7 files changed, 137 insertions, 55 deletions

diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c
index 2a97205bb..330528885 100644
--- a/src/libstrongswan/plugins/plugin_feature.c
+++ b/src/libstrongswan/plugins/plugin_feature.c
@@ -40,6 +40,8 @@ ENUM(plugin_feature_names, FEATURE_NONE, FEATURE_CUSTOM,
 	"CERT_ENCODE",
 	"EAP_SERVER",
 	"EAP_CLIENT",
+	"XAUTH_SERVER",
+	"XAUTH_CLIENT",
 	"DATABASE",
 	"FETCHER",
 	"CUSTOM",
@@ -96,6 +98,9 @@ bool plugin_feature_matches(plugin_feature_t *a, plugin_feature_t *b)
 					   streq(a->arg.fetcher, b->arg.fetcher);
 			case FEATURE_CUSTOM:
 				return streq(a->arg.custom, b->arg.custom);
+			case FEATURE_XAUTH_SERVER:
+			case FEATURE_XAUTH_PEER:
+				return streq(a->arg.xauth, b->arg.xauth);
 		}
 	}
 	return FALSE;
@@ -229,6 +234,14 @@ char* plugin_feature_get_string(plugin_feature_t *feature)
 				return str;
 			}
 			break;
+		case FEATURE_XAUTH_SERVER:
+		case FEATURE_XAUTH_PEER:
+			if (asprintf(&str, "%N:%s", plugin_feature_names, feature->type,
+					feature->arg.xauth) > 0)
+			{
+				return str;
+			}
+			break;
 	}
 	if (!str)
 	{
diff --git a/src/libstrongswan/plugins/plugin_feature.h b/src/libstrongswan/plugins/plugin_feature.h
index b1500feba..344d1943d 100644
--- a/src/libstrongswan/plugins/plugin_feature.h
+++ b/src/libstrongswan/plugins/plugin_feature.h
@@ -129,6 +129,10 @@ struct plugin_feature_t {
 		FEATURE_EAP_SERVER,
 		/** EAP peer implementation */
 		FEATURE_EAP_PEER,
+		/** XAuth server implementation */
+		FEATURE_XAUTH_SERVER,
+		/** XAuth peer implementation */
+		FEATURE_XAUTH_PEER,
 		/** database_t */
 		FEATURE_DATABASE,
 		/** fetcher_t */
@@ -182,6 +186,8 @@ struct plugin_feature_t {
 		char *fetcher;
 		/** FEATURE_CUSTOM */
 		char *custom;
+		/** FEATURE_XAUTH_SERVER/CLIENT */
+		char *xauth;
 
 		/** FEATURE_REGISTER */
 		struct {
@@ -266,6 +272,8 @@ struct plugin_feature_t {
 #define _PLUGIN_FEATURE_DATABASE(kind, type)				__PLUGIN_FEATURE(kind, DATABASE, .database = type)
 #define _PLUGIN_FEATURE_FETCHER(kind, type)					__PLUGIN_FEATURE(kind, FETCHER, .fetcher = type)
 #define _PLUGIN_FEATURE_CUSTOM(kind, name)					__PLUGIN_FEATURE(kind, CUSTOM, .custom = name)
+#define _PLUGIN_FEATURE_XAUTH_SERVER(kind, name)			__PLUGIN_FEATURE(kind, XAUTH_SERVER, .xauth = name)
+#define _PLUGIN_FEATURE_XAUTH_PEER(kind, name)				__PLUGIN_FEATURE(kind, XAUTH_PEER, .xauth = name)
 
 #define __PLUGIN_FEATURE_REGISTER(type, _f)					(plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg.f = _f }
 #define __PLUGIN_FEATURE_REGISTER_BUILDER(type, _f, _final)	(plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg = {.f = _f, .final = _final, }}
diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c
index 7f81e2622..418eeae28 100644
--- a/src/libstrongswan/plugins/random/random_plugin.c
+++ b/src/libstrongswan/plugins/random/random_plugin.c
@@ -15,9 +15,24 @@
 
 #include "random_plugin.h"
 
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
 #include <library.h>
+#include <debug.h>
 #include "random_rng.h"
 
+#ifndef DEV_RANDOM
+# define DEV_RANDOM "/dev/random"
+#endif
+
+#ifndef DEV_URANDOM
+# define DEV_URANDOM "/dev/urandom"
+#endif
+
 typedef struct private_random_plugin_t private_random_plugin_t;
 
 /**
@@ -31,6 +46,41 @@ struct private_random_plugin_t {
 	random_plugin_t public;
 };
 
+/** /dev/random file descriptor */
+static int dev_random = -1;
+/** /dev/urandom file descriptor */
+static int dev_urandom = -1;
+
+/**
+ * See header.
+ */
+int random_plugin_get_dev_random()
+{
+	return dev_random;
+}
+
+/**
+ * See header.
+ */
+int random_plugin_get_dev_urandom()
+{
+	return dev_urandom;
+}
+
+/**
+ * Open a random device file
+ */
+static bool open_dev(char *file, int *fd)
+{
+	*fd = open(file, O_RDONLY);
+	if (*fd == -1)
+	{
+		DBG1(DBG_LIB, "opening \"%s\" failed: %s", file, strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
 METHOD(plugin_t, get_name, char*,
 	private_random_plugin_t *this)
 {
@@ -52,6 +102,14 @@ METHOD(plugin_t, get_features, int,
 METHOD(plugin_t, destroy, void,
 	private_random_plugin_t *this)
 {
+	if (dev_random != -1)
+	{
+		close(dev_random);
+	}
+	if (dev_urandom != -1)
+	{
+		close(dev_urandom);
+	}
 	free(this);
 }
 
@@ -72,6 +130,13 @@ plugin_t *random_plugin_create()
 		},
 	);
 
+	if (!open_dev(DEV_URANDOM, &dev_urandom) ||
+		!open_dev(DEV_RANDOM, &dev_random))
+	{
+		destroy(this);
+		return NULL;
+	}
+
 	return &this->public.plugin;
 }
 
diff --git a/src/libstrongswan/plugins/random/random_plugin.h b/src/libstrongswan/plugins/random/random_plugin.h
index 7e22c3e5f..c34fa8196 100644
--- a/src/libstrongswan/plugins/random/random_plugin.h
+++ b/src/libstrongswan/plugins/random/random_plugin.h
@@ -39,4 +39,14 @@ struct random_plugin_t {
 	plugin_t plugin;
 };
 
+/**
+ * Get the /dev/random file descriptor
+ */
+int random_plugin_get_dev_random();
+
+/**
+ * Get the /dev/urandom file descriptor
+ */
+int random_plugin_get_dev_urandom();
+
 #endif /** RANDOM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c
index 1d99a63d5..42eddbb09 100644
--- a/src/libstrongswan/plugins/random/random_rng.c
+++ b/src/libstrongswan/plugins/random/random_rng.c
@@ -15,22 +15,12 @@
  */
 
 #include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
 #include <debug.h>
 
 #include "random_rng.h"
-
-#ifndef DEV_RANDOM
-# define DEV_RANDOM "/dev/random"
-#endif
-
-#ifndef DEV_URANDOM
-# define DEV_URANDOM "/dev/urandom"
-#endif
+#include "random_plugin.h"
 
 typedef struct private_random_rng_t private_random_rng_t;
 
@@ -47,12 +37,7 @@ struct private_random_rng_t {
 	/**
 	 * random device, depends on quality
 	 */
-	int dev;
-
-	/**
-	 * file we read random bytes from
-	 */
-	char *file;
+	int fd;
 };
 
 METHOD(rng_t, get_bytes, void,
@@ -65,14 +50,12 @@ METHOD(rng_t, get_bytes, void,
 
 	while (done < bytes)
 	{
-		got = read(this->dev, buffer + done, bytes - done);
+		got = read(this->fd, buffer + done, bytes - done);
 		if (got <= 0)
 		{
-			DBG1(DBG_LIB, "reading from \"%s\" failed: %s, retrying...",
-				 this->file, strerror(errno));
-			close(this->dev);
+			DBG1(DBG_LIB, "reading from random FD %d failed: %s, retrying...",
+				 this->fd, strerror(errno));
 			sleep(1);
-			this->dev = open(this->file, 0);
 		}
 		done += got;
 	}
@@ -88,7 +71,6 @@ METHOD(rng_t, allocate_bytes, void,
 METHOD(rng_t, destroy, void,
 	private_random_rng_t *this)
 {
-	close(this->dev);
 	free(this);
 }
 
@@ -109,22 +91,18 @@ random_rng_t *random_rng_create(rng_quality_t quality)
 		},
 	);
 
-	if (quality == RNG_TRUE)
+	switch (quality)
 	{
-		this->file = DEV_RANDOM;
-	}
-	else
-	{
-		this->file = DEV_URANDOM;
+		case RNG_TRUE:
+			this->fd = random_plugin_get_dev_random();
+			break;
+		case RNG_STRONG:
+		case RNG_WEAK:
+		default:
+			this->fd = random_plugin_get_dev_urandom();
+			break;
 	}
 
-	this->dev = open(this->file, 0);
-	if (this->dev < 0)
-	{
-		DBG1(DBG_LIB, "opening \"%s\" failed: %s", this->file, strerror(errno));
-		free(this);
-		return NULL;
-	}
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 34f347d1a..ff3ef14d8 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -103,7 +103,7 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth)
 	bool verified = FALSE;
 
 	wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response);
-	lib->credmgr->add_local_set(lib->credmgr, &wrapper->set);
+	lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
 
 	subject = &response->certificate;
 	responder = subject->get_issuer(subject);
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index b7aee2e94..59f490025 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -752,6 +752,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
 				case OID_CLIENT_AUTH:
 					this->flags |= X509_CLIENT_AUTH;
 					break;
+				case OID_IKE_INTERMEDIATE:
+					this->flags |= X509_IKE_INTERMEDIATE;
+					break;
 				case OID_OCSP_SIGNING:
 					this->flags |= X509_OCSP_SIGNER;
 					break;
@@ -1105,19 +1108,19 @@ static void parse_policyConstraints(chunk_t blob, int level0,
  * ASN.1 definition of ipAddrBlocks according to RFC 3779
  */
 static const asn1Object_t ipAddrBlocksObjects[] = {
-	{ 0, "ipAddrBlocks",	        ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
+	{ 0, "ipAddrBlocks",			ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
 	{ 1,   "ipAddressFamily",		ASN1_SEQUENCE,		ASN1_NONE			}, /*  1 */
-	{ 2,     "addressFamily",	    ASN1_OCTET_STRING,	ASN1_BODY			}, /*  2 */
-	{ 2,     "inherit",             ASN1_NULL,          ASN1_OPT|ASN1_NONE  }, /*  3 */
-	{ 2,     "end choice",          ASN1_EOC,           ASN1_END            }, /*  4 */
-	{ 2,     "addressesOrRanges",	ASN1_SEQUENCE,	    ASN1_OPT|ASN1_LOOP	}, /*  5 */
-	{ 3,       "addressPrefix",	    ASN1_BIT_STRING,	ASN1_OPT|ASN1_BODY  }, /*  6 */
-	{ 3,       "end choice",        ASN1_EOC,           ASN1_END            }, /*  7 */
-	{ 3,       "addressRange",      ASN1_SEQUENCE,      ASN1_OPT|ASN1_NONE  }, /*  8 */
-	{ 4,         "min",             ASN1_BIT_STRING,    ASN1_BODY           }, /*  9 */
-	{ 4,         "max",             ASN1_BIT_STRING,    ASN1_BODY           }, /* 10 */
-	{ 3,       "end choice",        ASN1_EOC,           ASN1_END            }, /* 11 */
-	{ 2,     "end opt/loop",        ASN1_EOC,           ASN1_END            }, /* 12 */
+	{ 2,     "addressFamily",		ASN1_OCTET_STRING,	ASN1_BODY			}, /*  2 */
+	{ 2,     "inherit",				ASN1_NULL,			ASN1_OPT|ASN1_NONE	}, /*  3 */
+	{ 2,     "end choice",			ASN1_EOC,			ASN1_END			}, /*  4 */
+	{ 2,     "addressesOrRanges",	ASN1_SEQUENCE,		ASN1_OPT|ASN1_LOOP	}, /*  5 */
+	{ 3,       "addressPrefix",		ASN1_BIT_STRING,	ASN1_OPT|ASN1_BODY  }, /*  6 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  7 */
+	{ 3,       "addressRange",		ASN1_SEQUENCE,		ASN1_OPT|ASN1_NONE	}, /*  8 */
+	{ 4,         "min",				ASN1_BIT_STRING,	ASN1_BODY			}, /*  9 */
+	{ 4,         "max",				ASN1_BIT_STRING,	ASN1_BODY			}, /* 10 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /* 11 */
+	{ 2,     "end opt/loop",		ASN1_EOC,			ASN1_END			}, /* 12 */
 	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /* 13 */
 	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
 };
@@ -1994,6 +1997,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 	chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
+	chunk_t ikeIntermediate = chunk_empty;
 	identification_t *issuer, *subject;
 	chunk_t key_info;
 	signature_scheme_t scheme;
@@ -2107,7 +2111,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 							asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
 	}
 
-	/* add serverAuth extendedKeyUsage flag */
+	/* add extendedKeyUsage flags */
 	if (cert->flags & X509_SERVER_AUTH)
 	{
 		serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
@@ -2116,20 +2120,24 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	{
 		clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
 	}
-
-	/* add ocspSigning extendedKeyUsage flag */
+	if (cert->flags & X509_IKE_INTERMEDIATE)
+	{
+		ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE);
+	}
 	if (cert->flags & X509_OCSP_SIGNER)
 	{
 		ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
 	}
 
-	if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
+	if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
+		ocspSigning.ptr)
 	{
 		extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
 								asn1_wrap(ASN1_OCTET_STRING, "m",
-									asn1_wrap(ASN1_SEQUENCE, "mmm",
-										serverAuth, clientAuth, ocspSigning)));
+									asn1_wrap(ASN1_SEQUENCE, "mmmm",
+										serverAuth, clientAuth, ikeIntermediate,
+										ocspSigning)));
 	}
 
 	/* add subjectKeyIdentifier to CA and OCSP signer certificates */