authorYves-Alexis Perez <corsac@debian.org>2016-10-20 16:18:38 +0200
committerYves-Alexis Perez <corsac@debian.org>2016-10-20 16:18:38 +0200
commit25663e04c3ab01ef8dc9f906608282319cfea2db (patch)
treea0ca5e70f66d74dbe552c996a4f3a285cdfc35e4 /src/libcharon/plugins/vici
parentbf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff)
downloadvyos-strongswan-25663e04c3ab01ef8dc9f906608282319cfea2db.tar.gz
vyos-strongswan-25663e04c3ab01ef8dc9f906608282319cfea2db.zip
New upstream version 5.5.1
Diffstat (limited to 'src/libcharon/plugins/vici')
-rw-r--r--src/libcharon/plugins/vici/Makefile.am1
-rw-r--r--src/libcharon/plugins/vici/Makefile.in6
-rw-r--r--src/libcharon/plugins/vici/README.md13
-rw-r--r--src/libcharon/plugins/vici/perl/Makefile.in5
-rw-r--r--src/libcharon/plugins/vici/perl/Vici-Session/README.pod15
-rw-r--r--src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm4
-rw-r--r--src/libcharon/plugins/vici/python/Makefile.in5
-rw-r--r--src/libcharon/plugins/vici/python/vici/session.py11
-rw-r--r--src/libcharon/plugins/vici/ruby/Makefile.in5
-rw-r--r--src/libcharon/plugins/vici/ruby/lib/vici.rb6
-rw-r--r--src/libcharon/plugins/vici/vici_config.c64
-rw-r--r--src/libcharon/plugins/vici/vici_cred.c86
-rw-r--r--src/libcharon/plugins/vici/vici_cred.h10
-rw-r--r--src/libcharon/plugins/vici/vici_plugin.c4
-rw-r--r--src/libcharon/plugins/vici/vici_query.c10
15 files changed, 201 insertions, 44 deletions
diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am
index ca9b49906..af0b65cd0 100644
--- a/src/libcharon/plugins/vici/Makefile.am
+++ b/src/libcharon/plugins/vici/Makefile.am
@@ -2,6 +2,7 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
-I$(top_srcdir)/src/libcharon \
+ -DSWANCTLDIR=\""${swanctldir}\"" \
-DIPSEC_PIDDIR=\"${piddir}\"
AM_CFLAGS = \
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index b943c09ce..ce1520424 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -449,7 +449,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -483,8 +482,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -538,6 +535,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
@@ -545,6 +544,7 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
-I$(top_srcdir)/src/libcharon \
+ -DSWANCTLDIR=\""${swanctldir}\"" \
-DIPSEC_PIDDIR=\"${piddir}\"
AM_CFLAGS = \
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index cf5a85a8d..18a3ef7b5 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -481,6 +481,19 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon.
errmsg = <error string on failure>
}
+### flush-certs() ###
+
+Flushes the certificate cache. The optional type argument allows to flush
+only certificates of a given type, e.g. all cached CRLs.
+
+ {
+ type = <certificate type to filter for, X509|X509_AC|X509_CRL|
+ OCSP_RESPONSE|PUBKEY or ANY>
+ } => {
+ success = <yes or no>
+ errmsg = <error string on failure>
+ }
+
### clear-creds() ###
Clear all loaded certificate, private key and shared key credentials. This
diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in
index e32e9668c..523868c68 100644
--- a/src/libcharon/plugins/vici/perl/Makefile.in
+++ b/src/libcharon/plugins/vici/perl/Makefile.in
@@ -267,7 +267,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -301,8 +300,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -356,6 +353,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
index de374aa11..d19739709 100644
--- a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
@@ -560,6 +560,21 @@ print "----- unload-authority -----\n";
($res, $errmsg) = $session->unload_authority(Vici::Message->new(\%vars));
print $res ? "ok\n" : "failed: $errmsg\n";
+=item flush_certs()
+
+flushes the volatile certificate cache. Optionally only a given certificate
+type is flushed.
+
+ my %vars = ( type => 'x509_crl' );
+ my ($res, $errmsg) = $session->flush_certs(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- flush-certs -----\n";
+%vars = ( type => 'x509_crl' );
+($res, $errmsg) = $session->flush_certs(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
=item clear_creds()
clears all loaded certificate, private key and shared key credentials. This
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
index 78197136a..5c09b14ed 100644
--- a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
@@ -96,6 +96,10 @@ sub load_shared {
return request_vars_res('load-shared', @_);
}
+sub flush_certs {
+ return request_vars_res('flush-certs', @_);
+}
+
sub clear_creds {
return request_res('clear-creds', @_);
}
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index 7d1c64267..4f1a91703 100644
--- a/src/libcharon/plugins/vici/python/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -289,7 +289,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -323,8 +322,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -378,6 +375,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py
index 66de8590a..5bd4b7c40 100644
--- a/src/libcharon/plugins/vici/python/vici/session.py
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -166,6 +166,17 @@ class Session(object):
"""
self.handler.request("load-shared", secret)
+ def flush_certs(self, filter=None):
+ """Flush the volatile certificate cache.
+
+ Flush the certificate stored temporarily in the cache. The filter
+ allows to flush only a certain type of certificates, e.g. CRLs.
+
+ :param filter: flush only certificates of a given type (optional)
+ :type filter: dict
+ """
+ self.handler.request("flush-certs", filter)
+
def clear_creds(self):
"""Clear credentials loaded over vici.
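Review bot: The parameter name in `def flush_certs(self, filter=None):` shadows the Python builtin `filter` and differs from the `match` name the Ruby binding uses for the same argument in this commit; `def flush_certs(self, match=None):` would avoid both, but since keyword callers would break once released, this should be decided before it ships. The docstring's second paragraph reads awkwardly; `Flush the certificates stored temporarily in the cache. The filter allows flushing only a certain type of certificates, e.g. CRLs.` says the same thing correctly.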
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index aceb28adc..e176285a8 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -267,7 +267,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -301,8 +300,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -356,6 +353,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index 018f50766..1a95fc3dd 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -449,6 +449,12 @@ module Vici
end
##
+ # Flush credential cache.
+ def flush_certs((match = nil)
+ check_success(@transp.request("flush-certs", Message.new(match)))
+ end
+
+ ##
# Clear all loaded credentials.
def clear_creds()
check_success(@transp.request("clear-creds"))
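Review bot: `def flush_certs((match = nil)` on the new side has an extra opening parenthesis and will not parse, which breaks loading of the whole vici.rb module rather than just this method; it should read `def flush_certs(match = nil)`. The header comment says "Flush credential cache" while the command only flushes the certificate cache; `# Flush the volatile certificate cache, optionally only a given certificate type.` matches the server-side description. Whether `Message.new(nil)` is accepted when no match is given is not visible in this hunk.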
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index d919e1d94..2110fd31d 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -437,6 +437,7 @@ typedef struct {
linked_list_t *remote_ts;
uint32_t replay_window;
bool policies;
+ bool policies_fwd_out;
child_cfg_create_t cfg;
} child_data_t;
@@ -462,6 +463,7 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " ipcomp = %u", cfg->ipcomp);
DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, cfg->mode);
DBG2(DBG_CFG, " policies = %u", data->policies);
+ DBG2(DBG_CFG, " policies_fwd_out = %u", data->policies_fwd_out);
if (data->replay_window != REPLAY_UNDEFINED)
{
DBG2(DBG_CFG, " replay_window = %u", data->replay_window);
@@ -503,7 +505,7 @@ static void free_child_data(child_data_t *data)
*/
static bool parse_proposal(linked_list_t *list, protocol_id_t proto, chunk_t v)
{
- char buf[128];
+ char buf[BUF_LEN];
proposal_t *proposal;
if (!vici_stringify(v, buf, sizeof(buf)))
@@ -566,7 +568,7 @@ CALLBACK(parse_ah_proposal, bool,
CALLBACK(parse_ts, bool,
linked_list_t *out, chunk_t v)
{
- char buf[128], *protoport, *sep, *port = "", *end;
+ char buf[BUF_LEN], *protoport, *sep, *port = "", *end;
traffic_selector_t *ts = NULL;
struct protoent *protoent;
struct servent *svc;
@@ -720,7 +722,7 @@ typedef struct {
*/
static bool parse_map(enum_map_t *map, int count, int *out, chunk_t v)
{
- char buf[128];
+ char buf[BUF_LEN];
int i;
if (!vici_stringify(v, buf, sizeof(buf)))
@@ -1051,7 +1053,7 @@ CALLBACK(parse_auth, bool,
*/
static bool parse_id(auth_cfg_t *cfg, auth_rule_t rule, chunk_t v)
{
- char buf[256];
+ char buf[BUF_LEN];
if (!vici_stringify(v, buf, sizeof(buf)))
{
@@ -1330,31 +1332,32 @@ CALLBACK(child_kv, bool,
child_data_t *child, vici_message_t *message, char *name, chunk_t value)
{
parse_rule_t rules[] = {
- { "updown", parse_string, &child->cfg.updown },
- { "hostaccess", parse_bool, &child->cfg.hostaccess },
- { "mode", parse_mode, &child->cfg.mode },
- { "policies", parse_bool, &child->policies },
- { "replay_window", parse_uint32, &child->replay_window },
- { "rekey_time", parse_time, &child->cfg.lifetime.time.rekey },
- { "life_time", parse_time, &child->cfg.lifetime.time.life },
- { "rand_time", parse_time, &child->cfg.lifetime.time.jitter },
- { "rekey_bytes", parse_bytes, &child->cfg.lifetime.bytes.rekey },
- { "life_bytes", parse_bytes, &child->cfg.lifetime.bytes.life },
- { "rand_bytes", parse_bytes, &child->cfg.lifetime.bytes.jitter },
- { "rekey_packets", parse_uint64, &child->cfg.lifetime.packets.rekey },
- { "life_packets", parse_uint64, &child->cfg.lifetime.packets.life },
- { "rand_packets", parse_uint64, &child->cfg.lifetime.packets.jitter },
- { "dpd_action", parse_action, &child->cfg.dpd_action },
- { "start_action", parse_action, &child->cfg.start_action },
- { "close_action", parse_action, &child->cfg.close_action },
- { "ipcomp", parse_bool, &child->cfg.ipcomp },
- { "inactivity", parse_time, &child->cfg.inactivity },
- { "reqid", parse_uint32, &child->cfg.reqid },
- { "mark_in", parse_mark, &child->cfg.mark_in },
- { "mark_out", parse_mark, &child->cfg.mark_out },
- { "tfc_padding", parse_tfc, &child->cfg.tfc },
- { "priority", parse_uint32, &child->cfg.priority },
- { "interface", parse_string, &child->cfg.interface },
+ { "updown", parse_string, &child->cfg.updown },
+ { "hostaccess", parse_bool, &child->cfg.hostaccess },
+ { "mode", parse_mode, &child->cfg.mode },
+ { "policies", parse_bool, &child->policies },
+ { "policies_fwd_out", parse_bool, &child->policies_fwd_out },
+ { "replay_window", parse_uint32, &child->replay_window },
+ { "rekey_time", parse_time, &child->cfg.lifetime.time.rekey },
+ { "life_time", parse_time, &child->cfg.lifetime.time.life },
+ { "rand_time", parse_time, &child->cfg.lifetime.time.jitter },
+ { "rekey_bytes", parse_bytes, &child->cfg.lifetime.bytes.rekey },
+ { "life_bytes", parse_bytes, &child->cfg.lifetime.bytes.life },
+ { "rand_bytes", parse_bytes, &child->cfg.lifetime.bytes.jitter },
+ { "rekey_packets", parse_uint64, &child->cfg.lifetime.packets.rekey },
+ { "life_packets", parse_uint64, &child->cfg.lifetime.packets.life },
+ { "rand_packets", parse_uint64, &child->cfg.lifetime.packets.jitter },
+ { "dpd_action", parse_action, &child->cfg.dpd_action },
+ { "start_action", parse_action, &child->cfg.start_action },
+ { "close_action", parse_action, &child->cfg.close_action },
+ { "ipcomp", parse_bool, &child->cfg.ipcomp },
+ { "inactivity", parse_time, &child->cfg.inactivity },
+ { "reqid", parse_uint32, &child->cfg.reqid },
+ { "mark_in", parse_mark, &child->cfg.mark_in },
+ { "mark_out", parse_mark, &child->cfg.mark_out },
+ { "tfc_padding", parse_tfc, &child->cfg.tfc },
+ { "priority", parse_uint32, &child->cfg.priority },
+ { "interface", parse_string, &child->cfg.interface },
};
return parse_rules(rules, countof(rules), name, value,
@@ -1537,6 +1540,7 @@ CALLBACK(children_sn, bool,
}
}
child.cfg.suppress_policies = !child.policies;
+ child.cfg.fwd_out_policies = child.policies_fwd_out;
check_lifetimes(&child.cfg.lifetime);
@@ -1976,7 +1980,7 @@ CALLBACK(config_sn, bool,
.send_cert = CERT_SEND_IF_ASKED,
.version = IKE_ANY,
.remote_port = IKEV2_UDP_PORT,
- .fragmentation = FRAGMENTATION_NO,
+ .fragmentation = FRAGMENTATION_YES,
.unique = UNIQUE_NO,
.keyingtries = 1,
.rekey_time = LFT_UNDEFINED,
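Review bot: The default `.fragmentation` for connections loaded over vici flips from `FRAGMENTATION_NO` to `FRAGMENTATION_YES`, and the new `policies_fwd_out` child option (added in the `child_kv` hunk above) lands without any matching README.md change in this commit, which only documents flush-certs. If the README states either default it should be updated alongside, and a short comment on the initializer, e.g. `/* default changed to FRAGMENTATION_YES in 5.5.1 */`, would preserve the rationale for readers of the table. The `config_sn` body continues outside the hunk.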
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 3411b7d6c..baf285fb8 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -2,7 +2,7 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -25,9 +25,16 @@
#include <credentials/certificates/crl.h>
#include <credentials/certificates/x509.h>
+#include <errno.h>
+
typedef struct private_vici_cred_t private_vici_cred_t;
/**
+ * Directory for saved X.509 CRLs
+ */
+#define CRL_DIR SWANCTLDIR "/x509crl"
+
+/**
* Private data of an vici_cred_t object.
*/
struct private_vici_cred_t {
@@ -46,8 +53,54 @@ struct private_vici_cred_t {
* credentials
*/
mem_cred_t *creds;
+
+ /**
+ * cache CRLs to disk?
+ */
+ bool cachecrl;
+
};
+METHOD(credential_set_t, cache_cert, void,
+ private_vici_cred_t *this, certificate_t *cert)
+{
+ if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
+ {
+ /* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */
+ crl_t *crl = (crl_t*)cert;
+
+ cert->get_ref(cert);
+ if (this->creds->add_crl(this->creds, crl))
+ {
+ char buf[BUF_LEN];
+ chunk_t chunk, hex;
+ bool is_delta_crl;
+
+ is_delta_crl = crl->is_delta_crl(crl, NULL);
+ chunk = crl->get_authKeyIdentifier(crl);
+ hex = chunk_to_hex(chunk, NULL, FALSE);
+ snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
+ is_delta_crl ? "_delta" : "");
+ free(hex.ptr);
+
+ if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+ {
+ if (chunk_write(chunk, buf, 022, TRUE))
+ {
+ DBG1(DBG_CFG, " written crl file '%s' (%d bytes)",
+ buf, chunk.len);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " writing crl file '%s' failed: %s",
+ buf, strerror(errno));
+ }
+ free(chunk.ptr);
+ }
+ }
+ }
+}
+
/**
* Create a (error) reply message
*/
@@ -287,6 +340,24 @@ CALLBACK(clear_creds, vici_message_t*,
return create_reply(NULL);
}
+CALLBACK(flush_certs, vici_message_t*,
+ private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+ certificate_type_t type = CERT_ANY;
+ x509_flag_t flag = X509_NONE;
+ char *str;
+
+ str = message->get_str(message, NULL, "type");
+ if (str && !enum_from_name(certificate_type_names, str, &type) &&
+ !vici_cert_info_from_str(str, &type, &flag))
+ {
+ return create_reply("invalid certificate type '%s'", str);
+ }
+ lib->credmgr->flush_cache(lib->credmgr, type);
+
+ return create_reply(NULL);
+}
+
static void manage_command(private_vici_cred_t *this,
char *name, vici_command_cb_t cb, bool reg)
{
@@ -300,6 +371,7 @@ static void manage_command(private_vici_cred_t *this,
static void manage_commands(private_vici_cred_t *this, bool reg)
{
manage_command(this, "clear-creds", clear_creds, reg);
+ manage_command(this, "flush-certs", flush_certs, reg);
manage_command(this, "load-cert", load_cert, reg);
manage_command(this, "load-key", load_key, reg);
manage_command(this, "load-shared", load_shared, reg);
@@ -330,6 +402,13 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
INIT(this,
.public = {
+ .set = {
+ .create_private_enumerator = (void*)return_null,
+ .create_cert_enumerator = (void*)return_null,
+ .create_shared_enumerator = (void*)return_null,
+ .create_cdp_enumerator = (void*)return_null,
+ .cache_cert = (void*)_cache_cert,
+ },
.add_cert = _add_cert,
.destroy = _destroy,
},
@@ -337,6 +416,11 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
.creds = mem_cred_create(),
);
+ if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+ {
+ this->cachecrl = TRUE;
+ DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
+ }
lib->credmgr->add_set(lib->credmgr, &this->creds->set);
manage_commands(this, TRUE);
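Review bot: Enabling `cache_crls` only sets `this->cachecrl` and logs; nothing verifies that `CRL_DIR` exists and is writable, so a misconfigured directory surfaces only as per-CRL DBG1 write failures inside `cache_cert` at runtime. A startup check next to the log line, `if (access(CRL_DIR, W_OK) != 0) { DBG1(DBG_CFG, "crl cache directory %s not writable: %s", CRL_DIR, strerror(errno)); }`, gives the operator an immediate hint (it needs `<unistd.h>`, which this file does not visibly include). The enclosing `vici_cred_create` continues outside the hunk.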
diff --git a/src/libcharon/plugins/vici/vici_cred.h b/src/libcharon/plugins/vici/vici_cred.h
index 8359c0e88..6ce514786 100644
--- a/src/libcharon/plugins/vici/vici_cred.h
+++ b/src/libcharon/plugins/vici/vici_cred.h
@@ -2,6 +2,9 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
@@ -23,6 +26,8 @@
#include "vici_dispatcher.h"
+#include <credentials/credential_set.h>
+
typedef struct vici_cred_t vici_cred_t;
/**
@@ -31,6 +36,11 @@ typedef struct vici_cred_t vici_cred_t;
struct vici_cred_t {
/**
+ * Implements credential_set_t
+ */
+ credential_set_t set;
+
+ /**
* Add a certificate to the certificate store
*
* @param cert certificate to be added to store
diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c
index ed7c743c7..136651261 100644
--- a/src/libcharon/plugins/vici/vici_plugin.c
+++ b/src/libcharon/plugins/vici/vici_plugin.c
@@ -2,7 +2,7 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -130,6 +130,7 @@ static bool register_vici(private_vici_plugin_t *this,
this->cred = vici_cred_create(this->dispatcher);
this->authority = vici_authority_create(this->dispatcher,
this->cred);
+ lib->credmgr->add_set(lib->credmgr, &this->cred->set);
lib->credmgr->add_set(lib->credmgr, &this->authority->set);
this->config = vici_config_create(this->dispatcher, this->authority,
this->cred);
@@ -158,6 +159,7 @@ static bool register_vici(private_vici_plugin_t *this,
this->logger->destroy(this->logger);
this->attrs->destroy(this->attrs);
this->config->destroy(this->config);
+ lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
lib->credmgr->remove_set(lib->credmgr, &this->authority->set);
this->authority->destroy(this->authority);
this->cred->destroy(this->cred);
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 04cea004e..828b61927 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -1072,6 +1072,7 @@ CALLBACK(get_algorithms, vici_message_t*,
integrity_algorithm_t integrity;
hash_algorithm_t hash;
pseudo_random_function_t prf;
+ ext_out_function_t xof;
diffie_hellman_group_t group;
rng_quality_t quality;
const char *plugin_name;
@@ -1123,6 +1124,15 @@ CALLBACK(get_algorithms, vici_message_t*,
enumerator->destroy(enumerator);
b->end_section(b);
+ b->begin_section(b, "xof");
+ enumerator = lib->crypto->create_xof_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &xof, &plugin_name))
+ {
+ add_algorithm(b, ext_out_function_names, xof, plugin_name);
+ }
+ enumerator->destroy(enumerator);
+ b->end_section(b);
+
b->begin_section(b, "dh");
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &group, &plugin_name))