authorYves-Alexis Perez <corsac@corsac.net>2018-02-19 18:17:21 +0100
committerYves-Alexis Perez <corsac@corsac.net>2018-02-19 18:17:21 +0100
commit7793611ee71b576dd9c66dee327349fa64e38740 (patch)
treef1379ec1aed52a3c772874d4ed690b90975b9623 /src/swanctl
parente1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (diff)
downloadvyos-strongswan-7793611ee71b576dd9c66dee327349fa64e38740.tar.gz
vyos-strongswan-7793611ee71b576dd9c66dee327349fa64e38740.zip
New upstream version 5.6.2
Diffstat (limited to 'src/swanctl')
-rw-r--r--src/swanctl/commands/list_conns.c50
-rw-r--r--src/swanctl/commands/load_authorities.c16
-rw-r--r--src/swanctl/commands/load_creds.c12
-rw-r--r--src/swanctl/commands/load_pools.c14
-rw-r--r--src/swanctl/swanctl.conf.5.main5
-rw-r--r--src/swanctl/swanctl.opt5
6 files changed, 60 insertions, 42 deletions
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c
index 19e7050da..f692e9966 100644
--- a/src/swanctl/commands/list_conns.c
+++ b/src/swanctl/commands/list_conns.c
@@ -84,8 +84,8 @@ CALLBACK(children_sn, int,
{
hashtable_t *child;
char *mode, *interface, *priority;
- char *rekey_time, *rekey_bytes, *rekey_packets;
- bool no_time, no_bytes, no_packets, or = FALSE;
+ char *rekey_time, *rekey_bytes, *rekey_packets, *dpd_action, *dpd_delay;
+ bool no_time, no_bytes, no_packets, no_dpd, or = FALSE;
int ret;
child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
@@ -98,14 +98,18 @@ CALLBACK(children_sn, int,
rekey_time = child->get(child, "rekey_time");
rekey_bytes = child->get(child, "rekey_bytes");
rekey_packets = child->get(child, "rekey_packets");
+ dpd_action = child->get(child, "dpd_action");
+ dpd_delay = ike->get(ike, "dpd_delay");
+
no_time = streq(rekey_time, "0");
no_bytes = streq(rekey_bytes, "0");
no_packets = streq(rekey_packets, "0");
+ no_dpd = streq(dpd_delay, "0");
if (strcaseeq(mode, "PASS") || strcaseeq(mode, "DROP") ||
(no_time && no_bytes && no_packets))
{
- printf("no rekeying\n");
+ printf("no rekeying");
}
else
{
@@ -124,8 +128,12 @@ CALLBACK(children_sn, int,
{
printf("%s %s packets", or ? " or" : "", rekey_packets);
}
- printf("\n");
}
+ if (!no_dpd)
+ {
+ printf(", dpd action is %s", dpd_action);
+ }
+ printf("\n");
printf(" local: %s\n", child->get(child, "local-ts"));
printf(" remote: %s\n", child->get(child, "remote-ts"));
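Review bot: The new `printf(", dpd action is %s", dpd_action);` prints `dpd_action` without a NULL check, while the value comes from `child->get(child, "dpd_action")` a few lines above, which yields NULL when the child section the daemon returned has no such key (plausibly an older charon talking to a newer swanctl); passing NULL to `%s` is undefined. The guard could read `if (!no_dpd && dpd_action)`. The existing rekey_* lookups are handled the same way, so this may be an accepted project convention rather than a new risk. The enclosing children_sn callback starts and ends outside the hunk.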
@@ -153,7 +161,7 @@ CALLBACK(conn_sn, int,
if (streq(name, "children"))
{
- return vici_parse_cb(res, children_sn, NULL, NULL, NULL);
+ return vici_parse_cb(res, children_sn, NULL, NULL, ike);
}
if (strpfx(name, "local") || strpfx(name, "remote"))
{
@@ -225,11 +233,17 @@ CALLBACK(conn_list, int,
CALLBACK(conns, int,
void *null, vici_res_t *res, char *name)
{
- char *version, *reauth_time, *rekey_time;
+ int ret;
+ char *version, *reauth_time, *rekey_time, *dpd_delay;
+ hashtable_t *ike;
version = vici_find_str(res, "", "%s.version", name);
- reauth_time = vici_find_str(res, "", "%s.reauth_time", name);
- rekey_time = vici_find_str(res, "", "%s.rekey_time", name);
+ reauth_time = vici_find_str(res, "0", "%s.reauth_time", name);
+ rekey_time = vici_find_str(res, "0", "%s.rekey_time", name);
+ dpd_delay = vici_find_str(res, "0", "%s.dpd_delay", name);
+
+ ike = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
+ free(ike->put(ike,"dpd_delay", strdup(dpd_delay)));
printf("%s: %s, ", name, version);
if (streq(version, "IKEv1"))
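Review bot: The purpose of the per-connection `ike` hashtable created at `ike = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);` is not stated, and a reader sees a table that only ever holds one entry; as far as the hunks show, it exists to carry `dpd_delay` down to children_sn through the user pointer of `vici_parse_cb`. A one-line comment before the create, such as `/* IKE-level settings the children callback needs (only dpd_delay so far) */`, would make that explicit. The call `free(ike->put(ike,"dpd_delay", strdup(dpd_delay)));` also lacks the space after the first comma that the surrounding code uses. The table is released with `free_hashtable(ike)` in the next hunk; the conns callback continues past this hunk.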
@@ -247,22 +261,26 @@ CALLBACK(conns, int,
{
printf("reauthentication every %ss", reauth_time);
}
- if (streq(version, "IKEv1"))
- {
- printf("\n");
- }
- else
+ if (!streq(version, "IKEv1"))
{
if (streq(rekey_time, "0"))
{
- printf(", no rekeying\n");
+ printf(", no rekeying");
}
else
{
- printf(", rekeying every %ss\n", rekey_time);
+ printf(", rekeying every %ss", rekey_time);
}
}
- return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
+ if (!streq(dpd_delay, "0"))
+ {
+ printf(", dpd delay %ss", dpd_delay);
+ }
+ printf("\n");
+
+ ret = vici_parse_cb(res, conn_sn, NULL, conn_list, ike);
+ free_hashtable(ike);
+ return ret;
}
CALLBACK(list_cb, void,
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index 8947866f5..d82c0f98e 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -75,15 +75,15 @@ static bool add_file_key_value(vici_req_t *req, char *key, char *value)
}
/**
- * Translate sletting key/values from a section into vici key-values/lists
+ * Translate sletting key/values from a section enumerator into vici
+ * key-values/lists. Destroys the enumerator.
*/
-static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
+static bool add_key_values(vici_req_t *req, enumerator_t *enumerator)
{
- enumerator_t *enumerator;
char *key, *value;
bool ret = TRUE;
- enumerator = cfg->create_key_value_enumerator(cfg, section);
+
while (enumerator->enumerate(enumerator, &key, &value))
{
if (streq(key, "cacert"))
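Review bot: The rewritten doc comment on `add_key_values` keeps the typo `sletting` from the line it replaces; it should read `* Translate setting key/values from a section enumerator into vici`, which also matches the wording of the parallel comment in load_pools.c. The loop body that consumes and destroys the enumerator continues past the hunk.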
@@ -115,17 +115,17 @@ static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
static bool load_authority(vici_conn_t *conn, settings_t *cfg,
char *section, command_format_options_t format)
{
+ enumerator_t *enumerator;
vici_req_t *req;
vici_res_t *res;
bool ret = TRUE;
- char buf[128];
-
- snprintf(buf, sizeof(buf), "%s.%s", "authorities", section);
req = vici_begin("load-authority");
vici_begin_section(req, section);
- if (!add_key_values(req, cfg, buf))
+ enumerator = cfg->create_key_value_enumerator(cfg, "authorities.%s",
+ section);
+ if (!add_key_values(req, enumerator))
{
vici_free_req(req);
return FALSE;
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index d8541061e..15ef2f151 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -337,7 +337,7 @@ static void* decrypt_with_config(load_ctx_t *ctx, char *name, char *type,
credential_type_t credtype;
int subtype;
enumerator_t *enumerator, *secrets;
- char *section, *key, *value, *file, buf[128];
+ char *section, *key, *value, *file;
shared_key_t *shared;
void *cred = NULL;
mem_cred_t *mem = NULL;
@@ -356,8 +356,8 @@ static void* decrypt_with_config(load_ctx_t *ctx, char *name, char *type,
file = ctx->cfg->get_str(ctx->cfg, "secrets.%s.file", NULL, section);
if (file && strcaseeq(file, name))
{
- snprintf(buf, sizeof(buf), "secrets.%s", section);
- secrets = ctx->cfg->create_key_value_enumerator(ctx->cfg, buf);
+ secrets = ctx->cfg->create_key_value_enumerator(ctx->cfg,
+ "secrets.%s", section);
while (secrets->enumerate(secrets, &key, &value))
{
if (strpfx(key, "secret"))
@@ -657,7 +657,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
vici_req_t *req;
vici_res_t *res;
chunk_t data;
- char *key, *value, buf[128], *type = NULL;
+ char *key, *value, *type = NULL;
bool ret = TRUE;
int i;
char *types[] = {
@@ -720,8 +720,8 @@ static bool load_secret(load_ctx_t *ctx, char *section)
chunk_clear(&data);
vici_begin_list(req, "owners");
- snprintf(buf, sizeof(buf), "secrets.%s", section);
- enumerator = ctx->cfg->create_key_value_enumerator(ctx->cfg, buf);
+ enumerator = ctx->cfg->create_key_value_enumerator(ctx->cfg, "secrets.%s",
+ section);
while (enumerator->enumerate(enumerator, &key, &value))
{
if (strpfx(key, "id"))
diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c
index 2b9fa2d42..feb8d3a52 100644
--- a/src/swanctl/commands/load_pools.c
+++ b/src/swanctl/commands/load_pools.c
@@ -41,14 +41,13 @@ static void add_list_key(vici_req_t *req, char *key, char *value)
}
/**
- * Translate setting key/values from a section into vici key-values/lists
+ * Translate setting key/values from a section enumerator into vici
+ * key-values/lists. Destroys the enumerator.
*/
-static void add_key_values(vici_req_t *req, settings_t *cfg, char *section)
+static void add_key_values(vici_req_t *req, enumerator_t *enumerator)
{
- enumerator_t *enumerator;
char *key, *value;
- enumerator = cfg->create_key_value_enumerator(cfg, section);
while (enumerator->enumerate(enumerator, &key, &value))
{
/* pool subnet is encoded as key/value, all other attributes as list */
@@ -70,17 +69,16 @@ static void add_key_values(vici_req_t *req, settings_t *cfg, char *section)
static bool load_pool(vici_conn_t *conn, settings_t *cfg,
char *section, command_format_options_t format)
{
+ enumerator_t *enumerator;
vici_req_t *req;
vici_res_t *res;
bool ret = TRUE;
- char buf[128];
-
- snprintf(buf, sizeof(buf), "%s.%s", "pools", section);
req = vici_begin("load-pool");
vici_begin_section(req, section);
- add_key_values(req, cfg, buf);
+ enumerator = cfg->create_key_value_enumerator(cfg, "pools.%s", section);
+ add_key_values(req, enumerator);
vici_end_section(req);
res = vici_submit(req, conn);
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 6c73d4775..637661083 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -726,9 +726,10 @@ trustchain validation, append hash algorithms to
.RI "" "pubkey" ""
or a key strength
definition (for example
-.RI "" "pubkey\-sha1\-sha256" ""
+.RI "" "pubkey\-sha256\-sha512" ","
+.RI "" "rsa\-2048\-sha256\-sha384\-sha512" ""
or
-.RI "" "rsa\-2048\-ecdsa\-256\-sha256\-sha384\-sha512" ")."
+.RI "" "rsa\-2048\-sha256\-ecdsa\-256\-sha256\-sha384" ")."
Unless disabled in
.RB "" "strongswan.conf" "(5),"
or explicit IKEv2 signature constraints are configured
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 2dd9ea374..5675b31ca 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -587,8 +587,9 @@ connections.<conn>.remote<suffix>.auth = pubkey
key type followed by the minimum strength in bits (for example _ecdsa-384_
or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms
for trustchain validation, append hash algorithms to _pubkey_ or a key
- strength definition (for example _pubkey-sha1-sha256_ or
- _rsa-2048-ecdsa-256-sha256-sha384-sha512_).
+ strength definition (for example _pubkey-sha256-sha512_,
+ _rsa-2048-sha256-sha384-sha512_ or
+ _rsa-2048-sha256-ecdsa-256-sha256-sha384_).
Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature
constraints are configured (refer to the description of the **local**
section's **auth** keyword for details), such key types and hash algorithms