authorRene Mayrhofer <rene@mayrhofer.eu.org>2009-10-21 11:18:20 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2009-10-21 11:18:20 +0000
commita9b7f8d4a4a4202facd9690580b38542e7933f00 (patch)
treed82a9d506c62cff257e5292845b68df3ca5c60dc /src/charon/config
parent12263dccbbb6747d53b97333c3d6f0f17e1bffea (diff)
downloadvyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.tar.gz
vyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.zip
- New upstream release.
- Don't disable internal crypto plugins, pluto expects to find them in some cases. - Enable integrity checking.
Diffstat (limited to 'src/charon/config')
-rw-r--r--src/charon/config/attributes/attribute_manager.c2
-rw-r--r--src/charon/config/backend_manager.c2
-rw-r--r--src/charon/config/child_cfg.c30
-rw-r--r--src/charon/config/child_cfg.h12
-rw-r--r--src/charon/config/peer_cfg.c70
-rw-r--r--src/charon/config/proposal.c3
6 files changed, 53 insertions, 66 deletions
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
index 83e431c43..bf45fdb42 100644
--- a/src/charon/config/attributes/attribute_manager.c
+++ b/src/charon/config/attributes/attribute_manager.c
@@ -260,7 +260,7 @@ attribute_manager_t *attribute_manager_create()
this->providers = linked_list_create();
this->handlers = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index 3a3a78466..cfd611858 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -438,7 +438,7 @@ backend_manager_t *backend_manager_create()
this->public.destroy = (void (*)(backend_manager_t*))destroy;
this->backends = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 43e41671a..990ee3fd6 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -345,35 +345,6 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
}
/**
- * Implementation of child_cfg_t.equal_traffic_selectors.
- */
-bool equal_traffic_selectors(private_child_cfg_t *this, bool local,
- linked_list_t *ts_list, host_t *host)
-{
- linked_list_t *this_list;
- traffic_selector_t *this_ts, *ts;
- bool result;
-
- this_list = (local) ? this->my_ts : this->other_ts;
-
- /* currently equality is established for single traffic selectors only */
- if (this_list->get_count(this_list) != 1 || ts_list->get_count(ts_list) != 1)
- {
- return FALSE;
- }
-
- this_list->get_first(this_list, (void**)&this_ts);
- this_ts = this_ts->clone(this_ts);
- this_ts->set_address(this_ts, host);
- ts_list->get_first(ts_list, (void**)&ts);
-
- result = ts->equals(ts, this_ts);
-
- this_ts->destroy(this_ts);
- return result;
-}
-
-/**
* Implementation of child_cfg_t.get_updown.
*/
static char* get_updown(private_child_cfg_t *this)
@@ -525,7 +496,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
this->public.get_name = (char* (*) (child_cfg_t*))get_name;
this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector;
this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
- this->public.equal_traffic_selectors = (bool (*)(child_cfg_t*,bool,linked_list_t*,host_t*))equal_traffic_selectors;
this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 185fee3da..33c75701c 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -150,18 +150,6 @@ struct child_cfg_t {
linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
linked_list_t *supplied,
host_t *host);
-
- /**
- * Checks [single] traffic selectors for equality
- *
- * @param local TRUE for TS on local side, FALSE for remote
- * @param ts list with single traffic selector to compare with
- * @param host address to use for narrowing "dynamic" TS', or NULL
- * @return TRUE if TS are equal, FALSE otherwise
- */
- bool (*equal_traffic_selectors)(child_cfg_t *this, bool local,
- linked_list_t *ts_list, host_t *host);
-
/**
* Get the updown script to run for the CHILD_SA.
*
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index da796d6a2..f096f269e 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -250,22 +250,46 @@ static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
}
/**
- * Check if child_cfg contains traffic selectors
+ * Check how good a list of TS matches a given child config
*/
-static int contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts,
- host_t *host)
+static int get_ts_match(child_cfg_t *cfg, bool local,
+ linked_list_t *sup_list, host_t *host)
{
- linked_list_t *selected;
- int prio;
+ linked_list_t *cfg_list;
+ enumerator_t *sup_enum, *cfg_enum;
+ traffic_selector_t *sup_ts, *cfg_ts;
+ int match = 0, round;
- if (child->equal_traffic_selectors(child, mine, ts, host))
+ /* fetch configured TS list, narrowing dynamic TS */
+ cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
+
+ /* use a round counter to rate leading TS with higher priority */
+ round = sup_list->get_count(sup_list);
+
+ sup_enum = sup_list->create_enumerator(sup_list);
+ while (sup_enum->enumerate(sup_enum, &sup_ts))
{
- return 2;
+ cfg_enum = cfg_list->create_enumerator(cfg_list);
+ while (cfg_enum->enumerate(cfg_enum, &cfg_ts))
+ {
+ if (cfg_ts->equals(cfg_ts, sup_ts))
+ { /* equality is honored better than matches */
+ match += round * 5;
+ }
+ else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
+ sup_ts->is_contained_in(sup_ts, cfg_ts))
+ {
+ match += round * 1;
+ }
+ }
+ cfg_enum->destroy(cfg_enum);
+ round--;
}
- selected = child->get_traffic_selectors(child, mine, ts, host);
- prio = selected->get_count(selected) ? 1 : 0;
- selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy));
- return prio;
+ sup_enum->destroy(sup_enum);
+
+ cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy));
+
+ return match;
}
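Review bot: The scoring weights in get_ts_match are unexplained magic numbers: `match += round * 5;` for equality and `match += round * 1;` for containment, so a reader cannot tell whether 5 was chosen so that one exact match outranks a full round of containment matches or is arbitrary. Naming them, e.g. `enum { TS_MATCH_EQUAL = 5, TS_MATCH_CONTAINED = 1 };`, and extending the comment above the outer loop to say that match is a weighted sum over every cfg/sup pair (so a config with several overlapping selectors scores higher than one with a single exact fit) would make the selection rule reviewable. The `* 1` on the containment branch is redundant and reads as a leftover. The list returned by cfg->get_traffic_selectors is dereferenced without a NULL check; if that call can fail it needs a guard, though the removed contains_ts made the same assumption.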
/**
@@ -279,21 +303,23 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
child_cfg_t *current, *found = NULL;
enumerator_t *enumerator;
int best = 0;
-
- DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
+
+ DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
enumerator = create_child_cfg_enumerator(this);
while (enumerator->enumerate(enumerator, &current))
{
- int prio = contains_ts(current, TRUE, my_ts, my_host) +
- contains_ts(current, FALSE, other_ts, other_host);
-
- if (prio)
+ int my_prio, other_prio;
+
+ my_prio = get_ts_match(current, TRUE, my_ts, my_host);
+ other_prio = get_ts_match(current, FALSE, other_ts, other_host);
+
+ if (my_prio && other_prio)
{
- DBG2(DBG_CFG, " candidate \"%s\" with prio %d",
- current->get_name(current), prio);
- if (prio > best)
+ DBG2(DBG_CFG, " candidate \"%s\" with prio %d+%d",
+ current->get_name(current), my_prio, other_prio);
+ if (my_prio + other_prio > best)
{
- best = prio;
+ best = my_prio + other_prio;
DESTROY_IF(found);
found = current->get_ref(current);
}
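Review bot: The candidate comparison `if (my_prio + other_prio > best)` keeps the first-enumerated config on a tie and lets a lopsided score (a strong local match plus a barely-contained remote match) beat a balanced one, because the two sides are simply summed; neither rule is stated in the code. A comment on the comparison such as `/* plain sum of both sides; on ties the first configured child_cfg wins */` would record the intent, or, if balanced matches are meant to be preferred, compare the smaller of the two scores before the sum. select_child_cfg's body continues past the hunk.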
@@ -637,7 +663,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->ike_version = ike_version;
this->ike_cfg = ike_cfg;
this->child_cfgs = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
this->cert_policy = cert_policy;
this->unique = unique;
this->keyingtries = keyingtries;
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index e2dfcca4f..cf7e19605 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -266,6 +266,9 @@ static bool is_authenticated_encryption(u_int16_t alg)
case ENCR_AES_GCM_ICV8:
case ENCR_AES_GCM_ICV12:
case ENCR_AES_GCM_ICV16:
+ case ENCR_CAMELLIA_CCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV16:
return TRUE;
}
return FALSE;
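Review bot: The three new ENCR_CAMELLIA_CCM_* cases in is_authenticated_encryption reference enum constants that no file in this diffstat defines (it is limited to src/charon/config), so the change presumably relies on matching additions in the crypto headers elsewhere in the upstream release; that dependency is worth stating in the commit message. A short comment grouping the cases, e.g. `/* Camellia-CCM is a combined mode, like the AES-GCM cases above */`, would also help readers of this switch. The function's opening and any earlier cases are outside the hunk.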