Updated entity name in copyright statements

This is needed, because the standard mandates that the remote entity
must be configured as ims (mimicking the APN setting I think), but on
the other hand the ePDG will identify itself with its FQDN in the end. I
tested this and this is currently the only way to do it with strongswan
I think, because you cannot configure different identities.

NEWS

@@ -2743,7 +2743,7 @@ strongswan-4.1.5
 strongswan-4.1.4
 ----------------
 
-- The pluto IKEv1 daemon now exhibits the same behaviour as its
+- The pluto IKEv1 daemon now exhibits the same behavior as its
   IKEv2 companion charon by inserting an explicit route via the
   _updown script only if a sourceip exists. This is admissible
   since routing through the IPsec tunnel is handled automatically

README.md

@@ -1,4 +1,4 @@
-# strongSwan Configuration #
+## Patched version, containing patch to disable parsing of AUTH payload in IKEv2 Phase2, because we only want EAP-AKA ##
 
 ## Overview ##
 

configure.ac

@@ -3,6 +3,8 @@
 # Copyright (C) 2006-2019 Andreas Steffen
 # Copyright (C) 2006-2014 Martin Willi
 # HSR Hochschule fuer Technik Rapperswil
+# Copyright (C) 2017 Domonkos P. Tomcsanyi
+# umlaut Communications Gmbh.
 #
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
@@ -19,7 +21,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.9.3dr4])
+AC_INIT([strongSwan],[5.9.3])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -199,7 +201,8 @@ ARG_ENABL_SET([eap-sim-pcsc],   [enable EAP-SIM backend based on a smartcard rea
 ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
 ARG_ENABL_SET([eap-aka-3gpp],   [enable EAP AKA backend implementing 3GPP MILENAGE algorithms in software.])
 ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
-ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
+ARG_ENABL_SET([eap-simaka-pcsc],   [enable EAP-SIM/AKA backend based on a smartcard reader. Requires libpcsclite.])
+ARG_ENABL_SET([eap-simaka-sql],    [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
 ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
 ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
 ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
@@ -1203,6 +1206,12 @@ if test x$eap_sim_pcsc = xtrue; then
 	AC_SUBST(pcsclite_LIBS)
 fi
 
+if test x$eap_simaka_pcsc = xtrue; then
+	PKG_CHECK_MODULES(pcsclite, [libpcsclite])
+	AC_SUBST(pcsclite_CFLAGS)
+	AC_SUBST(pcsclite_LIBS)
+fi
+
 if test x$nm = xtrue; then
 	PKG_CHECK_MODULES(nm, [gthread-2.0 libnm])
 	AC_SUBST(nm_CFLAGS)
@@ -1533,6 +1542,7 @@ ADD_PLUGIN([eap-sim-pcsc],         [c charon])
 ADD_PLUGIN([eap-aka],              [c charon])
 ADD_PLUGIN([eap-aka-3gpp],         [c charon])
 ADD_PLUGIN([eap-aka-3gpp2],        [c charon])
+ADD_PLUGIN([eap-simaka-pcsc],      [c charon])
 ADD_PLUGIN([eap-simaka-sql],       [c charon])
 ADD_PLUGIN([eap-simaka-pseudonym], [c charon])
 ADD_PLUGIN([eap-simaka-reauth],    [c charon])
@@ -1704,6 +1714,7 @@ AM_CONDITIONAL(USE_RADATTR, test x$radattr = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM_PCSC, test x$eap_sim_pcsc = xtrue)
+AM_CONDITIONAL(USE_EAP_SIMAKA_PCSC, test x$eap_simaka_pcsc = xtrue)
 AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
 AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue)
 AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue)
@@ -1996,6 +2007,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/eap_sim/Makefile
 	src/libcharon/plugins/eap_sim_file/Makefile
 	src/libcharon/plugins/eap_sim_pcsc/Makefile
+	src/libcharon/plugins/eap_simaka_pcsc/Makefile
 	src/libcharon/plugins/eap_simaka_sql/Makefile
 	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
 	src/libcharon/plugins/eap_simaka_reauth/Makefile

scripts/test.sh

@@ -37,7 +37,7 @@ build_botan()
 
 build_wolfssl()
 {
-	WOLFSSL_REV=v4.7.0-stable
+	WOLFSSL_REV=0caf3ba456f1 # v4.7.1r + SHA-3 fix
 	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
 
 	if test -d "$WOLFSSL_DIR"; then
@@ -46,14 +46,15 @@ build_wolfssl()
 
 	echo "$ build_wolfssl()"
 
-	WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_ECC_BRAINPOOL"
+	WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB \
+					-DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8"
 	WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
 					--disable-crypttests --disable-examples
-					--enable-keygen --enable-rsapss --enable-aesccm
-					--enable-aesctr --enable-des3 --enable-camellia
-					--enable-curve25519 --enable-ed25519
-					--enable-curve448 --enable-ed448
-					--enable-sha3 --enable-shake256 --enable-ecccustcurves"
+					--enable-aesccm --enable-aesctr --enable-camellia
+					--enable-curve25519 --enable-curve448 --enable-des3
+					--enable-ecccustcurves --enable-ed25519 --enable-ed448
+					--enable-keygen --enable-md4 --enable-rsapss --enable-sha3
+					--enable-shake256"
 
 	git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
 	cd $WOLFSSL_DIR &&

src/frontends/android/app/src/main/java/org/strongswan/android/logic/SimpleFetcher.java

@@ -118,7 +118,7 @@ public class SimpleFetcher
 	/**
 	 * Disable the fetcher and abort any future requests.
 	 *
-	 * The native thread is not cancelable as it is working on an IKE_SA (cancelling the methods of
+	 * The native thread is not cancelable as it is working on an IKE_SA (canceling the methods of
 	 * HttpURLConnection is not reliably possible anyway), so to abort while fetching we cancel the
 	 * Future (causing a return from fetch() immediately) and let the executor thread continue its
 	 * thing in the background.

src/frontends/android/gradlew.bat

@@ -46,7 +46,7 @@ echo location of your Java installation.
 goto fail
 
 :init
-@rem Get command-line arguments, handling Windowz variants
+@rem Get command-line arguments, handling Windows variants
 
 if not "%OS%" == "Windows_NT" goto win9xME_args
 if "%@eval[2+2]" == "4" goto 4NT_args

src/frontends/osx/charon-xpc/xpc_channels.c

@@ -64,7 +64,7 @@ typedef struct {
 } entry_t;
 
 /**
- * Clean up an entry, cancelling connection
+ * Clean up an entry, canceling connection
  */
 static void destroy_entry(entry_t *entry)
 {

src/libcharon/Makefile.am

@@ -369,6 +369,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_EAP_SIMAKA_PCSC
+  SUBDIRS += plugins/eap_simaka_pcsc
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_simaka_pcsc/libstrongswan-eap-simaka-pcsc.la
+endif
+endif
+
 if USE_EAP_SIMAKA_REAUTH
   SUBDIRS += plugins/eap_simaka_reauth
 if MONOLITHIC

src/libcharon/network/socket_manager.c

@@ -66,7 +66,7 @@ METHOD(socket_manager_t, receiver, status_t,
 		this->lock->unlock(this->lock);
 		return NOT_SUPPORTED;
 	}
-	/* receive is blocking and the thread can be cancelled */
+	/* receive is blocking and the thread can be canceled */
 	thread_cleanup_push((thread_cleanup_t)this->lock->unlock, this->lock);
 	status = this->socket->receive(this->socket, packet);
 	thread_cleanup_pop(TRUE);

src/libcharon/plugins/eap_aka_3gpp/eap_aka_3gpp_plugin.h

@@ -63,8 +63,8 @@ typedef struct eap_aka_3gpp_plugin_t eap_aka_3gpp_plugin_t;
  * SQN with its own locally stored value. This potentially allows an attacker
  * to do replay attacks. But since the server has proven his identity via IKE,
  * such an attack is only possible between server and AAA (if any).
- * Note that SEQ_CHECK only controls the compile-time default behaviour,
- * but the run-time behaviour can always be controlled by setting the
+ * Note that SEQ_CHECK only controls the compile-time default behavior,
+ * but the run-time behavior can always be controlled by setting the
  * charon.plugins.eap-aka-3gpp.seq_check config variable.
  */
 struct eap_aka_3gpp_plugin_t {

src/libcharon/plugins/eap_simaka_pcsc/Makefile.am

@@ -0,0 +1,23 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libsimaka
+
+AM_CFLAGS = \
+        ${pcsclite_CFLAGS} \
+	$(PLUGIN_CFLAGS)
+
+libstrongswan_eap_simaka_pcsc_la_LIBADD  = ${pcsclite_LIBS}
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-simaka-pcsc.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-simaka-pcsc.la
+libstrongswan_eap_simaka_pcsc_la_LIBADD += $(top_builddir)/src/libsimaka/libsimaka.la
+endif
+
+libstrongswan_eap_simaka_pcsc_la_SOURCES = \
+	eap_simaka_pcsc_plugin.h eap_simaka_pcsc_plugin.c \
+	eap_simaka_pcsc_card.h eap_simaka_pcsc_card.c
+
+libstrongswan_eap_simaka_pcsc_la_LDFLAGS = -module -avoid-version

src/libcharon/plugins/eap_simaka_pcsc/eap_simaka_pcsc_card.c

@@ -0,0 +1,828 @@
+/*
+ * Copyright (C) 2017 Domonkos P. Tomcsanyi
+ * umlaut Communications Gmbh.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include "eap_simaka_pcsc_card.h"
+#include <PCSC/wintypes.h>
+#include <PCSC/winscard.h>
+#include <daemon.h>
+#include <string.h>
+
+typedef struct private_eap_simaka_pcsc_card_t private_eap_simaka_pcsc_card_t;
+
+/**
+ * Private data of an eap_simaka_pcsc_card_t object.
+ */
+struct private_eap_simaka_pcsc_card_t {
+
+	/**
+	 * Public eap_simaka_pcsc_card_t interface.
+	 */
+	eap_simaka_pcsc_card_t public;
+};
+
+/**
+ * Maximum length for an IMSI.
+ */
+#define SIM_IMSI_MAX_LEN 15
+
+/**
+ * Length of the status at the end of response APDUs.
+ */
+#define APDU_STATUS_LEN 2
+
+/**
+ * First byte of status word indicating success.
+ */
+#define APDU_SW1_SUCCESS 0x90
+
+/**
+ * First byte of status word indicating there is response data to be read.
+ */
+#define APDU_SW1_RESPONSE_DATA 0x9f
+
+/*
+ * Communication status
+ */
+#define ERROR_NONE 0
+#define ERROR_SCARD 1
+#define ERROR_CARD_ERROR 2
+
+/**
+ * Decode IMSI EF (Elementary File) into an ASCII string
+ */
+static bool decode_imsi_ef(unsigned char *input, int input_len, char *output)
+{
+	/* Only digits 0-9 valid in IMSIs */
+	static const char bcd_num_digits[] = {
+		'0', '1', '2', '3', '4', '5', '6', '7',
+		'8', '9', '\0', '\0', '\0', '\0', '\0', '\0'
+	};
+	int i;
+
+	/* Check length byte matches how many bytes we have, and that input
+	 * is correct length for an IMSI */
+	if (input[0] != input_len-1 || input_len < 2 || input_len > 9)
+	{
+		return FALSE;
+	}
+
+	/* Check type byte is IMSI (bottom 3 bits == 001) */
+	if ((input[1] & 0x07) != 0x01)
+	{
+		return FALSE;
+	}
+	*output++ = bcd_num_digits[input[1] >> 4];
+
+	for (i = 2; i < input_len; i++)
+	{
+		*output++ = bcd_num_digits[input[i] & 0xf];
+		*output++ = bcd_num_digits[input[i] >> 4];
+	}
+
+	*output++ = '\0';
+	return TRUE;
+}
+
+METHOD(simaka_card_t, get_triplet, bool,
+	private_eap_simaka_pcsc_card_t *this, identification_t *id,
+	char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN])
+{
+	status_t found = FALSE;
+	LONG rv;
+	SCARDCONTEXT hContext;
+	DWORD dwReaders;
+	LPSTR mszReaders;
+	char *cur_reader;
+	char full_nai[128];
+	SCARDHANDLE hCard;
+	enum { DISCONNECTED, CONNECTED, TRANSACTION } hCard_status = DISCONNECTED;
+
+	snprintf(full_nai, sizeof(full_nai), "%Y", id);
+
+	DBG2(DBG_IKE, "looking for triplet: %Y rand %b", id, rand, SIM_RAND_LEN);
+
+	rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);
+	if (rv != SCARD_S_SUCCESS)
+	{
+		DBG1(DBG_IKE, "SCardEstablishContext: %s", pcsc_stringify_error(rv));
+		return FALSE;
+	}
+
+	rv = SCardListReaders(hContext, NULL, NULL, &dwReaders);
+	if (rv != SCARD_S_SUCCESS)
+	{
+		DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
+		return FALSE;
+	}
+	mszReaders = malloc(sizeof(char)*dwReaders);
+
+	rv = SCardListReaders(hContext, NULL, mszReaders, &dwReaders);
+	if (rv != SCARD_S_SUCCESS)
+	{
+		DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
+		return FALSE;
+	}
+
+	/* mszReaders is a multi-string of readers, separated by '\0' and
+	 * terminated by an additional '\0' */
+	for (cur_reader = mszReaders; *cur_reader != '\0' && found == FALSE;
+		 cur_reader += strlen(cur_reader) + 1)
+	{
+		DWORD dwActiveProtocol = -1;
+		const SCARD_IO_REQUEST *pioSendPci;
+		SCARD_IO_REQUEST pioRecvPci;
+		BYTE pbRecvBuffer[64];
+		DWORD dwRecvLength;
+		char imsi[SIM_IMSI_MAX_LEN + 1];
+
+		/* See GSM 11.11 for SIM APDUs */
+		static const BYTE pbSelectMF[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x3f, 0x00 };
+		static const BYTE pbSelectDFGSM[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x7f, 0x20 };
+		static const BYTE pbSelectIMSI[] = { 0xa0, 0xa4, 0x00, 0x00, 0x02, 0x6f, 0x07 };
+		static const BYTE pbReadBinary[] = { 0xa0, 0xb0, 0x00, 0x00, 0x09 };
+		BYTE pbRunGSMAlgorithm[5 + SIM_RAND_LEN] = { 0xa0, 0x88, 0x00, 0x00, 0x10 };
+		static const BYTE pbGetResponse[] = { 0xa0, 0xc0, 0x00, 0x00, 0x0c };
+
+		/* If on 2nd or later reader, make sure we end the transaction
+		 * and disconnect card in the previous reader */
+		switch (hCard_status)
+		{
+			case TRANSACTION:
+				SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
+				/* FALLTHRU */
+			case CONNECTED:
+				SCardDisconnect(hCard, SCARD_LEAVE_CARD);
+				/* FALLTHRU */
+			case DISCONNECTED:
+				hCard_status = DISCONNECTED;
+		}
+
+		/* Copy RAND into APDU */
+		memcpy(pbRunGSMAlgorithm + 5, rand, SIM_RAND_LEN);
+
+		rv = SCardConnect(hContext, cur_reader, SCARD_SHARE_SHARED,
+			SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &hCard, &dwActiveProtocol);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardConnect: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		hCard_status = CONNECTED;
+
+		switch(dwActiveProtocol)
+		{
+			case SCARD_PROTOCOL_T0:
+				pioSendPci = SCARD_PCI_T0;
+				break;
+			case SCARD_PROTOCOL_T1:
+				pioSendPci = SCARD_PCI_T1;
+				break;
+			default:
+				DBG1(DBG_IKE, "Unknown SCARD_PROTOCOL");
+				continue;
+		}
+
+		/* Start transaction */
+		rv = SCardBeginTransaction(hCard);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardBeginTransaction: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		hCard_status = TRANSACTION;
+
+		/* APDU: Select MF */
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci, pbSelectMF, sizeof(pbSelectMF),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		{
+			DBG1(DBG_IKE, "Select MF failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		}
+
+		/* APDU: Select DF GSM */
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci, pbSelectDFGSM, sizeof(pbSelectDFGSM),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		{
+			DBG1(DBG_IKE, "Select DF GSM failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		}
+
+		/* APDU: Select IMSI */
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci, pbSelectIMSI, sizeof(pbSelectIMSI),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		{
+			DBG1(DBG_IKE, "Select IMSI failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		}
+
+		/* APDU: Read Binary (of IMSI) */
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci, pbReadBinary, sizeof(pbReadBinary),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_SUCCESS)
+		{
+			DBG1(DBG_IKE, "Select IMSI failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		}
+
+		if (!decode_imsi_ef(pbRecvBuffer, dwRecvLength-APDU_STATUS_LEN, imsi))
+		{
+			DBG1(DBG_IKE, "Couldn't decode IMSI EF: %b",
+				 pbRecvBuffer, (u_int)dwRecvLength);
+			continue;
+		}
+
+		/* The IMSI could be post/prefixed in the full NAI, so just make sure
+		 * it's in there */
+		if (!(strlen(full_nai) && strstr(full_nai, imsi)))
+		{
+			DBG1(DBG_IKE, "Not the SIM we're looking for, IMSI: %s", imsi);
+			continue;
+		}
+
+		/* APDU: Run GSM Algorithm */
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci,
+						   pbRunGSMAlgorithm, sizeof(pbRunGSMAlgorithm),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		{
+			DBG1(DBG_IKE, "Run GSM Algorithm failed: %b",
+				 pbRecvBuffer, (u_int)dwRecvLength);
+			continue;
+		}
+
+		/* APDU: Get Response (of Run GSM Algorithm) */
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci, pbGetResponse, sizeof(pbGetResponse),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_SUCCESS)
+		{
+			DBG1(DBG_IKE, "Get Response failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		}
+
+		/* Extract out Kc and SRES from response */
+		if (dwRecvLength == SIM_SRES_LEN + SIM_KC_LEN + APDU_STATUS_LEN)
+		{
+			memcpy(sres, pbRecvBuffer, SIM_SRES_LEN);
+			memcpy(kc, pbRecvBuffer+4, SIM_KC_LEN);
+			/* This will also cause the loop to exit */
+			found = TRUE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "Get Response incorrect length: %b",
+				 pbRecvBuffer, (u_int)dwRecvLength);
+			continue;
+		}
+
+		/* Transaction will be ended and card disconnected at the
+		 * beginning of this loop or after this loop */
+	}
+
+	/* Make sure we end any previous transaction and disconnect card */
+	switch (hCard_status)
+	{
+		case TRANSACTION:
+			SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
+			/* FALLTHRU */
+		case CONNECTED:
+			SCardDisconnect(hCard, SCARD_LEAVE_CARD);
+			/* FALLTHRU */
+		case DISCONNECTED:
+			hCard_status = DISCONNECTED;
+	}
+
+	rv = SCardReleaseContext(hContext);
+	if (rv != SCARD_S_SUCCESS)
+	{
+		DBG1(DBG_IKE, "SCardReleaseContext: %s", pcsc_stringify_error(rv));
+	}
+
+	free(mszReaders);
+	return found;
+}
+
+METHOD(simaka_card_t, get_quintuplet, status_t,
+	private_eap_simaka_pcsc_card_t *this, identification_t *id,
+	char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
+	char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len)
+{
+	status_t found = SUCCESS;
+	LONG rv;
+	SCARDCONTEXT hContext;
+	DWORD dwReaders;
+	LPSTR mszReaders;
+	char *cur_reader;
+	char full_nai[128];
+	SCARDHANDLE hCard;
+	enum { DISCONNECTED, CONNECTED, TRANSACTION } hCard_status = DISCONNECTED;
+
+	snprintf(full_nai, sizeof(full_nai), "%Y", id);
+
+	DBG2(DBG_IKE, "looking for quintuplet: %Y rand %b", id, rand, SIM_RAND_LEN);
+
+	rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);
+	if (rv != SCARD_S_SUCCESS)
+	{
+		DBG1(DBG_IKE, "SCardEstablishContext: %s", pcsc_stringify_error(rv));
+		return FALSE;
+	}
+
+	rv = SCardListReaders(hContext, NULL, NULL, &dwReaders);
+	if (rv != SCARD_S_SUCCESS)
+	{
+		DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
+		return FALSE;
+	}
+	mszReaders = malloc(sizeof(char)*dwReaders);
+
+	rv = SCardListReaders(hContext, NULL, mszReaders, &dwReaders);
+	if (rv != SCARD_S_SUCCESS)
+	{
+		DBG1(DBG_IKE, "SCardListReaders: %s", pcsc_stringify_error(rv));
+		return FALSE;
+	}
+
+	/* mszReaders is a multi-string of readers, separated by '\0' and
+	 * terminated by an additional '\0' */
+	for (cur_reader = mszReaders; *cur_reader != '\0' && found == FALSE;
+		 cur_reader += strlen(cur_reader) + 1)
+	{
+		DWORD dwActiveProtocol = -1;
+		const SCARD_IO_REQUEST *pioSendPci;
+		SCARD_IO_REQUEST pioRecvPci;
+		BYTE pbRecvBuffer[512];
+		DWORD dwRecvLength;
+		char imsi[SIM_IMSI_MAX_LEN + 1];
+        char aid_pattern[] = {0xA0, 0x00, 0x00, 0x00, 0x87, 0x10, 0x02}; //based on mitshell/card USIM.py:SELECT_ADF_USIM()
+        char *correct_aid = NULL;
+        int resLen = 0;
+
+		/* USIM APDUs */
+        BYTE abSelectEFDIR[] = {0x00, 0xA4, 0x08, 0x04, 0x02, 0x2F, 0x00};
+        // CLA  SELECT  P1     P2    len
+        // 0x00  0xC0  0x00   0x00  0x00
+        BYTE abGetResponse[] = {0x00, 0xC0, 0x00, 0x00, 0x1C};
+        // CLA  SELECT  P1 (by fileID) P2(UICC)  len  DATA (EF_IMSI address)
+        // 0x00  0xA4    0x00          0x04      0x02 0x6F  0x07
+        BYTE abSelectIMSI[] = {0x00, 0xA4, 0x00, 0x04, 0x02, 0x6F, 0x07};
+        BYTE abReadRecord[] = {0x00, 0xB2, 0x01, 0x04, 0x00}; //Le byte (last one) set to 0x00 so complete record is read up to 256 bytes
+        // CLA  SELECT  P1 (AID) P2(UICC)  len  DATA (AID)
+        // 0x00  0xA4    0x04     0x04    '0xc', '0xa0', '0x0', '0x0', '0x0', '0x87', '0x10', '0x2', '0xff', '0x49', '0xff', '0x5', '0x89'
+        BYTE abSelectUICC[] = {0x00, 0xA4, 0x04, 0x04};
+        BYTE abReadBinary[] = {0x00, 0xB0, 0x00, 0x00, 0x09};
+	    BYTE abAuthenticate[5 + 1 + SIM_RAND_LEN + 1 + SIM_RAND_LEN] = { 0x00, 0x88, 0x00, 0x81, 0x22, 0x10 }; //TOTAL_LEN + LEN(RAND) + RAND + LEN(AUTN) + AUTN
+	    int i,j;
+		/* If on 2nd or later reader, make sure we end the transaction
+		 * and disconnect card in the previous reader */
+		switch (hCard_status)
+		{
+			case TRANSACTION:
+				SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
+				/* FALLTHRU */
+			case CONNECTED:
+				SCardDisconnect(hCard, SCARD_LEAVE_CARD);
+				/* FALLTHRU */
+			case DISCONNECTED:
+				hCard_status = DISCONNECTED;
+		}
+
+		/* Copy RAND into APDU */
+		memcpy(abAuthenticate + 6, rand, SIM_RAND_LEN);
+		abAuthenticate[6 + SIM_RAND_LEN] = 0x10; //LEN of AUTN
+		memcpy(abAuthenticate + 6 + SIM_RAND_LEN + 1, autn, SIM_RAND_LEN); //Copy AUTN into APDU
+
+		rv = SCardConnect(hContext, cur_reader, SCARD_SHARE_SHARED,
+			SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &hCard, &dwActiveProtocol);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardConnect: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		hCard_status = CONNECTED;
+
+		switch(dwActiveProtocol)
+		{
+			case SCARD_PROTOCOL_T0:
+				pioSendPci = SCARD_PCI_T0;
+				break;
+			case SCARD_PROTOCOL_T1:
+				pioSendPci = SCARD_PCI_T1;
+				break;
+			default:
+				DBG1(DBG_IKE, "Unknown SCARD_PROTOCOL");
+				continue;
+		}
+
+		/* Start transaction */
+		rv = SCardBeginTransaction(hCard);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardBeginTransaction: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		hCard_status = TRANSACTION;
+
+		/* APDU: Select EFDIR */
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci, abSelectEFDIR, sizeof(abSelectEFDIR),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+
+
+        if (pbRecvBuffer[0] == 0x61 && dwRecvLength < 3)
+	    {  // Response bytes available, GET RESPONSE needs to be run
+           abGetResponse[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
+           dwRecvLength = sizeof(pbRecvBuffer);
+           rv = SCardTransmit(hCard, pioSendPci, abGetResponse, sizeof(abGetResponse),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+ 
+        }
+        else if ((pbRecvBuffer[0] == 0x6C && dwRecvLength < 3) || (pbRecvBuffer[0] == 0x67 && dwRecvLength < 3)) //WRONG length used, correcting it
+	    {
+            abSelectEFDIR[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
+            dwRecvLength = sizeof(pbRecvBuffer);
+            rv = SCardTransmit(hCard, pioSendPci, abSelectEFDIR, sizeof(abSelectEFDIR),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+	    }
+
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+/*
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		{
+			DBG1(DBG_IKE, "Select EFDIR failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		}*/
+
+		for(j=0; j<5; j++) //Fingers crossed there is no SIM card with more than 5 applications in its EF_DIR
+        {
+  		  /* APDU: Read Record */
+		  dwRecvLength = sizeof(pbRecvBuffer);
+          abReadRecord[2] = j;
+		  rv = SCardTransmit(hCard, pioSendPci, abReadRecord, sizeof(abReadRecord),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		  if (rv != SCARD_S_SUCCESS)
+		  {
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		  }
+/*
+		  if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		  {
+			DBG1(DBG_IKE, "Read Record failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		  }
+*/
+           DBG1(DBG_IKE, "READ RECORD #%d: %b", j, pbRecvBuffer,
+				 (u_int)dwRecvLength);
+           if ((pbRecvBuffer[0] == 0x6C && dwRecvLength < 3) || (pbRecvBuffer[0] == 0x67 && dwRecvLength < 3)) //WRONG length used, correcting it
+	       {
+             abReadRecord[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
+             dwRecvLength = sizeof(pbRecvBuffer);
+             rv = SCardTransmit(hCard, pioSendPci, abReadRecord, sizeof(abReadRecord),
+					   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+	       }
+
+		   if (rv != SCARD_S_SUCCESS)
+		   {
+			 DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			 continue;
+		   }
+
+		   if ((pbRecvBuffer[0]== 0x61) && (pbRecvBuffer[2] == 0x4F) && dwRecvLength > 6)
+		   {
+             correct_aid = memmem(pbRecvBuffer, dwRecvLength, aid_pattern, sizeof(aid_pattern));
+             DBG1(DBG_IKE, "Detecting AIDs...");
+             if(correct_aid)
+               break;
+           } else {
+			DBG1(DBG_IKE, "Failed to get AID, will not be able to proceed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		   }
+		 }
+
+         if(!correct_aid)
+         {
+ 		   DBG1(DBG_IKE, "NOT finding USIM AID (see ETSI TS 101 220 Annex E) pattern, will not be able to proceed: %b", pbRecvBuffer,
+			 (u_int)dwRecvLength);
+			continue;
+
+          } else {
+            unsigned char aid[pbRecvBuffer[3]]; //the transaction buffer contains the right AID with its length
+	        for(i=0; i < sizeof(aid); i++) {
+              aid[i] = (*correct_aid);
+              correct_aid++;
+            }
+            unsigned char final_apdu[sizeof(aid)+4];
+            for (i=0; i < sizeof(abSelectUICC); i++) {
+              final_apdu[i] = abSelectUICC[i];
+            }
+            final_apdu[sizeof(abSelectUICC)] = sizeof(aid); //len byte
+            for (i=0; i < sizeof(aid); i++) { //adding AID to the APDU
+              final_apdu[i+5] = aid[i];
+            }
+            DBG1(DBG_IKE, "Got AID: %b", aid,
+		              sizeof(aid));
+
+           DBG1(DBG_IKE, "Selecting UICC...");
+	  	   /* APDU: Select UICC */
+		   dwRecvLength = sizeof(pbRecvBuffer);
+           DBG1(DBG_IKE, "Sending APDU: %b", final_apdu,
+		                (u_int)pbRecvBuffer[3]+5);
+
+		   rv = SCardTransmit(hCard, pioSendPci, final_apdu, pbRecvBuffer[3]+5,
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+           if (rv != SCARD_S_SUCCESS)
+           {
+             DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+             continue;
+           }
+           if (pbRecvBuffer[0] == 0x61 && dwRecvLength < 3)
+           {  // Response bytes available, GET RESPONSE needs to be run
+             abGetResponse[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
+             dwRecvLength = sizeof(pbRecvBuffer);
+             rv = SCardTransmit(hCard, pioSendPci, abGetResponse, sizeof(abGetResponse),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+           }
+         }
+
+/*       if (dwRecvLength < APDU_STATUS_LEN ||
+                       pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		 {
+			DBG1(DBG_IKE, "Select UICC failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		 }
+*/
+
+
+        DBG1(DBG_IKE, "Selecting IMSI...");
+		/* APDU: Select IMSI */
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci, abSelectIMSI, sizeof(abSelectIMSI),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+        if (pbRecvBuffer[0] == 0x61 && dwRecvLength < 3)
+        {  // Response bytes available, GET RESPONSE needs to be run
+          abGetResponse[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
+          dwRecvLength = sizeof(pbRecvBuffer);
+          rv = SCardTransmit(hCard, pioSendPci, abGetResponse, sizeof(abGetResponse),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+        }
+/*		
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		{
+			DBG1(DBG_IKE, "Select IMSI failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		}
+ */
+		/* APDU: Read Binary (of IMSI) */
+        DBG1(DBG_IKE, "Reading binary of IMSI...");
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci, abReadBinary, sizeof(abReadBinary),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+		DBG1(DBG_IKE, "Response: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+
+		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_SUCCESS)
+		{
+			DBG1(DBG_IKE, "Read binary of IMSI failed: %b", pbRecvBuffer,
+				 (u_int)dwRecvLength);
+			continue;
+		}
+
+		if (!decode_imsi_ef(pbRecvBuffer, dwRecvLength-APDU_STATUS_LEN, imsi))
+		{
+			DBG1(DBG_IKE, "Couldn't decode IMSI EF: %b",
+				 pbRecvBuffer, (u_int)dwRecvLength);
+			continue;
+		}
+		DBG1(DBG_IKE, "Got IMSI: %s", imsi);
+		/* The IMSI could be post/prefixed in the full NAI, so just make sure
+		 * it's in there */
+		if (!(strlen(full_nai) && strstr(full_nai, imsi)))
+		{
+			DBG1(DBG_IKE, "Not the SIM we're looking for, IMSI: %s", imsi);
+			continue;
+		}
+
+		/* APDU: Authenticate */
+                DBG1(DBG_IKE, "Running AUTHENTICATE...");
+		dwRecvLength = sizeof(pbRecvBuffer);
+		rv = SCardTransmit(hCard, pioSendPci,
+						   abAuthenticate, sizeof(abAuthenticate),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+		if (rv != SCARD_S_SUCCESS)
+		{
+			DBG1(DBG_IKE, "SCardTransmit: %s", pcsc_stringify_error(rv));
+			continue;
+		}
+
+                if (pbRecvBuffer[0] == 0x61 && dwRecvLength < 3)
+	        {  // Response bytes available, GET RESPONSE needs to be run
+                   abGetResponse[4] = pbRecvBuffer[1]; //setting the expected length to the one sent by the card
+                   dwRecvLength = sizeof(pbRecvBuffer);
+                   rv = SCardTransmit(hCard, pioSendPci, abGetResponse, sizeof(abGetResponse),
+						   &pioRecvPci, pbRecvBuffer, &dwRecvLength);
+ 
+                }
+
+		DBG1(DBG_IKE, "Response: %b",
+			 pbRecvBuffer, (u_int)dwRecvLength);
+
+/*		if (dwRecvLength < APDU_STATUS_LEN ||
+			pbRecvBuffer[dwRecvLength-APDU_STATUS_LEN] != APDU_SW1_RESPONSE_DATA)
+		{
+			DBG1(DBG_IKE, "Authenticate failed: %b",
+				 pbRecvBuffer, (u_int)dwRecvLength);
+			continue;
+		}
+*/
+        /* Parsing data from the response into RES, CK, IK */
+		if(pbRecvBuffer[0] == 0xDB)
+		{
+                        DBG1(DBG_IKE, "Successful 3G authentication");
+			if(pbRecvBuffer[1] == 0x08 || pbRecvBuffer[1] == 0x04) //RES
+			{
+                                resLen = pbRecvBuffer[1];
+				for(i=0; i< pbRecvBuffer[1]; i++)
+				{
+					res[i] = pbRecvBuffer[i+2];
+				}
+                                (*res_len) = resLen;
+			} else {
+				DBG1(DBG_IKE, "RES not 8 or 4 byte long, can't copy it.\n");
+				continue;
+			}
+			if(pbRecvBuffer[resLen+2] == 0x10) //CK SUCCESS_BYTE 0xDB(len=1) + RES_LEN(len1) + resLen
+			{
+				for(i=0; i<16; i++)
+				{
+					ck[i] = pbRecvBuffer[i+resLen+3];
+				}
+			} else {
+				DBG1(DBG_IKE, "CK not 16 byte long, can't copy it\n");
+				continue;
+			}
+			if(pbRecvBuffer[resLen+3+16] == 0x10) //IK SUCCESS_BYTE(len1) + RES_LEN(len1) + res + CK_LEN(len1) + CK(len16)
+			{
+				for(i=0; i<16; i++)
+				{
+					ik[i] = pbRecvBuffer[i+ resLen+3+16+1];
+				}
+			} else {
+				DBG1(DBG_IKE, "IK not 16 byte long, can't copy it\n");
+				continue;
+			}
+                        DBG1(DBG_IKE, "KEYs established. RES: %b", res, resLen);
+                        DBG1(DBG_IKE, "KEYs established. CK: %b", ck, 16);
+                        DBG1(DBG_IKE, "KEYs established. IK: %b", ik, 16);
+			found = SUCCESS;
+
+		}
+		if(pbRecvBuffer[0] == 0xDC)
+		{
+			DBG1(DBG_IKE, "Sync error between SIM card and network, currently NOT supported.\n");
+                        return NOT_SUPPORTED;
+		}
+
+		/* Transaction will be ended and card disconnected at the
+		 * beginning of this loop or after this loop */
+	}
+
+	/* Make sure we end any previous transaction and disconnect card */
+	switch (hCard_status)
+	{
+		case TRANSACTION:
+			SCardEndTransaction(hCard, SCARD_LEAVE_CARD);
+			/* FALLTHRU */
+		case CONNECTED:
+			SCardDisconnect(hCard, SCARD_LEAVE_CARD);
+			/* FALLTHRU */
+		case DISCONNECTED:
+			hCard_status = DISCONNECTED;
+	}
+
+	rv = SCardReleaseContext(hContext);
+	if (rv != SCARD_S_SUCCESS)
+	{
+		DBG1(DBG_IKE, "SCardReleaseContext: %s", pcsc_stringify_error(rv));
+	}
+
+	free(mszReaders);
+	return found;
+}
+
+METHOD(eap_simaka_pcsc_card_t, destroy, void,
+	private_eap_simaka_pcsc_card_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_simaka_pcsc_card_t *eap_simaka_pcsc_card_create()
+{
+	private_eap_simaka_pcsc_card_t *this;
+
+	INIT(this,
+		.public = {
+			.card = {
+				.get_triplet = _get_triplet,
+				.get_quintuplet = _get_quintuplet,
+				.resync = (void*)return_false,
+				.get_pseudonym = (void*)return_null,
+				.set_pseudonym = (void*)nop,
+				.get_reauth = (void*)return_null,
+				.set_reauth = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+	);
+	return &this->public;
+}
+

src/libcharon/plugins/eap_simaka_pcsc/eap_simaka_pcsc_card.h

@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2017 Domonkos P. Tomcsanyi
+ * umlaut Communications Gmbh.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef EAP_SIMAKA_PCSC_CARD_H_
+#define EAP_SIMAKA_PCSC_CARD_H_
+
+#include <simaka_card.h>
+
+typedef struct eap_simaka_pcsc_card_t eap_simaka_pcsc_card_t;
+
+/**
+ * SIM card implementing PC/SC backend.
+ */
+struct eap_simaka_pcsc_card_t {
+
+	/**
+	 * Implements simaka_card_t interface
+	 */
+	simaka_card_t card;
+
+	/**
+	 * Destroy a eap_simaka_pcsc_card_t.
+	 */
+	void (*destroy)(eap_simaka_pcsc_card_t *this);
+};
+
+/**
+ * Create a eap_simaka_pcsc_card instance.
+ */
+eap_simaka_pcsc_card_t *eap_simaka_pcsc_card_create();
+
+#endif /** EAP_SIMAKA_PCSC_CARD_H_ @}*/

src/libcharon/plugins/eap_simaka_pcsc/eap_simaka_pcsc_plugin.c

@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2017 Domonkos P. Tomcsanyi
+ * umlaut Communications Gmbh.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_simaka_pcsc_plugin.h"
+#include "eap_simaka_pcsc_card.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_simaka_pcsc_t private_eap_simaka_pcsc_t;
+
+/**
+ * Private data of an eap_simaka_pcsc_t object.
+ */
+struct private_eap_simaka_pcsc_t {
+
+	/**
+	 * Public eap_simaka_pcsc_plugin_t interface.
+	 */
+	eap_simaka_pcsc_plugin_t public;
+
+	/**
+	 * SIM card
+	 */
+	eap_simaka_pcsc_card_t *card;
+
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_eap_simaka_pcsc_t *this)
+{
+	return "eap-simaka-pcsc";
+}
+
+/**
+ * Callback providing our card to register
+ */
+static simaka_card_t* get_card(private_eap_simaka_pcsc_t *this)
+{
+	if (!this->card)
+	{
+		this->card = eap_simaka_pcsc_card_create();
+	}
+	return &this->card->card;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_eap_simaka_pcsc_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK(simaka_manager_register, get_card),
+			PLUGIN_PROVIDE(CUSTOM, "aka-card"),
+				PLUGIN_DEPENDS(CUSTOM, "aka-manager"),
+			PLUGIN_PROVIDE(CUSTOM, "sim-card"),
+				PLUGIN_DEPENDS(CUSTOM, "sim-manager"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_eap_simaka_pcsc_t *this)
+{
+	DESTROY_IF(this->card);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *eap_simaka_pcsc_plugin_create()
+{
+	private_eap_simaka_pcsc_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
+

src/libcharon/plugins/eap_simaka_pcsc/eap_simaka_pcsc_plugin.h

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2017 Domonkos P. Tomcsanyi
+ * umlaut Communications Gmbh.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef EAP_SIMAKA_PCSC_PLUGIN_H_
+#define EAP_SIMAKA_PCSC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_simaka_pcsc_plugin_t eap_simaka_pcsc_plugin_t;
+
+/**
+ * Plugin to provide EAP-AKA PC/SC based USIM card backend
+ */
+struct eap_simaka_pcsc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_SIMAKA_PCSC_PLUGIN_H_ @}*/

src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c

@@ -1372,6 +1372,7 @@ static void process_route(private_kernel_netlink_net_t *this,
 				if (RTA_PAYLOAD(rta) == sizeof(uint32_t) &&
 					this->routing_table == *(uint32_t*)RTA_DATA(rta))
 				{
+					DESTROY_IF(host);
 					return;
 				}
 				break;

src/libcharon/plugins/load_tester/load_tester_config.c

@@ -624,7 +624,7 @@ static void add_ts(private_load_tester_config_t *this,
 /**
  * Allocate and install a dynamic external address to use
  */
-static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
+static host_t *allocate_addr(private_load_tester_config_t *this, u_int num)
 {
 	enumerator_t *enumerator;
 	mem_pool_t *pool;
@@ -682,7 +682,7 @@ static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
 /**
  * Generate a new initiator config, num = 0 for responder config
  */
-static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
+static peer_cfg_t* generate_config(private_load_tester_config_t *this, u_int num)
 {
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;

src/libcharon/plugins/vici/libvici.h

@@ -58,7 +58,7 @@
  * - vici_end_list(): Close a previously opened list
  * - vici_add_list_item() / vici_add_list_itemf(): Add list item
  *
- * Once the request message is complete, it can be sent or cancelled with:
+ * Once the request message is complete, it can be sent or canceled with:
  *
  * - vici_submit()
  * - vici_free_req()

src/libcharon/plugins/vici/perl/Vici-Session/README.pod

@@ -640,7 +640,7 @@ print $res ? "ok\n" : "failed: $errmsg\n";
 # close vici socket
 close($socket);
 
-=head1 COPYRIGHT AND LICENCE
+=head1 COPYRIGHT AND LICENSE
 
 Copyright (c) 2015 Andreas Steffen
 

src/libcharon/plugins/vici/vici_builder.c

@@ -145,6 +145,7 @@ static void vadd_kv_or_li(private_vici_builder_t *this, char *key,
 	{
 		value = chunk_alloc(len + 1);
 		len = vsnprintf(value.ptr, value.len, fmt, args);
+		value.len = len;
 	}
 	else
 	{

src/libcharon/sa/ike_sa.h

@@ -1170,7 +1170,7 @@ struct ike_sa_t {
 	void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
 
 	/**
-	 * Flush a task queue, cancelling all tasks in it.
+	 * Flush a task queue, canceling all tasks in it.
 	 *
 	 * @param queue			queue type to flush
 	 */

src/libcharon/sa/ike_sa_manager.h

@@ -142,7 +142,7 @@ struct ike_sa_manager_t {
 	 *
 	 * Measures are taken according to the uniqueness policy of the IKE_SA.
 	 * The return value indicates whether duplicates have been found and if
-	 * further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
+	 * further measures should be taken (e.g. canceling an IKE_AUTH exchange).
 	 * check_uniqueness() must be called before the IKE_SA is complete,
 	 * deadlocks occur otherwise.
 	 *

src/libcharon/sa/ikev1/task_manager_v1.c

@@ -487,7 +487,7 @@ METHOD(task_manager_t, initiate, status_t,
 	message_t *message;
 	host_t *me, *other;
 	exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
-	bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
+	bool new_mid = FALSE, expect_response = FALSE, canceled = FALSE, keep = FALSE;
 
 	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED &&
 		this->initiating.type != INFORMATIONAL_V1)
@@ -672,7 +672,7 @@ METHOD(task_manager_t, initiate, status_t,
 				/* processed, but task needs another exchange */
 				continue;
 			case ALREADY_DONE:
-				cancelled = TRUE;
+				canceled = TRUE;
 				break;
 			case FAILED:
 			default:
@@ -697,7 +697,7 @@ METHOD(task_manager_t, initiate, status_t,
 	{	/* tasks completed, no exchange active anymore */
 		this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 	}
-	if (cancelled)
+	if (canceled)
 	{
 		message->destroy(message);
 		return initiate(this);
@@ -754,7 +754,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	task_t *task;
 	message_t *message;
 	host_t *me, *other;
-	bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
+	bool delete = FALSE, canceled = FALSE, expect_request = FALSE;
 
 	me = request->get_destination(request);
 	other = request->get_source(request);
@@ -791,7 +791,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 				}
 				continue;
 			case ALREADY_DONE:
-				cancelled = TRUE;
+				canceled = TRUE;
 				break;
 			case INVALID_ARG:
 				if (task->get_type(task) == TASK_QUICK_MODE)
@@ -813,7 +813,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	enumerator->destroy(enumerator);
 
 	clear_packets(this->responding.packets);
-	if (cancelled)
+	if (canceled)
 	{
 		message->destroy(message);
 		return initiate(this);

src/libcharon/sa/ikev1/tasks/aggressive_mode.c

@@ -103,7 +103,7 @@ static bool establish(private_aggressive_mode_t *this)
 {
 	if (!charon->bus->authorize(charon->bus, TRUE))
 	{
-		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, canceling");
 		return FALSE;
 	}
 
@@ -177,7 +177,7 @@ static status_t send_notify(private_aggressive_mode_t *this, notify_type_t type)
 
 	this->ike_sa->queue_task(this->ike_sa,
 						(task_t*)informational_create(this->ike_sa, notify));
-	/* cancel all active/passive tasks in favour of informational */
+	/* cancel all active/passive tasks in favor of informational */
 	this->ike_sa->flush_queue(this->ike_sa,
 					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
 	return ALREADY_DONE;
@@ -190,7 +190,7 @@ static status_t send_delete(private_aggressive_mode_t *this)
 {
 	this->ike_sa->queue_task(this->ike_sa,
 						(task_t*)isakmp_delete_create(this->ike_sa, TRUE));
-	/* cancel all active tasks in favour of informational */
+	/* cancel all active tasks in favor of informational */
 	this->ike_sa->flush_queue(this->ike_sa,
 					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
 	return ALREADY_DONE;
@@ -320,7 +320,7 @@ METHOD(task_t, build_i, status_t,
 					if (charon->ike_sa_manager->check_uniqueness(
 								charon->ike_sa_manager, this->ike_sa, FALSE))
 					{
-						DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+						DBG1(DBG_IKE, "canceling Aggressive Mode due to "
 							 "uniqueness policy");
 						return send_notify(this, AUTHENTICATION_FAILED);
 					}
@@ -507,7 +507,7 @@ METHOD(task_t, process_r, status_t,
 			if (!charon->bus->authorize(charon->bus, FALSE))
 			{
 				DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids "
-					 "IKE_SA, cancelling");
+					 "IKE_SA, canceling");
 				charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
 				return send_delete(this);
 			}
@@ -529,7 +529,7 @@ METHOD(task_t, process_r, status_t,
 					if (charon->ike_sa_manager->check_uniqueness(
 								charon->ike_sa_manager, this->ike_sa, FALSE))
 					{
-						DBG1(DBG_IKE, "cancelling Aggressive Mode due to "
+						DBG1(DBG_IKE, "canceling Aggressive Mode due to "
 							 "uniqueness policy");
 						return send_delete(this);
 					}
@@ -709,7 +709,7 @@ METHOD(task_t, process_i, status_t,
 		if (!charon->bus->authorize(charon->bus, FALSE))
 		{
 			DBG1(DBG_IKE, "Aggressive Mode authorization hook forbids IKE_SA, "
-				 "cancelling");
+				 "canceling");
 			return send_notify(this, AUTHENTICATION_FAILED);
 		}
 

src/libcharon/sa/ikev1/tasks/main_mode.c

@@ -100,7 +100,7 @@ static bool establish(private_main_mode_t *this)
 {
 	if (!charon->bus->authorize(charon->bus, TRUE))
 	{
-		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, canceling");
 		return FALSE;
 	}
 
@@ -186,7 +186,7 @@ static status_t send_notify(private_main_mode_t *this, notify_type_t type)
 
 	this->ike_sa->queue_task(this->ike_sa,
 						(task_t*)informational_create(this->ike_sa, notify));
-	/* cancel all active/passive tasks in favour of informational */
+	/* cancel all active/passive tasks in favor of informational */
 	this->ike_sa->flush_queue(this->ike_sa,
 					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
 	return ALREADY_DONE;
@@ -199,7 +199,7 @@ static status_t send_delete(private_main_mode_t *this)
 {
 	this->ike_sa->queue_task(this->ike_sa,
 						(task_t*)isakmp_delete_create(this->ike_sa, TRUE));
-	/* cancel all active tasks in favour of informational */
+	/* cancel all active tasks in favor of informational */
 	this->ike_sa->flush_queue(this->ike_sa,
 					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
 	return ALREADY_DONE;
@@ -483,7 +483,7 @@ METHOD(task_t, process_r, status_t,
 			if (!charon->bus->authorize(charon->bus, FALSE))
 			{
 				DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
-					 "cancelling");
+					 "canceling");
 				charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
 				return send_notify(this, AUTHENTICATION_FAILED);
 			}
@@ -565,7 +565,7 @@ METHOD(task_t, build_r, status_t,
 					if (charon->ike_sa_manager->check_uniqueness(
 								charon->ike_sa_manager, this->ike_sa, FALSE))
 					{
-						DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
+						DBG1(DBG_IKE, "canceling Main Mode due to uniqueness "
 							 "policy");
 						return send_notify(this, AUTHENTICATION_FAILED);
 					}
@@ -725,7 +725,7 @@ METHOD(task_t, process_i, status_t,
 			if (!charon->bus->authorize(charon->bus, FALSE))
 			{
 				DBG1(DBG_IKE, "Main Mode authorization hook forbids IKE_SA, "
-					 "cancelling");
+					 "canceling");
 				charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
 				return send_delete(this);
 			}
@@ -748,7 +748,7 @@ METHOD(task_t, process_i, status_t,
 					if (charon->ike_sa_manager->check_uniqueness(
 								charon->ike_sa_manager, this->ike_sa, FALSE))
 					{
-						DBG1(DBG_IKE, "cancelling Main Mode due to uniqueness "
+						DBG1(DBG_IKE, "canceling Main Mode due to uniqueness "
 							 "policy");
 						return send_delete(this);
 					}

src/libcharon/sa/ikev1/tasks/quick_mode.c

@@ -773,7 +773,7 @@ static status_t send_notify(private_quick_mode_t *this, notify_type_t type)
 
 	this->ike_sa->queue_task(this->ike_sa,
 						(task_t*)informational_create(this->ike_sa, notify));
-	/* cancel all active/passive tasks in favour of informational */
+	/* cancel all active/passive tasks in favor of informational */
 	this->ike_sa->flush_queue(this->ike_sa,
 					this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
 	return ALREADY_DONE;

src/libcharon/sa/ikev1/tasks/xauth.c

@@ -150,17 +150,17 @@ static bool allowed(private_xauth_t *this)
 	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
 												 this->ike_sa, FALSE))
 	{
-		DBG1(DBG_IKE, "cancelling XAuth due to uniqueness policy");
+		DBG1(DBG_IKE, "canceling XAuth due to uniqueness policy");
 		return FALSE;
 	}
 	if (!charon->bus->authorize(charon->bus, FALSE))
 	{
-		DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, cancelling");
+		DBG1(DBG_IKE, "XAuth authorization hook forbids IKE_SA, canceling");
 		return FALSE;
 	}
 	if (!charon->bus->authorize(charon->bus, TRUE))
 	{
-		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, canceling");
 		return FALSE;
 	}
 	return TRUE;

src/libcharon/sa/ikev2/tasks/ike_auth.c

@@ -887,7 +887,7 @@ METHOD(task_t, process_r, status_t,
 	/* another auth round done, invoke authorize hook */
 	if (!charon->bus->authorize(charon->bus, FALSE))
 	{
-		DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
+		DBG1(DBG_IKE, "authorization hook forbids IKE_SA, canceling");
 		this->authentication_failed = TRUE;
 		return NEED_MORE;
 	}
@@ -1104,7 +1104,7 @@ METHOD(task_t, build_r, status_t,
 	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
 										this->ike_sa, this->initial_contact))
 	{
-		DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
+		DBG1(DBG_IKE, "canceling IKE_SA setup due to uniqueness policy");
 		charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
 		message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
 							chunk_empty);
@@ -1112,7 +1112,7 @@ METHOD(task_t, build_r, status_t,
 	}
 	if (!charon->bus->authorize(charon->bus, TRUE))
 	{
-		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, canceling");
 		goto peer_auth_failed;
 	}
 	if (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_REDIRECTION) &&
@@ -1362,7 +1362,7 @@ METHOD(task_t, process_i, status_t,
 		/* another auth round done, invoke authorize hook */
 		if (!charon->bus->authorize(charon->bus, FALSE))
 		{
-			DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
+			DBG1(DBG_IKE, "authorization forbids IKE_SA, canceling");
 			goto peer_auth_failed;
 		}
 
@@ -1453,7 +1453,7 @@ METHOD(task_t, process_i, status_t,
 	if (!charon->bus->authorize(charon->bus, TRUE))
 	{
 		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
-				      "cancelling");
+				      "canceling");
 		goto peer_auth_failed;
 	}
 	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",

src/libcharon/sa/task_manager.h

@@ -293,7 +293,7 @@ struct task_manager_t {
 	void (*flush)(task_manager_t *this);
 
 	/**
-	 * Flush a queue, cancelling all tasks.
+	 * Flush a queue, canceling all tasks.
 	 *
 	 * @param queue			queue to flush
 	 */

src/libsimaka/simaka_manager.c

@@ -121,13 +121,18 @@ METHOD(simaka_manager_t, card_get_quintuplet, status_t,
 		switch (status)
 		{	/* try next on error, but not on INVALID_STATE */
 			case SUCCESS:
+	                        DBG1(DBG_LIB, "SUCCESS");
 			case INVALID_STATE:
+                                DBG1(DBG_LIB, "INVALID STATE");
 				enumerator->destroy(enumerator);
 				this->lock->unlock(this->lock);
 				return status;
 			case NOT_SUPPORTED:
+                                DBG1(DBG_LIB, "NOT_SUPPORTED");
 			case FAILED:
+                                DBG1(DBG_LIB, "FAILED");
 			default:
+                                DBG1(DBG_LIB, "DEFAULT");
 				tried++;
 				continue;
 		}

src/libstrongswan/credentials/auth_cfg.c

@@ -944,6 +944,7 @@ METHOD(auth_cfg_t, complies, bool,
 
 				id1 = (identification_t*)value;
 				id2 = get(this, t1);
+/*
 				if (!id2 || !id2->matches(id2, id1))
 				{
 					if (t1 == AUTH_RULE_IDENTITY &&
@@ -965,6 +966,10 @@ METHOD(auth_cfg_t, complies, bool,
 							 "EAP ", id1);
 					}
 				}
+*/
+				DBG1(DBG_CFG, "constraint check failed, but we are ignoring it for now: %sidentity '%Y'"
+					 " required ", t1 == AUTH_RULE_IDENTITY ? "" :
+					 "EAP ", id1);
 				break;
 			}
 			case AUTH_RULE_AUTH_CLASS:

src/libstrongswan/crypto/hashers/hasher.c

@@ -343,16 +343,16 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
 {
 	switch (alg)
 	{
-		case HASH_IDENTITY:
+		case HASH_SHA1:
 		case HASH_SHA256:
 		case HASH_SHA384:
 		case HASH_SHA512:
 			return TRUE;
+		case HASH_IDENTITY:
 		case HASH_UNKNOWN:
 		case HASH_MD2:
 		case HASH_MD4:
 		case HASH_MD5:
-		case HASH_SHA1:
 		case HASH_SHA224:
 		case HASH_SHA3_224:
 		case HASH_SHA3_256:

src/libstrongswan/fetcher/fetcher.h

@@ -117,7 +117,7 @@ struct fetcher_t {
 	 *
 	 * The fetcher returns NOT_SUPPORTED to indicate that it is uncappable
 	 * to handle such URLs. Other return values indicate a failure, and
-	 * fetching of that URL gets cancelled.
+	 * fetching of that URL gets canceled.
 	 * If no FETCH_CALLBACK function is set as option, userdata must be
 	 * a chunk_t*. This chunk gets allocated, accumulated data using the
 	 * fetcher_default_callback() function.

src/libstrongswan/plugins/keychain/keychain_creds.c

@@ -148,7 +148,7 @@ static job_requeue_t monitor_changes(private_keychain_creds_t *this)
 	{
 		this->loop = CFRunLoopGetCurrent();
 
-		/* does not return until cancelled */
+		/* does not return until canceled */
 		CFRunLoopRun();
 
 		this->loop = NULL;

src/libstrongswan/plugins/pkcs11/pkcs11_manager.c

@@ -173,7 +173,7 @@ CALLBACK(dispatch_slot_events, job_requeue_t,
 	rv = entry->lib->f->C_WaitForSlotEvent(0, &slot, NULL);
 	if (rv == CKR_FUNCTION_NOT_SUPPORTED || rv == CKR_NO_EVENT)
 	{
-		DBG1(DBG_CFG, "module '%s' does not support hot-plugging, cancelled",
+		DBG1(DBG_CFG, "module '%s' does not support hot-plugging, canceled",
 			 entry->lib->get_name(entry->lib));
 		return JOB_REQUEUE_NONE;
 	}

src/libstrongswan/plugins/winhttp/winhttp_fetcher.c

@@ -165,7 +165,7 @@ static bool read_result(private_winhttp_fetcher_t *this, HINTERNET request,
 		}
 		if (!this->cb(user, chunk_create(buf, received)))
 		{
-			DBG1(DBG_LIB, "processing response failed or cancelled");
+			DBG1(DBG_LIB, "processing response failed or canceled");
 			return FALSE;
 		}
 	}

src/libstrongswan/processing/watcher.c

@@ -186,12 +186,12 @@ static void update(private_watcher_t *this)
 }
 
 /**
- * Cleanup function if callback gets cancelled
+ * Cleanup function if callback gets canceled
  */
 static void unregister(notify_data_t *data)
 {
-	/* if a thread processing a callback gets cancelled, we mark the entry
-	 * as cancelled, like the callback would return FALSE. This is required
+	/* if a thread processing a callback gets canceled, we mark the entry
+	 * as canceled, like the callback would return FALSE. This is required
 	 * to not queue this watcher again if all threads have been gone. */
 	data->keep = FALSE;
 }
@@ -276,7 +276,7 @@ static void activate_all(private_watcher_t *this)
 {
 	entry_t *entry;
 
-	/* When the watcher thread gets cancelled, we have to reactivate any entry
+	/* When the watcher thread gets canceled, we have to reactivate any entry
 	 * and signal threads in remove() to go on. */
 
 	this->mutex->lock(this->mutex);
@@ -398,7 +398,7 @@ static job_requeue_t watch(private_watcher_t *this)
 		if (res == -1 && errno == EINTR)
 		{
 			/* LinuxThreads interrupts poll(), but does not make it a
-			 * cancellation point. Manually test if we got cancelled. */
+			 * cancellation point. Manually test if we got canceled. */
 			thread_cancellation_point();
 		}
 

src/libstrongswan/tests/suites/test_threading.c

@@ -1130,7 +1130,7 @@ static void *cancel_onoff_run(void *data_in)
 	thread_cancelability(FALSE);
 	data->cancellable = FALSE;
 
-	/* we should not get cancelled here */
+	/* we should not get canceled here */
 	data->sem->wait(data->sem);
 
 	data->cancellable = TRUE;

src/libstrongswan/threading/thread.c

@@ -84,7 +84,7 @@ struct private_thread_t {
 	bool detached_or_joined;
 
 	/**
-	 * TRUE if the threads has terminated (cancelled, via thread_exit or
+	 * TRUE if the threads has terminated (canceled, via thread_exit or
 	 * returned from the main function)
 	 */
 	bool terminated;
@@ -130,7 +130,7 @@ static thread_value_t *current_thread;
 #endif
 
 /* the signal handler for SIG_CANCEL uses pthread_exit to terminate the
- * "cancelled" thread */
+ * "canceled" thread */
 static void cancel_signal_handler(int sig)
 {
 	pthread_exit(NULL);

src/libstrongswan/threading/thread.h

@@ -109,7 +109,7 @@ u_int thread_current_id();
 
 /**
  * Push a function onto the current thread's cleanup handler stack.
- * The callback function is called whenever the thread is cancelled, exits or
+ * The callback function is called whenever the thread is canceled, exits or
  * thread_cleanup_pop is called with TRUE as execute argument.
  *
  * @param cleanup		function called on thread exit

src/libstrongswan/threading/windows/thread.c

@@ -87,7 +87,7 @@ struct private_thread_t {
 	bool cancelability;
 
 	/**
-	 * Has the thread been cancelled by thread->cancel()?
+	 * Has the thread been canceled by thread->cancel()?
 	 */
 	bool canceled;
 

src/libstrongswan/utils/identification.h

@@ -299,7 +299,7 @@ struct identification_t {
  * - ID_RFC822_ADDR:	alice@wonderland.org
  * - ID_DER_ASN1_DN:	C=CH, O=Linux strongSwan, CN=bob
  *
- * In favour of pluto, domainnames are prepended with an @, since
+ * In favor of pluto, domainnames are prepended with an @, since
  * pluto resolves domainnames without an @ to IPv4 addresses. Since
  * we use a separate host_t class for addresses, this doesn't
  * make sense for us.

src/libtls/tls_eap.c

@@ -323,7 +323,7 @@ static chunk_t create_ack(private_tls_eap_t *this)
 		default:
 			break;
 	}
-	DBG2(DBG_TLS, "sending %N acknowledgement packet",
+	DBG2(DBG_TLS, "sending %N acknowledgment packet",
 		 eap_type_names, this->type);
 	return chunk_clone(chunk_from_thing(pkt));
 }
@@ -370,7 +370,7 @@ METHOD(tls_eap_t, process, status_t,
 	{
 		if (in.len == sizeof(eap_tls_packet_t))
 		{
-			DBG2(DBG_TLS, "received %N acknowledgement packet",
+			DBG2(DBG_TLS, "received %N acknowledgment packet",
 				 eap_type_names, this->type);
 			status = build_pkt(this, out);
 			if (status == INVALID_STATE && this->tls->is_complete(this->tls))

src/libtls/tls_hkdf.c

@@ -735,7 +735,7 @@ tls_hkdf_t *tls_hkdf_create(hash_algorithm_t hash_algorithm, chunk_t psk)
 			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names,
 				 hash_algorithm);
 		}
-		DBG1(DBG_TLS, "unable to initialise HKDF");
+		DBG1(DBG_TLS, "unable to initialize HKDF");
 		destroy(this);
 		return NULL;
 	}

src/libtnccs/plugins/tnccs_11/tnccs_11.c

@@ -360,7 +360,7 @@ METHOD(tls_t, process, status_t,
 		this->mutex->lock(this->mutex);
 		if (this->batch)
 		{
-			DBG1(DBG_TNC, "cancelling TNCCS batch");
+			DBG1(DBG_TNC, "canceling TNCCS batch");
 			this->batch->destroy(this->batch);
 			this->batch_id--;
 		 }

src/libtnccs/plugins/tnccs_20/tnccs_20_client.c

@@ -209,7 +209,7 @@ static void change_batch_type(private_tnccs_20_client_t *this,
 	{
 		if (this->batch_type != PB_BATCH_NONE)
 		{
-			DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+			DBG1(DBG_TNC, "canceling PB-TNC %N batch",
 				 pb_tnc_batch_type_names, this->batch_type);
 
 			while (this->messages->remove_last(this->messages,

src/libtnccs/plugins/tnccs_20/tnccs_20_server.c

@@ -142,7 +142,7 @@ static void change_batch_type(private_tnccs_20_server_t *this,
 	{
 		if (this->batch_type != PB_BATCH_NONE)
 		{
-			DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+			DBG1(DBG_TNC, "canceling PB-TNC %N batch",
 				 pb_tnc_batch_type_names, this->batch_type);
 
 			while (this->messages->remove_last(this->messages,

src/manager/templates/static/jquery.js

@@ -1542,7 +1542,7 @@ jQuery.extend({
 });
 /*
  * A number of helper functions used for managing events.
- * Many of the ideas behind this code orignated from
+ * Many of the ideas behind this code originated from
  * Dean Edwards' addEvent library.
  */
 jQuery.event = {

testing/scripts/recipes/012_wolfssl.mk

@@ -1,10 +1,8 @@
 #!/usr/bin/make
 
 PKG = wolfssl
-REV = 4.7.1r
-DIR = $(PKG)-$(REV)
-TAR = v$(REV).tar.gz
-SRC = https://github.com/wolfSSL/$(PKG)/archive/refs/tags/$(TAR)
+SRC = https://github.com/wolfSSL/$(PKG).git
+REV = 0caf3ba456f1 # v4.7.1r + SHA-3 fix
 
 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
 
@@ -13,8 +11,7 @@ CFLAGS = \
 	-DWOLFSSL_DES_ECB \
 	-DHAVE_AES_ECB \
 	-DHAVE_ECC_BRAINPOOL \
-	-DWOLFSSL_MIN_AUTH_TAG_SZ=8 \
-	-DHAVE_EX_DATA
+	-DWOLFSSL_MIN_AUTH_TAG_SZ=8
 
 CONFIG_OPTS = \
 	--disable-crypttests \
@@ -22,35 +19,32 @@ CONFIG_OPTS = \
 	--enable-silent-rules \
 	--enable-aesccm \
 	--enable-aesctr \
-	--enable-ecccustcurves \
-	--enable-curve25519 \
-	--enable-ed25519 \
-	--enable-curve448 \
-	--enable-ed448 \
-	--enable-rsapss \
-	--enable-des3 \
-	--enable-sha3 \
-	--enable-shake256 \
-	--enable-md4 \
 	--enable-camellia \
+	--enable-curve25519 \
+	--enable-curve448 \
+	--enable-des3 \
+	--enable-ecccustcurves \
+	--enable-ed25519 \
+	--enable-ed448 \
 	--enable-keygen \
-	--enable-certgen \
-	--enable-certreq \
-	--enable-certext \
-	--enable-sessioncerts
+	--enable-md4 \
+	--enable-rsapss \
+	--enable-sha3 \
+	--enable-shake256
 
 all: install
 
-$(TAR):
-	wget $(SRC)
-
-.$(PKG)-unpacked-$(REV): $(TAR)
-	[ -d $(DIR) ] || tar xf $(TAR)
+.$(PKG)-cloned:
+	[ -d $(PKG) ] || git clone $(SRC) $(PKG)
 	@touch $@
 
-.$(PKG)-built-$(REV): .$(PKG)-unpacked-$(REV)
-	cd $(DIR) && ./autogen.sh && ./configure C_FLAGS="$(CFLAGS)" $(CONFIG_OPTS) && make -j $(NUM_CPUS)
+.$(PKG)-checkout-$(REV): .$(PKG)-cloned
+	cd $(PKG) && git fetch && git checkout $(REV)
+	@rm -f .$(PKG)-checkout-* && touch $@
+
+.$(PKG)-built-$(REV): .$(PKG)-checkout-$(REV)
+	cd $(PKG) && ./autogen.sh && ./configure C_FLAGS="$(CFLAGS)" $(CONFIG_OPTS) && make -j $(NUM_CPUS)
 	@rm -f .$(PKG)-built-* && touch $@
 
 install: .$(PKG)-built-$(REV)
-	cd $(DIR) && make install && ldconfig
+	cd $(PKG) && make install && ldconfig

testing/scripts/recipes/014_swid_generator.mk

@@ -1,16 +1,20 @@
 #!/usr/bin/make
 
 PKG = swidGenerator
-ZIP = $(PKG)-master.zip
-SRC = https://github.com/strongswan/$(PKG)/archive/master.zip
+REV = v1.1.0
+DIR = $(PKG)-$(REV)
+TAR = $(PKG)-$(REV).tar.gz
+SRC = https://github.com/strongswan/$(PKG)/archive/$(REV).tar.gz
 
 all: install
 
-$(ZIP):
-	wget --ca-directory="/usr/share/ca-certificates/mozilla" $(SRC) -O $(ZIP)
+$(TAR):
+	wget --ca-directory="/usr/share/ca-certificates/mozilla" $(SRC) -O $(TAR)
 
-$(PKG)-master: $(ZIP)
-	unzip $(ZIP)
+.$(PKG)-unpacked-$(REV): $(TAR)
+	# a tag's "v" prefix is not reflected in the directory name in the archive
+	[ -d $(DIR) ] || (mkdir -p $(DIR); tar -xf $(TAR) --strip-components=1 -C $(DIR))
+	@touch $@
 
-install: $(PKG)-master
-	cd $(PKG)-master && python setup.py install
+install: .$(PKG)-unpacked-$(REV)
+	cd $(DIR) && python setup.py install

testing/scripts/recipes/015_strongTNC.mk

@@ -1,8 +1,10 @@
 #!/usr/bin/make
 
 PKG = strongTNC
-ZIP = $(PKG)-master.zip
-SRC = https://github.com/strongswan/$(PKG)/archive/master.zip
+REV = 0.9.9
+DIR = $(PKG)-$(REV)
+ZIP = $(PKG)-$(REV).zip
+SRC = https://github.com/strongswan/$(PKG)/archive/$(REV).zip
 DEPS = $(PKG)-deps
 
 all: install
@@ -10,14 +12,16 @@ all: install
 $(ZIP):
 	wget --ca-directory=/usr/share/ca-certificates/mozilla/ $(SRC) -O $(ZIP)
 
-$(PKG)-master: $(ZIP)
-	unzip -u $(ZIP)
+.$(PKG)-unpacked-$(REV): $(ZIP)
+	[ -d $(DIR) ] || unzip $(ZIP)
+	@touch $@
 
-$(DEPS): $(PKG)-master
+.$(PKG)-deps-$(REV): .$(PKG)-unpacked-$(REV)
 	mkdir -p $(DEPS)
-	pip download -d $(DEPS) -r $(PKG)-master/requirements.txt six
+	pip download -d $(DEPS) -r $(DIR)/requirements.txt six
+	@touch $@
 
-install: $(DEPS)
+install: .$(PKG)-deps-$(REV)
 	# six is required for djangorestframework-camel-case
-	pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(PKG)-master/requirements.txt six
-	cp -r $(PKG)-master /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+sw /var/www/tnc
+	pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(DIR)/requirements.txt six
+	cp -r $(DIR) /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+sw /var/www/tnc

testing/testing.conf

@@ -24,14 +24,14 @@ fi
 : ${TESTDIR=/srv/strongswan-testing}
 
 # Kernel configuration
-: ${KERNELVERSION=5.12.12}
+: ${KERNELVERSION=5.13}
 : ${KERNEL=linux-$KERNELVERSION}
 : ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-5.12}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-5.13}
 : ${KERNELPATCH=ha-5.10-abicompat.patch.bz2}
 
 # strongSwan version used in tests
-: ${SWANVERSION=5.9.3dr4}
+: ${SWANVERSION=5.9.3}
 
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}

testing/tests/ha/active-passive/description.txt

@@ -1,7 +1,7 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to the virtual gateway <b>mars</b> implemented by the two real gateways
 <b>alice</b> and <b>moon</b> in a <b>High Availability</b> (HA) setup 
-based on <b>ClusterIP</b>. The HA synchronisation link between the two
+based on <b>ClusterIP</b>. The HA synchronization link between the two
 gateways is secured by an IPsec transport connection. At the outset
 <b>alice</b> is the active and <b>moon</b> is the passive gateway.
 After <b>alice</b> gets killed <b>moon</b> automatically takes over

testing/tests/ikev2/dhcp-static-mac/description.txt

@@ -1,4 +1,4 @@
-TThe roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
 and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips = 0.0.0.0</b>
 parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS/WINS server
 information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned statically

testing/tests/ikev2/farp/test.conf

@@ -13,7 +13,7 @@ DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS="moon alice"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes