Imported Upstream version 4.6.4

17 files changed, 179 insertions, 127 deletions

diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c
index 8e0836f0e..02015f273 100644
--- a/src/libcharon/encoding/payloads/certreq_payload.c
+++ b/src/libcharon/encoding/payloads/certreq_payload.c
@@ -111,8 +111,7 @@ METHOD(payload_t, verify, status_t,
 {
 	if (this->encoding == ENC_X509_SIGNATURE)
 	{
-		if (this->data.len < HASH_SIZE_SHA1 ||
-			this->data.len % HASH_SIZE_SHA1)
+		if (this->data.len % HASH_SIZE_SHA1)
 		{
 			DBG1(DBG_ENC, "invalid X509 hash length (%d) in certreq",
 				 this->data.len);
diff --git a/src/libcharon/encoding/payloads/cp_payload.h b/src/libcharon/encoding/payloads/cp_payload.h
index 7dcf58f7e..afae6091a 100644
--- a/src/libcharon/encoding/payloads/cp_payload.h
+++ b/src/libcharon/encoding/payloads/cp_payload.h
@@ -63,7 +63,7 @@ struct cp_payload_t {
 	payload_t payload_interface;
 
 	/**
-	 * Creates an iterator of stored configuration_attribute_t objects.
+	 * Creates an enumerator of stored configuration_attribute_t objects.
 	 *
 	 * @return			enumerator over configration_attribute_T
 	 */
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c
index eafb668b6..cacaef222 100644
--- a/src/libcharon/encoding/payloads/eap_payload.c
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@@ -284,6 +284,18 @@ eap_payload_t *eap_payload_create_data(chunk_t data)
 /*
  * Described in header
  */
+eap_payload_t *eap_payload_create_data_own(chunk_t data)
+{
+	eap_payload_t *this = eap_payload_create();
+
+	this->set_data(this, data);
+	free(data.ptr);
+	return this;
+}
+
+/*
+ * Described in header
+ */
 eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier)
 {
 	chunk_t data;
diff --git a/src/libcharon/encoding/payloads/eap_payload.h b/src/libcharon/encoding/payloads/eap_payload.h
index 0bde4b15e..60d9c99d2 100644
--- a/src/libcharon/encoding/payloads/eap_payload.h
+++ b/src/libcharon/encoding/payloads/eap_payload.h
@@ -95,18 +95,27 @@ struct eap_payload_t {
 /**
  * Creates an empty eap_payload_t object.
  *
- * @return eap_payload_t object
+ * @return 			eap_payload_t object
  */
 eap_payload_t *eap_payload_create(void);
 
 /**
  * Creates an eap_payload_t object with data.
  *
- * @return eap_payload_t object
+ * @param data		data, gets cloned
+ * @return 			eap_payload_t object
  */
 eap_payload_t *eap_payload_create_data(chunk_t data);
 
 /**
+ * Creates an eap_payload_t object with data, owning the data.
+ *
+ * @param data		data on heap, gets owned and freed
+ * @return 			eap_payload_t object
+ */
+eap_payload_t *eap_payload_create_data_own(chunk_t data);
+
+/**
  * Creates an eap_payload_t object with a code.
  *
  * Could should be either EAP_SUCCESS/EAP_FAILURE, use
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
index 3b23ea9fb..e7b8063b7 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.c
+++ b/src/libcharon/encoding/payloads/encryption_payload.c
@@ -142,7 +142,7 @@ METHOD(payload_t, set_next_type, void,
 }
 
 /**
- * Compute the lenght of the whole payload
+ * Compute the length of the whole payload
  */
 static void compute_length(private_encryption_payload_t *this)
 {
diff --git a/src/libcharon/encoding/payloads/endpoint_notify.c b/src/libcharon/encoding/payloads/endpoint_notify.c
index faec1ea71..1ead0a052 100644
--- a/src/libcharon/encoding/payloads/endpoint_notify.c
+++ b/src/libcharon/encoding/payloads/endpoint_notify.c
@@ -76,6 +76,11 @@ ENUM(me_endpoint_type_names, HOST, RELAYED,
 );
 
 /**
+ * Forward declaration
+ */
+static private_endpoint_notify_t *endpoint_notify_create();
+
+/**
  * Helper functions to parse integer values
  */
 static status_t parse_uint8(u_int8_t **cur, u_int8_t *top, u_int8_t *val)
@@ -216,10 +221,8 @@ static chunk_t build_notification_data(private_endpoint_notify_t *this)
 	return data;
 }
 
-/**
- * Implementation of endpoint_notify_t.build_notify
- */
-static notify_payload_t *build_notify(private_endpoint_notify_t *this)
+METHOD(endpoint_notify_t, build_notify, notify_payload_t*,
+	private_endpoint_notify_t *this)
 {
 	chunk_t data;
 	notify_payload_t *notify;
@@ -233,64 +236,53 @@ static notify_payload_t *build_notify(private_endpoint_notify_t *this)
 	return notify;
 }
 
-/**
- * Implementation of endpoint_notify_t.get_priority.
- */
-static u_int32_t get_priority(private_endpoint_notify_t *this)
+
+METHOD(endpoint_notify_t, get_priority, u_int32_t,
+	private_endpoint_notify_t *this)
 {
 	return this->priority;
 }
 
-/**
- * Implementation of endpoint_notify_t.set_priority.
- */
-static void set_priority(private_endpoint_notify_t *this, u_int32_t priority)
+METHOD(endpoint_notify_t, set_priority, void,
+	private_endpoint_notify_t *this, u_int32_t priority)
 {
 	this->priority = priority;
 }
 
-/**
- * Implementation of endpoint_notify_t.get_type.
- */
-static me_endpoint_type_t get_type(private_endpoint_notify_t *this)
+METHOD(endpoint_notify_t, get_type,  me_endpoint_type_t,
+	private_endpoint_notify_t *this)
 {
 	return this->type;
 }
 
-/**
- * Implementation of endpoint_notify_t.get_family.
- */
-static me_endpoint_family_t get_family(private_endpoint_notify_t *this)
+METHOD(endpoint_notify_t, get_family, me_endpoint_family_t,
+	private_endpoint_notify_t *this)
 {
 	return this->family;
 }
 
-/**
- * Implementation of endpoint_notify_t.get_host.
- */
-static host_t *get_host(private_endpoint_notify_t *this)
+METHOD(endpoint_notify_t, get_host, host_t*,
+	private_endpoint_notify_t *this)
 {
 	return this->endpoint;
 }
 
-/**
- * Implementation of endpoint_notify_t.get_base.
- */
-static host_t *get_base(private_endpoint_notify_t *this)
+METHOD(endpoint_notify_t, get_base, host_t*,
+	private_endpoint_notify_t *this)
 {
 	return (!this->base) ? this->endpoint : this->base;
 }
 
-/**
- * Implementation of endpoint_notify_t.clone.
- */
-static endpoint_notify_t *_clone(private_endpoint_notify_t *this)
+METHOD(endpoint_notify_t, clone_, endpoint_notify_t*,
+	private_endpoint_notify_t *this)
 {
-	private_endpoint_notify_t *clone = (private_endpoint_notify_t*)endpoint_notify_create();
+	private_endpoint_notify_t *clone;
 
+	clone = endpoint_notify_create();
 	clone->priority = this->priority;
 	clone->type = this->type;
 	clone->family = this->family;
+
 	if (this->endpoint)
 	{
 		clone->endpoint = this->endpoint->clone(this->endpoint);
@@ -304,52 +296,47 @@ static endpoint_notify_t *_clone(private_endpoint_notify_t *this)
 	return &clone->public;
 }
 
-/**
- * Implementation of endpoint_notify_t.destroy.
- */
-static status_t destroy(private_endpoint_notify_t *this)
+METHOD(endpoint_notify_t, destroy, void,
+	private_endpoint_notify_t *this)
 {
 	DESTROY_IF(this->endpoint);
 	DESTROY_IF(this->base);
 	free(this);
-	return SUCCESS;
 }
 
-/*
- * Described in header
+/**
+ * Creates an empty endpoint notify
  */
-endpoint_notify_t *endpoint_notify_create()
+static private_endpoint_notify_t *endpoint_notify_create()
 {
-	private_endpoint_notify_t *this = malloc_thing(private_endpoint_notify_t);
-
-	/* public functions */
-	this->public.get_priority = (u_int32_t (*) (endpoint_notify_t *)) get_priority;
-	this->public.set_priority = (void (*) (endpoint_notify_t *, u_int32_t)) set_priority;
-	this->public.get_type = (me_endpoint_type_t (*) (endpoint_notify_t *)) get_type;
-	this->public.get_family = (me_endpoint_family_t (*) (endpoint_notify_t *)) get_family;
-	this->public.get_host = (host_t *(*) (endpoint_notify_t *)) get_host;
-	this->public.get_base = (host_t *(*) (endpoint_notify_t *)) get_base;
-	this->public.build_notify = (notify_payload_t *(*) (endpoint_notify_t *)) build_notify;
-	this->public.clone = (endpoint_notify_t *(*) (endpoint_notify_t *)) _clone;
-	this->public.destroy = (void (*) (endpoint_notify_t *)) destroy;
-
-	/* set default values of the fields */
-	this->priority = 0;
-	this->family = NO_FAMILY;
-	this->type = NO_TYPE;
-	this->endpoint = NULL;
-	this->base = NULL;
-
-	return &this->public;
+	private_endpoint_notify_t *this;
+
+	INIT(this,
+		.public = {
+			.get_priority = _get_priority,
+			.set_priority = _set_priority,
+			.get_type = _get_type,
+			.get_family = _get_family,
+			.get_host = _get_host,
+			.get_base = _get_base,
+			.build_notify = _build_notify,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.family = NO_FAMILY,
+		.type = NO_TYPE,
+	);
+
+	return this;
 }
 
 /**
  * Described in header
  */
-endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type, host_t *host, host_t *base)
+endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type,
+													host_t *host, host_t *base)
 {
-	private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
-
+	private_endpoint_notify_t *this = endpoint_notify_create();
 	this->type = type;
 
 	switch(type)
@@ -406,13 +393,17 @@ endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type, hos
  */
 endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify)
 {
+	private_endpoint_notify_t *this;
+	chunk_t data;
+
 	if (notify->get_notify_type(notify) != ME_ENDPOINT)
 	{
 		return NULL;
 	}
 
-	private_endpoint_notify_t *this = (private_endpoint_notify_t*)endpoint_notify_create();
-	chunk_t data = notify->get_notification_data(notify);
+	this = endpoint_notify_create();
+	data = notify->get_notification_data(notify);
+
 	if (parse_notification_data(this, data) != SUCCESS)
 	{
 		destroy(this);
diff --git a/src/libcharon/encoding/payloads/endpoint_notify.h b/src/libcharon/encoding/payloads/endpoint_notify.h
index 120eef49a..853aadf3d 100644
--- a/src/libcharon/encoding/payloads/endpoint_notify.h
+++ b/src/libcharon/encoding/payloads/endpoint_notify.h
@@ -125,7 +125,7 @@ struct endpoint_notify_t {
 	/**
 	 * Generates a notification payload from this endpoint.
 	 *
-	 * @return 			built notify_payload_t
+	 * @return			built notify_payload_t
 	 */
 	notify_payload_t *(*build_notify) (endpoint_notify_t *this);
 
@@ -143,19 +143,12 @@ struct endpoint_notify_t {
 };
 
 /**
- * Creates an empty endpoint_notify_t object.
- *
- * @return			created endpoint_notify_t object
- */
-endpoint_notify_t *endpoint_notify_create(void);
-
-
-/**
  * Creates an endpoint_notify_t object from a host.
  *
  * @param type		the endpoint type
  * @param host		host to base the notify on (gets cloned)
- * @param base		base of the endpoint, applies only to reflexive endpoints (gets cloned)
+ * @param base		base of the endpoint, applies only to reflexive
+ *					endpoints (gets cloned)
  * @return			created endpoint_notify_t object
  */
 endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type,
@@ -166,7 +159,7 @@ endpoint_notify_t *endpoint_notify_create_from_host(me_endpoint_type_t type,
  *
  * @param notify	the notify payload
  * @return			- created endpoint_notify_t object
- * 					- NULL if invalid payload
+ *					- NULL if invalid payload
  */
 endpoint_notify_t *endpoint_notify_create_from_payload(notify_payload_t *notify);
 
diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c
index 80dcee0cb..24d22f3a1 100644
--- a/src/libcharon/encoding/payloads/ike_header.c
+++ b/src/libcharon/encoding/payloads/ike_header.c
@@ -101,17 +101,18 @@ struct private_ike_header_t {
 
 ENUM_BEGIN(exchange_type_names, EXCHANGE_TYPE_UNDEFINED, EXCHANGE_TYPE_UNDEFINED,
 	"EXCHANGE_TYPE_UNDEFINED");
-ENUM_NEXT(exchange_type_names, IKE_SA_INIT, INFORMATIONAL, EXCHANGE_TYPE_UNDEFINED,
+ENUM_NEXT(exchange_type_names, IKE_SA_INIT, IKE_SESSION_RESUME, EXCHANGE_TYPE_UNDEFINED,
 	"IKE_SA_INIT",
 	"IKE_AUTH",
 	"CREATE_CHILD_SA",
-	"INFORMATIONAL");
+	"INFORMATIONAL",
+	"IKE_SESSION_RESUME");
 #ifdef ME
-ENUM_NEXT(exchange_type_names, ME_CONNECT, ME_CONNECT, INFORMATIONAL,
+ENUM_NEXT(exchange_type_names, ME_CONNECT, ME_CONNECT, IKE_SESSION_RESUME,
 	"ME_CONNECT");
 ENUM_END(exchange_type_names, ME_CONNECT);
 #else
-ENUM_END(exchange_type_names, INFORMATIONAL);
+ENUM_END(exchange_type_names, IKE_SESSION_RESUME);
 #endif /* ME */
 
 /**
diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h
index f52c852c5..5579a4961 100644
--- a/src/libcharon/encoding/payloads/ike_header.h
+++ b/src/libcharon/encoding/payloads/ike_header.h
@@ -80,6 +80,11 @@ enum exchange_type_t{
 	 * INFORMATIONAL.
 	 */
 	INFORMATIONAL = 37,
+
+	/**
+	 * IKE_SESSION_RESUME (RFC 5723).
+	 */
+	IKE_SESSION_RESUME = 38,
 #ifdef ME
 	/**
 	 * ME_CONNECT
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index 77f15ec6d..e03d1af67 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -56,7 +56,9 @@ ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTIC
 	"CHILD_SA_NOT_FOUND");
 ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_FOUND,
 	"ME_CONNECT_FAILED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
+	"MS_NOTIFY_STATUS");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -90,18 +92,28 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNEC
 	"LINK_ID",
 	"USE_WESP_MODE",
 	"ROHC_SUPPORTED",
-	"EAP_ONLY_AUTHENTICATION");
-ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
+	"EAP_ONLY_AUTHENTICATION",
+	"CHILDLESS_IKEV2_SUPPORTED",
+	"QUICK_CRASH_DETECTION",
+	"IKEV2_MESSAGE_ID_SYNC_SUPPORTED",
+	"IKEV2_REPLAY_COUNTER_SYNC_SUPPORTED",
+	"IKEV2_MESSAGE_ID_SYNC",
+	"IPSEC_REPLAY_COUNTER_SYNC",
+	"SECURE PASSWORD_METHOD",
+	"PSK_PERSIST",
+	"PSK_CONFIRM");
+ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, PSK_CONFIRM,
 	"USE_BEET_MODE");
-ENUM_NEXT(notify_type_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
+ENUM_NEXT(notify_type_names, ME_MEDIATION, RADIUS_ATTRIBUTE, USE_BEET_MODE,
 	"ME_MEDIATION",
 	"ME_ENDPOINT",
 	"ME_CALLBACK",
 	"ME_CONNECTID",
 	"ME_CONNECTKEY",
 	"ME_CONNECTAUTH",
-	"ME_RESPONSE");
-ENUM_END(notify_type_names, ME_RESPONSE);
+	"ME_RESPONSE",
+	"RADIUS_ATTRIBUTE",);
+ENUM_END(notify_type_names, RADIUS_ATTRIBUTE);
 
 
 ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
@@ -135,11 +147,13 @@ ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUT
 	"NO_CHILD_SA");
 ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_FOUND,
 	"ME_CONN_FAIL");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
+	"MS_STATUS");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, PSK_CONFIRM, MS_NOTIFY_STATUS,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
-	"IPCOMP_SUPP",
+	"IPCOMP_SUP",
 	"NATD_S_IP",
 	"NATD_D_IP",
 	"COOKIE",
@@ -169,18 +183,28 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_
 	"LINK_ID",
 	"WESP_MODE",
 	"ROHC_SUP",
-	"EAP_ONLY");
-ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
+	"EAP_ONLY",
+	"CHDLESS_SUP",
+	"CRASH_DET",
+	"MSG_ID_SYN_SUP",
+	"RPL_CTR_SYN_SUP",
+	"MSG_ID_SYN",
+	"RPL_CTR_SYN",
+	"SEC_PASSWD",
+	"PSK_PST",
+	"PSK_CFM");
+ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, PSK_CONFIRM,
 	"BEET_MODE");
-ENUM_NEXT(notify_type_short_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
+ENUM_NEXT(notify_type_short_names, ME_MEDIATION, RADIUS_ATTRIBUTE, USE_BEET_MODE,
 	"ME_MED",
 	"ME_EP",
 	"ME_CB",
 	"ME_CID",
 	"ME_CKEY",
 	"ME_CAUTH",
-	"ME_R");
-ENUM_END(notify_type_short_names, ME_RESPONSE);
+	"ME_R",
+	"RADIUS");
+ENUM_END(notify_type_short_names, RADIUS_ATTRIBUTE);
 
 
 typedef struct private_notify_payload_t private_notify_payload_t;
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 8abc236e1..ced282700 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -71,6 +71,9 @@ enum notify_type_t {
 	/* IKE-ME, private use */
 	ME_CONNECT_FAILED = 8192,
 
+	/* Windows error code */
+	MS_NOTIFY_STATUS = 12345,
+
 	/* notify status messages */
 	INITIAL_CONTACT = 16384,
 	SET_WINDOW_SIZE = 16385,
@@ -115,7 +118,20 @@ enum notify_type_t {
 	ROHC_SUPPORTED = 16416,
 	/* EAP-only authentication, RFC 5998 */
 	EAP_ONLY_AUTHENTICATION = 16417,
-
+	/* Childless initiation of IKEv2 SA, RFC 6023 */
+	CHILDLESS_IKEV2_SUPPORTED = 16418,
+	/* Quick crash detection for IKE, RFC 6290 */
+	QUICK_CRASH_DETECTION = 16419,
+	/* High availability of IKEv2/IPsec, RFC 6311 */
+	IKEV2_MESSAGE_ID_SYNC_SUPPORTED = 16420,
+	IKEV2_REPLAY_COUNTER_SYNC_SUPPORTED = 16421,
+	IKEV2_MESSAGE_ID_SYNC = 16422,
+	IPSEC_REPLAY_COUNTER_SYNC = 16423,
+	/* Secure password methods, RFC 6467 */
+	SECURE_PASSWORD_METHOD = 16424,
+	/* PACE - draft-kuegler-ipsecme-pace-ikev2 */
+	PSK_PERSIST = 16425,
+	PSK_CONFIRM = 16426,
 	/* BEET mode, not even a draft yet. private use */
 	USE_BEET_MODE = 40961,
 	/* IKE-ME, private use */
@@ -125,7 +141,9 @@ enum notify_type_t {
 	ME_CONNECTID = 40965,
 	ME_CONNECTKEY = 40966,
 	ME_CONNECTAUTH = 40967,
-	ME_RESPONSE = 40968
+	ME_RESPONSE = 40968,
+	/* RADIUS attribute received/to send to a AAA backend */
+	RADIUS_ATTRIBUTE = 40969,
 };
 
 /**
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index d1e677db7..a2c0a4385 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -39,7 +39,8 @@
 
 ENUM_BEGIN(payload_type_names, NO_PAYLOAD, NO_PAYLOAD,
 	"NO_PAYLOAD");
-ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, NO_PAYLOAD,
+ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION,
+							  GENERIC_SECURE_PASSWORD_METHOD, NO_PAYLOAD,
 	"SECURITY_ASSOCIATION",
 	"KEY_EXCHANGE",
 	"ID_INITIATOR",
@@ -55,9 +56,10 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, N
 	"TRAFFIC_SELECTOR_RESPONDER",
 	"ENCRYPTED",
 	"CONFIGURATION",
-	"EXTENSIBLE_AUTHENTICATION");
+	"EXTENSIBLE_AUTHENTICATION",
+	"GENERIC_SECURE_PASSWORD_METHOD");
 #ifdef ME
-ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
+ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, GENERIC_SECURE_PASSWORD_METHOD,
 	"ID_PEER");
 ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER,
 	"HEADER",
@@ -67,7 +69,8 @@ ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER,
 	"TRAFFIC_SELECTOR_SUBSTRUCTURE",
 	"CONFIGURATION_ATTRIBUTE");
 #else
-ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION,
+ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE,
+							  GENERIC_SECURE_PASSWORD_METHOD,
 	"HEADER",
 	"PROPOSAL_SUBSTRUCTURE",
 	"TRANSFORM_SUBSTRUCTURE",
@@ -80,7 +83,8 @@ ENUM_END(payload_type_names, CONFIGURATION_ATTRIBUTE);
 /* short forms of payload names */
 ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD,
 	"--");
-ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, NO_PAYLOAD,
+ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION,
+									GENERIC_SECURE_PASSWORD_METHOD, NO_PAYLOAD,
 	"SA",
 	"KE",
 	"IDi",
@@ -96,9 +100,11 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICAT
 	"TSr",
 	"E",
 	"CP",
-	"EAP");
+	"EAP",
+	"GSPM");
 #ifdef ME
-ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION,
+ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER,
+									GENERIC_SECURE_PASSWORD_METHOD,
 	"IDp");
 ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER,
 	"HDR",
@@ -108,7 +114,8 @@ ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER,
 	"TSSUB",
 	"CPATTR");
 #else
-ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION,
+ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE,
+									GENERIC_SECURE_PASSWORD_METHOD,
 	"HDR",
 	"PROP",
 	"TRANS",
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index 0f407ff42..a9af29b5b 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -79,7 +79,7 @@ enum payload_type_t{
 	AUTHENTICATION = 39,
 
 	/**
-	 * Nonces, for initator and responder (Ni, Nr, N)
+	 * Nonces, for initiator and responder (Ni, Nr, N)
 	 */
 	NONCE = 40,
 
@@ -123,6 +123,11 @@ enum payload_type_t{
 	 */
 	EXTENSIBLE_AUTHENTICATION = 48,
 
+	/**
+	 * Generic Secure Password Method (GSPM).
+	 */
+	GENERIC_SECURE_PASSWORD_METHOD = 49,
+
 #ifdef ME
 	/**
 	 * Identification payload for peers has a value from
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index f39c3b0e6..4753d574d 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -407,7 +407,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(
 
 	this = (private_proposal_substructure_t*)proposal_substructure_create();
 
-	/* encryption algorithm is only availble in ESP */
+	/* encryption algorithm is only available in ESP */
 	enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
 	while (enumerator->enumerate(enumerator, &alg, &key_size))
 	{
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index db20d052f..010f63cfd 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -106,7 +106,6 @@ METHOD(payload_t, verify, status_t,
 	status_t status = SUCCESS;
 	enumerator_t *enumerator;
 	proposal_substructure_t *substruct;
-	bool first = TRUE;
 
 	/* check proposal numbering */
 	enumerator = this->proposals->create_enumerator(this->proposals);
@@ -115,16 +114,6 @@ METHOD(payload_t, verify, status_t,
 		current_number = substruct->get_proposal_number(substruct);
 		if (current_number < expected_number)
 		{
-			if (current_number != expected_number + 1)
-			{
-				DBG1(DBG_ENC, "proposal number is %d, expected %d or %d",
-					 current_number, expected_number, expected_number + 1);
-				status = FAILED;
-				break;
-			}
-		}
-		else if (current_number < expected_number)
-		{
 			DBG1(DBG_ENC, "proposal number smaller than previous");
 			status = FAILED;
 			break;
@@ -136,7 +125,6 @@ METHOD(payload_t, verify, status_t,
 			DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
 			break;
 		}
-		first = FALSE;
 		expected_number = current_number;
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c
index 0428da726..3f04b3539 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.c
+++ b/src/libcharon/encoding/payloads/transform_substructure.c
@@ -84,7 +84,7 @@ encoding_rule_t transform_substructure_encodings[] = {
 	{ U_INT_8,				offsetof(private_transform_substructure_t, transform_type)	},
 	/* 1 Reserved Byte */
 	{ RESERVED_BYTE,		offsetof(private_transform_substructure_t, reserved[1])		},
-	/* tranform ID is a number of 8 bit */
+	/* transform ID is a number of 8 bit */
 	{ U_INT_16,				offsetof(private_transform_substructure_t, transform_id)	},
 	/* Attributes are stored in a transform attribute,
 	   offset points to a linked_list_t pointer */
diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h
index c961700a4..102dbb3d3 100644
--- a/src/libcharon/encoding/payloads/transform_substructure.h
+++ b/src/libcharon/encoding/payloads/transform_substructure.h
@@ -118,7 +118,7 @@ transform_substructure_t *transform_substructure_create(void);
  *
  * @param type			type of transform to create
  * @param id			transform id specifc for the transform type
- * @param key_length	key length for key lenght attribute, 0 to omit
+ * @param key_length	key length for key length attribute, 0 to omit
  * @return				transform_substructure_t object
  */
 transform_substructure_t *transform_substructure_create_type(