authorYves-Alexis Perez <corsac@corsac.net>2017-04-01 16:26:44 +0200
committerYves-Alexis Perez <corsac@corsac.net>2017-04-01 16:26:44 +0200
commit05ddd767992d68bb38c7f16ece142e8c2e9ae016 (patch)
tree302c618be306d4ed3c7f9fc58a1f6aaad4dd252f /src/libcharon/config
parent25663e04c3ab01ef8dc9f906608282319cfea2db (diff)
New upstream version 5.5.2
Diffstat (limited to 'src/libcharon/config')
-rw-r--r--src/libcharon/config/child_cfg.c35
-rw-r--r--src/libcharon/config/ike_cfg.c37
-rw-r--r--src/libcharon/config/ike_cfg.h13
-rw-r--r--src/libcharon/config/peer_cfg.c13
-rw-r--r--src/libcharon/config/peer_cfg.h16
-rw-r--r--src/libcharon/config/proposal.c24
-rw-r--r--src/libcharon/config/proposal.h9
7 files changed, 108 insertions, 39 deletions
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 6a9c342f4..3c6dd5198 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -249,7 +249,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
{
proposal->strip_dh(proposal, MODP_NONE);
}
- selected = proposal->select(proposal, match, private);
+ selected = proposal->select(proposal, match, prefer_self, private);
if (selected)
{
DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -306,25 +306,30 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
{
e1 = this->other_ts->create_enumerator(this->other_ts);
}
- /* In a first step, replace "dynamic" TS with the host list */
+ /* in a first step, replace "dynamic" TS with the host list */
while (e1->enumerate(e1, &ts1))
{
- if (hosts && hosts->get_count(hosts) &&
- ts1->is_dynamic(ts1))
- {
- e2 = hosts->create_enumerator(hosts);
- while (e2->enumerate(e2, &host))
+ if (hosts && hosts->get_count(hosts))
+ { /* set hosts if TS is dynamic or as initiator in transport mode */
+ bool dynamic = ts1->is_dynamic(ts1);
+ if (dynamic || (this->mode == MODE_TRANSPORT && !this->proxy_mode &&
+ !supplied))
{
- ts2 = ts1->clone(ts1);
- ts2->set_address(ts2, host);
- derived->insert_last(derived, ts2);
+ e2 = hosts->create_enumerator(hosts);
+ while (e2->enumerate(e2, &host))
+ {
+ ts2 = ts1->clone(ts1);
+ if (dynamic || !host->is_anyaddr(host))
+ { /* don't make regular TS larger than they were */
+ ts2->set_address(ts2, host);
+ }
+ derived->insert_last(derived, ts2);
+ }
+ e2->destroy(e2);
+ continue;
}
- e2->destroy(e2);
- }
- else
- {
- derived->insert_last(derived, ts1->clone(ts1));
}
+ derived->insert_last(derived, ts1->clone(ts1));
}
e1->destroy(e1);
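Review bot: In the new transport-mode branch of get_traffic_selectors, a regular (non-dynamic) ts1 is cloned once per entry of `hosts`, and for every host that is anyaddr the clone is inserted unchanged, so when the list holds several entries `derived` can end up with identical copies of the same TS next to the narrowed ones — unless callers only ever pass a single host, which the hunk does not show. If that is intended, say so next to the `don't make regular TS larger than they were` comment, e.g. `/* regular TS: one clone per host; anyaddr hosts leave the clone untouched, so duplicates are possible */`; otherwise skip the insert for anyaddr hosts when `!dynamic`. The `supplied` flag and `this->proxy_mode` are read here but defined outside the hunk, and the function starts and ends outside it as well.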
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 7d52ac88f..480dd3720 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2016 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -339,7 +339,7 @@ METHOD(ike_cfg_t, select_proposal, proposal_t*,
}
while (match_enum->enumerate(match_enum, (void**)&match))
{
- selected = proposal->select(proposal, match, private);
+ selected = proposal->select(proposal, match, prefer_self, private);
if (selected)
{
DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -559,6 +559,39 @@ int ike_cfg_get_family(ike_cfg_t *cfg, bool local)
/**
* Described in header.
*/
+bool ike_cfg_has_address(ike_cfg_t *cfg, host_t *addr, bool local)
+{
+ private_ike_cfg_t *this = (private_ike_cfg_t*)cfg;
+ enumerator_t *enumerator;
+ host_t *host;
+ char *str;
+ bool found = FALSE;
+
+ if (local)
+ {
+ enumerator = this->my_hosts->create_enumerator(this->my_hosts);
+ }
+ else
+ {
+ enumerator = this->other_hosts->create_enumerator(this->other_hosts);
+ }
+ while (enumerator->enumerate(enumerator, &str))
+ {
+ host = host_create_from_string(str, 0);
+ if (host && addr->ip_equals(addr, host))
+ {
+ found = TRUE;
+ break;
+ }
+ DESTROY_IF(host);
+ }
+ enumerator->destroy(enumerator);
+ return found;
+}
+
+/**
+ * Described in header.
+ */
ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
char *me, uint16_t my_port,
char *other, uint16_t other_port,
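Review bot: The match branch of ike_cfg_has_address leaks the host it just parsed: on a match the loop `break`s before reaching `DESTROY_IF(host)`, so the host_t returned by host_create_from_string() for the matching entry is never destroyed. Release it before leaving the loop, e.g. `found = TRUE; host->destroy(host); break;` (host is known non-NULL inside that branch). Separately, entries that host_create_from_string() cannot parse yield NULL and are skipped silently; if that function does not resolve names, as its name suggests, an address configured by hostname never matches, which deserves a sentence in the header comment of ike_cfg.h.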
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index afcb772fe..4d37264f6 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2016 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -266,4 +266,15 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
*/
int ike_cfg_get_family(ike_cfg_t *this, bool local);
+/**
+ * Determine if the given address was explicitly configured as local or remote
+ * address.
+ *
+ * @param this ike config to check
+ * @param addr address to check
+ * @param local TRUE to check local addresses, FALSE for remote
+ * @return TRUE if address was configured
+ */
+bool ike_cfg_has_address(ike_cfg_t *this, host_t *addr, bool local);
+
#endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 6463c7a36..5d7ab076e 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2017 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* HSR Hochschule fuer Technik Rapperswil
@@ -164,7 +164,7 @@ struct private_peer_cfg_t {
/**
* Name of the mediation connection to mediate through
*/
- peer_cfg_t *mediated_by;
+ char *mediated_by;
/**
* ID of our peer at the mediation server (= leftid of the peer's conn with
@@ -235,6 +235,7 @@ METHOD(enumerator_t, child_cfgs_replace_enumerate, bool,
{
break;
}
+ this->wrapped->destroy(this->wrapped);
this->wrapped = this->added->create_enumerator(this->added);
this->add = TRUE;
}
@@ -579,7 +580,7 @@ METHOD(peer_cfg_t, is_mediation, bool,
return this->mediation;
}
-METHOD(peer_cfg_t, get_mediated_by, peer_cfg_t*,
+METHOD(peer_cfg_t, get_mediated_by, char*,
private_peer_cfg_t *this)
{
return this->mediated_by;
@@ -682,7 +683,7 @@ METHOD(peer_cfg_t, equals, bool,
auth_cfg_equal(this, other)
#ifdef ME
&& this->mediation == other->mediation &&
- this->mediated_by == other->mediated_by &&
+ streq(this->mediated_by, other->mediated_by) &&
(this->peer_id == other->peer_id ||
(this->peer_id && other->peer_id &&
this->peer_id->equals(this->peer_id, other->peer_id)))
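Review bot: `streq(this->mediated_by, other->mediated_by)` in equals() is now reached with NULL operands: mediated_by is created with strdupnull() and released with free(), so NULL is a legal value (presumably for every config without a mediation connection), and unless streq() is NULL-tolerant this is strcmp() on a null pointer. Guard it the same way the peer_id comparison directly below already does: `(this->mediated_by == other->mediated_by || (this->mediated_by && other->mediated_by && streq(this->mediated_by, other->mediated_by))) &&`. equals() begins and ends outside the hunk.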
@@ -712,8 +713,8 @@ METHOD(peer_cfg_t, destroy, void,
this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
this->pools->destroy_function(this->pools, free);
#ifdef ME
- DESTROY_IF(this->mediated_by);
DESTROY_IF(this->peer_id);
+ free(this->mediated_by);
#endif /* ME */
this->mutex->destroy(this->mutex);
free(this->name);
@@ -801,7 +802,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
.refcount = 1,
#ifdef ME
.mediation = data->mediation,
- .mediated_by = data->mediated_by,
+ .mediated_by = strdupnull(data->mediated_by),
.peer_id = data->peer_id,
#endif /* ME */
);
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 8e4d5331c..b294ae72f 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2017 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* HSR Hochschule fuer Technik Rapperswil
@@ -319,14 +319,14 @@ struct peer_cfg_t {
*
* @return TRUE, if this is a mediation connection
*/
- bool (*is_mediation) (peer_cfg_t *this);
+ bool (*is_mediation)(peer_cfg_t *this);
/**
- * Get peer_cfg of the connection this one is mediated through.
+ * Get name of the connection this one is mediated through.
*
- * @return the peer_cfg of the mediation connection
+ * @return the name of the mediation connection
*/
- peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
+ char* (*get_mediated_by)(peer_cfg_t *this);
/**
* Get the id of the other peer at the mediation server.
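Review bot: The new `@return` of get_mediated_by says nothing about ownership or the unconfigured case now that a string is returned; peer_cfg.c hands back the internal copy made with strdupnull() and frees it in destroy(), so the caller must not free it and presumably receives NULL when no mediation connection is configured. Suggest `@return the name of the mediation connection, NULL if none (owned by this config)`.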
@@ -338,7 +338,7 @@ struct peer_cfg_t {
*
* @return the id of the other peer
*/
- identification_t* (*get_peer_id) (peer_cfg_t *this);
+ identification_t* (*get_peer_id)(peer_cfg_t *this);
#endif /* ME */
/**
@@ -398,8 +398,8 @@ struct peer_cfg_create_t {
#ifdef ME
/** TRUE if this is a mediation connection */
bool mediation;
- /** peer_cfg_t of the mediation connection to mediate through (adopted) */
- peer_cfg_t *mediated_by;
+ /** peer_cfg_t of the mediation connection to mediate through (cloned) */
+ char *mediated_by;
/** ID that identifies our peer at the mediation server (adopted) */
identification_t *peer_id;
#endif /* ME */
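Review bot: The updated comment on `mediated_by` in peer_cfg_create_t still calls it `peer_cfg_t of the mediation connection`, but the field is now a `char *` and peer_cfg.c copies it with strdupnull(). The comment should read `/** name of the mediation connection to mediate through (cloned) */`.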
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 011c0b8b0..a2dc113a5 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -273,7 +273,8 @@ static bool select_algo(private_proposal_t *this, proposal_t *other,
}
METHOD(proposal_t, select_proposal, proposal_t*,
- private_proposal_t *this, proposal_t *other, bool private)
+ private_proposal_t *this, proposal_t *other, bool other_remote,
+ bool private)
{
proposal_t *selected;
@@ -285,7 +286,17 @@ METHOD(proposal_t, select_proposal, proposal_t*,
return NULL;
}
- selected = proposal_create(this->protocol, other->get_number(other));
+ if (other_remote)
+ {
+ selected = proposal_create(this->protocol, other->get_number(other));
+ selected->set_spi(selected, other->get_spi(other));
+ }
+ else
+ {
+ selected = proposal_create(this->protocol, this->number);
+ selected->set_spi(selected, this->spi);
+
+ }
if (!select_algo(this, other, selected, ENCRYPTION_ALGORITHM, private) ||
!select_algo(this, other, selected, PSEUDO_RANDOM_FUNCTION, private) ||
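Review bot: Style: the else branch of the new number/SPI selection in select_proposal ends with a stray empty line before its closing brace, right after `selected->set_spi(selected, this->spi);`, which the surrounding code does not do; drop it. The two branches differ only in where number and SPI come from, so picking both into locals and calling proposal_create() and set_spi() once would read more directly, though that is optional. select_proposal continues beyond the hunk.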
@@ -298,7 +309,6 @@ METHOD(proposal_t, select_proposal, proposal_t*,
}
DBG2(DBG_CFG, " proposal matches");
- selected->set_spi(selected, other->get_spi(other));
return selected;
}
@@ -915,6 +925,8 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
case ECP_256_BP:
case ECP_384_BP:
case ECP_512_BP:
+ case CURVE_25519:
+ case CURVE_448:
case NTRU_128_BIT:
case NTRU_192_BIT:
case NTRU_256_BIT:
@@ -956,9 +968,12 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
case MODP_768_BIT:
/* weak */
break;
+ case MODP_1024_160:
case MODP_2048_224:
+ case MODP_2048_256:
+ /* RFC 5114 primes are of questionable source */
+ break;
case MODP_1536_BIT:
- case MODP_1024_160:
case ECP_224_BIT:
case ECP_224_BP:
case ECP_192_BIT:
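Review bot: The comment `/* RFC 5114 primes are of questionable source */` on the new MODP_1024_160/MODP_2048_224/MODP_2048_256 case states the conclusion but not the reason, and a reader of proposal_add_supported_ike has no way to tell what "source" means here. Something like `/* RFC 5114 groups: the primes' generation is not verifiable, so they are not proposed by default */` makes the intent checkable; if explicitly configured proposals may still use them (which this function does not show), saying so would also help. The switch starts and ends outside the hunk.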
@@ -966,7 +981,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
/* rarely used */
break;
case MODP_2048_BIT:
- case MODP_2048_256:
case MODP_1024_BIT:
add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
break;
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index f9f277820..2bdf3454f 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -1,6 +1,7 @@
/*
+ * Copyright (C) 2009-2016 Tobias Brunner
* Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -124,10 +125,14 @@ struct proposal_t {
* in common, a resulting proposal of this kind is created.
*
* @param other proposal to compare against
+ * @param other_remote whether other is the remote proposal from which to
+ * copy SPI and proposal number to the result,
+ * otherwise copy from this proposal
* @param private accepts algorithms allocated in a private range
* @return selected proposal, NULL if proposals don't match
*/
- proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
+ proposal_t *(*select)(proposal_t *this, proposal_t *other,
+ bool other_remote, bool private);
/**
* Get the protocol ID of the proposal.