author | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:03:59 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:03:59 +0200 |
commit | 83b8aebb19fe6e49e13a05d4e8f5ab9a06177642 (patch) | |
tree | 51255545ba43b84aa5d673bd0eb557cbd0155c9e /src/libipsec | |
parent | 2b8de74ff4c334c25e89988c4a401b24b5bcf03d (diff) | |
download | vyos-strongswan-83b8aebb19fe6e49e13a05d4e8f5ab9a06177642.tar.gz vyos-strongswan-83b8aebb19fe6e49e13a05d4e8f5ab9a06177642.zip |
Imported Upstream version 5.3.0
Diffstat (limited to 'src/libipsec')
-rw-r--r-- | src/libipsec/Makefile.in | 5 | ||||
-rw-r--r-- | src/libipsec/ip_packet.c | 2 | ||||
-rw-r--r-- | src/libipsec/ipsec_event_listener.h | 6 | ||||
-rw-r--r-- | src/libipsec/ipsec_event_relay.c | 34 | ||||
-rw-r--r-- | src/libipsec/ipsec_event_relay.h | 6 | ||||
-rw-r--r-- | src/libipsec/ipsec_sa.c | 11 | ||||
-rw-r--r-- | src/libipsec/ipsec_sa.h | 6 | ||||
-rw-r--r-- | src/libipsec/ipsec_sa_mgr.c | 14 | ||||
-rw-r--r-- | src/libipsec/ipsec_sa_mgr.h | 9 |
9 files changed, 49 insertions, 44 deletions
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 3663cf825..a80d28ac6 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -266,6 +266,7 @@ DLLIB = @DLLIB@
 DLLTOOL = @DLLTOOL@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
@@ -326,10 +327,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
@@ -403,6 +406,8 @@ json_CFLAGS = @json_CFLAGS@
 json_LIBS = @json_LIBS@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 0998efa9d..21dbd5e89 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -443,7 +443,7 @@ ip_packet_t *ip_packet_create_from_data(host_t *src, host_t *dst,
 {
 struct ip6_hdr ip = {
 .ip6_flow = htonl(6),
- .ip6_plen = htons(40 + data.len),
+ .ip6_plen = htons(data.len),
 .ip6_nxt = next_header,
 .ip6_hlim = 0x80,
 };
diff --git a/src/libipsec/ipsec_event_listener.h b/src/libipsec/ipsec_event_listener.h
index c5c39b0f1..f15f6fe52 100644
--- a/src/libipsec/ipsec_event_listener.h
+++ b/src/libipsec/ipsec_event_listener.h
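Review bot: `.ip6_plen = htons(data.len)` on the new side of the ip_packet.c hunk still truncates silently when data.len does not fit in 16 bits; if data.len is a size_t, a payload above 65535 bytes produces a length field that disagrees with the buffer that follows the header. A guard before the header is built, taking whatever failure path the rest of the function already uses, closes that: `if (data.len > UINT16_MAX) { /* payload does not fit an IPv6 payload length field; reject */ }`. The body of ip_packet_create_from_data continues outside the hunk, so the existing error path is not visible here.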
@@ -35,14 +35,12 @@ struct ipsec_event_listener_t {
 /**
 * Called when the lifetime of an IPsec SA expired
 *
- * @param reqid reqid of the expired SA
 * @param protocol protocol of the expired SA
 * @param spi spi of the expired SA
+ * @param dst destination address of expired SA
 * @param hard TRUE if this is a hard expire, FALSE otherwise
 */
- void (*expire)(u_int32_t reqid, u_int8_t protocol, u_int32_t spi,
- bool hard);
-
+ void (*expire)(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard);
 };
 #endif /** IPSEC_EVENT_LISTENER_H_ @}*/
diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
index c6b2a550d..048063053 100644
--- a/src/libipsec/ipsec_event_relay.c
+++ b/src/libipsec/ipsec_event_relay.c
@@ -65,9 +65,9 @@ typedef struct {
 } type;
 /**
- * Reqid of the SA, if any
+ * Protocol of the SA
 */
- u_int32_t reqid;
+ u_int8_t protocol;
 /**
 * SPI of the SA, if any
@@ -75,13 +75,16 @@ typedef struct {
 u_int32_t spi;
 /**
+ * SA destination address
+ */
+ host_t *dst;
+
+ /**
 * Additional data for specific event types
 */
 union {
 struct {
- /** Protocol of the SA */
- u_int8_t protocol;
 /** TRUE in case of a hard expire */
 bool hard;
 } expire;
@@ -91,6 +94,15 @@ typedef struct {
 } ipsec_event_t;
 /**
+ * Destroy IPsec event data
+ */
+static void ipsec_event_destroy(ipsec_event_t *event)
+{
+ event->dst->destroy(event->dst);
+ free(event);
+}
+
+/**
 * Dequeue events and relay them to listeners
 */
 static job_requeue_t handle_events(private_ipsec_event_relay_t *this)
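Review bot: ipsec_event_destroy() in the @@ -91 hunk dereferences event->dst unconditionally, and handle_events() in the next hunk calls it for every dequeued event, so any event type queued without a .dst would crash at free time; only the expire path is visible setting it via dst->clone(). Unless every event constructor in this file is known to set .dst, `if (event->dst) { event->dst->destroy(event->dst); }` (or strongSwan's DESTROY_IF) is the safer form. The struct comment `SA destination address` in the @@ -75 hunk could also say it is a clone owned by the event, e.g. `SA destination address (cloned, owned by the event)`, since the struct now carries a heap object rather than plain integers.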
@@ -110,31 +122,31 @@ static job_requeue_t handle_events(private_ipsec_event_relay_t *this)
 case IPSEC_EVENT_EXPIRE:
 if (current->expire)
 {
- current->expire(event->reqid, event->data.expire.protocol,
- event->spi, event->data.expire.hard);
+ current->expire(event->protocol, event->spi, event->dst,
+ event->data.expire.hard);
 }
 break;
 }
 }
 enumerator->destroy(enumerator);
 this->lock->unlock(this->lock);
- free(event);
+ ipsec_event_destroy(event);
 return JOB_REQUEUE_DIRECT;
 }
 METHOD(ipsec_event_relay_t, expire, void,
- private_ipsec_event_relay_t *this, u_int32_t reqid, u_int8_t protocol,
- u_int32_t spi, bool hard)
+ private_ipsec_event_relay_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard)
 {
 ipsec_event_t *event;
 INIT(event,
 .type = IPSEC_EVENT_EXPIRE,
- .reqid = reqid,
+ .protocol = protocol,
 .spi = spi,
+ .dst = dst->clone(dst),
 .data = {
 .expire = {
- .protocol = protocol,
 .hard = hard,
 },
 },
diff --git a/src/libipsec/ipsec_event_relay.h b/src/libipsec/ipsec_event_relay.h
index c6935d546..1dddf121b 100644
--- a/src/libipsec/ipsec_event_relay.h
+++ b/src/libipsec/ipsec_event_relay.h
@@ -38,13 +38,13 @@ struct ipsec_event_relay_t {
 /**
 * Raise an expire event.
 *
- * @param reqid reqid of the expired IPsec SA
 * @param protocol protocol (e.g ESP) of the expired SA
 * @param spi SPI of the expired SA
+ * @param dst destination address of expired SA
 * @param hard TRUE for a hard expire, FALSE otherwise
 */
- void (*expire)(ipsec_event_relay_t *this, u_int32_t reqid,
- u_int8_t protocol, u_int32_t spi, bool hard);
+ void (*expire)(ipsec_event_relay_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard);
 /**
 * Register a listener to events raised by this manager
diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c
index 6ec8bd25e..ccbbb1b3c 100644
--- a/src/libipsec/ipsec_sa.c
+++ b/src/libipsec/ipsec_sa.c
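Review bot: In handle_events() the listener's expire() callback receives event->dst, and ipsec_event_destroy(event) frees that host right after the listener loop and the unlock, so a listener that keeps the pointer beyond the callback is left with a dangling reference; the new `@param dst` lines in ipsec_event_relay.h (this hunk) and ipsec_event_listener.h (earlier hunk) do not state this. Suggest `@param dst destination address of expired SA (cloned by the relay, caller keeps ownership)` for the relay interface and `@param dst destination address of expired SA (valid only during the callback, clone to retain)` for the listener. The relay's expire() also calls dst->clone(dst) without a NULL check, so the ipsec_sa.c callers in the following hunks must always pass a set dst; if that is the intended contract it belongs in the same doc line.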
@@ -194,8 +194,8 @@ METHOD(ipsec_sa_t, expire, void,
 if (!this->hard_expired)
 {
 this->hard_expired = TRUE;
- ipsec->events->expire(ipsec->events, this->reqid, this->protocol,
- this->spi, TRUE);
+ ipsec->events->expire(ipsec->events, this->protocol, this->spi,
+ this->dst, TRUE);
 }
 }
 else
@@ -203,8 +203,8 @@ METHOD(ipsec_sa_t, expire, void,
 if (!this->hard_expired && !this->soft_expired)
 {
 this->soft_expired = TRUE;
- ipsec->events->expire(ipsec->events, this->reqid, this->protocol,
- this->spi, FALSE);
+ ipsec->events->expire(ipsec->events, this->protocol, this->spi,
+ this->dst, FALSE);
 }
 }
 }
@@ -275,8 +275,7 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
- u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound)
 {
 private_ipsec_sa_t *this;
diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h
index 5e69f18cf..8dad29ac5 100644
--- a/src/libipsec/ipsec_sa.h
+++ b/src/libipsec/ipsec_sa.h
@@ -197,8 +197,6 @@ struct ipsec_sa_t {
 * @param encap enable UDP encapsulation (must be TRUE)
 * @param esn Extended Sequence Numbers (currently not supported)
 * @param inbound TRUE if this is an inbound SA, FALSE otherwise
- * @param src_ts source traffic selector
- * @param dst_ts destination traffic selector
 * @return the IPsec SA, or NULL if the creation failed
 */
 ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst, 
@@ -207,8 +205,6 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
 u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts);
+ bool encap, bool esn, bool inbound);
 #endif /** IPSEC_SA_H_ @}*/
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index 1db1776c0..07ffa9e4f 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -396,12 +396,10 @@ static bool allocate_spi(private_ipsec_sa_mgr_t *this, u_int32_t spi)
 METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int8_t protocol,
- u_int32_t reqid, u_int32_t *spi)
+ u_int32_t *spi)
 {
 u_int32_t spi_new;
- DBG2(DBG_ESP, "allocating SPI for reqid {%u}", reqid);
-
 this->mutex->lock(this->mutex);
 if (!this->rng)
 {
@@ -420,7 +418,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 (u_int8_t*)&spi_new))
 {
 this->mutex->unlock(this->mutex);
- DBG1(DBG_ESP, "failed to allocate SPI for reqid {%u}", reqid);
+ DBG1(DBG_ESP, "failed to allocate SPI");
 return FAILED;
 }
 /* make sure the SPI is valid (not in range 0-255) */
@@ -432,7 +430,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 *spi = spi_new;
- DBG2(DBG_ESP, "allocated SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+ DBG2(DBG_ESP, "allocated SPI %.8x", ntohl(*spi));
 return SUCCESS;
 }
@@ -442,7 +440,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ bool update)
 {
 ipsec_sa_entry_t *entry;
 ipsec_sa_t *sa_new; 
@@ -456,7 +454,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
- ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
+ ipcomp, cpi, encap, esn, inbound);
 if (!sa_new)
 {
 DBG1(DBG_ESP, "failed to create SAD entry");
@@ -465,7 +463,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
 this->mutex->lock(this->mutex);
- if (inbound)
+ if (update)
 {
 /* remove any pre-allocated SPIs */
 u_int32_t *spi_alloc;
diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h
index 8c234cefa..a57eab4e7 100644
--- a/src/libipsec/ipsec_sa_mgr.h
+++ b/src/libipsec/ipsec_sa_mgr.h
@@ -45,12 +45,11 @@ struct ipsec_sa_mgr_t {
 * @param src source address of the SA
 * @param dst destination address of the SA
 * @param protocol protocol of the SA (only ESP supported)
- * @param reqid reqid for the SA
 * @param spi the allocated SPI
 * @return SUCCESS of operation successful
 */
 status_t (*get_spi)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+ u_int8_t protocol, u_int32_t *spi);
 /**
 * Add a new SA
@@ -74,8 +73,7 @@ struct ipsec_sa_mgr_t {
 * @param encap enable UDP encapsulation (must be TRUE)
 * @param esn Extended Sequence Numbers (currently not supported)
 * @param inbound TRUE if this is an inbound SA, FALSE otherwise
- * @param src_ts source traffic selector
- * @param dst_ts destination traffic selector
+ * @param update TRUE if an SPI has already been allocated for SA
 * @return SUCCESS if operation completed
 */
 status_t (*add_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst, 
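Review bot: `if (update)` in the @@ -465 hunk now decides whether a pre-allocated SPI entry is removed, where `if (inbound)` did before, and the matching header text in the ipsec_sa_mgr.h hunk only says `TRUE if an SPI has already been allocated for SA`. If a caller installs an SA with an SPI it obtained from get_spi() but passes update = FALSE, the allocated-SPI entry appears to stay behind (the removal code continues outside the hunk, so this is inferred from the visible condition). The comment should make that coupling explicit, e.g. `@param update TRUE if the SPI was obtained from get_spi() and must be released from the allocated-SPI list`. Whether a stale entry also affects later get_spi() results cannot be told from this hunk.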
@@ -84,8 +82,7 @@ struct ipsec_sa_mgr_t {
 u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool initiator, bool encap, bool esn,
- bool inbound, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts);
+ bool inbound, bool update);
 /**
 * Update the hosts on an installed SA. |