Diffstat (limited to 'src')
4 files changed, 20 insertions, 6 deletions
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
index ea1889a61..8d4b04b66 100644
--- a/src/libcharon/sa/authenticator.c
+++ b/src/libcharon/sa/authenticator.c
@@ -127,7 +127,7 @@ authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
 case AUTH_XAUTH_RESP_PSK:
 return (authenticator_t*)psk_v1_authenticator_create(ike_sa, initiator, dh, dh_value, sa_payload,
- id_payload);
+ id_payload, FALSE);
 case AUTH_RSA:
 case AUTH_XAUTH_INIT_RSA:
 case AUTH_XAUTH_RESP_RSA:
diff --git a/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c b/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c
index f1bc1ecc2..689f5f376 100644
--- a/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/hybrid_authenticator.c
@@ -16,6 +16,7 @@
 #include "hybrid_authenticator.h"
 #include <daemon.h>
+#include <sa/ikev1/authenticators/psk_v1_authenticator.h>
 typedef struct private_hybrid_authenticator_t private_hybrid_authenticator_t;
@@ -89,10 +90,10 @@ hybrid_authenticator_t *hybrid_authenticator_create(ike_sa_t *ike_sa,
 .destroy = _destroy,
 },
 },
+ .hash = (authenticator_t*)psk_v1_authenticator_create(ike_sa, initiator,
+ dh, dh_value, sa_payload, id_payload, TRUE),
 .sig = authenticator_create_v1(ike_sa, initiator, AUTH_RSA, dh,
- dh_value, sa_payload, id_payload),
- .hash = authenticator_create_v1(ike_sa, initiator, AUTH_PSK,
- dh, dh_value, sa_payload, chunk_clone(id_payload)),
+ dh_value, sa_payload, chunk_clone(id_payload)),
 );
 if (!this->sig || !this->hash)
 {
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
index ce794a286..769c0dad3 100644
--- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
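Review bot: The new `.hash` initializer in hybrid_authenticator_create builds the PSK authenticator directly with `hybrid = TRUE` and casts it to `authenticator_t*`, but nothing at the call site says why the previous `authenticator_create_v1(..., AUTH_PSK, ...)` route is no longer usable; the reason lives only in psk_v1_authenticator.c, so a later cleanup could plausibly revert it. A short comment above the `.hash` line would pin the intent: `/* hybrid = TRUE: the HASH check must not record AUTH_CLASS_PSK for the peer */`. The hunk also swaps which side receives the original `id_payload` and which the `chunk_clone` (the hash side now owns the original); since the header documents `id_payload` as "gets owned" that looks fine, but it is an unmentioned ownership change worth a word in the commit message. The `INIT(this, ...)` block starts before this hunk and the `!this->sig || !this->hash` failure path continues after it, so the cleanup of `id_payload` on that path is not visible here.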
@@ -60,6 +60,11 @@ struct private_psk_v1_authenticator_t {
 * Encoded ID payload, without fixed header
 */
 chunk_t id_payload;
+
+ /**
+ * Used for Hybrid authentication to build hash without PSK?
+ */
+ bool hybrid;
 };
 METHOD(authenticator_t, build, status_t,
@@ -90,6 +95,7 @@ METHOD(authenticator_t, process, status_t,
 hash_payload_t *hash_payload;
 keymat_v1_t *keymat;
 chunk_t hash, dh;
+ auth_cfg_t *auth;
 hash_payload = (hash_payload_t*)message->get_payload(message, HASH_V1);
 if (!hash_payload)
@@ -107,6 +113,11 @@ METHOD(authenticator_t, process, status_t,
 if (chunk_equals(hash, hash_payload->get_hash(hash_payload)))
 {
 free(hash.ptr);
+ if (!this->hybrid)
+ {
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+ }
 return SUCCESS;
 }
 free(hash.ptr);
@@ -127,7 +138,7 @@ METHOD(authenticator_t, destroy, void,
 psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa, bool initiator, diffie_hellman_t *dh, chunk_t dh_value, chunk_t sa_payload,
- chunk_t id_payload)
+ chunk_t id_payload, bool hybrid)
 {
 private_psk_v1_authenticator_t *this;
@@ -146,6 +157,7 @@ psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa,
 .dh_value = dh_value,
 .sa_payload = sa_payload,
 .id_payload = id_payload,
+ .hybrid = hybrid,
 );
 return &this->public;
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h
index 194b96456..d48410074 100644
--- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.h
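Review bot: The doc comment on the new `hybrid` field ends in a question mark (`Used for Hybrid authentication to build hash without PSK?`), which reads as an open question rather than a contract, and the only use of the flag in this diff is in process(), where it suppresses the `AUTH_RULE_AUTH_CLASS`/`AUTH_CLASS_PSK` record after a successful HASH match. Suggest stating what the code visibly does: `/** TRUE when used by the hybrid authenticator: a verified HASH then does not record AUTH_CLASS_PSK for the peer */`. Separately, the new auth-class record is gated by the `chunk_equals` on the context line above it; if that is the plain memcmp-based compare, the authentication HASH check is not constant-time — pre-existing rather than introduced here, but this is exactly the spot where a constant-time compare belongs, so it is worth a follow-up. process() begins before and ends after this hunk, so the failure path following the second `free(hash.ptr)` is not visible.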
@@ -46,11 +46,12 @@ struct psk_v1_authenticator_t {
 * @param sa_payload generated SA payload data, without payload header
 * @param id_payload encoded ID payload of peer to authenticate or verify
 * without payload header (gets owned)
+ * @param hybrid TRUE if used for hybrid authentication without PSK
 * @return PSK authenticator
 */
 psk_v1_authenticator_t *psk_v1_authenticator_create(ike_sa_t *ike_sa, bool initiator, diffie_hellman_t *dh, chunk_t dh_value, chunk_t sa_payload,
- chunk_t id_payload);
+ chunk_t id_payload, bool hybrid);
 #endif /** PSK_V1_AUTHENTICATOR_H_ @}*/
|