New upstream version 5.5.3

12 files changed, 152 insertions, 40 deletions

diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index cdefbff79..fd2b89849 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -454,6 +454,7 @@ docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 host = @host@
@@ -476,6 +477,7 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
 libiptc_CFLAGS = @libiptc_CFLAGS@
 libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 9bda949d0..f47f80cad 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -480,11 +480,12 @@ Load a certificate into the daemon.
 Load a private key into the daemon.
 
 	{
-		type = <private key type, RSA|ECDSA>
+		type = <private key type, rsa|ecdsa|bliss|any>
 		data = <PEM or DER encoded key data>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure>
+		id = <hex-encoded SHA-1 key identifier of the public key on success>
 	}
 
 ### unload-key() ###
diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in
index 385aa9775..0e9626aa3 100644
--- a/src/libcharon/plugins/vici/perl/Makefile.in
+++ b/src/libcharon/plugins/vici/perl/Makefile.in
@@ -272,6 +272,7 @@ docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 host = @host@
@@ -294,6 +295,7 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
 libiptc_CFLAGS = @libiptc_CFLAGS@
 libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index f783d7068..7d5383290 100644
--- a/src/libcharon/plugins/vici/python/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -294,6 +294,7 @@ docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 host = @host@
@@ -316,6 +317,7 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
 libiptc_CFLAGS = @libiptc_CFLAGS@
 libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
diff --git a/src/libcharon/plugins/vici/python/vici/protocol.py b/src/libcharon/plugins/vici/python/vici/protocol.py
index 919231d43..370229463 100644
--- a/src/libcharon/plugins/vici/python/vici/protocol.py
+++ b/src/libcharon/plugins/vici/python/vici/protocol.py
@@ -62,7 +62,7 @@ class Packet(object):
 
     @classmethod
     def _named_request(cls, request_type, request, message=None):
-        requestdata = request.encode("UTF-8")
+        request = request.encode("UTF-8")
         payload = struct.pack("!BB", request_type, len(request)) + request
         if message is not None:
             return payload + message
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index 125f44ee1..5691a74d1 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -272,6 +272,7 @@ docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
 host = @host@
@@ -294,6 +295,7 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
 libiptc_CFLAGS = @libiptc_CFLAGS@
 libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
@@ -468,8 +470,8 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-@RUBY_GEMS_INSTALL_FALSE@install-data-local:
 @RUBY_GEMS_INSTALL_FALSE@uninstall-local:
+@RUBY_GEMS_INSTALL_FALSE@install-data-local:
 clean: clean-am
 
 clean-am: clean-generic clean-libtool clean-local mostlyclean-am
diff --git a/src/libcharon/plugins/vici/suites/test_message.c b/src/libcharon/plugins/vici/suites/test_message.c
index 045e34fff..73bba239b 100644
--- a/src/libcharon/plugins/vici/suites/test_message.c
+++ b/src/libcharon/plugins/vici/suites/test_message.c
@@ -122,9 +122,14 @@ typedef struct {
 	endecode_test_t *next;
 } endecode_enum_t;
 
-static bool endecode_enumerate(endecode_enum_t *this, vici_type_t *type,
-							   char **name, chunk_t *data)
+METHOD(enumerator_t, endecode_enumerate, bool,
+	endecode_enum_t *this, va_list args)
 {
+	vici_type_t *type;
+	chunk_t *data;
+	char **name;
+
+	VA_ARGS_VGET(args, type, name, data);
 	if (this->next)
 	{
 		*type = this->next->type;
@@ -149,7 +154,8 @@ static enumerator_t *endecode_create_enumerator(endecode_test_t *test)
 
 	INIT(enumerator,
 		.public = {
-			.enumerate = (void*)endecode_enumerate,
+			.enumerate = enumerator_enumerate_default,
+			.venumerate = _endecode_enumerate,
 			.destroy = (void*)free,
 		},
 		.next = test,
diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c
index 4e1fa9708..ab765fa14 100644
--- a/src/libcharon/plugins/vici/vici_attribute.c
+++ b/src/libcharon/plugins/vici/vici_attribute.c
@@ -184,16 +184,22 @@ METHOD(attribute_provider_t, release_address, bool,
 	return found;
 }
 
-/**
- * Filter mapping attribute_t to enumerated type/value arguments
- */
-static bool attr_filter(void *data, attribute_t **attr,
-						configuration_attribute_type_t *type,
-						void *in, chunk_t *value)
+CALLBACK(attr_filter, bool,
+	void *data, enumerator_t *orig, va_list args)
 {
-	*type = (*attr)->type;
-	*value = (*attr)->value;
-	return TRUE;
+	attribute_t *attr;
+	configuration_attribute_type_t *type;
+	chunk_t *value;
+
+	VA_ARGS_VGET(args, type, value);
+
+	if (orig->enumerate(orig, &attr))
+	{
+		*type = attr->type;
+		*value = attr->value;
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
@@ -203,7 +209,7 @@ CALLBACK(create_nested, enumerator_t*,
 	pool_t *pool, void *this)
 {
 	return enumerator_create_filter(array_create_enumerator(pool->attrs),
-									(void*)attr_filter, NULL, NULL);
+									attr_filter, NULL, NULL);
 }
 
 /**
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 12497ec5e..0c355e3a0 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -141,13 +141,20 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
 									 (void*)this->lock->unlock, this->lock);
 }
 
-/**
- * Enumerator filter function for ike configs
- */
-static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
+CALLBACK(ike_filter, bool,
+	void *data, enumerator_t *orig, va_list args)
 {
-	*out = (*in)->get_ike_cfg(*in);
-	return TRUE;
+	peer_cfg_t *cfg;
+	ike_cfg_t **out;
+
+	VA_ARGS_VGET(args, out);
+
+	if (orig->enumerate(orig, &cfg))
+	{
+		*out = cfg->get_ike_cfg(cfg);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
@@ -155,7 +162,7 @@ METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
 {
 	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->conns->create_enumerator(this->conns),
-									(void*)ike_filter, this->lock,
+									ike_filter, this->lock,
 									(void*)this->lock->unlock);
 }
 
@@ -478,7 +485,6 @@ typedef struct {
 	linked_list_t *remote_ts;
 	uint32_t replay_window;
 	bool policies;
-	bool policies_fwd_out;
 	child_cfg_create_t cfg;
 } child_data_t;
 
@@ -500,12 +506,12 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, "   life_packets = %llu", cfg->lifetime.packets.life);
 	DBG2(DBG_CFG, "   rand_packets = %llu", cfg->lifetime.packets.jitter);
 	DBG2(DBG_CFG, "   updown = %s", cfg->updown);
-	DBG2(DBG_CFG, "   hostaccess = %u", cfg->hostaccess);
-	DBG2(DBG_CFG, "   ipcomp = %u", cfg->ipcomp);
+	DBG2(DBG_CFG, "   hostaccess = %u", cfg->options & OPT_HOSTACCESS);
+	DBG2(DBG_CFG, "   ipcomp = %u", cfg->options & OPT_IPCOMP);
 	DBG2(DBG_CFG, "   mode = %N%s", ipsec_mode_names, cfg->mode,
-		 cfg->proxy_mode ? "_PROXY" : "");
+		 cfg->options & OPT_PROXY_MODE ? "_PROXY" : "");
 	DBG2(DBG_CFG, "   policies = %u", data->policies);
-	DBG2(DBG_CFG, "   policies_fwd_out = %u", data->policies_fwd_out);
+	DBG2(DBG_CFG, "   policies_fwd_out = %u", cfg->options & OPT_FWD_OUT_POLICIES);
 	if (data->replay_window != REPLAY_UNDEFINED)
 	{
 		DBG2(DBG_CFG, "   replay_window = %u", data->replay_window);
@@ -525,6 +531,8 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, "   proposals = %#P", data->proposals);
 	DBG2(DBG_CFG, "   local_ts = %#R", data->local_ts);
 	DBG2(DBG_CFG, "   remote_ts = %#R", data->remote_ts);
+	DBG2(DBG_CFG, "   hw_offload = %u", cfg->options & OPT_HW_OFFLOAD);
+	DBG2(DBG_CFG, "   sha256_96 = %u", cfg->options & OPT_SHA256_96);
 }
 
 /**
@@ -827,13 +835,80 @@ CALLBACK(parse_mode, bool,
 	if (parse_map(map, countof(map), &d, v))
 	{
 		cfg->mode = d;
-		cfg->proxy_mode = (d == MODE_TRANSPORT) && (v.len > 9);
+		if ((d == MODE_TRANSPORT) && (v.len > 9))
+		{
+			cfg->options |= OPT_PROXY_MODE;
+		}
 		return TRUE;
 	}
 	return FALSE;
 }
 
 /**
+ * Enable a child_cfg_option_t
+ */
+static bool parse_option(child_cfg_option_t *out, child_cfg_option_t opt,
+						 chunk_t v)
+{
+	bool val;
+
+	if (parse_bool(&val, v))
+	{
+		if (val)
+		{
+			*out |= opt;
+		}
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Parse OPT_HOSTACCESS option
+ */
+CALLBACK(parse_opt_haccess, bool,
+	child_cfg_option_t *out, chunk_t v)
+{
+	return parse_option(out, OPT_HOSTACCESS, v);
+}
+
+/**
+ * Parse OPT_FWD_OUT_POLICIES option
+ */
+CALLBACK(parse_opt_fwd_out, bool,
+	child_cfg_option_t *out, chunk_t v)
+{
+	return parse_option(out, OPT_FWD_OUT_POLICIES, v);
+}
+
+/**
+ * Parse OPT_FWD_OUT_POLICIES option
+ */
+CALLBACK(parse_opt_ipcomp, bool,
+	child_cfg_option_t *out, chunk_t v)
+{
+	return parse_option(out, OPT_IPCOMP, v);
+}
+
+/**
+ * Parse OPT_HW_OFFLOAD option
+ */
+CALLBACK(parse_opt_hw_offl, bool,
+	child_cfg_option_t *out, chunk_t v)
+{
+	return parse_option(out, OPT_HW_OFFLOAD, v);
+}
+
+/**
+ * Parse OPT_SHA256_96 option
+ */
+CALLBACK(parse_opt_sha256_96, bool,
+	child_cfg_option_t *out, chunk_t v)
+{
+	return parse_option(out, OPT_SHA256_96, v);
+}
+
+/**
  * Parse an action_t
  */
 CALLBACK(parse_action, bool,
@@ -1336,6 +1411,7 @@ CALLBACK(parse_frag, bool,
 {
 	enum_map_t map[] = {
 		{ "yes",		FRAGMENTATION_YES		},
+		{ "accept",		FRAGMENTATION_ACCEPT	},
 		{ "no",			FRAGMENTATION_NO		},
 		{ "force",		FRAGMENTATION_FORCE		},
 	};
@@ -1465,10 +1541,10 @@ CALLBACK(child_kv, bool,
 {
 	parse_rule_t rules[] = {
 		{ "updown",				parse_string,		&child->cfg.updown					},
-		{ "hostaccess",			parse_bool,			&child->cfg.hostaccess				},
+		{ "hostaccess",			parse_opt_haccess,	&child->cfg.options					},
 		{ "mode",				parse_mode,			&child->cfg							},
 		{ "policies",			parse_bool,			&child->policies					},
-		{ "policies_fwd_out",	parse_bool,			&child->policies_fwd_out			},
+		{ "policies_fwd_out",	parse_opt_fwd_out,	&child->cfg.options					},
 		{ "replay_window",		parse_uint32,		&child->replay_window				},
 		{ "rekey_time",			parse_time,			&child->cfg.lifetime.time.rekey		},
 		{ "life_time",			parse_time,			&child->cfg.lifetime.time.life		},
@@ -1482,7 +1558,7 @@ CALLBACK(child_kv, bool,
 		{ "dpd_action",			parse_action,		&child->cfg.dpd_action				},
 		{ "start_action",		parse_action,		&child->cfg.start_action			},
 		{ "close_action",		parse_action,		&child->cfg.close_action			},
-		{ "ipcomp",				parse_bool,			&child->cfg.ipcomp					},
+		{ "ipcomp",				parse_opt_ipcomp,	&child->cfg.options					},
 		{ "inactivity",			parse_time,			&child->cfg.inactivity				},
 		{ "reqid",				parse_uint32,		&child->cfg.reqid					},
 		{ "mark_in",			parse_mark,			&child->cfg.mark_in					},
@@ -1490,6 +1566,8 @@ CALLBACK(child_kv, bool,
 		{ "tfc_padding",		parse_tfc,			&child->cfg.tfc						},
 		{ "priority",			parse_uint32,		&child->cfg.priority				},
 		{ "interface",			parse_string,		&child->cfg.interface				},
+		{ "hw_offload",			parse_opt_hw_offl,	&child->cfg.options					},
+		{ "sha256_96",			parse_opt_sha256_96,&child->cfg.options					},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
@@ -1755,8 +1833,7 @@ CALLBACK(children_sn, bool,
 			child.proposals->insert_last(child.proposals, proposal);
 		}
 	}
-	child.cfg.suppress_policies = !child.policies;
-	child.cfg.fwd_out_policies = child.policies_fwd_out;
+	child.cfg.options |= child.policies ? 0 : OPT_NO_POLICIES;
 
 	check_lifetimes(&child.cfg.lifetime);
 
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 6c7c194c2..5d8bf2f05 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2015-2016 Andreas Steffen
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2017 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2014 Martin Willi
@@ -206,9 +206,10 @@ CALLBACK(load_cert, vici_message_t*,
 CALLBACK(load_key, vici_message_t*,
 	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
+	vici_builder_t *builder;
 	key_type_t type;
 	private_key_t *key;
-	chunk_t data;
+	chunk_t data, fp;
 	char *str;
 
 	str = message->get_str(message, NULL, "type");
@@ -248,12 +249,19 @@ CALLBACK(load_key, vici_message_t*,
 		return create_reply("parsing %N private key failed",
 							key_type_names, type);
 	}
+	if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp))
+	{
+		return create_reply("failed to get key id");
+	}
 
 	DBG1(DBG_CFG, "loaded %N private key", key_type_names, type);
 
+	builder = vici_builder_create();
+	builder->add_kv(builder, "success", "yes");
+	builder->add_kv(builder, "id", "%+B", &fp);
 	this->creds->add_key(this->creds, key);
 
-	return create_reply(NULL);
+	return builder->finalize(builder);
 }
 
 CALLBACK(unload_key, vici_message_t*,
diff --git a/src/libcharon/plugins/vici/vici_message.c b/src/libcharon/plugins/vici/vici_message.c
index 58b896773..91d344994 100644
--- a/src/libcharon/plugins/vici/vici_message.c
+++ b/src/libcharon/plugins/vici/vici_message.c
@@ -135,11 +135,16 @@ typedef struct {
 } parse_enumerator_t;
 
 METHOD(enumerator_t, parse_enumerate, bool,
-	parse_enumerator_t *this, vici_type_t *out, char **name, chunk_t *value)
+	parse_enumerator_t *this, va_list args)
 {
+	vici_type_t *out;
+	chunk_t *value;
+	char **name;
 	uint8_t type;
 	chunk_t data;
 
+	VA_ARGS_VGET(args, out, name, value);
+
 	if (!this->reader->remaining(this->reader) ||
 		!this->reader->read_uint8(this->reader, &type))
 	{
@@ -218,7 +223,8 @@ METHOD(vici_message_t, create_enumerator, enumerator_t*,
 
 	INIT(enumerator,
 		.public = {
-			.enumerate = (void*)_parse_enumerate,
+			.enumerate = enumerator_enumerate_default,
+			.venumerate = _parse_enumerate,
 			.destroy = _parse_destroy,
 		},
 		.reader = bio_reader_create(this->encoding),
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index c0f4e2de9..2cc59591f 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -107,7 +107,7 @@ static void list_mode(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
 			cfg = child->get_config(child);
 		}
 		mode = child ? child->get_mode(child) : cfg->get_mode(cfg);
-		if (mode == MODE_TRANSPORT && cfg->use_proxy_mode(cfg))
+		if (mode == MODE_TRANSPORT && cfg->has_option(cfg, OPT_PROXY_MODE))
 		{	/* only report this if the negotiated mode is actually TRANSPORT */
 			sub_mode = "_PROXY";
 		}