v2N_INITIAL_CONTACT,
- v2N_SIGNATURE_HASH_ALGORITHMS,
+ v2N_NO_PPK_AUTH,
ARRAY_REF(ikev2_notify_name_16384),
"v2N_", /* prefix */
- &ikev2_notify_names_private
+ NULL
};
static const char *const ikev2_notify_name[] = {
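Review bot: The upper bound of `ikev2_notify_names_16384` is now hand-maintained against the string table: the struct's last value becomes `v2N_NO_PPK_AUTH,` while the array gains six entries ending in `"v2N_NO_PPK_AUTH",`, and nothing in the hunk ties the two together, so the next registry update can silently shift every name after the mismatch. A short comment on the changed line, `v2N_NO_PPK_AUTH, /* must be the last entry of ikev2_notify_name_16384 */`, would flag the invariant; the inline index markers (`/* 16430 */`, `/* 16435 */`) are helpful and it would be worth adding `/* 16437 */` on the final entry as well. The table's chain pointer being set to `NULL` is consistent with the private table deleted in the earlier hunk of this file.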
diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index 258ba85..b86eea8 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
break;
}
- if (LIN(POLICY_PPK_ALLOW, policy)) {
- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
+ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
- return STF_FATAL;
- }
- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
- st->st_no_ppk_auth = no_ppk_auth;
- } else {
- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK");
+ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
+ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
+ return STF_FATAL;
}
+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
+ st->st_no_ppk_auth = no_ppk_auth;
break;
}
case v2N_MOBIKE_SUPPORTED:
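Review bot: The chunk allocated by `no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");` is leaked on the error path that follows it: when `in_raw()` fails the code logs and does `return STF_FATAL;` without releasing the buffer, and because extraction is now unconditional this path is reachable for every connection, not only PPK-enabled ones. Adding `freeanychunk(no_ppk_auth);` before the `return STF_FATAL;` closes it. The assignment `st->st_no_ppk_auth = no_ppk_auth;` also overwrites any chunk already held there; if a peer can repeat the NO_PPK_AUTH notify in one exchange, the earlier allocation would be lost too, so freeing the previous value first (or rejecting a duplicate) is worth considering. ikev2_parent_inI2outR2_id_tail starts and ends outside this hunk.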
@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
}
}
- /* if we found proper PPK ID, we should use that without fallback to no ppk */
- if (found_ppk)
+ /*
+ * If we found proper PPK ID and policy allows PPK, use that.
+ * Otherwise use NO_PPK_AUTH
+ */
+ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy))
freeanychunk(st->st_no_ppk_auth);
if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) {