[svn-upgrade] new version strongswan (4.5.0)

13 files changed, 349 insertions, 272 deletions

diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 09131c4be..00c49c487 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index 5dbdde32c..599481911 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -40,15 +40,43 @@ struct private_gcrypt_crypter_t {
 	 * gcrypt algorithm identifier
 	 */
 	int alg;
+
+	/**
+	 * are we using counter mode?
+	 */
+	bool ctr_mode;
+
+	/**
+	 * counter state
+	 */
+	struct {
+		char nonce[4];
+		char iv[8];
+		u_int32_t counter;
+	} __attribute__((packed)) ctr;
 };
 
 /**
- * Implementation of crypter_t.decrypt.
+ * Set the IV for en/decryption
  */
-static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst)
+static void set_iv(private_gcrypt_crypter_t *this, chunk_t iv)
+{
+	if (this->ctr_mode)
+	{
+		memcpy(this->ctr.iv, iv.ptr, sizeof(this->ctr.iv));
+		this->ctr.counter = htonl(1);
+		gcry_cipher_setctr(this->h, &this->ctr, sizeof(this->ctr));
+	}
+	else
+	{
+		gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	}
+}
+
+METHOD(crypter_t, decrypt, void,
+	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	set_iv(this, iv);
 
 	if (dst)
 	{
@@ -61,13 +89,10 @@ static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
 	}
 }
 
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	set_iv(this, iv);
 
 	if (dst)
 	{
@@ -80,40 +105,60 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
 	}
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_gcrypt_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
 
+	if (this->ctr_mode)
+	{	/* counter mode does not need any padding */
+		return 1;
+	}
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
 	return len;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_gcrypt_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_gcrypt_crypter_t *this)
+{
+	size_t len = 0;
+
+	if (this->ctr_mode)
+	{
+		return sizeof(this->ctr.iv);
+	}
+	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
+	return len;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
 
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_KEYLEN, NULL, &len);
+	if (this->ctr_mode)
+	{
+		return len + sizeof(this->ctr.nonce);
+	}
 	return len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_gcrypt_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_gcrypt_crypter_t *this, chunk_t key)
 {
+	if (this->ctr_mode)
+	{
+		/* last 4 bytes are the nonce */
+		memcpy(this->ctr.nonce, key.ptr + key.len - sizeof(this->ctr.nonce),
+			   sizeof(this->ctr.nonce));
+		key.len -= sizeof(this->ctr.nonce);
+	}
 	gcry_cipher_setkey(this->h, key.ptr, key.len);
 }
 
-/**
- * Implementation of crypter_t.destroy.
- */
-static void destroy (private_gcrypt_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_gcrypt_crypter_t *this)
 {
 	gcry_cipher_close(this->h);
 	free(this);
@@ -149,18 +194,19 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 			gcrypt_alg = GCRY_CIPHER_CAST5;
 			break;
 		case ENCR_BLOWFISH:
-			if (key_size != 16)
+			if (key_size != 16 && key_size != 0)
 			{	/* gcrypt currently supports 128 bit blowfish only */
 				return NULL;
 			}
 			gcrypt_alg = GCRY_CIPHER_BLOWFISH;
 			break;
-		/* case ENCR_AES_CTR:
-			mode = GCRY_CIPHER_MODE_CTR; */
+		case ENCR_AES_CTR:
+			mode = GCRY_CIPHER_MODE_CTR;
 			/* fall */
 		case ENCR_AES_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_AES128;
 					break;
@@ -174,13 +220,14 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 					return NULL;
 			}
 			break;
-		/* case ENCR_CAMELLIA_CTR:
-			mode = GCRY_CIPHER_MODE_CTR; */
+		case ENCR_CAMELLIA_CTR:
+			mode = GCRY_CIPHER_MODE_CTR;
 			/* fall */
 		case ENCR_CAMELLIA_CBC:
 			switch (key_size)
 			{
 #ifdef HAVE_GCRY_CIPHER_CAMELLIA
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_CAMELLIA128;
 					break;
@@ -198,6 +245,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		case ENCR_SERPENT_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_SERPENT128;
 					break;
@@ -214,6 +262,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		case ENCR_TWOFISH_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_TWOFISH128;
 					break;
@@ -228,9 +277,22 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_crypter_t);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.alg = gcrypt_alg,
+		.ctr_mode = mode == GCRY_CIPHER_MODE_CTR,
+	);
 
-	this->alg = gcrypt_alg;
 	err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0);
 	if (err)
 	{
@@ -239,14 +301,6 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		free(this);
 		return NULL;
 	}
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *))encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *))decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *))get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *))get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t))set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *))destroy;
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
index ce0ead4a8..e565e28c7 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
@@ -33,7 +33,7 @@ struct gcrypt_crypter_t {
 	/**
 	 * The crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 08d6239ad..6c4665da2 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -73,10 +73,8 @@ struct private_gcrypt_dh_t {
 	size_t p_len;
 };
 
-/**
- * Implementation of gcrypt_dh_t.set_other_public_value.
- */
-static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_gcrypt_dh_t *this, chunk_t value)
 {
 	gcry_mpi_t p_min_1;
 	gcry_error_t err;
@@ -134,18 +132,14 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len)
 	return chunk;
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_my_public_value.
- */
-static void get_my_public_value(private_gcrypt_dh_t *this, chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_gcrypt_dh_t *this, chunk_t *value)
 {
 	*value = export_mpi(this->ya, this->p_len);
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_gcrypt_dh_t *this, chunk_t *secret)
 {
 	if (!this->zz)
 	{
@@ -155,18 +149,14 @@ static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
 	return SUCCESS;
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_gcrypt_dh_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_gcrypt_dh_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of gcrypt_dh_t.destroy.
- */
-static void destroy(private_gcrypt_dh_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_gcrypt_dh_t *this)
 {
 	gcry_mpi_release(this->p);
 	gcry_mpi_release(this->xa);
@@ -178,42 +168,37 @@ static void destroy(private_gcrypt_dh_t *this)
 }
 
 /*
- * Described in header.
+ * Generic internal constructor
  */
-gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+gcrypt_dh_t *create_generic(diffie_hellman_group_t group, size_t exp_len,
+							chunk_t g, chunk_t p)
 {
 	private_gcrypt_dh_t *this;
-	diffie_hellman_params_t *params;
 	gcry_error_t err;
 	chunk_t random;
 	rng_t *rng;
 
-	params = diffie_hellman_get_params(group);
-	if (!params)
-	{
-		return NULL;
-	}
-
-	this = malloc_thing(private_gcrypt_dh_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-
-	this->group = group;
-	this->p_len = params->prime.len;
-	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
-						params->prime.ptr, params->prime.len, NULL);
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+		.p_len = p.len,
+	);
+	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG, p.ptr, p.len, NULL);
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi modulus failed: %s", gpg_strerror(err));
 		free(this);
 		return NULL;
 	}
-	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG,
-						params->generator.ptr, params->generator.len, NULL);
+	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG, g.ptr, g.len, NULL);
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi generator failed: %s", gpg_strerror(err));
@@ -225,7 +210,7 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (rng)
 	{	/* prefer external randomizer */
-		rng->allocate_bytes(rng, params->exp_len, &random);
+		rng->allocate_bytes(rng, exp_len, &random);
 		rng->destroy(rng);
 		err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG,
 							random.ptr, random.len, NULL);
@@ -241,21 +226,49 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	}
 	else
 	{	/* fallback to gcrypt internal randomizer, shouldn't ever happen */
-		this->xa = gcry_mpi_new(params->exp_len * 8);
-		gcry_mpi_randomize(this->xa, params->exp_len * 8, GCRY_STRONG_RANDOM);
+		this->xa = gcry_mpi_new(exp_len * 8);
+		gcry_mpi_randomize(this->xa, exp_len * 8, GCRY_STRONG_RANDOM);
 	}
-	if (params->exp_len == this->p_len)
+	if (exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
-		gcry_mpi_clear_bit(this->xa, params->exp_len * 8 - 1);
+		gcry_mpi_clear_bit(this->xa, exp_len * 8 - 1);
 	}
 
 	this->ya = gcry_mpi_new(this->p_len * 8);
-	this->yb = NULL;
-	this->zz = NULL;
 
 	gcry_mpi_powm(this->ya, this->g, this->xa, this->p);
 
 	return &this->public;
 }
 
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+{
+
+	diffie_hellman_params_t *params;
+
+	params = diffie_hellman_get_params(group);
+	if (!params)
+	{
+		return NULL;
+	}
+	return create_generic(group, params->exp_len,
+						  params->generator, params->prime);
+}
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group,
+									 chunk_t g, chunk_t p)
+{
+	if (group == MODP_CUSTOM)
+	{
+		return create_generic(group, p.len, g, p);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
index 95b68dcd0..a70958dc4 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
@@ -44,5 +44,16 @@ struct gcrypt_dh_t {
  */
 gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group);
 
+/**
+ * Creates a new gcrypt_dh_t object for MODP_CUSTOM.
+ *
+ * @param group			MODP_CUSTOM
+ * @param g				generator
+ * @param p				prime
+ * @return				gcrypt_dh_t object, NULL if not supported
+ */
+gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group,
+									 chunk_t g, chunk_t p);
+
 #endif /** GCRYPT_DH_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 39609c16c..96c87614f 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -37,27 +37,20 @@ struct private_gcrypt_hasher_t {
 	gcry_md_hd_t hd;
 };
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_gcrypt_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_gcrypt_hasher_t *this)
 {
 	return gcry_md_get_algo_dlen(gcry_md_get_algo(this->hd));
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_gcrypt_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_gcrypt_hasher_t *this)
 {
 	gcry_md_reset(this->hd);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_gcrypt_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	gcry_md_write(this->hd, chunk.ptr, chunk.len);
 	if (hash)
@@ -67,11 +60,8 @@ static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_gcrypt_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -84,10 +74,8 @@ static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy (private_gcrypt_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_gcrypt_hasher_t *this)
 {
 	gcry_md_close(this->hd);
 	free(this);
@@ -132,7 +120,17 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_hasher_t);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	err = gcry_md_open(&this->hd, gcrypt_alg, 0);
 	if (err)
@@ -143,12 +141,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
index 708ccaafb..a7542bcdd 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
@@ -33,7 +33,7 @@ struct gcrypt_hasher_t {
 	/**
 	 * The hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 039036b2c..590add5c8 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -93,10 +93,8 @@ static struct gcry_thread_cbs thread_functions = {
 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
 };
 
-/**
- * Implementation of gcrypt_plugin_t.destroy
- */
-static void destroy(private_gcrypt_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_gcrypt_plugin_t *this)
 {
 	lib->crypto->remove_hasher(lib->crypto,
 					(hasher_constructor_t)gcrypt_hasher_create);
@@ -106,6 +104,8 @@ static void destroy(private_gcrypt_plugin_t *this)
 					(rng_constructor_t)gcrypt_rng_create);
 	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->remove_dh(lib->crypto,
+					(dh_constructor_t)gcrypt_dh_create_custom);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)gcrypt_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
@@ -139,9 +139,13 @@ plugin_t *gcrypt_plugin_create()
 	}
 	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
 
-	this = malloc_thing(private_gcrypt_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* hashers */
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
@@ -172,8 +176,14 @@ plugin_t *gcrypt_plugin_create()
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+					(crypter_constructor_t)gcrypt_crypter_create);
+#ifdef HAVE_GCRY_CIPHER_CAMELLIA
 	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+					(crypter_constructor_t)gcrypt_crypter_create);
+#endif /* HAVE_GCRY_CIPHER_CAMELLIA */
 	lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
@@ -210,13 +220,15 @@ plugin_t *gcrypt_plugin_create()
 					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+					(dh_constructor_t)gcrypt_dh_create_custom);
 
 	/* RSA */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 					(builder_function_t)gcrypt_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 					(builder_function_t)gcrypt_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 					(builder_function_t)gcrypt_rsa_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
index d0d252572..d29755de9 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
@@ -35,11 +35,8 @@ struct private_gcrypt_rng_t {
 	rng_quality_t quality;
 };
 
-/**
- * Implementation of gcrypt_rng_t.get_bytes.
- */
-static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
-					  u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+	private_gcrypt_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	switch (this->quality)
 	{
@@ -55,20 +52,15 @@ static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
 	}
 }
 
-/**
- * Implementation of gcrypt_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_gcrypt_rng_t *this, size_t bytes,
-						   chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+	private_gcrypt_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(bytes);
 	get_bytes(this, chunk->len, chunk->ptr);
 }
 
-/**
- * Implementation of gcrypt_rng_t.destroy.
- */
-static void destroy(private_gcrypt_rng_t *this)
+METHOD(rng_t, destroy, void,
+	private_gcrypt_rng_t *this)
 {
 	free(this);
 }
@@ -90,13 +82,16 @@ gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_rng_t);
-
-	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
-	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
-	this->public.rng.destroy = (void (*) (rng_t *))destroy;
-
-	this->quality = quality;
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+		.quality = quality,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index b8e86aba0..38ce2cd6c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -192,19 +192,15 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 	return !!signature->len;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static key_type_t get_type(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *sig)
+METHOD(private_key_t, sign, bool,
+	private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *sig)
 {
 	switch (scheme)
 	{
@@ -229,17 +225,21 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
 	}
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static bool decrypt(private_gcrypt_rsa_private_key_t *this,
-					chunk_t encrypted, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_gcrypt_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t encrypted, chunk_t *plain)
 {
 	gcry_error_t err;
 	gcry_sexp_t in, out;
 	chunk_t padded;
 	u_char *pos = NULL;;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))",
 						  encrypted.len, encrypted.ptr);
 	if (err)
@@ -277,18 +277,14 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_gcrypt_rsa_private_key_t *this)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	return gcry_pk_get_nbits(this->key);
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	chunk_t n, e;
 	public_key_t *public;
@@ -304,11 +300,9 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty;
 	gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
@@ -385,11 +379,9 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -409,19 +401,15 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_ref.
- */
-static private_key_t* get_ref(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static void destroy(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -434,25 +422,29 @@ static void destroy(private_gcrypt_rsa_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
+static private_gcrypt_rsa_private_key_t *create_empty()
 {
-	private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-
-	this->key = NULL;
-	this->ref = 1;
+	private_gcrypt_rsa_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
@@ -493,7 +485,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type,
 		DBG1(DBG_LIB, "building S-expression failed: %s", gpg_strerror(err));
 		return NULL;
 	}
-	this = gcrypt_rsa_private_key_create_empty();
+	this = create_empty();
 	err = gcry_pk_genkey(&this->key, param);
 	gcry_sexp_release(param);
 	if (err)
@@ -552,7 +544,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type,
 		break;
 	}
 
-	this = gcrypt_rsa_private_key_create_empty();
+	this = create_empty();
 	err = gcry_sexp_build(&this->key, NULL,
 					"(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))",
 					n.len, n.ptr, e.len, e.ptr, d.len, d.ptr,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
index 4c3605f4b..0f3d66b80 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
@@ -34,7 +34,7 @@ struct gcrypt_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 80a91b976..f8645da97 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -159,19 +159,15 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_gcrypt_rsa_public_key_t *this,
-				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -196,15 +192,19 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.encrypt.
- */
-static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
-					 chunk_t *encrypted)
+METHOD(public_key_t, encrypt_, bool,
+	private_gcrypt_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *encrypted)
 {
 	gcry_sexp_t in, out;
 	gcry_error_t err;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	/* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption:
 	 * 00 | 02 | RANDOM | 00 | DATA */
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))",
@@ -228,19 +228,15 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 	return !!encrypted->len;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_gcrypt_rsa_public_key_t *this)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	return gcry_pk_get_nbits(this->key);
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -256,11 +252,9 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -280,19 +274,15 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gcrypt_rsa_public_key.destroy.
- */
-static void destroy(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -331,21 +321,23 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type,
 		break;
 	}
 
-	this = malloc_thing(private_gcrypt_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->key = NULL;
-	this->ref = 1;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
 						  n.len, n.ptr, e.len, e.ptr);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
index fa18c357b..ca0a284a2 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
@@ -34,7 +34,7 @@ struct gcrypt_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**