author | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
commit | bf372706c469764d59e9f29c39e3ecbebd72b8d2 (patch) | |
tree | 0f0e296e2d50e4a7faf99ae6fa428d2681e81ea1 /src/libcharon/plugins/stroke | |
parent | 518dd33c94e041db0444c7d1f33da363bb8e3faf (diff) | |
Imported Upstream version 5.5.0
Diffstat (limited to 'src/libcharon/plugins/stroke')
-rw-r--r-- | src/libcharon/plugins/stroke/Makefile.in | 27 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 132 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_control.c | 18 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_counter.c | 10 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_cred.c | 47 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_list.c | 10 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_socket.c | 2 |
7 files changed, 147 insertions, 99 deletions
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 2b22b333a..9f63cb0b5 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -79,8 +89,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = src/libcharon/plugins/stroke -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -94,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = 
@@ -205,12 +214,14 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -260,6 +271,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -294,6 +306,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ @@ -405,6 +418,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -474,7 +488,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/stroke/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/libcharon/plugins/stroke/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -796,6 +809,8 @@ uninstall-am: uninstall-pluginLTLIBRARIES mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ uninstall-am uninstall-pluginLTLIBRARIES +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index d0eb2aac3..f2d110434 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -252,7 +252,7 @@ static void swap_ends(stroke_msg_t *msg) static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg) { ike_cfg_t *ike_cfg; - u_int16_t ikeport; + uint16_t ikeport; char me[256], other[256]; swap_ends(msg); @@ -616,12 +616,17 @@ static mem_pool_t *create_pool_range(char *str) static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, stroke_msg_t *msg, ike_cfg_t *ike_cfg) { - identification_t *peer_id = NULL; - peer_cfg_t *mediated_by = NULL; - unique_policy_t unique; - u_int32_t rekey = 0, reauth = 0, over, jitter; peer_cfg_t *peer_cfg; auth_cfg_t *auth_cfg; + peer_cfg_create_t peer = { + .cert_policy = msg->add_conn.me.sendcert, + .keyingtries = msg->add_conn.rekey.tries, + .no_mobike = !msg->add_conn.mobike, + .aggressive = msg->add_conn.aggressive, + .push_mode = msg->add_conn.pushmode, + .dpd = msg->add_conn.dpd.delay, + .dpd_timeout = msg->add_conn.dpd.timeout, + }; #ifdef ME if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by) @@ -633,14 +638,17 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, if (msg->add_conn.ikeme.mediation) { + peer.mediation = TRUE; /* force unique connections for mediation connections */ msg->add_conn.unique = 1; } if (msg->add_conn.ikeme.mediated_by) { - mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends, - msg->add_conn.ikeme.mediated_by); + peer_cfg_t *mediated_by; + + mediated_by = charon->backends->get_peer_cfg_by_name( + charon->backends, msg->add_conn.ikeme.mediated_by); if (!mediated_by) { DBG1(DBG_CFG, "mediation connection '%s' not found, aborting", 
@@ -655,58 +663,55 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, mediated_by->destroy(mediated_by); return NULL; } + peer.mediated_by = mediated_by; if (msg->add_conn.ikeme.peerid) { - peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid); + peer.peer_id = identification_create_from_string( + msg->add_conn.ikeme.peerid); } else if (msg->add_conn.other.id) { - peer_id = identification_create_from_string(msg->add_conn.other.id); + peer.peer_id = identification_create_from_string( + msg->add_conn.other.id); } } #endif /* ME */ - jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; - over = msg->add_conn.rekey.margin; + peer.jitter_time = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100; + peer.over_time = msg->add_conn.rekey.margin; if (msg->add_conn.rekey.reauth) { - reauth = msg->add_conn.rekey.ike_lifetime - over; + peer.reauth_time = msg->add_conn.rekey.ike_lifetime - peer.over_time; } else { - rekey = msg->add_conn.rekey.ike_lifetime - over; + peer.rekey_time = msg->add_conn.rekey.ike_lifetime - peer.over_time; } switch (msg->add_conn.unique) { case 1: /* yes */ case 2: /* replace */ - unique = UNIQUE_REPLACE; + peer.unique = UNIQUE_REPLACE; break; case 3: /* keep */ - unique = UNIQUE_KEEP; + peer.unique = UNIQUE_KEEP; break; case 4: /* never */ - unique = UNIQUE_NEVER; + peer.unique = UNIQUE_NEVER; break; default: /* no */ - unique = UNIQUE_NO; + peer.unique = UNIQUE_NO; break; } if (msg->add_conn.dpd.action == 0) { /* dpdaction=none disables DPD */ - msg->add_conn.dpd.delay = 0; + peer.dpd = 0; } /* other.sourceip is managed in stroke_attributes. If it is set, we define * the pool name as the connection name, which the attribute provider * uses to serve pool addresses. 
*/ - peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, - msg->add_conn.me.sendcert, unique, - msg->add_conn.rekey.tries, rekey, reauth, jitter, over, - msg->add_conn.mobike, msg->add_conn.aggressive, - msg->add_conn.pushmode == 0, - msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout, - msg->add_conn.ikeme.mediation, mediated_by, peer_id); + peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, &peer); if (msg->add_conn.other.sourceip) { @@ -883,8 +888,8 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, /** * Parse a protoport specifier */ -static bool parse_protoport(char *token, u_int16_t *from_port, - u_int16_t *to_port, u_int8_t *protocol) +static bool parse_protoport(char *token, uint16_t *from_port, + uint16_t *to_port, uint8_t *protocol) { char *sep, *port = "", *endptr; struct protoent *proto; @@ -923,7 +928,7 @@ static bool parse_protoport(char *token, u_int16_t *from_port, { return FALSE; } - *protocol = (u_int8_t)p; + *protocol = (uint8_t)p; } } if (streq(port, "%any")) @@ -1002,8 +1007,8 @@ static void add_ts(private_stroke_config_t *this, { enumerator_t *enumerator; char *subnet, *pos; - u_int16_t from_port, to_port; - u_int8_t proto; + uint16_t from_port, to_port; + uint8_t proto; enumerator = enumerator_create_token(end->subnets, ",", " "); while (enumerator->enumerate(enumerator, &subnet)) 
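Review bot: The lifetime subtraction in build_peer_cfg, `peer.reauth_time = msg->add_conn.rekey.ike_lifetime - peer.over_time;` (and the matching `peer.rekey_time` line), has no guard against a margin larger than the lifetime, so if these fields are unsigned the result wraps to a very large interval and rekeying or reauthentication would effectively never fire. The values are taken straight from the stroke message in this hunk and no range check is visible here; a test such as `if (msg->add_conn.rekey.margin >= msg->add_conn.rekey.ike_lifetime)` with a DBG1 warning before the subtraction would make the misconfiguration visible. The `.rekey = ... - msg->add_conn.rekey.margin` initialisers in the build_child_cfg hunk (`@@ -1070`) follow the same pattern. build_peer_cfg starts and ends outside this hunk, so a check may exist elsewhere.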
@@ -1070,45 +1075,50 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, stroke_msg_t *msg) { child_cfg_t *child_cfg; - lifetime_cfg_t lifetime = { - .time = { - .life = msg->add_conn.rekey.ipsec_lifetime, - .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, - .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100 + child_cfg_create_t child = { + .lifetime = { + .time = { + .life = msg->add_conn.rekey.ipsec_lifetime, + .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, + .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100 + }, + .bytes = { + .life = msg->add_conn.rekey.life_bytes, + .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes, + .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100 + }, + .packets = { + .life = msg->add_conn.rekey.life_packets, + .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets, + .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 + }, }, - .bytes = { - .life = msg->add_conn.rekey.life_bytes, - .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes, - .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100 + .mark_in = { + .value = msg->add_conn.mark_in.value, + .mask = msg->add_conn.mark_in.mask }, - .packets = { - .life = msg->add_conn.rekey.life_packets, - .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets, - .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 - } - }; - mark_t mark_in = { - .value = msg->add_conn.mark_in.value, - .mask = msg->add_conn.mark_in.mask - }; - mark_t mark_out = { - .value = msg->add_conn.mark_out.value, - .mask = msg->add_conn.mark_out.mask + .mark_out = { + .value = msg->add_conn.mark_out.value, + .mask = msg->add_conn.mark_out.mask + }, + .reqid = msg->add_conn.reqid, + .mode = msg->add_conn.mode, + .proxy_mode = 
msg->add_conn.proxy_mode, + .ipcomp = msg->add_conn.ipcomp, + .tfc = msg->add_conn.tfc, + .inactivity = msg->add_conn.inactivity, + .dpd_action = map_action(msg->add_conn.dpd.action), + .close_action = map_action(msg->add_conn.close_action), + .updown = msg->add_conn.me.updown, + .hostaccess = msg->add_conn.me.hostaccess, + .suppress_policies = !msg->add_conn.install_policy, }; - child_cfg = child_cfg_create( - msg->add_conn.name, &lifetime, msg->add_conn.me.updown, - msg->add_conn.me.hostaccess, msg->add_conn.mode, ACTION_NONE, - map_action(msg->add_conn.dpd.action), - map_action(msg->add_conn.close_action), msg->add_conn.ipcomp, - msg->add_conn.inactivity, msg->add_conn.reqid, - &mark_in, &mark_out, msg->add_conn.tfc); + child_cfg = child_cfg_create(msg->add_conn.name, &child); if (msg->add_conn.replay_window != -1) { child_cfg->set_replay_window(child_cfg, msg->add_conn.replay_window); } - child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, - msg->add_conn.install_policy); add_ts(this, &msg->add_conn.me, child_cfg, TRUE); add_ts(this, &msg->add_conn.other, child_cfg, FALSE); diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 36da5ff21..fb60d3973 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -198,7 +198,7 @@ METHOD(stroke_control_t, initiate, void, /** * Parse a terminate/rekey specifier */ -static bool parse_specifier(char *string, u_int32_t *id, +static bool parse_specifier(char *string, uint32_t *id, char **name, bool *child, bool *all) { int len; @@ -266,7 +266,7 @@ static bool parse_specifier(char *string, u_int32_t *id, * Report the result of a terminate() call to console */ static void report_terminate_status(private_stroke_control_t *this, - status_t status, FILE *out, u_int32_t id, bool child) + status_t status, FILE *out, uint32_t id, bool child) { char *prefix, *postfix; 
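Review bot: The new `child_cfg_create_t` initialiser drops the explicit `ACTION_NONE` that the old `child_cfg_create()` call passed for the start action and now relies on zero-initialisation of the omitted member. Spelling it out, e.g. `.start_action = ACTION_NONE,` (assuming that is the member's name in `child_cfg_create_t`), keeps the intent readable and does not depend on the enum's first value. The inverted flag `.suppress_policies = !msg->add_conn.install_policy` would also benefit from a short comment such as `/* installpolicy=no suppresses policy installation */`, since the old code passed `install_policy` unnegated to `set_mipv6_options()`. build_child_cfg continues outside the hunk.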
@@ -300,7 +300,7 @@ static void report_terminate_status(private_stroke_control_t *this, /** * Call the charon controller to terminate a CHILD_SA */ -static void charon_terminate(private_stroke_control_t *this, u_int32_t id, +static void charon_terminate(private_stroke_control_t *this, uint32_t id, stroke_msg_t *msg, FILE *out, bool child) { if (msg->output_verbosity >= 0) @@ -336,7 +336,7 @@ METHOD(stroke_control_t, terminate, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { char *name; - u_int32_t id; + uint32_t id; bool child, all; ike_sa_t *ike_sa; enumerator_t *enumerator; @@ -424,7 +424,7 @@ METHOD(stroke_control_t, rekey, void, private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { char *name; - u_int32_t id; + uint32_t id; bool child, all, finished = FALSE; ike_sa_t *ike_sa; enumerator_t *enumerator; @@ -591,13 +591,13 @@ METHOD(stroke_control_t, purge_ike, void, /** * Find an existing CHILD_SA/reqid */ -static u_int32_t find_reqid(child_cfg_t *child_cfg) +static uint32_t find_reqid(child_cfg_t *child_cfg) { enumerator_t *enumerator, *children; child_sa_t *child_sa; ike_sa_t *ike_sa; char *name; - u_int32_t reqid; + uint32_t reqid; reqid = charon->traps->find_reqid(charon->traps, child_cfg); if (reqid) @@ -636,7 +636,7 @@ static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, char *name, FILE *out) { ipsec_mode_t mode; - u_int32_t reqid; + uint32_t reqid; mode = child_cfg->get_mode(child_cfg); if (mode == MODE_PASS || mode == MODE_DROP) @@ -731,7 +731,7 @@ METHOD(stroke_control_t, unroute, void, { child_sa_t *child_sa; enumerator_t *enumerator; - u_int32_t id = 0; + uint32_t id = 0; if (charon->shunts->uninstall(charon->shunts, msg->unroute.name)) { diff --git a/src/libcharon/plugins/stroke/stroke_counter.c b/src/libcharon/plugins/stroke/stroke_counter.c index 5fa1fb165..e93fd4ef2 100644 --- a/src/libcharon/plugins/stroke/stroke_counter.c +++ b/src/libcharon/plugins/stroke/stroke_counter.c 
@@ -58,7 +58,7 @@ struct private_stroke_counter_t { /** * Global counter values */ - u_int64_t counter[COUNTER_MAX]; + uint64_t counter[COUNTER_MAX]; /** * Counters for specific connection names, char* => entry_t @@ -78,7 +78,7 @@ typedef struct { /** connection name */ char *name; /** counter values for connection */ - u_int64_t counter[COUNTER_MAX]; + uint64_t counter[COUNTER_MAX]; } entry_t; /** @@ -290,7 +290,7 @@ METHOD(listener_t, message_hook, bool, * Print a single counter value to out */ static void print_counter(FILE *out, stroke_counter_type_t type, - u_int64_t counter) + uint64_t counter) { fprintf(out, "%-18N %12llu\n", stroke_counter_type_names, type, counter); } @@ -300,7 +300,7 @@ static void print_counter(FILE *out, stroke_counter_type_t type, */ static void print_one(private_stroke_counter_t *this, FILE *out, char *name) { - u_int64_t counter[COUNTER_MAX]; + uint64_t counter[COUNTER_MAX]; entry_t *entry; int i; @@ -365,7 +365,7 @@ static void print_all(private_stroke_counter_t *this, FILE *out) */ static void print_global(private_stroke_counter_t *this, FILE *out) { - u_int64_t counter[COUNTER_MAX]; + uint64_t counter[COUNTER_MAX]; int i; this->lock->lock(this->lock); diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 42928882a..929e6fc84 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -754,6 +754,8 @@ typedef struct { chunk_t keyid; /** number of tries */ int try; + /** provided PIN */ + shared_key_t *shared; } pin_cb_data_t; /** @@ -798,7 +800,9 @@ static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type, { *match_other = ID_MATCH_NONE; } - return shared_key_create(SHARED_PIN, chunk_clone(secret)); + DESTROY_IF(data->shared); + data->shared = shared_key_create(SHARED_PIN, chunk_clone(secret)); + return data->shared->get_ref(data->shared); } } return NULL; 
@@ -815,7 +819,7 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr, private_key_t *key = NULL; u_int slot; chunk_t chunk; - shared_key_t *shared; + shared_key_t *shared = NULL; identification_t *id; mem_cred_t *mem = NULL; callback_cred_t *cb = NULL; @@ -867,10 +871,11 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr, return TRUE; } /* use callback credential set to prompt for the pin */ - pin_data.prompt = prompt; - pin_data.card = smartcard; - pin_data.keyid = chunk; - pin_data.try = 0; + pin_data = (pin_cb_data_t){ + .prompt = prompt, + .card = smartcard, + .keyid = chunk, + }; cb = callback_cred_create_shared((void*)pin_cb, &pin_data); lib->credmgr->add_local_set(lib->credmgr, &cb->set, FALSE); } 
@@ -880,30 +885,48 @@ static bool load_pin(mem_cred_t *secrets, chunk_t line, int line_nr, shared = shared_key_create(SHARED_PIN, secret); id = identification_create_from_encoding(ID_KEY_ID, chunk); mem = mem_cred_create(); - mem->add_shared(mem, shared, id, NULL); + mem->add_shared(mem, shared->get_ref(shared), id, NULL); lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE); } /* unlock: smartcard needs the pin and potentially calls public set */ key = (private_key_t*)load_from_smartcard(format, slot, module, keyid, CRED_PRIVATE_KEY, KEY_ANY); + + if (key) + { + DBG1(DBG_CFG, " loaded private key from %.*s", (int)sc.len, sc.ptr); + secrets->add_key(secrets, key); + } if (mem) { + if (!key) + { + shared->destroy(shared); + shared = NULL; + } lib->credmgr->remove_local_set(lib->credmgr, &mem->set); mem->destroy(mem); } if (cb) { + if (key) + { + shared = pin_data.shared; + } + else + { + DESTROY_IF(pin_data.shared); + } lib->credmgr->remove_local_set(lib->credmgr, &cb->set); cb->destroy(cb); } - chunk_clear(&chunk); - - if (key) + if (shared) { - DBG1(DBG_CFG, " loaded private key from %.*s", (int)sc.len, sc.ptr); - secrets->add_key(secrets, key); + id = identification_create_from_encoding(ID_KEY_ID, chunk); + secrets->add_shared(secrets, shared, id, NULL); } + chunk_clear(&chunk); return TRUE; } diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 0371c7032..6c5703a16 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -206,7 +206,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { time_t use_in, use_out, rekey, now; - u_int64_t bytes_in, bytes_out, packets_in, packets_out; + uint64_t bytes_in, bytes_out, packets_in, packets_out; proposal_t *proposal; linked_list_t *my_ts, *other_ts; child_cfg_t *config; 
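Review bot: After a successful smartcard load the PIN is no longer dropped with the temporary credential set but handed to `secrets` via `secrets->add_shared(secrets, shared, id, NULL);`, so it stays resident in the daemon for as long as that set lives, and nothing in the hunk documents that. A comment above the `if (shared)` block, for example `/* keep the PIN with the key; secrets takes over our reference */`, would record both the intent and the reference hand-over (the `mem` path holds an extra `get_ref`, the callback path takes `pin_data.shared`). Whether `shared_key_t` wipes the PIN bytes on destroy is not visible here and is worth confirming, since the failure paths rely on `shared->destroy(shared)` and `DESTROY_IF(pin_data.shared)` to dispose of it. load_pin starts outside this hunk.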
@@ -244,7 +244,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) proposal = child_sa->get_proposal(child_sa); if (proposal) { - u_int16_t alg, ks; + uint16_t alg, ks; bool first = TRUE; if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, @@ -286,7 +286,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { fprintf(out, " (%" PRIu64 " pkt%s, %" PRIu64 "s ago)", packets_in, (packets_in == 1) ? "": "s", - (u_int64_t)(now - use_in)); + (uint64_t)(now - use_in)); } child_sa->get_usestats(child_sa, FALSE, @@ -296,7 +296,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { fprintf(out, " (%" PRIu64 " pkt%s, %" PRIu64 "s ago)", packets_out, (packets_out == 1) ? "": "s", - (u_int64_t)(now - use_out)); + (uint64_t)(now - use_out)); } fprintf(out, ", rekeying "); @@ -474,7 +474,7 @@ METHOD(stroke_list_t, status, void, ike_version_t ike_version; char *pool; host_t *host; - u_int32_t dpd; + uint32_t dpd; time_t since, now; u_int size, online, offline, i; struct utsname utsname; diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index ee32dbca2..4f7483666 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -613,7 +613,7 @@ static void stroke_config(private_stroke_socket_t *this, static bool on_accept(private_stroke_socket_t *this, stream_t *stream) { stroke_msg_t *msg; - u_int16_t len; + uint16_t len; FILE *out; /* read length */ |