diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2013-04-30 17:51:33 +0200 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2013-04-30 17:51:33 +0200 |
| commit | c83921a2b566aa9d55d8ccc7258f04fca6292ee6 (patch) | |
| tree | 44039788fc816c84d5788df847d1555413ebe55a | |
| parent | 10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 (diff) | |
| download | vyos-strongswan-c83921a2b566aa9d55d8ccc7258f04fca6292ee6.tar.gz vyos-strongswan-c83921a2b566aa9d55d8ccc7258f04fca6292ee6.zip | |
Imported Upstream version 5.0.4
254 files changed, 1712 insertions, 95 deletions
diff --git a/Android.common.mk b/Android.common.mk index 21dbbb9ce..4dce2e3d3 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -15,5 +15,5 @@ add_plugin = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.0.3" +strongswan_VERSION := "5.0.4" diff --git a/Makefile.in b/Makefile.in index a457a4519..61541b2e4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -287,6 +287,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ @@ -1,3 +1,25 @@ +strongswan-5.0.4 +---------------- + +- Fixed a security vulnerability in the openssl plugin which was reported by + Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944. + Before the fix, if the openssl plugin's ECDSA signature verification was used, + due to a misinterpretation of the error code returned by the OpenSSL + ECDSA_verify() function, an empty or zeroed signature was accepted as a + legitimate one. + +- The handling of a couple of other non-security relevant openssl return codes + was fixed as well. + +- The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its + TCG TNC IF-MAP 2.1 interface. + +- The charon.initiator_only option causes charon to ignore IKE initiation + requests. + +- The openssl plugin can now use the openssl-fips library. + + strongswan-5.0.3 ---------------- @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.0.3. +# Generated by GNU Autoconf 2.69 for strongSwan 5.0.4. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.0.3' -PACKAGE_STRING='strongSwan 5.0.3' +PACKAGE_VERSION='5.0.4' +PACKAGE_STRING='strongSwan 5.0.4' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1045,6 +1045,7 @@ ipsecuser systemdsystemunitdir HAVE_SYSTEMD_FALSE HAVE_SYSTEMD_TRUE +fips_mode ipsec_script routing_table_prio routing_table @@ -1140,6 +1141,7 @@ with_linux_headers with_routing_table with_routing_table_prio with_ipsec_script +with_fips_mode with_tss with_capabilities with_mpz_powm_sec @@ -1863,7 +1865,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.0.3 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.0.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1933,7 +1935,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.0.3:";; + short | recursive ) echo "Configuration of strongSwan 5.0.4:";; esac cat <<\_ACEOF @@ -2164,6 +2166,8 @@ Optional Packages: set priority for IPsec routing table (default: 220). --with-ipsec-script=arg change the name of the ipsec script (default: ipsec). + --with-fips-mode=arg set openssl FIPS mode: disabled(0), enabled(1), + Suite B enabled(2) (default: 0). --with-tss=arg set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers" (default: no). @@ -2300,7 +2304,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.0.3 +strongSwan configure 5.0.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2822,7 +2826,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.0.3, which was +It was created by strongSwan $as_me 5.0.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3637,7 +3641,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.0.3' + VERSION='5.0.4' cat >>confdefs.h <<_ACEOF @@ -4070,6 +4074,18 @@ fi +# Check whether --with-fips-mode was given. +if test "${with_fips_mode+set}" = set; then : + withval=$with_fips_mode; fips_mode="$withval" + +else + fips_mode="0" + + +fi + + + # Check whether --with-tss was given. if test "${with_tss+set}" = set; then : @@ -22557,7 +22573,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.0.3, which was +This file was extended by strongSwan $as_me 5.0.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22623,7 +22639,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.0.3 +strongSwan config.status 5.0.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.in b/configure.in index 1e367d094..9a00b6256 100644 --- a/configure.in +++ b/configure.in @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.0.3]) +AC_INIT([strongSwan],[5.0.4]) AM_INIT_AUTOMAKE(tar-ustar) AC_CONFIG_MACRO_DIR([m4/config]) AC_CONFIG_HEADERS([config.h]) @@ -46,6 +46,7 @@ ARG_WITH_SUBST([linux-headers], [\${top_srcdir}/src/include], [set director ARG_WITH_SUBST([routing-table], [220], [set routing table to use for IPsec routes]) ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table]) ARG_WITH_SUBST([ipsec-script], [ipsec], [change the name of the ipsec script]) +ARG_WITH_SUBST([fips-mode], [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)]) ARG_WITH_SET([tss], [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"]) ARG_WITH_SET([capabilities], [no], [set capability dropping library. Currently supported values are "libcap" and "native"]) diff --git a/init/Makefile.in b/init/Makefile.in index 7603fa066..a4e2c4445 100644 --- a/init/Makefile.in +++ b/init/Makefile.in @@ -236,6 +236,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in index 7b95497ab..0486da5e4 100644 --- a/init/systemd/Makefile.in +++ b/init/systemd/Makefile.in @@ -225,6 +225,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ @@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1ubuntu2 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.2ubuntu1 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.2 Debian-2.4.2-1ubuntu2" +VERSION="2.4.2 Debian-2.4.2-1.2ubuntu1" TIMESTAMP="" package_revision=1.3337 diff --git a/m4/config/libtool.m4 b/m4/config/libtool.m4 index 828104cfd..02b4bbec5 100644 --- a/m4/config/libtool.m4 +++ b/m4/config/libtool.m4 @@ -1324,7 +1324,14 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - LD="${LD-ld} -m elf_i386" + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac ;; ppc64-*linux*|powerpc64-*linux*) LD="${LD-ld} -m elf32ppclinux" @@ -1688,7 +1695,8 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else @@ -2512,17 +2520,6 @@ freebsd* | dragonfly*) esac ;; -gnu*) - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no - library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' - soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no - hardcode_into_libs=yes - ;; - haiku*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no @@ -2639,7 +2636,7 @@ linux*oldld* | linux*aout* | linux*coff*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -3255,10 +3252,6 @@ freebsd* | dragonfly*) fi ;; -gnu*) - lt_cv_deplibs_check_method=pass_all - ;; - haiku*) lt_cv_deplibs_check_method=pass_all ;; @@ -3297,7 +3290,7 @@ irix5* | irix6* | nonstopux*) ;; # This must be glibc/ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; @@ -4049,7 +4042,7 @@ m4_if([$1], [CXX], [ ;; esac ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in KCC*) # KAI C++ Compiler @@ -4348,7 +4341,7 @@ m4_if([$1], [CXX], [ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -6241,9 +6234,6 @@ if test "$_lt_caught_CXX_error" != yes; then _LT_TAGVAR(ld_shlibs, $1)=yes ;; - gnu*) - ;; - haiku*) _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' _LT_TAGVAR(link_all_deplibs, $1)=yes @@ -6405,7 +6395,7 @@ if test "$_lt_caught_CXX_error" != yes; then _LT_TAGVAR(inherit_rpath, $1)=yes ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler diff --git a/man/Makefile.in b/man/Makefile.in index daebe3b90..50b7144a1 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -227,6 +227,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5 index 554a6e8ca..981b53dba 100644 --- a/man/ipsec.conf.5 +++ b/man/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "2012-06-26" "5.0.3rc1" "strongSwan" +.TH IPSEC.CONF 5 "2012-06-26" "5.0.4" "strongSwan" .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5 index 0948e5cc9..9b3d19190 100644 --- a/man/ipsec.secrets.5 +++ b/man/ipsec.secrets.5 @@ -1,4 +1,4 @@ -.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.3rc1" "strongSwan" +.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.4" "strongSwan" .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 index 34dfde735..3c820dbf9 100644 --- a/man/strongswan.conf.5 +++ b/man/strongswan.conf.5 @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.3" "strongSwan" +.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.4" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -203,6 +203,9 @@ IKE_SA_INIT DROPPING). Limit new connections based on the number of jobs currently queued for processing (see IKE_SA_INIT DROPPING). .TP +.BR charon.initiator_only " [no]" +Causes charon daemon to ignore IKE initiation requests. +.TP .BR charon.install_routes " [yes]" Install routes into a separate routing table for established IPsec tunnels .TP @@ -777,6 +780,9 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]" ENGINE ID to use in the OpenSSL plugin .TP +.BR libstrongswan.plugins.openssl.fips_mode " [0]" +Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2) +.TP .BR libstrongswan.plugins.pkcs11.modules List of available PKCS#11 modules .TP diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index d483addbd..44fe330e8 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -203,6 +203,9 @@ IKE_SA_INIT DROPPING). Limit new connections based on the number of jobs currently queued for processing (see IKE_SA_INIT DROPPING). .TP +.BR charon.initiator_only " [no]" +Causes charon daemon to ignore IKE initiation requests. +.TP .BR charon.install_routes " [yes]" Install routes into a separate routing table for established IPsec tunnels .TP @@ -777,6 +780,9 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]" ENGINE ID to use in the OpenSSL plugin .TP +.BR libstrongswan.plugins.openssl.fips_mode " [0]" +Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2) +.TP .BR libstrongswan.plugins.pkcs11.modules List of available PKCS#11 modules .TP diff --git a/scripts/Makefile.in b/scripts/Makefile.in index 1aa9c2e60..390c820aa 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -283,6 +283,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/scripts/dnssec.c b/scripts/dnssec.c index 89ea56ea6..315a14618 100644 --- a/scripts/dnssec.c +++ b/scripts/dnssec.c @@ -16,25 +16,47 @@ #include <stdio.h> #include <library.h> +#include <utils/debug.h> + +/** + * Define debug level + */ +static level_t dbg_level = 1; + +static void dbg_dnssec(debug_t group, level_t level, char *fmt, ...) +{ + if ((level <= dbg_level) || level <= 1) + { + va_list args; + + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); + va_end(args); + } +} int main(int argc, char *argv[]) { resolver_t *resolver; resolver_response_t *response; enumerator_t *enumerator; + chunk_t rdata; rr_set_t *rrset; rr_t *rr; - chunk_t chunk; library_init(NULL); atexit(library_deinit); + + dbg = dbg_dnssec; + if (!lib->plugins->load(lib->plugins, NULL, PLUGINS)) { return 1; } if (argc != 2) { - fprintf(stderr, "usage: %s <name>\n", argv[0]); + fprintf(stderr, "usage: dnssec <name>\n"); return 1; } @@ -82,9 +104,7 @@ int main(int argc, char *argv[]) enumerator = rrset->create_rr_enumerator(rrset); while (enumerator->enumerate(enumerator, &rr)) { - printf(" name: "); - printf(rr->get_name(rr)); - printf("\n"); + printf(" name: %s\n", rr->get_name(rr)); } enumerator = rrset->create_rrsig_enumerator(rrset); @@ -93,13 +113,10 @@ int main(int argc, char *argv[]) printf(" RRSIGs for the RRset:\n"); while (enumerator->enumerate(enumerator, &rr)) { - printf(" name: "); - printf(rr->get_name(rr)); - printf("\n RDATA: "); - chunk = rr->get_rdata(rr); - chunk = chunk_to_hex(chunk, NULL, TRUE); - printf(chunk.ptr); - printf("\n"); + rdata = rr->get_rdata(rr); + + printf(" name: %s\n", rr->get_name(rr)); + printf(" RDATA: %#B\n", &rdata); } } diff --git a/src/Makefile.in b/src/Makefile.in index a40a82cd8..d9227f5f3 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -265,6 +265,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 87f4c4f95..8908c9856 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -218,6 +218,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index ad03d7d92..312ee3e47 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -229,6 +229,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index c079690ac..2b959d109 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -229,6 +229,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in index b5c4e3f45..e26dd5586 100644 --- a/src/charon-nm/Makefile.in +++ b/src/charon-nm/Makefile.in @@ -224,6 +224,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in index 74e842115..ebca82f7d 100644 --- a/src/charon-tkm/Makefile.in +++ b/src/charon-tkm/Makefile.in @@ -195,6 +195,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index a617874b7..941fff697 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -222,6 +222,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index 1405fcd05..9f6945087 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -18,7 +18,7 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon AM_CFLAGS = \ - -DPLUGINDIR=\"${plugindir}\" \ + -DPLUGINDIR=\"${DESTDIR}${plugindir}\" \ -rdynamic # we keep track of build dependencies in deps and use libs to store the paths diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index cdb82f2b1..ac2787473 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -285,6 +285,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ @@ -373,8 +374,8 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon -AM_CFLAGS = -DPLUGINDIR=\"${plugindir}\" -rdynamic $(am__append_1) \ - $(am__append_4) $(am__append_22) +AM_CFLAGS = -DPLUGINDIR=\"${DESTDIR}${plugindir}\" -rdynamic \ + $(am__append_1) $(am__append_4) $(am__append_22) # we keep track of build dependencies in deps and use libs to store the paths # to the installed libraries. for executables we use the built files directly diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in index 978402e65..11b20e3a3 100644 --- a/src/conftest/Makefile.in +++ b/src/conftest/Makefile.in @@ -233,6 +233,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index e8f5cf9af..86b0822a7 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -257,6 +257,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index f2b94cf0c..b52639bb8 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -195,6 +195,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 6849592e8..fe65cc484 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -229,6 +229,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index ad2997471..0dbaf937b 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2012-06-19" "5.0.3rc1" "strongSwan" +.TH IPSEC 8 "2012-06-19" "5.0.4" "strongSwan" .SH NAME ipsec \- invoke IPsec utilities .SH SYNOPSIS diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index e772528d1..f55db9379 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -698,6 +698,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index b5cdaaa89..0db5a8a9c 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -759,6 +759,33 @@ METHOD(bus_t, narrow, void, this->mutex->unlock(this->mutex); } +METHOD(bus_t, assign_vips, void, + private_bus_t *this, ike_sa_t *ike_sa, bool assign) +{ + enumerator_t *enumerator; + entry_t *entry; + bool keep; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->assign_vips) + { + continue; + } + entry->calling++; + keep = entry->listener->assign_vips(entry->listener, ike_sa, assign); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + METHOD(bus_t, destroy, void, private_bus_t *this) { @@ -807,6 +834,7 @@ bus_t *bus_create() .child_rekey = _child_rekey, .authorize = _authorize, .narrow = _narrow, + .assign_vips = _assign_vips, .destroy = _destroy, }, .listeners = linked_list_create(), diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h index 18d57bce1..75244d6bf 100644 --- a/src/libcharon/bus/bus.h +++ b/src/libcharon/bus/bus.h @@ -386,6 +386,14 @@ struct bus_t { void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new); /** + * Virtual IP assignment hook. + * + * @param ike_sa IKE_SA the VIPs are assigned to + * @param assign TRUE if assigned to IKE_SA, FALSE if released + */ + void (*assign_vips)(bus_t *this, ike_sa_t *ike_sa, bool assign); + + /** * Destroy the event bus. */ void (*destroy) (bus_t *this); diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index 782289302..ef4daced2 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h @@ -190,6 +190,19 @@ struct listener_t { */ bool (*narrow)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, narrow_hook_t type, linked_list_t *local, linked_list_t *remote); + + /** + * Virtual IP address assignment hook + * + * This hook gets invoked when a a Virtual IP address is assigned to an + * IKE_SA (assign = TRUE) and again when it is released (assign = FALSE) + * + * @param ike_sa IKE_SA the VIPs are assigned to + * @param assign TRUE if assigned to IKE_SA, FALSE if released + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*assign_vips)(listener_t *this, ike_sa_t *ike_sa, bool assign); + }; #endif /** LISTENER_H_ @}*/ diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c index 6b2c2bf5b..2ca721a85 100644 --- a/src/libcharon/network/receiver.c +++ b/src/libcharon/network/receiver.c @@ -148,6 +148,12 @@ struct private_receiver_t { * Delay response messages? */ bool receive_delay_response; + + /** + * Endpoint is allowed to act as an initiator only + */ + bool initiator_only; + }; /** @@ -541,7 +547,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) if (message->get_request(message) && message->get_exchange_type(message) == IKE_SA_INIT) { - if (drop_ike_sa_init(this, message)) + if (this->initiator_only || drop_ike_sa_init(this, message)) { message->destroy(message); return JOB_REQUEUE_DIRECT; @@ -552,7 +558,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) { id = message->get_ike_sa_id(message); if (id->get_responder_spi(id) == 0 && - drop_ike_sa_init(this, message)) + (this->initiator_only || drop_ike_sa_init(this, message))) { message->destroy(message); return JOB_REQUEUE_DIRECT; @@ -650,6 +656,8 @@ receiver_t *receiver_create() "%s.receive_delay_request", TRUE, charon->name), this->receive_delay_response = lib->settings->get_bool(lib->settings, "%s.receive_delay_response", TRUE, charon->name), + this->initiator_only = lib->settings->get_bool(lib->settings, + "%s.initiator_only", FALSE, charon->name), this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); if (!this->hasher) diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 52cd6186e..7b2b19bcc 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in index 4a76714d2..41f42ffec 100644 --- a/src/libcharon/plugins/android_dns/Makefile.in +++ b/src/libcharon/plugins/android_dns/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in index 73459ac92..698935436 100644 --- a/src/libcharon/plugins/android_log/Makefile.in +++ b/src/libcharon/plugins/android_log/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in index 6868c52a1..72e2ad601 100644 --- a/src/libcharon/plugins/certexpire/Makefile.in +++ b/src/libcharon/plugins/certexpire/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in index e191dc6c7..886624123 100644 --- a/src/libcharon/plugins/coupling/Makefile.in +++ b/src/libcharon/plugins/coupling/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index 717180379..504aa5f93 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in index d1b5dfbe6..f4efc5f6e 100644 --- a/src/libcharon/plugins/duplicheck/Makefile.in +++ b/src/libcharon/plugins/duplicheck/Makefile.in @@ -259,6 +259,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 4d162b4eb..99ec32471 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index 947b58f01..0ddc9915b 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in index 1789b28e9..0579c4989 100644 --- a/src/libcharon/plugins/eap_dynamic/Makefile.in +++ b/src/libcharon/plugins/eap_dynamic/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 5241a5c7d..95837fc3a 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index e8d2e2b64..3eb99bb89 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 1a31f27f1..6dd09c55d 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index 930f87013..97e03fde9 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in index c0411cb1e..ae8a289bf 100644 --- a/src/libcharon/plugins/eap_peap/Makefile.in +++ b/src/libcharon/plugins/eap_peap/Makefile.in @@ -253,6 +253,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index a686dde90..aa2cf3da5 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index 59340df01..c9e1cdaad 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -85,6 +85,11 @@ struct private_eap_radius_t { * Handle the Filter-Id attribute as IPsec CHILD_SA name? */ bool filter_id; + + /** + * Format string we use for Called/Calling-Station-Id for a host + */ + char *station_id_fmt; }; /** @@ -200,10 +205,10 @@ static void add_radius_request_attrs(private_eap_radius_t *this, default: break; } - snprintf(buf, sizeof(buf), "%#H", host); + snprintf(buf, sizeof(buf), this->station_id_fmt, host); request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf)); host = ike_sa->get_other_host(ike_sa); - snprintf(buf, sizeof(buf), "%#H", host); + snprintf(buf, sizeof(buf), this->station_id_fmt, host); request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf)); } @@ -591,6 +596,15 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer "%s.plugins.eap-radius.filter_id", FALSE, charon->name), ); + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name)) + { + this->station_id_fmt = "%#H"; + } + else + { + this->station_id_fmt = "%H"; + } this->client = eap_radius_create_client(); if (!this->client) { diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index ec78c8ef2..e9843470a 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -51,6 +51,11 @@ struct private_eap_radius_accounting_t { * Session ID prefix */ u_int32_t prefix; + + /** + * Format string we use for Called/Calling-Station-Id for a host + */ + char *station_id_fmt; }; /** @@ -195,7 +200,8 @@ static bool send_message(private_eap_radius_accounting_t *this, /** * Add common IKE_SA parameters to RADIUS account message */ -static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa) +static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, + radius_message_t *message, ike_sa_t *ike_sa) { enumerator_t *enumerator; host_t *vip, *host; @@ -227,10 +233,10 @@ static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa) default: break; } - snprintf(buf, sizeof(buf), "%#H", host); + snprintf(buf, sizeof(buf), this->station_id_fmt, host); message->add(message, RAT_CALLED_STATION_ID, chunk_from_str(buf)); host = ike_sa->get_other_host(ike_sa); - snprintf(buf, sizeof(buf), "%#H", host); + snprintf(buf, sizeof(buf), this->station_id_fmt, host); message->add(message, RAT_CALLING_STATION_ID, chunk_from_str(buf)); snprintf(buf, sizeof(buf), "%Y", ike_sa->get_other_eap_id(ike_sa)); @@ -364,7 +370,7 @@ static job_requeue_t send_interim(interim_data_t *data) message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); - add_ike_sa_parameters(message, ike_sa); + add_ike_sa_parameters(this, message, ike_sa); value = htonl(bytes_out); message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); @@ -454,7 +460,7 @@ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) schedule_interim(this, entry); this->mutex->unlock(this->mutex); - add_ike_sa_parameters(message, ike_sa); + add_ike_sa_parameters(this, message, ike_sa); if (!send_message(this, message)) { eap_radius_handle_timeout(ike_sa->get_id(ike_sa)); @@ -486,7 +492,7 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); - add_ike_sa_parameters(message, ike_sa); + add_ike_sa_parameters(this, message, ike_sa); value = htonl(entry->bytes.sent); message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); @@ -679,7 +685,15 @@ eap_radius_accounting_t *eap_radius_accounting_create() (hashtable_equals_t)equals, 32), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); - + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name)) + { + this->station_id_fmt = "%#H"; + } + else + { + this->station_id_fmt = "%H"; + } if (lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.accounting", FALSE, charon->name)) { diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 3baf46731..e186cb0fe 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c @@ -105,7 +105,7 @@ static void load_configs(private_eap_radius_plugin_t *this) "%s.plugins.eap-radius.secret", NULL, charon->name); if (!secret) { - DBG1(DBG_CFG, "no RADUIS secret defined"); + DBG1(DBG_CFG, "no RADIUS secret defined"); return; } nas_identifier = lib->settings->get_str(lib->settings, diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index e4657bb64..9c183bc29 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 5816de4ef..f0eaf8766 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in index 2876af72f..18cce4e2c 100644 --- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in +++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in @@ -255,6 +255,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 6f2467fad..bc0c77f43 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -255,6 +255,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index 366c554d7..b01e4b973 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index 0b63da04e..1937428ec 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -253,6 +253,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index bc7157e6b..5c2a94ae0 100644 --- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index 30a858102..a687e8b3d 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in index df5bc442e..2a4fd35fe 100644 --- a/src/libcharon/plugins/eap_ttls/Makefile.in +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in index ba7ec3ecf..b06fdf430 100644 --- a/src/libcharon/plugins/error_notify/Makefile.in +++ b/src/libcharon/plugins/error_notify/Makefile.in @@ -260,6 +260,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 2596f9f20..5dbc49939 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index 466cce320..ae99e143f 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in index fd50854fc..f204b7236 100644 --- a/src/libcharon/plugins/ipseckey/Makefile.in +++ b/src/libcharon/plugins/ipseckey/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index f10dbb96f..5296fc0f2 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index e382b266c..189116bb5 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -262,6 +262,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in index 3b7d3247c..24eb31feb 100644 --- a/src/libcharon/plugins/lookip/Makefile.in +++ b/src/libcharon/plugins/lookip/Makefile.in @@ -257,6 +257,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in index 2e511a0a8..c907e9e2d 100644 --- a/src/libcharon/plugins/maemo/Makefile.in +++ b/src/libcharon/plugins/maemo/Makefile.in @@ -253,6 +253,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index af003c463..283b0401f 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index f679b11f1..770cd8ce0 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in index 84faa1db6..e3b359174 100644 --- a/src/libcharon/plugins/radattr/Makefile.in +++ b/src/libcharon/plugins/radattr/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 72f7deead..0edca4959 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index e73d2003a..2e04d6627 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 855c307a8..a12e4a893 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 95fe34802..96f83b4d1 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 77497e2b9..7d1100c08 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -253,6 +253,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in index 56dc0b366..ab4d1b9ad 100644 --- a/src/libcharon/plugins/systime_fix/Makefile.in +++ b/src/libcharon/plugins/systime_fix/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in index 96912c618..ed3775e9d 100644 --- a/src/libcharon/plugins/tnc_ifmap/Makefile.in +++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in @@ -255,6 +255,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c index 4b2538e34..4ad19c530 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c @@ -71,8 +71,8 @@ static bool publish_device_ip_addresses(private_tnc_ifmap_listener_t *this) */ static bool reload_metadata(private_tnc_ifmap_listener_t *this) { - enumerator_t *enumerator; ike_sa_t *ike_sa; + enumerator_t *enumerator; bool success = TRUE; enumerator = charon->controller->create_ike_sa_enumerator( @@ -83,7 +83,8 @@ static bool reload_metadata(private_tnc_ifmap_listener_t *this) { continue; } - if (!this->ifmap->publish_ike_sa(this->ifmap, ike_sa, TRUE)) + if (!this->ifmap->publish_ike_sa(this->ifmap, ike_sa, TRUE) || + !this->ifmap->publish_virtual_ips(this->ifmap, ike_sa, TRUE)) { success = FALSE; break; @@ -104,6 +105,13 @@ METHOD(listener_t, ike_updown, bool, return TRUE; } +METHOD(listener_t, assign_vips, bool, + private_tnc_ifmap_listener_t *this, ike_sa_t *ike_sa, bool assign) +{ + this->ifmap->publish_virtual_ips(this->ifmap, ike_sa, assign); + return TRUE; +} + METHOD(listener_t, alert, bool, private_tnc_ifmap_listener_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args) @@ -144,6 +152,7 @@ tnc_ifmap_listener_t *tnc_ifmap_listener_create(bool reload) .public = { .listener = { .ike_updown = _ike_updown, + .assign_vips = _assign_vips, .alert = _alert, }, .destroy = _destroy, diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c index 8d5da5812..df7d2e2a1 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c @@ -579,6 +579,55 @@ METHOD(tnc_ifmap_soap_t, publish_device_ip, bool, return success; } +METHOD(tnc_ifmap_soap_t, publish_virtual_ips, bool, + private_tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, bool assign) +{ + tnc_ifmap_soap_msg_t *soap_msg; + xmlNodePtr request, node; + u_int32_t ike_sa_id; + enumerator_t *enumerator; + host_t *vip; + bool success; + + /* extract relevant data from IKE_SA*/ + ike_sa_id = ike_sa->get_unique_id(ike_sa); + + /* build publish request */ + request = create_publish_request(this); + + enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE); + while (enumerator->enumerate(enumerator, &vip)) + { + /** + * update or delete access-request-ip metadata for a virtual IP address + */ + if (assign) + { + node = xmlNewNode(NULL, "update"); + } + else + { + node = create_delete_filter(this, "access-request-ip"); + } + xmlAddChild(request, node); + + /* add access-request, virtual ip-address and [if assign] metadata */ + xmlAddChild(node, create_access_request(this, ike_sa_id)); + xmlAddChild(node, create_ip_address(this, vip)); + if (assign) + { + xmlAddChild(node, create_metadata(this, "access-request-ip")); + } + } + enumerator->destroy(enumerator); + + soap_msg = tnc_ifmap_soap_msg_create(this->uri, this->user_pass, this->tls); + success = soap_msg->post(soap_msg, request, "publishReceived", NULL); + soap_msg->destroy(soap_msg); + + return success; +} + METHOD(tnc_ifmap_soap_t, publish_enforcement_report, bool, private_tnc_ifmap_soap_t *this, host_t *host, char *action, char *reason) { @@ -851,6 +900,7 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create() .purgePublisher = _purgePublisher, .publish_ike_sa = _publish_ike_sa, .publish_device_ip = _publish_device_ip, + .publish_virtual_ips = _publish_virtual_ips, .publish_enforcement_report = _publish_enforcement_report, .endSession = _endSession, .get_session_id = _get_session_id, diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h index 4a0434a54..fbc65a2b1 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.h @@ -56,7 +56,7 @@ struct tnc_ifmap_soap_t { /** * Publish metadata about established/deleted IKE_SAs * - * @param ike_sa IKE_SA for which metadate is published + * @param ike_sa IKE_SA for which metadata is published * @param up TRUE if IKE_SEA is up, FALSE if down * @return TRUE if command was successful */ @@ -71,6 +71,16 @@ struct tnc_ifmap_soap_t { bool (*publish_device_ip)(tnc_ifmap_soap_t *this, host_t *host); /** + * Publish Virtual IP access-request-ip metadata + * + * @param ike_sa IKE_SA for which Virtual IP metadata is published + * @param assign TRUE if assigned, FALSE if removed + * @return TRUE if command was successful + */ + bool (*publish_virtual_ips)(tnc_ifmap_soap_t *this, ike_sa_t *ike_sa, + bool assign); + + /** * Publish enforcement-report metadata * * @param host Host to be enforced diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in index 4e0a18310..7fb2e563c 100644 --- a/src/libcharon/plugins/tnc_imc/Makefile.in +++ b/src/libcharon/plugins/tnc_imc/Makefile.in @@ -253,6 +253,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in index 37964757f..8b175a993 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.in +++ b/src/libcharon/plugins/tnc_imv/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in index 0db60a288..87e6ed928 100644 --- a/src/libcharon/plugins/tnc_pdp/Makefile.in +++ b/src/libcharon/plugins/tnc_pdp/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/tnc_tnccs/Makefile.in b/src/libcharon/plugins/tnc_tnccs/Makefile.in index 7ca6df3c8..4179dcaae 100644 --- a/src/libcharon/plugins/tnc_tnccs/Makefile.in +++ b/src/libcharon/plugins/tnc_tnccs/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in index c74704f2d..19538feb0 100644 --- a/src/libcharon/plugins/tnccs_11/Makefile.in +++ b/src/libcharon/plugins/tnccs_11/Makefile.in @@ -260,6 +260,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in index f0cb9fa54..3c9a34a2f 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.in +++ b/src/libcharon/plugins/tnccs_20/Makefile.in @@ -258,6 +258,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in index 5f375516b..820870dd7 100644 --- a/src/libcharon/plugins/tnccs_dynamic/Makefile.in +++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index b8e03e0a8..6c5be9830 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 175cece27..8b5b98db5 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in @@ -255,6 +255,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in index 4a9a81847..85c5fc97e 100644 --- a/src/libcharon/plugins/unity/Makefile.in +++ b/src/libcharon/plugins/unity/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c index 9d145b93f..3dec7a3b6 100644 --- a/src/libcharon/plugins/unity/unity_handler.c +++ b/src/libcharon/plugins/unity/unity_handler.c @@ -190,8 +190,6 @@ static job_requeue_t add_exclude_async(entry_t *entry) child_cfg->add_traffic_selector(child_cfg, TRUE, traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0, 65535)); - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE); while (enumerator->enumerate(enumerator, &host)) { @@ -200,6 +198,7 @@ static job_requeue_t add_exclude_async(entry_t *entry) 32, 0, 0, 65535)); } enumerator->destroy(enumerator); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); charon->shunts->install(charon->shunts, child_cfg); child_cfg->destroy(child_cfg); diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index 25505db0b..f40eab065 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in index ca3c027ae..7c6f8cd06 100644 --- a/src/libcharon/plugins/whitelist/Makefile.in +++ b/src/libcharon/plugins/whitelist/Makefile.in @@ -259,6 +259,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in index 0a74b2926..aecc871f4 100644 --- a/src/libcharon/plugins/xauth_eap/Makefile.in +++ b/src/libcharon/plugins/xauth_eap/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in index 7348ab8de..a7088a2d0 100644 --- a/src/libcharon/plugins/xauth_generic/Makefile.in +++ b/src/libcharon/plugins/xauth_generic/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in index c8f7a6a33..358875197 100644 --- a/src/libcharon/plugins/xauth_noauth/Makefile.in +++ b/src/libcharon/plugins/xauth_noauth/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in index 0538a028f..34ebb37b9 100644 --- a/src/libcharon/plugins/xauth_pam/Makefile.in +++ b/src/libcharon/plugins/xauth_pam/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 8c4dabd81..63c04d9c0 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -776,6 +776,10 @@ METHOD(ike_sa_t, clear_virtual_ips, void, linked_list_t *vips = local ? this->my_vips : this->other_vips; host_t *vip; + if (!local && vips->get_count(vips)) + { + charon->bus->assign_vips(charon->bus, &this->public, FALSE); + } while (vips->remove_first(vips, (void**)&vip) == SUCCESS) { if (local) @@ -2105,6 +2109,10 @@ METHOD(ike_sa_t, destroy, void, vip->destroy(vip); } this->my_vips->destroy(this->my_vips); + if (this->other_vips->get_count(this->other_vips)) + { + charon->bus->assign_vips(charon->bus, &this->public, FALSE); + } while (this->other_vips->remove_last(this->other_vips, (void**)&vip) == SUCCESS) { diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c index d637c26fe..17132feee 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_config.c +++ b/src/libcharon/sa/ikev2/tasks/ike_config.c @@ -387,6 +387,8 @@ METHOD(task_t, build_r, status_t, pools->destroy(pools); return SUCCESS; } + charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE); + if (pools->get_count(pools) && !this->vips->get_count(this->vips)) { DBG1(DBG_IKE, "expected a virtual IP request, sending %N", diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index 2733a91b4..cadf76d8f 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in index 4504822ad..395b55aca 100644 --- a/src/libhydra/Makefile.in +++ b/src/libhydra/Makefile.in @@ -300,6 +300,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in index cb2cf1eaf..113a66039 100644 --- a/src/libhydra/plugins/attr/Makefile.in +++ b/src/libhydra/plugins/attr/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in index 155db8581..0d7d55790 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.in +++ b/src/libhydra/plugins/attr_sql/Makefile.in @@ -261,6 +261,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in index 514bb402a..5bc67de27 100644 --- a/src/libhydra/plugins/kernel_klips/Makefile.in +++ b/src/libhydra/plugins/kernel_klips/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index b5a327906..9702010bb 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -253,6 +253,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in index c9d4be0fd..b00f74473 100644 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.in +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in index ad3ca468a..a4895df2a 100644 --- a/src/libhydra/plugins/kernel_pfroute/Makefile.in +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in index 509479c81..1e5ff16b7 100644 --- a/src/libhydra/plugins/resolve/Makefile.in +++ b/src/libhydra/plugins/resolve/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index d9a27c12d..f560a5230 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -300,6 +300,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index 3f1a5fe32..351e659ad 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -247,6 +247,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index bd5e97065..7ac9e0812 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in +++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -247,6 +247,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index 9e541e0e9..1a3e64e38 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in @@ -247,6 +247,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index b4e2a3a4f..e375f7cbb 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c index dff414497..a7f9f2eed 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.c +++ b/src/libimcv/plugins/imv_os/imv_os_database.c @@ -206,6 +206,7 @@ METHOD(imv_os_database_t, get_device_id, int, e->destroy(e); return id; } + e->destroy(e); /* register new device ID in database and return primary key */ return (this->db->execute(this->db, &id, diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index 8a4460bee..cfd4463a2 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -247,6 +247,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in index 946fffc45..4cf92ddf5 100644 --- a/src/libimcv/plugins/imv_test/Makefile.in +++ b/src/libimcv/plugins/imv_test/Makefile.in @@ -247,6 +247,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in index 7a64713a7..24940df7c 100644 --- a/src/libipsec/Makefile.in +++ b/src/libipsec/Makefile.in @@ -284,6 +284,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in index 1420a95dc..f0b89c68f 100644 --- a/src/libpts/Makefile.in +++ b/src/libpts/Makefile.in @@ -303,6 +303,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in index 181dbc272..c30945b79 100644 --- a/src/libpts/plugins/imc_attestation/Makefile.in +++ b/src/libpts/plugins/imc_attestation/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in index 2e75807b4..153865d30 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.in +++ b/src/libpts/plugins/imv_attestation/Makefile.in @@ -260,6 +260,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 81445acbf..b2116c0ff 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -847,6 +847,7 @@ METHOD(attest_db_t, list_devices, void, if (e_ar) { e_ar->enumerate(e_ar, &ar_id_type, &ar_id_value); + ar_id_value = chunk_clone(ar_id_value); e_ar->destroy(e_ar); } } @@ -854,6 +855,7 @@ METHOD(attest_db_t, list_devices, void, { printf(" %.*s", (int)ar_id_value.len, ar_id_value.ptr); } + last_ar_id = ar_id; } printf("\n"); } @@ -973,8 +975,8 @@ METHOD(attest_db_t, list_packages, void, enumerator_t *e; char *package, *version; os_package_state_t security; - int gid, gid_old = 0, spaces, count = 0; - time_t t; + int gid, gid_old = 0, spaces, count = 0, t; + time_t timestamp; if (this->pid) { @@ -1000,7 +1002,8 @@ METHOD(attest_db_t, list_packages, void, printf(" "); } } - printf(" %T (%s)%N\n", &t, this->utc, version, + timestamp = t; + printf(" %T (%s)%N\n", ×tamp, this->utc, version, os_package_state_names, security); count++; } diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in index aec424f1a..89e2b5a3f 100644 --- a/src/libpttls/Makefile.in +++ b/src/libpttls/Makefile.in @@ -244,6 +244,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h index 1a23a119e..fb1d08097 100644 --- a/src/libpttls/sasl/sasl_mechanism.h +++ b/src/libpttls/sasl/sasl_mechanism.h @@ -14,6 +14,9 @@ */ /** + * @defgroup sasl sasl + * @ingroup pt_tls + * * @defgroup sasl_mechanism sasl_mechanism * @{ @ingroup sasl */ diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in index efccbe905..4dabbbdbc 100644 --- a/src/libradius/Makefile.in +++ b/src/libradius/Makefile.in @@ -244,6 +244,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index 4ed190cf3..a2ccc28e3 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -244,6 +244,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 15219c4f3..5435de406 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -514,6 +514,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index 819c6808e..4dec61203 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -150,6 +150,51 @@ static bool equals(char *a, char *b) return streq(a, b); } +/** + * Write magic to memory, and try to clear it with memwipe() + */ +__attribute__((noinline)) +static void do_magic(int magic, int **stack) +{ + int buf[32], i; + + /* tell caller where callee stack is (but don't point to buf) */ + *stack = &i; + for (i = 0; i < countof(buf); i++) + { + buf[i] = magic; + } + /* passing buf to dbg should make sure the compiler can't optimize out buf. + * we use directly dbg(3), as DBG3() might be stripped with DEBUG_LEVEL. */ + dbg(DBG_LIB, 3, "memwipe() pre: %b", buf, sizeof(buf)); + memwipe(buf, sizeof(buf)); +} + +/** + * Check if memwipe works as expected + */ +static bool check_memwipe() +{ + int magic = 0xCAFEBABE, *ptr, *deeper, i, stackdir = 1; + + do_magic(magic, &deeper); + + ptr = &magic; + if (deeper < ptr) + { /* stack grows down */ + stackdir = -1; + } + for (i = 0; i < 128; i++) + { + ptr = ptr + stackdir; + if (*ptr == magic) + { + return FALSE; + } + } + return TRUE; +} + /* * see header file */ @@ -221,6 +266,12 @@ bool library_init(char *settings) this->public.scheduler = scheduler_create(); this->public.plugins = plugin_loader_create(); + if (!check_memwipe()) + { + DBG1(DBG_LIB, "memwipe() check failed"); + return FALSE; + } + if (lib->settings->get_bool(lib->settings, "libstrongswan.integrity_test", FALSE)) { @@ -239,4 +290,3 @@ bool library_init(char *settings) return !this->integrity_failed; } - diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 6010b9c9c..71e25a6a1 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in index aab2cd847..eff6aec83 100644 --- a/src/libstrongswan/plugins/af_alg/Makefile.in +++ b/src/libstrongswan/plugins/af_alg/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index e7280adcb..b17a69a76 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 2727a55b1..9c0390c96 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in index 311f04b87..ee7f386dd 100644 --- a/src/libstrongswan/plugins/ccm/Makefile.in +++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in index b771d76d9..12131c65c 100644 --- a/src/libstrongswan/plugins/cmac/Makefile.in +++ b/src/libstrongswan/plugins/cmac/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in index e01f1397e..72517e9a1 100644 --- a/src/libstrongswan/plugins/constraints/Makefile.in +++ b/src/libstrongswan/plugins/constraints/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index 7d930d7aa..18abf3a38 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index ace838923..73f180c29 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index 8a8e8fe66..22241cccd 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index c30dcb530..402143106 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 6a34c8a7b..878713157 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index a690613e4..660813f25 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index f866cbb1f..3716a09fe 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index 13fcd7ab5..74c19a734 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index 59c15f7c0..cc4e8b108 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 11755b04c..0b8e68e4e 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index fd25eb78a..3243b2643 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index e22be6523..68a4244ba 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index d054952bd..5e73813d5 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in index 4f651a8f8..bd04ab901 100644 --- a/src/libstrongswan/plugins/nonce/Makefile.in +++ b/src/libstrongswan/plugins/nonce/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index e71567311..0ca27983f 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -1,7 +1,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -rdynamic +AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode} if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-openssl.la diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index 5eca47a1c..ba45e4bbc 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -256,6 +256,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ @@ -326,7 +327,7 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -rdynamic +AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode} @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-openssl.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-openssl.la libstrongswan_openssl_la_SOURCES = \ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index c8a45f79a..38cc8bedf 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c @@ -124,7 +124,7 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this, if (openssl_hash_chunk(nid_hash, data, &hash)) { valid = ECDSA_verify(0, hash.ptr, hash.len, - signature.ptr, signature.len, this->ec); + signature.ptr, signature.len, this->ec) == 1; free(hash.ptr); } return valid; diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 915082234..ce6610ad6 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -457,6 +457,25 @@ METHOD(plugin_t, destroy, void, plugin_t *openssl_plugin_create() { private_openssl_plugin_t *this; + int fips_mode; + + fips_mode = lib->settings->get_int(lib->settings, + "libstrongswan.plugins.openssl.fips_mode", FIPS_MODE); +#ifdef OPENSSL_FIPS + if (!FIPS_mode_set(fips_mode)) + { + DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode); + return NULL; + } + DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode, + fips_mode ? "en" : "dis"); +#else + DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode); + if (fips_mode) + { + return NULL; + } +#endif INIT(this, .public = { diff --git a/src/libstrongswan/plugins/openssl/openssl_rng.c b/src/libstrongswan/plugins/openssl/openssl_rng.c index d3d64f5e8..10db6293a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rng.c +++ b/src/libstrongswan/plugins/openssl/openssl_rng.c @@ -57,7 +57,7 @@ METHOD(rng_t, get_bytes, bool, { ret = RAND_pseudo_bytes((char*)buffer, bytes); } - return ret != 0; + return ret == 1; } METHOD(rng_t, allocate_bytes, bool, diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index fb86a6bf1..036f53d23 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -428,7 +428,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, if (blob.ptr) { this->rsa = d2i_RSAPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len); - if (this->rsa && RSA_check_key(this->rsa)) + if (this->rsa && RSA_check_key(this->rsa) == 1) { return &this->public; } @@ -450,7 +450,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, this->rsa->dmq1 = BN_bin2bn((const u_char*)exp2.ptr, exp2.len, NULL); } this->rsa->iqmp = BN_bin2bn((const u_char*)coeff.ptr, coeff.len, NULL); - if (RSA_check_key(this->rsa)) + if (RSA_check_key(this->rsa) == 1) { return &this->public; } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index bf71d7901..48beedef6 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -48,8 +48,6 @@ struct private_openssl_rsa_public_key_t { refcount_t ref; }; - - /** * Verification of an EMPSA PKCS1 signature described in PKCS#1 */ @@ -67,12 +65,17 @@ static bool verify_emsa_pkcs1_signature(private_openssl_rsa_public_key_t *this, if (type == NID_undef) { - chunk_t hash = chunk_alloc(rsa_size); + char *buf; + int len; - hash.len = RSA_public_decrypt(signature.len, signature.ptr, hash.ptr, - this->rsa, RSA_PKCS1_PADDING); - valid = chunk_equals(data, hash); - free(hash.ptr); + buf = malloc(rsa_size); + len = RSA_public_decrypt(signature.len, signature.ptr, buf, this->rsa, + RSA_PKCS1_PADDING); + if (len != -1) + { + valid = chunk_equals(data, chunk_create(buf, len)); + } + free(buf); } else { diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c index 8c00e6a57..446c93e2b 100644 --- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c @@ -42,7 +42,14 @@ struct private_openssl_sha1_prf_t { METHOD(prf_t, get_bytes, bool, private_openssl_sha1_prf_t *this, chunk_t seed, u_int8_t *bytes) { +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + if (!SHA1_Update(&this->ctx, seed.ptr, seed.len)) + { + return FALSE; + } +#else /* OPENSSL_VERSION_NUMBER < 1.0 */ SHA1_Update(&this->ctx, seed.ptr, seed.len); +#endif if (bytes) { @@ -84,7 +91,14 @@ METHOD(prf_t, get_key_size, size_t, METHOD(prf_t, set_key, bool, private_openssl_sha1_prf_t *this, chunk_t key) { +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + if (!SHA1_Init(&this->ctx)) + { + return FALSE; + } +#else /* OPENSSL_VERSION_NUMBER < 1.0 */ SHA1_Init(&this->ctx); +#endif if (key.len % 4) { diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index e9ac1d5e3..a82e8d578 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index bb346b373..fa7e3891e 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index a96c6259f..897adfcc7 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index b4e78cd37..18af15599 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index aab1ae9de..90a0ae97c 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in @@ -253,6 +253,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in index 38781d34d..a4ef63364 100644 --- a/src/libstrongswan/plugins/pkcs7/Makefile.in +++ b/src/libstrongswan/plugins/pkcs7/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in index ea62a7d44..879020383 100644 --- a/src/libstrongswan/plugins/pkcs8/Makefile.in +++ b/src/libstrongswan/plugins/pkcs8/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 2b54fd426..cecba00ba 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 12eaa8a47..4909f4c8a 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in index e2d9e1a6b..b611821a8 100644 --- a/src/libstrongswan/plugins/rdrand/Makefile.in +++ b/src/libstrongswan/plugins/rdrand/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index c0008c5b4..bc92c6ed1 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -252,6 +252,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 0308e1b26..4cb0a0907 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 3d4e915b2..09fed2bdb 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in index 035747700..8220dcaff 100644 --- a/src/libstrongswan/plugins/soup/Makefile.in +++ b/src/libstrongswan/plugins/soup/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 1a9b21407..580cae7f1 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 6cce8686b..f468cc3fd 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -257,6 +257,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in index f1a37bb03..4dfb2f31c 100644 --- a/src/libstrongswan/plugins/unbound/Makefile.in +++ b/src/libstrongswan/plugins/unbound/Makefile.in @@ -251,6 +251,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index a0fcfd8ad..0e5520149 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -250,6 +250,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index 8730ba3fa..a679ce313 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -248,6 +248,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index a98c5a6d6..fa910ecca 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in @@ -254,6 +254,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in index 46f92341b..58ddf401c 100644 --- a/src/libtnccs/Makefile.in +++ b/src/libtnccs/Makefile.in @@ -244,6 +244,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in index d7b4660fb..320faf616 100644 --- a/src/libtncif/Makefile.in +++ b/src/libtncif/Makefile.in @@ -216,6 +216,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 4ed11faca..029df6120 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -265,6 +265,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 829915407..27065e2f0 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -255,6 +255,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index fbd973876..d5e041387 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index b4cb38592..f86c6596d 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -220,6 +220,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 7b11ae171..fc796328c 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -249,6 +249,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 2e43f7000..c50d4622b 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -235,6 +235,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index 779dafd7c..e73489058 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -220,6 +220,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/testing/Makefile.in b/testing/Makefile.in index c7b90ef58..1083ae45a 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -195,6 +195,7 @@ dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ diff --git a/testing/hosts/default/etc/pts/data.sql b/testing/hosts/default/etc/pts/data.sql new file mode 100644 index 000000000..dde7c9fa5 --- /dev/null +++ b/testing/hosts/default/etc/pts/data.sql @@ -0,0 +1,107 @@ +/* Products */ + +INSERT INTO products ( + name +) VALUES ( + 'Debian 7.0' +); + +INSERT INTO products ( + name +) VALUES ( + 'Debian 7.0 i686' +); + +INSERT INTO products ( + name +) VALUES ( + 'Debian 7.0 x86_64' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.04' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.04 i686' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.04 x86_64' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.10' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.10 i686' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.10 x86_64' +); + +/* Packages */ + +INSERT INTO packages ( + name +) VALUES ( + 'libssl-dev' +); + +INSERT INTO packages ( + name +) VALUES ( + 'libssl1.0.0' +); + +INSERT INTO packages ( + name +) VALUES ( + 'libssl1.0.0-dbg' +); + +INSERT INTO packages ( + name +) VALUES ( + 'openssl' +); + +/* Versions */ + +INSERT INTO versions ( + package, product, release, time +) values ( + 1, 1, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) values ( + 2, 1, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) values ( + 3, 1, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) values ( + 4, 1, '1.0.1e-2', 1366531494 +); diff --git a/testing/hosts/default/etc/pts/data.sql~ b/testing/hosts/default/etc/pts/data.sql~ new file mode 100644 index 000000000..b08d035ab --- /dev/null +++ b/testing/hosts/default/etc/pts/data.sql~ @@ -0,0 +1,107 @@ +/* Products */ + +INSERT INTO products ( + name +) VALUES ( + 'Debian 7.0' +); + +INSERT INTO products ( + name +) VALUES ( + 'Debian 7.0 i686' +); + +INSERT INTO products ( + name +) VALUES ( + 'Debian 7.0 x86_64' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.04' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.04 i686' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.04 x86_64' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.10' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.10 i686' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.10 x86_64' +); + +INSERT INTO versions ( + package, product, release, time +) values ( + 1, 1, '1.0.1e-2', 1366531494 +); + +/* Packages */ + +INSERT INTO packages ( + name +) VALUES ( + 'libssl-dev' +); + +INSERT INTO packages ( + name +) VALUES ( + 'libssl1.0.0' +); + +INSERT INTO packages ( + name +) VALUES ( + 'libssl1.0.0-dbg' +); + +INSERT INTO packages ( + name +) VALUES ( + 'openssl' +); + +/* Versions */ + +INSERT INTO versions ( + package, product, release, time +) values ( + 2, 1, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) values ( + 3, 1, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) values ( + 4, 1, '1.0.1e-2', 1366531494 +); diff --git a/testing/hosts/default/etc/pts/tables.sql b/testing/hosts/default/etc/pts/tables.sql new file mode 100644 index 000000000..0c038d365 --- /dev/null +++ b/testing/hosts/default/etc/pts/tables.sql @@ -0,0 +1,146 @@ +/* PTS SQLite database */ + +DROP TABLE IF EXISTS files; +CREATE TABLE files ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + type INTEGER NOT NULL, + path TEXT NOT NULL +); +DROP INDEX IF EXISTS files_path; +CREATE INDEX files_path ON files ( + path +); + +DROP TABLE IF EXISTS products; +CREATE TABLE products ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL +); +DROP INDEX IF EXISTS products_name; +CREATE INDEX products_name ON products ( + name +); + +DROP TABLE IF EXISTS product_file; +CREATE TABLE product_file ( + product INTEGER NOT NULL, + file INTEGER NOT NULL, + measurement INTEGER DEFAULT 0, + metadata INTEGER DEFAULT 0, + PRIMARY KEY (product, file) +); + +DROP TABLE IF EXISTS file_hashes; +CREATE TABLE file_hashes ( + file INTEGER NOT NULL, + directory INTEGER DEFAULT 0, + product INTEGER NOT NULL, + key INTEGER DEFAULT 0, + algo INTEGER NOT NULL, + hash BLOB NOT NULL, + PRIMARY KEY(file, directory, product, algo) +); + +DROP TABLE IF EXISTS keys; +CREATE TABLE keys ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + keyid BLOB NOT NULL, + owner TEXT NOT NULL +); +DROP INDEX IF EXISTS keys_keyid; +CREATE INDEX keys_keyid ON keys ( + keyid +); +DROP INDEX IF EXISTS keys_owner; +CREATE INDEX keys_owner ON keys ( + owner +); + +DROP TABLE IF EXISTS components; +CREATE TABLE components ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + vendor_id INTEGER NOT NULL, + name INTEGER NOT NULL, + qualifier INTEGER DEFAULT 0 +); + + +DROP TABLE IF EXISTS key_component; +CREATE TABLE key_component ( + key INTEGER NOT NULL, + component INTEGER NOT NULL, + depth INTEGER DEFAULT 0, + seq_no INTEGER DEFAULT 0, + PRIMARY KEY (key, component) +); + + +DROP TABLE IF EXISTS component_hashes; +CREATE TABLE component_hashes ( + component INTEGER NOT NULL, + key INTEGER NOT NULL, + seq_no INTEGER NOT NULL, + pcr INTEGER NOT NULL, + algo INTEGER NOT NULL, + hash BLOB NOT NULL, + PRIMARY KEY(component, key, seq_no, algo) +); + +DROP TABLE IF EXISTS packages; +CREATE TABLE packages ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL +); +DROP INDEX IF EXISTS packages_name; +CREATE INDEX packages_name ON packages ( + name +); + +DROP TABLE IF EXISTS versions; +CREATE TABLE versions ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + package INTEGER NOT NULL, + product INTEGER NOT NULL, + release TEXT NOT NULL, + security INTEGER DEFAULT 0, + time INTEGER DEFAULT 0 +); +DROP INDEX IF EXISTS versions_release; +CREATE INDEX versions_release ON versions ( + release +); +DROP INDEX IF EXISTS versions_package_product; +CREATE INDEX versions_package_product ON versions ( + package, product +); + +DROP TABLE IF EXISTS devices; +CREATE TABLE devices ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + value BLOB NOT NULL +); +DROP INDEX IF EXISTS devices_id; +CREATE INDEX devices_value ON devices ( + value +); + +DROP TABLE IF EXISTS device_infos; +CREATE TABLE device_infos ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + device INTEGER NOT NULL, + time INTEGER NOT NULL, + ar_id INTEGER DEFAULT 0, + product INTEGER DEFAULT 0, + count INTEGER DEFAULT 0, + count_update INTEGER DEFAULT 0, + count_blacklist INTEGER DEFAULT 0, + flags INTEGER DEFAULT 0 +); + +DROP TABLE IF EXISTS identities; +CREATE TABLE identities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + type INTEGER NOT NULL, + data BLOB NOT NULL, + UNIQUE (type, data) +); diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index c426f0af5..354b48bd7 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -17,7 +17,7 @@ INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev -INC=$INC,libalog0.4.1-base-dev,hostapd +INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev SERVICES="apache2 dbus isc-dhcp-server slapd bind9" INC=$INC,${SERVICES// /,} diff --git a/testing/scripts/recipes/011_xfrm-proxy.mk b/testing/scripts/recipes/009_xfrm-proxy.mk index 569fbfe3c..569fbfe3c 100644 --- a/testing/scripts/recipes/011_xfrm-proxy.mk +++ b/testing/scripts/recipes/009_xfrm-proxy.mk diff --git a/testing/scripts/recipes/009_tkm.mk b/testing/scripts/recipes/010_tkm.mk index 971cd170f..971cd170f 100644 --- a/testing/scripts/recipes/009_tkm.mk +++ b/testing/scripts/recipes/010_tkm.mk diff --git a/testing/scripts/recipes/011_openssl-fips.mk b/testing/scripts/recipes/011_openssl-fips.mk new file mode 100644 index 000000000..5d28b181e --- /dev/null +++ b/testing/scripts/recipes/011_openssl-fips.mk @@ -0,0 +1,23 @@ +#!/usr/bin/make + +PV = 2.0.3 +PKG = openssl-fips-$(PV) +TAR = $(PKG).tar.gz +SRC = http://www.openssl.org/source/$(TAR) + +all: install + +$(TAR): + wget $(SRC) + +$(PKG): $(TAR) + tar xfz $(TAR) + +configure: $(PKG) + cd $(PKG) && ./config + +build: configure + cd $(PKG) && make + +install: build + cd $(PKG) && make install diff --git a/testing/scripts/recipes/012_openssl.mk b/testing/scripts/recipes/012_openssl.mk new file mode 100644 index 000000000..9312445ce --- /dev/null +++ b/testing/scripts/recipes/012_openssl.mk @@ -0,0 +1,13 @@ +#!/usr/bin/make + +PV = 1.0.1e +PKG = openssl-$(PV) +SRC = http://download.strongswan.org/testing/openssl-fips/ + +all: install + +$(PKG): + wget -r $(SRC) --no-directories --directory-prefix $(PKG) --accept deb + +install: $(PKG) + cd $(PKG) && dpkg -i *.deb diff --git a/testing/scripts/recipes/010_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index 94abb9ddb..14fdebbc9 100644 --- a/testing/scripts/recipes/010_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -12,6 +12,7 @@ CONFIG_OPTS = \ --with-random-device=/dev/urandom \ --disable-load-warning \ --enable-curl \ + --enable-soup \ --enable-ldap \ --enable-eap-aka \ --enable-eap-aka-3gpp2 \ diff --git a/testing/tests/ikev1/rw-initiator-only/description.txt b/testing/tests/ikev1/rw-initiator-only/description.txt new file mode 100644 index 000000000..478004162 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/description.txt @@ -0,0 +1,10 @@ +The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b> +but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b> +she ignores the repeated IKE requests sent by <b>dave</b>. +<p/> +After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a +connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/rw-initiator-only/evaltest.dat b/testing/tests/ikev1/rw-initiator-only/evaltest.dat new file mode 100644 index 000000000..80fd7c5be --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/evaltest.dat @@ -0,0 +1,8 @@ +dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..58914391c --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc900c4f2 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + + initiator_only = yes +} diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..b262ecbea --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn peer + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_CAROL + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..9251921ff --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + + retransmit_timeout = 2 + retransmit_base = 1.5 + retransmit_tries = 3 +} diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..4c5df8825 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekey=no + keyexchange=ikev1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..7f31b170b --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/rw-initiator-only/posttest.dat b/testing/tests/ikev1/rw-initiator-only/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat new file mode 100644 index 000000000..fc7173430 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +dave::ipsec up peer +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-initiator-only/test.conf b/testing/tests/ikev1/rw-initiator-only/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt new file mode 100644 index 000000000..478004162 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/description.txt @@ -0,0 +1,10 @@ +The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b> +but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b> +she ignores the repeated IKE requests sent by <b>dave</b>. +<p/> +After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a +connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b>. diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat new file mode 100644 index 000000000..80fd7c5be --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/evaltest.dat @@ -0,0 +1,8 @@ +dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..dd2ceea60 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc900c4f2 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + + initiator_only = yes +} diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..b417977c9 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn peer + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_CAROL + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..9251921ff --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + + retransmit_timeout = 2 + retransmit_base = 1.5 + retransmit_tries = 3 +} diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..acc2ef758 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekey=no + reauth=no + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..7f31b170b --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat new file mode 100644 index 000000000..fc7173430 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +dave::ipsec up peer +carol::ipsec up home diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/rw-cpa/description.txt b/testing/tests/openssl-ikev2/rw-cpa/description.txt new file mode 100644 index 000000000..aaebb1843 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/description.txt @@ -0,0 +1,9 @@ +The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b> +but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b> +she ignores the repeated IKE requests sent by <b>dave</b>. +<p/> +After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a +connection to gateway <b>moon</b>. The authentication is based on <b>X.509 ECDSA certificates</b>. +Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of +an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall, +<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat b/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat new file mode 100644 index 000000000..7169a091d --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/evaltest.dat @@ -0,0 +1,11 @@ +dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES +carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES +moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..61e13df41 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128gcm128-prfsha256-ecp256! + esp=aes128gcm128-ecp256! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..29709926a --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO +PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS +4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T +BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9 +MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry +b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz +d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+ +sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx +ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn +s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..43621f711 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIK+8T+EmoyNMwjq+GDC7UnYrx4TR8hu7h85IgNiTOQUNoAoGCCqGSM49 +AwEHoUQDQgAEIKf2fxoM71Qg3VXCGKhEZpdCq6GRGlaohfLsvHZU0uJsTbOrJw3R +Fofy8103dzVZwooU9l4B8TpPDa1+IQTDGA== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..3d6725162 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA carolKey.pem diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush new file mode 100644 index 000000000..b3ab63c51 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.flush @@ -0,0 +1,21 @@ +*filter + +-F + +-P INPUT ACCEPT +-P OUTPUT ACCEPT +-P FORWARD ACCEPT + +COMMIT + +*nat + +-F + +COMMIT + +*mangle + +-F + +COMMIT diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..3d99c0197 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +# allow traffic tunnelled via IPsec +-A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +COMMIT diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..128d4f2d9 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default + + initiator_only = yes +} + +libstrongswan { + integrity_test = yes + crypto_test { + required = yes + on_add = yes + } + plugins { + openssl { + fips_mode = 2 + } + } +} diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..22fcb3eb5 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128gcm128-prfsha256-ecp256! + esp=aes128gcm128-ecp256! + +conn peer + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_CAROL + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..075d8f1e5 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y +IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA +zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G +A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1 +atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai +dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw +MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj +LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH +ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/ +wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv +g+Z+grJzTppAqpwRpg== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..f628f88e5 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX ++BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9 +t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P +JDBocD1n1eCSwM67KOfouuPmOML0QgU= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..ebd3a2839 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA daveKey.pem diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush new file mode 100644 index 000000000..b3ab63c51 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.flush @@ -0,0 +1,21 @@ +*filter + +-F + +-P INPUT ACCEPT +-P OUTPUT ACCEPT +-P FORWARD ACCEPT + +COMMIT + +*nat + +-F + +COMMIT + +*mangle + +-F + +COMMIT diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..3d99c0197 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +# allow traffic tunnelled via IPsec +-A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +COMMIT diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..958a502c2 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/dave/etc/strongswan.conf @@ -0,0 +1,23 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default + + retransmit_timeout = 2 + retransmit_base = 1.5 + retransmit_tries = 3 + initiator_only = yes +} + +libstrongswan { + integrity_test = yes + crypto_test { + required = yes + on_add = yes + } + plugins { + openssl { + fips_mode = 2 + } + } +} diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f7044e51d --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekey=no + reauth=no + keyexchange=ikev2 + ike=aes128gcm128-prfsha256-ecp256! + esp=aes128gcm128-ecp256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem new file mode 100644 index 000000000..5178c7f38 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO +PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs +5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9 +BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX +Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU +Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu +j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD +VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG +SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt +l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH +mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD +CI9WpQ== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..beab0485f --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42 +yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz +1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw +tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq +pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..1ef3eccb5 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA moonKey.pem diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush new file mode 100644 index 000000000..b3ab63c51 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.flush @@ -0,0 +1,21 @@ +*filter + +-F + +-P INPUT ACCEPT +-P OUTPUT ACCEPT +-P FORWARD ACCEPT + +COMMIT + +*nat + +-F + +COMMIT + +*mangle + +-F + +COMMIT diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..cc12d1659 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +# allow traffic tunnelled via IPsec +-A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +COMMIT diff --git a/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..fc49f9fd2 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default +} + +libstrongswan { + integrity_test = yes + crypto_test { + required = yes + on_add = yes + } + plugins { + openssl { + fips_mode = 2 + } + } +} diff --git a/testing/tests/openssl-ikev2/rw-cpa/posttest.dat b/testing/tests/openssl-ikev2/rw-cpa/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/rw-cpa/pretest.dat b/testing/tests/openssl-ikev2/rw-cpa/pretest.dat new file mode 100644 index 000000000..fc7173430 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +dave::ipsec up peer +carol::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-cpa/test.conf b/testing/tests/openssl-ikev2/rw-cpa/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cpa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat index 3c13e5ffa..c780c4a48 100644 --- a/testing/tests/tnc/tnccs-20-os/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat @@ -6,8 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon:: ipsec attest --devices 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec attest --devices 2> /dev/null::Windows 1.2.3.*dave@strongswan.org::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES @@ -16,4 +18,3 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO - diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index b11617cb2..0927c88b0 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite multiple_authentication=no plugins { eap-ttls { @@ -18,7 +18,14 @@ charon { libimcv { plugins { imv-os { + database = sqlite:///etc/pts/config.db request_installed_packages = yes } } } + +attest { + load = random nonce openssl sqlite + database = sqlite:///etc/pts/config.db +} + diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat index 74b902c69..48514d6e0 100644 --- a/testing/tests/tnc/tnccs-20-os/posttest.dat +++ b/testing/tests/tnc/tnccs-20-os/posttest.dat @@ -5,3 +5,4 @@ moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush carol::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 8169afab2..28f2f339c 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -2,6 +2,8 @@ moon::iptables-restore < /etc/iptables.rules carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config @@ -12,3 +14,5 @@ carol::sleep 1 carol::ipsec up home dave::ipsec up home dave::sleep 1 +moon::ipsec attest --packages --product 'Debian 7.0' +moon::ipsec attest --devices |