New upstream version 5.6.1

8 files changed, 152 insertions, 69 deletions

diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 19ea72d0b..65baf8771 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -61,10 +61,9 @@ struct private_pubkey_authenticator_t {
  * Parse authentication data used for Signature Authentication as per RFC 7427
  */
 static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
-									  signature_scheme_t *scheme)
+									  signature_params_t *params)
 {
 	uint8_t len;
-	int oid;
 
 	if (!auth_data->len)
 	{
@@ -72,14 +71,11 @@ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
 	}
 	len = auth_data->ptr[0];
 	*auth_data = chunk_skip(*auth_data, 1);
-	/* we currently don't support schemes that require parameters */
-	oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL);
-	*scheme = signature_scheme_from_oid(oid);
-	if (*scheme == SIGN_UNKNOWN)
+	if (!signature_params_parse(*auth_data, 1, params))
 	{
 		return FALSE;
 	}
-	*key_type = key_type_from_signature_scheme(*scheme);
+	*key_type = key_type_from_signature_scheme(params->scheme);
 	*auth_data = chunk_skip(*auth_data, len);
 	return TRUE;
 }
@@ -88,18 +84,16 @@ static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
  * Build authentication data used for Signature Authentication as per RFC 7427
  */
 static bool build_signature_auth_data(chunk_t *auth_data,
-									  signature_scheme_t scheme)
+									  signature_params_t *params)
 {
 	chunk_t data;
 	uint8_t len;
-	int oid;
 
-	oid = signature_scheme_to_oid(scheme);
-	if (oid == OID_UNKNOWN)
+	if (!signature_params_build(params, &data))
 	{
+		chunk_free(auth_data);
 		return FALSE;
 	}
-	data = asn1_algorithmIdentifier(oid);
 	len = data.len;
 	*auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
 	return TRUE;
@@ -114,13 +108,13 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 {
 	enumerator_t *enumerator;
 	signature_scheme_t scheme;
-	uintptr_t config;
+	signature_params_t *config;
 	auth_rule_t rule;
 	key_type_t key_type;
 	bool have_config = FALSE;
 	array_t *selected;
 
-	selected = array_create(sizeof(signature_scheme_t), 0);
+	selected = array_create(0, 0);
 	key_type = private->get_type(private);
 	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &rule, &config))
@@ -130,12 +124,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 			continue;
 		}
 		have_config = TRUE;
-		if (key_type == key_type_from_signature_scheme(config) &&
+		if (key_type == key_type_from_signature_scheme(config->scheme) &&
 			keymat->hash_algorithm_supported(keymat,
-										hasher_from_signature_scheme(config)))
+								hasher_from_signature_scheme(config->scheme,
+															 config->params)))
 		{
-			scheme = config;
-			array_insert(selected, ARRAY_TAIL, &scheme);
+			array_insert(selected, ARRAY_TAIL, signature_params_clone(config));
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -146,24 +140,30 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 		 * and supported by the other peer */
 		enumerator = signature_schemes_for_key(key_type,
 											   private->get_keysize(private));
-		while (enumerator->enumerate(enumerator, &scheme))
+		while (enumerator->enumerate(enumerator, &config))
 		{
+			if (config->scheme == SIGN_RSA_EMSA_PSS &&
+				!lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
+										 lib->ns))
+			{
+				continue;
+			}
 			if (keymat->hash_algorithm_supported(keymat,
-										hasher_from_signature_scheme(scheme)))
+								hasher_from_signature_scheme(config->scheme,
+															 config->params)))
 			{
-				array_insert(selected, ARRAY_TAIL, &scheme);
+				array_insert(selected, ARRAY_TAIL,
+							 signature_params_clone(config));
 			}
 		}
 		enumerator->destroy(enumerator);
 
-		/* for RSA we tried at least SHA-512, also try other schemes down to
-		 * what we'd use with classic authentication */
+		/* for RSA we tried at least SHA-512, also try other schemes */
 		if (key_type == KEY_RSA)
 		{
 			signature_scheme_t schemes[] = {
 				SIGN_RSA_EMSA_PKCS1_SHA2_384,
 				SIGN_RSA_EMSA_PKCS1_SHA2_256,
-				SIGN_RSA_EMSA_PKCS1_SHA1,
 			}, contained;
 			bool found;
 			int i, j;
@@ -182,9 +182,13 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 					}
 				}
 				if (!found && keymat->hash_algorithm_supported(keymat,
-										hasher_from_signature_scheme(scheme)))
+										hasher_from_signature_scheme(scheme,
+																	 NULL)))
 				{
-					array_insert(selected, ARRAY_TAIL, &scheme);
+					INIT(config,
+						.scheme = scheme,
+					)
+					array_insert(selected, ARRAY_TAIL, config);
 				}
 			}
 		}
@@ -192,6 +196,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 	return selected;
 }
 
+CALLBACK(destroy_scheme, void,
+	signature_params_t *params, int idx, void *user)
+{
+	signature_params_destroy(params);
+}
+
 /**
  * Create a signature using RFC 7427 signature authentication
  */
@@ -201,7 +211,7 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 {
 	enumerator_t *enumerator;
 	keymat_v2_t *keymat;
-	signature_scheme_t scheme = SIGN_UNKNOWN, *schemep;
+	signature_params_t *params = NULL;
 	array_t *schemes;
 	chunk_t octets = chunk_empty;
 	status_t status = FAILED;
@@ -221,11 +231,11 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 								schemes))
 	{
 		enumerator = array_create_enumerator(schemes);
-		while (enumerator->enumerate(enumerator, &schemep))
+		while (enumerator->enumerate(enumerator, &params))
 		{
-			scheme = *schemep;
-			if (private->sign(private, scheme, octets, auth_data) &&
-				build_signature_auth_data(auth_data, scheme))
+			if (private->sign(private, params->scheme, params->params, octets,
+							  auth_data) &&
+				build_signature_auth_data(auth_data, params))
 			{
 				status = SUCCESS;
 				break;
@@ -233,16 +243,34 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 			else
 			{
 				DBG2(DBG_IKE, "unable to create %N signature for %N key",
-					 signature_scheme_names, scheme, key_type_names,
+					 signature_scheme_names, params->scheme, key_type_names,
 					 private->get_type(private));
 			}
 		}
 		enumerator->destroy(enumerator);
 	}
-	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
-		 signature_scheme_names, scheme,
-		 status == SUCCESS ? "successful" : "failed");
-	array_destroy(schemes);
+	if (params)
+	{
+		if (params->scheme == SIGN_RSA_EMSA_PSS)
+		{
+			rsa_pss_params_t *pss = params->params;
+			DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N %s", id,
+				 signature_scheme_names, params->scheme,
+				 hash_algorithm_short_names_upper, pss->hash,
+				 status == SUCCESS ? "successful" : "failed");
+		}
+		else
+		{
+			DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
+				 signature_scheme_names, params->scheme,
+				 status == SUCCESS ? "successful" : "failed");
+		}
+	}
+	else
+	{
+		DBG1(DBG_IKE, "authentication of '%Y' (myself) failed", id);
+	}
+	array_destroy_function(schemes, destroy_scheme, NULL);
 	chunk_free(&octets);
 	return status;
 }
@@ -253,23 +281,27 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
  */
 static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this,
 								   bool verify, identification_t *id,
-								   chunk_t *octets, signature_scheme_t *scheme)
+								   chunk_t *octets, signature_params_t **scheme)
 {
 	keymat_v2_t *keymat;
 	array_t *schemes;
 	bool success = FALSE;
 
-	schemes = array_create(sizeof(signature_scheme_t), 0);
-	array_insert(schemes, ARRAY_TAIL, scheme);
+	schemes = array_create(0, 0);
+	array_insert(schemes, ARRAY_TAIL, *scheme);
 
 	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce,
 								id, this->reserved, octets, schemes) &&
-		array_get(schemes, 0, &scheme))
+		array_remove(schemes, 0, scheme))
 	{
 		success = TRUE;
 	}
-	array_destroy(schemes);
+	else
+	{
+		*scheme = NULL;
+	}
+	array_destroy_function(schemes, destroy_scheme, NULL);
 	return success;
 }
 
@@ -282,6 +314,7 @@ static status_t sign_classic(private_pubkey_authenticator_t *this,
 							 chunk_t *auth_data)
 {
 	signature_scheme_t scheme;
+	signature_params_t *params;
 	chunk_t octets = chunk_empty;
 	status_t status = FAILED;
 
@@ -319,11 +352,18 @@ static status_t sign_classic(private_pubkey_authenticator_t *this,
 			return FAILED;
 	}
 
-	if (get_auth_octets_scheme(this, FALSE, id, &octets, &scheme) &&
-		private->sign(private, scheme, octets, auth_data))
+	INIT(params,
+		.scheme = scheme,
+	);
+	if (get_auth_octets_scheme(this, FALSE, id, &octets, &params) &&
+		private->sign(private, params->scheme, NULL, octets, auth_data))
 	{
 		status = SUCCESS;
 	}
+	if (params)
+	{
+		signature_params_destroy(params);
+	}
 	DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
 		 auth_method_names, *auth_method,
 		 status == SUCCESS ? "successful" : "failed");
@@ -385,7 +425,7 @@ METHOD(authenticator_t, process, status_t,
 	auth_cfg_t *auth, *current_auth;
 	enumerator_t *enumerator;
 	key_type_t key_type = KEY_ECDSA;
-	signature_scheme_t scheme;
+	signature_params_t *params;
 	status_t status = NOT_FOUND;
 	const char *reason = "unsupported";
 	bool online;
@@ -395,25 +435,26 @@ METHOD(authenticator_t, process, status_t,
 	{
 		return FAILED;
 	}
+	INIT(params);
 	auth_method = auth_payload->get_auth_method(auth_payload);
 	auth_data = auth_payload->get_data(auth_payload);
 	switch (auth_method)
 	{
 		case AUTH_RSA:
 			key_type = KEY_RSA;
-			scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+			params->scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
 			break;
 		case AUTH_ECDSA_256:
-			scheme = SIGN_ECDSA_256;
+			params->scheme = SIGN_ECDSA_256;
 			break;
 		case AUTH_ECDSA_384:
-			scheme = SIGN_ECDSA_384;
+			params->scheme = SIGN_ECDSA_384;
 			break;
 		case AUTH_ECDSA_521:
-			scheme = SIGN_ECDSA_521;
+			params->scheme = SIGN_ECDSA_521;
 			break;
 		case AUTH_DS:
-			if (parse_signature_auth_data(&auth_data, &key_type, &scheme))
+			if (parse_signature_auth_data(&auth_data, &key_type, params))
 			{
 				break;
 			}
@@ -422,10 +463,11 @@ METHOD(authenticator_t, process, status_t,
 		default:
 			DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
 				 auth_method, reason);
+			signature_params_destroy(params);
 			return INVALID_ARG;
 	}
 	id = this->ike_sa->get_other_id(this->ike_sa);
-	if (!get_auth_octets_scheme(this, TRUE, id, &octets, &scheme))
+	if (!get_auth_octets_scheme(this, TRUE, id, &octets, &params))
 	{
 		return FAILED;
 	}
@@ -436,15 +478,31 @@ METHOD(authenticator_t, process, status_t,
 													key_type, id, auth, online);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
-		if (public->verify(public, scheme, octets, auth_data))
+		if (public->verify(public, params->scheme, params->params, octets,
+						   auth_data))
 		{
-			DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
-				 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
-				 auth_method == AUTH_DS ? scheme : auth_method);
+			if (auth_method != AUTH_DS)
+			{
+				DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
+					 auth_method_names, auth_method);
+			}
+			else if (params->scheme == SIGN_RSA_EMSA_PSS)
+			{
+				rsa_pss_params_t *pss = params->params;
+				DBG1(DBG_IKE, "authentication of '%Y' with %N_%N successful",
+					 id, signature_scheme_names, params->scheme,
+					 hash_algorithm_short_names_upper, pss->hash);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
+					 signature_scheme_names, params->scheme);
+			}
 			status = SUCCESS;
 			auth->merge(auth, current_auth, FALSE);
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-			auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+			auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+					  signature_params_clone(params));
 			if (!online)
 			{
 				auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
@@ -459,6 +517,7 @@ METHOD(authenticator_t, process, status_t,
 	}
 	enumerator->destroy(enumerator);
 	chunk_free(&octets);
+	signature_params_destroy(params);
 	if (status == NOT_FOUND)
 	{
 		DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h
index 36bf149fe..084ed40f0 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.h
+++ b/src/libcharon/sa/ikev2/keymat_v2.h
@@ -101,8 +101,9 @@ struct keymat_v2_t {
 	 * @param id			identity
 	 * @param reserved		reserved bytes of id_payload
 	 * @param octests		chunk receiving allocated auth octets
-	 * @param schemes		array containing signature schemes in case they
-	 * 						need to be modified by the keymat implementation
+	 * @param schemes		array containing signature schemes
+	 * 						(signature_params_t*) in case they need to be
+	 *						modified by the keymat implementation
 	 * @return				TRUE if octets created successfully
 	 */
 	bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index c2ddbc588..361eb0fe1 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -131,7 +131,7 @@ struct private_task_manager_t {
 	array_t *queued_tasks;
 
 	/**
-	 * Array of active tasks, initiated by ourselve
+	 * Array of active tasks, initiated by ourselves
 	 */
 	array_t *active_tasks;
 
@@ -1780,9 +1780,11 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
 	child_cfg_t *cfg;
+	peer_cfg_t *peer;
 	ike_sa_t *new;
 	host_t *host;
 	queued_task_t *queued;
+	bool children = FALSE;
 
 	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
 								this->ike_sa->get_version(this->ike_sa), TRUE);
@@ -1791,7 +1793,8 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 		return;
 	}
 
-	new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
+	peer = this->ike_sa->get_peer_cfg(this->ike_sa);
+	new->set_peer_cfg(new, peer);
 	host = this->ike_sa->get_other_host(this->ike_sa);
 	new->set_other_host(new, host->clone(host));
 	host = this->ike_sa->get_my_host(this->ike_sa);
@@ -1809,6 +1812,7 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 		cfg = child_sa->get_config(child_sa);
 		new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
 												  FALSE, NULL, NULL)->task);
+		children = TRUE;
 	}
 	enumerator->destroy(enumerator);
 
@@ -1821,10 +1825,24 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 			new->queue_task(new, queued->task);
 			array_remove_at(this->queued_tasks, enumerator);
 			free(queued);
+			children = TRUE;
 		}
 	}
 	enumerator->destroy(enumerator);
 
+	if (!children
+#ifdef ME
+		/* allow reauth of mediation connections without CHILD_SAs */
+		&& !peer->is_mediation(peer)
+#endif /* ME */
+		)
+	{
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
+		DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
+			 "to recreate");
+		return;
+	}
+
 	/* suspend online revocation checking until the SA is established */
 	new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
 
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index cac3bc0a2..4d4d72e0b 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -1377,7 +1377,6 @@ METHOD(task_t, build_r, status_t,
 			uint16_t group = htons(this->dh_group);
 			message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
 								chunk_from_thing(group));
-			handle_child_sa_failure(this, message);
 			return SUCCESS;
 		}
 		case FAILED:
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 2217295b6..164f8fc03 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -349,7 +349,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
 									child_sa->get_unique_id(child_sa)), delay);
 				continue;
 			}
-			else if (expire)
+			else if (now < expire)
 			{	/* let it expire naturally */
 				continue;
 			}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 53daaf2ad..aeaa701c9 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -471,7 +471,6 @@ METHOD(task_t, build_i, status_t,
 
 		if (idr && !idr->contains_wildcards(idr) &&
 			message->get_message_id(message) == 1 &&
-			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
 			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
 		{
 			host_t *host;
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 58b710616..d75d21715 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -158,7 +158,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 	peer_cfg_t *peer;
 	auth_cfg_t *auth;
 	auth_rule_t rule;
-	uintptr_t config;
+	signature_params_t *config;
 	int written;
 	size_t len = BUF_LEN;
 	char buf[len];
@@ -177,7 +177,8 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 			{
 				if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME)
 				{
-					hash = hasher_from_signature_scheme(config);
+					hash = hasher_from_signature_scheme(config->scheme,
+														config->params);
 					if (hasher_algorithm_for_ikev2(hash))
 					{
 						algos->add(algos, hash);
@@ -502,7 +503,11 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 			this->dh = this->keymat->keymat.create_dh(
 								&this->keymat->keymat, this->dh_group);
 		}
-		if (this->dh)
+		else if (this->dh)
+		{
+			this->dh_failed = this->dh->get_dh_group(this->dh) != this->dh_group;
+		}
+		if (this->dh && !this->dh_failed)
 		{
 			this->dh_failed = !this->dh->set_other_public_value(this->dh,
 								ke_payload->get_key_exchange_data(ke_payload));
@@ -811,7 +816,7 @@ METHOD(task_t, process_i, status_t,
 
 					if (this->old_sa == NULL)
 					{	/* reset the IKE_SA if we are not rekeying */
-						this->ike_sa->reset(this->ike_sa);
+						this->ike_sa->reset(this->ike_sa, FALSE);
 					}
 
 					enumerator->destroy(enumerator);
@@ -829,7 +834,7 @@ METHOD(task_t, process_i, status_t,
 				{
 					chunk_free(&this->cookie);
 					this->cookie = chunk_clone(notify->get_notification_data(notify));
-					this->ike_sa->reset(this->ike_sa);
+					this->ike_sa->reset(this->ike_sa, FALSE);
 					enumerator->destroy(enumerator);
 					DBG2(DBG_IKE, "received %N notify", notify_type_names, type);
 					this->retry++;
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index e85b276e8..f72fbc437 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -97,6 +97,8 @@ static vid_data_t vids[] = {
 	  "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
 	{ "Cisco Delete Reason", 0, NULL, 0,
 	  "CISCO-DELETE-REASON" },
+	{ "Cisco FlexVPN Supported", 0, NULL, 0,
+	  "FLEXVPN-SUPPORTED" },
 	{ "Cisco Copyright (c) 2009", 0, NULL, 0,
 	  "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
 	{ "FRAGMENTATION", 0, NULL, 16,