New upstream version 5.5.2

6 files changed, 75 insertions, 85 deletions

diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 7eacc516a..50a6d5953 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index f2d110434..bbdc2116d 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -642,28 +642,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		/* force unique connections for mediation connections */
 		msg->add_conn.unique = 1;
 	}
-
-	if (msg->add_conn.ikeme.mediated_by)
+	else if (msg->add_conn.ikeme.mediated_by)
 	{
-		peer_cfg_t *mediated_by;
-
-		mediated_by = charon->backends->get_peer_cfg_by_name(
-							charon->backends, msg->add_conn.ikeme.mediated_by);
-		if (!mediated_by)
-		{
-			DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
-				 msg->add_conn.ikeme.mediated_by);
-			return NULL;
-		}
-		if (!mediated_by->is_mediation(mediated_by))
-		{
-			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
-				 "no mediation connection, aborting",
-				 msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
-			mediated_by->destroy(mediated_by);
-			return NULL;
-		}
-		peer.mediated_by = mediated_by;
+		peer.mediated_by = msg->add_conn.ikeme.mediated_by;
 		if (msg->add_conn.ikeme.peerid)
 		{
 			peer.peer_id = identification_create_from_string(
@@ -982,73 +963,60 @@ static void add_ts(private_stroke_config_t *this,
 				   stroke_end_t *end, child_cfg_t *child_cfg, bool local)
 {
 	traffic_selector_t *ts;
+	bool ts_added = FALSE;
 
-	if (end->tohost)
-	{
-		ts = traffic_selector_create_dynamic(end->protocol,
-											 end->from_port, end->to_port);
-		child_cfg->add_traffic_selector(child_cfg, local, ts);
-	}
-	else
+	if (end->subnets)
 	{
-		if (!end->subnets)
-		{
-			host_t *net;
+		enumerator_t *enumerator;
+		char *subnet, *pos;
+		uint16_t from_port, to_port;
+		uint8_t proto;
 
-			net = host_create_from_string(end->address, 0);
-			if (net)
-			{
-				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
-												end->from_port, end->to_port);
-				child_cfg->add_traffic_selector(child_cfg, local, ts);
-			}
-		}
-		else
+		enumerator = enumerator_create_token(end->subnets, ",", " ");
+		while (enumerator->enumerate(enumerator, &subnet))
 		{
-			enumerator_t *enumerator;
-			char *subnet, *pos;
-			uint16_t from_port, to_port;
-			uint8_t proto;
+			from_port = end->from_port;
+			to_port = end->to_port;
+			proto = end->protocol;
 
-			enumerator = enumerator_create_token(end->subnets, ",", " ");
-			while (enumerator->enumerate(enumerator, &subnet))
+			pos = strchr(subnet, '[');
+			if (pos)
 			{
-				from_port = end->from_port;
-				to_port = end->to_port;
-				proto = end->protocol;
-
-				pos = strchr(subnet, '[');
-				if (pos)
-				{
-					*(pos++) = '\0';
-					if (!parse_protoport(pos, &from_port, &to_port, &proto))
-					{
-						DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
-							 pos);
-						continue;
-					}
-				}
-				if (streq(subnet, "%dynamic"))
+				*(pos++) = '\0';
+				if (!parse_protoport(pos, &from_port, &to_port, &proto))
 				{
-					ts = traffic_selector_create_dynamic(proto,
-														 from_port, to_port);
-				}
-				else
-				{
-					ts = traffic_selector_create_from_cidr(subnet, proto,
-														   from_port, to_port);
-				}
-				if (ts)
-				{
-					child_cfg->add_traffic_selector(child_cfg, local, ts);
-				}
-				else
-				{
-					DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
+					DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
+						 pos);
+					continue;
 				}
 			}
-			enumerator->destroy(enumerator);
+			if (streq(subnet, "%dynamic"))
+			{
+				ts = traffic_selector_create_dynamic(proto,
+													 from_port, to_port);
+			}
+			else
+			{
+				ts = traffic_selector_create_from_cidr(subnet, proto,
+													   from_port, to_port);
+			}
+			if (ts)
+			{
+				child_cfg->add_traffic_selector(child_cfg, local, ts);
+				ts_added = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
+			}
 		}
+		enumerator->destroy(enumerator);
+	}
+	if (!ts_added)
+	{
+		ts = traffic_selector_create_dynamic(end->protocol,
+											 end->from_port, end->to_port);
+		child_cfg->add_traffic_selector(child_cfg, local, ts);
 	}
 }
 
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index fb60d3973..ee8306772 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -641,7 +641,8 @@ static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 	mode = child_cfg->get_mode(child_cfg);
 	if (mode == MODE_PASS || mode == MODE_DROP)
 	{
-		if (charon->shunts->install(charon->shunts, child_cfg))
+		if (charon->shunts->install(charon->shunts,
+									peer_cfg->get_name(peer_cfg), child_cfg))
 		{
 			fprintf(out, "'%s' shunt %N policy installed\n",
 					name, ipsec_mode_names, mode);
@@ -729,15 +730,30 @@ METHOD(stroke_control_t, route, void,
 METHOD(stroke_control_t, unroute, void,
 	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
+	child_cfg_t *child_cfg;
 	child_sa_t *child_sa;
 	enumerator_t *enumerator;
+	char *ns, *found = NULL;
 	uint32_t id = 0;
 
-	if (charon->shunts->uninstall(charon->shunts, msg->unroute.name))
+	enumerator = charon->shunts->create_enumerator(charon->shunts);
+	while (enumerator->enumerate(enumerator, &ns, &child_cfg))
 	{
+		if (ns && streq(msg->unroute.name, child_cfg->get_name(child_cfg)))
+		{
+			found = strdup(ns);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found && charon->shunts->uninstall(charon->shunts, found,
+										   msg->unroute.name))
+	{
+		free(found);
 		fprintf(out, "shunt policy '%s' uninstalled\n", msg->unroute.name);
 		return;
 	}
+	free(found);
 
 	enumerator = charon->traps->create_enumerator(charon->traps);
 	while (enumerator->enumerate(enumerator, NULL, &child_sa))
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 77911c7b0..9b61afb5c 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -1310,7 +1310,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			break;
 		}
 		if (match("RSA", &token) || match("ECDSA", &token) ||
-			match("BLISS", &token))
+			match("BLISS", &token) || match("PKCS8", &token))
 		{
 			if (match("RSA", &token))
 			{
@@ -1320,10 +1320,14 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			{
 				key_type = KEY_ECDSA;
 			}
-			else
+			else if (match("BLISS", &token))
 			{
 				key_type = KEY_BLISS;
 			}
+			else
+			{
+				key_type = KEY_ANY;
+			}
 			if (!load_private(secrets, line, line_nr, prompt, key_type))
 			{
 				break;
@@ -1356,7 +1360,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 		else
 		{
 			DBG1(DBG_CFG, "line %d: token must be either RSA, ECDSA, BLISS, "
-						  "P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
+						  "PKCS8 P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
 			break;
 		}
 	}
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index cec26579d..92e368669 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -603,7 +603,7 @@ METHOD(stroke_list_t, status, void,
 	/* Enumerate shunt policies */
 	first = TRUE;
 	enumerator = charon->shunts->create_enumerator(charon->shunts);
-	while (enumerator->enumerate(enumerator, &child_cfg))
+	while (enumerator->enumerate(enumerator, NULL, &child_cfg))
 	{
 		if (name && !streq(name, child_cfg->get_name(child_cfg)))
 		{
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index f64b99f08..62095e368 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -70,6 +70,8 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_DSA),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ED25519),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ED448),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),