[svn-upgrade] Integrating new upstream version, strongswan (4.2.13)

7 files changed, 83 insertions, 57 deletions

diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
index 47dac47d4..07ca48e6f 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * $Id: eap_mschapv2.c 4888 2009-02-19 14:32:13Z tobias $
+ * $Id: eap_mschapv2.c 4896 2009-02-24 13:39:50Z martin $
  */
 
 #include "eap_mschapv2.h"
@@ -643,7 +643,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
 	rng->destroy(rng);
 			
 	shared = charon->credentials->get_shared(charon->credentials,
-											 SHARED_EAP, this->server, this->peer);
+											 SHARED_EAP, this->peer, this->server);
 	if (shared == NULL)
 	{
 		DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index 1f2b6f723..72744b784 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -83,8 +83,8 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
  */
 static void signal_failure(NMVPNPlugin *plugin)
 {
-	/* TODO: NM does not handle this failure!? 
-	nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); */
+	/* TODO: NM does not handle this failure!? */
+	nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); 
 	nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
 }
 
@@ -144,7 +144,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	nm_creds_t *creds;
 	NMSettingVPN *settings;
 	identification_t *user = NULL, *gateway;
-	char *address, *str;
+	const char *address, *str;
 	bool virtual, encap, ipcomp;
 	ike_cfg_t *ike_cfg;
 	peer_cfg_t *peer_cfg;
@@ -164,20 +164,20 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	
 	DBG4(DBG_CFG, "received NetworkManager connection: %s",
 		 nm_setting_to_string(NM_SETTING(settings)));
-	address = g_hash_table_lookup(settings->data, "address");
+	address = nm_setting_vpn_get_data_item(settings, "address");
 	if (!address || !*address)
 	{
 		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
 				    "Gateway address missing.");
 		return FALSE;
 	}
-	str = g_hash_table_lookup(settings->data, "virtual");
+	str = nm_setting_vpn_get_data_item(settings, "virtual");
 	virtual = str && streq(str, "yes");
-	str = g_hash_table_lookup(settings->data, "encap");
+	str = nm_setting_vpn_get_data_item(settings, "encap");
 	encap = str && streq(str, "yes");
-	str = g_hash_table_lookup(settings->data, "ipcomp");
+	str = nm_setting_vpn_get_data_item(settings, "ipcomp");
 	ipcomp = str && streq(str, "yes");
-	str = g_hash_table_lookup(settings->data, "method");
+	str = nm_setting_vpn_get_data_item(settings, "method");
 	if (str)
 	{
 		if (streq(str, "psk"))
@@ -202,7 +202,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	creds->clear(creds);
 	
 	/* gateway cert */
-	str = g_hash_table_lookup(settings->data, "certificate");
+	str = nm_setting_vpn_get_data_item(settings, "certificate");
 	if (str)
 	{
 		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -220,20 +220,20 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	if (auth_class == AUTH_CLASS_EAP)
 	{
 		/* username/password authentication ... */
-		str = g_hash_table_lookup(settings->data, "user");
+		str = nm_setting_vpn_get_data_item(settings, "user");
 		if (str)
 		{
 			user = identification_create_from_encoding(ID_KEY_ID,
 											chunk_create(str, strlen(str)));
-			str = g_hash_table_lookup(settings->secrets, "password");
-			creds->set_username_password(creds, user, str);
+			str = nm_setting_vpn_get_secret(settings, "password");
+			creds->set_username_password(creds, user, (char*)str);
 		}
 	}
 	
 	if (auth_class == AUTH_CLASS_PUBKEY)
 	{
 		/* ... or certificate/private key authenitcation */
-		str = g_hash_table_lookup(settings->data, "usercert");
+		str = nm_setting_vpn_get_data_item(settings, "usercert");
 		if (str)
 		{
 			public_key_t *public;
@@ -241,10 +241,16 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			
 			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 									  BUILD_FROM_FILE, str, BUILD_END);	
-									  
+			if (!cert)
+			{
+				g_set_error(err, NM_VPN_PLUGIN_ERROR,
+							NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+							"Loading peer certificate failed.");
+				return FALSE;
+			}
 			/* try agent */  
-			str = g_hash_table_lookup(settings->secrets, "agent");
-			if (agent && str && cert)
+			str = nm_setting_vpn_get_secret(settings, "agent");
+			if (agent && str)
 			{
 				public = cert->get_public_key(cert);
 				if (public)
@@ -256,25 +262,38 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 												 BUILD_END);
 					public->destroy(public);
 				}
+				if (!private)
+				{
+					g_set_error(err, NM_VPN_PLUGIN_ERROR,
+								NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+								"Connecting to SSH agent failed.");
+				}
 			}
 			/* ... or key file */  
-			str = g_hash_table_lookup(settings->data, "userkey");
-			if (!agent && str && cert)
+			str = nm_setting_vpn_get_data_item(settings, "userkey");
+			if (!agent && str)
 			{
 				chunk_t secret, chunk;
 				bool pgp = FALSE;
 				
-				secret.ptr = g_hash_table_lookup(settings->secrets, "password");
+				secret.ptr = (char*)nm_setting_vpn_get_secret(settings,
+																 "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
 				}
-				if (pem_asn1_load_file(str, &secret, &chunk, &pgp))
+				if (pem_asn1_load_file((char*)str, &secret, &chunk, &pgp))
 				{
 					private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
 								KEY_RSA, BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
 					free(chunk.ptr);
 				}
+				if (!private)
+				{
+					g_set_error(err, NM_VPN_PLUGIN_ERROR,
+								NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+								"Loading private key failed.");
+				}
 			}
 			if (private)
 			{
@@ -285,8 +304,6 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			else
 			{
 				DESTROY_IF(cert);
-				g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-							"Loading user certificate/private key failed.");
 				return FALSE;
 			}
 		}
@@ -302,7 +319,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	/**
 	 * Set up configurations
 	 */
-	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", address);
+	ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
 					user, gateway->clone(gateway),
@@ -367,40 +384,40 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 							 char **setting_name, GError **error)
 {
 	NMSettingVPN *settings;
-	char *method, *path;
+	const char *method, *path;
 	chunk_t secret = chunk_empty, key;
 	bool pgp = FALSE;
 	
 	settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
 														NM_TYPE_SETTING_VPN));
-	method = g_hash_table_lookup(settings->data, "method");
+	method = nm_setting_vpn_get_data_item(settings, "method");
 	if (method)
 	{
 		if (streq(method, "eap"))
 		{
-			if (g_hash_table_lookup(settings->secrets, "password"))
+			if (nm_setting_vpn_get_secret(settings, "password"))
 			{
 				return FALSE;
 			}
 		}
 		else if (streq(method, "agent"))
 		{
-			if (g_hash_table_lookup(settings->secrets, "agent"))
+			if (nm_setting_vpn_get_secret(settings, "agent"))
 			{
 				return FALSE;
 			}
 		}
 		else if (streq(method, "key"))
 		{
-			path = g_hash_table_lookup(settings->data, "userkey");
+			path = nm_setting_vpn_get_data_item(settings, "userkey");
 			if (path)
 			{
-				secret.ptr = g_hash_table_lookup(settings->secrets, "password");
+				secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
 				if (secret.ptr)
 				{
 					secret.len = strlen(secret.ptr);
 				}
-				if (pem_asn1_load_file(path, &secret, &key, &pgp))
+				if (pem_asn1_load_file((char*)path, &secret, &key, &pgp))
 				{
 					free(key.ptr);
 					return FALSE;
@@ -434,6 +451,9 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
 		}
 	}
 	enumerator->destroy(enumerator);
+	
+	g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
+				"Connection not found.");
 	return FALSE;
 }
 
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index 8f5dc54dd..9761e88e9 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -554,10 +554,10 @@ static void leases(char *filter, bool utc)
 			printf("%-7s ", "expired");
 		}
 		
-		printf(" %#T  ", &acquired, utc);
+		printf(" %T  ", &acquired, utc);
 		if (released)
 		{
-			printf("%#T  ", &released, utc);
+			printf("%T  ", &released, utc);
 		}
 		else
 		{
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index cd6f7c0cd..826aa8318 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -89,7 +89,7 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
 		e->destroy(e);
 		return pool;
 	}
-	DBG1(DBG_CFG, "ip pool '%s' not found");
+	DESTROY_IF(e);
 	return 0;
 }
 
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index 7591a1e27..f850b5320 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -307,6 +307,7 @@ static bool release_address(private_stroke_attribute_t *this,
 				{
 					DBG1(DBG_CFG, "lease %H of %D went offline", address, id);
 					pool->offline->put(pool->offline, id, (void*)offset);
+					found = TRUE;
 				}
 			}
 		}
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 07e0ca768..434aec22b 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -804,7 +804,7 @@ static void load_secrets(private_stroke_cred_t *this)
 		}
 		else if (match("PIN", &token))
 		{
-			chunk_t sc = chunk_empty;
+			chunk_t sc = chunk_empty, secret = chunk_empty;
 			char smartcard[32], keyid[22], pin[32];
 			private_key_t *key;
 			u_int slot;
@@ -847,13 +847,13 @@ static void load_secrets(private_stroke_cred_t *this)
 				DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
 				goto error;
 			}
-			ugh = extract_secret(&chunk, &line);
+			ugh = extract_secret(&secret, &line);
 			if (ugh != NULL)
 			{
 				DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
 				goto error;
 			}
-			snprintf(pin, sizeof(pin), "%.*s", chunk.len, chunk.ptr);
+			snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
 			pin[sizeof(pin) - 1] = '\0';
 			
 			/* we assume an RSA key */
@@ -867,6 +867,7 @@ static void load_secrets(private_stroke_cred_t *this)
 				this->private->insert_last(this->private, key);
 			}
 			memset(pin, 0, sizeof(pin));
+			chunk_clear(&secret);
 		}
 		else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
 				 (match("EAP", &token) && (type = SHARED_EAP)) ||
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 8042875c9..94b3def3a 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -88,7 +88,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 		time_t established;
 		
 		established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
-		fprintf(out, " %#V ago", &now, &established);
+		fprintf(out, " %V ago", &now, &established);
 	}
 	
 	fprintf(out, ", %H[%D]...%H[%D]\n",
@@ -116,11 +116,11 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 			
 			if (rekey)
 			{
-				fprintf(out, ", rekeying in %#V", &rekey, &now);
+				fprintf(out, ", rekeying in %V", &rekey, &now);
 			}
 			if (reauth)
 			{
-				fprintf(out, ", %N reauthentication in %#V", auth_class_names,
+				fprintf(out, ", %N reauthentication in %V", auth_class_names,
 						get_auth_class(ike_sa->get_peer_cfg(ike_sa)),
 						&reauth, &now);
 			}
@@ -212,7 +212,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			rekey = child_sa->get_lifetime(child_sa, FALSE);
 			if (rekey)
 			{
-				fprintf(out, "in %#V", &now, &rekey);
+				fprintf(out, "in %V", &now, &rekey);
 			}
 			else
 			{
@@ -265,12 +265,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		char *plugin, *pool;
 		host_t *host;
 		u_int32_t dpd;
-		time_t uptime = time(NULL) - this->uptime;
+		time_t now = time(NULL);
 		bool first = TRUE;
 		u_int size, online, offline;
 		
 		fprintf(out, "Performance:\n");
-		fprintf(out, "  uptime: %V, since %#T\n", &uptime, &this->uptime, FALSE);
+		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &this->uptime, FALSE);
 		fprintf(out, "  worker threads: %d idle of %d,",
 				charon->processor->get_idle_threads(charon->processor),
 				charon->processor->get_total_threads(charon->processor));
@@ -290,6 +290,10 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		enumerator = this->attribute->create_pool_enumerator(this->attribute);
 		while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
 		{
+			if (name && !streq(name, pool))
+			{
+				continue;
+			}
 			if (first)
 			{
 				first = FALSE;
@@ -655,26 +659,26 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 
 			/* list validity */
 			cert->get_validity(cert, &now, &notBefore, &notAfter);
-			fprintf(out, "  validity:  not before %#T, ", &notBefore, utc);
+			fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
 			if (now < notBefore)
 			{
-				fprintf(out, "not valid yet (valid in %#V)\n", &now, &notBefore);
+				fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
 			}
 			else
 			{
 				fprintf(out, "ok\n");
 			}
-			fprintf(out, "             not after  %#T, ", &notAfter, utc);
+			fprintf(out, "             not after  %T, ", &notAfter, utc);
 			if (now > notAfter)
 			{
-				fprintf(out, "expired (%#V ago)\n", &now, &notAfter);
+				fprintf(out, "expired (%V ago)\n", &now, &notAfter);
 			}
 			else
 			{
 				fprintf(out, "ok");
 				if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
 				{
-					fprintf(out, " (expires in %#V)", &now, &notAfter);
+					fprintf(out, " (expires in %V)", &now, &notAfter);
 				}
 				fprintf(out, " \n");
 			}
@@ -755,18 +759,18 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
 
 		/* list validity */
 		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %#T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %#T, ", &nextUpdate, utc);
+		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
+		fprintf(out, "             next %T, ", &nextUpdate, utc);
 		if (now > nextUpdate)
 		{
-			fprintf(out, "expired (%#V ago)\n", &now, &nextUpdate);
+			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
 		}
 		else
 		{
 			fprintf(out, "ok");
 			if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24)
 			{
-				fprintf(out, " (expires in %#V)", &now, &nextUpdate);
+				fprintf(out, " (expires in %V)", &now, &nextUpdate);
 			}
 			fprintf(out, " \n");
 		}
@@ -828,18 +832,18 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
 
 		/* list validity */
 		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %#T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %#T, ", &nextUpdate, utc);
+		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
+		fprintf(out, "             next %T, ", &nextUpdate, utc);
 		if (now > nextUpdate)
 		{
-			fprintf(out, "expired (%#V ago)\n", &now, &nextUpdate);
+			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
 		}
 		else
 		{
 			fprintf(out, "ok");
 			if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
 			{
-				fprintf(out, " (expires in %#V)", &now, &nextUpdate);
+				fprintf(out, " (expires in %V)", &now, &nextUpdate);
 			}
 			fprintf(out, " \n");
 		}