14 files changed, 503 insertions, 106 deletions
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 65cfe5292..a46b0d9a1 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -28,6 +28,7 @@ networking/host.c networking/host_resolver.c networking/packet.c \
 networking/tun_device.c \
 pen/pen.c plugins/plugin_loader.c plugins/plugin_feature.c processing/jobs/job.c \
 processing/jobs/callback_job.c processing/processor.c processing/scheduler.c \
+resolver/resolver_manager.c resolver/rr_set.c \
 selectors/traffic_selector.c threading/thread.c threading/thread_value.c \
 threading/mutex.c threading/semaphore.c threading/rwlock.c threading/spinlock.c \
 utils/utils.c utils/chunk.c utils/debug.c utils/enum.c utils/identification.c \
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index a718de3dc..a2ffe0295 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -999,14 +999,15 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 {
 	enumerator_t *enumerator;
 	auth_cfg_t *clone;
-	entry_t *entry;
+	auth_rule_t type;
+	void *value;
 
 	clone = auth_cfg_create();
 	/* this enumerator skips duplicates for rules we expect only once */
-	enumerator = this->entries->create_enumerator(this->entries);
-	while (enumerator->enumerate(enumerator, &entry))
+	enumerator = create_enumerator(this);
+	while (enumerator->enumerate(enumerator, &type, &value))
 	{
-		switch (entry->type)
+		switch (type)
 		{
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
@@ -1014,8 +1015,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_GROUP:
 			case AUTH_RULE_XAUTH_IDENTITY:
 			{
-				identification_t *id = (identification_t*)entry->value;
-				clone->add(clone, entry->type, id->clone(id));
+				identification_t *id = (identification_t*)value;
+				clone->add(clone, type, id->clone(id));
 				break;
 			}
 			case AUTH_RULE_CA_CERT:
@@ -1025,8 +1026,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_REVOCATION_CERT:
 			{
-				certificate_t *cert = (certificate_t*)entry->value;
-				clone->add(clone, entry->type, cert->get_ref(cert));
+				certificate_t *cert = (certificate_t*)value;
+				clone->add(clone, type, cert->get_ref(cert));
 				break;
 			}
 			case AUTH_RULE_XAUTH_BACKEND:
@@ -1034,7 +1035,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			{
-				clone->add(clone, entry->type, strdup(entry->value));
+				clone->add(clone, type, strdup(value));
 				break;
 			}
 			case AUTH_RULE_IDENTITY_LOOSE:
@@ -1046,7 +1047,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_RSA_STRENGTH:
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
-				clone->add(clone, entry->type, (uintptr_t)entry->value);
+				clone->add(clone, type, (uintptr_t)value);
 				break;
 			case AUTH_RULE_MAX:
 				break;
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 08b226468..12db0961b 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -451,7 +451,10 @@ METHOD(crypto_tester_t, test_aead, bool,
 failure:
 		aead->destroy(aead);
 		chunk_free(&cipher);
-		chunk_free(&plain);
+		if (plain.ptr != vector->plain)
+		{
+			chunk_free(&plain);
+		}
 		if (failed)
 		{
 			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
index d5e302f94..79ab31804 100644
--- a/src/libstrongswan/plugins/ccm/ccm_aead.h
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -42,8 +42,8 @@ struct ccm_aead_t {
 /**
  * Create a ccm_aead instance.
  *
- * @param key_size		key size in bytes
  * @param algo			algorithm to implement, a CCM mode
+ * @param key_size		key size in bytes
  * @return				aead, NULL if not supported
  */
 ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
index db4be2442..846c3c76c 100644
--- a/src/libstrongswan/plugins/gcm/gcm_aead.h
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -42,8 +42,8 @@ struct gcm_aead_t {
 /**
  * Create a gcm_aead instance.
  *
- * @param key_size		key size in bytes
  * @param algo			algorithm to implement, a gcm mode
+ * @param key_size		key size in bytes
  * @return				aead, NULL if not supported
  */
 gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index f971a5e08..e71567311 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -25,7 +25,8 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_crl.c openssl_crl.h \
 	openssl_pkcs7.c openssl_pkcs7.h \
 	openssl_rng.c openssl_rng.h \
-	openssl_hmac.c openssl_hmac.h
+	openssl_hmac.c openssl_hmac.h \
+	openssl_gcm.c openssl_gcm.h
 
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD  = -lcrypto
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c
new file mode 100644
index 000000000..fde7ae71d
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "openssl_gcm.h"
+
+#include <openssl/evp.h>
+
+/** as defined in RFC 4106 */
+#define IV_LEN		8
+#define SALT_LEN	4
+#define NONCE_LEN	(IV_LEN + SALT_LEN)
+
+typedef struct private_aead_t private_aead_t;
+
+/**
+ * Private data of aead_t
+ */
+struct private_aead_t {
+
+	/**
+	 * Public interface
+	 */
+	aead_t public;
+
+	/**
+	 * The encryption key
+	 */
+	chunk_t	key;
+
+	/**
+	 * Salt value
+	 */
+	char salt[SALT_LEN];
+
+	/**
+	 * Size of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * The cipher to use
+	 */
+	const EVP_CIPHER *cipher;
+};
+
+/**
+ * Do the actual en/decryption in an EVP context
+ */
+static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
+				  u_char *out, int enc)
+{
+	EVP_CIPHER_CTX ctx;
+	u_char nonce[NONCE_LEN];
+	bool success = FALSE;
+	int len;
+
+	memcpy(nonce, this->salt, SALT_LEN);
+	memcpy(nonce + SALT_LEN, iv.ptr, IV_LEN);
+
+	EVP_CIPHER_CTX_init(&ctx);
+	EVP_CIPHER_CTX_set_padding(&ctx, 0);
+	if (!EVP_CipherInit_ex(&ctx, this->cipher, NULL, NULL, NULL, enc) ||
+		!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, NONCE_LEN, NULL) ||
+		!EVP_CipherInit_ex(&ctx, NULL, NULL, this->key.ptr, nonce, enc))
+	{
+		goto done;
+	}
+	if (!enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, this->icv_size,
+									 data.ptr + data.len))
+	{	/* set ICV for verification on decryption */
+		goto done;
+	}
+	if (assoc.len && !EVP_CipherUpdate(&ctx, NULL, &len, assoc.ptr, assoc.len))
+	{	/* set AAD if specified */
+		goto done;
+	}
+	if (!EVP_CipherUpdate(&ctx, out, &len, data.ptr, data.len) ||
+		!EVP_CipherFinal_ex(&ctx, out + len, &len))
+	{	/* EVP_CipherFinal_ex fails if ICV is incorrect on decryption */
+		goto done;
+	}
+	if (enc && !EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, this->icv_size,
+									out + data.len))
+	{	/* copy back the ICV when encrypting */
+		goto done;
+	}
+	success = TRUE;
+
+done:
+	EVP_CIPHER_CTX_cleanup(&ctx);
+	return success;
+}
+
+METHOD(aead_t, encrypt, bool,
+	private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	u_char *out;
+
+	out = plain.ptr;
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		out = encrypted->ptr;
+	}
+	return crypt(this, plain, assoc, iv, out, 1);
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	u_char *out;
+
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+	encrypted.len -= this->icv_size;
+
+	out = encrypted.ptr;
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		out = plain->ptr;
+	}
+	return crypt(this, encrypted, assoc, iv, out, 0);
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_aead_t *this)
+{
+	return this->cipher->block_size;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_aead_t *this)
+{
+	return IV_LEN;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_aead_t *this)
+{
+	return this->key.len + SALT_LEN;
+}
+
+METHOD(aead_t, set_key, bool,
+	private_aead_t *this, chunk_t key)
+{
+	if (key.len != get_key_size(this))
+	{
+		return FALSE;
+	}
+	memcpy(this->salt, key.ptr + key.len - SALT_LEN, SALT_LEN);
+	memcpy(this->key.ptr, key.ptr, this->key.len);
+	return TRUE;
+}
+
+METHOD(aead_t, destroy, void,
+	private_aead_t *this)
+{
+	chunk_clear(&this->key);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_block_size = _get_block_size,
+			.get_icv_size = _get_icv_size,
+			.get_iv_size = _get_iv_size,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+	);
+
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+			this->icv_size = 8;
+			break;
+		case ENCR_AES_GCM_ICV12:
+			this->icv_size = 12;
+			break;
+		case ENCR_AES_GCM_ICV16:
+			this->icv_size = 16;
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+			switch (key_size)
+			{
+				case 0:
+					key_size = 16;
+					/* FALL */
+				case 16:
+					this->cipher = EVP_get_cipherbyname("aes-128-gcm");
+					break;
+				case 24:
+					this->cipher = EVP_get_cipherbyname("aes-192-gcm");
+					break;
+				case 32:
+					this->cipher = EVP_get_cipherbyname("aes-256-gcm");
+					break;
+				default:
+					free(this);
+					return NULL;
+			}
+			break;
+		default:
+			free(this);
+			return NULL;
+	}
+
+	if (!this->cipher)
+	{
+		free(this);
+		return NULL;
+	}
+
+	this->key = chunk_alloc(key_size);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.h b/src/libstrongswan/plugins/openssl/openssl_gcm.h
new file mode 100644
index 000000000..12d2e8ab6
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_gcm.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2013 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Implements the aead_t interface using OpenSSL in GCM mode.
+ *
+ * @defgroup openssl_gcm openssl_gcm
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_GCM_H_
+#define OPENSSL_GCM_H_
+
+#include <crypto/aead.h>
+
+/**
+ * Constructor to create aead_t implementation.
+ *
+ * @param algo			algorithm to implement
+ * @param key_size		key size in bytes
+ * @return				aead_t object, NULL if not supported
+ */
+aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** OPENSSL_GCM_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
index ccc426235..9c3c4040c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs7.c
@@ -13,8 +13,10 @@
  * for more details.
  */
 
+#include <openssl/opensslv.h>
 #include <openssl/opensslconf.h>
 
+#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
 #ifndef OPENSSL_NO_CMS
 
 #include "openssl_pkcs7.h"
@@ -788,3 +790,4 @@ pkcs7_t *openssl_pkcs7_load(container_type_t type, va_list args)
 }
 
 #endif /* OPENSSL_NO_CMS */
+#endif /* OPENSSL_VERSION_NUMBER */
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index dd6a379d2..282fe2b1b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -43,6 +43,7 @@
 #include "openssl_pkcs7.h"
 #include "openssl_rng.h"
 #include "openssl_hmac.h"
+#include "openssl_gcm.h"
 
 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
 
@@ -304,6 +305,19 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
 #endif
 #endif /* OPENSSL_NO_HMAC */
+#ifndef OPENSSL_NO_AES
+		/* AES GCM */
+		PLUGIN_REGISTER(AEAD, openssl_gcm_create),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
+#endif /* OPENSSL_NO_AES */
 #ifndef OPENSSL_NO_DH
 		/* MODP DH groups */
 		PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
@@ -366,10 +380,12 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 		PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
 			PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
+#if OPENSSL_VERSION_NUMBER >= 0x0090807fL
 #ifndef OPENSSL_NO_CMS
 		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
 			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
 #endif /* OPENSSL_NO_CMS */
+#endif /* OPENSSL_VERSION_NUMBER */
 #ifndef OPENSSL_NO_ECDH
 		/* EC DH groups */
 		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
@@ -470,4 +486,3 @@ plugin_t *openssl_plugin_create()
 
 	return &this->public.plugin;
 }
-
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index 87e57095c..ff8285f8c 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -174,7 +174,24 @@ static u_int8_t calc_netbits(private_traffic_selector_t *this)
 /**
  * internal generic constructor
  */
-static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
+						ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * Check if TS contains "opaque" ports
+ */
+static bool is_opaque(private_traffic_selector_t *this)
+{
+	return this->from_port == 0xffff && this->to_port == 0;
+}
+
+/**
+ * Check if TS contains "any" ports
+ */
+static bool is_any(private_traffic_selector_t *this)
+{
+	return this->from_port == 0 && this->to_port == 0xffff;
+}
 
 /**
  * Described in header.
@@ -248,7 +265,7 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 
 	/* check if we have protocol and/or port selectors */
 	has_proto = this->protocol != 0;
-	has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
+	has_ports = !is_any(this);
 
 	if (!has_proto && !has_ports)
 	{
@@ -283,8 +300,9 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	{
 		if (this->from_port == this->to_port)
 		{
-			struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
+			struct servent *serv;
 
+			serv = getservbyport(htons(this->from_port), serv_proto);
 			if (serv)
 			{
 				written += print_in_hook(data, "%s", serv->s_name);
@@ -294,9 +312,14 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 				written += print_in_hook(data, "%d", this->from_port);
 			}
 		}
+		else if (is_opaque(this))
+		{
+			written += print_in_hook(data, "OPAQUE");
+		}
 		else
 		{
-			written += print_in_hook(data, "%d-%d", this->from_port, this->to_port);
+			written += print_in_hook(data, "%d-%d",
+									 this->from_port, this->to_port);
 		}
 	}
 
@@ -305,24 +328,55 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
 	return written;
 }
 
-/**
- * Implements traffic_selector_t.get_subset
- */
-static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
+METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 {
+	private_traffic_selector_t *other, *subset;
+	u_int16_t from_port, to_port;
+	u_char *from, *to;
+	u_int8_t protocol;
+	size_t size;
+
+	other = (private_traffic_selector_t*)other_public;
+
 	if (this->dynamic || other->dynamic)
 	{	/* no set_address() applied, TS has no subset */
 		return NULL;
 	}
-	if (this->type == other->type && (this->protocol == other->protocol ||
-								this->protocol == 0 || other->protocol == 0))
+
+	if (this->type != other->type)
+	{
+		return NULL;
+	}
+	switch (this->type)
+	{
+		case TS_IPV4_ADDR_RANGE:
+			size = sizeof(this->from4);
+			break;
+		case TS_IPV6_ADDR_RANGE:
+			size = sizeof(this->from6);
+			break;
+		default:
+			return NULL;
+	}
+
+	if (this->protocol != other->protocol &&
+		this->protocol != 0 && other->protocol != 0)
 	{
-		u_int16_t from_port, to_port;
-		u_char *from, *to;
-		u_int8_t protocol;
-		size_t size;
-		private_traffic_selector_t *new_ts;
+		return NULL;
+	}
+	/* select protocol, which is not zero */
+	protocol = max(this->protocol, other->protocol);
 
+	if ((is_opaque(this) && is_opaque(other)) ||
+		(is_opaque(this) && is_any(other)) ||
+		(is_opaque(other) && is_any(this)))
+	{
+		from_port = 0xffff;
+		to_port = 0;
+	}
+	else
+	{
 		/* calculate the maximum port range allowed for both */
 		from_port = max(this->from_port, other->from_port);
 		to_port = min(this->to_port, other->to_port);
@@ -330,60 +384,46 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
 		{
 			return NULL;
 		}
-		/* select protocol, which is not zero */
-		protocol = max(this->protocol, other->protocol);
-
-		switch (this->type)
-		{
-			case TS_IPV4_ADDR_RANGE:
-				size = sizeof(this->from4);
-				break;
-			case TS_IPV6_ADDR_RANGE:
-				size = sizeof(this->from6);
-				break;
-			default:
-				return NULL;
-		}
+	}
+	/* get higher from-address */
+	if (memcmp(this->from, other->from, size) > 0)
+	{
+		from = this->from;
+	}
+	else
+	{
+		from = other->from;
+	}
+	/* get lower to-address */
+	if (memcmp(this->to, other->to, size) > 0)
+	{
+		to = other->to;
+	}
+	else
+	{
+		to = this->to;
+	}
+	/* if "from" > "to", we don't have a match */
+	if (memcmp(from, to, size) > 0)
+	{
+		return NULL;
+	}
 
-		/* get higher from-address */
-		if (memcmp(this->from, other->from, size) > 0)
-		{
-			from = this->from;
-		}
-		else
-		{
-			from = other->from;
-		}
-		/* get lower to-address */
-		if (memcmp(this->to, other->to, size) > 0)
-		{
-			to = other->to;
-		}
-		else
-		{
-			to = this->to;
-		}
-		/* if "from" > "to", we don't have a match */
-		if (memcmp(from, to, size) > 0)
-		{
-			return NULL;
-		}
+	/* we have a match in protocol, port, and address: return it... */
+	subset = traffic_selector_create(protocol, this->type, from_port, to_port);
+	memcpy(subset->from, from, size);
+	memcpy(subset->to, to, size);
+	calc_netbits(subset);
 
-		/* we have a match in protocol, port, and address: return it... */
-		new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
-		memcpy(new_ts->from, from, size);
-		memcpy(new_ts->to, to, size);
-		calc_netbits(new_ts);
-		return &new_ts->public;
-	}
-	return NULL;
+	return &subset->public;
 }
 
-/**
- * Implements traffic_selector_t.equals
- */
-static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
+METHOD(traffic_selector_t, equals, bool,
+	private_traffic_selector_t *this, traffic_selector_t *other_public)
 {
+	private_traffic_selector_t *other;
+
+	other = (private_traffic_selector_t*)other_public;
 	if (this->type != other->type)
 	{
 		return FALSE;
@@ -535,11 +575,8 @@ METHOD(traffic_selector_t, set_address, void,
 	}
 }
 
-/**
- * Implements traffic_selector_t.is_contained_in.
- */
-static bool is_contained_in(private_traffic_selector_t *this,
-							private_traffic_selector_t *other)
+METHOD(traffic_selector_t, is_contained_in, bool,
+	private_traffic_selector_t *this, traffic_selector_t *other)
 {
 	private_traffic_selector_t *subset;
 	bool contained_in = FALSE;
@@ -548,7 +585,7 @@ static bool is_contained_in(private_traffic_selector_t *this,
 
 	if (subset)
 	{
-		if (equals(subset, this))
+		if (equals(subset, &this->public))
 		{
 			contained_in = TRUE;
 		}
@@ -739,12 +776,13 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  * see header
  */
 traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
-							u_int8_t netbits, u_int8_t protocol, u_int16_t port)
+							u_int8_t netbits, u_int8_t protocol,
+							u_int16_t from_port, u_int16_t to_port)
 {
 	private_traffic_selector_t *this;
 	chunk_t from;
 
-	this = traffic_selector_create(protocol, 0, 0, 65535);
+	this = traffic_selector_create(protocol, 0, from_port, to_port);
 
 	switch (net->get_family(net))
 	{
@@ -763,11 +801,6 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
 	memcpy(this->from, from.ptr, from.len);
 	netbits = min(netbits, this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
 	calc_range(this, netbits);
-	if (port)
-	{
-		this->from_port = port;
-		this->to_port = port;
-	}
 	net->destroy(net);
 
 	return &this->public;
@@ -818,8 +851,9 @@ traffic_selector_t *traffic_selector_create_from_string(
 /*
  * see header
  */
-traffic_selector_t *traffic_selector_create_from_cidr(char *string,
-									u_int8_t protocol, u_int16_t port)
+traffic_selector_t *traffic_selector_create_from_cidr(
+										char *string, u_int8_t protocol,
+										u_int16_t from_port, u_int16_t to_port)
 {
 	host_t *net;
 	int bits;
@@ -827,7 +861,8 @@ traffic_selector_t *traffic_selector_create_from_cidr(char *string,
 	net = host_create_from_subnet(string, &bits);
 	if (net)
 	{
-		return traffic_selector_create_from_subnet(net, bits, protocol, port);
+		return traffic_selector_create_from_subnet(net, bits, protocol,
+												   from_port, to_port);
 	}
 	return NULL;
 }
@@ -859,8 +894,8 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 
 	INIT(this,
 		.public = {
-			.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset,
-			.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals,
+			.get_subset = _get_subset,
+			.equals = _equals,
 			.get_from_address = _get_from_address,
 			.get_to_address = _get_to_address,
 			.get_from_port = _get_from_port,
@@ -869,7 +904,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 			.get_protocol = _get_protocol,
 			.is_host = _is_host,
 			.is_dynamic = _is_dynamic,
-			.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in,
+			.is_contained_in = _is_contained_in,
 			.includes = _includes,
 			.set_address = _set_address,
 			.to_subnet = _to_subnet,
@@ -884,4 +919,3 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
 
 	return this;
 }
-
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index b6da391aa..0de358b99 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -238,11 +238,13 @@ traffic_selector_t *traffic_selector_create_from_string(
  *
  * @param string		CIDR string, such as 10.1.0.0/16
  * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			single port for this TS, 0 for any port
+ * @param from_port		start of allowed port range
+ * @param to_port		end of port range
  * @return				traffic selector, NULL if string invalid
  */
-traffic_selector_t *traffic_selector_create_from_cidr(char *string,
-									u_int8_t protocol, u_int16_t port);
+traffic_selector_t *traffic_selector_create_from_cidr(
+										char *string, u_int8_t protocol,
+										u_int16_t from_port, u_int16_t to_port);
 
 /**
  * Create a new traffic selector using data read from the net.
@@ -288,14 +290,15 @@ traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
  * @param net			subnet to use
  * @param netbits		size of the subnet, as used in e.g. 192.168.0.0/24 notation
  * @param protocol		protocol for this ts, such as TCP or UDP
- * @param port			port number, host order
+ * @param from_port		start of allowed port range
+ * @param to_port		end of port range
  * @return
  *						- traffic_selector_t object
  *						- NULL if address family of net not supported
  */
 traffic_selector_t *traffic_selector_create_from_subnet(
-									host_t *net, u_int8_t netbits,
-									u_int8_t protocol, u_int16_t port);
+							host_t *net, u_int8_t netbits, u_int8_t protocol,
+							u_int16_t from_port, u_int16_t to_port);
 
 /**
  * Create a traffic selector for host-to-host cases.
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index e524409c7..d6d98d1ef 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -129,7 +129,11 @@ static thread_value_t *current_thread;
 
 #ifndef HAVE_PTHREAD_CANCEL
 /* if pthread_cancel is not available, we emulate it using a signal */
+#ifdef ANDROID
+#define SIG_CANCEL SIGUSR2
+#else
 #define SIG_CANCEL (SIGRTMIN+7)
+#endif
 
 /* the signal handler for SIG_CANCEL uses pthread_exit to terminate the
  * "cancelled" thread */
diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c
index c36a76efe..44a14496c 100644
--- a/src/libstrongswan/utils/capabilities.c
+++ b/src/libstrongswan/utils/capabilities.c
@@ -29,7 +29,9 @@
 
 #include <utils/debug.h>
 
-#if !defined(HAVE_GETPWNAM_R) || !defined(HAVE_GETGRNAM_R)
+#if !defined(HAVE_GETPWNAM_R) || \
+    !defined(HAVE_GETGRNAM_R) || \
+    !defined(HAVE_GETPWUID_R)
 # include <threading/mutex.h>
 # define EMULATE_R_FUNCS
 #endif
@@ -188,6 +190,34 @@ METHOD(capabilities_t, resolve_gid, bool,
 	return FALSE;
 }
 
+/**
+ * Initialize supplementary groups for unprivileged user
+ */
+static bool init_supplementary_groups(private_capabilities_t *this)
+{
+	struct passwd *pwp;
+	int res = -1;
+
+#ifdef HAVE_GETPWUID_R
+	struct passwd pwd;
+	char buf[1024];
+
+	if (getpwuid_r(this->uid, &pwd, buf, sizeof(buf), &pwp) == 0 && pwp)
+	{
+		res = initgroups(pwp->pw_name, this->gid);
+	}
+#else /* HAVE_GETPWUID_R */
+	this->mutex->lock(this->mutex);
+	pwp = getpwuid(this->uid);
+	if (pwp)
+	{
+		res = initgroups(pwp->pw_name, this->gid);
+	}
+	this->mutex->unlock(this->mutex);
+#endif /* HAVE_GETPWUID_R */
+	return res == 0;
+}
+
 METHOD(capabilities_t, drop, bool,
 	private_capabilities_t *this)
 {
@@ -195,6 +225,12 @@ METHOD(capabilities_t, drop, bool,
 	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
 #endif
 
+	if (!init_supplementary_groups(this))
+	{
+		DBG1(DBG_LIB, "initializing supplementary groups for %u failed",
+			 this->uid);
+		return FALSE;
+	}
 	if (this->gid && setgid(this->gid) != 0)
 	{
 		DBG1(DBG_LIB, "change to unprivileged group %u failed: %s",