[svn-upgrade] new version strongswan (4.4.1)

7 files changed, 96 insertions, 36 deletions

diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 8815ba741..e094200ca 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index 49146f18b..9a3ae0ab9 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -306,7 +306,8 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
 		return;
 	}
 	ca_section_destroy(ca);
-	/* TODO: flush cached certs */
+
+	lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
 }
 
 /**
@@ -356,12 +357,16 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
 	{
 		if (section->certuribase && cert->issued_by(cert, section->cert))
 		{
-			chunk_t hash, encoded = cert->get_encoding(cert);
-			hasher->allocate_hash(hasher, encoded, &hash);
-			section->hashes->insert_last(section->hashes,
-					identification_create_from_encoding(ID_KEY_ID, hash));
-			chunk_free(&hash);
-			chunk_free(&encoded);
+			chunk_t hash, encoded;
+
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
+			{
+				hasher->allocate_hash(hasher, encoded, &hash);
+				section->hashes->insert_last(section->hashes,
+						identification_create_from_encoding(ID_KEY_ID, hash));
+				chunk_free(&hash);
+				chunk_free(&encoded);
+			}
 			break;
 		}
 	}
@@ -400,11 +405,11 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 		/* list authkey and keyid */
 		if (public)
 		{
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+			if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
 			{
 				fprintf(out, "  authkey:      %#B\n", &chunk);
 			}
-			if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+			if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
 			{
 				fprintf(out, "  keyid:        %#B\n", &chunk);
 			}
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index bbc1e7a31..617069432 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -399,8 +399,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	if (ca)
 	{
 		identity = identification_create_from_string(ca);
-		certificate = charon->credentials->get_cert(charon->credentials,
-											CERT_X509, KEY_ANY, identity, TRUE);
+		certificate = lib->credmgr->get_cert(lib->credmgr, CERT_X509,
+											 KEY_ANY, identity, TRUE);
 		identity->destroy(identity);
 		if (certificate)
 		{
@@ -413,7 +413,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		}
 	}
 
-	/* AC groups */
+	/* groups */
 	if (end->groups)
 	{
 		enumerator_t *enumerator;
@@ -422,9 +422,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		enumerator = enumerator_create_token(end->groups, ",", " ");
 		while (enumerator->enumerate(enumerator, &group))
 		{
-			identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
-											chunk_create(group, strlen(group)));
-			cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
+			cfg->add(cfg, AUTH_RULE_GROUP,
+					 identification_create_from_string(group));
 		}
 		enumerator->destroy(enumerator);
 	}
@@ -769,6 +768,14 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 			.jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
 		}
 	};
+	mark_t mark_in = {
+		.value = msg->add_conn.mark_in.value,
+		.mask = msg->add_conn.mark_in.mask
+	};
+	mark_t mark_out = {
+		.value = msg->add_conn.mark_out.value,
+		.mask = msg->add_conn.mark_out.mask
+	};
 
 	switch (msg->add_conn.dpd.action)
 	{	/* map startes magic values to our action type */
@@ -787,7 +794,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 				msg->add_conn.name, &lifetime,
 				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
 				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
-				msg->add_conn.inactivity);
+				msg->add_conn.inactivity, msg->add_conn.reqid,
+				&mark_in, &mark_out);
 	child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
 											msg->add_conn.install_policy);
 	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index a03aef697..f64421551 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -186,6 +186,11 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
 	}
 	else
 	{
+		if (!pos)
+		{
+			DBG1(DBG_CFG, "error parsing string");
+			return;
+		}
 		if (*(pos + 1) == '*')
 		{	/* is name[*] */
 			all = TRUE;
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index e0a5210a9..2816b9bb2 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -378,7 +378,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
 			}
 			if (found)
 			{
-				new = cert->is_newer(cert, current);
+				new = crl_is_newer(crl, crl_c);
 				if (new)
 				{
 					this->certs->remove_at(this->certs, enumerator);
@@ -587,9 +587,11 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 			snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
 			free(hex.ptr);
 
-			chunk = cert->get_encoding(cert);
-			chunk_write(chunk, buf, "crl", 022, TRUE);
-			free(chunk.ptr);
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+			{
+				chunk_write(chunk, buf, "crl", 022, TRUE);
+				free(chunk.ptr);
+			}
 		}
 	}
 }
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index c2a98da33..a6de35466 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -17,6 +17,10 @@
 
 #include <time.h>
 
+#ifdef HAVE_MALLINFO
+#include <malloc.h>
+#endif /* HAVE_MALLINFO */
+
 #include <daemon.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
@@ -55,6 +59,33 @@ struct private_stroke_list_t {
 };
 
 /**
+ * Log tasks of a specific queue to out
+ */
+static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name)
+{
+	enumerator_t *enumerator;
+	bool has = FALSE;
+	task_t *task;
+
+	enumerator = ike_sa->create_task_enumerator(ike_sa, q);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (!has)
+		{
+			fprintf(out, "%12s[%d]: Tasks %s: ", ike_sa->get_name(ike_sa),
+					ike_sa->get_unique_id(ike_sa), name);
+			has = TRUE;
+		}
+		fprintf(out, "%N ", task_type_names, task->get_type(task));
+	}
+	enumerator->destroy(enumerator);
+	if (has)
+	{
+		fprintf(out, "\n");
+	}
+}
+
+/**
  * log an IKE_SA to out
  */
 static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
@@ -140,6 +171,10 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
 					buf+4);
 		}
+
+		log_task_q(out, ike_sa, TASK_QUEUE_QUEUED, "queued");
+		log_task_q(out, ike_sa, TASK_QUEUE_ACTIVE, "active");
+		log_task_q(out, ike_sa, TASK_QUEUE_PASSIVE, "passive");
 	}
 }
 
@@ -342,7 +377,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
 		rules = auth->create_enumerator(auth);
 		while (rules->enumerate(rules, &rule, &id))
 		{
-			if (rule == AUTH_RULE_AC_GROUP)
+			if (rule == AUTH_RULE_GROUP)
 			{
 				fprintf(out, "%12s:    group: %Y\n", name, id);
 			}
@@ -373,12 +408,19 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		u_int32_t dpd;
 		time_t since, now;
 		u_int size, online, offline;
-
 		now = time_monotonic(NULL);
 		since = time(NULL) - (now - this->uptime);
 
 		fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
 		fprintf(out, "  uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
+#ifdef HAVE_MALLINFO
+		{
+			struct mallinfo mi = mallinfo();
+
+			fprintf(out, "  malloc: sbrk %d, mmap %d, used %d, free %d\n",
+				    mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks);
+		}
+#endif /* HAVE_MALLINFO */
 		fprintf(out, "  worker threads: %d idle of %d,",
 				charon->processor->get_idle_threads(charon->processor),
 				charon->processor->get_total_threads(charon->processor));
@@ -534,9 +576,8 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 static linked_list_t* create_unique_cert_list(certificate_type_t type)
 {
 	linked_list_t *list = linked_list_create();
-	enumerator_t *enumerator = charon->credentials->create_cert_enumerator(
-									charon->credentials, type, KEY_ANY,
-									NULL, FALSE);
+	enumerator_t *enumerator = lib->credmgr->create_cert_enumerator(
+									lib->credmgr, type, KEY_ANY, NULL, FALSE);
 	certificate_t *cert;
 
 	while (enumerator->enumerate(enumerator, (void**)&cert))
@@ -585,11 +626,11 @@ static void list_public_key(public_key_t *public, FILE *out)
 	identification_t *id;
 	auth_cfg_t *auth;
 
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, keyid);
 		auth = auth_cfg_create();
-		private = charon->credentials->get_private(charon->credentials,
+		private = lib->credmgr->get_private(lib->credmgr,
 									public->get_type(public), id, auth);
 		auth->destroy(auth);
 		id->destroy(id);
@@ -599,11 +640,11 @@ static void list_public_key(public_key_t *public, FILE *out)
 			key_type_names, public->get_type(public),
 			public->get_keysize(public) * 8,
 			private ? ", has private key" : "");
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+	if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
 	{
 		fprintf(out, "  keyid:     %#B\n", &keyid);
 	}
-	if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
 	{
 		fprintf(out, "  subjkey:   %#B\n", &keyid);
 	}
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 56c18da38..18afa5af4 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -344,8 +344,7 @@ static void stroke_purge(private_stroke_socket_t *this,
 {
 	if (msg->purge.flags & PURGE_OCSP)
 	{
-		charon->credentials->flush_cache(charon->credentials,
-										 CERT_X509_OCSP_RESPONSE);
+		lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE);
 	}
 	if (msg->purge.flags & PURGE_IKE)
 	{
@@ -622,8 +621,8 @@ static bool open_socket(private_stroke_socket_t *this)
 static void destroy(private_stroke_socket_t *this)
 {
 	this->job->cancel(this->job);
-	charon->credentials->remove_set(charon->credentials, &this->ca->set);
-	charon->credentials->remove_set(charon->credentials, &this->cred->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->ca->set);
+	lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
 	this->cred->destroy(this->cred);
@@ -657,8 +656,8 @@ stroke_socket_t *stroke_socket_create()
 	this->control = stroke_control_create();
 	this->list = stroke_list_create(this->attribute);
 
-	charon->credentials->add_set(charon->credentials, &this->ca->set);
-	charon->credentials->add_set(charon->credentials, &this->cred->set);
+	lib->credmgr->add_set(lib->credmgr, &this->ca->set);
+	lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 	charon->backends->add_backend(charon->backends, &this->config->backend);
 	hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);