Diffstat (limited to 'src/libcharon/plugins/vici')
-rw-r--r--src/libcharon/plugins/vici/Makefile.in11
-rw-r--r--src/libcharon/plugins/vici/README.md5
-rw-r--r--src/libcharon/plugins/vici/perl/Makefile.in11
-rw-r--r--src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm53
-rw-r--r--src/libcharon/plugins/vici/python/Makefile.in11
-rw-r--r--src/libcharon/plugins/vici/ruby/Makefile.in11
-rw-r--r--src/libcharon/plugins/vici/ruby/lib/vici.rb2
-rw-r--r--src/libcharon/plugins/vici/vici_attribute.c2
-rw-r--r--src/libcharon/plugins/vici/vici_config.c125
-rw-r--r--src/libcharon/plugins/vici/vici_control.c4
-rw-r--r--src/libcharon/plugins/vici/vici_cred.c4
-rw-r--r--src/libcharon/plugins/vici/vici_message.c14
-rw-r--r--src/libcharon/plugins/vici/vici_query.c36
13 files changed, 211 insertions, 78 deletions
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index d28223dca..31054634a 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -409,7 +409,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
-RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
@@ -435,6 +434,8 @@ am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
@@ -455,8 +456,6 @@ dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -511,8 +510,6 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -541,8 +538,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 0038f0844..5bd8c1727 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -75,7 +75,7 @@ for example.
The defined packet types optionally wrap a message with additional data.
Messages are currently used in CMD_REQUEST/CMD_RESPONSE, and in EVENT packets.
-A message uses a hierarchial tree of sections. Each section (or the implicit
+A message uses a hierarchical tree of sections. Each section (or the implicit
root section) contains an arbitrary set of key/value pairs, lists and
sub-sections. The length of a message is not part of the message itself, but
the wrapping layer, usually calculated from the transport byte sequence length.
@@ -140,7 +140,7 @@ Consider the following structure using pseudo-markup for this example:
list1 = [ item1, item2 ]
}
-The example above reprensents a valid tree structure, that gets encoded as
+The example above represents a valid tree structure, that gets encoded as
the following C array:
char msg[] = {
@@ -302,6 +302,7 @@ Initiate the rekeying of an SA.
ike = <rekey an IKE_SA by configuration name>
child-id = <rekey a CHILD_SA by its reqid>
ike-id = <rekey an IKE_SA by its unique id>
+ reauth = <reauthenticate instead of rekey an IKEv2 SA>
} => {
success = <yes or no>
matches = <number of matched SAs>
diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in
index 59b0774b8..42e35745e 100644
--- a/src/libcharon/plugins/vici/perl/Makefile.in
+++ b/src/libcharon/plugins/vici/perl/Makefile.in
@@ -227,7 +227,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
-RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
@@ -253,6 +252,8 @@ am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
@@ -273,8 +274,6 @@ dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -329,8 +328,6 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -359,8 +356,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm
index b0a942c04..d0700fa97 100644
--- a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm
@@ -29,7 +29,9 @@ sub from_data {
my $data = shift;
my %hash = ();
- parse($data, \%hash);
+ open my $data_fd, '<', \$data;
+ parse($data_fd, \%hash);
+ close $data_fd;
my $self = {
Hash => \%hash
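Review bot: The in-memory open at `open my $data_fd, '<', \$data;` is unchecked; when it fails (for instance if `$data` carries code points above 0xFF, which cannot be mapped into an in-memory handle) `parse` goes on to read from an unopened handle and the error surfaces far from its cause. Write `open my $data_fd, '<', \$data or die "message parsing error: $!\n";` so the failure is reported where it happens. Since the parser now dies on malformed input instead of returning a partial hash, `from_data`'s error contract has changed and deserves a one-line comment saying it throws. The enclosing `from_data` begins before the hunk.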
@@ -62,29 +64,30 @@ sub result {
# private functions
sub parse {
- my $data = shift;
+ my $fd = shift;
my $hash = shift;
+ my $data;
- while (length($data) > 0)
+ until ( eof $fd )
{
- (my $type, $data) = unpack('Ca*', $data);
+ my $type = unpack('C', read_data($fd, 1));
- if ($type == SECTION_END)
- {
- return $data;
- }
+ if ( $type == SECTION_END )
+ {
+ return;
+ }
- (my $key, $data) = unpack('C/a*a*', $data);
+ my $key = read_len_data($fd, 1);
if ( $type == KEY_VALUE )
{
- (my $value, $data) = unpack('n/a*a*', $data);
+ my $value = read_len_data($fd, 2);
$hash->{$key} = $value;
}
elsif ( $type == SECTION_START )
{
my %section = ();
- $data = parse($data, \%section);
+ parse($fd, \%section);
$hash->{$key} = \%section;
}
elsif ( $type == LIST_START )
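Review bot: A sub-section that ends at EOF without a SECTION_END is still accepted silently: the recursive `parse($fd, \%section);` returns normally once `until ( eof $fd )` exhausts the handle, so a truncated message yields a partial hash instead of an error, and the list loop in the next hunk has the same gap, where a missing LIST_END simply drops the key. Distinguishing the two exits would let the caller tell them apart: `return 1;` in the SECTION_END branch, `return 0;` after the loop (its closing brace is in the following hunk), and `parse($fd, \%section) or die "message parsing error: unterminated section\n";` at the recursive call, with the top-level call in from_data free to ignore the result. Separately, `my $data;` added at the top of the new body is never referenced by parse now that byte reading lives in read_data; drop it. `parse` continues in the following hunks.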
@@ -92,19 +95,20 @@ sub parse {
my @list = ();
my $more = 1;
- while (length($data) > 0 and $more)
+ while ( !eof($fd) and $more )
{
- (my $type, $data) = unpack('Ca*', $data);
+ my $type = unpack('C', read_data($fd, 1));
+
if ( $type == LIST_ITEM )
{
- (my $value, $data) = unpack('n/a*a*', $data);
+ my $value = read_len_data($fd, 2);
push(@list, $value);
}
elsif ( $type == LIST_END )
{
$more = 0;
$hash->{$key} = \@list;
- }
+ }
else
{
die "message parsing error: ", $type, "\n"
@@ -116,9 +120,28 @@ sub parse {
die "message parsing error: ", $type, "\n"
}
}
+}
+
+sub read_data {
+ my $fd = shift;
+ my $len = shift;
+ my $data;
+
+ my $res = read $fd, $data, $len;
+ unless (defined $res and $res == $len)
+ {
+ die "message parsing error: unable to read ", $len, " bytes\n";
+ }
return $data;
}
+sub read_len_data {
+ my $fd = shift;
+ my $len = shift;
+
+ $len = unpack($len == 1 ? 'C' : 'n', read_data($fd, $len));
+ return read_data($fd, $len);
+}
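Review bot: The two new helpers carry no comment, so a reader has to work out that `read_data` fails unless exactly `$len` bytes are available and that `read_len_data` consumes a one-byte (`C`) or two-byte big-endian (`n`) length prefix followed by that many bytes. Add `# read exactly $len bytes from $fd, dying on a short read` above read_data and `# read a 1- or 2-byte big-endian length prefix, then that many bytes` above read_len_data. Note that a single `read` is treated as authoritative: for the in-memory handle created in from_data that is fine, but if a socket handle were ever passed here a legitimate short read would be reported as a parsing error rather than retried, which is worth stating in the comment. The trailing `return $data;` that used to close `parse` now belongs to read_data.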
sub encode_hash {
my $hash = shift;
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index 057ea88f4..6592a1ae0 100644
--- a/src/libcharon/plugins/vici/python/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -249,7 +249,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
-RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
@@ -275,6 +274,8 @@ am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
@@ -295,8 +296,6 @@ dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -351,8 +350,6 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -381,8 +378,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index ff4e07d2d..fb9d348d1 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -227,7 +227,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
-RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
@@ -253,6 +252,8 @@ am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
@@ -273,8 +274,6 @@ dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -329,8 +328,6 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -359,8 +356,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index f846a14af..61de99a1f 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -450,7 +450,7 @@ module Vici
##
# Flush credential cache.
- def flush_certs((match = nil)
+ def flush_certs(match = nil)
check_success(@transp.request("flush-certs", Message.new(match)))
end
diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c
index 4d174253d..f7c7ce13a 100644
--- a/src/libcharon/plugins/vici/vici_attribute.c
+++ b/src/libcharon/plugins/vici/vici_attribute.c
@@ -705,7 +705,7 @@ CALLBACK(get_pools, vici_message_t*,
i = 0;
builder->begin_section(builder, "leases");
leases = vips->create_lease_enumerator(vips);
- while (leases && leases->enumerate(leases, &uid, &lease, &on))
+ while (leases->enumerate(leases, &uid, &lease, &on))
{
snprintf(buf, sizeof(buf), "%d", i++);
builder->begin_section(builder, buf);
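Review bot: Dropping the `leases &&` guard makes `get_pools` dereference the result of `create_lease_enumerator` unconditionally, which is only safe if every provider reachable here is guaranteed to return a non-NULL enumerator, and the hunk does not show that. If the guarantee holds, record it at the call, `/* create_lease_enumerator() never returns NULL */`; if it does not, keep the guard. `get_pools` begins and ends outside the hunk.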
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index f4e9e33ee..10c62dc89 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2,8 +2,8 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
- * Copyright (C) 2015-2017 Tobias Brunner
- * Copyright (C) 2015-2016 Andreas Steffen
+ * Copyright (C) 2015-2018 Tobias Brunner
+ * Copyright (C) 2015-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -304,6 +304,8 @@ typedef struct {
bool mobike;
bool send_certreq;
bool pull;
+ identification_t *ppk_id;
+ bool ppk_required;
cert_policy_t send_cert;
uint64_t dpd_delay;
uint64_t dpd_timeout;
@@ -403,6 +405,8 @@ static void log_peer_data(peer_data_t *data)
DBG2(DBG_CFG, " remote_port = %u", data->remote_port);
DBG2(DBG_CFG, " send_certreq = %u", data->send_certreq);
DBG2(DBG_CFG, " send_cert = %N", cert_policy_names, data->send_cert);
+ DBG2(DBG_CFG, " ppk_id = %Y", data->ppk_id);
+ DBG2(DBG_CFG, " ppk_required = %u", data->ppk_required);
DBG2(DBG_CFG, " mobike = %u", data->mobike);
DBG2(DBG_CFG, " aggressive = %u", data->aggressive);
DBG2(DBG_CFG, " dscp = 0x%.2x", data->dscp);
@@ -469,6 +473,7 @@ static void free_peer_data(peer_data_t *data)
free(data->pools);
free(data->local_addrs);
free(data->remote_addrs);
+ DESTROY_IF(data->ppk_id);
#ifdef ME
free(data->mediated_by);
DESTROY_IF(data->peer_id);
@@ -484,7 +489,6 @@ typedef struct {
linked_list_t *local_ts;
linked_list_t *remote_ts;
uint32_t replay_window;
- bool policies;
child_cfg_create_t cfg;
} child_data_t;
@@ -511,7 +515,7 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " ipcomp = %u", has_opt(OPT_IPCOMP));
DBG2(DBG_CFG, " mode = %N%s", ipsec_mode_names, cfg->mode,
has_opt(OPT_PROXY_MODE) ? "_PROXY" : "");
- DBG2(DBG_CFG, " policies = %u", data->policies);
+ DBG2(DBG_CFG, " policies = %u", !has_opt(OPT_NO_POLICIES));
DBG2(DBG_CFG, " policies_fwd_out = %u", has_opt(OPT_FWD_OUT_POLICIES));
if (data->replay_window != REPLAY_UNDEFINED)
{
@@ -529,12 +533,19 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " mark_in_sa = %u", has_opt(OPT_MARK_IN_SA));
DBG2(DBG_CFG, " mark_out = %u/%u",
cfg->mark_out.value, cfg->mark_out.mask);
+ DBG2(DBG_CFG, " set_mark_in = %u/%u",
+ cfg->set_mark_in.value, cfg->set_mark_in.mask);
+ DBG2(DBG_CFG, " set_mark_out = %u/%u",
+ cfg->set_mark_out.value, cfg->set_mark_out.mask);
DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
DBG2(DBG_CFG, " hw_offload = %N", hw_offload_names, cfg->hw_offload);
DBG2(DBG_CFG, " sha256_96 = %u", has_opt(OPT_SHA256_96));
+ DBG2(DBG_CFG, " copy_df = %u", !has_opt(OPT_NO_COPY_DF));
+ DBG2(DBG_CFG, " copy_ecn = %u", !has_opt(OPT_NO_COPY_ECN));
+ DBG2(DBG_CFG, " copy_dscp = %N", dscp_copy_names, cfg->copy_dscp);
}
/**
@@ -847,16 +858,17 @@ CALLBACK(parse_mode, bool,
}
/**
- * Enable a child_cfg_option_t
+ * Enable a child_cfg_option_t, the flag controls whether the option is enabled
+ * if the parsed value is TRUE or FALSE.
*/
static bool parse_option(child_cfg_option_t *out, child_cfg_option_t opt,
- chunk_t v)
+ chunk_t v, bool add_if_true)
{
bool val;
if (parse_bool(&val, v))
{
- if (val)
+ if (val == add_if_true)
{
*out |= opt;
}
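Review bot: The new doc comment on `parse_option` reads awkwardly ("the flag controls whether the option is enabled if the parsed value is TRUE or FALSE") and the added parameter has no @param entry. Suggest `@param add_if_true  set opt when the value parses as TRUE; pass FALSE for negated OPT_NO_* options, which are set when the value parses as FALSE`. It is also worth stating that the function only ever sets bits, so a later key cannot clear an option set by an earlier one; that is fine for a freshly zeroed child_cfg_option_t but is an easy assumption to break. `parse_option` ends outside the hunk.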
@@ -871,7 +883,16 @@ static bool parse_option(child_cfg_option_t *out, child_cfg_option_t opt,
CALLBACK(parse_opt_haccess, bool,
child_cfg_option_t *out, chunk_t v)
{
- return parse_option(out, OPT_HOSTACCESS, v);
+ return parse_option(out, OPT_HOSTACCESS, v, TRUE);
+}
+
+/**
+ * Parse OPT_NO_POLICIES option
+ */
+CALLBACK(parse_opt_policies, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_NO_POLICIES, v, FALSE);
}
/**
@@ -880,7 +901,7 @@ CALLBACK(parse_opt_haccess, bool,
CALLBACK(parse_opt_fwd_out, bool,
child_cfg_option_t *out, chunk_t v)
{
- return parse_option(out, OPT_FWD_OUT_POLICIES, v);
+ return parse_option(out, OPT_FWD_OUT_POLICIES, v, TRUE);
}
/**
@@ -889,17 +910,16 @@ CALLBACK(parse_opt_fwd_out, bool,
CALLBACK(parse_opt_ipcomp, bool,
child_cfg_option_t *out, chunk_t v)
{
- return parse_option(out, OPT_IPCOMP, v);
+ return parse_option(out, OPT_IPCOMP, v, TRUE);
}
-
/**
* Parse OPT_SHA256_96 option
*/
CALLBACK(parse_opt_sha256_96, bool,
child_cfg_option_t *out, chunk_t v)
{
- return parse_option(out, OPT_SHA256_96, v);
+ return parse_option(out, OPT_SHA256_96, v, TRUE);
}
/**
@@ -908,7 +928,47 @@ CALLBACK(parse_opt_sha256_96, bool,
CALLBACK(parse_opt_mark_in, bool,
child_cfg_option_t *out, chunk_t v)
{
- return parse_option(out, OPT_MARK_IN_SA, v);
+ return parse_option(out, OPT_MARK_IN_SA, v, TRUE);
+}
+
+/**
+ * Parse OPT_NO_COPY_DF option
+ */
+CALLBACK(parse_opt_copy_df, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_NO_COPY_DF, v, FALSE);
+}
+
+/**
+ * Parse OPT_NO_COPY_ECN option
+ */
+CALLBACK(parse_opt_copy_ecn, bool,
+ child_cfg_option_t *out, chunk_t v)
+{
+ return parse_option(out, OPT_NO_COPY_ECN, v, FALSE);
+}
+
+/**
+ * Parse a dscp_copy_t
+ */
+CALLBACK(parse_copy_dscp, bool,
+ dscp_copy_t *out, chunk_t v)
+{
+ enum_map_t map[] = {
+ { "no", DSCP_COPY_NO },
+ { "in", DSCP_COPY_IN_ONLY },
+ { "out", DSCP_COPY_OUT_ONLY },
+ { "yes", DSCP_COPY_YES },
+ };
+ int d;
+
+ if (parse_map(map, countof(map), &d, v))
+ {
+ *out = d;
+ return TRUE;
+ }
+ return FALSE;
}
/**
@@ -1126,7 +1186,22 @@ CALLBACK(parse_mark, bool,
{
return FALSE;
}
- return mark_from_string(buf, out);
+ return mark_from_string(buf, MARK_OP_UNIQUE, out);
+}
+
+/**
+ * Parse a mark_t when using it as set_mark.
+ */
+CALLBACK(parse_set_mark, bool,
+ mark_t *out, chunk_t v)
+{
+ char buf[32];
+
+ if (!vici_stringify(v, buf, sizeof(buf)))
+ {
+ return FALSE;
+ }
+ return mark_from_string(buf, MARK_OP_SAME, out);
}
/**
@@ -1514,9 +1589,8 @@ CALLBACK(parse_hosts, bool,
return TRUE;
}
-#ifdef ME
/**
- * Parse peer ID
+ * Parse peer/ppk ID
*/
CALLBACK(parse_peer_id, bool,
identification_t **out, chunk_t v)
@@ -1530,7 +1604,7 @@ CALLBACK(parse_peer_id, bool,
*out = identification_create_from_string(buf);
return TRUE;
}
-#endif /* ME */
+
CALLBACK(cert_kv, bool,
cert_data_t *cert, vici_message_t *message, char *name, chunk_t value)
@@ -1567,7 +1641,7 @@ CALLBACK(child_kv, bool,
{ "updown", parse_string, &child->cfg.updown },
{ "hostaccess", parse_opt_haccess, &child->cfg.options },
{ "mode", parse_mode, &child->cfg },
- { "policies", parse_bool, &child->policies },
+ { "policies", parse_opt_policies, &child->cfg.options },
{ "policies_fwd_out", parse_opt_fwd_out, &child->cfg.options },
{ "replay_window", parse_uint32, &child->replay_window },
{ "rekey_time", parse_time, &child->cfg.lifetime.time.rekey },
@@ -1588,11 +1662,16 @@ CALLBACK(child_kv, bool,
{ "mark_in", parse_mark, &child->cfg.mark_in },
{ "mark_in_sa", parse_opt_mark_in, &child->cfg.options },
{ "mark_out", parse_mark, &child->cfg.mark_out },
+ { "set_mark_in", parse_set_mark, &child->cfg.set_mark_in },
+ { "set_mark_out", parse_set_mark, &child->cfg.set_mark_out },
{ "tfc_padding", parse_tfc, &child->cfg.tfc },
{ "priority", parse_uint32, &child->cfg.priority },
{ "interface", parse_string, &child->cfg.interface },
{ "hw_offload", parse_hw_offload, &child->cfg.hw_offload },
{ "sha256_96", parse_opt_sha256_96,&child->cfg.options },
+ { "copy_df", parse_opt_copy_df, &child->cfg.options },
+ { "copy_ecn", parse_opt_copy_ecn, &child->cfg.options },
+ { "copy_dscp", parse_copy_dscp, &child->cfg.copy_dscp },
};
return parse_rules(rules, countof(rules), name, value,
@@ -1604,7 +1683,7 @@ CALLBACK(auth_li, bool,
{
parse_rule_t rules[] = {
{ "groups", parse_group, auth->cfg },
- { "cert_policy", parse_cert_policy, auth },
+ { "cert_policy", parse_cert_policy, auth->cfg },
{ "certs", parse_certs, auth },
{ "cacerts", parse_cacerts, auth },
{ "pubkeys", parse_pubkeys, auth },
@@ -1669,6 +1748,8 @@ CALLBACK(peer_kv, bool,
{ "rekey_time", parse_time, &peer->rekey_time },
{ "over_time", parse_time, &peer->over_time },
{ "rand_time", parse_time, &peer->rand_time },
+ { "ppk_id", parse_peer_id, &peer->ppk_id },
+ { "ppk_required", parse_bool, &peer->ppk_required },
#ifdef ME
{ "mediation", parse_bool, &peer->mediation },
{ "mediated_by", parse_string, &peer->mediated_by },
@@ -1802,7 +1883,6 @@ CALLBACK(children_sn, bool,
.proposals = linked_list_create(),
.local_ts = linked_list_create(),
.remote_ts = linked_list_create(),
- .policies = TRUE,
.replay_window = REPLAY_UNDEFINED,
.cfg = {
.mode = MODE_TUNNEL,
@@ -1858,7 +1938,6 @@ CALLBACK(children_sn, bool,
child.proposals->insert_last(child.proposals, proposal);
}
}
- child.cfg.options |= child.policies ? 0 : OPT_NO_POLICIES;
check_lifetimes(&child.cfg.lifetime);
@@ -2212,8 +2291,8 @@ static void merge_config(private_vici_config_t *this, peer_cfg_t *peer_cfg)
{
DBG1(DBG_CFG, "replaced vici connection: %s",
peer_cfg->get_name(peer_cfg));
+ this->conns->insert_before(this->conns, enumerator, peer_cfg);
this->conns->remove_at(this->conns, enumerator);
- this->conns->insert_last(this->conns, peer_cfg);
handle_start_actions(this, current, TRUE);
handle_start_actions(this, peer_cfg, FALSE);
current->destroy(current);
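Review bot: The switch from `remove_at` plus `insert_last` to `insert_before` plus `remove_at` looks like a no-op shuffle and is easy to revert by accident; a why-comment would protect it, e.g. `/* insert at the same position so the connection order is preserved */`, assuming order preservation is the intent, which the hunk suggests but does not state. `merge_config` starts before and continues after the hunk.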
@@ -2407,6 +2486,8 @@ CALLBACK(config_sn, bool,
.push_mode = !peer.pull,
.dpd = peer.dpd_delay,
.dpd_timeout = peer.dpd_timeout,
+ .ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL,
+ .ppk_required = peer.ppk_required,
};
#ifdef ME
cfg.mediation = peer.mediation;
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index ce19608dc..16e49fdbc 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -373,11 +373,13 @@ CALLBACK(rekey, vici_message_t*,
ike_sa_t *ike_sa;
child_sa_t *child_sa;
vici_builder_t *builder;
+ bool reauth;
child = request->get_str(request, NULL, "child");
ike = request->get_str(request, NULL, "ike");
child_id = request->get_int(request, 0, "child-id");
ike_id = request->get_int(request, 0, "ike-id");
+ reauth = request->get_bool(request, FALSE, "reauth");
if (!child && !ike && !ike_id && !child_id)
{
@@ -438,7 +440,7 @@ CALLBACK(rekey, vici_message_t*,
(ike_id && ike_id == ike_sa->get_unique_id(ike_sa)))
{
lib->processor->queue_job(lib->processor,
- (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE));
+ (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), reauth));
found++;
}
}
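Review bot: `reauth` is read for every request but, in the visible code, is only consulted in the IKE_SA branch that calls `rekey_ike_sa_job_create`; a request that selects a CHILD_SA with `reauth = yes` would be rekeyed without reauthentication unless that case is handled outside the hunk. Either reject the combination right after the existing argument check, e.g. `if (reauth && (child || child_id)) { return create_reply("reauth applies to IKE_SAs only"); }` as the other callbacks do with create_reply(), or note in the README entry for `reauth` that it is ignored for CHILD_SA selectors. The `rekey` callback begins and ends outside the hunk.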
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index ec6c80a5b..038338805 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -442,6 +442,10 @@ CALLBACK(load_shared, vici_message_t*,
{
type = SHARED_NT_HASH;
}
+ else if (strcaseeq(str, "ppk"))
+ {
+ type = SHARED_PPK;
+ }
else
{
return create_reply("invalid shared key type: %s", str);
diff --git a/src/libcharon/plugins/vici/vici_message.c b/src/libcharon/plugins/vici/vici_message.c
index 13761f59d..df5b85c64 100644
--- a/src/libcharon/plugins/vici/vici_message.c
+++ b/src/libcharon/plugins/vici/vici_message.c
@@ -102,18 +102,10 @@ bool vici_verify_type(vici_type_t type, u_int section, bool list)
DBG1(DBG_ENC, "'%N' outside of section", vici_type_names, type);
return FALSE;
}
- if (type == VICI_END)
+ if (type == VICI_END && section)
{
- if (section)
- {
- DBG1(DBG_ENC, "'%N' within section", vici_type_names, type);
- return FALSE;
- }
- if (list)
- {
- DBG1(DBG_ENC, "'%N' within list", vici_type_names, type);
- return FALSE;
- }
+ DBG1(DBG_ENC, "'%N' within section", vici_type_names, type);
+ return FALSE;
}
return TRUE;
}
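Review bot: The rewrite drops the `list` test for VICI_END: with `section == 0` but `list == TRUE` the old code rejected the message as "within list", while the new condition `type == VICI_END && section` lets it pass, so a root-level list that is never closed now verifies as well-formed. If the enclosing parser guarantees this state cannot be reached with an open list, say so in a comment on the condition; otherwise keep the check, `if (type == VICI_END && (section || list))`, with a message that names whichever is still open. Since this function validates messages arriving on the vici socket, stricter is the safer default. `vici_verify_type` starts before the hunk.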
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 82c3d7855..d7b61ca72 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2015-2017 Tobias Brunner
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2014 Martin Willi
@@ -417,6 +417,7 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
b->add_kv(b, "dh-group", "%N", diffie_hellman_group_names, alg);
}
}
+ add_condition(b, ike_sa, "ppk", COND_PPK);
if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
{
@@ -570,7 +571,7 @@ static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike,
list_mode(b, NULL, cfg);
b->begin_list(b, "local-ts");
- list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL);
+ list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL, FALSE);
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &ts))
{
@@ -581,7 +582,7 @@ static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike,
b->end_list(b /* local-ts */);
b->begin_list(b, "remote-ts");
- list = cfg->get_traffic_selectors(cfg, FALSE, NULL, NULL);
+ list = cfg->get_traffic_selectors(cfg, FALSE, NULL, NULL, FALSE);
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &ts))
{
@@ -737,6 +738,18 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
rules->destroy(rules);
b->end_list(b);
+ b->begin_list(b, "cert_policy");
+ rules = auth->create_enumerator(auth);
+ while (rules->enumerate(rules, &rule, &v))
+ {
+ if (rule == AUTH_RULE_CERT_POLICY)
+ {
+ b->add_li(b, "%s", v.str);
+ }
+ }
+ rules->destroy(rules);
+ b->end_list(b);
+
b->begin_list(b, "certs");
rules = auth->create_enumerator(auth);
while (rules->enumerate(rules, &rule, &v))
@@ -775,6 +788,7 @@ CALLBACK(list_conns, vici_message_t*,
child_cfg_t *child_cfg;
char *ike, *str, *interface;
uint32_t manual_prio, dpd_delay, dpd_timeout;
+ identification_t *ppk_id;
linked_list_t *list;
traffic_selector_t *ts;
lifetime_cfg_t *lft;
@@ -837,6 +851,16 @@ CALLBACK(list_conns, vici_message_t*,
b->add_kv(b, "dpd_timeout", "%u", dpd_timeout);
}
+ ppk_id = peer_cfg->get_ppk_id(peer_cfg);
+ if (ppk_id)
+ {
+ b->add_kv(b, "ppk_id", "%Y", ppk_id);
+ }
+ if (peer_cfg->ppk_required(peer_cfg))
+ {
+ b->add_kv(b, "ppk_required", "yes");
+ }
+
build_auth_cfgs(peer_cfg, TRUE, b);
build_auth_cfgs(peer_cfg, FALSE, b);
@@ -861,7 +885,8 @@ CALLBACK(list_conns, vici_message_t*,
child_cfg->get_close_action(child_cfg));
b->begin_list(b, "local-ts");
- list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
+ list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL,
+ NULL, FALSE);
selectors = list->create_enumerator(list);
while (selectors->enumerate(selectors, &ts))
{
@@ -872,7 +897,8 @@ CALLBACK(list_conns, vici_message_t*,
b->end_list(b /* local-ts */);
b->begin_list(b, "remote-ts");
- list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
+ list = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL,
+ NULL, FALSE);
selectors = list->create_enumerator(list);
while (selectors->enumerate(selectors, &ts))
{