diff options
author | Romain Francoise <rfrancoise@debian.org> | 2014-04-15 19:35:31 +0200 |
---|---|---|
committer | Romain Francoise <rfrancoise@debian.org> | 2014-04-15 19:35:31 +0200 |
commit | df40590dead5696facf9943f46e222a5e831286d (patch) | |
tree | d701325b24c0e1c5676fa9cb8ed959254dd4367a | |
parent | 91b54afb0421705a4fb9d990d813007cd45bc2ce (diff) | |
parent | c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff) | |
download | vyos-strongswan-df40590dead5696facf9943f46e222a5e831286d.tar.gz vyos-strongswan-df40590dead5696facf9943f46e222a5e831286d.zip |
Merge tag 'upstream/5.1.3'
Upstream version 5.1.3
* tag 'upstream/5.1.3':
Import upstream version 5.1.3
600 files changed, 14024 insertions, 8684 deletions
diff --git a/Android.common.mk b/Android.common.mk index 14abca868..9f49831f0 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.1.2" +strongswan_VERSION := "5.1.3" diff --git a/Makefile.in b/Makefile.in index a81e93f0f..71157179d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -401,7 +401,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -1,3 +1,25 @@ +strongswan-5.1.3 +---------------- + +- Fixed an authentication bypass vulnerability triggered by rekeying an + unestablished IKEv2 SA while it gets actively initiated. This allowed an + attacker to trick a peer's IKE_SA state to established, without the need to + provide any valid authentication credentials. The vulnerability has been + registered as CVE-2014-2338. + +- The acert plugin evaluates X.509 Attribute Certificates. Group membership + information encoded as strings can be used to fulfill authorization checks + defined with the rightgroups option. Attribute Certificates can be loaded + locally or get exchanged in IKEv2 certificate payloads. + +- The pki command gained support to generate X.509 Attribute Certificates + using the --acert subcommand, while the --print command supports the ac type. + The openac utility has been removed in favor of the new pki functionality. + +- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols + has been extended by AEAD mode support, currently limited to AES-GCM. + + strongswan-5.1.2 ---------------- diff --git a/conf/Makefile.in b/conf/Makefile.in index d92593219..e14c44e3e 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -346,7 +346,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/conf/format-options.py b/conf/format-options.py index 04afed6d6..fc6e6e1fd 100755 --- a/conf/format-options.py +++ b/conf/format-options.py @@ -54,6 +54,7 @@ import sys import re from textwrap import TextWrapper from optparse import OptionParser +from operator import attrgetter class ConfigOption: """Representing a configuration option or described section in strongswan.conf""" @@ -67,9 +68,7 @@ class ConfigOption: self.options = [] def __cmp__(self, other): - if self.section == other.section: - return cmp(self.name, other.name) - return 1 if self.section else -1 + return cmp(self.name, other.name) def add_paragraph(self): """Adds a new paragraph to the description""" @@ -246,7 +245,7 @@ class ConfFormatter: self.__print_description(section, indent) print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name) print - for o in section.options: + for o in sorted(section.options, key=attrgetter('section')): if o.section: self.__print_section(o, indent + 1, section.commented) else: @@ -258,7 +257,7 @@ class ConfFormatter: """Print a list of options""" if not options: return - for option in options: + for option in sorted(options, key=attrgetter('section')): if option.section: self.__print_section(option, 0, False) else: diff --git a/conf/options/tools.conf b/conf/options/tools.conf index a3ab099ed..781635ceb 100644 --- a/conf/options/tools.conf +++ b/conf/options/tools.conf @@ -1,10 +1,3 @@ -openac { - - # Plugins to load in ipsec openac tool. - # load = - -} - pki { # Plugins to load in ipsec pki tool. diff --git a/conf/options/tools.opt b/conf/options/tools.opt index 23e6a1c9f..72a49de28 100644 --- a/conf/options/tools.opt +++ b/conf/options/tools.opt @@ -1,6 +1,3 @@ -openac.load = - Plugins to load in ipsec openac tool. - pki.load = Plugins to load in ipsec pki tool. diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf index 53023b81e..64db67456 100644 --- a/conf/plugins/eap-radius.conf +++ b/conf/plugins/eap-radius.conf @@ -3,6 +3,10 @@ eap-radius { # Send RADIUS accounting information to RADIUS servers. # accounting = no + # Close the IKE_SA if there is a timeout during interim RADIUS accounting + # updates. + # accounting_close_on_timeout = yes + # If enabled, accounting is disabled unless an IKE_SA has at least one # virtual IP. # accounting_requires_vip = no diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt index 0edd3458c..0df6a0d6f 100644 --- a/conf/plugins/eap-radius.opt +++ b/conf/plugins/eap-radius.opt @@ -1,6 +1,10 @@ charon.plugins.eap-radius.accounting = no Send RADIUS accounting information to RADIUS servers. +charon.plugins.eap-radius.accounting_close_on_timeout = yes + Close the IKE_SA if there is a timeout during interim RADIUS accounting + updates. + charon.plugins.eap-radius.accounting_requires_vip = no If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf index ffb1b45a3..2d8deaa8e 100644 --- a/conf/plugins/imc-attestation.conf +++ b/conf/plugins/imc-attestation.conf @@ -13,6 +13,9 @@ imc-attestation { # priority of this plugin. load = yes + # Enforce mandatory Diffie-Hellman groups. + # mandatory_dh_groups = yes + # DH nonce length. # nonce_len = 20 diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt index 9c108053b..aaac4c2c1 100644 --- a/conf/plugins/imc-attestation.opt +++ b/conf/plugins/imc-attestation.opt @@ -7,6 +7,9 @@ charon.plugins.imc-attestation.aik_cert = charon.plugins.imc-attestation.aik_key = AIK public key file. +charon.plugins.imc-attestation.mandatory_dh_groups = yes + Enforce mandatory Diffie-Hellman groups. + charon.plugins.imc-attestation.nonce_len = 20 DH nonce length. @@ -14,4 +17,4 @@ charon.plugins.imc-attestation.use_quote2 = yes Use Quote2 AIK signature instead of Quote signature. charon.plugins.imc-attestation.pcr_info = yes - Whether to send pcr_before and pcr_after info.
\ No newline at end of file + Whether to send pcr_before and pcr_after info. diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf index 48ffba839..3a1a7f225 100644 --- a/conf/plugins/imv-attestation.conf +++ b/conf/plugins/imv-attestation.conf @@ -35,6 +35,9 @@ imv-attestation { # priority of this plugin. load = yes + # Enforce mandatory Diffie-Hellman groups. + # mandatory_dh_groups = yes + # DH minimum nonce length. # min_nonce_len = 0 diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt index c0ae20488..f266281e6 100644 --- a/conf/plugins/imv-attestation.opt +++ b/conf/plugins/imv-attestation.opt @@ -1,6 +1,9 @@ charon.plugins.imv-attestation.cadir = Path to directory with AIK cacerts. +charon.plugins.imv-attestation.mandatory_dh_groups = yes + Enforce mandatory Diffie-Hellman groups. + charon.plugins.imv-attestation.dh_group = ecp256 Preferred Diffie-Hellman group. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 282b8fa70..12fde4903 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -48,6 +48,37 @@ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. Number of half\-open IKE_SAs that activate the cookie mechanism. .TP +.BR charon.crypto_test.bench " [no]" +Benchmark crypto algorithms and order them by efficiency. + +.TP +.BR charon.crypto_test.bench_size " [1024]" +Buffer size used for crypto benchmark. + +.TP +.BR charon.crypto_test.bench_time " [50]" +Number of iterations to test each algorithm. + +.TP +.BR charon.crypto_test.on_add " [no]" +Test crypto algorithms during registration (requires test vectors provided by +the +.RI "" "test\-vectors" "" +plugin). + +.TP +.BR charon.crypto_test.on_create " [no]" +Test crypto algorithms on each crypto primitive instantiation. + +.TP +.BR charon.crypto_test.required " [no]" +Strictly require at least one test vector to enable an algorithm. + +.TP +.BR charon.crypto_test.rng_true " [no]" +Whether to test RNG with TRUE quality; requires a lot of entropy. + +.TP .BR charon.dh_exponent_ansi_x9_42 " [yes]" Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. @@ -69,6 +100,47 @@ Enable Denial of Service protection using cookies and aggressiveness checks. Compliance with the errata for RFC 4753. .TP +.B charon.filelog +.br +Section to define file loggers, see LOGGER CONFIGURATION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.B charon.filelog.<filename> +.br +<filename> is the full path to the log file. + +.TP +.BR charon.filelog.<filename>.<subsystem> " [<default>]" +Loglevel for a specific subsystem. + +.TP +.BR charon.filelog.<filename>.append " [yes]" +If this option is enabled log entries are appended to the existing file. + +.TP +.BR charon.filelog.<filename>.default " [1]" +Specifies the default loglevel to be used for subsystems for which no specific +loglevel is defined. + +.TP +.BR charon.filelog.<filename>.flush_line " [no]" +Enabling this option disables block buffering and enables line buffering. + +.TP +.BR charon.filelog.<filename>.ike_name " [no]" +Prefix each log entry with the connection name and a unique numerical identifier +for each IKE_SA. + +.TP +.BR charon.filelog.<filename>.time_format " []" +Prefix each log entry with a timestamp. The option accepts a format string as +passed to +.RB "" "strftime" "(3)." + + +.TP .BR charon.flush_auth_cfg " [no]" If enabled objects used during authentication (certificates, identities etc.) are released to free memory once an IKE_SA is established. Enabling this might @@ -92,6 +164,14 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). Enable hash and URL support. .TP +.BR charon.host_resolver.max_threads " [3]" +Maximum number of concurrent resolver threads (they are terminated if unused). + +.TP +.BR charon.host_resolver.min_threads " [0]" +Minimum number of resolver threads to keep around. + +.TP .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]" If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared keys, which is discouraged due to security concerns (offline attacks on the @@ -115,6 +195,34 @@ Number of exclusively locked segments in the hash table. Size of the IKE_SA hash table. .TP +.B charon.imcv +.br +Defaults for options in this section can be configured in the +.RI "" "libimcv" "" +section. + +.TP +.BR charon.imcv.assessment_result " [yes]" +Whether IMVs send a standard IETF Assessment Result attribute. + +.TP +.BR charon.imcv.database " []" +Global IMV policy database URI. If it contains a password, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR charon.imcv.os_info.name " []" +Manually set the name of the client OS (e.g. Ubuntu). + +.TP +.BR charon.imcv.os_info.version " []" +Manually set the version of the client OS (e.g. 12.04 i686). + +.TP +.BR charon.imcv.policy_script " [ipsec _imv_policy]" +Script called for each TNC connection to generate IMV policies. + +.TP .BR charon.inactivity_close_ike " [no]" Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. @@ -167,6 +275,18 @@ other interfaces are ignored. NAT keep alive interval. .TP +.BR charon.leak_detective.detailed " [yes]" +Includes source file names and line numbers in leak detective output. + +.TP +.BR charon.leak_detective.usage_threshold " [10240]" +Threshold in bytes for leaks to be reported (0 to report all). + +.TP +.BR charon.leak_detective.usage_threshold_count " [0]" +Threshold in number of allocations for leaks to be reported (0 to report all). + +.TP .BR charon.load " []" Plugins to load in the IKE daemon charon. @@ -198,225 +318,6 @@ WINS servers assigned to peer via configuration payload (CP). WINS servers assigned to peer via configuration payload (CP). .TP -.BR charon.port " [500]" -UDP port used locally. If set to 0 a random port will be allocated. - -.TP -.BR charon.port_nat_t " [4500]" -UDP port used locally in case of NAT\-T. If set to 0 a random port will be -allocated. Has to be different from -.RB "" "charon.port" "," -otherwise a random port -will be allocated. - -.TP -.BR charon.process_route " [yes]" -Process RTM_NEWROUTE and RTM_DELROUTE events. - -.TP -.BR charon.receive_delay " [0]" -Delay in ms for receiving packets, to simulate larger RTT. - -.TP -.BR charon.receive_delay_request " [yes]" -Delay request messages. - -.TP -.BR charon.receive_delay_response " [yes]" -Delay response messages. - -.TP -.BR charon.receive_delay_type " [0]" -Specific IKEv2 message type to delay, 0 for any. - -.TP -.BR charon.replay_window " [32]" -Size of the AH/ESP replay window, in packets. - -.TP -.BR charon.retransmit_base " [1.8]" -Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in -.RB "" "strongswan.conf" "(5)." - - -.TP -.BR charon.retransmit_timeout " [4.0]" -Timeout in seconds before sending first retransmit. - -.TP -.BR charon.retransmit_tries " [5]" -Number of times to retransmit a packet before giving up. - -.TP -.BR charon.retry_initiate_interval " [0]" -Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution -failed), 0 to disable retries. - -.TP -.BR charon.reuse_ikesa " [yes]" -Initiate CHILD_SA within existing IKE_SAs. - -.TP -.BR charon.routing_table " []" -Numerical routing table to install routes to. - -.TP -.BR charon.routing_table_prio " []" -Priority of the routing table. - -.TP -.BR charon.send_delay " [0]" -Delay in ms for sending packets, to simulate larger RTT. - -.TP -.BR charon.send_delay_request " [yes]" -Delay request messages. - -.TP -.BR charon.send_delay_response " [yes]" -Delay response messages. - -.TP -.BR charon.send_delay_type " [0]" -Specific IKEv2 message type to delay, 0 for any. - -.TP -.BR charon.send_vendor_id " [no]" -Send strongSwan vendor ID payload - -.TP -.BR charon.threads " [16]" -Number of worker threads in charon. Several of these are reserved for long -running tasks in internal modules and plugins. Therefore, make sure you don't -set this value too low. The number of idle worker threads listed in -.RI "" "ipsec statusall" "" -might be used as indicator on the number of reserved threads. - -.TP -.BR charon.user " []" -Name of the user the daemon changes to after startup. - -.TP -.BR charon.crypto_test.bench " [no]" -Benchmark crypto algorithms and order them by efficiency. - -.TP -.BR charon.crypto_test.bench_size " [1024]" -Buffer size used for crypto benchmark. - -.TP -.BR charon.crypto_test.bench_time " [50]" -Number of iterations to test each algorithm. - -.TP -.BR charon.crypto_test.on_add " [no]" -Test crypto algorithms during registration (requires test vectors provided by -the -.RI "" "test\-vectors" "" -plugin). - -.TP -.BR charon.crypto_test.on_create " [no]" -Test crypto algorithms on each crypto primitive instantiation. - -.TP -.BR charon.crypto_test.required " [no]" -Strictly require at least one test vector to enable an algorithm. - -.TP -.BR charon.crypto_test.rng_true " [no]" -Whether to test RNG with TRUE quality; requires a lot of entropy. - -.TP -.B charon.filelog -.br -Section to define file loggers, see LOGGER CONFIGURATION in -.RB "" "strongswan.conf" "(5)." - - -.TP -.B charon.filelog.<filename> -.br -<filename> is the full path to the log file. - -.TP -.BR charon.filelog.<filename>.<subsystem> " [<default>]" -Loglevel for a specific subsystem. - -.TP -.BR charon.filelog.<filename>.append " [yes]" -If this option is enabled log entries are appended to the existing file. - -.TP -.BR charon.filelog.<filename>.default " [1]" -Specifies the default loglevel to be used for subsystems for which no specific -loglevel is defined. - -.TP -.BR charon.filelog.<filename>.flush_line " [no]" -Enabling this option disables block buffering and enables line buffering. - -.TP -.BR charon.filelog.<filename>.ike_name " [no]" -Prefix each log entry with the connection name and a unique numerical identifier -for each IKE_SA. - -.TP -.BR charon.filelog.<filename>.time_format " []" -Prefix each log entry with a timestamp. The option accepts a format string as -passed to -.RB "" "strftime" "(3)." - - -.TP -.BR charon.host_resolver.max_threads " [3]" -Maximum number of concurrent resolver threads (they are terminated if unused). - -.TP -.BR charon.host_resolver.min_threads " [0]" -Minimum number of resolver threads to keep around. - -.TP -.B charon.imcv -.br -Defaults for options in this section can be configured in the -.RI "" "libimcv" "" -section. - -.TP -.BR charon.imcv.assessment_result " [yes]" -Whether IMVs send a standard IETF Assessment Result attribute. - -.TP -.BR charon.imcv.database " []" -Global IMV policy database URI. If it contains a password, make sure to adjust -the permissions of the config file accordingly. - -.TP -.BR charon.imcv.policy_script " [ipsec _imv_policy]" -Script called for each TNC connection to generate IMV policies. - -.TP -.BR charon.imcv.os_info.name " []" -Manually set the name of the client OS (e.g. Ubuntu). - -.TP -.BR charon.imcv.os_info.version " []" -Manually set the version of the client OS (e.g. 12.04 i686). - -.TP -.BR charon.leak_detective.detailed " [yes]" -Includes source file names and line numbers in leak detective output. - -.TP -.BR charon.leak_detective.usage_threshold " [10240]" -Threshold in bytes for leaks to be reported (0 to report all). - -.TP -.BR charon.leak_detective.usage_threshold_count " [0]" -Threshold in number of allocations for leaks to be reported (0 to report all). - -.TP .BR charon.plugins.android_log.loglevel " [1]" Loglevel for logging to Android specific logger. @@ -588,6 +489,10 @@ Request peer authentication based on a client certificate. Send RADIUS accounting information to RADIUS servers. .TP +.BR charon.plugins.eap-radius.accounting_close_on_timeout " [yes]" +Close the IKE_SA if there is a timeout during interim RADIUS accounting updates. + +.TP .BR charon.plugins.eap-radius.accounting_requires_vip " [no]" If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. @@ -608,6 +513,23 @@ Closes all IKE_SAs if communication with the RADIUS server times out. If it is not set only the current IKE_SA is closed. .TP +.BR charon.plugins.eap-radius.dae.enable " [no]" +Enables support for the Dynamic Authorization Extension (RFC 5176). + +.TP +.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]" +Address to listen for DAE messages from the RADIUS server. + +.TP +.BR charon.plugins.eap-radius.dae.port " [3799]" +Port to listen for DAE requests. + +.TP +.BR charon.plugins.eap-radius.dae.secret " []" +Shared secret used to verify/sign DAE messages. If set, make sure to adjust the +permissions of the config file accordingly. + +.TP .BR charon.plugins.eap-radius.eap_start " [no]" Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation. @@ -627,6 +549,20 @@ option in .TP +.BR charon.plugins.eap-radius.forward.ike_to_radius " []" +RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name +or attribute number, a colon can be used to specify vendor\-specific attributes, +e.g. Reply\-Message, or 11, or 36906:12). + +.TP +.BR charon.plugins.eap-radius.forward.radius_to_ike " []" +Same as +.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" "" +but from RADIUS to +IKEv2, a strongSwan specific private notify (40969) is used to transmit the +attributes. + +.TP .BR charon.plugins.eap-radius.id_prefix " []" Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP method. @@ -649,41 +585,6 @@ permissions of the config file accordingly. IP/Hostname of RADIUS server. .TP -.BR charon.plugins.eap-radius.sockets " [1]" -Number of sockets (ports) to use, increase for high load. - -.TP -.BR charon.plugins.eap-radius.dae.enable " [no]" -Enables support for the Dynamic Authorization Extension (RFC 5176). - -.TP -.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]" -Address to listen for DAE messages from the RADIUS server. - -.TP -.BR charon.plugins.eap-radius.dae.port " [3799]" -Port to listen for DAE requests. - -.TP -.BR charon.plugins.eap-radius.dae.secret " []" -Shared secret used to verify/sign DAE messages. If set, make sure to adjust the -permissions of the config file accordingly. - -.TP -.BR charon.plugins.eap-radius.forward.ike_to_radius " []" -RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name -or attribute number, a colon can be used to specify vendor\-specific attributes, -e.g. Reply\-Message, or 11, or 36906:12). - -.TP -.BR charon.plugins.eap-radius.forward.radius_to_ike " []" -Same as -.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" "" -but from RADIUS to -IKEv2, a strongSwan specific private notify (40969) is used to transmit the -attributes. - -.TP .B charon.plugins.eap-radius.servers .br Section to specify multiple RADIUS servers. The @@ -706,6 +607,10 @@ accounting. For each RADIUS server a priority can be specified using the [0] option. .TP +.BR charon.plugins.eap-radius.sockets " [1]" +Number of sockets (ports) to use, increase for high load. + +.TP .B charon.plugins.eap-radius.xauth .br Section to configure multiple XAuth authentication rounds via RADIUS. The @@ -842,6 +747,10 @@ AIK certificate file. AIK public key file. .TP +.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]" +Enforce mandatory Diffie\-Hellman groups. + +.TP .BR charon.plugins.imc-attestation.nonce_len " [20]" DH nonce length. @@ -922,6 +831,10 @@ Preferred Diffie\-Hellman group. Preferred measurement hash algorithm. .TP +.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]" +Enforce mandatory Diffie\-Hellman groups. + +.TP .BR charon.plugins.imv-attestation.min_nonce_len " [0]" DH minimum nonce length. @@ -992,6 +905,12 @@ Section to configure the load\-tester plugin, see LOAD TESTS in for details. .TP +.B charon.plugins.load-tester.addrs +.br +Section that contains key/value pairs with address pools (in CIDR notation) to +use for a specific network interface e.g. eth0 = 10.10.0.0/16. + +.TP .BR charon.plugins.load-tester.addrs_keep " [no]" Whether to keep dynamic addresses even after the associated SA got terminated. @@ -1157,12 +1076,6 @@ IKE version to use (0 means use IKEv2 as initiator and accept any version as responder). .TP -.B charon.plugins.load-tester.addrs -.br -Section that contains key/value pairs with address pools (in CIDR notation) to -use for a specific network interface e.g. eth0 = 10.10.0.0/16. - -.TP .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]" Socket provided by the lookip plugin. @@ -1195,6 +1108,11 @@ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2). Whether to load certificates from tokens. .TP +.B charon.plugins.pkcs11.modules +.br +List of available PKCS#11 modules. + +.TP .BR charon.plugins.pkcs11.reload_certs " [no]" Reload certificates from all tokens if charon receives a SIGHUP. @@ -1223,11 +1141,6 @@ keys not stored on tokens. Whether the PKCS#11 modules should be used as RNG. .TP -.B charon.plugins.pkcs11.modules -.br -List of available PKCS#11 modules. - -.TP .BR charon.plugins.radattr.dir " []" Directory where RADIUS attributes are stored in client\-ID specific files. @@ -1378,14 +1291,6 @@ or .TP -.BR charon.plugins.tnc-pdp.server " []" -Name of the strongSwan PDP as contained in the AAA certificate. - -.TP -.BR charon.plugins.tnc-pdp.timeout " []" -Timeout in seconds before closing incomplete connections. - -.TP .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]" Enable PT\-TLS protocol on the strongSwan PDP. @@ -1411,6 +1316,14 @@ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust the permissions of the config file accordingly. .TP +.BR charon.plugins.tnc-pdp.server " []" +Name of the strongSwan PDP as contained in the AAA certificate. + +.TP +.BR charon.plugins.tnc-pdp.timeout " []" +Timeout in seconds before closing incomplete connections. + +.TP .BR charon.plugins.tnccs-11.max_message_size " [45000]" Maximum size of a PA\-TNC message (XML & Base64 encoding). @@ -1472,6 +1385,22 @@ If an email address is received as an XAuth username, trim it to just the username part. .TP +.BR charon.port " [500]" +UDP port used locally. If set to 0 a random port will be allocated. + +.TP +.BR charon.port_nat_t " [4500]" +UDP port used locally in case of NAT\-T. If set to 0 a random port will be +allocated. Has to be different from +.RB "" "charon.port" "," +otherwise a random port +will be allocated. + +.TP +.BR charon.process_route " [yes]" +Process RTM_NEWROUTE and RTM_DELROUTE events. + +.TP .B charon.processor.priority_threads .br Section to configure the number of reserved threads per priority class see JOB @@ -1480,6 +1409,77 @@ PRIORITY MANAGEMENT in .TP +.BR charon.receive_delay " [0]" +Delay in ms for receiving packets, to simulate larger RTT. + +.TP +.BR charon.receive_delay_request " [yes]" +Delay request messages. + +.TP +.BR charon.receive_delay_response " [yes]" +Delay response messages. + +.TP +.BR charon.receive_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any. + +.TP +.BR charon.replay_window " [32]" +Size of the AH/ESP replay window, in packets. + +.TP +.BR charon.retransmit_base " [1.8]" +Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon.retransmit_timeout " [4.0]" +Timeout in seconds before sending first retransmit. + +.TP +.BR charon.retransmit_tries " [5]" +Number of times to retransmit a packet before giving up. + +.TP +.BR charon.retry_initiate_interval " [0]" +Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution +failed), 0 to disable retries. + +.TP +.BR charon.reuse_ikesa " [yes]" +Initiate CHILD_SA within existing IKE_SAs. + +.TP +.BR charon.routing_table " []" +Numerical routing table to install routes to. + +.TP +.BR charon.routing_table_prio " []" +Priority of the routing table. + +.TP +.BR charon.send_delay " [0]" +Delay in ms for sending packets, to simulate larger RTT. + +.TP +.BR charon.send_delay_request " [yes]" +Delay request messages. + +.TP +.BR charon.send_delay_response " [yes]" +Delay response messages. + +.TP +.BR charon.send_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any. + +.TP +.BR charon.send_vendor_id " [no]" +Send strongSwan vendor ID payload + +.TP .B charon.syslog .br Section to define syslog loggers, see LOGGER CONFIGURATION in @@ -1487,16 +1487,6 @@ Section to define syslog loggers, see LOGGER CONFIGURATION in .TP -.BR charon.syslog.identifier " []" -Global identifier used for an -.RB "" "openlog" "(3)" -call, prepended to each log message -by syslog. If not configured, -.RB "" "openlog" "(3)" -is not called, so the value will -depend on system defaults (often the program name). - -.TP .B charon.syslog.<facility> .br <facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION @@ -1519,6 +1509,24 @@ Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. .TP +.BR charon.syslog.identifier " []" +Global identifier used for an +.RB "" "openlog" "(3)" +call, prepended to each log message +by syslog. If not configured, +.RB "" "openlog" "(3)" +is not called, so the value will +depend on system defaults (often the program name). + +.TP +.BR charon.threads " [16]" +Number of worker threads in charon. Several of these are reserved for long +running tasks in internal modules and plugins. Therefore, make sure you don't +set this value too low. The number of idle worker threads listed in +.RI "" "ipsec statusall" "" +might be used as indicator on the number of reserved threads. + +.TP .BR charon.tls.cipher " []" List of TLS encryption ciphers. @@ -1539,6 +1547,10 @@ List of TLS cipher suites. TNC IMC/IMV configuration file. .TP +.BR charon.user " []" +Name of the user the daemon changes to after startup. + +.TP .BR charon.x509.enforce_critical " [yes]" Discard certificates with unsupported or unknown critical extensions. @@ -1623,10 +1635,6 @@ Number of thread for mediation service web application. Session timeout for mediation service. .TP -.BR openac.load " []" -Plugins to load in ipsec openac tool. - -.TP .BR pacman.database " []" Database URI for the database that stores the package information. If it contains a password, make sure to adjust the permissions of the config file @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.1.2. +# Generated by GNU Autoconf 2.69 for strongSwan 5.1.3. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.1.2' -PACKAGE_STRING='strongSwan 5.1.2' +PACKAGE_VERSION='5.1.3' +PACKAGE_STRING='strongSwan 5.1.3' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -921,6 +921,8 @@ USE_PKCS1_FALSE USE_PKCS1_TRUE USE_PUBKEY_FALSE USE_PUBKEY_TRUE +USE_ACERT_FALSE +USE_ACERT_TRUE USE_CONSTRAINTS_FALSE USE_CONSTRAINTS_TRUE USE_REVOCATION_FALSE @@ -974,7 +976,6 @@ manager_plugins scripts_plugins pki_plugins scepclient_plugins -openac_plugins attest_plugins pool_plugins starter_plugins @@ -1196,58 +1197,58 @@ with_tss with_capabilities with_mpz_powm_sec with_dev_headers +with_printf_hooks with_systemdsystemunitdir with_user with_group with_charon_udp_port with_charon_natt_port -enable_curl -enable_unbound -enable_soup -enable_ldap enable_aes -enable_des +enable_af_alg enable_blowfish -enable_rc2 +enable_ccm +enable_cmac +enable_ctr +enable_des +enable_fips_prf +enable_gcm +enable_gcrypt +enable_gmp +enable_hmac enable_md4 enable_md5 +enable_nonce +enable_ntru +enable_openssl +enable_padlock +enable_random +enable_rc2 +enable_rdrand enable_sha1 enable_sha2 -enable_fips_prf -enable_gmp -enable_rdrand -enable_random -enable_nonce -enable_x509 -enable_revocation -enable_constraints -enable_pubkey +enable_xcbc +enable_dnskey +enable_pem +enable_pgp enable_pkcs1 enable_pkcs7 enable_pkcs8 enable_pkcs12 -enable_pgp -enable_dnskey +enable_pubkey enable_sshkey -enable_dnscert -enable_ipseckey -enable_pem -enable_hmac -enable_cmac -enable_xcbc -enable_af_alg -enable_test_vectors +enable_x509 +enable_curl +enable_ldap +enable_soup +enable_unbound enable_mysql enable_sqlite -enable_stroke -enable_medsrv -enable_medcli -enable_smp -enable_sql -enable_leak_detective -enable_lock_profiler -enable_unit_tester -enable_load_tester +enable_addrblock +enable_acert +enable_agent +enable_constraints +enable_coupling +enable_dnscert enable_eap_sim enable_eap_sim_file enable_eap_sim_pcsc @@ -1266,89 +1267,91 @@ enable_eap_peap enable_eap_tnc enable_eap_dynamic enable_eap_radius +enable_ipseckey +enable_keychain +enable_pkcs11 +enable_revocation +enable_whitelist enable_xauth_generic enable_xauth_eap enable_xauth_pam enable_xauth_noauth -enable_tnc_ifmap -enable_tnc_pdp -enable_tnc_imc -enable_tnc_imv -enable_tnccs_11 -enable_tnccs_20 -enable_tnccs_dynamic -enable_imc_test -enable_imv_test -enable_imc_scanner -enable_imv_scanner -enable_imc_os -enable_imv_os -enable_imc_attestation -enable_imv_attestation -enable_imc_swid -enable_imv_swid enable_kernel_netlink enable_kernel_pfkey enable_kernel_pfroute enable_kernel_klips enable_kernel_libipsec -enable_libipsec enable_socket_default enable_socket_dynamic -enable_farp -enable_dumm -enable_fast -enable_manager -enable_mediation -enable_integrity_test -enable_load_warning -enable_ikev1 -enable_ikev2 -enable_charon -enable_tools -enable_scripts -enable_conftest -enable_updown +enable_stroke +enable_smp +enable_sql +enable_uci +enable_android_dns enable_attr enable_attr_sql enable_dhcp +enable_osx_attr enable_resolve -enable_padlock -enable_openssl -enable_gcrypt -enable_agent -enable_keychain -enable_pkcs11 -enable_ctr -enable_ccm -enable_gcm -enable_ntru -enable_addrblock enable_unity -enable_uci -enable_osx_attr -enable_android_dns +enable_imc_test +enable_imv_test +enable_imc_scanner +enable_imv_scanner +enable_imc_os +enable_imv_os +enable_imc_attestation +enable_imv_attestation +enable_imc_swid +enable_imv_swid +enable_tnc_ifmap +enable_tnc_imc +enable_tnc_imv +enable_tnc_pdp +enable_tnccs_11 +enable_tnccs_20 +enable_tnccs_dynamic enable_android_log -enable_maemo -enable_nm -enable_ha -enable_whitelist -enable_lookip -enable_error_notify enable_certexpire -enable_systime_fix -enable_led enable_duplicheck -enable_coupling +enable_error_notify +enable_farp +enable_ha +enable_led +enable_load_tester +enable_lookip +enable_maemo enable_radattr -enable_vstr -enable_monolithic +enable_systime_fix +enable_test_vectors +enable_unit_tester +enable_updown +enable_charon +enable_cmd +enable_conftest +enable_dumm +enable_fast +enable_libipsec +enable_manager +enable_medcli +enable_medsrv +enable_nm +enable_scripts +enable_tkm +enable_tools enable_bfd_backtraces +enable_ikev1 +enable_ikev2 +enable_integrity_test +enable_load_warning +enable_mediation enable_unwind_backtraces enable_coverage -enable_tkm -enable_cmd +enable_leak_detective +enable_lock_profiler +enable_monolithic enable_defaults +enable_all enable_dependency_tracking with_lib_prefix enable_shared @@ -1926,7 +1929,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.1.2 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.1.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1996,7 +1999,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.1.2:";; + short | recursive ) echo "Configuration of strongSwan 5.1.3:";; esac cat <<\_ACEOF @@ -2006,64 +2009,61 @@ Optional Features: --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-silent-rules less verbose build output (undo: "make V=1") --disable-silent-rules verbose build output (undo: "make V=0") - --enable-curl enable CURL fetcher plugin to fetch files via - libcurl. Requires libcurl. - --enable-unbound enable UNBOUND resolver plugin to perform DNS - queries via libunbound. Requires libldns and - libunbound. - --enable-soup enable soup fetcher plugin to fetch from HTTP via - libsoup. Requires libsoup. - --enable-ldap enable LDAP fetching plugin to fetch files via - libldap. Requires openLDAP. --disable-aes disable AES software implementation plugin. - --disable-des disable DES/3DES software implementation plugin. + --enable-af-alg enable AF_ALG crypto interface to Linux Crypto API. --enable-blowfish enable Blowfish software implementation plugin. - --disable-rc2 disable RC2 software implementation plugin. + --enable-ccm enables the CCM AEAD wrapper crypto plugin. + --disable-cmac disable CMAC crypto implementation plugin. + --enable-ctr enables the Counter Mode wrapper crypto plugin. + --disable-des disable DES/3DES software implementation plugin. + --disable-fips-prf disable FIPS PRF software implementation plugin. + --enable-gcm enables the GCM AEAD wrapper crypto plugin. + --enable-gcrypt enables the libgcrypt plugin. + --disable-gmp disable GNU MP (libgmp) based crypto implementation + plugin. + --disable-hmac disable HMAC crypto implementation plugin. --enable-md4 enable MD4 software implementation plugin. --disable-md5 disable MD5 software implementation plugin. + --disable-nonce disable nonce generation plugin. + --enable-ntru enables the NTRU crypto plugin. + --enable-openssl enables the OpenSSL crypto plugin. + --enable-padlock enables VIA Padlock crypto plugin. + --disable-random disable RNG implementation on top of /dev/(u)random. + --disable-rc2 disable RC2 software implementation plugin. + --enable-rdrand enable Intel RDRAND random generator plugin. --disable-sha1 disable SHA1 software implementation plugin. --disable-sha2 disable SHA256/SHA384/SHA512 software implementation plugin. - --disable-fips-prf disable FIPS PRF software implementation plugin. - --disable-gmp disable GNU MP (libgmp) based crypto implementation - plugin. - --enable-rdrand enable Intel RDRAND random generator plugin. - --disable-random disable RNG implementation on top of /dev/(u)random. - --disable-nonce disable nonce generation plugin. - --disable-x509 disable X509 certificate implementation plugin. - --disable-revocation disable X509 CRL/OCSP revocation check plugin. - --disable-constraints disable advanced X509 constraint checking plugin. - --disable-pubkey disable RAW public key support plugin. + --disable-xcbc disable xcbc crypto implementation plugin. + --disable-dnskey disable DNS RR key decoding plugin. + --disable-pem disable PEM decoding plugin. + --disable-pgp disable PGP key decoding plugin. --disable-pkcs1 disable PKCS1 key decoding plugin. --disable-pkcs7 disable PKCS7 container support plugin. --disable-pkcs8 disable PKCS8 private key decoding plugin. --disable-pkcs12 disable PKCS12 container support plugin. - --disable-pgp disable PGP key decoding plugin. - --disable-dnskey disable DNS RR key decoding plugin. + --disable-pubkey disable RAW public key support plugin. --disable-sshkey disable SSH key decoding plugin. - --enable-dnscert enable DNSCERT authentication plugin. - --enable-ipseckey enable IPSECKEY authentication plugin. - --disable-pem disable PEM decoding plugin. - --disable-hmac disable HMAC crypto implementation plugin. - --disable-cmac disable CMAC crypto implementation plugin. - --disable-xcbc disable xcbc crypto implementation plugin. - --enable-af-alg enable AF_ALG crypto interface to Linux Crypto API. - --enable-test-vectors enable plugin providing crypto test vectors. + --disable-x509 disable X509 certificate implementation plugin. + --enable-curl enable CURL fetcher plugin to fetch files via + libcurl. Requires libcurl. + --enable-ldap enable LDAP fetching plugin to fetch files via + libldap. Requires openLDAP. + --enable-soup enable soup fetcher plugin to fetch from HTTP via + libsoup. Requires libsoup. + --enable-unbound enable UNBOUND resolver plugin to perform DNS + queries via libunbound. Requires libldns and + libunbound. --enable-mysql enable MySQL database support. Requires libmysqlclient_r. --enable-sqlite enable SQLite database support. Requires libsqlite3. - --disable-stroke disable charons stroke configuration backend. - --enable-medsrv enable mediation server web frontend and daemon - plugin. - --enable-medcli enable mediation client configuration database - plugin. - --enable-smp enable SMP configuration and control interface. - Requires libxml. - --enable-sql enable SQL database configuration backend. - --enable-leak-detective enable malloc hooks to find memory leaks. - --enable-lock-profiler enable lock/mutex profiling code. - --enable-unit-tester enable unit tests on IKEv2 daemon startup. - --enable-load-tester enable load testing plugin for IKEv2 daemon. + --enable-addrblock enables RFC 3779 address block constraint support. + --enable-acert enable X509 attribute certificate checking plugin. + --enable-agent enables the ssh-agent signing plugin. + --disable-constraints disable advanced X509 constraint checking plugin. + --enable-coupling enable IKEv2 plugin to couple peer certificates + permanently to authentication. + --enable-dnscert enable DNSCERT authentication plugin. --enable-eap-sim enable SIM authentication module for EAP. --enable-eap-sim-file enable EAP-SIM backend based on a triplet file. --enable-eap-sim-pcsc enable EAP-SIM backend based on a smartcard reader. @@ -2088,31 +2088,17 @@ Optional Features: --enable-eap-tnc enable EAP TNC trusted network connect module. --enable-eap-dynamic enable dynamic EAP proxy module. --enable-eap-radius enable RADIUS proxy authentication module. + --enable-ipseckey enable IPSECKEY authentication plugin. + --enable-keychain enables OS X Keychain Services credential set. + --enable-pkcs11 enables the PKCS11 token support plugin. + --disable-revocation disable X509 CRL/OCSP revocation check plugin. + --enable-whitelist enable peer identity whitelisting plugin. --disable-xauth-generic disable generic XAuth backend. --enable-xauth-eap enable XAuth backend using EAP methods to verify passwords. --enable-xauth-pam enable XAuth backend using PAM to verify passwords. --enable-xauth-noauth enable XAuth pseudo-backend that does not actually verify or even request any credentials. - --enable-tnc-ifmap enable TNC IF-MAP module. Requires libxml - --enable-tnc-pdp enable TNC policy decision point module. - --enable-tnc-imc enable TNC IMC module. - --enable-tnc-imv enable TNC IMV module. - --enable-tnccs-11 enable TNCCS 1.1 protocol module. Requires libxml - --enable-tnccs-20 enable TNCCS 2.0 protocol module. - --enable-tnccs-dynamic enable dynamic TNCCS protocol discovery module. - --enable-imc-test enable IMC test module. - --enable-imv-test enable IMV test module. - --enable-imc-scanner enable IMC port scanner module. - --enable-imv-scanner enable IMV port scanner module. - --enable-imc-os enable IMC operating system module. - --enable-imv-os enable IMV operating system module. - --enable-imc-attestation - enable IMC attestation module. - --enable-imv-attestation - enable IMV attestation module. - --enable-imc-swid enable IMC swid module. - --enable-imv-swid enable IMV swid module. --disable-kernel-netlink disable the netlink kernel interface. --enable-kernel-pfkey enable the PF_KEY kernel interface. @@ -2120,85 +2106,103 @@ Optional Features: --enable-kernel-klips enable the KLIPS kernel interface. --enable-kernel-libipsec enable the libipsec kernel interface. - --enable-libipsec enable user space IPsec implementation. --disable-socket-default disable default socket implementation for charon. --enable-socket-dynamic enable dynamic socket implementation for charon - --enable-farp enable ARP faking plugin that responds to ARP - requests to peers virtual IP - --enable-dumm enable the DUMM UML test framework. - --enable-fast enable libfast (FastCGI Application Server w/ - templates. - --enable-manager enable web management console (proof of concept). - --enable-mediation enable IKEv2 Mediation Extension. - --enable-integrity-test enable integrity testing of libstrongswan and - plugins. - --disable-load-warning disable the charon plugin load option warning in - starter. - --disable-ikev1 disable IKEv1 protocol support in charon. - --disable-ikev2 disable IKEv2 protocol support in charon. - --disable-charon disable the IKEv1/IKEv2 keying daemon charon. - --disable-tools disable additional utilities (openac, scepclient and - pki). - --disable-scripts disable additional utilities (found in directory - scripts). - --enable-conftest enforce Suite B conformance test framework. - --disable-updown disable updown firewall script plugin. + --disable-stroke disable charons stroke configuration backend. + --enable-smp enable SMP configuration and control interface. + Requires libxml. + --enable-sql enable SQL database configuration backend. + --enable-uci enable OpenWRT UCI configuration plugin. + --enable-android-dns enable Android specific DNS handler. --disable-attr disable strongswan.conf based configuration attribute plugin. --enable-attr-sql enable SQL based configuration attribute plugin. --enable-dhcp enable DHCP based attribute provider plugin. + --enable-osx-attr enable OS X SystemConfiguration attribute handler. --disable-resolve disable resolve DNS handler plugin. - --enable-padlock enables VIA Padlock crypto plugin. - --enable-openssl enables the OpenSSL crypto plugin. - --enable-gcrypt enables the libgcrypt plugin. - --enable-agent enables the ssh-agent signing plugin. - --enable-keychain enables OS X Keychain Services credential set. - --enable-pkcs11 enables the PKCS11 token support plugin. - --enable-ctr enables the Counter Mode wrapper crypto plugin. - --enable-ccm enables the CCM AEAD wrapper crypto plugin. - --enable-gcm enables the GCM AEAD wrapper crypto plugin. - --enable-ntru enables the NTRU crypto plugin. - --enable-addrblock enables RFC 3779 address block constraint support. --enable-unity enables Cisco Unity extension plugin. - --enable-uci enable OpenWRT UCI configuration plugin. - --enable-osx-attr enable OS X SystemConfiguration attribute handler. - --enable-android-dns enable Android specific DNS handler. + --enable-imc-test enable IMC test module. + --enable-imv-test enable IMV test module. + --enable-imc-scanner enable IMC port scanner module. + --enable-imv-scanner enable IMV port scanner module. + --enable-imc-os enable IMC operating system module. + --enable-imv-os enable IMV operating system module. + --enable-imc-attestation + enable IMC attestation module. + --enable-imv-attestation + enable IMV attestation module. + --enable-imc-swid enable IMC swid module. + --enable-imv-swid enable IMV swid module. + --enable-tnc-ifmap enable TNC IF-MAP module. Requires libxml + --enable-tnc-imc enable TNC IMC module. + --enable-tnc-imv enable TNC IMV module. + --enable-tnc-pdp enable TNC policy decision point module. + --enable-tnccs-11 enable TNCCS 1.1 protocol module. Requires libxml + --enable-tnccs-20 enable TNCCS 2.0 protocol module. + --enable-tnccs-dynamic enable dynamic TNCCS protocol discovery module. --enable-android-log enable Android specific logger plugin. - --enable-maemo enable Maemo specific plugin. - --enable-nm enable NetworkManager backend. - --enable-ha enable high availability cluster plugin. - --enable-whitelist enable peer identity whitelisting plugin. - --enable-lookip enable fast virtual IP lookup and notification - plugin. - --enable-error-notify enable error notification plugin. --enable-certexpire enable CSV export of expiration dates of used certificates. - --enable-systime-fix enable plugin to handle cert lifetimes with invalid - system time gracefully. - --enable-led enable plugin to control LEDs on IKEv2 activity - using the Linux kernel LED subsystem. --enable-duplicheck advanced duplicate checking plugin using liveness checks. - --enable-coupling enable IKEv2 plugin to couple peer certificates - permanently to authentication. + --enable-error-notify enable error notification plugin. + --enable-farp enable ARP faking plugin that responds to ARP + requests to peers virtual IP + --enable-ha enable high availability cluster plugin. + --enable-led enable plugin to control LEDs on IKEv2 activity + using the Linux kernel LED subsystem. + --enable-load-tester enable load testing plugin for IKEv2 daemon. + --enable-lookip enable fast virtual IP lookup and notification + plugin. + --enable-maemo enable Maemo specific plugin. --enable-radattr enable plugin to inject and process custom RADIUS attributes as IKEv2 client. - --enable-vstr enforce using the Vstr string library to replace - glibc-like printf hooks. - --enable-monolithic build monolithic version of libstrongswan that - includes all enabled plugins. Similarly, the plugins - of charon are assembled in libcharon. + --enable-systime-fix enable plugin to handle cert lifetimes with invalid + system time gracefully. + --enable-test-vectors enable plugin providing crypto test vectors. + --enable-unit-tester enable unit tests on IKEv2 daemon startup. + --disable-updown disable updown firewall script plugin. + --disable-charon disable the IKEv1/IKEv2 keying daemon charon. + --enable-cmd enable the command line IKE client charon-cmd. + --enable-conftest enforce Suite B conformance test framework. + --enable-dumm enable the DUMM UML test framework. + --enable-fast enable libfast (FastCGI Application Server w/ + templates. + --enable-libipsec enable user space IPsec implementation. + --enable-manager enable web management console (proof of concept). + --enable-medcli enable mediation client configuration database + plugin. + --enable-medsrv enable mediation server web frontend and daemon + plugin. + --enable-nm enable NetworkManager backend. + --disable-scripts disable additional utilities (found in directory + scripts). + --enable-tkm enable Trusted Key Manager support. + --disable-tools disable additional utilities (scepclient and pki). --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory leaks and segfaults. + --disable-ikev1 disable IKEv1 protocol support in charon. + --disable-ikev2 disable IKEv2 protocol support in charon. + --enable-integrity-test enable integrity testing of libstrongswan and + plugins. + --disable-load-warning disable the charon plugin load option warning in + starter. + --enable-mediation enable IKEv2 Mediation Extension. --enable-unwind-backtraces use libunwind to create backtraces for memory leaks and segfaults. --enable-coverage enable lcov coverage report generation. - --enable-tkm enable Trusted Key Manager support. - --enable-cmd enable the command line IKE client charon-cmd. + --enable-leak-detective enable malloc hooks to find memory leaks. + --enable-lock-profiler enable lock/mutex profiling code. + --enable-monolithic build monolithic version of libstrongswan that + includes all enabled plugins. Similarly, the plugins + of charon are assembled in libcharon. --disable-defaults disable all default plugins (they can be enabled with their respective --enable options) + --enable-all enable all plugins and features (they can be + disabled with their respective --disable options). + Mainly for testing. --enable-dependency-tracking do not reject slow dependency extractors --disable-dependency-tracking @@ -2257,6 +2261,9 @@ Optional Packages: libgmp, if available (default: yes). --with-dev-headers=arg install strongSwan development headers to directory. (default: no). + --with-printf-hooks=arg force the use of a specific printf hook + implementation (auto, builtin, glibc, vstr). + (default: auto). --with-systemdsystemunitdir=arg directory for systemd service files (default: $systemdsystemunitdir_default). @@ -2382,7 +2389,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.1.2 +strongSwan configure 5.1.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2904,7 +2911,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.1.2, which was +It was created by strongSwan $as_me 5.1.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3767,7 +3774,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.1.2' + VERSION='5.1.3' cat >>confdefs.h <<_ACEOF @@ -4426,6 +4433,16 @@ fi +# Check whether --with-printf-hooks was given. +if test "${with_printf_hooks+set}" = set; then : + withval=$with_printf_hooks; printf_hooks="$withval" +else + printf_hooks=auto + +fi + + + if test -n "$PKG_CONFIG"; then systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) fi @@ -4534,6 +4551,7 @@ ipsec_script_upper=`echo -n "$ipsec_script" | tr a-z A-Z` # ARG_ENABL_SET(option, help) # --------------------------- # Create a --enable-$1 option with helptext, set a variable $1 to true/false +# All $1 are collected in the variable $disabled_by_default # ARG_DISBL_SET(option, help) @@ -4543,81 +4561,102 @@ ipsec_script_upper=`echo -n "$ipsec_script" | tr a-z A-Z` -# Check whether --enable-curl was given. -if test "${enable_curl+set}" = set; then : - enableval=$enable_curl; curl_given=true +# crypto plugins +# Check whether --enable-aes was given. +if test "${enable_aes+set}" = set; then : + enableval=$enable_aes; aes_given=true if test x$enableval = xyes; then - curl=true + aes=true else - curl=false + aes=false fi else - curl=false - curl_given=false + aes=true + aes_given=false fi + enabled_by_default=${enabled_by_default}" aes" -# Check whether --enable-unbound was given. -if test "${enable_unbound+set}" = set; then : - enableval=$enable_unbound; unbound_given=true +# Check whether --enable-af-alg was given. +if test "${enable_af_alg+set}" = set; then : + enableval=$enable_af_alg; af_alg_given=true if test x$enableval = xyes; then - unbound=true + af_alg=true else - unbound=false + af_alg=false fi else - unbound=false - unbound_given=false + af_alg=false + af_alg_given=false fi + disabled_by_default=${disabled_by_default}" af_alg" -# Check whether --enable-soup was given. -if test "${enable_soup+set}" = set; then : - enableval=$enable_soup; soup_given=true +# Check whether --enable-blowfish was given. +if test "${enable_blowfish+set}" = set; then : + enableval=$enable_blowfish; blowfish_given=true if test x$enableval = xyes; then - soup=true + blowfish=true else - soup=false + blowfish=false fi else - soup=false - soup_given=false + blowfish=false + blowfish_given=false fi + disabled_by_default=${disabled_by_default}" blowfish" -# Check whether --enable-ldap was given. -if test "${enable_ldap+set}" = set; then : - enableval=$enable_ldap; ldap_given=true +# Check whether --enable-ccm was given. +if test "${enable_ccm+set}" = set; then : + enableval=$enable_ccm; ccm_given=true if test x$enableval = xyes; then - ldap=true + ccm=true else - ldap=false + ccm=false fi else - ldap=false - ldap_given=false + ccm=false + ccm_given=false fi + disabled_by_default=${disabled_by_default}" ccm" -# Check whether --enable-aes was given. -if test "${enable_aes+set}" = set; then : - enableval=$enable_aes; aes_given=true +# Check whether --enable-cmac was given. +if test "${enable_cmac+set}" = set; then : + enableval=$enable_cmac; cmac_given=true if test x$enableval = xyes; then - aes=true + cmac=true else - aes=false + cmac=false fi else - aes=true - aes_given=false + cmac=true + cmac_given=false fi - enabled_by_default=${enabled_by_default}" aes" + enabled_by_default=${enabled_by_default}" cmac" + +# Check whether --enable-ctr was given. +if test "${enable_ctr+set}" = set; then : + enableval=$enable_ctr; ctr_given=true + if test x$enableval = xyes; then + ctr=true + else + ctr=false + fi +else + ctr=false + ctr_given=false + +fi + + disabled_by_default=${disabled_by_default}" ctr" # Check whether --enable-des was given. if test "${enable_des+set}" = set; then : @@ -4635,36 +4674,85 @@ fi enabled_by_default=${enabled_by_default}" des" -# Check whether --enable-blowfish was given. -if test "${enable_blowfish+set}" = set; then : - enableval=$enable_blowfish; blowfish_given=true +# Check whether --enable-fips-prf was given. +if test "${enable_fips_prf+set}" = set; then : + enableval=$enable_fips_prf; fips_prf_given=true if test x$enableval = xyes; then - blowfish=true + fips_prf=true else - blowfish=false + fips_prf=false fi else - blowfish=false - blowfish_given=false + fips_prf=true + fips_prf_given=false fi + enabled_by_default=${enabled_by_default}" fips_prf" -# Check whether --enable-rc2 was given. -if test "${enable_rc2+set}" = set; then : - enableval=$enable_rc2; rc2_given=true +# Check whether --enable-gcm was given. +if test "${enable_gcm+set}" = set; then : + enableval=$enable_gcm; gcm_given=true if test x$enableval = xyes; then - rc2=true + gcm=true else - rc2=false + gcm=false fi else - rc2=true - rc2_given=false + gcm=false + gcm_given=false fi - enabled_by_default=${enabled_by_default}" rc2" + disabled_by_default=${disabled_by_default}" gcm" + +# Check whether --enable-gcrypt was given. +if test "${enable_gcrypt+set}" = set; then : + enableval=$enable_gcrypt; gcrypt_given=true + if test x$enableval = xyes; then + gcrypt=true + else + gcrypt=false + fi +else + gcrypt=false + gcrypt_given=false + +fi + + disabled_by_default=${disabled_by_default}" gcrypt" + +# Check whether --enable-gmp was given. +if test "${enable_gmp+set}" = set; then : + enableval=$enable_gmp; gmp_given=true + if test x$enableval = xyes; then + gmp=true + else + gmp=false + fi +else + gmp=true + gmp_given=false + +fi + + enabled_by_default=${enabled_by_default}" gmp" + +# Check whether --enable-hmac was given. +if test "${enable_hmac+set}" = set; then : + enableval=$enable_hmac; hmac_given=true + if test x$enableval = xyes; then + hmac=true + else + hmac=false + fi +else + hmac=true + hmac_given=false + +fi + + enabled_by_default=${enabled_by_default}" hmac" # Check whether --enable-md4 was given. if test "${enable_md4+set}" = set; then : @@ -4680,6 +4768,7 @@ else fi + disabled_by_default=${disabled_by_default}" md4" # Check whether --enable-md5 was given. if test "${enable_md5+set}" = set; then : @@ -4697,69 +4786,101 @@ fi enabled_by_default=${enabled_by_default}" md5" -# Check whether --enable-sha1 was given. -if test "${enable_sha1+set}" = set; then : - enableval=$enable_sha1; sha1_given=true +# Check whether --enable-nonce was given. +if test "${enable_nonce+set}" = set; then : + enableval=$enable_nonce; nonce_given=true if test x$enableval = xyes; then - sha1=true + nonce=true else - sha1=false + nonce=false fi else - sha1=true - sha1_given=false + nonce=true + nonce_given=false fi - enabled_by_default=${enabled_by_default}" sha1" + enabled_by_default=${enabled_by_default}" nonce" -# Check whether --enable-sha2 was given. -if test "${enable_sha2+set}" = set; then : - enableval=$enable_sha2; sha2_given=true +# Check whether --enable-ntru was given. +if test "${enable_ntru+set}" = set; then : + enableval=$enable_ntru; ntru_given=true if test x$enableval = xyes; then - sha2=true + ntru=true else - sha2=false + ntru=false fi else - sha2=true - sha2_given=false + ntru=false + ntru_given=false fi - enabled_by_default=${enabled_by_default}" sha2" + disabled_by_default=${disabled_by_default}" ntru" -# Check whether --enable-fips-prf was given. -if test "${enable_fips_prf+set}" = set; then : - enableval=$enable_fips_prf; fips_prf_given=true +# Check whether --enable-openssl was given. +if test "${enable_openssl+set}" = set; then : + enableval=$enable_openssl; openssl_given=true if test x$enableval = xyes; then - fips_prf=true + openssl=true else - fips_prf=false + openssl=false fi else - fips_prf=true - fips_prf_given=false + openssl=false + openssl_given=false fi - enabled_by_default=${enabled_by_default}" fips_prf" + disabled_by_default=${disabled_by_default}" openssl" -# Check whether --enable-gmp was given. -if test "${enable_gmp+set}" = set; then : - enableval=$enable_gmp; gmp_given=true +# Check whether --enable-padlock was given. +if test "${enable_padlock+set}" = set; then : + enableval=$enable_padlock; padlock_given=true if test x$enableval = xyes; then - gmp=true + padlock=true else - gmp=false + padlock=false fi else - gmp=true - gmp_given=false + padlock=false + padlock_given=false fi - enabled_by_default=${enabled_by_default}" gmp" + disabled_by_default=${disabled_by_default}" padlock" + +# Check whether --enable-random was given. +if test "${enable_random+set}" = set; then : + enableval=$enable_random; random_given=true + if test x$enableval = xyes; then + random=true + else + random=false + fi +else + random=true + random_given=false + +fi + + enabled_by_default=${enabled_by_default}" random" + +# Check whether --enable-rc2 was given. +if test "${enable_rc2+set}" = set; then : + enableval=$enable_rc2; rc2_given=true + if test x$enableval = xyes; then + rc2=true + else + rc2=false + fi +else + rc2=true + rc2_given=false + +fi + + enabled_by_default=${enabled_by_default}" rc2" # Check whether --enable-rdrand was given. if test "${enable_rdrand+set}" = set; then : @@ -4775,102 +4896,104 @@ else fi + disabled_by_default=${disabled_by_default}" rdrand" -# Check whether --enable-random was given. -if test "${enable_random+set}" = set; then : - enableval=$enable_random; random_given=true +# Check whether --enable-sha1 was given. +if test "${enable_sha1+set}" = set; then : + enableval=$enable_sha1; sha1_given=true if test x$enableval = xyes; then - random=true + sha1=true else - random=false + sha1=false fi else - random=true - random_given=false + sha1=true + sha1_given=false fi - enabled_by_default=${enabled_by_default}" random" + enabled_by_default=${enabled_by_default}" sha1" -# Check whether --enable-nonce was given. -if test "${enable_nonce+set}" = set; then : - enableval=$enable_nonce; nonce_given=true +# Check whether --enable-sha2 was given. +if test "${enable_sha2+set}" = set; then : + enableval=$enable_sha2; sha2_given=true if test x$enableval = xyes; then - nonce=true + sha2=true else - nonce=false + sha2=false fi else - nonce=true - nonce_given=false + sha2=true + sha2_given=false fi - enabled_by_default=${enabled_by_default}" nonce" + enabled_by_default=${enabled_by_default}" sha2" -# Check whether --enable-x509 was given. -if test "${enable_x509+set}" = set; then : - enableval=$enable_x509; x509_given=true +# Check whether --enable-xcbc was given. +if test "${enable_xcbc+set}" = set; then : + enableval=$enable_xcbc; xcbc_given=true if test x$enableval = xyes; then - x509=true + xcbc=true else - x509=false + xcbc=false fi else - x509=true - x509_given=false + xcbc=true + xcbc_given=false fi - enabled_by_default=${enabled_by_default}" x509" + enabled_by_default=${enabled_by_default}" xcbc" -# Check whether --enable-revocation was given. -if test "${enable_revocation+set}" = set; then : - enableval=$enable_revocation; revocation_given=true +# encoding/decoding plugins +# Check whether --enable-dnskey was given. +if test "${enable_dnskey+set}" = set; then : + enableval=$enable_dnskey; dnskey_given=true if test x$enableval = xyes; then - revocation=true + dnskey=true else - revocation=false + dnskey=false fi else - revocation=true - revocation_given=false + dnskey=true + dnskey_given=false fi - enabled_by_default=${enabled_by_default}" revocation" + enabled_by_default=${enabled_by_default}" dnskey" -# Check whether --enable-constraints was given. -if test "${enable_constraints+set}" = set; then : - enableval=$enable_constraints; constraints_given=true +# Check whether --enable-pem was given. +if test "${enable_pem+set}" = set; then : + enableval=$enable_pem; pem_given=true if test x$enableval = xyes; then - constraints=true + pem=true else - constraints=false + pem=false fi else - constraints=true - constraints_given=false + pem=true + pem_given=false fi - enabled_by_default=${enabled_by_default}" constraints" + enabled_by_default=${enabled_by_default}" pem" -# Check whether --enable-pubkey was given. -if test "${enable_pubkey+set}" = set; then : - enableval=$enable_pubkey; pubkey_given=true +# Check whether --enable-pgp was given. +if test "${enable_pgp+set}" = set; then : + enableval=$enable_pgp; pgp_given=true if test x$enableval = xyes; then - pubkey=true + pgp=true else - pubkey=false + pgp=false fi else - pubkey=true - pubkey_given=false + pgp=true + pgp_given=false fi - enabled_by_default=${enabled_by_default}" pubkey" + enabled_by_default=${enabled_by_default}" pgp" # Check whether --enable-pkcs1 was given. if test "${enable_pkcs1+set}" = set; then : @@ -4936,37 +5059,21 @@ fi enabled_by_default=${enabled_by_default}" pkcs12" -# Check whether --enable-pgp was given. -if test "${enable_pgp+set}" = set; then : - enableval=$enable_pgp; pgp_given=true - if test x$enableval = xyes; then - pgp=true - else - pgp=false - fi -else - pgp=true - pgp_given=false - -fi - - enabled_by_default=${enabled_by_default}" pgp" - -# Check whether --enable-dnskey was given. -if test "${enable_dnskey+set}" = set; then : - enableval=$enable_dnskey; dnskey_given=true +# Check whether --enable-pubkey was given. +if test "${enable_pubkey+set}" = set; then : + enableval=$enable_pubkey; pubkey_given=true if test x$enableval = xyes; then - dnskey=true + pubkey=true else - dnskey=false + pubkey=false fi else - dnskey=true - dnskey_given=false + pubkey=true + pubkey_given=false fi - enabled_by_default=${enabled_by_default}" dnskey" + enabled_by_default=${enabled_by_default}" pubkey" # Check whether --enable-sshkey was given. if test "${enable_sshkey+set}" = set; then : @@ -4984,130 +5091,88 @@ fi enabled_by_default=${enabled_by_default}" sshkey" -# Check whether --enable-dnscert was given. -if test "${enable_dnscert+set}" = set; then : - enableval=$enable_dnscert; dnscert_given=true - if test x$enableval = xyes; then - dnscert=true - else - dnscert=false - fi -else - dnscert=false - dnscert_given=false - -fi - - -# Check whether --enable-ipseckey was given. -if test "${enable_ipseckey+set}" = set; then : - enableval=$enable_ipseckey; ipseckey_given=true - if test x$enableval = xyes; then - ipseckey=true - else - ipseckey=false - fi -else - ipseckey=false - ipseckey_given=false - -fi - - -# Check whether --enable-pem was given. -if test "${enable_pem+set}" = set; then : - enableval=$enable_pem; pem_given=true - if test x$enableval = xyes; then - pem=true - else - pem=false - fi -else - pem=true - pem_given=false - -fi - - enabled_by_default=${enabled_by_default}" pem" - -# Check whether --enable-hmac was given. -if test "${enable_hmac+set}" = set; then : - enableval=$enable_hmac; hmac_given=true +# Check whether --enable-x509 was given. +if test "${enable_x509+set}" = set; then : + enableval=$enable_x509; x509_given=true if test x$enableval = xyes; then - hmac=true + x509=true else - hmac=false + x509=false fi else - hmac=true - hmac_given=false + x509=true + x509_given=false fi - enabled_by_default=${enabled_by_default}" hmac" + enabled_by_default=${enabled_by_default}" x509" -# Check whether --enable-cmac was given. -if test "${enable_cmac+set}" = set; then : - enableval=$enable_cmac; cmac_given=true +# fetcher/resolver plugins +# Check whether --enable-curl was given. +if test "${enable_curl+set}" = set; then : + enableval=$enable_curl; curl_given=true if test x$enableval = xyes; then - cmac=true + curl=true else - cmac=false + curl=false fi else - cmac=true - cmac_given=false + curl=false + curl_given=false fi - enabled_by_default=${enabled_by_default}" cmac" + disabled_by_default=${disabled_by_default}" curl" -# Check whether --enable-xcbc was given. -if test "${enable_xcbc+set}" = set; then : - enableval=$enable_xcbc; xcbc_given=true +# Check whether --enable-ldap was given. +if test "${enable_ldap+set}" = set; then : + enableval=$enable_ldap; ldap_given=true if test x$enableval = xyes; then - xcbc=true + ldap=true else - xcbc=false + ldap=false fi else - xcbc=true - xcbc_given=false + ldap=false + ldap_given=false fi - enabled_by_default=${enabled_by_default}" xcbc" + disabled_by_default=${disabled_by_default}" ldap" -# Check whether --enable-af-alg was given. -if test "${enable_af_alg+set}" = set; then : - enableval=$enable_af_alg; af_alg_given=true +# Check whether --enable-soup was given. +if test "${enable_soup+set}" = set; then : + enableval=$enable_soup; soup_given=true if test x$enableval = xyes; then - af_alg=true + soup=true else - af_alg=false + soup=false fi else - af_alg=false - af_alg_given=false + soup=false + soup_given=false fi + disabled_by_default=${disabled_by_default}" soup" -# Check whether --enable-test-vectors was given. -if test "${enable_test_vectors+set}" = set; then : - enableval=$enable_test_vectors; test_vectors_given=true +# Check whether --enable-unbound was given. +if test "${enable_unbound+set}" = set; then : + enableval=$enable_unbound; unbound_given=true if test x$enableval = xyes; then - test_vectors=true + unbound=true else - test_vectors=false + unbound=false fi else - test_vectors=false - test_vectors_given=false + unbound=false + unbound_given=false fi + disabled_by_default=${disabled_by_default}" unbound" +# database plugins # Check whether --enable-mysql was given. if test "${enable_mysql+set}" = set; then : enableval=$enable_mysql; mysql_given=true @@ -5122,6 +5187,7 @@ else fi + disabled_by_default=${disabled_by_default}" mysql" # Check whether --enable-sqlite was given. if test "${enable_sqlite+set}" = set; then : @@ -5137,142 +5203,104 @@ else fi + disabled_by_default=${disabled_by_default}" sqlite" -# Check whether --enable-stroke was given. -if test "${enable_stroke+set}" = set; then : - enableval=$enable_stroke; stroke_given=true - if test x$enableval = xyes; then - stroke=true - else - stroke=false - fi -else - stroke=true - stroke_given=false - -fi - - enabled_by_default=${enabled_by_default}" stroke" - -# Check whether --enable-medsrv was given. -if test "${enable_medsrv+set}" = set; then : - enableval=$enable_medsrv; medsrv_given=true - if test x$enableval = xyes; then - medsrv=true - else - medsrv=false - fi -else - medsrv=false - medsrv_given=false - -fi - - -# Check whether --enable-medcli was given. -if test "${enable_medcli+set}" = set; then : - enableval=$enable_medcli; medcli_given=true - if test x$enableval = xyes; then - medcli=true - else - medcli=false - fi -else - medcli=false - medcli_given=false - -fi - - -# Check whether --enable-smp was given. -if test "${enable_smp+set}" = set; then : - enableval=$enable_smp; smp_given=true +# authentication/credential plugins +# Check whether --enable-addrblock was given. +if test "${enable_addrblock+set}" = set; then : + enableval=$enable_addrblock; addrblock_given=true if test x$enableval = xyes; then - smp=true + addrblock=true else - smp=false + addrblock=false fi else - smp=false - smp_given=false + addrblock=false + addrblock_given=false fi + disabled_by_default=${disabled_by_default}" addrblock" -# Check whether --enable-sql was given. -if test "${enable_sql+set}" = set; then : - enableval=$enable_sql; sql_given=true +# Check whether --enable-acert was given. +if test "${enable_acert+set}" = set; then : + enableval=$enable_acert; acert_given=true if test x$enableval = xyes; then - sql=true + acert=true else - sql=false + acert=false fi else - sql=false - sql_given=false + acert=false + acert_given=false fi + disabled_by_default=${disabled_by_default}" acert" -# Check whether --enable-leak-detective was given. -if test "${enable_leak_detective+set}" = set; then : - enableval=$enable_leak_detective; leak_detective_given=true +# Check whether --enable-agent was given. +if test "${enable_agent+set}" = set; then : + enableval=$enable_agent; agent_given=true if test x$enableval = xyes; then - leak_detective=true + agent=true else - leak_detective=false + agent=false fi else - leak_detective=false - leak_detective_given=false + agent=false + agent_given=false fi + disabled_by_default=${disabled_by_default}" agent" -# Check whether --enable-lock-profiler was given. -if test "${enable_lock_profiler+set}" = set; then : - enableval=$enable_lock_profiler; lock_profiler_given=true +# Check whether --enable-constraints was given. +if test "${enable_constraints+set}" = set; then : + enableval=$enable_constraints; constraints_given=true if test x$enableval = xyes; then - lock_profiler=true + constraints=true else - lock_profiler=false + constraints=false fi else - lock_profiler=false - lock_profiler_given=false + constraints=true + constraints_given=false fi + enabled_by_default=${enabled_by_default}" constraints" -# Check whether --enable-unit-tester was given. -if test "${enable_unit_tester+set}" = set; then : - enableval=$enable_unit_tester; unit_tester_given=true +# Check whether --enable-coupling was given. +if test "${enable_coupling+set}" = set; then : + enableval=$enable_coupling; coupling_given=true if test x$enableval = xyes; then - unit_tester=true + coupling=true else - unit_tester=false + coupling=false fi else - unit_tester=false - unit_tester_given=false + coupling=false + coupling_given=false fi + disabled_by_default=${disabled_by_default}" coupling" -# Check whether --enable-load-tester was given. -if test "${enable_load_tester+set}" = set; then : - enableval=$enable_load_tester; load_tester_given=true +# Check whether --enable-dnscert was given. +if test "${enable_dnscert+set}" = set; then : + enableval=$enable_dnscert; dnscert_given=true if test x$enableval = xyes; then - load_tester=true + dnscert=true else - load_tester=false + dnscert=false fi else - load_tester=false - load_tester_given=false + dnscert=false + dnscert_given=false fi + disabled_by_default=${disabled_by_default}" dnscert" # Check whether --enable-eap-sim was given. if test "${enable_eap_sim+set}" = set; then : @@ -5288,6 +5316,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_sim" # Check whether --enable-eap-sim-file was given. if test "${enable_eap_sim_file+set}" = set; then : @@ -5303,6 +5332,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_sim_file" # Check whether --enable-eap-sim-pcsc was given. if test "${enable_eap_sim_pcsc+set}" = set; then : @@ -5318,6 +5348,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_sim_pcsc" # Check whether --enable-eap-aka was given. if test "${enable_eap_aka+set}" = set; then : @@ -5333,6 +5364,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_aka" # Check whether --enable-eap-aka-3gpp2 was given. if test "${enable_eap_aka_3gpp2+set}" = set; then : @@ -5348,6 +5380,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_aka_3gpp2" # Check whether --enable-eap-simaka-sql was given. if test "${enable_eap_simaka_sql+set}" = set; then : @@ -5363,6 +5396,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_simaka_sql" # Check whether --enable-eap-simaka-pseudonym was given. if test "${enable_eap_simaka_pseudonym+set}" = set; then : @@ -5378,6 +5412,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_simaka_pseudonym" # Check whether --enable-eap-simaka-reauth was given. if test "${enable_eap_simaka_reauth+set}" = set; then : @@ -5393,6 +5428,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_simaka_reauth" # Check whether --enable-eap-identity was given. if test "${enable_eap_identity+set}" = set; then : @@ -5408,6 +5444,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_identity" # Check whether --enable-eap-md5 was given. if test "${enable_eap_md5+set}" = set; then : @@ -5423,6 +5460,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_md5" # Check whether --enable-eap-gtc was given. if test "${enable_eap_gtc+set}" = set; then : @@ -5438,6 +5476,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_gtc" # Check whether --enable-eap-mschapv2 was given. if test "${enable_eap_mschapv2+set}" = set; then : @@ -5453,6 +5492,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_mschapv2" # Check whether --enable-eap-tls was given. if test "${enable_eap_tls+set}" = set; then : @@ -5468,6 +5508,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_tls" # Check whether --enable-eap-ttls was given. if test "${enable_eap_ttls+set}" = set; then : @@ -5483,6 +5524,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_ttls" # Check whether --enable-eap-peap was given. if test "${enable_eap_peap+set}" = set; then : @@ -5498,6 +5540,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_peap" # Check whether --enable-eap-tnc was given. if test "${enable_eap_tnc+set}" = set; then : @@ -5513,6 +5556,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_tnc" # Check whether --enable-eap-dynamic was given. if test "${enable_eap_dynamic+set}" = set; then : @@ -5528,6 +5572,7 @@ else fi + disabled_by_default=${disabled_by_default}" eap_dynamic" # Check whether --enable-eap-radius was given. if test "${enable_eap_radius+set}" = set; then : @@ -5543,1188 +5588,1262 @@ else fi + disabled_by_default=${disabled_by_default}" eap_radius" -# Check whether --enable-xauth-generic was given. -if test "${enable_xauth_generic+set}" = set; then : - enableval=$enable_xauth_generic; xauth_generic_given=true +# Check whether --enable-ipseckey was given. +if test "${enable_ipseckey+set}" = set; then : + enableval=$enable_ipseckey; ipseckey_given=true if test x$enableval = xyes; then - xauth_generic=true + ipseckey=true else - xauth_generic=false + ipseckey=false fi else - xauth_generic=true - xauth_generic_given=false + ipseckey=false + ipseckey_given=false fi - enabled_by_default=${enabled_by_default}" xauth_generic" + disabled_by_default=${disabled_by_default}" ipseckey" -# Check whether --enable-xauth-eap was given. -if test "${enable_xauth_eap+set}" = set; then : - enableval=$enable_xauth_eap; xauth_eap_given=true +# Check whether --enable-keychain was given. +if test "${enable_keychain+set}" = set; then : + enableval=$enable_keychain; keychain_given=true if test x$enableval = xyes; then - xauth_eap=true + keychain=true else - xauth_eap=false + keychain=false fi else - xauth_eap=false - xauth_eap_given=false + keychain=false + keychain_given=false fi + disabled_by_default=${disabled_by_default}" keychain" -# Check whether --enable-xauth-pam was given. -if test "${enable_xauth_pam+set}" = set; then : - enableval=$enable_xauth_pam; xauth_pam_given=true +# Check whether --enable-pkcs11 was given. +if test "${enable_pkcs11+set}" = set; then : + enableval=$enable_pkcs11; pkcs11_given=true if test x$enableval = xyes; then - xauth_pam=true + pkcs11=true else - xauth_pam=false + pkcs11=false fi else - xauth_pam=false - xauth_pam_given=false + pkcs11=false + pkcs11_given=false fi + disabled_by_default=${disabled_by_default}" pkcs11" -# Check whether --enable-xauth-noauth was given. -if test "${enable_xauth_noauth+set}" = set; then : - enableval=$enable_xauth_noauth; xauth_noauth_given=true +# Check whether --enable-revocation was given. +if test "${enable_revocation+set}" = set; then : + enableval=$enable_revocation; revocation_given=true if test x$enableval = xyes; then - xauth_noauth=true + revocation=true else - xauth_noauth=false + revocation=false fi else - xauth_noauth=false - xauth_noauth_given=false + revocation=true + revocation_given=false fi + enabled_by_default=${enabled_by_default}" revocation" -# Check whether --enable-tnc-ifmap was given. -if test "${enable_tnc_ifmap+set}" = set; then : - enableval=$enable_tnc_ifmap; tnc_ifmap_given=true +# Check whether --enable-whitelist was given. +if test "${enable_whitelist+set}" = set; then : + enableval=$enable_whitelist; whitelist_given=true if test x$enableval = xyes; then - tnc_ifmap=true + whitelist=true else - tnc_ifmap=false + whitelist=false fi else - tnc_ifmap=false - tnc_ifmap_given=false + whitelist=false + whitelist_given=false fi + disabled_by_default=${disabled_by_default}" whitelist" -# Check whether --enable-tnc-pdp was given. -if test "${enable_tnc_pdp+set}" = set; then : - enableval=$enable_tnc_pdp; tnc_pdp_given=true +# Check whether --enable-xauth-generic was given. +if test "${enable_xauth_generic+set}" = set; then : + enableval=$enable_xauth_generic; xauth_generic_given=true if test x$enableval = xyes; then - tnc_pdp=true + xauth_generic=true else - tnc_pdp=false + xauth_generic=false fi else - tnc_pdp=false - tnc_pdp_given=false + xauth_generic=true + xauth_generic_given=false fi + enabled_by_default=${enabled_by_default}" xauth_generic" -# Check whether --enable-tnc-imc was given. -if test "${enable_tnc_imc+set}" = set; then : - enableval=$enable_tnc_imc; tnc_imc_given=true +# Check whether --enable-xauth-eap was given. +if test "${enable_xauth_eap+set}" = set; then : + enableval=$enable_xauth_eap; xauth_eap_given=true if test x$enableval = xyes; then - tnc_imc=true + xauth_eap=true else - tnc_imc=false + xauth_eap=false fi else - tnc_imc=false - tnc_imc_given=false + xauth_eap=false + xauth_eap_given=false fi + disabled_by_default=${disabled_by_default}" xauth_eap" -# Check whether --enable-tnc-imv was given. -if test "${enable_tnc_imv+set}" = set; then : - enableval=$enable_tnc_imv; tnc_imv_given=true +# Check whether --enable-xauth-pam was given. +if test "${enable_xauth_pam+set}" = set; then : + enableval=$enable_xauth_pam; xauth_pam_given=true if test x$enableval = xyes; then - tnc_imv=true + xauth_pam=true else - tnc_imv=false + xauth_pam=false fi else - tnc_imv=false - tnc_imv_given=false + xauth_pam=false + xauth_pam_given=false fi + disabled_by_default=${disabled_by_default}" xauth_pam" -# Check whether --enable-tnccs-11 was given. -if test "${enable_tnccs_11+set}" = set; then : - enableval=$enable_tnccs_11; tnccs_11_given=true +# Check whether --enable-xauth-noauth was given. +if test "${enable_xauth_noauth+set}" = set; then : + enableval=$enable_xauth_noauth; xauth_noauth_given=true if test x$enableval = xyes; then - tnccs_11=true + xauth_noauth=true else - tnccs_11=false + xauth_noauth=false fi else - tnccs_11=false - tnccs_11_given=false + xauth_noauth=false + xauth_noauth_given=false fi + disabled_by_default=${disabled_by_default}" xauth_noauth" -# Check whether --enable-tnccs-20 was given. -if test "${enable_tnccs_20+set}" = set; then : - enableval=$enable_tnccs_20; tnccs_20_given=true +# kernel interfaces / sockets +# Check whether --enable-kernel-netlink was given. +if test "${enable_kernel_netlink+set}" = set; then : + enableval=$enable_kernel_netlink; kernel_netlink_given=true if test x$enableval = xyes; then - tnccs_20=true + kernel_netlink=true else - tnccs_20=false + kernel_netlink=false fi else - tnccs_20=false - tnccs_20_given=false + kernel_netlink=true + kernel_netlink_given=false fi + enabled_by_default=${enabled_by_default}" kernel_netlink" -# Check whether --enable-tnccs-dynamic was given. -if test "${enable_tnccs_dynamic+set}" = set; then : - enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true +# Check whether --enable-kernel-pfkey was given. +if test "${enable_kernel_pfkey+set}" = set; then : + enableval=$enable_kernel_pfkey; kernel_pfkey_given=true if test x$enableval = xyes; then - tnccs_dynamic=true + kernel_pfkey=true else - tnccs_dynamic=false + kernel_pfkey=false fi else - tnccs_dynamic=false - tnccs_dynamic_given=false + kernel_pfkey=false + kernel_pfkey_given=false fi + disabled_by_default=${disabled_by_default}" kernel_pfkey" -# Check whether --enable-imc-test was given. -if test "${enable_imc_test+set}" = set; then : - enableval=$enable_imc_test; imc_test_given=true +# Check whether --enable-kernel-pfroute was given. +if test "${enable_kernel_pfroute+set}" = set; then : + enableval=$enable_kernel_pfroute; kernel_pfroute_given=true if test x$enableval = xyes; then - imc_test=true + kernel_pfroute=true else - imc_test=false + kernel_pfroute=false fi else - imc_test=false - imc_test_given=false + kernel_pfroute=false + kernel_pfroute_given=false fi + disabled_by_default=${disabled_by_default}" kernel_pfroute" -# Check whether --enable-imv-test was given. -if test "${enable_imv_test+set}" = set; then : - enableval=$enable_imv_test; imv_test_given=true +# Check whether --enable-kernel-klips was given. +if test "${enable_kernel_klips+set}" = set; then : + enableval=$enable_kernel_klips; kernel_klips_given=true if test x$enableval = xyes; then - imv_test=true + kernel_klips=true else - imv_test=false + kernel_klips=false fi else - imv_test=false - imv_test_given=false + kernel_klips=false + kernel_klips_given=false fi + disabled_by_default=${disabled_by_default}" kernel_klips" -# Check whether --enable-imc-scanner was given. -if test "${enable_imc_scanner+set}" = set; then : - enableval=$enable_imc_scanner; imc_scanner_given=true +# Check whether --enable-kernel-libipsec was given. +if test "${enable_kernel_libipsec+set}" = set; then : + enableval=$enable_kernel_libipsec; kernel_libipsec_given=true if test x$enableval = xyes; then - imc_scanner=true + kernel_libipsec=true else - imc_scanner=false + kernel_libipsec=false fi else - imc_scanner=false - imc_scanner_given=false + kernel_libipsec=false + kernel_libipsec_given=false fi + disabled_by_default=${disabled_by_default}" kernel_libipsec" -# Check whether --enable-imv-scanner was given. -if test "${enable_imv_scanner+set}" = set; then : - enableval=$enable_imv_scanner; imv_scanner_given=true +# Check whether --enable-socket-default was given. +if test "${enable_socket_default+set}" = set; then : + enableval=$enable_socket_default; socket_default_given=true if test x$enableval = xyes; then - imv_scanner=true + socket_default=true else - imv_scanner=false + socket_default=false fi else - imv_scanner=false - imv_scanner_given=false + socket_default=true + socket_default_given=false fi + enabled_by_default=${enabled_by_default}" socket_default" -# Check whether --enable-imc-os was given. -if test "${enable_imc_os+set}" = set; then : - enableval=$enable_imc_os; imc_os_given=true +# Check whether --enable-socket-dynamic was given. +if test "${enable_socket_dynamic+set}" = set; then : + enableval=$enable_socket_dynamic; socket_dynamic_given=true if test x$enableval = xyes; then - imc_os=true + socket_dynamic=true else - imc_os=false + socket_dynamic=false fi else - imc_os=false - imc_os_given=false + socket_dynamic=false + socket_dynamic_given=false fi + disabled_by_default=${disabled_by_default}" socket_dynamic" -# Check whether --enable-imv-os was given. -if test "${enable_imv_os+set}" = set; then : - enableval=$enable_imv_os; imv_os_given=true +# configuration/control plugins +# Check whether --enable-stroke was given. +if test "${enable_stroke+set}" = set; then : + enableval=$enable_stroke; stroke_given=true if test x$enableval = xyes; then - imv_os=true + stroke=true else - imv_os=false + stroke=false fi else - imv_os=false - imv_os_given=false + stroke=true + stroke_given=false fi + enabled_by_default=${enabled_by_default}" stroke" -# Check whether --enable-imc-attestation was given. -if test "${enable_imc_attestation+set}" = set; then : - enableval=$enable_imc_attestation; imc_attestation_given=true +# Check whether --enable-smp was given. +if test "${enable_smp+set}" = set; then : + enableval=$enable_smp; smp_given=true if test x$enableval = xyes; then - imc_attestation=true + smp=true else - imc_attestation=false + smp=false fi else - imc_attestation=false - imc_attestation_given=false + smp=false + smp_given=false fi + disabled_by_default=${disabled_by_default}" smp" -# Check whether --enable-imv-attestation was given. -if test "${enable_imv_attestation+set}" = set; then : - enableval=$enable_imv_attestation; imv_attestation_given=true +# Check whether --enable-sql was given. +if test "${enable_sql+set}" = set; then : + enableval=$enable_sql; sql_given=true if test x$enableval = xyes; then - imv_attestation=true + sql=true else - imv_attestation=false + sql=false fi else - imv_attestation=false - imv_attestation_given=false + sql=false + sql_given=false fi + disabled_by_default=${disabled_by_default}" sql" -# Check whether --enable-imc-swid was given. -if test "${enable_imc_swid+set}" = set; then : - enableval=$enable_imc_swid; imc_swid_given=true +# Check whether --enable-uci was given. +if test "${enable_uci+set}" = set; then : + enableval=$enable_uci; uci_given=true if test x$enableval = xyes; then - imc_swid=true + uci=true else - imc_swid=false + uci=false fi else - imc_swid=false - imc_swid_given=false + uci=false + uci_given=false fi + disabled_by_default=${disabled_by_default}" uci" -# Check whether --enable-imv-swid was given. -if test "${enable_imv_swid+set}" = set; then : - enableval=$enable_imv_swid; imv_swid_given=true +# attribute provider/consumer plugins +# Check whether --enable-android-dns was given. +if test "${enable_android_dns+set}" = set; then : + enableval=$enable_android_dns; android_dns_given=true if test x$enableval = xyes; then - imv_swid=true + android_dns=true else - imv_swid=false + android_dns=false fi else - imv_swid=false - imv_swid_given=false + android_dns=false + android_dns_given=false fi + disabled_by_default=${disabled_by_default}" android_dns" -# Check whether --enable-kernel-netlink was given. -if test "${enable_kernel_netlink+set}" = set; then : - enableval=$enable_kernel_netlink; kernel_netlink_given=true +# Check whether --enable-attr was given. +if test "${enable_attr+set}" = set; then : + enableval=$enable_attr; attr_given=true if test x$enableval = xyes; then - kernel_netlink=true + attr=true else - kernel_netlink=false + attr=false fi else - kernel_netlink=true - kernel_netlink_given=false + attr=true + attr_given=false fi - enabled_by_default=${enabled_by_default}" kernel_netlink" + enabled_by_default=${enabled_by_default}" attr" -# Check whether --enable-kernel-pfkey was given. -if test "${enable_kernel_pfkey+set}" = set; then : - enableval=$enable_kernel_pfkey; kernel_pfkey_given=true +# Check whether --enable-attr-sql was given. +if test "${enable_attr_sql+set}" = set; then : + enableval=$enable_attr_sql; attr_sql_given=true if test x$enableval = xyes; then - kernel_pfkey=true + attr_sql=true else - kernel_pfkey=false + attr_sql=false fi else - kernel_pfkey=false - kernel_pfkey_given=false + attr_sql=false + attr_sql_given=false fi + disabled_by_default=${disabled_by_default}" attr_sql" -# Check whether --enable-kernel-pfroute was given. -if test "${enable_kernel_pfroute+set}" = set; then : - enableval=$enable_kernel_pfroute; kernel_pfroute_given=true +# Check whether --enable-dhcp was given. +if test "${enable_dhcp+set}" = set; then : + enableval=$enable_dhcp; dhcp_given=true if test x$enableval = xyes; then - kernel_pfroute=true + dhcp=true else - kernel_pfroute=false + dhcp=false fi else - kernel_pfroute=false - kernel_pfroute_given=false + dhcp=false + dhcp_given=false fi + disabled_by_default=${disabled_by_default}" dhcp" -# Check whether --enable-kernel-klips was given. -if test "${enable_kernel_klips+set}" = set; then : - enableval=$enable_kernel_klips; kernel_klips_given=true +# Check whether --enable-osx-attr was given. +if test "${enable_osx_attr+set}" = set; then : + enableval=$enable_osx_attr; osx_attr_given=true if test x$enableval = xyes; then - kernel_klips=true + osx_attr=true else - kernel_klips=false + osx_attr=false fi else - kernel_klips=false - kernel_klips_given=false + osx_attr=false + osx_attr_given=false fi + disabled_by_default=${disabled_by_default}" osx_attr" -# Check whether --enable-kernel-libipsec was given. -if test "${enable_kernel_libipsec+set}" = set; then : - enableval=$enable_kernel_libipsec; kernel_libipsec_given=true +# Check whether --enable-resolve was given. +if test "${enable_resolve+set}" = set; then : + enableval=$enable_resolve; resolve_given=true if test x$enableval = xyes; then - kernel_libipsec=true + resolve=true else - kernel_libipsec=false + resolve=false fi else - kernel_libipsec=false - kernel_libipsec_given=false + resolve=true + resolve_given=false fi + enabled_by_default=${enabled_by_default}" resolve" -# Check whether --enable-libipsec was given. -if test "${enable_libipsec+set}" = set; then : - enableval=$enable_libipsec; libipsec_given=true +# Check whether --enable-unity was given. +if test "${enable_unity+set}" = set; then : + enableval=$enable_unity; unity_given=true if test x$enableval = xyes; then - libipsec=true + unity=true else - libipsec=false + unity=false fi else - libipsec=false - libipsec_given=false + unity=false + unity_given=false fi + disabled_by_default=${disabled_by_default}" unity" -# Check whether --enable-socket-default was given. -if test "${enable_socket_default+set}" = set; then : - enableval=$enable_socket_default; socket_default_given=true +# TNC modules/plugins +# Check whether --enable-imc-test was given. +if test "${enable_imc_test+set}" = set; then : + enableval=$enable_imc_test; imc_test_given=true if test x$enableval = xyes; then - socket_default=true + imc_test=true else - socket_default=false + imc_test=false fi else - socket_default=true - socket_default_given=false + imc_test=false + imc_test_given=false fi - enabled_by_default=${enabled_by_default}" socket_default" + disabled_by_default=${disabled_by_default}" imc_test" -# Check whether --enable-socket-dynamic was given. -if test "${enable_socket_dynamic+set}" = set; then : - enableval=$enable_socket_dynamic; socket_dynamic_given=true +# Check whether --enable-imv-test was given. +if test "${enable_imv_test+set}" = set; then : + enableval=$enable_imv_test; imv_test_given=true if test x$enableval = xyes; then - socket_dynamic=true + imv_test=true else - socket_dynamic=false + imv_test=false fi else - socket_dynamic=false - socket_dynamic_given=false + imv_test=false + imv_test_given=false fi + disabled_by_default=${disabled_by_default}" imv_test" -# Check whether --enable-farp was given. -if test "${enable_farp+set}" = set; then : - enableval=$enable_farp; farp_given=true +# Check whether --enable-imc-scanner was given. +if test "${enable_imc_scanner+set}" = set; then : + enableval=$enable_imc_scanner; imc_scanner_given=true if test x$enableval = xyes; then - farp=true + imc_scanner=true else - farp=false + imc_scanner=false fi else - farp=false - farp_given=false + imc_scanner=false + imc_scanner_given=false fi + disabled_by_default=${disabled_by_default}" imc_scanner" -# Check whether --enable-dumm was given. -if test "${enable_dumm+set}" = set; then : - enableval=$enable_dumm; dumm_given=true +# Check whether --enable-imv-scanner was given. +if test "${enable_imv_scanner+set}" = set; then : + enableval=$enable_imv_scanner; imv_scanner_given=true if test x$enableval = xyes; then - dumm=true + imv_scanner=true else - dumm=false + imv_scanner=false fi else - dumm=false - dumm_given=false + imv_scanner=false + imv_scanner_given=false fi + disabled_by_default=${disabled_by_default}" imv_scanner" -# Check whether --enable-fast was given. -if test "${enable_fast+set}" = set; then : - enableval=$enable_fast; fast_given=true +# Check whether --enable-imc-os was given. +if test "${enable_imc_os+set}" = set; then : + enableval=$enable_imc_os; imc_os_given=true if test x$enableval = xyes; then - fast=true + imc_os=true else - fast=false + imc_os=false fi else - fast=false - fast_given=false + imc_os=false + imc_os_given=false fi + disabled_by_default=${disabled_by_default}" imc_os" -# Check whether --enable-manager was given. -if test "${enable_manager+set}" = set; then : - enableval=$enable_manager; manager_given=true +# Check whether --enable-imv-os was given. +if test "${enable_imv_os+set}" = set; then : + enableval=$enable_imv_os; imv_os_given=true if test x$enableval = xyes; then - manager=true + imv_os=true else - manager=false + imv_os=false fi else - manager=false - manager_given=false + imv_os=false + imv_os_given=false fi + disabled_by_default=${disabled_by_default}" imv_os" -# Check whether --enable-mediation was given. -if test "${enable_mediation+set}" = set; then : - enableval=$enable_mediation; mediation_given=true +# Check whether --enable-imc-attestation was given. +if test "${enable_imc_attestation+set}" = set; then : + enableval=$enable_imc_attestation; imc_attestation_given=true if test x$enableval = xyes; then - mediation=true + imc_attestation=true else - mediation=false + imc_attestation=false fi else - mediation=false - mediation_given=false + imc_attestation=false + imc_attestation_given=false fi + disabled_by_default=${disabled_by_default}" imc_attestation" -# Check whether --enable-integrity-test was given. -if test "${enable_integrity_test+set}" = set; then : - enableval=$enable_integrity_test; integrity_test_given=true +# Check whether --enable-imv-attestation was given. +if test "${enable_imv_attestation+set}" = set; then : + enableval=$enable_imv_attestation; imv_attestation_given=true if test x$enableval = xyes; then - integrity_test=true + imv_attestation=true else - integrity_test=false + imv_attestation=false fi else - integrity_test=false - integrity_test_given=false + imv_attestation=false + imv_attestation_given=false fi + disabled_by_default=${disabled_by_default}" imv_attestation" -# Check whether --enable-load-warning was given. -if test "${enable_load_warning+set}" = set; then : - enableval=$enable_load_warning; load_warning_given=true +# Check whether --enable-imc-swid was given. +if test "${enable_imc_swid+set}" = set; then : + enableval=$enable_imc_swid; imc_swid_given=true if test x$enableval = xyes; then - load_warning=true + imc_swid=true else - load_warning=false + imc_swid=false fi else - load_warning=true - load_warning_given=false + imc_swid=false + imc_swid_given=false fi - enabled_by_default=${enabled_by_default}" load_warning" + disabled_by_default=${disabled_by_default}" imc_swid" -# Check whether --enable-ikev1 was given. -if test "${enable_ikev1+set}" = set; then : - enableval=$enable_ikev1; ikev1_given=true +# Check whether --enable-imv-swid was given. +if test "${enable_imv_swid+set}" = set; then : + enableval=$enable_imv_swid; imv_swid_given=true if test x$enableval = xyes; then - ikev1=true + imv_swid=true else - ikev1=false + imv_swid=false fi else - ikev1=true - ikev1_given=false + imv_swid=false + imv_swid_given=false fi - enabled_by_default=${enabled_by_default}" ikev1" + disabled_by_default=${disabled_by_default}" imv_swid" -# Check whether --enable-ikev2 was given. -if test "${enable_ikev2+set}" = set; then : - enableval=$enable_ikev2; ikev2_given=true +# Check whether --enable-tnc-ifmap was given. +if test "${enable_tnc_ifmap+set}" = set; then : + enableval=$enable_tnc_ifmap; tnc_ifmap_given=true if test x$enableval = xyes; then - ikev2=true + tnc_ifmap=true else - ikev2=false + tnc_ifmap=false fi else - ikev2=true - ikev2_given=false + tnc_ifmap=false + tnc_ifmap_given=false fi - enabled_by_default=${enabled_by_default}" ikev2" + disabled_by_default=${disabled_by_default}" tnc_ifmap" -# Check whether --enable-charon was given. -if test "${enable_charon+set}" = set; then : - enableval=$enable_charon; charon_given=true +# Check whether --enable-tnc-imc was given. +if test "${enable_tnc_imc+set}" = set; then : + enableval=$enable_tnc_imc; tnc_imc_given=true if test x$enableval = xyes; then - charon=true + tnc_imc=true else - charon=false + tnc_imc=false fi else - charon=true - charon_given=false + tnc_imc=false + tnc_imc_given=false fi - enabled_by_default=${enabled_by_default}" charon" + disabled_by_default=${disabled_by_default}" tnc_imc" -# Check whether --enable-tools was given. -if test "${enable_tools+set}" = set; then : - enableval=$enable_tools; tools_given=true +# Check whether --enable-tnc-imv was given. +if test "${enable_tnc_imv+set}" = set; then : + enableval=$enable_tnc_imv; tnc_imv_given=true if test x$enableval = xyes; then - tools=true + tnc_imv=true else - tools=false + tnc_imv=false fi else - tools=true - tools_given=false + tnc_imv=false + tnc_imv_given=false fi - enabled_by_default=${enabled_by_default}" tools" + disabled_by_default=${disabled_by_default}" tnc_imv" -# Check whether --enable-scripts was given. -if test "${enable_scripts+set}" = set; then : - enableval=$enable_scripts; scripts_given=true +# Check whether --enable-tnc-pdp was given. +if test "${enable_tnc_pdp+set}" = set; then : + enableval=$enable_tnc_pdp; tnc_pdp_given=true if test x$enableval = xyes; then - scripts=true + tnc_pdp=true else - scripts=false + tnc_pdp=false fi else - scripts=true - scripts_given=false + tnc_pdp=false + tnc_pdp_given=false fi - enabled_by_default=${enabled_by_default}" scripts" + disabled_by_default=${disabled_by_default}" tnc_pdp" -# Check whether --enable-conftest was given. -if test "${enable_conftest+set}" = set; then : - enableval=$enable_conftest; conftest_given=true +# Check whether --enable-tnccs-11 was given. +if test "${enable_tnccs_11+set}" = set; then : + enableval=$enable_tnccs_11; tnccs_11_given=true if test x$enableval = xyes; then - conftest=true + tnccs_11=true else - conftest=false + tnccs_11=false fi else - conftest=false - conftest_given=false + tnccs_11=false + tnccs_11_given=false fi + disabled_by_default=${disabled_by_default}" tnccs_11" -# Check whether --enable-updown was given. -if test "${enable_updown+set}" = set; then : - enableval=$enable_updown; updown_given=true +# Check whether --enable-tnccs-20 was given. +if test "${enable_tnccs_20+set}" = set; then : + enableval=$enable_tnccs_20; tnccs_20_given=true if test x$enableval = xyes; then - updown=true + tnccs_20=true else - updown=false + tnccs_20=false fi else - updown=true - updown_given=false + tnccs_20=false + tnccs_20_given=false fi - enabled_by_default=${enabled_by_default}" updown" + disabled_by_default=${disabled_by_default}" tnccs_20" -# Check whether --enable-attr was given. -if test "${enable_attr+set}" = set; then : - enableval=$enable_attr; attr_given=true +# Check whether --enable-tnccs-dynamic was given. +if test "${enable_tnccs_dynamic+set}" = set; then : + enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true if test x$enableval = xyes; then - attr=true + tnccs_dynamic=true else - attr=false + tnccs_dynamic=false fi else - attr=true - attr_given=false + tnccs_dynamic=false + tnccs_dynamic_given=false fi - enabled_by_default=${enabled_by_default}" attr" + disabled_by_default=${disabled_by_default}" tnccs_dynamic" -# Check whether --enable-attr-sql was given. -if test "${enable_attr_sql+set}" = set; then : - enableval=$enable_attr_sql; attr_sql_given=true +# misc plugins +# Check whether --enable-android-log was given. +if test "${enable_android_log+set}" = set; then : + enableval=$enable_android_log; android_log_given=true if test x$enableval = xyes; then - attr_sql=true + android_log=true else - attr_sql=false + android_log=false fi else - attr_sql=false - attr_sql_given=false + android_log=false + android_log_given=false fi + disabled_by_default=${disabled_by_default}" android_log" -# Check whether --enable-dhcp was given. -if test "${enable_dhcp+set}" = set; then : - enableval=$enable_dhcp; dhcp_given=true +# Check whether --enable-certexpire was given. +if test "${enable_certexpire+set}" = set; then : + enableval=$enable_certexpire; certexpire_given=true if test x$enableval = xyes; then - dhcp=true + certexpire=true else - dhcp=false + certexpire=false fi else - dhcp=false - dhcp_given=false + certexpire=false + certexpire_given=false fi + disabled_by_default=${disabled_by_default}" certexpire" -# Check whether --enable-resolve was given. -if test "${enable_resolve+set}" = set; then : - enableval=$enable_resolve; resolve_given=true +# Check whether --enable-duplicheck was given. +if test "${enable_duplicheck+set}" = set; then : + enableval=$enable_duplicheck; duplicheck_given=true if test x$enableval = xyes; then - resolve=true + duplicheck=true else - resolve=false + duplicheck=false fi else - resolve=true - resolve_given=false + duplicheck=false + duplicheck_given=false fi - enabled_by_default=${enabled_by_default}" resolve" + disabled_by_default=${disabled_by_default}" duplicheck" -# Check whether --enable-padlock was given. -if test "${enable_padlock+set}" = set; then : - enableval=$enable_padlock; padlock_given=true +# Check whether --enable-error-notify was given. +if test "${enable_error_notify+set}" = set; then : + enableval=$enable_error_notify; error_notify_given=true if test x$enableval = xyes; then - padlock=true + error_notify=true else - padlock=false + error_notify=false fi else - padlock=false - padlock_given=false + error_notify=false + error_notify_given=false fi + disabled_by_default=${disabled_by_default}" error_notify" -# Check whether --enable-openssl was given. -if test "${enable_openssl+set}" = set; then : - enableval=$enable_openssl; openssl_given=true +# Check whether --enable-farp was given. +if test "${enable_farp+set}" = set; then : + enableval=$enable_farp; farp_given=true if test x$enableval = xyes; then - openssl=true + farp=true else - openssl=false + farp=false fi else - openssl=false - openssl_given=false + farp=false + farp_given=false fi + disabled_by_default=${disabled_by_default}" farp" -# Check whether --enable-gcrypt was given. -if test "${enable_gcrypt+set}" = set; then : - enableval=$enable_gcrypt; gcrypt_given=true +# Check whether --enable-ha was given. +if test "${enable_ha+set}" = set; then : + enableval=$enable_ha; ha_given=true if test x$enableval = xyes; then - gcrypt=true + ha=true else - gcrypt=false + ha=false fi else - gcrypt=false - gcrypt_given=false + ha=false + ha_given=false fi + disabled_by_default=${disabled_by_default}" ha" -# Check whether --enable-agent was given. -if test "${enable_agent+set}" = set; then : - enableval=$enable_agent; agent_given=true +# Check whether --enable-led was given. +if test "${enable_led+set}" = set; then : + enableval=$enable_led; led_given=true if test x$enableval = xyes; then - agent=true + led=true else - agent=false + led=false fi else - agent=false - agent_given=false + led=false + led_given=false fi + disabled_by_default=${disabled_by_default}" led" -# Check whether --enable-keychain was given. -if test "${enable_keychain+set}" = set; then : - enableval=$enable_keychain; keychain_given=true +# Check whether --enable-load-tester was given. +if test "${enable_load_tester+set}" = set; then : + enableval=$enable_load_tester; load_tester_given=true if test x$enableval = xyes; then - keychain=true + load_tester=true else - keychain=false + load_tester=false fi else - keychain=false - keychain_given=false + load_tester=false + load_tester_given=false fi + disabled_by_default=${disabled_by_default}" load_tester" -# Check whether --enable-pkcs11 was given. -if test "${enable_pkcs11+set}" = set; then : - enableval=$enable_pkcs11; pkcs11_given=true +# Check whether --enable-lookip was given. +if test "${enable_lookip+set}" = set; then : + enableval=$enable_lookip; lookip_given=true if test x$enableval = xyes; then - pkcs11=true + lookip=true else - pkcs11=false + lookip=false fi else - pkcs11=false - pkcs11_given=false + lookip=false + lookip_given=false fi + disabled_by_default=${disabled_by_default}" lookip" -# Check whether --enable-ctr was given. -if test "${enable_ctr+set}" = set; then : - enableval=$enable_ctr; ctr_given=true +# Check whether --enable-maemo was given. +if test "${enable_maemo+set}" = set; then : + enableval=$enable_maemo; maemo_given=true if test x$enableval = xyes; then - ctr=true + maemo=true else - ctr=false + maemo=false fi else - ctr=false - ctr_given=false + maemo=false + maemo_given=false fi + disabled_by_default=${disabled_by_default}" maemo" -# Check whether --enable-ccm was given. -if test "${enable_ccm+set}" = set; then : - enableval=$enable_ccm; ccm_given=true +# Check whether --enable-radattr was given. +if test "${enable_radattr+set}" = set; then : + enableval=$enable_radattr; radattr_given=true if test x$enableval = xyes; then - ccm=true + radattr=true else - ccm=false + radattr=false fi else - ccm=false - ccm_given=false + radattr=false + radattr_given=false fi + disabled_by_default=${disabled_by_default}" radattr" -# Check whether --enable-gcm was given. -if test "${enable_gcm+set}" = set; then : - enableval=$enable_gcm; gcm_given=true +# Check whether --enable-systime-fix was given. +if test "${enable_systime_fix+set}" = set; then : + enableval=$enable_systime_fix; systime_fix_given=true if test x$enableval = xyes; then - gcm=true + systime_fix=true else - gcm=false + systime_fix=false fi else - gcm=false - gcm_given=false + systime_fix=false + systime_fix_given=false fi + disabled_by_default=${disabled_by_default}" systime_fix" -# Check whether --enable-ntru was given. -if test "${enable_ntru+set}" = set; then : - enableval=$enable_ntru; ntru_given=true +# Check whether --enable-test-vectors was given. +if test "${enable_test_vectors+set}" = set; then : + enableval=$enable_test_vectors; test_vectors_given=true if test x$enableval = xyes; then - ntru=true + test_vectors=true else - ntru=false + test_vectors=false fi else - ntru=false - ntru_given=false + test_vectors=false + test_vectors_given=false fi + disabled_by_default=${disabled_by_default}" test_vectors" -# Check whether --enable-addrblock was given. -if test "${enable_addrblock+set}" = set; then : - enableval=$enable_addrblock; addrblock_given=true +# Check whether --enable-unit-tester was given. +if test "${enable_unit_tester+set}" = set; then : + enableval=$enable_unit_tester; unit_tester_given=true if test x$enableval = xyes; then - addrblock=true + unit_tester=true else - addrblock=false + unit_tester=false fi else - addrblock=false - addrblock_given=false + unit_tester=false + unit_tester_given=false fi + disabled_by_default=${disabled_by_default}" unit_tester" -# Check whether --enable-unity was given. -if test "${enable_unity+set}" = set; then : - enableval=$enable_unity; unity_given=true +# Check whether --enable-updown was given. +if test "${enable_updown+set}" = set; then : + enableval=$enable_updown; updown_given=true if test x$enableval = xyes; then - unity=true + updown=true else - unity=false + updown=false fi else - unity=false - unity_given=false + updown=true + updown_given=false fi + enabled_by_default=${enabled_by_default}" updown" -# Check whether --enable-uci was given. -if test "${enable_uci+set}" = set; then : - enableval=$enable_uci; uci_given=true +# programs/components +# Check whether --enable-charon was given. +if test "${enable_charon+set}" = set; then : + enableval=$enable_charon; charon_given=true if test x$enableval = xyes; then - uci=true + charon=true else - uci=false + charon=false fi else - uci=false - uci_given=false + charon=true + charon_given=false fi + enabled_by_default=${enabled_by_default}" charon" -# Check whether --enable-osx-attr was given. -if test "${enable_osx_attr+set}" = set; then : - enableval=$enable_osx_attr; osx_attr_given=true +# Check whether --enable-cmd was given. +if test "${enable_cmd+set}" = set; then : + enableval=$enable_cmd; cmd_given=true if test x$enableval = xyes; then - osx_attr=true + cmd=true else - osx_attr=false + cmd=false fi else - osx_attr=false - osx_attr_given=false + cmd=false + cmd_given=false fi + disabled_by_default=${disabled_by_default}" cmd" -# Check whether --enable-android-dns was given. -if test "${enable_android_dns+set}" = set; then : - enableval=$enable_android_dns; android_dns_given=true +# Check whether --enable-conftest was given. +if test "${enable_conftest+set}" = set; then : + enableval=$enable_conftest; conftest_given=true if test x$enableval = xyes; then - android_dns=true + conftest=true else - android_dns=false + conftest=false fi else - android_dns=false - android_dns_given=false + conftest=false + conftest_given=false fi + disabled_by_default=${disabled_by_default}" conftest" -# Check whether --enable-android-log was given. -if test "${enable_android_log+set}" = set; then : - enableval=$enable_android_log; android_log_given=true +# Check whether --enable-dumm was given. +if test "${enable_dumm+set}" = set; then : + enableval=$enable_dumm; dumm_given=true if test x$enableval = xyes; then - android_log=true + dumm=true else - android_log=false + dumm=false fi else - android_log=false - android_log_given=false + dumm=false + dumm_given=false fi + disabled_by_default=${disabled_by_default}" dumm" -# Check whether --enable-maemo was given. -if test "${enable_maemo+set}" = set; then : - enableval=$enable_maemo; maemo_given=true +# Check whether --enable-fast was given. +if test "${enable_fast+set}" = set; then : + enableval=$enable_fast; fast_given=true if test x$enableval = xyes; then - maemo=true + fast=true else - maemo=false + fast=false fi else - maemo=false - maemo_given=false + fast=false + fast_given=false fi + disabled_by_default=${disabled_by_default}" fast" -# Check whether --enable-nm was given. -if test "${enable_nm+set}" = set; then : - enableval=$enable_nm; nm_given=true +# Check whether --enable-libipsec was given. +if test "${enable_libipsec+set}" = set; then : + enableval=$enable_libipsec; libipsec_given=true if test x$enableval = xyes; then - nm=true + libipsec=true else - nm=false + libipsec=false fi else - nm=false - nm_given=false + libipsec=false + libipsec_given=false fi + disabled_by_default=${disabled_by_default}" libipsec" -# Check whether --enable-ha was given. -if test "${enable_ha+set}" = set; then : - enableval=$enable_ha; ha_given=true +# Check whether --enable-manager was given. +if test "${enable_manager+set}" = set; then : + enableval=$enable_manager; manager_given=true if test x$enableval = xyes; then - ha=true + manager=true else - ha=false + manager=false fi else - ha=false - ha_given=false + manager=false + manager_given=false fi + disabled_by_default=${disabled_by_default}" manager" -# Check whether --enable-whitelist was given. -if test "${enable_whitelist+set}" = set; then : - enableval=$enable_whitelist; whitelist_given=true +# Check whether --enable-medcli was given. +if test "${enable_medcli+set}" = set; then : + enableval=$enable_medcli; medcli_given=true if test x$enableval = xyes; then - whitelist=true + medcli=true else - whitelist=false + medcli=false fi else - whitelist=false - whitelist_given=false + medcli=false + medcli_given=false fi + disabled_by_default=${disabled_by_default}" medcli" -# Check whether --enable-lookip was given. -if test "${enable_lookip+set}" = set; then : - enableval=$enable_lookip; lookip_given=true +# Check whether --enable-medsrv was given. +if test "${enable_medsrv+set}" = set; then : + enableval=$enable_medsrv; medsrv_given=true if test x$enableval = xyes; then - lookip=true + medsrv=true else - lookip=false + medsrv=false fi else - lookip=false - lookip_given=false + medsrv=false + medsrv_given=false fi + disabled_by_default=${disabled_by_default}" medsrv" -# Check whether --enable-error-notify was given. -if test "${enable_error_notify+set}" = set; then : - enableval=$enable_error_notify; error_notify_given=true +# Check whether --enable-nm was given. +if test "${enable_nm+set}" = set; then : + enableval=$enable_nm; nm_given=true if test x$enableval = xyes; then - error_notify=true + nm=true else - error_notify=false + nm=false fi else - error_notify=false - error_notify_given=false + nm=false + nm_given=false fi + disabled_by_default=${disabled_by_default}" nm" -# Check whether --enable-certexpire was given. -if test "${enable_certexpire+set}" = set; then : - enableval=$enable_certexpire; certexpire_given=true +# Check whether --enable-scripts was given. +if test "${enable_scripts+set}" = set; then : + enableval=$enable_scripts; scripts_given=true if test x$enableval = xyes; then - certexpire=true + scripts=true else - certexpire=false + scripts=false fi else - certexpire=false - certexpire_given=false + scripts=true + scripts_given=false fi + enabled_by_default=${enabled_by_default}" scripts" -# Check whether --enable-systime-fix was given. -if test "${enable_systime_fix+set}" = set; then : - enableval=$enable_systime_fix; systime_fix_given=true +# Check whether --enable-tkm was given. +if test "${enable_tkm+set}" = set; then : + enableval=$enable_tkm; tkm_given=true if test x$enableval = xyes; then - systime_fix=true + tkm=true else - systime_fix=false + tkm=false fi else - systime_fix=false - systime_fix_given=false + tkm=false + tkm_given=false fi + disabled_by_default=${disabled_by_default}" tkm" -# Check whether --enable-led was given. -if test "${enable_led+set}" = set; then : - enableval=$enable_led; led_given=true +# Check whether --enable-tools was given. +if test "${enable_tools+set}" = set; then : + enableval=$enable_tools; tools_given=true if test x$enableval = xyes; then - led=true + tools=true else - led=false + tools=false fi else - led=false - led_given=false + tools=true + tools_given=false fi + enabled_by_default=${enabled_by_default}" tools" -# Check whether --enable-duplicheck was given. -if test "${enable_duplicheck+set}" = set; then : - enableval=$enable_duplicheck; duplicheck_given=true +# optional features +# Check whether --enable-bfd-backtraces was given. +if test "${enable_bfd_backtraces+set}" = set; then : + enableval=$enable_bfd_backtraces; bfd_backtraces_given=true if test x$enableval = xyes; then - duplicheck=true + bfd_backtraces=true else - duplicheck=false + bfd_backtraces=false fi else - duplicheck=false - duplicheck_given=false + bfd_backtraces=false + bfd_backtraces_given=false fi + disabled_by_default=${disabled_by_default}" bfd_backtraces" -# Check whether --enable-coupling was given. -if test "${enable_coupling+set}" = set; then : - enableval=$enable_coupling; coupling_given=true +# Check whether --enable-ikev1 was given. +if test "${enable_ikev1+set}" = set; then : + enableval=$enable_ikev1; ikev1_given=true if test x$enableval = xyes; then - coupling=true + ikev1=true else - coupling=false + ikev1=false fi else - coupling=false - coupling_given=false + ikev1=true + ikev1_given=false fi + enabled_by_default=${enabled_by_default}" ikev1" -# Check whether --enable-radattr was given. -if test "${enable_radattr+set}" = set; then : - enableval=$enable_radattr; radattr_given=true +# Check whether --enable-ikev2 was given. +if test "${enable_ikev2+set}" = set; then : + enableval=$enable_ikev2; ikev2_given=true if test x$enableval = xyes; then - radattr=true + ikev2=true else - radattr=false + ikev2=false fi else - radattr=false - radattr_given=false + ikev2=true + ikev2_given=false fi + enabled_by_default=${enabled_by_default}" ikev2" -# Check whether --enable-vstr was given. -if test "${enable_vstr+set}" = set; then : - enableval=$enable_vstr; vstr_given=true +# Check whether --enable-integrity-test was given. +if test "${enable_integrity_test+set}" = set; then : + enableval=$enable_integrity_test; integrity_test_given=true if test x$enableval = xyes; then - vstr=true + integrity_test=true else - vstr=false + integrity_test=false fi else - vstr=false - vstr_given=false + integrity_test=false + integrity_test_given=false fi + disabled_by_default=${disabled_by_default}" integrity_test" -# Check whether --enable-monolithic was given. -if test "${enable_monolithic+set}" = set; then : - enableval=$enable_monolithic; monolithic_given=true +# Check whether --enable-load-warning was given. +if test "${enable_load_warning+set}" = set; then : + enableval=$enable_load_warning; load_warning_given=true if test x$enableval = xyes; then - monolithic=true + load_warning=true else - monolithic=false + load_warning=false fi else - monolithic=false - monolithic_given=false + load_warning=true + load_warning_given=false fi + enabled_by_default=${enabled_by_default}" load_warning" -# Check whether --enable-bfd-backtraces was given. -if test "${enable_bfd_backtraces+set}" = set; then : - enableval=$enable_bfd_backtraces; bfd_backtraces_given=true +# Check whether --enable-mediation was given. +if test "${enable_mediation+set}" = set; then : + enableval=$enable_mediation; mediation_given=true if test x$enableval = xyes; then - bfd_backtraces=true + mediation=true else - bfd_backtraces=false + mediation=false fi else - bfd_backtraces=false - bfd_backtraces_given=false + mediation=false + mediation_given=false fi + disabled_by_default=${disabled_by_default}" mediation" # Check whether --enable-unwind-backtraces was given. if test "${enable_unwind_backtraces+set}" = set; then : @@ -6740,7 +6859,9 @@ else fi + disabled_by_default=${disabled_by_default}" unwind_backtraces" +# compile options # Check whether --enable-coverage was given. if test "${enable_coverage+set}" = set; then : enableval=$enable_coverage; coverage_given=true @@ -6755,36 +6876,55 @@ else fi + disabled_by_default=${disabled_by_default}" coverage" -# Check whether --enable-tkm was given. -if test "${enable_tkm+set}" = set; then : - enableval=$enable_tkm; tkm_given=true +# Check whether --enable-leak-detective was given. +if test "${enable_leak_detective+set}" = set; then : + enableval=$enable_leak_detective; leak_detective_given=true if test x$enableval = xyes; then - tkm=true + leak_detective=true else - tkm=false + leak_detective=false fi else - tkm=false - tkm_given=false + leak_detective=false + leak_detective_given=false fi + disabled_by_default=${disabled_by_default}" leak_detective" -# Check whether --enable-cmd was given. -if test "${enable_cmd+set}" = set; then : - enableval=$enable_cmd; cmd_given=true +# Check whether --enable-lock-profiler was given. +if test "${enable_lock_profiler+set}" = set; then : + enableval=$enable_lock_profiler; lock_profiler_given=true if test x$enableval = xyes; then - cmd=true + lock_profiler=true else - cmd=false + lock_profiler=false fi else - cmd=false - cmd_given=false + lock_profiler=false + lock_profiler_given=false fi + disabled_by_default=${disabled_by_default}" lock_profiler" + +# Check whether --enable-monolithic was given. +if test "${enable_monolithic+set}" = set; then : + enableval=$enable_monolithic; monolithic_given=true + if test x$enableval = xyes; then + monolithic=true + else + monolithic=false + fi +else + monolithic=false + monolithic_given=false + +fi + + disabled_by_default=${disabled_by_default}" monolithic" # =================================== @@ -6811,7 +6951,35 @@ fi if test x$defaults = xfalse; then for option in $enabled_by_default; do eval test x\${${option}_given} = xtrue && continue - let $option=false + eval $option=false + done +fi + +# ============================== +# option to enable all options +# ============================== + +# Check whether --enable-all was given. +if test "${enable_all+set}" = set; then : + enableval=$enable_all; all_given=true + if test x$enableval = xyes; then + all=true + else + all=false + fi +else + all=false + all_given=false + +fi + + disabled_by_default=${disabled_by_default}" all" + + +if test x$all_given = xtrue; then + for option in $disabled_by_default; do + eval test x\${${option}_given} = xtrue && continue + eval $option=true done fi @@ -17646,6 +17814,7 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS="$save_CFLAGS" + fi @@ -17948,9 +18117,20 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ fi -# check for the new register_printf_specifier function with len argument, -# or the deprecated register_printf_function without -ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier" +case "$printf_hooks" in +auto|builtin|glibc|vstr) + ;; +*) + { $as_echo "$as_me:${as_lineno-$LINENO}: invalid printf hook implementation, defaulting to 'auto'" >&5 +$as_echo "$as_me: invalid printf hook implementation, defaulting to 'auto'" >&6;} + printf_hooks=auto + ;; +esac + +if test x$printf_hooks = xauto -o x$printf_hooks = xglibc; then + # check for the new register_printf_specifier function with len argument, + # or the deprecated register_printf_function without + ac_fn_c_check_func "$LINENO" "register_printf_specifier" "ac_cv_func_register_printf_specifier" if test "x$ac_cv_func_register_printf_specifier" = xyes; then : $as_echo "#define HAVE_PRINTF_SPECIFIER /**/" >>confdefs.h @@ -17963,9 +18143,14 @@ $as_echo "#define HAVE_PRINTF_FUNCTION /**/" >>confdefs.h else - { $as_echo "$as_me:${as_lineno-$LINENO}: printf does not support custom format specifiers!" >&5 -$as_echo "$as_me: printf does not support custom format specifiers!" >&6;} - builtin_printf=true + { $as_echo "$as_me:${as_lineno-$LINENO}: printf(3) does not support custom format specifiers!" >&5 +$as_echo "$as_me: printf(3) does not support custom format specifiers!" >&6;} + if test x$printf_hooks = xglibc; then + as_fn_error $? "please select a different printf hook implementation" "$LINENO" 5 + else + # fallback to builtin printf hook implementation + printf_hooks=builtin + fi fi @@ -17973,8 +18158,9 @@ fi fi +fi -if test x$vstr = xtrue; then +if test x$printf_hooks = xvstr; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5 $as_echo_n "checking for main in -lvstr... " >&6; } if ${ac_cv_lib_vstr_main+:} false; then : @@ -18014,10 +18200,9 @@ fi $as_echo "#define USE_VSTR /**/" >>confdefs.h - builtin_printf=false fi -if test x$builtin_printf = xtrue; then +if test x$printf_hooks = xbuiltin; then $as_echo "#define USE_BUILTIN_PRINTF /**/" >>confdefs.h @@ -20162,7 +20347,6 @@ charon_plugins= starter_plugins= pool_plugins= attest_plugins= -openac_plugins= scepclient_plugins= pki_plugins= scripts_plugins= @@ -20181,7 +20365,6 @@ t_plugins= if test x$test_vectors = xtrue; then s_plugins=${s_plugins}" test-vectors" charon_plugins=${charon_plugins}" test-vectors" - openac_plugins=${openac_plugins}" test-vectors" scepclient_plugins=${scepclient_plugins}" test-vectors" pki_plugins=${pki_plugins}" test-vectors" @@ -20255,7 +20438,6 @@ if test x$pkcs11 = xtrue; then if test x$aes = xtrue; then s_plugins=${s_plugins}" aes" charon_plugins=${charon_plugins}" aes" - openac_plugins=${openac_plugins}" aes" scepclient_plugins=${scepclient_plugins}" aes" pki_plugins=${pki_plugins}" aes" scripts_plugins=${scripts_plugins}" aes" @@ -20267,7 +20449,6 @@ if test x$aes = xtrue; then if test x$des = xtrue; then s_plugins=${s_plugins}" des" charon_plugins=${charon_plugins}" des" - openac_plugins=${openac_plugins}" des" scepclient_plugins=${scepclient_plugins}" des" pki_plugins=${pki_plugins}" des" scripts_plugins=${scripts_plugins}" des" @@ -20279,7 +20460,6 @@ if test x$des = xtrue; then if test x$blowfish = xtrue; then s_plugins=${s_plugins}" blowfish" charon_plugins=${charon_plugins}" blowfish" - openac_plugins=${openac_plugins}" blowfish" scepclient_plugins=${scepclient_plugins}" blowfish" pki_plugins=${pki_plugins}" blowfish" scripts_plugins=${scripts_plugins}" blowfish" @@ -20291,7 +20471,6 @@ if test x$blowfish = xtrue; then if test x$rc2 = xtrue; then s_plugins=${s_plugins}" rc2" charon_plugins=${charon_plugins}" rc2" - openac_plugins=${openac_plugins}" rc2" scepclient_plugins=${scepclient_plugins}" rc2" pki_plugins=${pki_plugins}" rc2" scripts_plugins=${scripts_plugins}" rc2" @@ -20303,7 +20482,6 @@ if test x$rc2 = xtrue; then if test x$sha1 = xtrue; then s_plugins=${s_plugins}" sha1" charon_plugins=${charon_plugins}" sha1" - openac_plugins=${openac_plugins}" sha1" scepclient_plugins=${scepclient_plugins}" sha1" pki_plugins=${pki_plugins}" sha1" scripts_plugins=${scripts_plugins}" sha1" @@ -20317,7 +20495,6 @@ if test x$sha1 = xtrue; then if test x$sha2 = xtrue; then s_plugins=${s_plugins}" sha2" charon_plugins=${charon_plugins}" sha2" - openac_plugins=${openac_plugins}" sha2" scepclient_plugins=${scepclient_plugins}" sha2" pki_plugins=${pki_plugins}" sha2" scripts_plugins=${scripts_plugins}" sha2" @@ -20331,7 +20508,6 @@ if test x$sha2 = xtrue; then if test x$md4 = xtrue; then s_plugins=${s_plugins}" md4" charon_plugins=${charon_plugins}" md4" - openac_plugins=${openac_plugins}" md4" manager_plugins=${manager_plugins}" md4" scepclient_plugins=${scepclient_plugins}" md4" pki_plugins=${pki_plugins}" md4" @@ -20343,7 +20519,6 @@ if test x$md4 = xtrue; then if test x$md5 = xtrue; then s_plugins=${s_plugins}" md5" charon_plugins=${charon_plugins}" md5" - openac_plugins=${openac_plugins}" md5" scepclient_plugins=${scepclient_plugins}" md5" pki_plugins=${pki_plugins}" md5" scripts_plugins=${scripts_plugins}" md5" @@ -20356,7 +20531,6 @@ if test x$md5 = xtrue; then if test x$rdrand = xtrue; then s_plugins=${s_plugins}" rdrand" charon_plugins=${charon_plugins}" rdrand" - openac_plugins=${openac_plugins}" rdrand" scepclient_plugins=${scepclient_plugins}" rdrand" pki_plugins=${pki_plugins}" rdrand" scripts_plugins=${scripts_plugins}" rdrand" @@ -20370,7 +20544,6 @@ if test x$rdrand = xtrue; then if test x$random = xtrue; then s_plugins=${s_plugins}" random" charon_plugins=${charon_plugins}" random" - openac_plugins=${openac_plugins}" random" scepclient_plugins=${scepclient_plugins}" random" pki_plugins=${pki_plugins}" random" scripts_plugins=${scripts_plugins}" random" @@ -20392,7 +20565,6 @@ if test x$nonce = xtrue; then if test x$x509 = xtrue; then s_plugins=${s_plugins}" x509" charon_plugins=${charon_plugins}" x509" - openac_plugins=${openac_plugins}" x509" scepclient_plugins=${scepclient_plugins}" x509" pki_plugins=${pki_plugins}" x509" scripts_plugins=${scripts_plugins}" x509" @@ -20418,6 +20590,12 @@ if test x$constraints = xtrue; then fi +if test x$acert = xtrue; then + s_plugins=${s_plugins}" acert" + charon_plugins=${charon_plugins}" acert" + + fi + if test x$pubkey = xtrue; then s_plugins=${s_plugins}" pubkey" charon_plugins=${charon_plugins}" pubkey" @@ -20428,7 +20606,6 @@ if test x$pubkey = xtrue; then if test x$pkcs1 = xtrue; then s_plugins=${s_plugins}" pkcs1" charon_plugins=${charon_plugins}" pkcs1" - openac_plugins=${openac_plugins}" pkcs1" scepclient_plugins=${scepclient_plugins}" pkcs1" pki_plugins=${pki_plugins}" pkcs1" scripts_plugins=${scripts_plugins}" pkcs1" @@ -20454,7 +20631,6 @@ if test x$pkcs7 = xtrue; then if test x$pkcs8 = xtrue; then s_plugins=${s_plugins}" pkcs8" charon_plugins=${charon_plugins}" pkcs8" - openac_plugins=${openac_plugins}" pkcs8" scepclient_plugins=${scepclient_plugins}" pkcs8" pki_plugins=${pki_plugins}" pkcs8" scripts_plugins=${scripts_plugins}" pkcs8" @@ -20513,7 +20689,6 @@ if test x$ipseckey = xtrue; then if test x$pem = xtrue; then s_plugins=${s_plugins}" pem" charon_plugins=${charon_plugins}" pem" - openac_plugins=${openac_plugins}" pem" scepclient_plugins=${scepclient_plugins}" pem" pki_plugins=${pki_plugins}" pem" scripts_plugins=${scripts_plugins}" pem" @@ -20534,7 +20709,6 @@ if test x$padlock = xtrue; then if test x$openssl = xtrue; then s_plugins=${s_plugins}" openssl" charon_plugins=${charon_plugins}" openssl" - openac_plugins=${openac_plugins}" openssl" scepclient_plugins=${scepclient_plugins}" openssl" pki_plugins=${pki_plugins}" openssl" scripts_plugins=${scripts_plugins}" openssl" @@ -20549,7 +20723,6 @@ if test x$openssl = xtrue; then if test x$gcrypt = xtrue; then s_plugins=${s_plugins}" gcrypt" charon_plugins=${charon_plugins}" gcrypt" - openac_plugins=${openac_plugins}" gcrypt" scepclient_plugins=${scepclient_plugins}" gcrypt" pki_plugins=${pki_plugins}" gcrypt" scripts_plugins=${scripts_plugins}" gcrypt" @@ -20564,7 +20737,6 @@ if test x$gcrypt = xtrue; then if test x$af_alg = xtrue; then s_plugins=${s_plugins}" af-alg" charon_plugins=${charon_plugins}" af-alg" - openac_plugins=${openac_plugins}" af-alg" scepclient_plugins=${scepclient_plugins}" af-alg" pki_plugins=${pki_plugins}" af-alg" scripts_plugins=${scripts_plugins}" af-alg" @@ -20586,7 +20758,6 @@ if test x$fips_prf = xtrue; then if test x$gmp = xtrue; then s_plugins=${s_plugins}" gmp" charon_plugins=${charon_plugins}" gmp" - openac_plugins=${openac_plugins}" gmp" scepclient_plugins=${scepclient_plugins}" gmp" pki_plugins=${pki_plugins}" gmp" scripts_plugins=${scripts_plugins}" gmp" @@ -21125,7 +21296,6 @@ if test x$unit_tester = xtrue; then - # ====================== # set Makefile.am vars # ====================== @@ -21300,6 +21470,14 @@ else USE_CONSTRAINTS_FALSE= fi + if test x$acert = xtrue; then + USE_ACERT_TRUE= + USE_ACERT_FALSE='#' +else + USE_ACERT_TRUE='#' + USE_ACERT_FALSE= +fi + if test x$pubkey = xtrue; then USE_PUBKEY_TRUE= USE_PUBKEY_FALSE='#' @@ -22357,7 +22535,7 @@ else USE_LIBCAP_FALSE= fi - if test x$vstr = xtrue; then + if test x$printf_hooks = xvstr; then USE_VSTR_TRUE= USE_VSTR_FALSE='#' else @@ -22365,7 +22543,7 @@ else USE_VSTR_FALSE= fi - if test x$builtin_printf = xtrue; then + if test x$printf_hooks = xbuiltin; then USE_BUILTIN_PRINTF_TRUE= USE_BUILTIN_PRINTF_FALSE='#' else @@ -22535,14 +22713,14 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libpts/Makefile src/libpts/plugins/imc_attestation/Makefile src/libpts/plugins/imv_attestation/Makefile src/libpts/plugins/imc_swid/Makefile src/libpts/plugins/imv_swid/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile scripts/Makefile testing/Makefile" # ================= # build man pages # ================= -ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---verify.1" +ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1" cat >confcache <<\_ACEOF @@ -22771,6 +22949,10 @@ if test -z "${USE_CONSTRAINTS_TRUE}" && test -z "${USE_CONSTRAINTS_FALSE}"; then as_fn_error $? "conditional \"USE_CONSTRAINTS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_ACERT_TRUE}" && test -z "${USE_ACERT_FALSE}"; then + as_fn_error $? "conditional \"USE_ACERT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then as_fn_error $? "conditional \"USE_PUBKEY\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -23744,7 +23926,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.1.2, which was +This file was extended by strongSwan $as_me 5.1.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23810,7 +23992,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.1.2 +strongSwan config.status 5.1.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -24246,6 +24428,7 @@ do "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;; "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;; "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;; + "src/libstrongswan/plugins/acert/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/acert/Makefile" ;; "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;; "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;; "src/libstrongswan/plugins/pkcs7/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs7/Makefile" ;; @@ -24285,6 +24468,7 @@ do "src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;; "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;; "src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;; + "src/libtls/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/tests/Makefile" ;; "src/libradius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libradius/Makefile" ;; "src/libtncif/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtncif/Makefile" ;; "src/libtnccs/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtnccs/Makefile" ;; @@ -24374,7 +24558,6 @@ do "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;; "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;; "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;; - "src/openac/Makefile") CONFIG_FILES="$CONFIG_FILES src/openac/Makefile" ;; "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;; "src/pki/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/Makefile" ;; "src/pki/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/man/Makefile" ;; @@ -24404,6 +24587,7 @@ do "src/pki/man/pki---req.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---req.1" ;; "src/pki/man/pki---self.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---self.1" ;; "src/pki/man/pki---signcrl.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---signcrl.1" ;; + "src/pki/man/pki---acert.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---acert.1" ;; "src/pki/man/pki---verify.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---verify.1" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; diff --git a/configure.ac b/configure.ac index 8a925c29a..2ad372b18 100644 --- a/configure.ac +++ b/configure.ac @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.1.2]) +AC_INIT([strongSwan],[5.1.3]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -66,6 +66,7 @@ ARG_WITH_SET([tss], [no], [set implementation of the Trusted Co ARG_WITH_SET([capabilities], [no], [set capability dropping library. Currently supported values are "libcap" and "native"]) ARG_WITH_SET([mpz_powm_sec], [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available]) ARG_WITH_SET([dev-headers], [no], [install strongSwan development headers to directory.]) +ARG_WITH_SET([printf-hooks], [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).]) if test -n "$PKG_CONFIG"; then systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) @@ -118,53 +119,57 @@ AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`]) m4_include(m4/macros/enable-disable.m4) -ARG_ENABL_SET([curl], [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.]) -ARG_ENABL_SET([unbound], [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.]) -ARG_ENABL_SET([soup], [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.]) -ARG_ENABL_SET([ldap], [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.]) +# crypto plugins ARG_DISBL_SET([aes], [disable AES software implementation plugin.]) -ARG_DISBL_SET([des], [disable DES/3DES software implementation plugin.]) +ARG_ENABL_SET([af-alg], [enable AF_ALG crypto interface to Linux Crypto API.]) ARG_ENABL_SET([blowfish], [enable Blowfish software implementation plugin.]) -ARG_DISBL_SET([rc2], [disable RC2 software implementation plugin.]) +ARG_ENABL_SET([ccm], [enables the CCM AEAD wrapper crypto plugin.]) +ARG_DISBL_SET([cmac], [disable CMAC crypto implementation plugin.]) +ARG_ENABL_SET([ctr], [enables the Counter Mode wrapper crypto plugin.]) +ARG_DISBL_SET([des], [disable DES/3DES software implementation plugin.]) +ARG_DISBL_SET([fips-prf], [disable FIPS PRF software implementation plugin.]) +ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.]) +ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.]) +ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.]) +ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.]) ARG_DISBL_SET([md5], [disable MD5 software implementation plugin.]) +ARG_DISBL_SET([nonce], [disable nonce generation plugin.]) +ARG_ENABL_SET([ntru], [enables the NTRU crypto plugin.]) +ARG_ENABL_SET([openssl], [enables the OpenSSL crypto plugin.]) +ARG_ENABL_SET([padlock], [enables VIA Padlock crypto plugin.]) +ARG_DISBL_SET([random], [disable RNG implementation on top of /dev/(u)random.]) +ARG_DISBL_SET([rc2], [disable RC2 software implementation plugin.]) +ARG_ENABL_SET([rdrand], [enable Intel RDRAND random generator plugin.]) ARG_DISBL_SET([sha1], [disable SHA1 software implementation plugin.]) ARG_DISBL_SET([sha2], [disable SHA256/SHA384/SHA512 software implementation plugin.]) -ARG_DISBL_SET([fips-prf], [disable FIPS PRF software implementation plugin.]) -ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.]) -ARG_ENABL_SET([rdrand], [enable Intel RDRAND random generator plugin.]) -ARG_DISBL_SET([random], [disable RNG implementation on top of /dev/(u)random.]) -ARG_DISBL_SET([nonce], [disable nonce generation plugin.]) -ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.]) -ARG_DISBL_SET([revocation], [disable X509 CRL/OCSP revocation check plugin.]) -ARG_DISBL_SET([constraints], [disable advanced X509 constraint checking plugin.]) -ARG_DISBL_SET([pubkey], [disable RAW public key support plugin.]) +ARG_DISBL_SET([xcbc], [disable xcbc crypto implementation plugin.]) +# encoding/decoding plugins +ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.]) +ARG_DISBL_SET([pem], [disable PEM decoding plugin.]) +ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.]) ARG_DISBL_SET([pkcs1], [disable PKCS1 key decoding plugin.]) ARG_DISBL_SET([pkcs7], [disable PKCS7 container support plugin.]) ARG_DISBL_SET([pkcs8], [disable PKCS8 private key decoding plugin.]) ARG_DISBL_SET([pkcs12], [disable PKCS12 container support plugin.]) -ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.]) -ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.]) +ARG_DISBL_SET([pubkey], [disable RAW public key support plugin.]) ARG_DISBL_SET([sshkey], [disable SSH key decoding plugin.]) -ARG_ENABL_SET([dnscert], [enable DNSCERT authentication plugin.]) -ARG_ENABL_SET([ipseckey], [enable IPSECKEY authentication plugin.]) -ARG_DISBL_SET([pem], [disable PEM decoding plugin.]) -ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) -ARG_DISBL_SET([cmac], [disable CMAC crypto implementation plugin.]) -ARG_DISBL_SET([xcbc], [disable xcbc crypto implementation plugin.]) -ARG_ENABL_SET([af-alg], [enable AF_ALG crypto interface to Linux Crypto API.]) -ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.]) +ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.]) +# fetcher/resolver plugins +ARG_ENABL_SET([curl], [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.]) +ARG_ENABL_SET([ldap], [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.]) +ARG_ENABL_SET([soup], [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.]) +ARG_ENABL_SET([unbound], [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.]) +# database plugins ARG_ENABL_SET([mysql], [enable MySQL database support. Requires libmysqlclient_r.]) ARG_ENABL_SET([sqlite], [enable SQLite database support. Requires libsqlite3.]) -ARG_DISBL_SET([stroke], [disable charons stroke configuration backend.]) -ARG_ENABL_SET([medsrv], [enable mediation server web frontend and daemon plugin.]) -ARG_ENABL_SET([medcli], [enable mediation client configuration database plugin.]) -ARG_ENABL_SET([smp], [enable SMP configuration and control interface. Requires libxml.]) -ARG_ENABL_SET([sql], [enable SQL database configuration backend.]) -ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.]) -ARG_ENABL_SET([lock-profiler], [enable lock/mutex profiling code.]) -ARG_ENABL_SET([unit-tester], [enable unit tests on IKEv2 daemon startup.]) -ARG_ENABL_SET([load-tester], [enable load testing plugin for IKEv2 daemon.]) +# authentication/credential plugins +ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.]) +ARG_ENABL_SET([acert], [enable X509 attribute certificate checking plugin.]) +ARG_ENABL_SET([agent], [enables the ssh-agent signing plugin.]) +ARG_DISBL_SET([constraints], [disable advanced X509 constraint checking plugin.]) +ARG_ENABL_SET([coupling], [enable IKEv2 plugin to couple peer certificates permanently to authentication.]) +ARG_ENABL_SET([dnscert], [enable DNSCERT authentication plugin.]) ARG_ENABL_SET([eap-sim], [enable SIM authentication module for EAP.]) ARG_ENABL_SET([eap-sim-file], [enable EAP-SIM backend based on a triplet file.]) ARG_ENABL_SET([eap-sim-pcsc], [enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite.]) @@ -183,88 +188,97 @@ ARG_ENABL_SET([eap-peap], [enable EAP PEAP authentication module.]) ARG_ENABL_SET([eap-tnc], [enable EAP TNC trusted network connect module.]) ARG_ENABL_SET([eap-dynamic], [enable dynamic EAP proxy module.]) ARG_ENABL_SET([eap-radius], [enable RADIUS proxy authentication module.]) +ARG_ENABL_SET([ipseckey], [enable IPSECKEY authentication plugin.]) +ARG_ENABL_SET([keychain], [enables OS X Keychain Services credential set.]) +ARG_ENABL_SET([pkcs11], [enables the PKCS11 token support plugin.]) +ARG_DISBL_SET([revocation], [disable X509 CRL/OCSP revocation check plugin.]) +ARG_ENABL_SET([whitelist], [enable peer identity whitelisting plugin.]) ARG_DISBL_SET([xauth-generic], [disable generic XAuth backend.]) ARG_ENABL_SET([xauth-eap], [enable XAuth backend using EAP methods to verify passwords.]) ARG_ENABL_SET([xauth-pam], [enable XAuth backend using PAM to verify passwords.]) ARG_ENABL_SET([xauth-noauth], [enable XAuth pseudo-backend that does not actually verify or even request any credentials.]) -ARG_ENABL_SET([tnc-ifmap], [enable TNC IF-MAP module. Requires libxml]) -ARG_ENABL_SET([tnc-pdp], [enable TNC policy decision point module.]) -ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.]) -ARG_ENABL_SET([tnc-imv], [enable TNC IMV module.]) -ARG_ENABL_SET([tnccs-11], [enable TNCCS 1.1 protocol module. Requires libxml]) -ARG_ENABL_SET([tnccs-20], [enable TNCCS 2.0 protocol module.]) -ARG_ENABL_SET([tnccs-dynamic], [enable dynamic TNCCS protocol discovery module.]) -ARG_ENABL_SET([imc-test], [enable IMC test module.]) -ARG_ENABL_SET([imv-test], [enable IMV test module.]) -ARG_ENABL_SET([imc-scanner], [enable IMC port scanner module.]) -ARG_ENABL_SET([imv-scanner], [enable IMV port scanner module.]) -ARG_ENABL_SET([imc-os], [enable IMC operating system module.]) -ARG_ENABL_SET([imv-os], [enable IMV operating system module.]) -ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.]) -ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.]) -ARG_ENABL_SET([imc-swid], [enable IMC swid module.]) -ARG_ENABL_SET([imv-swid], [enable IMV swid module.]) +# kernel interfaces / sockets ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.]) ARG_ENABL_SET([kernel-pfkey], [enable the PF_KEY kernel interface.]) ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.]) ARG_ENABL_SET([kernel-klips], [enable the KLIPS kernel interface.]) ARG_ENABL_SET([kernel-libipsec],[enable the libipsec kernel interface.]) -ARG_ENABL_SET([libipsec], [enable user space IPsec implementation.]) ARG_DISBL_SET([socket-default], [disable default socket implementation for charon.]) ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon]) -ARG_ENABL_SET([farp], [enable ARP faking plugin that responds to ARP requests to peers virtual IP]) -ARG_ENABL_SET([dumm], [enable the DUMM UML test framework.]) -ARG_ENABL_SET([fast], [enable libfast (FastCGI Application Server w/ templates.]) -ARG_ENABL_SET([manager], [enable web management console (proof of concept).]) -ARG_ENABL_SET([mediation], [enable IKEv2 Mediation Extension.]) -ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.]) -ARG_DISBL_SET([load-warning], [disable the charon plugin load option warning in starter.]) -ARG_DISBL_SET([ikev1], [disable IKEv1 protocol support in charon.]) -ARG_DISBL_SET([ikev2], [disable IKEv2 protocol support in charon.]) -ARG_DISBL_SET([charon], [disable the IKEv1/IKEv2 keying daemon charon.]) -ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).]) -ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).]) -ARG_ENABL_SET([conftest], [enforce Suite B conformance test framework.]) -ARG_DISBL_SET([updown], [disable updown firewall script plugin.]) +# configuration/control plugins +ARG_DISBL_SET([stroke], [disable charons stroke configuration backend.]) +ARG_ENABL_SET([smp], [enable SMP configuration and control interface. Requires libxml.]) +ARG_ENABL_SET([sql], [enable SQL database configuration backend.]) +ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.]) +# attribute provider/consumer plugins +ARG_ENABL_SET([android-dns], [enable Android specific DNS handler.]) ARG_DISBL_SET([attr], [disable strongswan.conf based configuration attribute plugin.]) ARG_ENABL_SET([attr-sql], [enable SQL based configuration attribute plugin.]) ARG_ENABL_SET([dhcp], [enable DHCP based attribute provider plugin.]) +ARG_ENABL_SET([osx-attr], [enable OS X SystemConfiguration attribute handler.]) ARG_DISBL_SET([resolve], [disable resolve DNS handler plugin.]) -ARG_ENABL_SET([padlock], [enables VIA Padlock crypto plugin.]) -ARG_ENABL_SET([openssl], [enables the OpenSSL crypto plugin.]) -ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.]) -ARG_ENABL_SET([agent], [enables the ssh-agent signing plugin.]) -ARG_ENABL_SET([keychain], [enables OS X Keychain Services credential set.]) -ARG_ENABL_SET([pkcs11], [enables the PKCS11 token support plugin.]) -ARG_ENABL_SET([ctr], [enables the Counter Mode wrapper crypto plugin.]) -ARG_ENABL_SET([ccm], [enables the CCM AEAD wrapper crypto plugin.]) -ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.]) -ARG_ENABL_SET([ntru], [enables the NTRU crypto plugin.]) -ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.]) ARG_ENABL_SET([unity], [enables Cisco Unity extension plugin.]) -ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.]) -ARG_ENABL_SET([osx-attr], [enable OS X SystemConfiguration attribute handler.]) -ARG_ENABL_SET([android-dns], [enable Android specific DNS handler.]) +# TNC modules/plugins +ARG_ENABL_SET([imc-test], [enable IMC test module.]) +ARG_ENABL_SET([imv-test], [enable IMV test module.]) +ARG_ENABL_SET([imc-scanner], [enable IMC port scanner module.]) +ARG_ENABL_SET([imv-scanner], [enable IMV port scanner module.]) +ARG_ENABL_SET([imc-os], [enable IMC operating system module.]) +ARG_ENABL_SET([imv-os], [enable IMV operating system module.]) +ARG_ENABL_SET([imc-attestation],[enable IMC attestation module.]) +ARG_ENABL_SET([imv-attestation],[enable IMV attestation module.]) +ARG_ENABL_SET([imc-swid], [enable IMC swid module.]) +ARG_ENABL_SET([imv-swid], [enable IMV swid module.]) +ARG_ENABL_SET([tnc-ifmap], [enable TNC IF-MAP module. Requires libxml]) +ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.]) +ARG_ENABL_SET([tnc-imv], [enable TNC IMV module.]) +ARG_ENABL_SET([tnc-pdp], [enable TNC policy decision point module.]) +ARG_ENABL_SET([tnccs-11], [enable TNCCS 1.1 protocol module. Requires libxml]) +ARG_ENABL_SET([tnccs-20], [enable TNCCS 2.0 protocol module.]) +ARG_ENABL_SET([tnccs-dynamic], [enable dynamic TNCCS protocol discovery module.]) +# misc plugins ARG_ENABL_SET([android-log], [enable Android specific logger plugin.]) -ARG_ENABL_SET([maemo], [enable Maemo specific plugin.]) -ARG_ENABL_SET([nm], [enable NetworkManager backend.]) -ARG_ENABL_SET([ha], [enable high availability cluster plugin.]) -ARG_ENABL_SET([whitelist], [enable peer identity whitelisting plugin.]) -ARG_ENABL_SET([lookip], [enable fast virtual IP lookup and notification plugin.]) -ARG_ENABL_SET([error-notify], [enable error notification plugin.]) ARG_ENABL_SET([certexpire], [enable CSV export of expiration dates of used certificates.]) -ARG_ENABL_SET([systime-fix], [enable plugin to handle cert lifetimes with invalid system time gracefully.]) -ARG_ENABL_SET([led], [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.]) ARG_ENABL_SET([duplicheck], [advanced duplicate checking plugin using liveness checks.]) -ARG_ENABL_SET([coupling], [enable IKEv2 plugin to couple peer certificates permanently to authentication.]) +ARG_ENABL_SET([error-notify], [enable error notification plugin.]) +ARG_ENABL_SET([farp], [enable ARP faking plugin that responds to ARP requests to peers virtual IP]) +ARG_ENABL_SET([ha], [enable high availability cluster plugin.]) +ARG_ENABL_SET([led], [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.]) +ARG_ENABL_SET([load-tester], [enable load testing plugin for IKEv2 daemon.]) +ARG_ENABL_SET([lookip], [enable fast virtual IP lookup and notification plugin.]) +ARG_ENABL_SET([maemo], [enable Maemo specific plugin.]) ARG_ENABL_SET([radattr], [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.]) -ARG_ENABL_SET([vstr], [enforce using the Vstr string library to replace glibc-like printf hooks.]) -ARG_ENABL_SET([monolithic], [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.]) +ARG_ENABL_SET([systime-fix], [enable plugin to handle cert lifetimes with invalid system time gracefully.]) +ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.]) +ARG_ENABL_SET([unit-tester], [enable unit tests on IKEv2 daemon startup.]) +ARG_DISBL_SET([updown], [disable updown firewall script plugin.]) +# programs/components +ARG_DISBL_SET([charon], [disable the IKEv1/IKEv2 keying daemon charon.]) +ARG_ENABL_SET([cmd], [enable the command line IKE client charon-cmd.]) +ARG_ENABL_SET([conftest], [enforce Suite B conformance test framework.]) +ARG_ENABL_SET([dumm], [enable the DUMM UML test framework.]) +ARG_ENABL_SET([fast], [enable libfast (FastCGI Application Server w/ templates.]) +ARG_ENABL_SET([libipsec], [enable user space IPsec implementation.]) +ARG_ENABL_SET([manager], [enable web management console (proof of concept).]) +ARG_ENABL_SET([medcli], [enable mediation client configuration database plugin.]) +ARG_ENABL_SET([medsrv], [enable mediation server web frontend and daemon plugin.]) +ARG_ENABL_SET([nm], [enable NetworkManager backend.]) +ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).]) +ARG_ENABL_SET([tkm], [enable Trusted Key Manager support.]) +ARG_DISBL_SET([tools], [disable additional utilities (scepclient and pki).]) +# optional features ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.]) +ARG_DISBL_SET([ikev1], [disable IKEv1 protocol support in charon.]) +ARG_DISBL_SET([ikev2], [disable IKEv2 protocol support in charon.]) +ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.]) +ARG_DISBL_SET([load-warning], [disable the charon plugin load option warning in starter.]) +ARG_ENABL_SET([mediation], [enable IKEv2 Mediation Extension.]) ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.]) +# compile options ARG_ENABL_SET([coverage], [enable lcov coverage report generation.]) -ARG_ENABL_SET([tkm], [enable Trusted Key Manager support.]) -ARG_ENABL_SET([cmd], [enable the command line IKE client charon-cmd.]) +ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.]) +ARG_ENABL_SET([lock-profiler], [enable lock/mutex profiling code.]) +ARG_ENABL_SET([monolithic], [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.]) # =================================== # option to disable default options @@ -275,7 +289,20 @@ ARG_DISBL_SET([defaults], [disable all default plugins (they can be enable if test x$defaults = xfalse; then for option in $enabled_by_default; do eval test x\${${option}_given} = xtrue && continue - let $option=false + eval $option=false + done +fi + +# ============================== +# option to enable all options +# ============================== + +ARG_ENABL_SET([all], [enable all plugins and features (they can be disabled with their respective --disable options). Mainly for testing.]) + +if test x$all_given = xtrue; then + for option in $disabled_by_default; do + eval test x\${${option}_given} = xtrue && continue + eval $option=true done fi @@ -528,8 +555,7 @@ AC_CHECK_FUNC( AC_MSG_FAILURE([qsort_r has unknown semantics])]) ]) CFLAGS="$save_CFLAGS" - ], - [] + ] ) AC_CHECK_FUNCS(prctl mallinfo getpass closefrom getpwnam_r getgrnam_r getpwuid_r) @@ -660,28 +686,43 @@ AC_RUN_IFELSE([AC_LANG_SOURCE( [AC_MSG_RESULT([no])] ) -# check for the new register_printf_specifier function with len argument, -# or the deprecated register_printf_function without -AC_CHECK_FUNC( - [register_printf_specifier], - [AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])], - [AC_CHECK_FUNC( - [register_printf_function], - [AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])], - [ - AC_MSG_NOTICE([printf does not support custom format specifiers!]) - builtin_printf=true - ] - )] -) +case "$printf_hooks" in +auto|builtin|glibc|vstr) + ;; +*) + AC_MSG_NOTICE([invalid printf hook implementation, defaulting to 'auto']) + printf_hooks=auto + ;; +esac + +if test x$printf_hooks = xauto -o x$printf_hooks = xglibc; then + # check for the new register_printf_specifier function with len argument, + # or the deprecated register_printf_function without + AC_CHECK_FUNC( + [register_printf_specifier], + [AC_DEFINE([HAVE_PRINTF_SPECIFIER], [], [have register_printf_specifier()])], + [AC_CHECK_FUNC( + [register_printf_function], + [AC_DEFINE([HAVE_PRINTF_FUNCTION], [], [have register_printf_function()])], + [ + AC_MSG_NOTICE([printf(3) does not support custom format specifiers!]) + if test x$printf_hooks = xglibc; then + AC_MSG_ERROR([please select a different printf hook implementation]) + else + # fallback to builtin printf hook implementation + printf_hooks=builtin + fi + ] + )] + ) +fi -if test x$vstr = xtrue; then +if test x$printf_hooks = xvstr; then AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[]) AC_DEFINE([USE_VSTR], [], [use Vstr string library for printf hooks]) - builtin_printf=false fi -if test x$builtin_printf = xtrue; then +if test x$printf_hooks = xbuiltin; then AC_DEFINE([USE_BUILTIN_PRINTF], [], [using builtin printf for printf hooks]) fi @@ -1012,7 +1053,6 @@ charon_plugins= starter_plugins= pool_plugins= attest_plugins= -openac_plugins= scepclient_plugins= pki_plugins= scripts_plugins= @@ -1028,7 +1068,7 @@ h_plugins= s_plugins= t_plugins= -ADD_PLUGIN([test-vectors], [s charon openac scepclient pki]) +ADD_PLUGIN([test-vectors], [s charon scepclient pki]) ADD_PLUGIN([curl], [s charon scepclient scripts nm cmd]) ADD_PLUGIN([soup], [s charon scripts nm cmd]) ADD_PLUGIN([unbound], [s charon scripts]) @@ -1036,37 +1076,38 @@ ADD_PLUGIN([ldap], [s charon scepclient scripts nm cmd]) ADD_PLUGIN([mysql], [s charon pool manager medsrv attest]) ADD_PLUGIN([sqlite], [s charon pool manager medsrv attest]) ADD_PLUGIN([pkcs11], [s charon pki nm cmd]) -ADD_PLUGIN([aes], [s charon openac scepclient pki scripts nm cmd]) -ADD_PLUGIN([des], [s charon openac scepclient pki scripts nm cmd]) -ADD_PLUGIN([blowfish], [s charon openac scepclient pki scripts nm cmd]) -ADD_PLUGIN([rc2], [s charon openac scepclient pki scripts nm cmd]) -ADD_PLUGIN([sha1], [s charon openac scepclient pki scripts medsrv attest nm cmd]) -ADD_PLUGIN([sha2], [s charon openac scepclient pki scripts medsrv attest nm cmd]) -ADD_PLUGIN([md4], [s charon openac manager scepclient pki nm cmd]) -ADD_PLUGIN([md5], [s charon openac scepclient pki scripts attest nm cmd]) -ADD_PLUGIN([rdrand], [s charon openac scepclient pki scripts medsrv attest nm cmd]) -ADD_PLUGIN([random], [s charon openac scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([blowfish], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([rc2], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([sha1], [s charon scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([sha2], [s charon scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([md4], [s charon manager scepclient pki nm cmd]) +ADD_PLUGIN([md5], [s charon scepclient pki scripts attest nm cmd]) +ADD_PLUGIN([rdrand], [s charon scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([random], [s charon scepclient pki scripts medsrv attest nm cmd]) ADD_PLUGIN([nonce], [s charon nm cmd]) -ADD_PLUGIN([x509], [s charon openac scepclient pki scripts attest nm cmd]) +ADD_PLUGIN([x509], [s charon scepclient pki scripts attest nm cmd]) ADD_PLUGIN([revocation], [s charon nm cmd]) ADD_PLUGIN([constraints], [s charon nm cmd]) +ADD_PLUGIN([acert], [s charon]) ADD_PLUGIN([pubkey], [s charon cmd]) -ADD_PLUGIN([pkcs1], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([pkcs1], [s charon scepclient pki scripts manager medsrv attest nm cmd]) ADD_PLUGIN([pkcs7], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([pkcs8], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([pkcs8], [s charon scepclient pki scripts manager medsrv attest nm cmd]) ADD_PLUGIN([pkcs12], [s charon scepclient pki scripts cmd]) ADD_PLUGIN([pgp], [s charon]) ADD_PLUGIN([dnskey], [s charon pki]) ADD_PLUGIN([sshkey], [s charon pki nm cmd]) ADD_PLUGIN([dnscert], [c charon]) ADD_PLUGIN([ipseckey], [c charon]) -ADD_PLUGIN([pem], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([pem], [s charon scepclient pki scripts manager medsrv attest nm cmd]) ADD_PLUGIN([padlock], [s charon]) -ADD_PLUGIN([openssl], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) -ADD_PLUGIN([gcrypt], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) -ADD_PLUGIN([af-alg], [s charon openac scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([openssl], [s charon scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([gcrypt], [s charon scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd]) ADD_PLUGIN([fips-prf], [s charon nm cmd]) -ADD_PLUGIN([gmp], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd]) ADD_PLUGIN([agent], [s charon nm cmd]) ADD_PLUGIN([keychain], [s charon cmd]) ADD_PLUGIN([xcbc], [s charon nm cmd]) @@ -1148,7 +1189,6 @@ AC_SUBST(charon_plugins) AC_SUBST(starter_plugins) AC_SUBST(pool_plugins) AC_SUBST(attest_plugins) -AC_SUBST(openac_plugins) AC_SUBST(scepclient_plugins) AC_SUBST(pki_plugins) AC_SUBST(scripts_plugins) @@ -1189,6 +1229,7 @@ AM_CONDITIONAL(USE_NONCE, test x$nonce = xtrue) AM_CONDITIONAL(USE_X509, test x$x509 = xtrue) AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue) AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue) +AM_CONDITIONAL(USE_ACERT, test x$acert = xtrue) AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue) AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue) AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue) @@ -1329,8 +1370,8 @@ AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue) AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap) -AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue) -AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$builtin_printf = xtrue) +AM_CONDITIONAL(USE_VSTR, test x$printf_hooks = xvstr) +AM_CONDITIONAL(USE_BUILTIN_PRINTF, test x$printf_hooks = xbuiltin) AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue) AM_CONDITIONAL(USE_TLS, test x$tls = xtrue) AM_CONDITIONAL(USE_RADIUS, test x$radius = xtrue) @@ -1414,6 +1455,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile + src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile @@ -1453,6 +1495,7 @@ AC_CONFIG_FILES([ src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile + src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile @@ -1542,7 +1585,6 @@ AC_CONFIG_FILES([ src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile - src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile @@ -1579,6 +1621,7 @@ AC_CONFIG_FILES([ src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 + src/pki/man/pki---acert.1 src/pki/man/pki---verify.1 ]) diff --git a/init/Makefile.in b/init/Makefile.in index c9ace238e..9937f3b76 100644 --- a/init/Makefile.in +++ b/init/Makefile.in @@ -347,7 +347,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in index 766402660..18d789d10 100644 --- a/init/systemd/Makefile.in +++ b/init/systemd/Makefile.in @@ -316,7 +316,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/m4/macros/enable-disable.m4 b/m4/macros/enable-disable.m4 index 2e4552068..9d51cb9b2 100644 --- a/m4/macros/enable-disable.m4 +++ b/m4/macros/enable-disable.m4 @@ -2,6 +2,7 @@ # ARG_ENABL_SET(option, help) # --------------------------- # Create a --enable-$1 option with helptext, set a variable $1 to true/false +# All $1 are collected in the variable $disabled_by_default AC_DEFUN([ARG_ENABL_SET], [AC_ARG_ENABLE( [$1], @@ -14,7 +15,8 @@ AC_DEFUN([ARG_ENABL_SET], fi], [patsubst([$1], [-], [_])=false patsubst([$1], [-], [_])_given=false] - )] + ) + disabled_by_default=${disabled_by_default}" patsubst([$1], [-], [_])"] ) # ARG_DISBL_SET(option, help) diff --git a/man/Makefile.in b/man/Makefile.in index d4a38b10e..72312c469 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -318,7 +318,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/scripts/Makefile.in b/scripts/Makefile.in index 40001f848..f55ce75f1 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -419,7 +419,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/scripts/aes-test.c b/scripts/aes-test.c index eb94180f8..425a4dc4f 100644 --- a/scripts/aes-test.c +++ b/scripts/aes-test.c @@ -313,7 +313,7 @@ static bool do_test_gcm(test_vector_t *test) return FALSE; } - aead = lib->crypto->create_aead(lib->crypto, alg, test->key.len); + aead = lib->crypto->create_aead(lib->crypto, alg, test->key.len, 4); if (!aead) { DBG1(DBG_APP, "algorithm %N or key length (%d bits) not supported", diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c index 729472e7d..1768d769b 100644 --- a/scripts/crypt_burn.c +++ b/scripts/crypt_burn.c @@ -61,7 +61,7 @@ int main(int argc, char *argv[]) if (encryption_algorithm_is_aead(token->algorithm)) { aead = lib->crypto->create_aead(lib->crypto, - token->algorithm, token->keysize / 8); + token->algorithm, token->keysize / 8, 0); if (!aead) { fprintf(stderr, "aead '%s' not supported!\n", argv[1]); diff --git a/scripts/tls_test.c b/scripts/tls_test.c index 7ec477aae..84a32f96f 100644 --- a/scripts/tls_test.c +++ b/scripts/tls_test.c @@ -105,7 +105,7 @@ static int run_client(host_t *host, identification_t *server, close(fd); return 1; } - tls = tls_socket_create(FALSE, server, client, fd, cache); + tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE); if (!tls) { close(fd); @@ -162,7 +162,7 @@ static int serve(host_t *host, identification_t *server, } DBG1(DBG_TLS, "%#H connected", host); - tls = tls_socket_create(TRUE, server, NULL, cfd, cache); + tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE); if (!tls) { close(fd); diff --git a/src/Makefile.am b/src/Makefile.am index 7d11893d1..93da4893f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -73,7 +73,7 @@ if USE_UPDOWN endif if USE_TOOLS - SUBDIRS += openac scepclient pki + SUBDIRS += scepclient pki endif if USE_CONFTEST diff --git a/src/Makefile.in b/src/Makefile.in index 1c2a427f7..d1950d13d 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -95,7 +95,7 @@ host_triplet = @host@ @USE_NM_TRUE@am__append_16 = charon-nm @USE_STROKE_TRUE@am__append_17 = stroke @USE_UPDOWN_TRUE@am__append_18 = _updown _updown_espmark -@USE_TOOLS_TRUE@am__append_19 = openac scepclient pki +@USE_TOOLS_TRUE@am__append_19 = scepclient pki @USE_CONFTEST_TRUE@am__append_20 = conftest @USE_DUMM_TRUE@am__append_21 = dumm @USE_FAST_TRUE@am__append_22 = libfast @@ -183,9 +183,9 @@ CTAGS = ctags DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \ libtls libradius libtncif libtnccs libpttls libimcv libpts \ libcharon starter ipsec _copyright charon charon-nm stroke \ - _updown _updown_espmark openac scepclient pki conftest dumm \ - libfast manager medsrv pool charon-tkm charon-cmd \ - pt-tls-client checksum + _updown _updown_espmark scepclient pki conftest dumm libfast \ + manager medsrv pool charon-tkm charon-cmd pt-tls-client \ + checksum DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -381,7 +381,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 0783f9e7b..4377ca0ac 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -339,7 +339,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index e77049543..b015e3d96 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index 918bd6a89..ee814a4eb 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in index 62d6cd725..0e5c00a14 100644 --- a/src/charon-cmd/Makefile.in +++ b/src/charon-cmd/Makefile.in @@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in index 955d15313..edc3d7743 100644 --- a/src/charon-nm/Makefile.in +++ b/src/charon-nm/Makefile.in @@ -347,7 +347,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c index f0daff61e..67366a067 100644 --- a/src/charon-nm/nm/nm_service.c +++ b/src/charon-nm/nm/nm_service.c @@ -329,7 +329,6 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, "Failed to create dummy TUN device."); - gateway->destroy(gateway); return FALSE; } address = nm_setting_vpn_get_data_item(vpn, "address"); @@ -660,6 +659,10 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, key->destroy(key); return FALSE; } + else if (nm_setting_vpn_get_secret(settings, "password")) + { + return FALSE; + } } } else if (streq(method, "smartcard")) diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in index 15e654d00..8005d076b 100644 --- a/src/charon-tkm/Makefile.in +++ b/src/charon-tkm/Makefile.in @@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index f3b7cfd56..f808ce0d7 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -343,7 +343,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index d172b1545..82bbadcf1 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -100,7 +100,6 @@ if USE_CMD endif if USE_TOOLS - exes += $(DESTDIR)$(ipsecdir)/openac exes += $(DESTDIR)$(ipsecdir)/scepclient exes += $(DESTDIR)$(bindir)/pki endif diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index cdfbf1016..d798d315e 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -105,8 +105,7 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT) @USE_CHARON_TRUE@am__append_24 = $(DESTDIR)$(ipsecdir)/charon @MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_25 = -DC_PLUGINS=\""${c_plugins}\"" @USE_CMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd -@USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/openac \ -@USE_TOOLS_TRUE@ $(DESTDIR)$(ipsecdir)/scepclient \ +@USE_TOOLS_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient \ @USE_TOOLS_TRUE@ $(DESTDIR)$(bindir)/pki @USE_ATTR_SQL_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/pool @USE_IMV_ATTESTATION_TRUE@am__append_29 = $(DESTDIR)$(ipsecdir)/attest @@ -412,7 +411,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in index ee6bf57f5..453e8f827 100644 --- a/src/conftest/Makefile.in +++ b/src/conftest/Makefile.in @@ -357,7 +357,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index f1628ef69..2f7b2ea9c 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -378,7 +378,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 1987dbde5..f5277e314 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 69b736a7a..545123bfd 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -320,7 +320,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index b7d820e21..17010608f 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.1.2rc2" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.2.0dr1" "strongSwan" . .SH NAME . diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in index 3c1f99825..61632188a 100644 --- a/src/ipsec/_ipsec.in +++ b/src/ipsec/_ipsec.in @@ -70,7 +70,6 @@ case "$1" in echo " rereadcacerts|rereadaacerts|rereadocspcerts" echo " rereadacerts|rereadcrls|rereadall" echo " purgeocsp|purgecrls|purgecerts|purgeike" - echo " openac" echo " scepclient" echo " secrets" echo " starter" diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 5f8453616..b300df3b2 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -870,7 +870,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c index c74daa0cc..e08bb3f67 100644 --- a/src/libcharon/config/ike_cfg.c +++ b/src/libcharon/config/ike_cfg.c @@ -385,7 +385,7 @@ METHOD(ike_cfg_t, equals, bool, return FALSE; } e1 = this->proposals->create_enumerator(this->proposals); - e2 = this->proposals->create_enumerator(this->proposals); + e2 = other->proposals->create_enumerator(other->proposals); while (e1->enumerate(e1, &p1) && e2->enumerate(e2, &p2)) { if (!p1->equals(p1, p2)) diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 891d1be84..2ecdb4f2e 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2012 Tobias Brunner + * Copyright (C) 2008-2014 Tobias Brunner * Copyright (C) 2006-2010 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -193,7 +193,7 @@ static bool select_algo(private_proposal_t *this, proposal_t *other, { enumerator_t *e1, *e2; u_int16_t alg1, alg2, ks1, ks2; - bool found = FALSE; + bool found = FALSE, optional = FALSE; if (type == INTEGRITY_ALGORITHM && selected->get_algorithm(selected, ENCRYPTION_ALGORITHM, &alg1, NULL) && @@ -202,12 +202,27 @@ static bool select_algo(private_proposal_t *this, proposal_t *other, /* no integrity algorithm required, we have an AEAD */ return TRUE; } + if (type == DIFFIE_HELLMAN_GROUP) + { + optional = this->protocol == PROTO_ESP || this->protocol == PROTO_AH; + } e1 = create_enumerator(this, type); e2 = other->create_enumerator(other, type); - if (!e1->enumerate(e1, NULL, NULL) && !e2->enumerate(e2, NULL, NULL)) + if (!e1->enumerate(e1, NULL, NULL)) { - found = TRUE; + if (!e2->enumerate(e2, &alg2, NULL)) + { + found = TRUE; + } + else if (optional) + { + do + { /* if the other peer proposes NONE, we accept the proposal */ + found = !alg2; + } + while (!found && e2->enumerate(e2, &alg2, NULL)); + } } e1->destroy(e1); diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c index a32f5705d..05d41051b 100644 --- a/src/libcharon/encoding/payloads/cert_payload.c +++ b/src/libcharon/encoding/payloads/cert_payload.c @@ -224,6 +224,9 @@ METHOD(cert_payload_t, get_cert, certificate_t*, case ENC_X509_SIGNATURE: type = CERT_X509; break; + case ENC_X509_ATTRIBUTE: + type = CERT_X509_AC; + break; case ENC_CRL: type = CERT_X509_CRL; break; @@ -333,6 +336,9 @@ cert_payload_t *cert_payload_create_from_cert(payload_type_t type, case CERT_X509: this->encoding = ENC_X509_SIGNATURE; break; + case CERT_X509_AC: + this->encoding = ENC_X509_ATTRIBUTE; + break; default: DBG1(DBG_ENC, "embedding %N certificate in payload failed", certificate_type_names, cert->get_type(cert)); @@ -380,4 +386,3 @@ cert_payload_t *cert_payload_create_custom(payload_type_t type, return &this->public; } - diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index cb9b359b3..3e35b75c6 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -361,12 +361,20 @@ METHOD(payload_t, verify, status_t, } break; case PROTO_IKE: - if (this->spi.len != 0 && this->spi.len != 8) + if (this->type == PROPOSAL_SUBSTRUCTURE_V1) { - DBG1(DBG_ENC, "invalid SPI length in IKE proposal"); - return FAILED; + if (this->spi.len <= 16) + { /* according to RFC 2409, section 3.5 anything between + * 0 and 16 is fine */ + break; + } } - break; + else if (this->spi.len == 0 || this->spi.len == 8) + { + break; + } + DBG1(DBG_ENC, "invalid SPI length in IKE proposal"); + return FAILED; default: break; } diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index bc32b5ade..0aa635a43 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in index 6278a6234..f44734cc6 100644 --- a/src/libcharon/plugins/android_dns/Makefile.in +++ b/src/libcharon/plugins/android_dns/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in index ae64a8758..361b36187 100644 --- a/src/libcharon/plugins/android_log/Makefile.in +++ b/src/libcharon/plugins/android_log/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in index f812770f3..e218c8a4f 100644 --- a/src/libcharon/plugins/certexpire/Makefile.in +++ b/src/libcharon/plugins/certexpire/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in index d8eb802b7..bb951264f 100644 --- a/src/libcharon/plugins/coupling/Makefile.in +++ b/src/libcharon/plugins/coupling/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index 395cd76ea..81f2b7868 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c index e092771f4..f5325b566 100644 --- a/src/libcharon/plugins/dhcp/dhcp_provider.c +++ b/src/libcharon/plugins/dhcp/dhcp_provider.c @@ -47,22 +47,6 @@ struct private_dhcp_provider_t { }; /** - * Hashtable hash function - */ -static u_int hash(void *key) -{ - return (uintptr_t)key; -} - -/** - * Hashtable equals function - */ -static bool equals(void *a, void *b) -{ - return a == b; -} - -/** * Hash ID and host to a key */ static uintptr_t hash_id_host(identification_t *id, host_t *host) @@ -226,7 +210,8 @@ dhcp_provider_t *dhcp_provider_create(dhcp_socket_t *socket) }, .socket = socket, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .transactions = hashtable_create(hash, equals, 8), + .transactions = hashtable_create(hashtable_hash_ptr, + hashtable_equals_ptr, 8), ); return &this->public; diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in index 4be453ea8..d9eeddf70 100644 --- a/src/libcharon/plugins/dnscert/Makefile.in +++ b/src/libcharon/plugins/dnscert/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in index e9da68ee8..0b12cf320 100644 --- a/src/libcharon/plugins/duplicheck/Makefile.in +++ b/src/libcharon/plugins/duplicheck/Makefile.in @@ -380,7 +380,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 67cf66720..9e771ae46 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index 7d6ae956c..91c4bb10b 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in index 6ff0acb32..16d0b4203 100644 --- a/src/libcharon/plugins/eap_dynamic/Makefile.in +++ b/src/libcharon/plugins/eap_dynamic/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 99ae94e37..1c8d51b94 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index 688879a82..4c536b2a0 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 150b131f0..d9938dd00 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index d52f26a9a..7caac9c76 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index 49e3dd142..511506869 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -792,12 +792,14 @@ static status_t process_peer_success(private_eap_mschapv2_t *this, "invalid auth string"); goto error; } + chunk_free(&auth_string); hex = chunk_create(token, AUTH_RESPONSE_LEN - 2); auth_string = chunk_from_hex(hex, NULL); } else if (strpfx(token, "M=")) { token += 2; + free(msg); msg = strdup(token); } } @@ -883,6 +885,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, "invalid challenge"); goto error; } + chunk_free(&challenge); hex = chunk_create(token, 2 * CHALLENGE_LEN); challenge = chunk_from_hex(hex, NULL); } @@ -893,6 +896,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, else if (strpfx(token, "M=")) { token += 2; + free(msg); msg = strdup(token); } } diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in index 7ac4a6edf..29d8c8bb0 100644 --- a/src/libcharon/plugins/eap_peap/Makefile.in +++ b/src/libcharon/plugins/eap_peap/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 3e2bf046d..fbce3127f 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index 8c780e78d..5fb1bbb75 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -410,7 +410,12 @@ static job_requeue_t send_interim(interim_data_t *data) { if (!send_message(this, message)) { - eap_radius_handle_timeout(data->id); + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.accounting_close_on_timeout", + TRUE, lib->ns)) + { + eap_radius_handle_timeout(data->id); + } } message->destroy(message); } diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c index b873e1d69..54d52a98c 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c @@ -74,22 +74,6 @@ typedef struct { static private_eap_radius_forward_t *singleton = NULL; /** - * Hashtable hash function - */ -static u_int hash(uintptr_t key) -{ - return key; -} - -/** - * Hashtable equals function - */ -static bool equals(uintptr_t a, uintptr_t b) -{ - return a == b; -} - -/** * Free a queue entry */ static void free_attribute(chunk_t *chunk) @@ -442,10 +426,8 @@ eap_radius_forward_t *eap_radius_forward_create() .to_attr = parse_selector(lib->settings->get_str(lib->settings, "%s.plugins.eap-radius.forward.radius_to_ike", "", lib->ns)), - .from = hashtable_create((hashtable_hash_t)hash, - (hashtable_equals_t)equals, 8), - .to = hashtable_create((hashtable_hash_t)hash, - (hashtable_equals_t)equals, 8), + .from = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8), + .to = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index 3707f64f3..10b881f59 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 05bbc3129..e4552d196 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in index a22a5c355..628f5372a 100644 --- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in +++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in @@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 189baacbc..4a8127fc1 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index 33443a1d2..8ac480d48 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index 02cf1532c..79b45a9c1 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index ec189f895..c2b8b4feb 100644 --- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index 6d4ff8756..1f2ace21d 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in index a22b1e220..b6937877d 100644 --- a/src/libcharon/plugins/eap_ttls/Makefile.in +++ b/src/libcharon/plugins/eap_ttls/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in index d8a135cc1..8dd787569 100644 --- a/src/libcharon/plugins/error_notify/Makefile.in +++ b/src/libcharon/plugins/error_notify/Makefile.in @@ -381,7 +381,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 60c55f01e..13f0e5260 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index 2f3263064..d7a77ee17 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c index ce1afe6f9..60e75fc7e 100644 --- a/src/libcharon/plugins/ha/ha_cache.c +++ b/src/libcharon/plugins/ha/ha_cache.c @@ -59,22 +59,6 @@ struct private_ha_cache_t { }; /** - * Hashtable hash function - */ -static u_int hash(void *key) -{ - return (uintptr_t)key; -} - -/** - * Hashtable equals function - */ -static bool equals(void *a, void *b) -{ - return a == b; -} - -/** * Cache entry for an IKE_SA */ typedef struct { @@ -380,7 +364,7 @@ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, .count = count, .kernel = kernel, .socket = socket, - .cache = hashtable_create(hash, equals, 8), + .cache = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 8), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in index 2ee5a49f1..1f62f4026 100644 --- a/src/libcharon/plugins/ipseckey/Makefile.in +++ b/src/libcharon/plugins/ipseckey/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in index 1726c689c..3bc289d22 100644 --- a/src/libcharon/plugins/kernel_libipsec/Makefile.in +++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index 48163aff2..f7179cfe8 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index 2369044dd..561d69a23 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -383,7 +383,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in index 4b6d214de..57aaeeaeb 100644 --- a/src/libcharon/plugins/lookip/Makefile.in +++ b/src/libcharon/plugins/lookip/Makefile.in @@ -379,7 +379,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in index 314088a25..e1d4ee301 100644 --- a/src/libcharon/plugins/maemo/Makefile.in +++ b/src/libcharon/plugins/maemo/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index 8d7ca04e6..b6a04dfe7 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index 7abc23e50..82d985e57 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in index b891f55f1..ce8d67c53 100644 --- a/src/libcharon/plugins/osx_attr/Makefile.in +++ b/src/libcharon/plugins/osx_attr/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in index bf85d5713..3dbebd807 100644 --- a/src/libcharon/plugins/radattr/Makefile.in +++ b/src/libcharon/plugins/radattr/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index 43f3c6fbf..e0134e7a2 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index 155113e48..894c1f9dc 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index da40a433b..a0e2d2d93 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 963804932..02967d0dd 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 11a8771cc..253203de7 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index ea168058f..1aa49ce0d 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -31,8 +31,9 @@ #include <credentials/certificates/ac.h> #include <credentials/certificates/crl.h> #include <credentials/certificates/pgp_certificate.h> -#include <credentials/ietf_attributes/ietf_attributes.h> #include <config/peer_cfg.h> +#include <asn1/asn1.h> +#include <asn1/oid.h> /* warning intervals for list functions */ #define CERT_WARNING_INTERVAL 30 /* days */ @@ -1027,16 +1028,19 @@ static void stroke_list_certs(linked_list_t *list, char *label, static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) { bool first = TRUE; - time_t thisUpdate, nextUpdate, now = time(NULL); - enumerator_t *enumerator = list->create_enumerator(list); + time_t notBefore, notAfter, now = time(NULL); + enumerator_t *enumerator; certificate_t *cert; - while (enumerator->enumerate(enumerator, (void**)&cert)) + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &cert)) { ac_t *ac = (ac_t*)cert; + ac_group_type_t type; identification_t *id; - ietf_attributes_t *groups; + enumerator_t *groups; chunk_t chunk; + bool firstgroup = TRUE; if (first) { @@ -1061,30 +1065,79 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out) { fprintf(out, " hserial: %#B\n", &chunk); } - groups = ac->get_groups(ac); - if (groups) + groups = ac->create_group_enumerator(ac); + while (groups->enumerate(groups, &type, &chunk)) { - fprintf(out, " groups: %s\n", groups->get_string(groups)); - groups->destroy(groups); + int oid; + char *str; + + if (firstgroup) + { + fprintf(out, " groups: "); + firstgroup = FALSE; + } + else + { + fprintf(out, " "); + } + switch (type) + { + case AC_GROUP_TYPE_STRING: + fprintf(out, "%.*s", (int)chunk.len, chunk.ptr); + break; + case AC_GROUP_TYPE_OID: + oid = asn1_known_oid(chunk); + if (oid == OID_UNKNOWN) + { + str = asn1_oid_to_string(chunk); + if (str) + { + fprintf(out, "%s", str); + free(str); + } + else + { + fprintf(out, "OID:%#B", &chunk); + } + } + else + { + fprintf(out, "%s", oid_names[oid].name); + } + break; + case AC_GROUP_TYPE_OCTETS: + fprintf(out, "%#B", &chunk); + break; + } + fprintf(out, "\n"); } + groups->destroy(groups); fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert)); chunk = chunk_skip_zero(ac->get_serial(ac)); fprintf(out, " serial: %#B\n", &chunk); /* list validity */ - cert->get_validity(cert, &now, &thisUpdate, &nextUpdate); - fprintf(out, " updates: this %T\n", &thisUpdate, utc); - fprintf(out, " next %T, ", &nextUpdate, utc); - if (now > nextUpdate) + cert->get_validity(cert, &now, ¬Before, ¬After); + fprintf(out, " validity: not before %T, ", ¬Before, utc); + if (now < notBefore) { - fprintf(out, "expired (%V ago)\n", &now, &nextUpdate); + fprintf(out, "not valid yet (valid in %V)\n", &now, ¬Before); + } + else + { + fprintf(out, "ok\n"); + } + fprintf(out, " not after %T, ", ¬After, utc); + if (now > notAfter) + { + fprintf(out, "expired (%V ago)\n", &now, ¬After); } else { fprintf(out, "ok"); - if (now > nextUpdate - AC_WARNING_INTERVAL * 60 * 60 * 24) + if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24) { - fprintf(out, " (expires in %V)", &now, &nextUpdate); + fprintf(out, " (expires in %V)", &now, ¬After); } fprintf(out, " \n"); } diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in index 63724728a..76b2c5703 100644 --- a/src/libcharon/plugins/systime_fix/Makefile.in +++ b/src/libcharon/plugins/systime_fix/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in index ace18e77c..194113088 100644 --- a/src/libcharon/plugins/tnc_ifmap/Makefile.in +++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in @@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c index 8f24daea3..a652e7067 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c @@ -779,7 +779,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this) return FALSE; } DBG1(DBG_TNC, "loaded MAP client certificate from '%s'", client_cert); - this->creds->add_cert(this->creds, TRUE, cert); + cert = this->creds->add_cert_ref(this->creds, TRUE, cert); /* load MAP client private key */ if (client_key) @@ -876,7 +876,8 @@ static bool soap_init(private_tnc_ifmap_soap_t *this) } /* open TLS socket */ - this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, NULL); + this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, + NULL, TLS_1_2, FALSE); if (!this->tls) { DBG1(DBG_TNC, "creating TLS socket failed"); @@ -923,4 +924,3 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create() return &this->public; } - diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.am b/src/libcharon/plugins/tnc_pdp/Makefile.am index cc7c934d8..48de82571 100644 --- a/src/libcharon/plugins/tnc_pdp/Makefile.am +++ b/src/libcharon/plugins/tnc_pdp/Makefile.am @@ -15,12 +15,13 @@ if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la else plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la +endif + libstrongswan_tnc_pdp_la_LIBADD = \ $(top_builddir)/src/libradius/libradius.la \ $(top_builddir)/src/libpttls/libpttls.la \ $(top_builddir)/src/libtls/libtls.la \ $(top_builddir)/src/libtnccs/libtnccs.la -endif libstrongswan_tnc_pdp_la_SOURCES = \ tnc_pdp_plugin.h tnc_pdp_plugin.c \ diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in index b2958efdb..875aa99d1 100644 --- a/src/libcharon/plugins/tnc_pdp/Makefile.in +++ b/src/libcharon/plugins/tnc_pdp/Makefile.in @@ -127,11 +127,11 @@ am__uninstall_files_from_dir = { \ } am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -@MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_DEPENDENCIES = \ -@MONOLITHIC_FALSE@ $(top_builddir)/src/libradius/libradius.la \ -@MONOLITHIC_FALSE@ $(top_builddir)/src/libpttls/libpttls.la \ -@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la \ -@MONOLITHIC_FALSE@ $(top_builddir)/src/libtnccs/libtnccs.la +libstrongswan_tnc_pdp_la_DEPENDENCIES = \ + $(top_builddir)/src/libradius/libradius.la \ + $(top_builddir)/src/libpttls/libpttls.la \ + $(top_builddir)/src/libtls/libtls.la \ + $(top_builddir)/src/libtnccs/libtnccs.la am_libstrongswan_tnc_pdp_la_OBJECTS = tnc_pdp_plugin.lo tnc_pdp.lo \ tnc_pdp_connections.lo libstrongswan_tnc_pdp_la_OBJECTS = \ @@ -377,7 +377,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -432,11 +431,11 @@ AM_CFLAGS = \ @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-pdp.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la -@MONOLITHIC_FALSE@libstrongswan_tnc_pdp_la_LIBADD = \ -@MONOLITHIC_FALSE@ $(top_builddir)/src/libradius/libradius.la \ -@MONOLITHIC_FALSE@ $(top_builddir)/src/libpttls/libpttls.la \ -@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la \ -@MONOLITHIC_FALSE@ $(top_builddir)/src/libtnccs/libtnccs.la +libstrongswan_tnc_pdp_la_LIBADD = \ + $(top_builddir)/src/libradius/libradius.la \ + $(top_builddir)/src/libpttls/libpttls.la \ + $(top_builddir)/src/libtls/libtls.la \ + $(top_builddir)/src/libtnccs/libtnccs.la libstrongswan_tnc_pdp_la_SOURCES = \ tnc_pdp_plugin.h tnc_pdp_plugin.c \ diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index b2b473c32..8c38ceade 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 2d9f59678..165590dee 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in @@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in index 65fe14e1d..efb7e958d 100644 --- a/src/libcharon/plugins/unity/Makefile.in +++ b/src/libcharon/plugins/unity/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index e2d6d32fb..36cf78eca 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in index aa8ad2e10..e3588ad7d 100644 --- a/src/libcharon/plugins/whitelist/Makefile.in +++ b/src/libcharon/plugins/whitelist/Makefile.in @@ -380,7 +380,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in index cf0c326e3..b78a91764 100644 --- a/src/libcharon/plugins/xauth_eap/Makefile.in +++ b/src/libcharon/plugins/xauth_eap/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in index 2d18f60df..e4d96a954 100644 --- a/src/libcharon/plugins/xauth_generic/Makefile.in +++ b/src/libcharon/plugins/xauth_generic/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in index 8173631ae..5fe4c064f 100644 --- a/src/libcharon/plugins/xauth_noauth/Makefile.in +++ b/src/libcharon/plugins/xauth_noauth/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in index 1ee269e04..2a6aec0c3 100644 --- a/src/libcharon/plugins/xauth_pam/Makefile.in +++ b/src/libcharon/plugins/xauth_pam/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 8c7ba8d55..88ad14faf 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -97,10 +97,35 @@ static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg, { aead_t *aead_i, *aead_r; chunk_t key = chunk_empty; + u_int salt_size; + + switch (alg) + { + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + /* RFC 4106 */ + salt_size = 4; + break; + case ENCR_AES_CCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV16: + /* RFC 4309 */ + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: + /* RFC 5529 */ + salt_size = 3; + break; + default: + DBG1(DBG_IKE, "nonce size for %N unknown!", + encryption_algorithm_names, alg); + return FALSE; + } /* SK_ei/SK_er used for encryption */ - aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8); - aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8); + aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size); + aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size); if (aead_i == NULL || aead_r == NULL) { DBG1(DBG_IKE, "%N %N (key size %d) not supported!", diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index ac3be900f..a5252ab70 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this, case CREATE_CHILD_SA: { /* FIXME: we should prevent this on mediation connections */ bool notify_found = FALSE, ts_found = FALSE; + + if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || + this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING) + { + DBG1(DBG_IKE, "received CREATE_CHILD_SA request for " + "unestablished IKE_SA, rejected"); + return FAILED; + } + enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c index e898efc88..88b032c8b 100644 --- a/src/libcharon/sa/ikev2/tasks/child_delete.c +++ b/src/libcharon/sa/ikev2/tasks/child_delete.c @@ -17,6 +17,7 @@ #include <daemon.h> #include <encoding/payloads/delete_payload.h> +#include <sa/ikev2/tasks/child_create.h> typedef struct private_child_delete_t private_child_delete_t; @@ -313,6 +314,17 @@ METHOD(task_t, build_i, status_t, } log_children(this); build_payloads(this, message); + + if (!this->rekeyed && this->expired) + { + child_cfg_t *child_cfg; + + DBG1(DBG_IKE, "scheduling CHILD_SA recreate after hard expire"); + child_cfg = child_sa->get_config(child_sa); + this->ike_sa->queue_task(this->ike_sa, (task_t*) + child_create_create(this->ike_sa, child_cfg->get_ref(child_cfg), + FALSE, NULL, NULL)); + } return NEED_MORE; } diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c index a93e5137e..6dbc4dec3 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c @@ -22,6 +22,7 @@ #include <encoding/payloads/certreq_payload.h> #include <encoding/payloads/auth_payload.h> #include <credentials/certificates/x509.h> +#include <credentials/certificates/ac.h> typedef struct private_ike_cert_post_t private_ike_cert_post_t; @@ -105,12 +106,109 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, } /** + * Add subject certificate to message + */ +static bool add_subject_cert(private_ike_cert_post_t *this, auth_cfg_t *auth, + message_t *message) +{ + cert_payload_t *payload; + certificate_t *cert; + + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (!cert) + { + return FALSE; + } + payload = build_cert_payload(this, cert); + if (!payload) + { + return FALSE; + } + DBG1(DBG_IKE, "sending end entity cert \"%Y\"", cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + return TRUE; +} + +/** + * Add intermediate CA certificates to message + */ +static void add_im_certs(private_ike_cert_post_t *this, auth_cfg_t *auth, + message_t *message) +{ + cert_payload_t *payload; + enumerator_t *enumerator; + certificate_t *cert; + auth_rule_t type; + + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &type, &cert)) + { + if (type == AUTH_RULE_IM_CERT) + { + payload = cert_payload_create_from_cert(CERTIFICATE, cert); + if (payload) + { + DBG1(DBG_IKE, "sending issuer cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + } + enumerator->destroy(enumerator); +} + +/** + * Add any valid attribute certificates of subject to message + */ +static void add_attribute_certs(private_ike_cert_post_t *this, + auth_cfg_t *auth, message_t *message) +{ + certificate_t *subject, *cert; + + subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (subject && subject->get_type(subject) == CERT_X509) + { + x509_t *x509 = (x509_t*)subject; + identification_t *id, *serial; + enumerator_t *enumerator; + cert_payload_t *payload; + ac_t *ac; + + /* we look for attribute certs having our serial and holder issuer, + * which is recommended by RFC 5755 */ + serial = identification_create_from_encoding(ID_KEY_ID, + x509->get_serial(x509)); + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_AC, KEY_ANY, serial, FALSE); + while (enumerator->enumerate(enumerator, &ac)) + { + cert = &ac->certificate; + id = ac->get_holderIssuer(ac); + if (id && id->equals(id, subject->get_issuer(subject)) && + cert->get_validity(cert, NULL, NULL, NULL)) + { + payload = cert_payload_create_from_cert(CERTIFICATE, cert); + if (payload) + { + DBG1(DBG_IKE, "sending attribute certificate " + "issued by \"%Y\"", cert->get_issuer(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + } + enumerator->destroy(enumerator); + serial->destroy(serial); + } +} + +/** * add certificates to message */ static void build_certs(private_ike_cert_post_t *this, message_t *message) { peer_cfg_t *peer_cfg; auth_payload_t *payload; + auth_cfg_t *auth; payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION); peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); @@ -130,46 +228,13 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message) } /* FALL */ case CERT_ALWAYS_SEND: - { - cert_payload_t *payload; - enumerator_t *enumerator; - certificate_t *cert; - auth_rule_t type; - auth_cfg_t *auth; - auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); - - /* get subject cert first, then issuing certificates */ - cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); - if (!cert) + if (add_subject_cert(this, auth, message)) { - break; + add_im_certs(this, auth, message); + add_attribute_certs(this, auth, message); } - payload = build_cert_payload(this, cert); - if (!payload) - { - break; - } - DBG1(DBG_IKE, "sending end entity cert \"%Y\"", - cert->get_subject(cert)); - message->add_payload(message, (payload_t*)payload); - - enumerator = auth->create_enumerator(auth); - while (enumerator->enumerate(enumerator, &type, &cert)) - { - if (type == AUTH_RULE_IM_CERT) - { - payload = cert_payload_create_from_cert(CERTIFICATE, cert); - if (payload) - { - DBG1(DBG_IKE, "sending issuer cert \"%Y\"", - cert->get_subject(cert)); - message->add_payload(message, (payload_t*)payload); - } - } - } - enumerator->destroy(enumerator); - } + break; } } diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c index bd28b29d7..558b1e914 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c @@ -260,6 +260,30 @@ static void process_crl(cert_payload_t *payload, auth_cfg_t *auth) } /** + * Process an attribute certificate payload + */ +static void process_ac(cert_payload_t *payload, auth_cfg_t *auth) +{ + certificate_t *cert; + + cert = payload->get_cert(payload); + if (cert) + { + if (cert->get_issuer(cert)) + { + DBG1(DBG_IKE, "received attribute certificate issued by \"%Y\"", + cert->get_issuer(cert)); + } + else if (cert->get_subject(cert)) + { + DBG1(DBG_IKE, "received attribute certificate for \"%Y\"", + cert->get_subject(cert)); + } + auth->add(auth, AUTH_HELPER_AC_CERT, cert); + } +} + +/** * Process certificate payloads */ static void process_certs(private_ike_cert_pre_t *this, message_t *message) @@ -298,13 +322,15 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) case ENC_CRL: process_crl(cert_payload, auth); break; + case ENC_X509_ATTRIBUTE: + process_ac(cert_payload, auth); + break; case ENC_PKCS7_WRAPPED_X509: case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: case ENC_ARL: case ENC_SPKI: - case ENC_X509_ATTRIBUTE: case ENC_RAW_RSA_KEY: case ENC_X509_HASH_AND_URL_BUNDLE: case ENC_OCSP_CONTENT: diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index dbfb9889b..f4405ae09 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in index 5e0bf3f17..be3e36c48 100644 --- a/src/libhydra/Makefile.in +++ b/src/libhydra/Makefile.in @@ -430,7 +430,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in index e762b7757..ed13f1eaa 100644 --- a/src/libhydra/plugins/attr/Makefile.in +++ b/src/libhydra/plugins/attr/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c index a27fd57b1..c1788df94 100644 --- a/src/libhydra/plugins/attr/attr_provider.c +++ b/src/libhydra/plugins/attr/attr_provider.c @@ -242,10 +242,13 @@ static void load_entries(private_attr_provider_t *this) { if (family == AF_INET) { /* IPv4 attributes contain a subnet mask */ - u_int32_t netmask; + u_int32_t netmask = 0; - mask = 32 - mask; - netmask = htonl((0xFFFFFFFF >> mask) << mask); + if (mask) + { /* shifting u_int32_t by 32 or more is undefined */ + mask = 32 - mask; + netmask = htonl((0xFFFFFFFF >> mask) << mask); + } data = chunk_cat("cc", host->get_address(host), chunk_from_thing(netmask)); } diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in index 1d258f2fb..5d88c771e 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.in +++ b/src/libhydra/plugins/attr_sql/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in index c804c8e81..f20ceb44b 100644 --- a/src/libhydra/plugins/kernel_klips/Makefile.in +++ b/src/libhydra/plugins/kernel_klips/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index 5910cfd92..26cde7cbf 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in index 5d0e927de..658ec7bc9 100644 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.in +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in index 8e01d2992..cdb09b106 100644 --- a/src/libhydra/plugins/kernel_pfroute/Makefile.in +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c index a8a57a5a2..63c38bb7c 100644 --- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -1576,16 +1576,20 @@ retry: } DBG1(DBG_KNL, "PF_ROUTE lookup failed: %s", strerror(errno)); } - if (!host) + if (nexthop) { - return NULL; + host = host ?: dest->clone(dest); } - if (!nexthop) + else { /* make sure the source address is not virtual and usable */ addr_entry_t *entry, lookup = { .ip = host, }; + if (!host) + { + return NULL; + } this->lock->read_lock(this->lock); entry = this->addrs->get_match(this->addrs, &lookup, (void*)addr_map_entry_match_up_and_usable); diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in index 0e520f126..e76ba577d 100644 --- a/src/libhydra/plugins/resolve/Makefile.in +++ b/src/libhydra/plugins/resolve/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 4c8287b70..9d8d86358 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -450,7 +450,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index 9d938b9b8..7f3bae813 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -204,6 +204,18 @@ INSERT INTO products ( /* 34 */ 'Android 4.4.2' ); +INSERT INTO products ( /* 35 */ + name +) VALUES ( + 'Ubuntu 14.04 i686' +); + +INSERT INTO products ( /* 36 */ + name +) VALUES ( + 'Ubuntu 14.04 x86_64' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -729,6 +741,12 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 6, 35 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 7, 8 ); @@ -777,6 +795,12 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 7, 36 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 3, 21 ); diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index bfb3f0022..7b25614f3 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -368,7 +368,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index 3db0f2ba2..afcaf1ac3 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in +++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index 64e1c271c..1c3065456 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in @@ -368,7 +368,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index 856ced897..044175029 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index 748b9a72d..525f445ef 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in index 3c73e8f95..3724cc582 100644 --- a/src/libimcv/plugins/imv_test/Makefile.in +++ b/src/libimcv/plugins/imv_test/Makefile.in @@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in index 737edad3f..f1a099e2f 100644 --- a/src/libipsec/Makefile.in +++ b/src/libipsec/Makefile.in @@ -410,7 +410,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c index 66e14f98b..5e58f66da 100644 --- a/src/libipsec/esp_context.c +++ b/src/libipsec/esp_context.c @@ -216,7 +216,8 @@ static bool create_aead(private_esp_context_t *this, int alg, case ENCR_AES_GCM_ICV12: case ENCR_AES_GCM_ICV16: /* the key includes a 4 byte salt */ - this->aead = lib->crypto->create_aead(lib->crypto, alg, key.len-4); + this->aead = lib->crypto->create_aead(lib->crypto, alg, + key.len - 4, 4); break; default: break; diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in index 05c27d9cb..af5eafd7f 100644 --- a/src/libpts/Makefile.in +++ b/src/libpts/Makefile.in @@ -448,7 +448,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in index 7a539ef22..dd347d2d8 100644 --- a/src/libpts/plugins/imc_attestation/Makefile.in +++ b/src/libpts/plugins/imc_attestation/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c index 467b998c8..c71b21666 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation.c @@ -66,6 +66,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, TNC_Version max_version, TNC_Version *actual_version) { + bool mandatory_dh_groups; + if (imc_attestation) { DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name); @@ -78,8 +80,11 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, return TNC_RESULT_FATAL; } + mandatory_dh_groups = lib->settings->get_bool(lib->settings, + "%s.plugins.imc-attestation.mandatory_dh_groups", TRUE, lib->ns); + if (!pts_meas_algo_probe(&supported_algorithms) || - !pts_dh_group_probe(&supported_dh_groups)) + !pts_dh_group_probe(&supported_dh_groups, mandatory_dh_groups)) { imc_attestation->destroy(imc_attestation); imc_attestation = NULL; diff --git a/src/libpts/plugins/imc_swid/Makefile.in b/src/libpts/plugins/imc_swid/Makefile.in index e1c932e45..58402636f 100644 --- a/src/libpts/plugins/imc_swid/Makefile.in +++ b/src/libpts/plugins/imc_swid/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in index c1c14d476..ff94363bf 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.in +++ b/src/libpts/plugins/imv_attestation/Makefile.in @@ -382,7 +382,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c index b8a6854cb..8f4df39e7 100644 --- a/src/libpts/plugins/imv_attestation/attest.c +++ b/src/libpts/plugins/imv_attestation/attest.c @@ -278,12 +278,14 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } } - free(file); free(dir); + if (!attest->set_file(attest, file, op == OP_ADD)) { + free(file); exit(EXIT_FAILURE); } + free(file); continue; } case 'G': diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c index e8c3c5e40..ae2660bae 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c @@ -482,6 +482,22 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, } } + /* do TPM TRUSTED BOOT measurements */ + if (strchr(workitem->get_arg_str(workitem), 'T')) + { + comp_name = pts_comp_func_name_create(PEN_ITA, + PTS_ITA_COMP_FUNC_NAME_TBOOT, + PTS_ITA_QUALIFIER_FLAG_KERNEL | + PTS_ITA_QUALIFIER_TYPE_TRUSTED); + comp = attestation_state->create_component( + attestation_state, comp_name, + 0, this->pts_db); + if (!comp) + { + comp_name->log(comp_name, "unregistered "); + comp_name->destroy(comp_name); + } + } attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_NONCE_REQ); continue; @@ -706,6 +722,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id, private_imv_attestation_agent_t *this; imv_agent_t *agent; char *hash_alg, *dh_group, *cadir; + bool mandatory_dh_groups; agent = imv_agent_create(name, msg_types, countof(msg_types), id, actual_version); @@ -718,6 +735,8 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id, "%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns); dh_group = lib->settings->get_str(lib->settings, "%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns); + mandatory_dh_groups = lib->settings->get_bool(lib->settings, + "%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns); cadir = lib->settings->get_str(lib->settings, "%s.plugins.imv-attestation.cadir", NULL, lib->ns); @@ -742,7 +761,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id, libpts_init(); if (!pts_meas_algo_probe(&this->supported_algorithms) || - !pts_dh_group_probe(&this->supported_dh_groups) || + !pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) || !pts_meas_algo_update(hash_alg, &this->supported_algorithms) || !pts_dh_group_update(dh_group, &this->supported_dh_groups)) { diff --git a/src/libpts/plugins/imv_swid/Makefile.in b/src/libpts/plugins/imv_swid/Makefile.in index b92f7d4d0..f9bd93ce0 100644 --- a/src/libpts/plugins/imv_swid/Makefile.in +++ b/src/libpts/plugins/imv_swid/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c index 8699282f0..3ab9b92e6 100644 --- a/src/libpts/pts/pts.c +++ b/src/libpts/pts/pts.c @@ -393,7 +393,7 @@ static void load_aik_blob(private_pts_t *this) fseek(fp, 0L, SEEK_SET); this->aik_blob = chunk_alloc(aikBlobLen); - if (fread(this->aik_blob.ptr, 1, aikBlobLen, fp)) + if (fread(this->aik_blob.ptr, 1, aikBlobLen, fp) == aikBlobLen) { DBG2(DBG_PTS, "loaded AIK Blob from '%s'", blob_path); DBG3(DBG_PTS, "AIK Blob: %B", &this->aik_blob); @@ -401,6 +401,7 @@ static void load_aik_blob(private_pts_t *this) else { DBG1(DBG_PTS, "unable to read AIK Blob file '%s'", blob_path); + chunk_free(&this->aik_blob); } fclose(fp); return; diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c index 07e8ae1da..fda644a6a 100644 --- a/src/libpts/pts/pts_database.c +++ b/src/libpts/pts/pts_database.c @@ -280,20 +280,17 @@ METHOD(pts_database_t, check_file_measurement, status_t, DB_TEXT, dir, DB_INT); if (!e) { - free(file); - free(dir); - return FAILED; + status = FAILED; + goto err; } dir_found = e->enumerate(e, &did); e->destroy(e); if (!dir_found) { - free(file); - free(dir); - return NOT_FOUND; + status = NOT_FOUND; + goto err; } - e = this->db->query(this->db, "SELECT fh.hash FROM file_hashes AS fh " "JOIN files AS f ON f.id = fh.file " @@ -302,12 +299,10 @@ METHOD(pts_database_t, check_file_measurement, status_t, DB_TEXT, product, DB_INT, did, DB_TEXT, file, DB_INT, algo, DB_BLOB); } - free(file); - free(dir); - if (!e) { - return FAILED; + status = FAILED; + goto err; } while (e->enumerate(e, &hash)) { @@ -324,6 +319,10 @@ METHOD(pts_database_t, check_file_measurement, status_t, } e->destroy(e); +err: + free(file); + free(dir); + return status; } diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c index 41a436036..305b4ec4f 100644 --- a/src/libpts/pts/pts_dh_group.c +++ b/src/libpts/pts/pts_dh_group.c @@ -20,7 +20,7 @@ /** * Described in header. */ -bool pts_dh_group_probe(pts_dh_group_t *dh_groups) +bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups) { enumerator_t *enumerator; diffie_hellman_group_t dh_group; @@ -68,14 +68,23 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups) if (*dh_groups & PTS_DH_GROUP_IKE19) { + /* mandatory PTS DH group is available */ return TRUE; } - else + if (*dh_groups == PTS_DH_GROUP_NONE) + { + DBG1(DBG_PTS, "no PTS DH group available"); + return FALSE; + } + if (mandatory_dh_groups) { DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names, ECP_256_BIT); + return FALSE; } - return FALSE; + + /* at least one optional PTS DH group is available */ + return TRUE; } /** diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h index 2aab90263..f5d951e9a 100644 --- a/src/libpts/pts/pts_dh_group.h +++ b/src/libpts/pts/pts_dh_group.h @@ -59,10 +59,13 @@ enum pts_dh_group_t { /** * Probe available PTS Diffie-Hellman groups * - * @param dh_groups returns set of available DH groups - * @return TRUE if mandatory DH groups are available + * @param dh_groups returns set of available DH groups + * @param mandatory_dh_groups if TRUE enforce mandatory PTS DH groups + * @return TRUE if mandatory DH groups are available + * or at least one optional DH group if + * mandatory_dh_groups is set to FALSE. */ -bool pts_dh_group_probe(pts_dh_group_t *dh_groups); +bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups); /** * Update supported Diffie-Hellman groups according to configuration diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in index c827cb598..788c8caca 100644 --- a/src/libpttls/Makefile.in +++ b/src/libpttls/Makefile.in @@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c index 01a84cd14..315129d7e 100644 --- a/src/libpttls/pt_tls_client.c +++ b/src/libpttls/pt_tls_client.c @@ -84,7 +84,8 @@ static bool make_connection(private_pt_tls_client_t *this) return FALSE; } - this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL); + this->tls = tls_socket_create(FALSE, this->server, this->client, fd, + NULL, TLS_1_2, FALSE); if (!this->tls) { close(fd); diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c index 9af00e7c2..cedc2632c 100644 --- a/src/libpttls/pt_tls_server.c +++ b/src/libpttls/pt_tls_server.c @@ -532,7 +532,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd, .destroy = _destroy, }, .state = PT_TLS_SERVER_VERSION, - .tls = tls_socket_create(TRUE, server, NULL, fd, NULL), + .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE), .tnccs = (tls_t*)tnccs, .auth = auth, ); diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in index d903de883..6e687a310 100644 --- a/src/libradius/Makefile.in +++ b/src/libradius/Makefile.in @@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index ee824abdb..cb27f0535 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 440913071..2b58db554 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -20,7 +20,7 @@ credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ credentials/containers/container.c credentials/containers/pkcs12.c \ -credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \ +credentials/credential_manager.c \ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \ credentials/sets/cert_cache.c credentials/sets/mem_cred.c \ credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index b3a4eda99..3462d2ffc 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -18,7 +18,7 @@ credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ credentials/containers/container.c credentials/containers/pkcs12.c \ -credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \ +credentials/credential_manager.c \ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \ credentials/sets/cert_cache.c credentials/sets/mem_cred.c \ credentials/sets/callback_cred.c credentials/auth_cfg.c database/database.c \ @@ -61,7 +61,6 @@ credentials/certificates/ocsp_response.h \ credentials/certificates/pgp_certificate.h \ credentials/containers/container.h credentials/containers/pkcs7.h \ credentials/containers/pkcs12.h \ -credentials/ietf_attributes/ietf_attributes.h \ credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \ credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \ credentials/sets/mem_cred.h credentials/sets/callback_cred.h \ @@ -308,6 +307,13 @@ if MONOLITHIC endif endif +if USE_ACERT + SUBDIRS += plugins/acert +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/acert/libstrongswan-acert.la +endif +endif + if USE_PUBKEY SUBDIRS += plugins/pubkey if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 64396b51f..af5ea402b 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -128,60 +128,62 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_47 = plugins/revocation/libstrongswan-revocation.la @USE_CONSTRAINTS_TRUE@am__append_48 = plugins/constraints @MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_49 = plugins/constraints/libstrongswan-constraints.la -@USE_PUBKEY_TRUE@am__append_50 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_51 = plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_52 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_53 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PKCS7_TRUE@am__append_54 = plugins/pkcs7 -@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_55 = plugins/pkcs7/libstrongswan-pkcs7.la -@USE_PKCS8_TRUE@am__append_56 = plugins/pkcs8 -@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_57 = plugins/pkcs8/libstrongswan-pkcs8.la -@USE_PKCS12_TRUE@am__append_58 = plugins/pkcs12 -@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_59 = plugins/pkcs12/libstrongswan-pkcs12.la -@USE_PGP_TRUE@am__append_60 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_61 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_62 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_63 = plugins/dnskey/libstrongswan-dnskey.la -@USE_SSHKEY_TRUE@am__append_64 = plugins/sshkey -@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_65 = plugins/sshkey/libstrongswan-sshkey.la -@USE_PEM_TRUE@am__append_66 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_67 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_68 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_69 = plugins/curl/libstrongswan-curl.la -@USE_UNBOUND_TRUE@am__append_70 = plugins/unbound -@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_71 = plugins/unbound/libstrongswan-unbound.la -@USE_SOUP_TRUE@am__append_72 = plugins/soup -@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_73 = plugins/soup/libstrongswan-soup.la -@USE_LDAP_TRUE@am__append_74 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_75 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_76 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_77 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_78 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_79 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_80 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_81 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_82 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_83 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_84 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_85 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_86 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_87 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_88 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_89 = plugins/agent/libstrongswan-agent.la -@USE_KEYCHAIN_TRUE@am__append_90 = plugins/keychain -@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_91 = plugins/keychain/libstrongswan-keychain.la -@USE_PKCS11_TRUE@am__append_92 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_93 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CTR_TRUE@am__append_94 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_95 = plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_96 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_97 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_98 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_99 = plugins/gcm/libstrongswan-gcm.la -@USE_NTRU_TRUE@am__append_100 = plugins/ntru -@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_101 = plugins/ntru/libstrongswan-ntru.la -@USE_TEST_VECTORS_TRUE@am__append_102 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_103 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_ACERT_TRUE@am__append_50 = plugins/acert +@MONOLITHIC_TRUE@@USE_ACERT_TRUE@am__append_51 = plugins/acert/libstrongswan-acert.la +@USE_PUBKEY_TRUE@am__append_52 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_53 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_54 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_55 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PKCS7_TRUE@am__append_56 = plugins/pkcs7 +@MONOLITHIC_TRUE@@USE_PKCS7_TRUE@am__append_57 = plugins/pkcs7/libstrongswan-pkcs7.la +@USE_PKCS8_TRUE@am__append_58 = plugins/pkcs8 +@MONOLITHIC_TRUE@@USE_PKCS8_TRUE@am__append_59 = plugins/pkcs8/libstrongswan-pkcs8.la +@USE_PKCS12_TRUE@am__append_60 = plugins/pkcs12 +@MONOLITHIC_TRUE@@USE_PKCS12_TRUE@am__append_61 = plugins/pkcs12/libstrongswan-pkcs12.la +@USE_PGP_TRUE@am__append_62 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_63 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_64 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_65 = plugins/dnskey/libstrongswan-dnskey.la +@USE_SSHKEY_TRUE@am__append_66 = plugins/sshkey +@MONOLITHIC_TRUE@@USE_SSHKEY_TRUE@am__append_67 = plugins/sshkey/libstrongswan-sshkey.la +@USE_PEM_TRUE@am__append_68 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_69 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_70 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_71 = plugins/curl/libstrongswan-curl.la +@USE_UNBOUND_TRUE@am__append_72 = plugins/unbound +@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_73 = plugins/unbound/libstrongswan-unbound.la +@USE_SOUP_TRUE@am__append_74 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_75 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_76 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_77 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_78 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_79 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_80 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_81 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_82 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_83 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_84 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_85 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_86 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_87 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_88 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_89 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_90 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_91 = plugins/agent/libstrongswan-agent.la +@USE_KEYCHAIN_TRUE@am__append_92 = plugins/keychain +@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_93 = plugins/keychain/libstrongswan-keychain.la +@USE_PKCS11_TRUE@am__append_94 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_95 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CTR_TRUE@am__append_96 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_97 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_98 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_99 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_100 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_101 = plugins/gcm/libstrongswan-gcm.la +@USE_NTRU_TRUE@am__append_102 = plugins/ntru +@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_103 = plugins/ntru/libstrongswan-ntru.la +@USE_TEST_VECTORS_TRUE@am__append_104 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_105 = plugins/test_vectors/libstrongswan-test-vectors.la subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp \ @@ -254,7 +256,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_83) $(am__append_85) $(am__append_87) \ $(am__append_89) $(am__append_91) $(am__append_93) \ $(am__append_95) $(am__append_97) $(am__append_99) \ - $(am__append_101) $(am__append_103) + $(am__append_101) $(am__append_103) $(am__append_105) am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \ bio/bio_writer.c collections/blocking_queue.c \ @@ -277,7 +279,6 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ credentials/certificates/ocsp_response.c \ credentials/containers/container.c \ credentials/containers/pkcs12.c \ - credentials/ietf_attributes/ietf_attributes.c \ credentials/credential_manager.c \ credentials/sets/auth_cfg_wrapper.c \ credentials/sets/ocsp_response_wrapper.c \ @@ -332,7 +333,6 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ credentials/certificates/ocsp_response.lo \ credentials/containers/container.lo \ credentials/containers/pkcs12.lo \ - credentials/ietf_attributes/ietf_attributes.lo \ credentials/credential_manager.lo \ credentials/sets/auth_cfg_wrapper.lo \ credentials/sets/ocsp_response_wrapper.lo \ @@ -438,7 +438,6 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ credentials/certificates/pgp_certificate.h \ credentials/containers/container.h \ credentials/containers/pkcs7.h credentials/containers/pkcs12.h \ - credentials/ietf_attributes/ietf_attributes.h \ credentials/credential_manager.h \ credentials/sets/auth_cfg_wrapper.h \ credentials/sets/ocsp_response_wrapper.h \ @@ -502,11 +501,11 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ plugins/sha1 plugins/sha2 plugins/gmp plugins/rdrand \ plugins/random plugins/nonce plugins/hmac plugins/cmac \ plugins/xcbc plugins/x509 plugins/revocation \ - plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pkcs7 \ - plugins/pkcs8 plugins/pkcs12 plugins/pgp plugins/dnskey \ - plugins/sshkey plugins/pem plugins/curl plugins/unbound \ - plugins/soup plugins/ldap plugins/mysql plugins/sqlite \ - plugins/padlock plugins/openssl plugins/gcrypt \ + plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \ + plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \ + plugins/dnskey plugins/sshkey plugins/pem plugins/curl \ + plugins/unbound plugins/soup plugins/ldap plugins/mysql \ + plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \ plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \ plugins/ctr plugins/ccm plugins/gcm plugins/ntru \ plugins/test_vectors tests @@ -705,7 +704,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -767,7 +765,6 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ credentials/certificates/ocsp_response.c \ credentials/containers/container.c \ credentials/containers/pkcs12.c \ - credentials/ietf_attributes/ietf_attributes.c \ credentials/credential_manager.c \ credentials/sets/auth_cfg_wrapper.c \ credentials/sets/ocsp_response_wrapper.c \ @@ -816,7 +813,6 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ @USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \ @USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \ @USE_DEV_HEADERS_TRUE@credentials/containers/pkcs12.h \ -@USE_DEV_HEADERS_TRUE@credentials/ietf_attributes/ietf_attributes.h \ @USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \ @USE_DEV_HEADERS_TRUE@credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \ @USE_DEV_HEADERS_TRUE@credentials/sets/mem_cred.h credentials/sets/callback_cred.h \ @@ -858,7 +854,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \ $(am__append_81) $(am__append_83) $(am__append_85) \ $(am__append_87) $(am__append_89) $(am__append_91) \ $(am__append_93) $(am__append_95) $(am__append_97) \ - $(am__append_99) $(am__append_101) $(am__append_103) + $(am__append_99) $(am__append_101) $(am__append_103) \ + $(am__append_105) AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \ -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \ -DPLUGINDIR=\"${plugindir}\" \ @@ -905,7 +902,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_FALSE@ $(am__append_88) $(am__append_90) \ @MONOLITHIC_FALSE@ $(am__append_92) $(am__append_94) \ @MONOLITHIC_FALSE@ $(am__append_96) $(am__append_98) \ -@MONOLITHIC_FALSE@ $(am__append_100) $(am__append_102) tests +@MONOLITHIC_FALSE@ $(am__append_100) $(am__append_102) \ +@MONOLITHIC_FALSE@ $(am__append_104) tests # build plugins with their own Makefile ####################################### @@ -931,7 +929,8 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c @MONOLITHIC_TRUE@ $(am__append_88) $(am__append_90) \ @MONOLITHIC_TRUE@ $(am__append_92) $(am__append_94) \ @MONOLITHIC_TRUE@ $(am__append_96) $(am__append_98) \ -@MONOLITHIC_TRUE@ $(am__append_100) $(am__append_102) . tests +@MONOLITHIC_TRUE@ $(am__append_100) $(am__append_102) \ +@MONOLITHIC_TRUE@ $(am__append_104) . tests all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -1172,15 +1171,6 @@ credentials/containers/container.lo: \ credentials/containers/pkcs12.lo: \ credentials/containers/$(am__dirstamp) \ credentials/containers/$(DEPDIR)/$(am__dirstamp) -credentials/ietf_attributes/$(am__dirstamp): - @$(MKDIR_P) credentials/ietf_attributes - @: > credentials/ietf_attributes/$(am__dirstamp) -credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp): - @$(MKDIR_P) credentials/ietf_attributes/$(DEPDIR) - @: > credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp) -credentials/ietf_attributes/ietf_attributes.lo: \ - credentials/ietf_attributes/$(am__dirstamp) \ - credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp) credentials/credential_manager.lo: credentials/$(am__dirstamp) \ credentials/$(DEPDIR)/$(am__dirstamp) credentials/sets/$(am__dirstamp): @@ -1409,8 +1399,6 @@ mostlyclean-compile: -rm -f credentials/certificates/*.lo -rm -f credentials/containers/*.$(OBJEXT) -rm -f credentials/containers/*.lo - -rm -f credentials/ietf_attributes/*.$(OBJEXT) - -rm -f credentials/ietf_attributes/*.lo -rm -f credentials/keys/*.$(OBJEXT) -rm -f credentials/keys/*.lo -rm -f credentials/sets/*.$(OBJEXT) @@ -1488,7 +1476,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/ocsp_response.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/container.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/pkcs12.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@credentials/ietf_attributes/$(DEPDIR)/ietf_attributes.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/private_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/shared_key.Plo@am__quote@ @@ -1598,7 +1585,6 @@ clean-libtool: -rm -rf credentials/.libs credentials/_libs -rm -rf credentials/certificates/.libs credentials/certificates/_libs -rm -rf credentials/containers/.libs credentials/containers/_libs - -rm -rf credentials/ietf_attributes/.libs credentials/ietf_attributes/_libs -rm -rf credentials/keys/.libs credentials/keys/_libs -rm -rf credentials/sets/.libs credentials/sets/_libs -rm -rf crypto/.libs crypto/_libs @@ -1852,8 +1838,6 @@ distclean-generic: -rm -f credentials/certificates/$(am__dirstamp) -rm -f credentials/containers/$(DEPDIR)/$(am__dirstamp) -rm -f credentials/containers/$(am__dirstamp) - -rm -f credentials/ietf_attributes/$(DEPDIR)/$(am__dirstamp) - -rm -f credentials/ietf_attributes/$(am__dirstamp) -rm -f credentials/keys/$(DEPDIR)/$(am__dirstamp) -rm -f credentials/keys/$(am__dirstamp) -rm -f credentials/sets/$(DEPDIR)/$(am__dirstamp) @@ -1918,7 +1902,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-recursive - -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR) + -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1965,7 +1949,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/ietf_attributes/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR) + -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) threading/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 6fa8f4e54..b479b0f4b 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -199,243 +199,268 @@ const oid_t oid_names[] = { { 0x02, 187, 0, 7, "ecdsa-with-SHA256" }, /* 186 */ { 0x03, 188, 0, 7, "ecdsa-with-SHA384" }, /* 187 */ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 188 */ - {0x2B, 372, 1, 0, "" }, /* 189 */ - { 0x06, 286, 1, 1, "dod" }, /* 190 */ + {0x2B, 391, 1, 0, "" }, /* 189 */ + { 0x06, 305, 1, 1, "dod" }, /* 190 */ { 0x01, 0, 1, 2, "internet" }, /* 191 */ - { 0x04, 237, 1, 3, "private" }, /* 192 */ + { 0x04, 256, 1, 3, "private" }, /* 192 */ { 0x01, 0, 1, 4, "enterprise" }, /* 193 */ - { 0x82, 207, 1, 5, "" }, /* 194 */ - { 0x37, 204, 1, 6, "Microsoft" }, /* 195 */ + { 0x82, 210, 1, 5, "" }, /* 194 */ + { 0x37, 207, 1, 6, "Microsoft" }, /* 195 */ { 0x0A, 200, 1, 7, "" }, /* 196 */ { 0x03, 0, 1, 8, "" }, /* 197 */ { 0x03, 199, 0, 9, "msSGC" }, /* 198 */ { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 199 */ - { 0x14, 0, 1, 7, "msEnrollmentInfrastructure" }, /* 200 */ + { 0x14, 204, 1, 7, "msEnrollmentInfrastructure" }, /* 200 */ { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 201 */ { 0x02, 203, 0, 9, "msSmartcardLogon" }, /* 202 */ { 0x03, 0, 0, 9, "msUPN" }, /* 203 */ - { 0xA0, 0, 1, 6, "" }, /* 204 */ - { 0x2A, 0, 1, 7, "ITA" }, /* 205 */ - { 0x01, 0, 0, 8, "strongSwan" }, /* 206 */ - { 0x89, 214, 1, 5, "" }, /* 207 */ - { 0x31, 0, 1, 6, "" }, /* 208 */ - { 0x01, 0, 1, 7, "" }, /* 209 */ - { 0x01, 0, 1, 8, "" }, /* 210 */ - { 0x02, 0, 1, 9, "" }, /* 211 */ - { 0x02, 0, 1, 10, "" }, /* 212 */ - { 0x4B, 0, 0, 11, "TCGID" }, /* 213 */ - { 0xc1, 0, 1, 5, "" }, /* 214 */ - { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 215 */ - { 0x01, 0, 1, 7, "eess" }, /* 216 */ - { 0x01, 0, 1, 8, "eess1" }, /* 217 */ - { 0x01, 222, 1, 9, "eess1-algs" }, /* 218 */ - { 0x01, 220, 0, 10, "ntru-EESS1v1-SVES" }, /* 219 */ - { 0x02, 221, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 220 */ - { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 221 */ - { 0x02, 236, 1, 9, "eess1-params" }, /* 222 */ - { 0x01, 224, 0, 10, "ees251ep1" }, /* 223 */ - { 0x02, 225, 0, 10, "ees347ep1" }, /* 224 */ - { 0x03, 226, 0, 10, "ees503ep1" }, /* 225 */ - { 0x07, 227, 0, 10, "ees251sp2" }, /* 226 */ - { 0x0C, 228, 0, 10, "ees251ep4" }, /* 227 */ - { 0x0D, 229, 0, 10, "ees251ep5" }, /* 228 */ - { 0x0E, 230, 0, 10, "ees251sp3" }, /* 229 */ - { 0x0F, 231, 0, 10, "ees251sp4" }, /* 230 */ - { 0x10, 232, 0, 10, "ees251sp5" }, /* 231 */ - { 0x11, 233, 0, 10, "ees251sp6" }, /* 232 */ - { 0x12, 234, 0, 10, "ees251sp7" }, /* 233 */ - { 0x13, 235, 0, 10, "ees251sp8" }, /* 234 */ - { 0x14, 0, 0, 10, "ees251sp9" }, /* 235 */ - { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 236 */ - { 0x05, 0, 1, 3, "security" }, /* 237 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 238 */ - { 0x07, 283, 1, 5, "id-pkix" }, /* 239 */ - { 0x01, 244, 1, 6, "id-pe" }, /* 240 */ - { 0x01, 242, 0, 7, "authorityInfoAccess" }, /* 241 */ - { 0x03, 243, 0, 7, "qcStatements" }, /* 242 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 243 */ - { 0x02, 247, 1, 6, "id-qt" }, /* 244 */ - { 0x01, 246, 0, 7, "cps" }, /* 245 */ - { 0x02, 0, 0, 7, "unotice" }, /* 246 */ - { 0x03, 257, 1, 6, "id-kp" }, /* 247 */ - { 0x01, 249, 0, 7, "serverAuth" }, /* 248 */ - { 0x02, 250, 0, 7, "clientAuth" }, /* 249 */ - { 0x03, 251, 0, 7, "codeSigning" }, /* 250 */ - { 0x04, 252, 0, 7, "emailProtection" }, /* 251 */ - { 0x05, 253, 0, 7, "ipsecEndSystem" }, /* 252 */ - { 0x06, 254, 0, 7, "ipsecTunnel" }, /* 253 */ - { 0x07, 255, 0, 7, "ipsecUser" }, /* 254 */ - { 0x08, 256, 0, 7, "timeStamping" }, /* 255 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 256 */ - { 0x08, 265, 1, 6, "id-otherNames" }, /* 257 */ - { 0x01, 259, 0, 7, "personalData" }, /* 258 */ - { 0x02, 260, 0, 7, "userGroup" }, /* 259 */ - { 0x03, 261, 0, 7, "id-on-permanentIdentifier" }, /* 260 */ - { 0x04, 262, 0, 7, "id-on-hardwareModuleName" }, /* 261 */ - { 0x05, 263, 0, 7, "xmppAddr" }, /* 262 */ - { 0x06, 264, 0, 7, "id-on-SIM" }, /* 263 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 264 */ - { 0x0A, 270, 1, 6, "id-aca" }, /* 265 */ - { 0x01, 267, 0, 7, "authenticationInfo" }, /* 266 */ - { 0x02, 268, 0, 7, "accessIdentity" }, /* 267 */ - { 0x03, 269, 0, 7, "chargingIdentity" }, /* 268 */ - { 0x04, 0, 0, 7, "group" }, /* 269 */ - { 0x0B, 271, 0, 6, "subjectInfoAccess" }, /* 270 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 271 */ - { 0x01, 280, 1, 7, "ocsp" }, /* 272 */ - { 0x01, 274, 0, 8, "basic" }, /* 273 */ - { 0x02, 275, 0, 8, "nonce" }, /* 274 */ - { 0x03, 276, 0, 8, "crl" }, /* 275 */ - { 0x04, 277, 0, 8, "response" }, /* 276 */ - { 0x05, 278, 0, 8, "noCheck" }, /* 277 */ - { 0x06, 279, 0, 8, "archiveCutoff" }, /* 278 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 279 */ - { 0x02, 281, 0, 7, "caIssuers" }, /* 280 */ - { 0x03, 282, 0, 7, "timeStamping" }, /* 281 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 282 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 283 */ - { 0x02, 0, 1, 6, "certificate" }, /* 284 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 285 */ - { 0x0E, 292, 1, 1, "oiw" }, /* 286 */ - { 0x03, 0, 1, 2, "secsig" }, /* 287 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 288 */ - { 0x07, 290, 0, 4, "des-cbc" }, /* 289 */ - { 0x1A, 291, 0, 4, "sha-1" }, /* 290 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 291 */ - { 0x24, 338, 1, 1, "TeleTrusT" }, /* 292 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 293 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 294 */ - { 0x01, 299, 1, 4, "rsaSignature" }, /* 295 */ - { 0x02, 297, 0, 5, "rsaSigWithripemd160" }, /* 296 */ - { 0x03, 298, 0, 5, "rsaSigWithripemd128" }, /* 297 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 298 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 299 */ - { 0x01, 301, 0, 5, "ecSignWithsha1" }, /* 300 */ - { 0x02, 302, 0, 5, "ecSignWithripemd160" }, /* 301 */ - { 0x03, 303, 0, 5, "ecSignWithmd2" }, /* 302 */ - { 0x04, 304, 0, 5, "ecSignWithmd5" }, /* 303 */ - { 0x05, 321, 1, 5, "ttt-ecg" }, /* 304 */ - { 0x01, 309, 1, 6, "fieldType" }, /* 305 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 306 */ - { 0x01, 0, 1, 8, "basisType" }, /* 307 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 308 */ - { 0x02, 311, 1, 6, "keyType" }, /* 309 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 310 */ - { 0x03, 312, 0, 6, "curve" }, /* 311 */ - { 0x04, 319, 1, 6, "signatures" }, /* 312 */ - { 0x01, 314, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 313 */ - { 0x02, 315, 0, 7, "ecgdsa-with-SHA1" }, /* 314 */ - { 0x03, 316, 0, 7, "ecgdsa-with-SHA224" }, /* 315 */ - { 0x04, 317, 0, 7, "ecgdsa-with-SHA256" }, /* 316 */ - { 0x05, 318, 0, 7, "ecgdsa-with-SHA384" }, /* 317 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 318 */ - { 0x05, 0, 1, 6, "module" }, /* 319 */ - { 0x01, 0, 0, 7, "1" }, /* 320 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 321 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 322 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 323 */ - { 0x01, 325, 0, 8, "brainpoolP160r1" }, /* 324 */ - { 0x02, 326, 0, 8, "brainpoolP160t1" }, /* 325 */ - { 0x03, 327, 0, 8, "brainpoolP192r1" }, /* 326 */ - { 0x04, 328, 0, 8, "brainpoolP192t1" }, /* 327 */ - { 0x05, 329, 0, 8, "brainpoolP224r1" }, /* 328 */ - { 0x06, 330, 0, 8, "brainpoolP224t1" }, /* 329 */ - { 0x07, 331, 0, 8, "brainpoolP256r1" }, /* 330 */ - { 0x08, 332, 0, 8, "brainpoolP256t1" }, /* 331 */ - { 0x09, 333, 0, 8, "brainpoolP320r1" }, /* 332 */ - { 0x0A, 334, 0, 8, "brainpoolP320t1" }, /* 333 */ - { 0x0B, 335, 0, 8, "brainpoolP384r1" }, /* 334 */ - { 0x0C, 336, 0, 8, "brainpoolP384t1" }, /* 335 */ - { 0x0D, 337, 0, 8, "brainpoolP512r1" }, /* 336 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 337 */ - { 0x81, 0, 1, 1, "" }, /* 338 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 339 */ - { 0x00, 0, 1, 3, "curve" }, /* 340 */ - { 0x01, 342, 0, 4, "sect163k1" }, /* 341 */ - { 0x02, 343, 0, 4, "sect163r1" }, /* 342 */ - { 0x03, 344, 0, 4, "sect239k1" }, /* 343 */ - { 0x04, 345, 0, 4, "sect113r1" }, /* 344 */ - { 0x05, 346, 0, 4, "sect113r2" }, /* 345 */ - { 0x06, 347, 0, 4, "secp112r1" }, /* 346 */ - { 0x07, 348, 0, 4, "secp112r2" }, /* 347 */ - { 0x08, 349, 0, 4, "secp160r1" }, /* 348 */ - { 0x09, 350, 0, 4, "secp160k1" }, /* 349 */ - { 0x0A, 351, 0, 4, "secp256k1" }, /* 350 */ - { 0x0F, 352, 0, 4, "sect163r2" }, /* 351 */ - { 0x10, 353, 0, 4, "sect283k1" }, /* 352 */ - { 0x11, 354, 0, 4, "sect283r1" }, /* 353 */ - { 0x16, 355, 0, 4, "sect131r1" }, /* 354 */ - { 0x17, 356, 0, 4, "sect131r2" }, /* 355 */ - { 0x18, 357, 0, 4, "sect193r1" }, /* 356 */ - { 0x19, 358, 0, 4, "sect193r2" }, /* 357 */ - { 0x1A, 359, 0, 4, "sect233k1" }, /* 358 */ - { 0x1B, 360, 0, 4, "sect233r1" }, /* 359 */ - { 0x1C, 361, 0, 4, "secp128r1" }, /* 360 */ - { 0x1D, 362, 0, 4, "secp128r2" }, /* 361 */ - { 0x1E, 363, 0, 4, "secp160r2" }, /* 362 */ - { 0x1F, 364, 0, 4, "secp192k1" }, /* 363 */ - { 0x20, 365, 0, 4, "secp224k1" }, /* 364 */ - { 0x21, 366, 0, 4, "secp224r1" }, /* 365 */ - { 0x22, 367, 0, 4, "secp384r1" }, /* 366 */ - { 0x23, 368, 0, 4, "secp521r1" }, /* 367 */ - { 0x24, 369, 0, 4, "sect409k1" }, /* 368 */ - { 0x25, 370, 0, 4, "sect409r1" }, /* 369 */ - { 0x26, 371, 0, 4, "sect571k1" }, /* 370 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 371 */ - {0x60, 420, 1, 0, "" }, /* 372 */ - { 0x86, 0, 1, 1, "" }, /* 373 */ - { 0x48, 0, 1, 2, "" }, /* 374 */ - { 0x01, 0, 1, 3, "organization" }, /* 375 */ - { 0x65, 396, 1, 4, "gov" }, /* 376 */ - { 0x03, 0, 1, 5, "csor" }, /* 377 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 378 */ - { 0x01, 389, 1, 7, "aes" }, /* 379 */ - { 0x02, 381, 0, 8, "id-aes128-CBC" }, /* 380 */ - { 0x06, 382, 0, 8, "id-aes128-GCM" }, /* 381 */ - { 0x07, 383, 0, 8, "id-aes128-CCM" }, /* 382 */ - { 0x16, 384, 0, 8, "id-aes192-CBC" }, /* 383 */ - { 0x1A, 385, 0, 8, "id-aes192-GCM" }, /* 384 */ - { 0x1B, 386, 0, 8, "id-aes192-CCM" }, /* 385 */ - { 0x2A, 387, 0, 8, "id-aes256-CBC" }, /* 386 */ - { 0x2E, 388, 0, 8, "id-aes256-GCM" }, /* 387 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 388 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 389 */ - { 0x01, 391, 0, 8, "id-SHA-256" }, /* 390 */ - { 0x02, 392, 0, 8, "id-SHA-384" }, /* 391 */ - { 0x03, 393, 0, 8, "id-SHA-512" }, /* 392 */ - { 0x04, 394, 0, 8, "id-SHA-224" }, /* 393 */ - { 0x05, 395, 0, 8, "id-SHA-512-224" }, /* 394 */ - { 0x06, 0, 0, 8, "id-SHA-512-256" }, /* 395 */ - { 0x86, 0, 1, 4, "" }, /* 396 */ - { 0xf8, 0, 1, 5, "" }, /* 397 */ - { 0x42, 410, 1, 6, "netscape" }, /* 398 */ - { 0x01, 405, 1, 7, "" }, /* 399 */ - { 0x01, 401, 0, 8, "nsCertType" }, /* 400 */ - { 0x03, 402, 0, 8, "nsRevocationUrl" }, /* 401 */ - { 0x04, 403, 0, 8, "nsCaRevocationUrl" }, /* 402 */ - { 0x08, 404, 0, 8, "nsCaPolicyUrl" }, /* 403 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 404 */ - { 0x03, 408, 1, 7, "directory" }, /* 405 */ - { 0x01, 0, 1, 8, "" }, /* 406 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 407 */ - { 0x04, 0, 1, 7, "policy" }, /* 408 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 409 */ - { 0x45, 0, 1, 6, "verisign" }, /* 410 */ - { 0x01, 0, 1, 7, "pki" }, /* 411 */ - { 0x09, 0, 1, 8, "attributes" }, /* 412 */ - { 0x02, 414, 0, 9, "messageType" }, /* 413 */ - { 0x03, 415, 0, 9, "pkiStatus" }, /* 414 */ - { 0x04, 416, 0, 9, "failInfo" }, /* 415 */ - { 0x05, 417, 0, 9, "senderNonce" }, /* 416 */ - { 0x06, 418, 0, 9, "recipientNonce" }, /* 417 */ - { 0x07, 419, 0, 9, "transID" }, /* 418 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 419 */ - {0x67, 0, 1, 0, "" }, /* 420 */ - { 0x81, 0, 1, 1, "" }, /* 421 */ - { 0x05, 0, 1, 2, "" }, /* 422 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 423 */ - { 0x01, 425, 0, 4, "tcg-at-tpmManufacturer" }, /* 424 */ - { 0x02, 426, 0, 4, "tcg-at-tpmModel" }, /* 425 */ - { 0x03, 427, 0, 4, "tcg-at-tpmVersion" }, /* 426 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 427 */ + { 0x15, 0, 1, 7, "msCertSrvInfrastructure" }, /* 204 */ + { 0x07, 206, 0, 8, "msCertTemplate" }, /* 205 */ + { 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 206 */ + { 0xA0, 0, 1, 6, "" }, /* 207 */ + { 0x2A, 0, 1, 7, "ITA" }, /* 208 */ + { 0x01, 0, 0, 8, "strongSwan" }, /* 209 */ + { 0x89, 217, 1, 5, "" }, /* 210 */ + { 0x31, 0, 1, 6, "" }, /* 211 */ + { 0x01, 0, 1, 7, "" }, /* 212 */ + { 0x01, 0, 1, 8, "" }, /* 213 */ + { 0x02, 0, 1, 9, "" }, /* 214 */ + { 0x02, 0, 1, 10, "" }, /* 215 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 216 */ + { 0xC1, 0, 1, 5, "" }, /* 217 */ + { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 218 */ + { 0x01, 0, 1, 7, "eess" }, /* 219 */ + { 0x01, 0, 1, 8, "eess1" }, /* 220 */ + { 0x01, 225, 1, 9, "eess1-algs" }, /* 221 */ + { 0x01, 223, 0, 10, "ntru-EESS1v1-SVES" }, /* 222 */ + { 0x02, 224, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 223 */ + { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 224 */ + { 0x02, 255, 1, 9, "eess1-params" }, /* 225 */ + { 0x01, 227, 0, 10, "ees251ep1" }, /* 226 */ + { 0x02, 228, 0, 10, "ees347ep1" }, /* 227 */ + { 0x03, 229, 0, 10, "ees503ep1" }, /* 228 */ + { 0x07, 230, 0, 10, "ees251sp2" }, /* 229 */ + { 0x0C, 231, 0, 10, "ees251ep4" }, /* 230 */ + { 0x0D, 232, 0, 10, "ees251ep5" }, /* 231 */ + { 0x0E, 233, 0, 10, "ees251sp3" }, /* 232 */ + { 0x0F, 234, 0, 10, "ees251sp4" }, /* 233 */ + { 0x10, 235, 0, 10, "ees251sp5" }, /* 234 */ + { 0x11, 236, 0, 10, "ees251sp6" }, /* 235 */ + { 0x12, 237, 0, 10, "ees251sp7" }, /* 236 */ + { 0x13, 238, 0, 10, "ees251sp8" }, /* 237 */ + { 0x14, 239, 0, 10, "ees251sp9" }, /* 238 */ + { 0x22, 240, 0, 10, "ees401ep1" }, /* 239 */ + { 0x23, 241, 0, 10, "ees449ep1" }, /* 240 */ + { 0x24, 242, 0, 10, "ees677ep1" }, /* 241 */ + { 0x25, 243, 0, 10, "ees1087ep2" }, /* 242 */ + { 0x26, 244, 0, 10, "ees541ep1" }, /* 243 */ + { 0x27, 245, 0, 10, "ees613ep1" }, /* 244 */ + { 0x28, 246, 0, 10, "ees887ep1" }, /* 245 */ + { 0x29, 247, 0, 10, "ees1171ep1" }, /* 246 */ + { 0x2A, 248, 0, 10, "ees659ep1" }, /* 247 */ + { 0x2B, 249, 0, 10, "ees761ep1" }, /* 248 */ + { 0x2C, 250, 0, 10, "ees1087ep1" }, /* 249 */ + { 0x2D, 251, 0, 10, "ees1499ep1" }, /* 250 */ + { 0x2E, 252, 0, 10, "ees401ep2" }, /* 251 */ + { 0x2F, 253, 0, 10, "ees439ep1" }, /* 252 */ + { 0x30, 254, 0, 10, "ees593ep1" }, /* 253 */ + { 0x31, 0, 0, 10, "ees743ep1" }, /* 254 */ + { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 255 */ + { 0x05, 0, 1, 3, "security" }, /* 256 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 257 */ + { 0x07, 302, 1, 5, "id-pkix" }, /* 258 */ + { 0x01, 263, 1, 6, "id-pe" }, /* 259 */ + { 0x01, 261, 0, 7, "authorityInfoAccess" }, /* 260 */ + { 0x03, 262, 0, 7, "qcStatements" }, /* 261 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 262 */ + { 0x02, 266, 1, 6, "id-qt" }, /* 263 */ + { 0x01, 265, 0, 7, "cps" }, /* 264 */ + { 0x02, 0, 0, 7, "unotice" }, /* 265 */ + { 0x03, 276, 1, 6, "id-kp" }, /* 266 */ + { 0x01, 268, 0, 7, "serverAuth" }, /* 267 */ + { 0x02, 269, 0, 7, "clientAuth" }, /* 268 */ + { 0x03, 270, 0, 7, "codeSigning" }, /* 269 */ + { 0x04, 271, 0, 7, "emailProtection" }, /* 270 */ + { 0x05, 272, 0, 7, "ipsecEndSystem" }, /* 271 */ + { 0x06, 273, 0, 7, "ipsecTunnel" }, /* 272 */ + { 0x07, 274, 0, 7, "ipsecUser" }, /* 273 */ + { 0x08, 275, 0, 7, "timeStamping" }, /* 274 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 275 */ + { 0x08, 284, 1, 6, "id-otherNames" }, /* 276 */ + { 0x01, 278, 0, 7, "personalData" }, /* 277 */ + { 0x02, 279, 0, 7, "userGroup" }, /* 278 */ + { 0x03, 280, 0, 7, "id-on-permanentIdentifier" }, /* 279 */ + { 0x04, 281, 0, 7, "id-on-hardwareModuleName" }, /* 280 */ + { 0x05, 282, 0, 7, "xmppAddr" }, /* 281 */ + { 0x06, 283, 0, 7, "id-on-SIM" }, /* 282 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 283 */ + { 0x0A, 289, 1, 6, "id-aca" }, /* 284 */ + { 0x01, 286, 0, 7, "authenticationInfo" }, /* 285 */ + { 0x02, 287, 0, 7, "accessIdentity" }, /* 286 */ + { 0x03, 288, 0, 7, "chargingIdentity" }, /* 287 */ + { 0x04, 0, 0, 7, "group" }, /* 288 */ + { 0x0B, 290, 0, 6, "subjectInfoAccess" }, /* 289 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 290 */ + { 0x01, 299, 1, 7, "ocsp" }, /* 291 */ + { 0x01, 293, 0, 8, "basic" }, /* 292 */ + { 0x02, 294, 0, 8, "nonce" }, /* 293 */ + { 0x03, 295, 0, 8, "crl" }, /* 294 */ + { 0x04, 296, 0, 8, "response" }, /* 295 */ + { 0x05, 297, 0, 8, "noCheck" }, /* 296 */ + { 0x06, 298, 0, 8, "archiveCutoff" }, /* 297 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 298 */ + { 0x02, 300, 0, 7, "caIssuers" }, /* 299 */ + { 0x03, 301, 0, 7, "timeStamping" }, /* 300 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 301 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 302 */ + { 0x02, 0, 1, 6, "certificate" }, /* 303 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 304 */ + { 0x0E, 311, 1, 1, "oiw" }, /* 305 */ + { 0x03, 0, 1, 2, "secsig" }, /* 306 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 307 */ + { 0x07, 309, 0, 4, "des-cbc" }, /* 308 */ + { 0x1A, 310, 0, 4, "sha-1" }, /* 309 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 310 */ + { 0x24, 357, 1, 1, "TeleTrusT" }, /* 311 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 312 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 313 */ + { 0x01, 318, 1, 4, "rsaSignature" }, /* 314 */ + { 0x02, 316, 0, 5, "rsaSigWithripemd160" }, /* 315 */ + { 0x03, 317, 0, 5, "rsaSigWithripemd128" }, /* 316 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 317 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 318 */ + { 0x01, 320, 0, 5, "ecSignWithsha1" }, /* 319 */ + { 0x02, 321, 0, 5, "ecSignWithripemd160" }, /* 320 */ + { 0x03, 322, 0, 5, "ecSignWithmd2" }, /* 321 */ + { 0x04, 323, 0, 5, "ecSignWithmd5" }, /* 322 */ + { 0x05, 340, 1, 5, "ttt-ecg" }, /* 323 */ + { 0x01, 328, 1, 6, "fieldType" }, /* 324 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 325 */ + { 0x01, 0, 1, 8, "basisType" }, /* 326 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 327 */ + { 0x02, 330, 1, 6, "keyType" }, /* 328 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 329 */ + { 0x03, 331, 0, 6, "curve" }, /* 330 */ + { 0x04, 338, 1, 6, "signatures" }, /* 331 */ + { 0x01, 333, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 332 */ + { 0x02, 334, 0, 7, "ecgdsa-with-SHA1" }, /* 333 */ + { 0x03, 335, 0, 7, "ecgdsa-with-SHA224" }, /* 334 */ + { 0x04, 336, 0, 7, "ecgdsa-with-SHA256" }, /* 335 */ + { 0x05, 337, 0, 7, "ecgdsa-with-SHA384" }, /* 336 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 337 */ + { 0x05, 0, 1, 6, "module" }, /* 338 */ + { 0x01, 0, 0, 7, "1" }, /* 339 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 340 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 341 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 342 */ + { 0x01, 344, 0, 8, "brainpoolP160r1" }, /* 343 */ + { 0x02, 345, 0, 8, "brainpoolP160t1" }, /* 344 */ + { 0x03, 346, 0, 8, "brainpoolP192r1" }, /* 345 */ + { 0x04, 347, 0, 8, "brainpoolP192t1" }, /* 346 */ + { 0x05, 348, 0, 8, "brainpoolP224r1" }, /* 347 */ + { 0x06, 349, 0, 8, "brainpoolP224t1" }, /* 348 */ + { 0x07, 350, 0, 8, "brainpoolP256r1" }, /* 349 */ + { 0x08, 351, 0, 8, "brainpoolP256t1" }, /* 350 */ + { 0x09, 352, 0, 8, "brainpoolP320r1" }, /* 351 */ + { 0x0A, 353, 0, 8, "brainpoolP320t1" }, /* 352 */ + { 0x0B, 354, 0, 8, "brainpoolP384r1" }, /* 353 */ + { 0x0C, 355, 0, 8, "brainpoolP384t1" }, /* 354 */ + { 0x0D, 356, 0, 8, "brainpoolP512r1" }, /* 355 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 356 */ + { 0x81, 0, 1, 1, "" }, /* 357 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 358 */ + { 0x00, 0, 1, 3, "curve" }, /* 359 */ + { 0x01, 361, 0, 4, "sect163k1" }, /* 360 */ + { 0x02, 362, 0, 4, "sect163r1" }, /* 361 */ + { 0x03, 363, 0, 4, "sect239k1" }, /* 362 */ + { 0x04, 364, 0, 4, "sect113r1" }, /* 363 */ + { 0x05, 365, 0, 4, "sect113r2" }, /* 364 */ + { 0x06, 366, 0, 4, "secp112r1" }, /* 365 */ + { 0x07, 367, 0, 4, "secp112r2" }, /* 366 */ + { 0x08, 368, 0, 4, "secp160r1" }, /* 367 */ + { 0x09, 369, 0, 4, "secp160k1" }, /* 368 */ + { 0x0A, 370, 0, 4, "secp256k1" }, /* 369 */ + { 0x0F, 371, 0, 4, "sect163r2" }, /* 370 */ + { 0x10, 372, 0, 4, "sect283k1" }, /* 371 */ + { 0x11, 373, 0, 4, "sect283r1" }, /* 372 */ + { 0x16, 374, 0, 4, "sect131r1" }, /* 373 */ + { 0x17, 375, 0, 4, "sect131r2" }, /* 374 */ + { 0x18, 376, 0, 4, "sect193r1" }, /* 375 */ + { 0x19, 377, 0, 4, "sect193r2" }, /* 376 */ + { 0x1A, 378, 0, 4, "sect233k1" }, /* 377 */ + { 0x1B, 379, 0, 4, "sect233r1" }, /* 378 */ + { 0x1C, 380, 0, 4, "secp128r1" }, /* 379 */ + { 0x1D, 381, 0, 4, "secp128r2" }, /* 380 */ + { 0x1E, 382, 0, 4, "secp160r2" }, /* 381 */ + { 0x1F, 383, 0, 4, "secp192k1" }, /* 382 */ + { 0x20, 384, 0, 4, "secp224k1" }, /* 383 */ + { 0x21, 385, 0, 4, "secp224r1" }, /* 384 */ + { 0x22, 386, 0, 4, "secp384r1" }, /* 385 */ + { 0x23, 387, 0, 4, "secp521r1" }, /* 386 */ + { 0x24, 388, 0, 4, "sect409k1" }, /* 387 */ + { 0x25, 389, 0, 4, "sect409r1" }, /* 388 */ + { 0x26, 390, 0, 4, "sect571k1" }, /* 389 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 390 */ + {0x60, 445, 1, 0, "" }, /* 391 */ + { 0x86, 0, 1, 1, "" }, /* 392 */ + { 0x48, 0, 1, 2, "" }, /* 393 */ + { 0x01, 0, 1, 3, "organization" }, /* 394 */ + { 0x65, 421, 1, 4, "gov" }, /* 395 */ + { 0x03, 0, 1, 5, "csor" }, /* 396 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 397 */ + { 0x01, 408, 1, 7, "aes" }, /* 398 */ + { 0x02, 400, 0, 8, "id-aes128-CBC" }, /* 399 */ + { 0x06, 401, 0, 8, "id-aes128-GCM" }, /* 400 */ + { 0x07, 402, 0, 8, "id-aes128-CCM" }, /* 401 */ + { 0x16, 403, 0, 8, "id-aes192-CBC" }, /* 402 */ + { 0x1A, 404, 0, 8, "id-aes192-GCM" }, /* 403 */ + { 0x1B, 405, 0, 8, "id-aes192-CCM" }, /* 404 */ + { 0x2A, 406, 0, 8, "id-aes256-CBC" }, /* 405 */ + { 0x2E, 407, 0, 8, "id-aes256-GCM" }, /* 406 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 407 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 408 */ + { 0x01, 410, 0, 8, "id-sha256" }, /* 409 */ + { 0x02, 411, 0, 8, "id-sha384" }, /* 410 */ + { 0x03, 412, 0, 8, "id-sha512" }, /* 411 */ + { 0x04, 413, 0, 8, "id-sha224" }, /* 412 */ + { 0x05, 414, 0, 8, "id-sha512-224" }, /* 413 */ + { 0x06, 415, 0, 8, "id-sha512-256" }, /* 414 */ + { 0x07, 416, 0, 8, "id-sha3-224" }, /* 415 */ + { 0x08, 417, 0, 8, "id-sha3-256" }, /* 416 */ + { 0x09, 418, 0, 8, "id-sha3-384" }, /* 417 */ + { 0x0A, 419, 0, 8, "id-sha3-512" }, /* 418 */ + { 0x0B, 420, 0, 8, "id-shake128" }, /* 419 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 420 */ + { 0x86, 0, 1, 4, "" }, /* 421 */ + { 0xf8, 0, 1, 5, "" }, /* 422 */ + { 0x42, 435, 1, 6, "netscape" }, /* 423 */ + { 0x01, 430, 1, 7, "" }, /* 424 */ + { 0x01, 426, 0, 8, "nsCertType" }, /* 425 */ + { 0x03, 427, 0, 8, "nsRevocationUrl" }, /* 426 */ + { 0x04, 428, 0, 8, "nsCaRevocationUrl" }, /* 427 */ + { 0x08, 429, 0, 8, "nsCaPolicyUrl" }, /* 428 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 429 */ + { 0x03, 433, 1, 7, "directory" }, /* 430 */ + { 0x01, 0, 1, 8, "" }, /* 431 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 432 */ + { 0x04, 0, 1, 7, "policy" }, /* 433 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 434 */ + { 0x45, 0, 1, 6, "verisign" }, /* 435 */ + { 0x01, 0, 1, 7, "pki" }, /* 436 */ + { 0x09, 0, 1, 8, "attributes" }, /* 437 */ + { 0x02, 439, 0, 9, "messageType" }, /* 438 */ + { 0x03, 440, 0, 9, "pkiStatus" }, /* 439 */ + { 0x04, 441, 0, 9, "failInfo" }, /* 440 */ + { 0x05, 442, 0, 9, "senderNonce" }, /* 441 */ + { 0x06, 443, 0, 9, "recipientNonce" }, /* 442 */ + { 0x07, 444, 0, 9, "transID" }, /* 443 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 444 */ + {0x67, 0, 1, 0, "" }, /* 445 */ + { 0x81, 0, 1, 1, "" }, /* 446 */ + { 0x05, 0, 1, 2, "" }, /* 447 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 448 */ + { 0x01, 450, 0, 4, "tcg-at-tpmManufacturer" }, /* 449 */ + { 0x02, 451, 0, 4, "tcg-at-tpmModel" }, /* 450 */ + { 0x03, 452, 0, 4, "tcg-at-tpmVersion" }, /* 451 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 452 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 14f774adb..d72d986c5 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -138,101 +138,102 @@ extern const oid_t oid_names[]; #define OID_ECDSA_WITH_SHA256 186 #define OID_ECDSA_WITH_SHA384 187 #define OID_ECDSA_WITH_SHA512 188 +#define OID_MS_SMARTCARD_LOGON 202 #define OID_USER_PRINCIPAL_NAME 203 -#define OID_STRONGSWAN 206 -#define OID_TCGID 213 -#define OID_AUTHORITY_INFO_ACCESS 241 -#define OID_IP_ADDR_BLOCKS 243 -#define OID_POLICY_QUALIFIER_CPS 245 -#define OID_POLICY_QUALIFIER_UNOTICE 246 -#define OID_SERVER_AUTH 248 -#define OID_CLIENT_AUTH 249 -#define OID_OCSP_SIGNING 256 -#define OID_XMPP_ADDR 262 -#define OID_AUTHENTICATION_INFO 266 -#define OID_ACCESS_IDENTITY 267 -#define OID_CHARGING_IDENTITY 268 -#define OID_GROUP 269 -#define OID_OCSP 272 -#define OID_BASIC 273 -#define OID_NONCE 274 -#define OID_CRL 275 -#define OID_RESPONSE 276 -#define OID_NO_CHECK 277 -#define OID_ARCHIVE_CUTOFF 278 -#define OID_SERVICE_LOCATOR 279 -#define OID_CA_ISSUERS 280 -#define OID_IKE_INTERMEDIATE 285 -#define OID_DES_CBC 289 -#define OID_SHA1 290 -#define OID_SHA1_WITH_RSA_OIW 291 -#define OID_ECGDSA_PUBKEY 310 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 313 -#define OID_ECGDSA_SIG_WITH_SHA1 314 -#define OID_ECGDSA_SIG_WITH_SHA224 315 -#define OID_ECGDSA_SIG_WITH_SHA256 316 -#define OID_ECGDSA_SIG_WITH_SHA384 317 -#define OID_ECGDSA_SIG_WITH_SHA512 318 -#define OID_SECT163K1 341 -#define OID_SECT163R1 342 -#define OID_SECT239K1 343 -#define OID_SECT113R1 344 -#define OID_SECT113R2 345 -#define OID_SECT112R1 346 -#define OID_SECT112R2 347 -#define OID_SECT160R1 348 -#define OID_SECT160K1 349 -#define OID_SECT256K1 350 -#define OID_SECT163R2 351 -#define OID_SECT283K1 352 -#define OID_SECT283R1 353 -#define OID_SECT131R1 354 -#define OID_SECT131R2 355 -#define OID_SECT193R1 356 -#define OID_SECT193R2 357 -#define OID_SECT233K1 358 -#define OID_SECT233R1 359 -#define OID_SECT128R1 360 -#define OID_SECT128R2 361 -#define OID_SECT160R2 362 -#define OID_SECT192K1 363 -#define OID_SECT224K1 364 -#define OID_SECT224R1 365 -#define OID_SECT384R1 366 -#define OID_SECT521R1 367 -#define OID_SECT409K1 368 -#define OID_SECT409R1 369 -#define OID_SECT571K1 370 -#define OID_SECT571R1 371 -#define OID_AES128_CBC 380 -#define OID_AES128_GCM 381 -#define OID_AES128_CCM 382 -#define OID_AES192_CBC 383 -#define OID_AES192_GCM 384 -#define OID_AES192_CCM 385 -#define OID_AES256_CBC 386 -#define OID_AES256_GCM 387 -#define OID_AES256_CCM 388 -#define OID_SHA256 390 -#define OID_SHA384 391 -#define OID_SHA512 392 -#define OID_SHA224 393 -#define OID_NS_REVOCATION_URL 401 -#define OID_NS_CA_REVOCATION_URL 402 -#define OID_NS_CA_POLICY_URL 403 -#define OID_NS_COMMENT 404 -#define OID_EMPLOYEE_NUMBER 407 -#define OID_PKI_MESSAGE_TYPE 413 -#define OID_PKI_STATUS 414 -#define OID_PKI_FAIL_INFO 415 -#define OID_PKI_SENDER_NONCE 416 -#define OID_PKI_RECIPIENT_NONCE 417 -#define OID_PKI_TRANS_ID 418 -#define OID_TPM_MANUFACTURER 424 -#define OID_TPM_MODEL 425 -#define OID_TPM_VERSION 426 -#define OID_TPM_ID_LABEL 427 +#define OID_STRONGSWAN 209 +#define OID_TCGID 216 +#define OID_AUTHORITY_INFO_ACCESS 260 +#define OID_IP_ADDR_BLOCKS 262 +#define OID_POLICY_QUALIFIER_CPS 264 +#define OID_POLICY_QUALIFIER_UNOTICE 265 +#define OID_SERVER_AUTH 267 +#define OID_CLIENT_AUTH 268 +#define OID_OCSP_SIGNING 275 +#define OID_XMPP_ADDR 281 +#define OID_AUTHENTICATION_INFO 285 +#define OID_ACCESS_IDENTITY 286 +#define OID_CHARGING_IDENTITY 287 +#define OID_GROUP 288 +#define OID_OCSP 291 +#define OID_BASIC 292 +#define OID_NONCE 293 +#define OID_CRL 294 +#define OID_RESPONSE 295 +#define OID_NO_CHECK 296 +#define OID_ARCHIVE_CUTOFF 297 +#define OID_SERVICE_LOCATOR 298 +#define OID_CA_ISSUERS 299 +#define OID_IKE_INTERMEDIATE 304 +#define OID_DES_CBC 308 +#define OID_SHA1 309 +#define OID_SHA1_WITH_RSA_OIW 310 +#define OID_ECGDSA_PUBKEY 329 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 332 +#define OID_ECGDSA_SIG_WITH_SHA1 333 +#define OID_ECGDSA_SIG_WITH_SHA224 334 +#define OID_ECGDSA_SIG_WITH_SHA256 335 +#define OID_ECGDSA_SIG_WITH_SHA384 336 +#define OID_ECGDSA_SIG_WITH_SHA512 337 +#define OID_SECT163K1 360 +#define OID_SECT163R1 361 +#define OID_SECT239K1 362 +#define OID_SECT113R1 363 +#define OID_SECT113R2 364 +#define OID_SECT112R1 365 +#define OID_SECT112R2 366 +#define OID_SECT160R1 367 +#define OID_SECT160K1 368 +#define OID_SECT256K1 369 +#define OID_SECT163R2 370 +#define OID_SECT283K1 371 +#define OID_SECT283R1 372 +#define OID_SECT131R1 373 +#define OID_SECT131R2 374 +#define OID_SECT193R1 375 +#define OID_SECT193R2 376 +#define OID_SECT233K1 377 +#define OID_SECT233R1 378 +#define OID_SECT128R1 379 +#define OID_SECT128R2 380 +#define OID_SECT160R2 381 +#define OID_SECT192K1 382 +#define OID_SECT224K1 383 +#define OID_SECT224R1 384 +#define OID_SECT384R1 385 +#define OID_SECT521R1 386 +#define OID_SECT409K1 387 +#define OID_SECT409R1 388 +#define OID_SECT571K1 389 +#define OID_SECT571R1 390 +#define OID_AES128_CBC 399 +#define OID_AES128_GCM 400 +#define OID_AES128_CCM 401 +#define OID_AES192_CBC 402 +#define OID_AES192_GCM 403 +#define OID_AES192_CCM 404 +#define OID_AES256_CBC 405 +#define OID_AES256_GCM 406 +#define OID_AES256_CCM 407 +#define OID_SHA256 409 +#define OID_SHA384 410 +#define OID_SHA512 411 +#define OID_SHA224 412 +#define OID_NS_REVOCATION_URL 426 +#define OID_NS_CA_REVOCATION_URL 427 +#define OID_NS_CA_POLICY_URL 428 +#define OID_NS_COMMENT 429 +#define OID_EMPLOYEE_NUMBER 432 +#define OID_PKI_MESSAGE_TYPE 438 +#define OID_PKI_STATUS 439 +#define OID_PKI_FAIL_INFO 440 +#define OID_PKI_SENDER_NONCE 441 +#define OID_PKI_RECIPIENT_NONCE 442 +#define OID_PKI_TRANS_ID 443 +#define OID_TPM_MANUFACTURER 449 +#define OID_TPM_MODEL 450 +#define OID_TPM_VERSION 451 +#define OID_TPM_ID_LABEL 452 -#define OID_MAX 428 +#define OID_MAX 453 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index c15a1cc2a..e545188d4 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -200,8 +200,11 @@ 0x04 "msEncryptingFileSystem" 0x14 "msEnrollmentInfrastructure" 0x02 "msCertificateTypeExtension" - 0x02 "msSmartcardLogon" + 0x02 "msSmartcardLogon" OID_MS_SMARTCARD_LOGON 0x03 "msUPN" OID_USER_PRINCIPAL_NAME + 0x15 "msCertSrvInfrastructure" + 0x07 "msCertTemplate" + 0x0A "msApplicationCertPolicies" 0xA0 "" 0x2A "ITA" 0x01 "strongSwan" OID_STRONGSWAN @@ -212,7 +215,7 @@ 0x02 "" 0x02 "" 0x4B "TCGID" OID_TCGID - 0xc1 "" + 0xC1 "" 0x16 "ntruCryptosystems" 0x01 "eess" 0x01 "eess1" @@ -234,6 +237,22 @@ 0x12 "ees251sp7" 0x13 "ees251sp8" 0x14 "ees251sp9" + 0x22 "ees401ep1" + 0x23 "ees449ep1" + 0x24 "ees677ep1" + 0x25 "ees1087ep2" + 0x26 "ees541ep1" + 0x27 "ees613ep1" + 0x28 "ees887ep1" + 0x29 "ees1171ep1" + 0x2A "ees659ep1" + 0x2B "ees761ep1" + 0x2C "ees1087ep1" + 0x2D "ees1499ep1" + 0x2E "ees401ep2" + 0x2F "ees439ep1" + 0x30 "ees593ep1" + 0x31 "ees743ep1" 0x03 "eess1-encodingMethods" 0x05 "security" 0x05 "mechanisms" @@ -388,12 +407,18 @@ 0x2E "id-aes256-GCM" OID_AES256_GCM 0x2F "id-aes256-CCM" OID_AES256_CCM 0x02 "hashalgs" - 0x01 "id-SHA-256" OID_SHA256 - 0x02 "id-SHA-384" OID_SHA384 - 0x03 "id-SHA-512" OID_SHA512 - 0x04 "id-SHA-224" OID_SHA224 - 0x05 "id-SHA-512-224" - 0x06 "id-SHA-512-256" + 0x01 "id-sha256" OID_SHA256 + 0x02 "id-sha384" OID_SHA384 + 0x03 "id-sha512" OID_SHA512 + 0x04 "id-sha224" OID_SHA224 + 0x05 "id-sha512-224" + 0x06 "id-sha512-256" + 0x07 "id-sha3-224" + 0x08 "id-sha3-256" + 0x09 "id-sha3-384" + 0x0A "id-sha3-512" + 0x0B "id-shake128" + 0x0C "id-shake256" 0x86 "" 0xf8 "" 0x42 "netscape" diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c index 314e8e916..75efb85bf 100644 --- a/src/libstrongswan/collections/array.c +++ b/src/libstrongswan/collections/array.c @@ -141,7 +141,7 @@ static void remove_tail(array_t *array, int idx) /* move all items after idx one down */ memmove(array->data + get_size(array, idx + array->head), array->data + get_size(array, idx + array->head + 1), - get_size(array, array->count - idx)); + get_size(array, array->count - 1 - idx)); array->count--; array->tail++; } diff --git a/src/libstrongswan/collections/hashtable.c b/src/libstrongswan/collections/hashtable.c index 1003aa0fa..ca31d8361 100644 --- a/src/libstrongswan/collections/hashtable.c +++ b/src/libstrongswan/collections/hashtable.c @@ -30,7 +30,7 @@ struct pair_t { /** * Key of a hash table item. */ - void *key; + const void *key; /** * Value of a hash table item. @@ -51,7 +51,7 @@ struct pair_t { /** * Creates an empty pair object. */ -static inline pair_t *pair_create(void *key, void *value, u_int hash) +static inline pair_t *pair_create(const void *key, void *value, u_int hash) { pair_t *this; @@ -153,7 +153,7 @@ struct private_enumerator_t { /* * See header. */ -u_int hashtable_hash_ptr(void *key) +u_int hashtable_hash_ptr(const void *key) { return chunk_hash(chunk_from_thing(key)); } @@ -161,7 +161,7 @@ u_int hashtable_hash_ptr(void *key) /* * See header. */ -u_int hashtable_hash_str(void *key) +u_int hashtable_hash_str(const void *key) { return chunk_hash(chunk_from_str((char*)key)); } @@ -169,7 +169,7 @@ u_int hashtable_hash_str(void *key) /* * See header. */ -bool hashtable_equals_ptr(void *key, void *other_key) +bool hashtable_equals_ptr(const void *key, const void *other_key) { return key == other_key; } @@ -177,7 +177,7 @@ bool hashtable_equals_ptr(void *key, void *other_key) /* * See header. */ -bool hashtable_equals_str(void *key, void *other_key) +bool hashtable_equals_str(const void *key, const void *other_key) { return streq(key, other_key); } @@ -250,7 +250,7 @@ static void rehash(private_hashtable_t *this) } METHOD(hashtable_t, put, void*, - private_hashtable_t *this, void *key, void *value) + private_hashtable_t *this, const void *key, void *value) { void *old_value = NULL; pair_t *pair; @@ -284,7 +284,7 @@ METHOD(hashtable_t, put, void*, return old_value; } -static void *get_internal(private_hashtable_t *this, void *key, +static void *get_internal(private_hashtable_t *this, const void *key, hashtable_equals_t equals) { void *value = NULL; @@ -309,19 +309,19 @@ static void *get_internal(private_hashtable_t *this, void *key, } METHOD(hashtable_t, get, void*, - private_hashtable_t *this, void *key) + private_hashtable_t *this, const void *key) { return get_internal(this, key, this->equals); } METHOD(hashtable_t, get_match, void*, - private_hashtable_t *this, void *key, hashtable_equals_t match) + private_hashtable_t *this, const void *key, hashtable_equals_t match) { return get_internal(this, key, match); } METHOD(hashtable_t, remove_, void*, - private_hashtable_t *this, void *key) + private_hashtable_t *this, const void *key) { void *value = NULL; pair_t *pair, *prev = NULL; @@ -379,7 +379,7 @@ METHOD(hashtable_t, get_count, u_int, } METHOD(enumerator_t, enumerate, bool, - private_enumerator_t *this, void **key, void **value) + private_enumerator_t *this, const void **key, void **value) { while (this->count && this->row < this->table->capacity) { diff --git a/src/libstrongswan/collections/hashtable.h b/src/libstrongswan/collections/hashtable.h index 520a86c90..0a7ebeb65 100644 --- a/src/libstrongswan/collections/hashtable.h +++ b/src/libstrongswan/collections/hashtable.h @@ -31,7 +31,7 @@ typedef struct hashtable_t hashtable_t; * @param key key to hash * @return hash code */ -typedef u_int (*hashtable_hash_t)(void *key); +typedef u_int (*hashtable_hash_t)(const void *key); /** * Hashtable hash function calculation the hash solely based on the key pointer. @@ -39,7 +39,7 @@ typedef u_int (*hashtable_hash_t)(void *key); * @param key key to hash * @return hash of key */ -u_int hashtable_hash_ptr(void *key); +u_int hashtable_hash_ptr(const void *key); /** * Hashtable hash function calculation the hash for char* keys. @@ -47,7 +47,7 @@ u_int hashtable_hash_ptr(void *key); * @param key key to hash, a char* * @return hash of key */ -u_int hashtable_hash_str(void *key); +u_int hashtable_hash_str(const void *key); /** * Prototype for a function that compares the two keys for equality. @@ -56,7 +56,7 @@ u_int hashtable_hash_str(void *key); * @param other_key second key * @return TRUE if the keys are equal */ -typedef bool (*hashtable_equals_t)(void *key, void *other_key); +typedef bool (*hashtable_equals_t)(const void *key, const void *other_key); /** * Hashtable equals function comparing pointers. @@ -65,7 +65,7 @@ typedef bool (*hashtable_equals_t)(void *key, void *other_key); * @param other_key other key to compare * @return TRUE if key == other_key */ -bool hashtable_equals_ptr(void *key, void *other_key); +bool hashtable_equals_ptr(const void *key, const void *other_key); /** * Hashtable equals function comparing char* keys. @@ -74,7 +74,7 @@ bool hashtable_equals_ptr(void *key, void *other_key); * @param other_key other key to compare * @return TRUE if streq(key, other_key) */ -bool hashtable_equals_str(void *key, void *other_key); +bool hashtable_equals_str(const void *key, const void *other_key); /** * Class implementing a hash table. @@ -100,7 +100,7 @@ struct hashtable_t { * @param value the value to store * @return NULL if no item was replaced, the old value otherwise */ - void *(*put) (hashtable_t *this, void *key, void *value); + void *(*put) (hashtable_t *this, const void *key, void *value); /** * Returns the value with the given key, if the hash table contains such an @@ -109,7 +109,7 @@ struct hashtable_t { * @param key the key of the requested value * @return the value, NULL if not found */ - void *(*get) (hashtable_t *this, void *key); + void *(*get) (hashtable_t *this, const void *key); /** * Returns the value with a matching key, if the hash table contains such an @@ -125,7 +125,8 @@ struct hashtable_t { * @param match match function to be used when comparing keys * @return the value, NULL if not found */ - void *(*get_match) (hashtable_t *this, void *key, hashtable_equals_t match); + void *(*get_match) (hashtable_t *this, const void *key, + hashtable_equals_t match); /** * Removes the value with the given key from the hash table and returns the @@ -134,7 +135,7 @@ struct hashtable_t { * @param key the key of the value to remove * @return the removed value, NULL if not found */ - void *(*remove) (hashtable_t *this, void *key); + void *(*remove) (hashtable_t *this, const void *key); /** * Removes the key and value pair from the hash table at which the given diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 2203519e2..4ff9aa6dd 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -31,7 +31,7 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_XAUTH, "XAuth", ); -ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT, +ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT, "RULE_IDENTITY", "RULE_IDENTITY_LOOSE", "RULE_AUTH_CLASS", @@ -56,6 +56,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT, "HELPER_IM_HASH_URL", "HELPER_SUBJECT_HASH_URL", "HELPER_REVOCATION_CERT", + "HELPER_AC_CERT", ); /** @@ -91,6 +92,7 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_HELPER_IM_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: return TRUE; } return FALSE; @@ -224,6 +226,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args) case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: /* pointer type */ this->value = va_arg(args, void*); break; @@ -262,6 +265,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2) case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: { certificate_t *c1, *c2; @@ -319,6 +323,7 @@ static void destroy_entry_value(entry_t *entry) case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: { certificate_t *cert = (certificate_t*)entry->value; cert->destroy(cert); @@ -390,6 +395,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: /* pointer type */ entry->value = va_arg(args, void*); break; @@ -467,6 +473,7 @@ METHOD(auth_cfg_t, get, void*, case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: case AUTH_RULE_MAX: break; } @@ -736,6 +743,7 @@ METHOD(auth_cfg_t, complies, bool, case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: case AUTH_RULE_MAX: /* skip helpers */ continue; @@ -868,6 +876,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: { certificate_t *cert = (certificate_t*)value; @@ -1029,6 +1038,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_REVOCATION_CERT: + case AUTH_HELPER_AC_CERT: { certificate_t *cert = (certificate_t*)value; clone->add(clone, type, cert->get_ref(cert)); diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index d87935589..95b36d706 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -117,6 +117,8 @@ enum auth_rule_t { AUTH_HELPER_SUBJECT_HASH_URL, /** revocation certificate (CRL, OCSP), certificate_t* */ AUTH_HELPER_REVOCATION_CERT, + /** attribute certificate for authorization decisions, certificate_t */ + AUTH_HELPER_AC_CERT, /** helper to determine the number of elements in this enum */ AUTH_RULE_MAX, diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index 4e52272a7..ddb64ef88 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c @@ -38,7 +38,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_SERIAL", "BUILD_DIGEST_ALG", "BUILD_ENCRYPTION_ALG", - "BUILD_IETF_GROUP_ATTR", + "BUILD_AC_GROUP_STRINGS", "BUILD_CA_CERT", "BUILD_CERT", "BUILD_CRL_DISTRIBUTION_POINTS", @@ -72,4 +72,3 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END, "BUILD_THRESHOLD", "BUILD_END", ); - diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h index 103b823c0..627e0934d 100644 --- a/src/libstrongswan/credentials/builder.h +++ b/src/libstrongswan/credentials/builder.h @@ -87,8 +87,8 @@ enum builder_part_t { BUILD_DIGEST_ALG, /** encryption algorithm to use, encryption_algorithm_t */ BUILD_ENCRYPTION_ALG, - /** a comma-separated list of ietf group attributes, char* */ - BUILD_IETF_GROUP_ATTR, + /** list of AC group memberships, linked_list_t* with char* */ + BUILD_AC_GROUP_STRINGS, /** a ca certificate, certificate_t* */ BUILD_CA_CERT, /** a certificate, certificate_t* */ diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h index 57b44adca..9a3d8f0b9 100644 --- a/src/libstrongswan/credentials/certificates/ac.h +++ b/src/libstrongswan/credentials/certificates/ac.h @@ -24,9 +24,18 @@ #include <library.h> #include <credentials/certificates/certificate.h> -#include <credentials/ietf_attributes/ietf_attributes.h> typedef struct ac_t ac_t; +typedef enum ac_group_type_t ac_group_type_t; + +/** + * Common group types, from IETF Attributes Syntax + */ +enum ac_group_type_t { + AC_GROUP_TYPE_OCTETS, + AC_GROUP_TYPE_STRING, + AC_GROUP_TYPE_OID, +}; /** * X.509 attribute certificate interface. @@ -70,19 +79,11 @@ struct ac_t { chunk_t (*get_authKeyIdentifier)(ac_t *this); /** - * Get the group memberships as a list of IETF attributes - * - * @return object containing a list of IETF attributes - */ - ietf_attributes_t* (*get_groups)(ac_t *this); - - /** - * @brief Checks if two attribute certificates belong to the same holder + * Create an enumerator of contained Group memberships. * - * @param that other attribute certificate - * @return TRUE if same holder + * @return enumerator over (ac_group_type_t, chunk_t) */ - bool (*equals_holder) (ac_t *this, ac_t *other); + enumerator_t* (*create_group_enumerator)(ac_t *this); }; #endif /** AC_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 4e8d4317f..6cbfcdeed 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -39,25 +39,27 @@ typedef enum x509_constraint_t x509_constraint_t; */ enum x509_flag_t { /** cert has no constraints */ - X509_NONE = 0, + X509_NONE = 0, /** cert has CA constraint */ - X509_CA = (1<<0), + X509_CA = (1<<0), /** cert has AA constraint */ - X509_AA = (1<<1), + X509_AA = (1<<1), /** cert has OCSP signer constraint */ - X509_OCSP_SIGNER = (1<<2), + X509_OCSP_SIGNER = (1<<2), /** cert has serverAuth key usage */ - X509_SERVER_AUTH = (1<<3), + X509_SERVER_AUTH = (1<<3), /** cert has clientAuth key usage */ - X509_CLIENT_AUTH = (1<<4), + X509_CLIENT_AUTH = (1<<4), /** cert is self-signed */ - X509_SELF_SIGNED = (1<<5), + X509_SELF_SIGNED = (1<<5), /** cert has an ipAddrBlocks extension */ - X509_IP_ADDR_BLOCKS = (1<<6), + X509_IP_ADDR_BLOCKS = (1<<6), /** cert has CRL sign key usage */ - X509_CRL_SIGN = (1<<7), + X509_CRL_SIGN = (1<<7), /** cert has iKEIntermediate key usage */ - X509_IKE_INTERMEDIATE = (1<<8), + X509_IKE_INTERMEDIATE = (1<<8), + /** cert has Microsoft Smartcard Logon usage */ + X509_MS_SMARTCARD_LOGON = (1<<9), }; /** diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c index 53ac13cbb..303816391 100644 --- a/src/libstrongswan/credentials/cred_encoding.c +++ b/src/libstrongswan/credentials/cred_encoding.c @@ -94,22 +94,6 @@ bool cred_encoding_args(va_list args, ...) return !failed; } -/** - * hashtable hash() function - */ -static u_int hash(void *key) -{ - return (uintptr_t)key; -} - -/** - * hashtable equals() function - */ -static bool equals(void *key1, void *key2) -{ - return key1 == key2; -} - METHOD(cred_encoding_t, get_cache, bool, private_cred_encoding_t *this, cred_encoding_type_t type, void *cache, chunk_t *encoding) @@ -289,7 +273,8 @@ cred_encoding_t *cred_encoding_create() for (type = 0; type < CRED_ENCODING_MAX; type++) { - this->cache[type] = hashtable_create(hash, equals, 8); + this->cache[type] = hashtable_create(hashtable_hash_ptr, + hashtable_equals_ptr, 8); } return &this->public; diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c deleted file mode 100644 index 49af5a079..000000000 --- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c +++ /dev/null @@ -1,534 +0,0 @@ -/* - * Copyright (C) 2007-2009 Andreas Steffen - * - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <asn1/oid.h> -#include <asn1/asn1.h> -#include <asn1/asn1_parser.h> -#include <collections/linked_list.h> -#include <utils/lexparser.h> - -#include "ietf_attributes.h" - -/** - * Private definition of IETF attribute types - */ -typedef enum { - IETF_ATTRIBUTE_OCTETS = 0, - IETF_ATTRIBUTE_OID = 1, - IETF_ATTRIBUTE_STRING = 2 -} ietf_attribute_type_t; - -typedef struct ietf_attr_t ietf_attr_t; - -/** - * Private definition of an IETF attribute - */ -struct ietf_attr_t { - /** - * IETF attribute type - */ - ietf_attribute_type_t type; - - /** - * IETF attribute value - */ - chunk_t value; - - /** - * Compares two IETF attributes - * - * return -1 if this is earlier in the alphabet than other - * return 0 if this equals other - * return +1 if this is later in the alphabet than other - * - * @param other other object - */ - int (*compare) (ietf_attr_t *this, ietf_attr_t *other); - - /** - * Destroys an ietf_attr_t object. - */ - void (*destroy) (ietf_attr_t *this); -}; - -/** - * Implements ietf_attr_t.compare. - */ -static int ietf_attr_compare(ietf_attr_t *this, ietf_attr_t *other) -{ - int cmp_len, len, cmp_value; - - /* OID attributes are appended after STRING and OCTETS attributes */ - if (this->type != IETF_ATTRIBUTE_OID && other->type == IETF_ATTRIBUTE_OID) - { - return -1; - } - if (this->type == IETF_ATTRIBUTE_OID && other->type != IETF_ATTRIBUTE_OID) - { - return 1; - } - - cmp_len = this->value.len - other->value.len; - len = (cmp_len < 0) ? this->value.len : other->value.len; - cmp_value = memcmp(this->value.ptr, other->value.ptr, len); - - return (cmp_value == 0) ? cmp_len : cmp_value; -} - -/** - * Implements ietf_attr_t.destroy. - */ -static void ietf_attr_destroy(ietf_attr_t *this) -{ - free(this->value.ptr); - free(this); -} - -/** - * Creates an ietf_attr_t object. - */ -static ietf_attr_t* ietf_attr_create(ietf_attribute_type_t type, chunk_t value) -{ - ietf_attr_t *this; - - INIT(this, - .compare = ietf_attr_compare, - .destroy = ietf_attr_destroy, - .type = type, - .value = chunk_clone(value), - ); - - return this; -} - -typedef struct private_ietf_attributes_t private_ietf_attributes_t; - -/** - * Private data of an ietf_attributes_t object. - */ -struct private_ietf_attributes_t { - /** - * Public interface. - */ - ietf_attributes_t public; - - /** - * Printable representation of the IETF attributes - */ - char *string; - - /** - * Linked list of IETF attributes. - */ - linked_list_t *list; - - /** - * reference count - */ - refcount_t ref; -}; - -METHOD(ietf_attributes_t, get_string, char*, - private_ietf_attributes_t *this) -{ - if (this->string == NULL) - { - char buf[BUF_LEN]; - char *pos = buf; - int len = BUF_LEN; - bool first = TRUE; - ietf_attr_t *attr; - enumerator_t *enumerator; - - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, &attr)) - { - int written; - - if (first) - { - first = FALSE; - } - else - { - written = snprintf(pos, len, ", "); - if (written < 0 || written >= len) - { - break; - } - pos += written; - len -= written; - } - - switch (attr->type) - { - case IETF_ATTRIBUTE_OCTETS: - case IETF_ATTRIBUTE_STRING: - written = snprintf(pos, len, "%.*s", (int)attr->value.len, - attr->value.ptr); - break; - case IETF_ATTRIBUTE_OID: - { - int oid = asn1_known_oid(attr->value); - - if (oid == OID_UNKNOWN) - { - written = snprintf(pos, len, "0x%#B", &attr->value); - } - else - { - written = snprintf(pos, len, "%s", oid_names[oid].name); - } - break; - } - default: - written = 0; - break; - } - if (written < 0 || written >= len) - { - break; - } - pos += written; - len -= written; - } - enumerator->destroy(enumerator); - if (len < BUF_LEN) - { - this->string = strdup(buf); - } - } - return this->string; -} - -METHOD(ietf_attributes_t, get_encoding, chunk_t, - private_ietf_attributes_t *this) -{ - chunk_t values; - size_t size = 0; - u_char *pos; - ietf_attr_t *attr; - enumerator_t *enumerator; - - /* precalculate the total size of all values */ - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, &attr)) - { - size_t len = attr->value.len; - - size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len; - } - enumerator->destroy(enumerator); - - pos = asn1_build_object(&values, ASN1_SEQUENCE, size); - - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, &attr)) - { - chunk_t ietfAttribute; - asn1_t type = ASN1_NULL; - - switch (attr->type) - { - case IETF_ATTRIBUTE_OCTETS: - type = ASN1_OCTET_STRING; - break; - case IETF_ATTRIBUTE_STRING: - type = ASN1_UTF8STRING; - break; - case IETF_ATTRIBUTE_OID: - type = ASN1_OID; - break; - } - ietfAttribute = asn1_simple_object(type, attr->value); - - /* copy ietfAttribute into values chunk */ - memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); - pos += ietfAttribute.len; - free(ietfAttribute.ptr); - } - enumerator->destroy(enumerator); - - return asn1_wrap(ASN1_SEQUENCE, "m", values); -} - -/** - * Implementation of ietf_attributes_t.equals. - */ -static bool equals(private_ietf_attributes_t *this, - private_ietf_attributes_t *other) -{ - bool result = TRUE; - - /* lists must have the same number of attributes */ - if (other == NULL || - this->list->get_count(this->list) != other->list->get_count(other->list)) - { - return FALSE; - } - - /* compare two alphabetically-sorted lists */ - { - ietf_attr_t *attr_a, *attr_b; - enumerator_t *enum_a, *enum_b; - - enum_a = this->list->create_enumerator(this->list); - enum_b = other->list->create_enumerator(other->list); - while (enum_a->enumerate(enum_a, &attr_a) && - enum_b->enumerate(enum_b, &attr_b)) - { - if (attr_a->compare(attr_a, attr_b) != 0) - { - /* we have a mismatch */ - result = FALSE; - break; - } - } - enum_a->destroy(enum_a); - enum_b->destroy(enum_b); - } - return result; -} - -/** - * Implementation of ietf_attributes_t.matches. - */ -static bool matches(private_ietf_attributes_t *this, - private_ietf_attributes_t *other) -{ - bool result = FALSE; - ietf_attr_t *attr_a, *attr_b; - enumerator_t *enum_a, *enum_b; - - /* always match if this->list does not contain any attributes */ - if (this->list->get_count(this->list) == 0) - { - return TRUE; - } - - /* never match if other->list does not contain any attributes */ - if (other == NULL || other->list->get_count(other->list) == 0) - { - return FALSE; - } - - /* get first attribute from both lists */ - enum_a = this->list->create_enumerator(this->list); - enum_a->enumerate(enum_a, &attr_a); - enum_b = other->list->create_enumerator(other->list); - enum_b->enumerate(enum_b, &attr_b); - - /* look for at least one common attribute */ - while (TRUE) - { - int cmp = attr_a->compare(attr_a, attr_b); - - if (cmp == 0) - { - /* we have a match */ - result = TRUE; - break; - } - if (cmp == -1) - { - /* attr_a is earlier in the alphabet, get next attr_a */ - if (!enum_a->enumerate(enum_a, &attr_a)) - { - /* we have reached the end of enum_a */ - break; - } - } - else - { - /* attr_a is later in the alphabet, get next attr_b */ - if (!enum_b->enumerate(enum_b, &attr_b)) - { - /* we have reached the end of enum_b */ - break; - } - } - } - enum_a->destroy(enum_a); - enum_b->destroy(enum_b); - - return result; -} - -METHOD(ietf_attributes_t, get_ref, ietf_attributes_t*, - private_ietf_attributes_t *this) -{ - ref_get(&this->ref); - return &this->public; -} - -METHOD(ietf_attributes_t, destroy, void, - private_ietf_attributes_t *this) -{ - if (ref_put(&this->ref)) - { - this->list->destroy_offset(this->list, offsetof(ietf_attr_t, destroy)); - free(this->string); - free(this); - } -} - -static private_ietf_attributes_t* create_empty(void) -{ - private_ietf_attributes_t *this; - - INIT(this, - .public = { - .get_string = _get_string, - .get_encoding = _get_encoding, - .equals = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))equals, - .matches = (bool (*)(ietf_attributes_t*,ietf_attributes_t*))matches, - .get_ref = _get_ref, - .destroy = _destroy, - }, - .list = linked_list_create(), - .ref = 1, - ); - - return this; -} - -/** - * Adds an ietf_attr_t object to a sorted linked list - */ -static void ietf_attributes_add(private_ietf_attributes_t *this, - ietf_attr_t *attr) -{ - ietf_attr_t *current_attr; - enumerator_t *enumerator; - int cmp = -1; - - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, (void **)¤t_attr) && - (cmp = attr->compare(attr, current_attr)) > 0) - { - continue; - } - if (cmp == 0) - { - attr->destroy(attr); - } - else - { /* the enumerator either points to the end or to the attribute > attr */ - this->list->insert_before(this->list, enumerator, attr); - } - enumerator->destroy(enumerator); -} - -/* - * Described in header. - */ -ietf_attributes_t *ietf_attributes_create_from_string(char *string) -{ - private_ietf_attributes_t *this = create_empty(); - - chunk_t line = { string, strlen(string) }; - - while (eat_whitespace(&line)) - { - chunk_t group; - - /* extract the next comma-separated group attribute */ - if (!extract_token(&group, ',', &line)) - { - group = line; - line.len = 0; - } - - /* remove any trailing spaces */ - while (group.len > 0 && *(group.ptr + group.len - 1) == ' ') - { - group.len--; - } - - /* add the group attribute to the list */ - if (group.len > 0) - { - ietf_attr_t *attr = ietf_attr_create(IETF_ATTRIBUTE_STRING, group); - - ietf_attributes_add(this, attr); - } - } - - return &(this->public); -} - -/** - * ASN.1 definition of ietfAttrSyntax - */ -static const asn1Object_t ietfAttrSyntaxObjects[] = -{ - { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ - { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | - ASN1_BODY }, /* 1 */ - { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ - { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */ - { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT | - ASN1_BODY }, /* 4 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */ - { 2, "oid", ASN1_OID, ASN1_OPT | - ASN1_BODY }, /* 6 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ - { 2, "string", ASN1_UTF8STRING, ASN1_OPT | - ASN1_BODY }, /* 8 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ - { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } -}; -#define IETF_ATTR_OCTETS 4 -#define IETF_ATTR_OID 6 -#define IETF_ATTR_STRING 8 - -/* - * Described in header. - */ -ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded) -{ - private_ietf_attributes_t *this = create_empty(); - asn1_parser_t *parser; - chunk_t object; - int objectID; - - parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded); - while (parser->iterate(parser, &objectID, &object)) - { - switch (objectID) - { - case IETF_ATTR_OCTETS: - case IETF_ATTR_OID: - case IETF_ATTR_STRING: - { - ietf_attribute_type_t type; - ietf_attr_t *attr; - - type = (objectID - IETF_ATTR_OCTETS) / 2; - attr = ietf_attr_create(type, object); - ietf_attributes_add(this, attr); - } - break; - default: - break; - } - } - parser->destroy(parser); - - return &(this->public); -} - diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h deleted file mode 100644 index ab6bae984..000000000 --- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.h +++ /dev/null @@ -1,92 +0,0 @@ -/* - * Copyright (C) 2007-2009 Andreas Steffen - * - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup ietf_attributes ietf_attributes - * @{ @ingroup credentials - */ - -#ifndef IETF_ATTRIBUTES_H_ -#define IETF_ATTRIBUTES_H_ - -typedef struct ietf_attributes_t ietf_attributes_t; - -#include <library.h> - -/** - * - */ -struct ietf_attributes_t { - - /** - * Get the an alphabetically sorted list of printable IETF attributes. - * - * Result points to internal data, do not free. - * - * @return a string containing printable attributes - */ - char* (*get_string) (ietf_attributes_t *this); - - /** - * Get the ASN.1 encoding of the IETF attributes. - * - * @return allocated chunk containing the encoded bytes - */ - chunk_t (*get_encoding) (ietf_attributes_t *this); - - /** - * Check for equality between two lists. - * - * @param other attribute list to be checked for equality - * @return TRUE if equal - */ - bool (*equals) (ietf_attributes_t *this, ietf_attributes_t *other); - - /** - * Check for common attributes between two lists. - * - * @param other attribute list to be matched - * @return TRUE if there is at least a common attribute - */ - bool (*matches) (ietf_attributes_t *this, ietf_attributes_t *other); - - /** - * Get a new reference to the IETF attributes. - * - * @return this, with an increased refcount - */ - ietf_attributes_t* (*get_ref)(ietf_attributes_t *this); - - /** - * Destroys an ietf_attributes_t object. - */ - void (*destroy) (ietf_attributes_t *this); -}; - -/** - * @param string input string, which will be converted - * @return ietf_attributes_t - */ -ietf_attributes_t *ietf_attributes_create_from_string(char *string); - -/** - * @param encoded ASN.1 encoded bytes, such as from ietf_attributes.get_encoding - * @return ietf_attributes_t - */ -ietf_attributes_t *ietf_attributes_create_from_encoding(chunk_t encoded); - -#endif /** IETF_ATTRIBUTES_H_ @}*/ - diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c index 46bfb5c6e..c6b8d0c7e 100644 --- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c @@ -133,7 +133,8 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert) } else if (rule != AUTH_HELPER_SUBJECT_CERT && rule != AUTH_HELPER_IM_CERT && - rule != AUTH_HELPER_REVOCATION_CERT) + rule != AUTH_HELPER_REVOCATION_CERT && + rule != AUTH_HELPER_AC_CERT) { /* handle only HELPER certificates */ continue; } diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h index c887f53bb..43f71b65e 100644 --- a/src/libstrongswan/crypto/aead.h +++ b/src/libstrongswan/crypto/aead.h @@ -102,6 +102,10 @@ struct aead_t { /** * Get the size of the key material (for encryption and authentication). * + * This includes any additional bytes requires for the implicit nonce part. + * For AEADs based on traditional ciphers, the length is for both + * the integrity and the encryption key in total. + * * @return key size in bytes */ size_t (*get_key_size)(aead_t *this); @@ -109,6 +113,11 @@ struct aead_t { /** * Set the key for encryption and authentication. * + * If the AEAD uses an implicit nonce, the last part of the key shall + * be the implicit nonce. For AEADs based on traditional ciphers, the + * key shall include both integrity and encryption keys, concatenated + * in that order. + * * @param key encryption and authentication key * @return TRUE if key set successfully */ diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index dba3f6f6d..6dea30ee3 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2013-2014 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -20,6 +20,7 @@ #include <threading/rwlock.h> #include <collections/linked_list.h> #include <crypto/crypto_tester.h> +#include <utils/test.h> const char *default_plugin_name = "default"; @@ -175,7 +176,7 @@ METHOD(crypto_factory_t, create_crypter, crypter_t*, METHOD(crypto_factory_t, create_aead, aead_t*, private_crypto_factory_t *this, encryption_algorithm_t algo, - size_t key_size) + size_t key_size, size_t salt_size) { enumerator_t *enumerator; entry_t *entry; @@ -189,12 +190,12 @@ METHOD(crypto_factory_t, create_aead, aead_t*, { if (this->test_on_create && !this->tester->test_aead(this->tester, algo, key_size, - entry->create_aead, NULL, + salt_size, entry->create_aead, NULL, default_plugin_name)) { continue; } - aead = entry->create_aead(algo, key_size); + aead = entry->create_aead(algo, key_size, salt_size); if (aead) { break; @@ -473,7 +474,7 @@ METHOD(crypto_factory_t, add_aead, bool, u_int speed = 0; if (!this->test_on_add || - this->tester->test_aead(this->tester, algo, 0, create, + this->tester->test_aead(this->tester, algo, 0, 0, create, this->bench ? &speed : NULL, plugin_name)) { add_entry(this, this->aeads, algo, plugin_name, speed, create); @@ -976,3 +977,39 @@ crypto_factory_t *crypto_factory_create() return &this->public; } + +/** + * Manually verify all registered algorithms against test vectors + */ +static u_int verify_registered_algorithms(crypto_factory_t *factory) +{ + private_crypto_factory_t *this = (private_crypto_factory_t*)factory; + enumerator_t *enumerator; + entry_t *entry; + u_int failures = 0; + +#define TEST_ALGORITHMS(test, ...) do { \ + enumerator = this->test##s->create_enumerator(this->test##s); \ + while (enumerator->enumerate(enumerator, &entry)) \ + { \ + if (!this->tester->test_##test(this->tester, entry->algo, ##__VA_ARGS__, \ + entry->create_##test, NULL, entry->plugin_name)) \ + { \ + failures++; \ + } \ + } \ + enumerator->destroy(enumerator); \ +} while (0) + + this->lock->read_lock(this->lock); + TEST_ALGORITHMS(crypter, 0); + TEST_ALGORITHMS(aead, 0, 0); + TEST_ALGORITHMS(signer); + TEST_ALGORITHMS(hasher); + TEST_ALGORITHMS(prf); + TEST_ALGORITHMS(rng); + this->lock->unlock(this->lock); + return failures; +} + +EXPORT_FUNCTION_FOR_TESTS(crypto, verify_registered_algorithms); diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h index 281dc256f..7865bcb15 100644 --- a/src/libstrongswan/crypto/crypto_factory.h +++ b/src/libstrongswan/crypto/crypto_factory.h @@ -46,7 +46,7 @@ typedef crypter_t* (*crypter_constructor_t)(encryption_algorithm_t algo, * Constructor function for aead transforms */ typedef aead_t* (*aead_constructor_t)(encryption_algorithm_t algo, - size_t key_size); + size_t key_size, size_t salt_size); /** * Constructor function for signers */ @@ -100,10 +100,12 @@ struct crypto_factory_t { * * @param algo encryption algorithm * @param key_size length of the key in bytes + * @param salt_size size of salt, implicit part of the nonce * @return aead_t instance, NULL if not supported */ aead_t* (*create_aead)(crypto_factory_t *this, - encryption_algorithm_t algo, size_t key_size); + encryption_algorithm_t algo, + size_t key_size, size_t salt_size); /** * Create a symmetric signer instance. diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index 30724b16d..c6780daf1 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -204,16 +204,13 @@ METHOD(crypto_tester_t, test_crypter, bool, continue; } - tested++; - failed = TRUE; crypter = create(alg, vector->key_size); if (!crypter) - { - DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported", - encryption_algorithm_names, alg, plugin_name, - BITS_PER_BYTE * vector->key_size); + { /* key size not supported */ continue; } + tested++; + failed = TRUE; key = chunk_create(vector->key, crypter->get_key_size(crypter)); if (!crypter->set_key(crypter, key)) @@ -318,7 +315,7 @@ static u_int bench_aead(private_crypto_tester_t *this, { aead_t *aead; - aead = create(alg, 0); + aead = create(alg, 0, 0); if (aead) { char iv[aead->get_iv_size(aead)]; @@ -367,7 +364,8 @@ static u_int bench_aead(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_aead, bool, private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, - aead_constructor_t create, u_int *speed, const char *plugin_name) + size_t salt_size, aead_constructor_t create, + u_int *speed, const char *plugin_name) { enumerator_t *enumerator; aead_test_vector_t *vector; @@ -389,10 +387,14 @@ METHOD(crypto_tester_t, test_aead, bool, { /* test only vectors with a specific key size, if key size given */ continue; } + if (salt_size && salt_size != vector->salt_size) + { + continue; + } tested++; failed = TRUE; - aead = create(alg, vector->key_size); + aead = create(alg, vector->key_size, vector->salt_size); if (!aead) { DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported", @@ -1221,4 +1223,3 @@ crypto_tester_t *crypto_tester_create() return &this->public; } - diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h index 9ac665929..add3b1cdf 100644 --- a/src/libstrongswan/crypto/crypto_tester.h +++ b/src/libstrongswan/crypto/crypto_tester.h @@ -54,6 +54,8 @@ struct aead_test_vector_t { encryption_algorithm_t alg; /** key length to use, in bytes */ size_t key_size; + /** salt length to use, in bytes */ + size_t salt_size; /** encryption key of test vector */ u_char *key; /** initialization vector, using crypters blocksize bytes */ @@ -150,13 +152,15 @@ struct crypto_tester_t { * * @param alg algorithm to test * @param key_size key size to test, 0 for default + * @param salt_size salt length to test, 0 for default * @param create constructor function for the aead transform * @param speed speed test result, NULL to omit * @return TRUE if test passed */ bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg, - size_t key_size, aead_constructor_t create, - u_int *speed, const char *plugin_name); + size_t key_size, size_t salt_size, + aead_constructor_t create, + u_int *speed, const char *plugin_name); /** * Test a signer algorithm. * diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index 8472c30a5..c5bb4cd93 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -265,8 +265,11 @@ bool library_init(char *settings, const char *namespace) #ifdef LEAK_DETECTIVE lib->leak_detective = leak_detective_create(); - lib->leak_detective->set_report_cb(lib->leak_detective, - report_leaks, sum_leaks, NULL); + if (lib->leak_detective) + { + lib->leak_detective->set_report_cb(lib->leak_detective, + report_leaks, sum_leaks, NULL); + } #endif /* LEAK_DETECTIVE */ pfh = printf_hook_create(); diff --git a/src/libstrongswan/plugins/acert/Makefile.am b/src/libstrongswan/plugins/acert/Makefile.am new file mode 100644 index 000000000..ba16f413a --- /dev/null +++ b/src/libstrongswan/plugins/acert/Makefile.am @@ -0,0 +1,17 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-acert.la +else +plugin_LTLIBRARIES = libstrongswan-acert.la +endif + +libstrongswan_acert_la_SOURCES = \ + acert_validator.h acert_validator.c \ + acert_plugin.h acert_plugin.c + +libstrongswan_acert_la_LDFLAGS = -module -avoid-version diff --git a/src/openac/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in index b5e00bee6..3dd650d4b 100644 --- a/src/openac/Makefile.in +++ b/src/libstrongswan/plugins/acert/Makefile.in @@ -78,10 +78,9 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -ipsec_PROGRAMS = openac$(EXEEXT) -subdir = src/openac +subdir = src/libstrongswan/plugins/acert DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp $(dist_man_MANS) + $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -99,16 +98,49 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" -PROGRAMS = $(ipsec_PROGRAMS) -am_openac_OBJECTS = openac.$(OBJEXT) -openac_OBJECTS = $(am_openac_OBJECTS) -openac_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_acert_la_LIBADD = +am_libstrongswan_acert_la_OBJECTS = acert_validator.lo acert_plugin.lo +libstrongswan_acert_la_OBJECTS = $(am_libstrongswan_acert_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = +libstrongswan_acert_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_acert_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_acert_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_acert_la_rpath = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -143,43 +175,13 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(openac_SOURCES) -DIST_SOURCES = $(openac_SOURCES) +SOURCES = $(libstrongswan_acert_la_SOURCES) +DIST_SOURCES = $(libstrongswan_acert_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__uninstall_files_from_dir = { \ - test -z "$$files" \ - || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ - || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ - $(am__cd) "$$dir" && rm -f $$files; }; \ - } -man8dir = $(mandir)/man8 -NROFF = nroff -MANS = $(dist_man_MANS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -369,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -409,14 +410,19 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -openac_SOURCES = openac.c -dist_man_MANS = openac.8 AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -DIPSEC_CONFDIR=\"${sysconfdir}\" \ - -DPLUGINS=\""${openac_plugins}\"" + -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = \ + -rdynamic -openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-acert.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-acert.la +libstrongswan_acert_la_SOURCES = \ + acert_validator.h acert_validator.c \ + acert_plugin.h acert_plugin.c + +libstrongswan_acert_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: @@ -430,9 +436,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/openac/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/acert/Makefile'; \ $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/openac/Makefile + $(AUTOMAKE) --gnu src/libstrongswan/plugins/acert/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -451,59 +457,55 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -install-ipsecPROGRAMS: $(ipsec_PROGRAMS) + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) @$(NORMAL_INSTALL) - @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ - if test -n "$$list"; then \ - echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \ - fi; \ - for p in $$list; do echo "$$p $$p"; done | \ - sed 's/$(EXEEXT)$$//' | \ - while read p p1; do if test -f $$p \ - || test -f $$p1 \ - ; then echo "$$p"; echo "$$p"; else :; fi; \ - done | \ - sed -e 'p;s,.*/,,;n;h' \ - -e 's|.*|.|' \ - -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ - sed 'N;N;N;s,\n, ,g' | \ - $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ - { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ - if ($$2 == $$4) files[d] = files[d] " " $$1; \ - else { print "f", $$3 "/" $$4, $$1; } } \ - END { for (d in files) print "f", d, files[d] }' | \ - while read type dir files; do \ - if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ - test -z "$$files" || { \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \ - } \ - ; done - -uninstall-ipsecPROGRAMS: + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ - files=`for p in $$list; do echo "$$p"; done | \ - sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ - -e 's/$$/$(EXEEXT)/' \ - `; \ - test -n "$$list" || exit 0; \ - echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files - -clean-ipsecPROGRAMS: - @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list - -openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) $(EXTRA_openac_DEPENDENCIES) - @rm -f openac$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-acert.la: $(libstrongswan_acert_la_OBJECTS) $(libstrongswan_acert_la_DEPENDENCIES) $(EXTRA_libstrongswan_acert_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_acert_la_LINK) $(am_libstrongswan_acert_la_rpath) $(libstrongswan_acert_la_OBJECTS) $(libstrongswan_acert_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -511,7 +513,8 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acert_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acert_validator.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @@ -542,49 +545,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(dist_man_MANS) - @$(NORMAL_INSTALL) - @list1=''; \ - list2='$(dist_man_MANS)'; \ - test -n "$(man8dir)" \ - && test -n "`echo $$list1$$list2`" \ - || exit 0; \ - echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ - $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ - { for i in $$list1; do echo "$$i"; done; \ - if test -n "$$list2"; then \ - for i in $$list2; do echo "$$i"; done \ - | sed -n '/\.8[a-z]*$$/p'; \ - fi; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ - done; } - -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list=''; test -n "$(man8dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.8[a-z]*$$/p'; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -670,9 +630,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) +all-am: Makefile $(LTLIBRARIES) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(plugindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -707,8 +667,8 @@ maintainer-clean-generic: @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \ - mostlyclean-am +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -728,7 +688,7 @@ info: info-am info-am: -install-data-am: install-ipsecPROGRAMS install-man +install-data-am: install-pluginLTLIBRARIES install-dvi: install-dvi-am @@ -744,7 +704,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-pdf: install-pdf-am @@ -774,28 +734,25 @@ ps: ps-am ps-am: -uninstall-am: uninstall-ipsecPROGRAMS uninstall-man - -uninstall-man: uninstall-man8 +uninstall-am: uninstall-pluginLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-ipsecPROGRAMS clean-libtool cscopelist-am ctags ctags-am \ - distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-ipsecPROGRAMS install-man install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ - uninstall-ipsecPROGRAMS uninstall-man uninstall-man8 - -openac.o : $(top_builddir)/config.status + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libstrongswan/plugins/acert/acert_plugin.c b/src/libstrongswan/plugins/acert/acert_plugin.c new file mode 100644 index 000000000..01d9ae3b8 --- /dev/null +++ b/src/libstrongswan/plugins/acert/acert_plugin.c @@ -0,0 +1,99 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "acert_plugin.h" +#include "acert_validator.h" + +#include <library.h> + +typedef struct private_acert_plugin_t private_acert_plugin_t; + +/** + * private data of acert_plugin + */ +struct private_acert_plugin_t { + + /** + * public functions + */ + acert_plugin_t public; + + /** + * Validator implementation instance. + */ + acert_validator_t *validator; +}; + +METHOD(plugin_t, get_name, char*, + private_acert_plugin_t *this) +{ + return "acert"; +} + +/** + * Register validator + */ +static bool plugin_cb(private_acert_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + lib->credmgr->add_validator(lib->credmgr, &this->validator->validator); + } + else + { + lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_acert_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "acert"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_acert_plugin_t *this) +{ + this->validator->destroy(this->validator); + free(this); +} + +/* + * see header file + */ +plugin_t *acert_plugin_create() +{ + private_acert_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + .validator = acert_validator_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/acert/acert_plugin.h b/src/libstrongswan/plugins/acert/acert_plugin.h new file mode 100644 index 000000000..97d12936d --- /dev/null +++ b/src/libstrongswan/plugins/acert/acert_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup acert acert + * @ingroup plugins + * + * @defgroup acert_plugin acert_plugin + * @{ @ingroup acert + */ + +#ifndef ACERT_PLUGIN_H_ +#define ACERT_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct acert_plugin_t acert_plugin_t; + +/** + * X.509 attribute certificate group membership checking. + */ +struct acert_plugin_t { + + /** + * Implements plugin_t. interface. + */ + plugin_t plugin; +}; + +#endif /** ACERT_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/acert/acert_validator.c b/src/libstrongswan/plugins/acert/acert_validator.c new file mode 100644 index 000000000..ab15dba98 --- /dev/null +++ b/src/libstrongswan/plugins/acert/acert_validator.c @@ -0,0 +1,149 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include <library.h> + +#include "acert_validator.h" + +#include <credentials/certificates/x509.h> +#include <credentials/certificates/ac.h> + +typedef struct private_acert_validator_t private_acert_validator_t; + +/** + * Private data of an acert_validator_t object. + */ +struct private_acert_validator_t { + + /** + * Public acert_validator_t interface. + */ + acert_validator_t public; +}; + +/** + * Check if an AC can be trusted + */ +static bool verify(private_acert_validator_t *this, certificate_t *ac) +{ + certificate_t *issuer; + enumerator_t *enumerator; + bool verified = FALSE; + + if (!ac->get_validity(ac, NULL, NULL, NULL)) + { + return FALSE; + } + DBG1(DBG_CFG, "verifying attribute certificate issued by \"%Y\"", + ac->get_issuer(ac)); + enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, + ac->get_issuer(ac), TRUE); + while (enumerator->enumerate(enumerator, &issuer, NULL)) + { + if (issuer->get_validity(issuer, NULL, NULL, NULL)) + { + if (lib->credmgr->issued_by(lib->credmgr, ac, issuer, NULL)) + { + verified = TRUE; + break; + } + } + } + enumerator->destroy(enumerator); + + return verified; +} + +/** + * Apply AC group membership to auth config + */ +static void apply(private_acert_validator_t *this, ac_t *ac, auth_cfg_t *auth) +{ + enumerator_t *enumerator; + ac_group_type_t type; + chunk_t chunk; + + enumerator = ac->create_group_enumerator(ac); + while (enumerator->enumerate(enumerator, &type, &chunk)) + { + if (type == AC_GROUP_TYPE_STRING) + { + auth->add(auth, AUTH_RULE_GROUP, + identification_create_from_data(chunk)); + } + } + enumerator->destroy(enumerator); +} + +METHOD(cert_validator_t, validate, bool, + private_acert_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, u_int pathlen, bool anchor, + auth_cfg_t *auth) +{ + /* for X.509 end entity certs only */ + if (pathlen == 0 && subject->get_type(subject) == CERT_X509) + { + x509_t *x509 = (x509_t*)subject; + enumerator_t *enumerator; + identification_t *id, *serial; + ac_t *ac; + + /* find attribute certificates by serial and issuer. A lookup by + * the holder DN would work as well, but RFC 5755 recommends the use + * of baseCertificateID. */ + serial = identification_create_from_encoding(ID_KEY_ID, + x509->get_serial(x509)); + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_AC, KEY_ANY, serial, FALSE); + while (enumerator->enumerate(enumerator, &ac)) + { + id = ac->get_holderIssuer(ac); + if (id && id->equals(id, subject->get_issuer(subject))) + { + if (verify(this, &ac->certificate)) + { + apply(this, ac, auth); + } + } + } + enumerator->destroy(enumerator); + serial->destroy(serial); + } + return TRUE; +} + +METHOD(acert_validator_t, destroy, void, + private_acert_validator_t *this) +{ + free(this); +} + +/** + * See header + */ +acert_validator_t *acert_validator_create() +{ + private_acert_validator_t *this; + + INIT(this, + .public = { + .validator.validate = _validate, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/acert/acert_validator.h b/src/libstrongswan/plugins/acert/acert_validator.h new file mode 100644 index 000000000..507776f18 --- /dev/null +++ b/src/libstrongswan/plugins/acert/acert_validator.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup acert_validator acert_validator + * @{ @ingroup acert + */ + +#ifndef ACERT_VALIDATOR_H_ +#define ACERT_VALIDATOR_H_ + +#include <credentials/cert_validator.h> + +typedef struct acert_validator_t acert_validator_t; + +/** + * Attribute certificate group membership checking + */ +struct acert_validator_t { + + /** + * Implements cert_validator_t interface. + */ + cert_validator_t validator; + + /** + * Destroy a acert_validator_t. + */ + void (*destroy)(acert_validator_t *this); +}; + +/** + * Create a acert_validator instance. + */ +acert_validator_t *acert_validator_create(); + +#endif /** ACERT_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 9e91e8671..f9c0750ed 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in index 4ea1e8f36..08f5e9453 100644 --- a/src/libstrongswan/plugins/af_alg/Makefile.in +++ b/src/libstrongswan/plugins/af_alg/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 150e8d4d4..bfd9f2b6c 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index f13a96421..1e3f69f96 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in index ed3f05681..b1e0f160b 100644 --- a/src/libstrongswan/plugins/ccm/Makefile.in +++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c index 65eccb2db..6d4b2e13c 100644 --- a/src/libstrongswan/plugins/ccm/ccm_aead.c +++ b/src/libstrongswan/plugins/ccm/ccm_aead.c @@ -343,7 +343,8 @@ METHOD(aead_t, destroy, void, /** * See header */ -ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size) +ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, + size_t key_size, size_t salt_size) { private_ccm_aead_t *this; size_t icv_size; @@ -360,6 +361,11 @@ ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size) default: return NULL; } + if (salt_size && salt_size != SALT_SIZE) + { + /* currently not supported */ + return NULL; + } switch (algo) { case ENCR_AES_CCM_ICV8: diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h index 79ab31804..0f1ec09a7 100644 --- a/src/libstrongswan/plugins/ccm/ccm_aead.h +++ b/src/libstrongswan/plugins/ccm/ccm_aead.h @@ -44,8 +44,10 @@ struct ccm_aead_t { * * @param algo algorithm to implement, a CCM mode * @param key_size key size in bytes + * @param salt_size size of implicit salt length * @return aead, NULL if not supported */ -ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size); +ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size, + size_t salt_size); #endif /** CCM_AEAD_H_ @}*/ diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in index 620d8359f..a609e7177 100644 --- a/src/libstrongswan/plugins/cmac/Makefile.in +++ b/src/libstrongswan/plugins/cmac/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in index 060287d1c..654800b65 100644 --- a/src/libstrongswan/plugins/constraints/Makefile.in +++ b/src/libstrongswan/plugins/constraints/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index ff34435a2..b6789e76d 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index a756a0a7e..67a92b3c2 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index ca79430c9..fb38b0738 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index b94b644c0..6986a8156 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 3bb540d90..71a61f617 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index 7bce3c983..dbf9d1169 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c index ba5f2e4b3..4ab17017f 100644 --- a/src/libstrongswan/plugins/gcm/gcm_aead.c +++ b/src/libstrongswan/plugins/gcm/gcm_aead.c @@ -375,7 +375,8 @@ METHOD(aead_t, destroy, void, /** * See header */ -gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size) +gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, + size_t key_size, size_t salt_size) { private_gcm_aead_t *this; size_t icv_size; @@ -392,6 +393,11 @@ gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size) default: return NULL; } + if (salt_size && salt_size != SALT_SIZE) + { + /* currently not supported */ + return NULL; + } switch (algo) { case ENCR_AES_GCM_ICV8: diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h index 846c3c76c..5c09477c3 100644 --- a/src/libstrongswan/plugins/gcm/gcm_aead.h +++ b/src/libstrongswan/plugins/gcm/gcm_aead.h @@ -44,8 +44,10 @@ struct gcm_aead_t { * * @param algo algorithm to implement, a gcm mode * @param key_size key size in bytes + * @param salt_size size of implicit salt length * @return aead, NULL if not supported */ -gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size); +gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size, + size_t salt_size); #endif /** GCM_AEAD_H_ @}*/ diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 4ce3cf919..731375dcd 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index 73e0645b0..6b63e192d 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index f5e38fa90..d255cc95d 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in index 42093e413..38a478b77 100644 --- a/src/libstrongswan/plugins/keychain/Makefile.in +++ b/src/libstrongswan/plugins/keychain/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 7f14fbf8e..bd5bd43f2 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index bdd446cd3..a5caf8df5 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 32aac7bfa..c44893149 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index a35f8051b..fb36d16a2 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in index 25437bdb8..60e45db7c 100644 --- a/src/libstrongswan/plugins/nonce/Makefile.in +++ b/src/libstrongswan/plugins/nonce/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am index b33cbc8c9..e241554b5 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.am +++ b/src/libstrongswan/plugins/ntru/Makefile.am @@ -12,21 +12,15 @@ endif libstrongswan_ntru_la_SOURCES = \ ntru_plugin.h ntru_plugin.c \ + ntru_convert.h ntru_convert.c \ ntru_drbg.h ntru_drbg.c \ ntru_ke.h ntru_ke.c \ ntru_mgf1.h ntru_mgf1.c \ + ntru_param_set.h ntru_param_set.c \ ntru_poly.h ntru_poly.c \ - ntru_trits.h ntru_trits.c \ - ntru_crypto/ntru_crypto.h \ - ntru_crypto/ntru_crypto_ntru_convert.h \ - ntru_crypto/ntru_crypto_ntru_convert.c \ - ntru_crypto/ntru_crypto_ntru_encrypt.c \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.h \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.c \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \ - ntru_crypto/ntru_crypto_ntru_poly.h \ - ntru_crypto/ntru_crypto_ntru_poly.c + ntru_public_key.h ntru_public_key.c \ + ntru_private_key.h ntru_private_key.c \ + ntru_trits.h ntru_trits.c libstrongswan_ntru_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in index af192d203..38258048f 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.in +++ b/src/libstrongswan/plugins/ntru/Makefile.in @@ -128,14 +128,10 @@ am__uninstall_files_from_dir = { \ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_ntru_la_LIBADD = -am__dirstamp = $(am__leading_dot)dirstamp -am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_drbg.lo \ - ntru_ke.lo ntru_mgf1.lo ntru_poly.lo ntru_trits.lo \ - ntru_crypto/ntru_crypto_ntru_convert.lo \ - ntru_crypto/ntru_crypto_ntru_encrypt.lo \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.lo \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo \ - ntru_crypto/ntru_crypto_ntru_poly.lo +am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_convert.lo \ + ntru_drbg.lo ntru_ke.lo ntru_mgf1.lo ntru_param_set.lo \ + ntru_poly.lo ntru_public_key.lo ntru_private_key.lo \ + ntru_trits.lo libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -377,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -427,21 +422,15 @@ AM_CFLAGS = \ @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ntru.la libstrongswan_ntru_la_SOURCES = \ ntru_plugin.h ntru_plugin.c \ + ntru_convert.h ntru_convert.c \ ntru_drbg.h ntru_drbg.c \ ntru_ke.h ntru_ke.c \ ntru_mgf1.h ntru_mgf1.c \ + ntru_param_set.h ntru_param_set.c \ ntru_poly.h ntru_poly.c \ - ntru_trits.h ntru_trits.c \ - ntru_crypto/ntru_crypto.h \ - ntru_crypto/ntru_crypto_ntru_convert.h \ - ntru_crypto/ntru_crypto_ntru_convert.c \ - ntru_crypto/ntru_crypto_ntru_encrypt.c \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.h \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.c \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \ - ntru_crypto/ntru_crypto_ntru_poly.h \ - ntru_crypto/ntru_crypto_ntru_poly.c + ntru_public_key.h ntru_public_key.c \ + ntru_private_key.h ntru_private_key.c \ + ntru_trits.h ntru_trits.c libstrongswan_ntru_la_LDFLAGS = -module -avoid-version all: all-am @@ -524,47 +513,26 @@ clean-pluginLTLIBRARIES: echo rm -f $${locs}; \ rm -f $${locs}; \ } -ntru_crypto/$(am__dirstamp): - @$(MKDIR_P) ntru_crypto - @: > ntru_crypto/$(am__dirstamp) -ntru_crypto/$(DEPDIR)/$(am__dirstamp): - @$(MKDIR_P) ntru_crypto/$(DEPDIR) - @: > ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_convert.lo: ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_encrypt.lo: ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_encrypt_key.lo: \ - ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo: \ - ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_poly.lo: ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) libstrongswan-ntru.la: $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_DEPENDENCIES) $(EXTRA_libstrongswan_ntru_la_DEPENDENCIES) $(AM_V_CCLD)$(libstrongswan_ntru_la_LINK) $(am_libstrongswan_ntru_la_rpath) $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) - -rm -f ntru_crypto/*.$(OBJEXT) - -rm -f ntru_crypto/*.lo distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_convert.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_drbg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_ke.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_mgf1.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_param_set.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_poly.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_private_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_trits.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_convert.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_key.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_param_sets.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_poly.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @@ -595,7 +563,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs - -rm -rf ntru_crypto/.libs ntru_crypto/_libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -712,8 +679,6 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -rm -f ntru_crypto/$(DEPDIR)/$(am__dirstamp) - -rm -f ntru_crypto/$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -724,7 +689,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ clean-pluginLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR) + -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -770,7 +735,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR) + -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/src/libstrongswan/plugins/ntru/ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_convert.c new file mode 100644 index 000000000..6330b2e39 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_convert.c @@ -0,0 +1,452 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdlib.h> +#include <string.h> + +#include "ntru_convert.h" + +/** + * 3-bit to 2-trit conversion tables: 2 represents -1 + */ +static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2}; +static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1}; + +/** + * See header. + */ +void ntru_bits_2_trits(uint8_t const *octets, uint16_t num_trits, uint8_t *trits) +{ + uint32_t bits24, bits3, shift; + + while (num_trits >= 16) + { + /* get next three octets */ + bits24 = ((uint32_t)(*octets++)) << 16; + bits24 |= ((uint32_t)(*octets++)) << 8; + bits24 |= (uint32_t)(*octets++); + + /* for each 3 bits in the three octets, output 2 trits */ + bits3 = (bits24 >> 21) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 18) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 15) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 12) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 9) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 6) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 3) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = bits24 & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + num_trits -= 16; + } + if (num_trits == 0) + { + return; + } + + /* get three octets */ + bits24 = ((uint32_t)(*octets++)) << 16; + bits24 |= ((uint32_t)(*octets++)) << 8; + bits24 |= (uint32_t)(*octets++); + + shift = 21; + while (num_trits) + { + /** + * for each 3 bits in the three octets, output up to 2 trits + * until all trits needed are produced + */ + bits3 = (bits24 >> shift) & 0x7; + shift -= 3; + *trits++ = bits_2_trit1[bits3]; + if (--num_trits) + { + *trits++ = bits_2_trit2[bits3]; + --num_trits; + } + } +} + +/** + * See header. + */ +bool ntru_trits_2_bits(uint8_t const *trits, uint32_t num_trits, uint8_t *octets) +{ + bool all_trits_valid = TRUE; + uint32_t bits24, bits3, shift; + + while (num_trits >= 16) + { + /* convert each 2 trits to 3 bits and pack */ + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 = (bits3 << 21); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 18); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 15); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 12); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 9); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 6); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 3); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= bits3; + + num_trits -= 16; + + /* output three octets */ + *octets++ = (uint8_t)((bits24 >> 16) & 0xff); + *octets++ = (uint8_t)((bits24 >> 8) & 0xff); + *octets++ = (uint8_t)(bits24 & 0xff); + } + + bits24 = 0; + shift = 21; + while (num_trits) + { + /* convert each 2 trits to 3 bits and pack */ + bits3 = *trits++ * 3; + if (--num_trits) + { + bits3 += *trits++; + --num_trits; + } + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << shift); + shift -= 3; + } + + /* output three octets */ + *octets++ = (uint8_t)((bits24 >> 16) & 0xff); + *octets++ = (uint8_t)((bits24 >> 8) & 0xff); + *octets++ = (uint8_t)(bits24 & 0xff); + + return all_trits_valid; +} + +/** + * See header + */ +void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs, uint8_t *octets) +{ + uint8_t bits2; + int shift, i; + + *octets = 0; + shift = 6; + for (i = 0; i < num_coeffs; i++) + { + bits2 = (uint8_t)(coeffs[i] & 0x3); + *octets |= bits2 << shift; + shift -= 2; + if (shift < 0) + { + ++octets; + *octets = 0; + shift = 6; + } + } +} + +/** + * See header. + */ +void ntru_trits_2_octet(uint8_t const *trits, uint8_t *octet) +{ + int i; + + *octet = 0; + for (i = 4; i >= 0; i--) + { + *octet = (*octet * 3) + trits[i]; + } +} + +/** + * See header. + */ +void ntru_octet_2_trits(uint8_t octet, uint8_t *trits) +{ + int i; + + for (i = 0; i < 5; i++) + { + trits[i] = octet % 3; + octet = (octet - trits[i]) / 3; + } +} + +/** + * See header. + */ +void ntru_indices_2_trits(uint16_t in_len, uint16_t const *in, bool plus1, + uint8_t *out) +{ + uint8_t trit = plus1 ? 1 : 2; + int i; + + for (i = 0; i < in_len; i++) + { + out[in[i]] = trit; + } +} + +/** + * See header. + */ +void ntru_packed_trits_2_indices(uint8_t const *in, uint16_t num_trits, + uint16_t *indices_plus1, + uint16_t *indices_minus1) +{ + uint8_t trits[5]; + uint16_t i = 0; + int j; + + while (num_trits >= 5) + { + ntru_octet_2_trits(*in++, trits); + num_trits -= 5; + for (j = 0; j < 5; j++, i++) + { + if (trits[j] == 1) + { + *indices_plus1 = i; + ++indices_plus1; + } + else if (trits[j] == 2) + { + *indices_minus1 = i; + ++indices_minus1; + } + } + } + if (num_trits) + { + ntru_octet_2_trits(*in, trits); + for (j = 0; num_trits && (j < 5); j++, i++) + { + if (trits[j] == 1) + { + *indices_plus1 = i; + ++indices_plus1; + } + else if (trits[j] == 2) + { + *indices_minus1 = i; + ++indices_minus1; + } + --num_trits; + } + } +} + +/** + * See header. + */ +void ntru_indices_2_packed_trits(uint16_t const *indices, uint16_t num_plus1, + uint16_t num_minus1, uint16_t num_trits, + uint8_t *buf, uint8_t *out) +{ + /* convert indices to an array of trits */ + memset(buf, 0, num_trits); + ntru_indices_2_trits(num_plus1, indices, TRUE, buf); + ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf); + + /* pack the array of trits */ + while (num_trits >= 5) + { + ntru_trits_2_octet(buf, out); + num_trits -= 5; + buf += 5; + ++out; + } + if (num_trits) + { + uint8_t trits[5]; + + memcpy(trits, buf, num_trits); + memset(trits + num_trits, 0, sizeof(trits) - num_trits); + ntru_trits_2_octet(trits, out); + } +} + +/** + * See header + */ +void ntru_elements_2_octets(uint16_t in_len, uint16_t const *in, uint8_t n_bits, + uint8_t *out) +{ + uint16_t temp; + int shift, i; + + /* pack */ + temp = 0; + shift = n_bits - 8; + i = 0; + while (i < in_len) + { + /* add bits to temp to fill an octet and output the octet */ + temp |= in[i] >> shift; + *out++ = (uint8_t)(temp & 0xff); + shift = 8 - shift; + if (shift < 1) + { + /* next full octet is in current input word */ + shift += n_bits; + temp = 0; + } + else + { + /* put remaining bits of input word in temp as partial octet, + * and increment index to next input word + */ + temp = in[i] << (uint16_t)shift; + ++i; + } + shift = n_bits - shift; + } + + /* output any bits remaining in last input word */ + if (shift != n_bits - 8) + { + *out++ = (uint8_t)(temp & 0xff); + } +} + + +/** + * See header. + */ +void ntru_octets_2_elements(uint16_t in_len, uint8_t const *in, uint8_t n_bits, + uint16_t *out) +{ + uint16_t temp; + uint16_t mask = (1 << n_bits) - 1; + int shift, i; + + /* unpack */ + temp = 0; + shift = n_bits; + i = 0; + while (i < in_len) + { + shift = 8 - shift; + if (shift < 0) + { + /* the current octet will not fill the current element */ + shift += n_bits; + } + else + { + /* add bits from the current octet to fill the current element and + * output the element + */ + temp |= ((uint16_t)in[i]) >> shift; + *out++ = temp & mask; + temp = 0; + } + + /* add the remaining bits of the current octet to start an element */ + shift = n_bits - shift; + temp |= ((uint16_t)in[i]) << shift; + ++i; + } +} diff --git a/src/libstrongswan/plugins/ntru/ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_convert.h new file mode 100644 index 000000000..31594b1f6 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_convert.h @@ -0,0 +1,147 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_convert ntru_convert + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_CONVERT_H_ +#define NTRU_CONVERT_H_ + +#include <library.h> + +/** + * Each 3 bits in an array of octets is converted to 2 trits in an array + * of trits. + * + * @param octets pointer to array of octets + * @param num_trits number of trits to produce + * @param trits address for array of trits + */ +void ntru_bits_2_trits(uint8_t const *octets, uint16_t num_trits, + uint8_t *trits); + +/** + * Each 2 trits in an array of trits is converted to 3 bits, and the bits + * are packed in an array of octets. A multiple of 3 octets is output. + * Any bits in the final octets not derived from trits are zero. + * + * @param trits pointer to array of trits + * @param num_trits number of trits to convert + * @param octets address for array of octets + * @return TRUE if all trits were valid + * FALSE if invalid trits were found + */ +bool ntru_trits_2_bits(uint8_t const *trits, uint32_t num_trits, + uint8_t *octets); + +/** + * Takes an array of coefficients mod 4 and packs the results into an + * octet string. + * + * @param num_coeffs number of coefficients + * @param coeffs pointer to coefficients + * @param octets address for octets + */ +void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs, + uint8_t *octets); + +/** + * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1). + * + * @param trits pointer to trits + * @param octet address for octet + */ +void ntru_trits_2_octet(uint8_t const *trits, uint8_t *octet); + +/** + * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1). + * + * @param octet octet to be unpacked + * @param trits address for trits + */ +void ntru_octet_2_trits(uint8_t octet, uint8_t *trits); + +/** + * + * Converts a list of the nonzero indices of a polynomial into an array of + * trits. + * + * @param in_len no. of indices + * @param in pointer to list of indices + * @param plus1 if list is +1 coefficients + * @param out address of output polynomial + */ +void ntru_indices_2_trits(uint16_t in_len, uint16_t const *in, bool plus1, + uint8_t *out); + +/** + * Unpacks an array of N trits and creates a list of array indices + * corresponding to trits = +1, and list of array indices corresponding to + * trits = -1. + * + * @param in pointer to packed-trit octets + * @param num_trits no. of packed trits + * @param indices_plus1 address for indices of +1 trits + * @param indices_minus1 address for indices of -1 trits + */ +void ntru_packed_trits_2_indices(uint8_t const *in, uint16_t num_trits, + uint16_t *indices_plus1, + uint16_t *indices_minus1); + +/** + * Takes a list of array indices corresponding to elements whose values + * are +1 or -1, and packs the N-element array of trits described by these + * lists into octets, 5 trits per octet. + * + * @param indices pointer to indices + * @param num_plus1 no. of indices for +1 trits + * @param num_minus1 no. of indices for -1 trits + * @param num_trits N, no. of trits in array + * @param buf temp buf, N octets + * @param out address for packed octet + */ +void ntru_indices_2_packed_trits(uint16_t const *indices, uint16_t num_plus1, + uint16_t num_minus1, uint16_t num_trits, + uint8_t *buf, uint8_t *out); + +/** + * Packs an array of n-bit elements into an array of + * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16. + * + * @param in_len no. of elements to be packed + * @param in ptr to elements to be packed + * @param n_bits no. of bits in input element + * @param out addr for output octets + */ +void ntru_elements_2_octets(uint16_t in_len, uint16_t const *in, uint8_t n_bits, + uint8_t *out); + +/** + * Unpacks an octet string into an array of ((in_len * 8) / n_bits) + * n-bit elements, 8 < n < 16. Any extra bits are discarded. + * + * @param in_len no. of octets to be unpacked + * @param in ptr to octets to be unpacked + * @param n_bits no. of bits in output element + * @param out addr for output elements + */ +void ntru_octets_2_elements(uint16_t in_len, uint8_t const *in, uint8_t n_bits, + uint16_t *out); + +#endif /** NTRU_CONVERT_H_ @}*/ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h deleted file mode 100644 index 72f47035e..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h +++ /dev/null @@ -1,235 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - - -/****************************************************************************** - * - * File: ntru_crypto.h - * - * Contents: Public header file for NTRUEncrypt. - * - *****************************************************************************/ - -#ifndef NTRU_CRYPTO_H -#define NTRU_CRYPTO_H - -#include <library.h> - -#include "ntru_drbg.h" - -#if !defined( NTRUCALL ) - #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC) - // Linux, or a Win32 static library - #define NTRUCALL extern uint32_t - #elif defined (NTRUCRYPTO_EXPORTS) - // Win32 DLL build - #define NTRUCALL extern __declspec(dllexport) uint32_t - #else - // Win32 DLL import - #define NTRUCALL extern __declspec(dllimport) uint32_t - #endif -#endif /* NTRUCALL */ - -/* parameter set ID list */ - -typedef enum _NTRU_ENCRYPT_PARAM_SET_ID { - NTRU_EES401EP1, - NTRU_EES449EP1, - NTRU_EES677EP1, - NTRU_EES1087EP2, - NTRU_EES541EP1, - NTRU_EES613EP1, - NTRU_EES887EP1, - NTRU_EES1171EP1, - NTRU_EES659EP1, - NTRU_EES761EP1, - NTRU_EES1087EP1, - NTRU_EES1499EP1, - NTRU_EES401EP2, - NTRU_EES439EP1, - NTRU_EES593EP1, - NTRU_EES743EP1, -} NTRU_ENCRYPT_PARAM_SET_ID; - - -/* error codes */ - -#define NTRU_OK 0 -#define NTRU_FAIL 1 -#define NTRU_BAD_PARAMETER 2 -#define NTRU_BAD_LENGTH 3 -#define NTRU_BUFFER_TOO_SMALL 4 -#define NTRU_INVALID_PARAMETER_SET 5 -#define NTRU_BAD_PUBLIC_KEY 6 -#define NTRU_BAD_PRIVATE_KEY 7 -#define NTRU_OUT_OF_MEMORY 8 -#define NTRU_BAD_ENCODING 9 -#define NTRU_OID_NOT_RECOGNIZED 10 -#define NTRU_DRBG_FAIL 11 -#define NTRU_MGF1_FAIL 12 - -/* function declarations */ - -/* ntru_crypto_ntru_encrypt - * - * Implements NTRU encryption (SVES) for the parameter set specified in - * the public key blob. - * - * Before invoking this function, a DRBG must be instantiated using - * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that - * instantiation the requested security strength must be at least as large - * as the security strength of the NTRU parameter set being used. - * Failure to instantiate the DRBG with the proper security strength will - * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH. - * - * The required minimum size of the output ciphertext buffer (ct) may be - * queried by invoking this function with ct = NULL. In this case, no - * encryption is performed, NTRU_OK is returned, and the required minimum - * size for ct is returned in ct_len. - * - * When ct != NULL, at invocation *ct_len must be the size of the ct buffer. - * Upon return it is the actual size of the ciphertext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is - * zero, or if pt_len exceeds the maximum plaintext length for the parameter set. - * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - */ - -NTRUCALL -ntru_crypto_ntru_encrypt( - ntru_drbg_t *drbg , /* in - handle for DRBG */ - uint16_t pubkey_blob_len, /* in - no. of octets in public key - blob */ - uint8_t const *pubkey_blob, /* in - pointer to public key */ - uint16_t pt_len, /* in - no. of octets in plaintext */ - uint8_t const *pt, /* in - pointer to plaintext */ - uint16_t *ct_len, /* in/out - no. of octets in ct, addr for - no. of octets in ciphertext */ - uint8_t *ct); /* out - address for ciphertext */ - - -/* ntru_crypto_ntru_decrypt - * - * Implements NTRU decryption (SVES) for the parameter set specified in - * the private key blob. - * - * The maximum size of the output plaintext may be queried by invoking - * this function with pt = NULL. In this case, no decryption is performed, - * NTRU_OK is returned, and the maximum size the plaintext could be is - * returned in pt_len. - * Note that until the decryption is performed successfully, the actual size - * of the resulting plaintext cannot be known. - * - * When pt != NULL, at invocation *pt_len must be the size of the pt buffer. - * Upon return it is the actual size of the plaintext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if - * ct_len is invalid for the parameter set. - * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if a decryption error occurs. - */ - -NTRUCALL -ntru_crypto_ntru_decrypt( - uint16_t privkey_blob_len, /* in - no. of octets in private key - blob */ - uint8_t const *privkey_blob, /* in - pointer to private key */ - uint16_t ct_len, /* in - no. of octets in ciphertext */ - uint8_t const *ct, /* in - pointer to ciphertext */ - uint16_t *pt_len, /* in/out - no. of octets in pt, addr for - no. of octets in plaintext */ - uint8_t *pt); /* out - address for plaintext */ - - -/* ntru_crypto_ntru_encrypt_keygen - * - * Implements key generation for NTRUEncrypt for the parameter set specified. - * - * Before invoking this function, a DRBG must be instantiated using - * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that - * instantiation the requested security strength must be at least as large - * as the security strength of the NTRU parameter set being used. - * Failure to instantiate the DRBG with the proper security strength will - * result in this function returning NTRU_DRBG_FAIL. - * - * The required minimum size of the output public-key buffer (pubkey_blob) - * may be queried by invoking this function with pubkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for pubkey_blob is returned in pubkey_blob_len. - * - * The required minimum size of the output private-key buffer (privkey_blob) - * may be queried by invoking this function with privkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for privkey_blob is returned in privkey_blob_len. - * - * The required minimum sizes of both pubkey_blob and privkey_blob may be - * queried as described above, in a single invocation of this function. - * - * When pubkey_blob != NULL and privkey_blob != NULL, at invocation - * *pubkey_blob_len must be the size of the pubkey_blob buffer and - * *privkey_blob_len must be the size of the privkey_blob buffer. - * Upon return, *pubkey_blob_len is the actual size of the public-key blob - * and *privkey_blob_len is the actual size of the private-key blob. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob - * or privkey_blob) is NULL. - * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid. - * Returns NTRU_BAD_LENGTH if a length argument is invalid. - * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the - * privkey_blob buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if the polynomial generated for f is not invertible in - * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely. - * Should this occur, this function should simply be invoked again. - */ - -NTRUCALL -ntru_crypto_ntru_encrypt_keygen( - ntru_drbg_t *drbg, /* in - handle of DRBG */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */ - uint16_t *pubkey_blob_len, /* in/out - no. of octets in - pubkey_blob, addr - for no. of octets - in pubkey_blob */ - uint8_t *pubkey_blob, /* out - address for - public key blob */ - uint16_t *privkey_blob_len, /* in/out - no. of octets in - privkey_blob, addr - for no. of octets - in privkey_blob */ - uint8_t *privkey_blob); /* out - address for - private key blob */ -#endif /* NTRU_CRYPTO_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c deleted file mode 100644 index 3d6dfde41..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c +++ /dev/null @@ -1,581 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_convert.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_convert.c - * - * Contents: Conversion routines for NTRUEncrypt, including packing, unpacking, - * and others. - * - *****************************************************************************/ - -#include <stdlib.h> -#include <string.h> -#include <assert.h> -#include "ntru_crypto_ntru_convert.h" - - -/* 3-bit to 2-trit conversion tables: 2 represents -1 */ - -static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2}; -static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1}; - - -/* ntru_bits_2_trits - * - * Each 3 bits in an array of octets is converted to 2 trits in an array - * of trits. - * - * The octet array may overlap the end of the trit array. - */ - -void -ntru_bits_2_trits( - uint8_t const *octets, /* in - pointer to array of octets */ - uint16_t num_trits, /* in - number of trits to produce */ - uint8_t *trits) /* out - address for array of trits */ -{ - uint32_t bits24; - uint32_t bits3; - uint32_t shift; - - assert(octets); - assert(trits); - - while (num_trits >= 16) { - - /* get next three octets */ - - bits24 = ((uint32_t)(*octets++)) << 16; - bits24 |= ((uint32_t)(*octets++)) << 8; - bits24 |= (uint32_t)(*octets++); - - /* for each 3 bits in the three octets, output 2 trits */ - - bits3 = (bits24 >> 21) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 18) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 15) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 12) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 9) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 6) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 3) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = bits24 & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - num_trits -= 16; - } - if (num_trits == 0) - return; - - /* get three octets */ - - bits24 = ((uint32_t)(*octets++)) << 16; - bits24 |= ((uint32_t)(*octets++)) << 8; - bits24 |= (uint32_t)(*octets++); - - shift = 21; - while (num_trits) { - - /* for each 3 bits in the three octets, output up to 2 trits - * until all trits needed are produced - */ - - bits3 = (bits24 >> shift) & 0x7; - shift -= 3; - *trits++ = bits_2_trit1[bits3]; - if (--num_trits) { - *trits++ = bits_2_trit2[bits3]; - --num_trits; - } - } -} - - -/* ntru_trits_2_bits - * - * Each 2 trits in an array of trits is converted to 3 bits, and the bits - * are packed in an array of octets. A multiple of 3 octets is output. - * Any bits in the final octets not derived from trits are zero. - * - * Returns TRUE if all trits were valid. - * Returns FALSE if invalid trits were found. - */ - -bool -ntru_trits_2_bits( - uint8_t const *trits, /* in - pointer to array of trits */ - uint32_t num_trits, /* in - number of trits to convert */ - uint8_t *octets) /* out - address for array of octets */ -{ - bool all_trits_valid = TRUE; - uint32_t bits24; - uint32_t bits3; - uint32_t shift; - - assert(octets); - assert(trits); - - while (num_trits >= 16) { - - /* convert each 2 trits to 3 bits and pack */ - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 = (bits3 << 21); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 18); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 15); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 12); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 9); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 6); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 3); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= bits3; - - num_trits -= 16; - - /* output three octets */ - - *octets++ = (uint8_t)((bits24 >> 16) & 0xff); - *octets++ = (uint8_t)((bits24 >> 8) & 0xff); - *octets++ = (uint8_t)(bits24 & 0xff); - } - - bits24 = 0; - shift = 21; - while (num_trits) { - - /* convert each 2 trits to 3 bits and pack */ - - bits3 = *trits++ * 3; - if (--num_trits) { - bits3 += *trits++; - --num_trits; - } - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << shift); - shift -= 3; - } - - /* output three octets */ - - *octets++ = (uint8_t)((bits24 >> 16) & 0xff); - *octets++ = (uint8_t)((bits24 >> 8) & 0xff); - *octets++ = (uint8_t)(bits24 & 0xff); - - return all_trits_valid; -} - - -/* ntru_coeffs_mod4_2_octets - * - * Takes an array of ring element coefficients mod 4 and packs the - * results into an octet string. - */ - -void -ntru_coeffs_mod4_2_octets( - uint16_t num_coeffs, /* in - number of coefficients */ - uint16_t const *coeffs, /* in - pointer to coefficients */ - uint8_t *octets) /* out - address for octets */ -{ - uint8_t bits2; - int shift; - uint16_t i; - - assert(coeffs); - assert(octets); - - *octets = 0; - shift = 6; - for (i = 0; i < num_coeffs; i++) { - bits2 = (uint8_t)(coeffs[i] & 0x3); - *octets |= bits2 << shift; - shift -= 2; - if (shift < 0) { - ++octets; - *octets = 0; - shift = 6; - } - } -} - - -/* ntru_trits_2_octet - * - * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1). - */ - -void -ntru_trits_2_octet( - uint8_t const *trits, /* in - pointer to trits */ - uint8_t *octet) /* out - address for octet */ -{ - int i; - - assert(trits); - assert(octet); - - *octet = 0; - for (i = 4; i >= 0; i--) { - *octet = (*octet * 3) + trits[i]; - } -} - - -/* ntru_octet_2_trits - * - * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1). - */ - -void -ntru_octet_2_trits( - uint8_t octet, /* in - octet to be unpacked */ - uint8_t *trits) /* out - address for trits */ -{ - int i; - - assert(trits); - - for (i = 0; i < 5; i++) { - trits[i] = octet % 3; - octet = (octet - trits[i]) / 3; - } -} - - -/* ntru_indices_2_trits - * - * Converts a list of the nonzero indices of a polynomial into an array of - * trits. - */ - -void -ntru_indices_2_trits( - uint16_t in_len, /* in - no. of indices */ - uint16_t const *in, /* in - pointer to list of indices */ - bool plus1, /* in - if list is +1 cofficients */ - uint8_t *out) /* out - address of output polynomial */ -{ - uint8_t trit = plus1 ? 1 : 2; - uint16_t i; - - assert(in); - assert(out); - - for (i = 0; i < in_len; i++) { - out[in[i]] = trit; - } -} - - -/* ntru_packed_trits_2_indices - * - * Unpacks an array of N trits and creates a list of array indices - * corresponding to trits = +1, and list of array indices corresponding to - * trits = -1. - */ - -void -ntru_packed_trits_2_indices( - uint8_t const *in, /* in - pointer to packed-trit octets */ - uint16_t num_trits, /* in - no. of packed trits */ - uint16_t *indices_plus1, /* out - address for indices of +1 trits */ - uint16_t *indices_minus1) /* out - address for indices of -1 trits */ -{ - uint8_t trits[5]; - uint16_t i = 0; - int j; - - assert(in); - assert(indices_plus1); - assert(indices_minus1); - - while (num_trits >= 5) { - ntru_octet_2_trits(*in++, trits); - num_trits -= 5; - for (j = 0; j < 5; j++, i++) { - if (trits[j] == 1) { - *indices_plus1 = i; - ++indices_plus1; - } else if (trits[j] == 2) { - *indices_minus1 = i; - ++indices_minus1; - } - } - } - if (num_trits) { - ntru_octet_2_trits(*in, trits); - for (j = 0; num_trits && (j < 5); j++, i++) { - if (trits[j] == 1) { - *indices_plus1 = i; - ++indices_plus1; - } else if (trits[j] == 2) { - *indices_minus1 = i; - ++indices_minus1; - } - --num_trits; - } - } -} - - -/* ntru_indices_2_packed_trits - * - * Takes a list of array indices corresponding to elements whose values - * are +1 or -1, and packs the N-element array of trits described by these - * lists into octets, 5 trits per octet. - */ - -void -ntru_indices_2_packed_trits( - uint16_t const *indices, /* in - pointer to indices */ - uint16_t num_plus1, /* in - no. of indices for +1 trits */ - uint16_t num_minus1, /* in - no. of indices for -1 trits */ - uint16_t num_trits, /* in - N, no. of trits in array */ - uint8_t *buf, /* in - temp buf, N octets */ - uint8_t *out) /* out - address for packed octets */ -{ - assert(indices); - assert(buf); - assert(out); - - /* convert indices to an array of trits */ - - memset(buf, 0, num_trits); - ntru_indices_2_trits(num_plus1, indices, TRUE, buf); - ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf); - - /* pack the array of trits */ - - while (num_trits >= 5) { - ntru_trits_2_octet(buf, out); - num_trits -= 5; - buf += 5; - ++out; - } - if (num_trits) { - uint8_t trits[5]; - - memcpy(trits, buf, num_trits); - memset(trits + num_trits, 0, sizeof(trits) - num_trits); - ntru_trits_2_octet(trits, out); - } -} - - -/* ntru_elements_2_octets - * - * Packs an array of n-bit elements into an array of - * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16. - */ - -void -ntru_elements_2_octets( - uint16_t in_len, /* in - no. of elements to be packed */ - uint16_t const *in, /* in - ptr to elements to be packed */ - uint8_t n_bits, /* in - no. of bits in input element */ - uint8_t *out) /* out - addr for output octets */ -{ - uint16_t temp; - int shift; - uint16_t i; - - assert(in_len); - assert(in); - assert((n_bits > 8) && (n_bits < 16)); - assert(out); - - /* pack */ - - temp = 0; - shift = n_bits - 8; - i = 0; - while (i < in_len) { - - /* add bits to temp to fill an octet and output the octet */ - - temp |= in[i] >> shift; - *out++ = (uint8_t)(temp & 0xff); - shift = 8 - shift; - if (shift < 1) { - - /* next full octet is in current input word */ - - shift += n_bits; - temp = 0; - - } else { - - /* put remaining bits of input word in temp as partial octet, - * and increment index to next input word - */ - temp = in[i] << (uint16_t)shift; - - ++i; - } - shift = n_bits - shift; - } - - /* output any bits remaining in last input word */ - - if (shift != n_bits - 8) { - *out++ = (uint8_t)(temp & 0xff); - } -} - - -/* ntru_octets_2_elements - * - * Unpacks an octet string into an array of ((in_len * 8) / n_bits) - * n-bit elements, 8 < n_bits < 16. Any extra bits are discarded. - */ - -void -ntru_octets_2_elements( - uint16_t in_len, /* in - no. of octets to be unpacked */ - uint8_t const *in, /* in - ptr to octets to be unpacked */ - uint8_t n_bits, /* in - no. of bits in output element */ - uint16_t *out) /* out - addr for output elements */ -{ - uint16_t temp; - uint16_t mask = (1 << n_bits) - 1; - int shift; - uint16_t i; - - assert(in_len > 1); - assert(in); - assert((n_bits > 8) && (n_bits < 16)); - assert(out); - - /* unpack */ - - temp = 0; - shift = n_bits; - i = 0; - while (i < in_len) { - shift = 8 - shift; - if (shift < 0) { - - /* the current octet will not fill the current element */ - - shift += n_bits; - - } else { - - /* add bits from the current octet to fill the current element and - * output the element - */ - - temp |= ((uint16_t)in[i]) >> shift; - *out++ = temp & mask; - temp = 0; - } - - /* add the remaining bits of the current octet to start an element */ - - shift = n_bits - shift; - temp |= ((uint16_t)in[i]) << shift; - ++i; - } -} - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h deleted file mode 100644 index 1c4b35b24..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h +++ /dev/null @@ -1,183 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_convert.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_convert.h - * - * Contents: Definitions and declarations for conversion routines - * for NTRUEncrypt, including packing, unpacking and others. - * - *****************************************************************************/ - -#ifndef NTRU_CRYPTO_NTRU_CONVERT_H -#define NTRU_CRYPTO_NTRU_CONVERT_H - -#include "ntru_crypto.h" - - -/* function declarations */ - -/* ntru_bits_2_trits - * - * Each 3 bits in an array of octets is converted to 2 trits in an array - * of trits. - */ - -extern void -ntru_bits_2_trits( - uint8_t const *octets, /* in - pointer to array of octets */ - uint16_t num_trits, /* in - number of trits to produce */ - uint8_t *trits); /* out - address for array of trits */ - - -/* ntru_trits_2_bits - * - * Each 2 trits in an array of trits is converted to 3 bits, and the bits - * are packed in an array of octets. A multiple of 3 octets is output. - * Any bits in the final octets not derived from trits are zero. - * - * Returns TRUE if all trits were valid. - * Returns FALSE if invalid trits were found. - */ - -extern bool -ntru_trits_2_bits( - uint8_t const *trits, /* in - pointer to array of trits */ - uint32_t num_trits, /* in - number of trits to convert */ - uint8_t *octets); /* out - address for array of octets */ - - -/* ntru_coeffs_mod4_2_octets - * - * Takes an array of coefficients mod 4 and packs the results into an - * octet string. - */ - -extern void -ntru_coeffs_mod4_2_octets( - uint16_t num_coeffs, /* in - number of coefficients */ - uint16_t const *coeffs, /* in - pointer to coefficients */ - uint8_t *octets); /* out - address for octets */ - - -/* ntru_trits_2_octet - * - * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1). - */ - -extern void -ntru_trits_2_octet( - uint8_t const *trits, /* in - pointer to trits */ - uint8_t *octet); /* out - address for octet */ - - -/* ntru_octet_2_trits - * - * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1). - */ - -extern void -ntru_octet_2_trits( - uint8_t octet, /* in - octet to be unpacked */ - uint8_t *trits); /* out - address for trits */ - - -/* ntru_indices_2_trits - * - * Converts a list of the nonzero indices of a polynomial into an array of - * trits. - */ - -extern void -ntru_indices_2_trits( - uint16_t in_len, /* in - no. of indices */ - uint16_t const *in, /* in - pointer to list of indices */ - bool plus1, /* in - if list is +1 coefficients */ - uint8_t *out); /* out - address of output polynomial */ - - -/* ntru_packed_trits_2_indices - * - * Unpacks an array of N trits and creates a list of array indices - * corresponding to trits = +1, and list of array indices corresponding to - * trits = -1. - */ - -extern void -ntru_packed_trits_2_indices( - uint8_t const *in, /* in - pointer to packed-trit octets */ - uint16_t num_trits, /* in - no. of packed trits */ - uint16_t *indices_plus1, /* out - address for indices of +1 trits */ - uint16_t *indices_minus1); /* out - address for indices of -1 trits */ - - -/* ntru_indices_2_packed_trits - * - * Takes a list of array indices corresponding to elements whose values - * are +1 or -1, and packs the N-element array of trits described by these - * lists into octets, 5 trits per octet. - */ - -extern void -ntru_indices_2_packed_trits( - uint16_t const *indices, /* in - pointer to indices */ - uint16_t num_plus1, /* in - no. of indices for +1 trits */ - uint16_t num_minus1, /* in - no. of indices for -1 trits */ - uint16_t num_trits, /* in - N, no. of trits in array */ - uint8_t *buf, /* in - temp buf, N octets */ - uint8_t *out); /* out - address for packed octets */ - - -/* ntru_elements_2_octets - * - * Packs an array of n-bit elements into an array of - * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16. - */ - -extern void -ntru_elements_2_octets( - uint16_t in_len, /* in - no. of elements to be packed */ - uint16_t const *in, /* in - ptr to elements to be packed */ - uint8_t n_bits, /* in - no. of bits in input element */ - uint8_t *out); /* out - addr for output octets */ - - -/* ntru_octets_2_elements - * - * Unpacks an octet string into an array of ((in_len * 8) / n_bits) - * n-bit elements, 8 < n < 16. Any extra bits are discarded. - */ - -extern void -ntru_octets_2_elements( - uint16_t in_len, /* in - no. of octets to be unpacked */ - uint8_t const *in, /* in - ptr to octets to be unpacked */ - uint8_t n_bits, /* in - no. of bits in output element */ - uint16_t *out); /* out - addr for output elements */ - - -#endif /* NTRU_CRYPTO_NTRU_CONVERT_H */ - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c deleted file mode 100644 index dba81915a..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c +++ /dev/null @@ -1,1034 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_encrypt.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_encrypt.c - * - * Contents: Routines implementing NTRUEncrypt encryption and decryption and - * key generation. - * - *****************************************************************************/ - - -#include <stdlib.h> -#include <string.h> -#include <assert.h> -#include "ntru_crypto.h" -#include "ntru_crypto_ntru_encrypt_param_sets.h" -#include "ntru_crypto_ntru_encrypt_key.h" -#include "ntru_crypto_ntru_convert.h" -#include "ntru_crypto_ntru_poly.h" -# -#include "ntru_trits.h" -#include "ntru_poly.h" - -/* ntru_crypto_ntru_encrypt - * - * Implements NTRU encryption (SVES) for the parameter set specified in - * the public key blob. - * - * Before invoking this function, a DRBG must be instantiated using - * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that - * instantiation the requested security strength must be at least as large - * as the security strength of the NTRU parameter set being used. - * Failure to instantiate the DRBG with the proper security strength will - * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH. - * - * The required minimum size of the output ciphertext buffer (ct) may be - * queried by invoking this function with ct = NULL. In this case, no - * encryption is performed, NTRU_OK is returned, and the required minimum - * size for ct is returned in ct_len. - * - * When ct != NULL, at invocation *ct_len must be the size of the ct buffer. - * Upon return it is the actual size of the ciphertext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is - * zero, or if pt_len exceeds the maximum plaintext length for the parameter set. - * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - */ - -uint32_t -ntru_crypto_ntru_encrypt( - ntru_drbg_t *drbg, /* in - handle of DRBG */ - uint16_t pubkey_blob_len, /* in - no. of octets in public key - blob */ - uint8_t const *pubkey_blob, /* in - pointer to public key */ - uint16_t pt_len, /* in - no. of octets in plaintext */ - uint8_t const *pt, /* in - pointer to plaintext */ - uint16_t *ct_len, /* in/out - no. of octets in ct, addr for - no. of octets in ciphertext */ - uint8_t *ct) /* out - address for ciphertext */ -{ - NTRU_ENCRYPT_PARAM_SET *params = NULL; - uint8_t const *pubkey_packed = NULL; - uint8_t pubkey_pack_type = 0x00; - uint16_t packed_ct_len; - size_t scratch_buf_len; - uint32_t dr; - uint32_t dr1 = 0; - uint32_t dr2 = 0; - uint32_t dr3 = 0; - uint16_t ring_mult_tmp_len; - int16_t m1 = 0; - uint16_t *scratch_buf = NULL; - uint16_t *ringel_buf = NULL; - uint8_t *b_buf = NULL; - uint8_t *tmp_buf = NULL; - bool msg_rep_good = FALSE; - hash_algorithm_t hash_algid; - uint16_t mprime_len = 0; - uint16_t mod_q_mask; - uint32_t result = NTRU_OK; - ntru_trits_t *mask; - uint8_t *mask_trits; - chunk_t seed; - ntru_poly_t *r_poly; - - /* check for bad parameters */ - - if (!pubkey_blob || !pt || !ct_len) - { - return NTRU_BAD_PARAMETER; - } - if ((pubkey_blob_len == 0) || (pt_len == 0)) - { - return NTRU_BAD_LENGTH; - } - - /* get a pointer to the parameter-set parameters, the packing type for - * the public key, and a pointer to the packed public key - */ - - if (!ntru_crypto_ntru_encrypt_key_parse(TRUE /* pubkey */, pubkey_blob_len, - pubkey_blob, &pubkey_pack_type, - NULL, ¶ms, &pubkey_packed, - NULL)) - { - return NTRU_BAD_PUBLIC_KEY; - } - - /* return the ciphertext size if requested */ - - packed_ct_len = (params->N * params->q_bits + 7) >> 3; - if (!ct) - { - *ct_len = packed_ct_len; - return NTRU_OK; - } - - /* check the ciphertext buffer size */ - - if (*ct_len < packed_ct_len) - { - return NTRU_BUFFER_TOO_SMALL; - } - - /* check the plaintext length */ - - if (pt_len > params->m_len_max) - { - return NTRU_BAD_LENGTH; - } - - /* allocate memory for all operations */ - - if (params->is_product_form) - { - ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */ - dr1 = params->dF_r & 0xff; - dr2 = (params->dF_r >> 8) & 0xff; - dr3 = (params->dF_r >> 16) & 0xff; - dr = dr1 + dr2 + dr3; - } - else - { - ring_mult_tmp_len = params->N; /* N 16-bit word buffer */ - dr = params->dF_r; - } - scratch_buf_len = (ring_mult_tmp_len << 1) + - /* X-byte temp buf for ring mult and - other intermediate results */ - (params->N << 1) + /* 2N-byte buffer for ring elements - and overflow from temp buffer */ - (dr << 2) + /* buffer for r indices */ - params->sec_strength_len; - /* buffer for b */ - scratch_buf = malloc(scratch_buf_len); - if (!scratch_buf) - { - return NTRU_OUT_OF_MEMORY; - } - ringel_buf = scratch_buf + ring_mult_tmp_len; - b_buf = (uint8_t *)(ringel_buf + params->N); - tmp_buf = (uint8_t *)scratch_buf; - - /* set hash algorithm based on security strength */ - hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256; - - /* set constants */ - mod_q_mask = params->q - 1; - - /* loop until a message representative with proper weight is achieved */ - - do { - uint8_t *ptr = tmp_buf; - - /* get b */ - if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, - params->sec_strength_len, b_buf)) - { - result = NTRU_OK; - } - else - { - result = NTRU_FAIL; - } - - if (result == NTRU_OK) - { - - /* form sData (OID || m || b || hTrunc) */ - memcpy(ptr, params->OID, 3); - ptr += 3; - memcpy(ptr, pt, pt_len); - ptr += pt_len; - memcpy(ptr, b_buf, params->sec_strength_len); - ptr += params->sec_strength_len; - memcpy(ptr, pubkey_packed, params->sec_strength_len); - ptr += params->sec_strength_len; - - DBG2(DBG_LIB, "generate polynomial r"); - - seed = chunk_create(tmp_buf, ptr - tmp_buf); - r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - if (!r_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - uint16_t pubkey_packed_len; - - /* unpack the public key */ - assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS); - pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; - ntru_octets_2_elements(pubkey_packed_len, pubkey_packed, - params->q_bits, ringel_buf); - - /* form R = h * r */ - r_poly->ring_mult(r_poly, ringel_buf, ringel_buf); - r_poly->destroy(r_poly); - - /* form R mod 4 */ - ntru_coeffs_mod4_2_octets(params->N, ringel_buf, tmp_buf); - - /* form mask */ - seed = chunk_create(tmp_buf, (params->N + 3)/4); - mask = ntru_trits_create(params->N, hash_algid, seed); - if (!mask) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - uint8_t *Mtrin_buf = tmp_buf + params->N; - uint8_t *M_buf = Mtrin_buf + params->N - - (params->sec_strength_len + params->m_len_len + - params->m_len_max + 2); - uint16_t i; - - /* form the padded message M */ - ptr = M_buf; - memcpy(ptr, b_buf, params->sec_strength_len); - ptr += params->sec_strength_len; - if (params->m_len_len == 2) - *ptr++ = (uint8_t)((pt_len >> 8) & 0xff); - *ptr++ = (uint8_t)(pt_len & 0xff); - memcpy(ptr, pt, pt_len); - ptr += pt_len; - - /* add an extra zero byte in case without it the bit string - * is not a multiple of 3 bits and therefore might not be - * able to produce enough trits - */ - - memset(ptr, 0, params->m_len_max - pt_len + 2); - - /* convert M to trits (Mbin to Mtrin) */ - mprime_len = params->N; - if (params->is_product_form) - { - --mprime_len; - } - - ntru_bits_2_trits(M_buf, mprime_len, Mtrin_buf); - mask_trits = mask->get_trits(mask); - - /* form the msg representative m' by adding Mtrin to mask, mod p */ - if (params->is_product_form) - { - for (i = 0; i < mprime_len; i++) - { - tmp_buf[i] = mask_trits[i] + Mtrin_buf[i]; - if (tmp_buf[i] >= 3) - { - tmp_buf[i] -= 3; - } - if (tmp_buf[i] == 1) - { - ++m1; - } - else if (tmp_buf[i] == 2) - { - --m1; - } - } - } - else - { - for (i = 0; i < mprime_len; i++) - { - tmp_buf[i] = mask_trits[i] + Mtrin_buf[i]; - if (tmp_buf[i] >= 3) - { - tmp_buf[i] -= 3; - } - } - } - mask->destroy(mask); - - /* check that message representative meets minimum weight - * requirements - */ - - if (params->is_product_form) - msg_rep_good = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : - (bool)( m1 <= params->min_msg_rep_wt); - else - msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf, - params->min_msg_rep_wt); - msg_rep_good = TRUE; - } - } while ((result == NTRU_OK) && !msg_rep_good); - - if (result == NTRU_OK) - { - uint16_t i; - - /* form ciphertext e by adding m' to R mod q */ - - for (i = 0; i < mprime_len; i++) { - if (tmp_buf[i] == 1) - ringel_buf[i] = (ringel_buf[i] + 1) & mod_q_mask; - else if (tmp_buf[i] == 2) - ringel_buf[i] = (ringel_buf[i] - 1) & mod_q_mask; - } - if (params->is_product_form) - ringel_buf[i] = (ringel_buf[i] - m1) & mod_q_mask; - - /* pack ciphertext */ - ntru_elements_2_octets(params->N, ringel_buf, params->q_bits, ct); - *ct_len = packed_ct_len; - } - - /* cleanup */ - memset(scratch_buf, 0, scratch_buf_len); - free(scratch_buf); - - return result; -} - - -/* ntru_crypto_ntru_decrypt - * - * Implements NTRU decryption (SVES) for the parameter set specified in - * the private key blob. - * - * The maximum size of the output plaintext may be queried by invoking - * this function with pt = NULL. In this case, no decryption is performed, - * NTRU_OK is returned, and the maximum size the plaintext could be is - * returned in pt_len. - * Note that until the decryption is performed successfully, the actual size - * of the resulting plaintext cannot be known. - * - * When pt != NULL, at invocation *pt_len must be the size of the pt buffer. - * Upon return it is the actual size of the plaintext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if - * ct_len is invalid for the parameter set. - * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if a decryption error occurs. - */ - -uint32_t -ntru_crypto_ntru_decrypt( - uint16_t privkey_blob_len, /* in - no. of octets in private key - blob */ - uint8_t const *privkey_blob, /* in - pointer to private key */ - uint16_t ct_len, /* in - no. of octets in ciphertext */ - uint8_t const *ct, /* in - pointer to ciphertext */ - uint16_t *pt_len, /* in/out - no. of octets in pt, addr for - no. of octets in plaintext */ - uint8_t *pt) /* out - address for plaintext */ -{ - NTRU_ENCRYPT_PARAM_SET *params = NULL; - uint8_t const *privkey_packed = NULL; - uint8_t const *pubkey_packed = NULL; - uint8_t privkey_pack_type = 0x00; - uint8_t pubkey_pack_type = 0x00; - size_t scratch_buf_len; - uint32_t dF_r; - uint32_t dF_r1 = 0; - uint32_t dF_r2 = 0; - uint32_t dF_r3 = 0; - uint16_t ring_mult_tmp_len; - int16_t m1 = 0; - uint16_t *scratch_buf = NULL; - uint16_t *ringel_buf1 = NULL; - uint16_t *ringel_buf2 = NULL; - uint16_t *i_buf = NULL; - uint8_t *m_buf = NULL; - uint8_t *tmp_buf = NULL; - uint8_t *Mtrin_buf = NULL; - uint8_t *M_buf = NULL; - uint8_t *ptr = NULL; - hash_algorithm_t hash_algid; - uint16_t cmprime_len; - uint16_t mod_q_mask; - uint16_t q_mod_p; - uint16_t cm_len = 0; - uint16_t num_zeros; - uint16_t i; - bool decryption_ok = TRUE; - uint32_t result = NTRU_OK; - ntru_trits_t *mask; - uint8_t *mask_trits; - chunk_t seed; - ntru_poly_t *F_poly, *r_poly; - - /* check for bad parameters */ - if (!privkey_blob || !ct || !pt_len) - { - return NTRU_BAD_PARAMETER; - } - if ((privkey_blob_len == 0) || (ct_len == 0)) - { - return NTRU_BAD_LENGTH; - } - - /* get a pointer to the parameter-set parameters, the packing types for - * the public and private keys, and pointers to the packed public and - * private keys - */ - - if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */, - privkey_blob_len, - privkey_blob, &pubkey_pack_type, - &privkey_pack_type, ¶ms, - &pubkey_packed, &privkey_packed)) - { - return NTRU_BAD_PRIVATE_KEY; - } - - /* return the max plaintext size if requested */ - - if (!pt) - { - *pt_len = params->m_len_max; - return NTRU_OK; - } - - /* cannot check the plaintext buffer size until after the plaintext - * is derived, if we allow plaintext buffers only as large as the - * actual plaintext - */ - - /* check the ciphertext length */ - - if (ct_len != (params->N * params->q_bits + 7) >> 3) - { - return NTRU_BAD_LENGTH; - } - - /* allocate memory for all operations */ - - if (params->is_product_form) - { - ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */ - dF_r1 = params->dF_r & 0xff; - dF_r2 = (params->dF_r >> 8) & 0xff; - dF_r3 = (params->dF_r >> 16) & 0xff; - dF_r = dF_r1 + dF_r2 + dF_r3; - } else { - ring_mult_tmp_len = params->N; /* N 16-bit word buffer */ - dF_r = params->dF_r; - } - scratch_buf_len = (ring_mult_tmp_len << 1) + - /* X-byte temp buf for ring mult and - other intermediate results */ - (params->N << 2) + /* 2 2N-byte bufs for ring elements - and overflow from temp buffer */ - (dF_r << 2) + /* buffer for F, r indices */ - params->m_len_max; /* buffer for plaintext */ - scratch_buf = malloc(scratch_buf_len); - if (!scratch_buf) - { - return NTRU_OUT_OF_MEMORY; - } - ringel_buf1 = scratch_buf + ring_mult_tmp_len; - ringel_buf2 = ringel_buf1 + params->N; - i_buf = ringel_buf2 + params->N; - m_buf = (uint8_t *)(i_buf + (dF_r << 1)); - tmp_buf = (uint8_t *)scratch_buf; - Mtrin_buf = (uint8_t *)ringel_buf1; - M_buf = Mtrin_buf + params->N; - - /* set hash algorithm based on security strength */ - hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256; - - /* set constants */ - mod_q_mask = params->q - 1; - q_mod_p = params->q % 3; - - /* unpack the ciphertext */ - ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2); - - /* unpack the private key */ - if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) - { - ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf, - i_buf + dF_r); - - } - else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES) - { - ntru_octets_2_elements( - (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3, - privkey_packed, params->N_bits, i_buf); - - } - else - { - assert(FALSE); - } - - /* form cm': - * F * e - * A = e * (1 + pF) mod q = e + pFe mod q - * a = A in the range [-q/2, q/2) - * cm' = a mod p - */ - F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1); - F_poly->destroy(F_poly); - - cmprime_len = params->N; - if (params->is_product_form) - { - --cmprime_len; - for (i = 0; i < cmprime_len; i++) - { - ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask; - if (ringel_buf1[i] >= (params->q >> 1)) - { - ringel_buf1[i] = ringel_buf1[i] - q_mod_p; - } - Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3); - if (Mtrin_buf[i] == 1) - { - ++m1; - } - else if (Mtrin_buf[i] == 2) - { - --m1; - } - } - } - else - { - for (i = 0; i < cmprime_len; i++) - { - ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask; - if (ringel_buf1[i] >= (params->q >> 1)) - { - ringel_buf1[i] = ringel_buf1[i] - q_mod_p; - } - Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3); - } - } - - /* check that the candidate message representative meets minimum weight - * requirements - */ - - if (params->is_product_form) - { - decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : - (bool)( m1 <= params->min_msg_rep_wt); - } - else - { - decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf, - params->min_msg_rep_wt); - } - - /* form cR = e - cm' mod q */ - for (i = 0; i < cmprime_len; i++) - { - if (Mtrin_buf[i] == 1) - { - ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask; - } - else if (Mtrin_buf[i] == 2) - { - ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask; - } - } - if (params->is_product_form) - { - ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask; - } - - /* form cR mod 4 */ - ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf); - - /* form mask */ - seed = chunk_create(tmp_buf, (params->N + 3)/4); - mask = ntru_trits_create(params->N, hash_algid, seed); - if (!mask) - { - result = NTRU_MGF1_FAIL; - } - else - { - mask_trits = mask->get_trits(mask); - - /* form cMtrin by subtracting mask from cm', mod p */ - for (i = 0; i < cmprime_len; i++) - { - Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i]; - if (Mtrin_buf[i] >= 3) - { - Mtrin_buf[i] += 3; - } - } - mask->destroy(mask); - - if (params->is_product_form) - - /* set the last trit to zero since that's what it was, and - * because it can't be calculated from (cm' - mask) since - * we don't have the correct value for the last cm' trit - */ - - Mtrin_buf[i] = 0; - - /* convert cMtrin to cM (Mtrin to Mbin) */ - - if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf)) - decryption_ok = FALSE; - - /* validate the padded message cM and copy cm to m_buf */ - - ptr = M_buf + params->sec_strength_len; - if (params->m_len_len == 2) - cm_len = (uint16_t)(*ptr++) << 16; - cm_len |= (uint16_t)(*ptr++); - if (cm_len > params->m_len_max) { - cm_len = params->m_len_max; - decryption_ok = FALSE; - } - memcpy(m_buf, ptr, cm_len); - ptr += cm_len; - num_zeros = params->m_len_max - cm_len + 1; - for (i = 0; i < num_zeros; i++) { - if (ptr[i] != 0) - decryption_ok = FALSE; - } - - /* form sData (OID || m || b || hTrunc) */ - - ptr = tmp_buf; - memcpy(ptr, params->OID, 3); - ptr += 3; - memcpy(ptr, m_buf, cm_len); - ptr += cm_len; - memcpy(ptr, M_buf, params->sec_strength_len); - ptr += params->sec_strength_len; - memcpy(ptr, pubkey_packed, params->sec_strength_len); - ptr += params->sec_strength_len; - - /* generate cr */ - DBG2(DBG_LIB, "generate polynomial r"); - - seed = chunk_create(tmp_buf, ptr - tmp_buf); - r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - if (!r_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - /* unpack the public key */ - { - uint16_t pubkey_packed_len; - - assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS); - pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; - ntru_octets_2_elements(pubkey_packed_len, pubkey_packed, - params->q_bits, ringel_buf1); - } - - /* form cR' = h * cr */ - r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1); - r_poly->destroy(r_poly); - - /* compare cR' to cR */ - for (i = 0; i < params->N; i++) - { - if (ringel_buf1[i] != ringel_buf2[i]) - { - decryption_ok = FALSE; - } - } - - /* output plaintext and plaintext length */ - if (decryption_ok) - { - if (*pt_len < cm_len) - { - return NTRU_BUFFER_TOO_SMALL; - } - memcpy(pt, m_buf, cm_len); - *pt_len = cm_len; - } - } - - /* cleanup */ - memset(scratch_buf, 0, scratch_buf_len); - free(scratch_buf); - - if (!decryption_ok) - { - return NTRU_FAIL; - } - - return result; -} - - -/* ntru_crypto_ntru_encrypt_keygen - * - * Implements key generation for NTRUEncrypt for the parameter set specified. - * - * The required minimum size of the output public-key buffer (pubkey_blob) - * may be queried by invoking this function with pubkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for pubkey_blob is returned in pubkey_blob_len. - * - * The required minimum size of the output private-key buffer (privkey_blob) - * may be queried by invoking this function with privkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for privkey_blob is returned in privkey_blob_len. - * - * The required minimum sizes of both pubkey_blob and privkey_blob may be - * queried as described above, in a single invocation of this function. - * - * When pubkey_blob != NULL and privkey_blob != NULL, at invocation - * *pubkey_blob_len must be the size of the pubkey_blob buffer and - * *privkey_blob_len must be the size of the privkey_blob buffer. - * Upon return, *pubkey_blob_len is the actual size of the public-key blob - * and *privkey_blob_len is the actual size of the private-key blob. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or - * privkey_blob) is NULL. - * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid. - * Returns NTRU_BAD_LENGTH if a length argument is invalid. - * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the - * privkey_blob buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if the polynomial generated for f is not invertible in - * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely. - * Should this occur, this function should simply be invoked again. - */ - -uint32_t -ntru_crypto_ntru_encrypt_keygen( - ntru_drbg_t *drbg, /* in - handle of DRBG */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */ - uint16_t *pubkey_blob_len, /* in/out - no. of octets in - pubkey_blob, addr - for no. of octets - in pubkey_blob */ - uint8_t *pubkey_blob, /* out - address for - public key blob */ - uint16_t *privkey_blob_len, /* in/out - no. of octets in - privkey_blob, addr - for no. of octets - in privkey_blob */ - uint8_t *privkey_blob) /* out - address for - private key blob */ -{ - NTRU_ENCRYPT_PARAM_SET *params = NULL; - uint16_t public_key_blob_len; - uint16_t private_key_blob_len; - uint8_t pubkey_pack_type; - uint8_t privkey_pack_type; - size_t scratch_buf_len; - uint32_t dF; - uint32_t dF1 = 0; - uint32_t dF2 = 0; - uint32_t dF3 = 0; - uint16_t *scratch_buf = NULL; - uint16_t *ringel_buf1 = NULL; - uint16_t *ringel_buf2 = NULL; - uint8_t *tmp_buf = NULL; - uint16_t mod_q_mask; - hash_algorithm_t hash_algid; - uint16_t seed_len; - chunk_t seed; - uint32_t result = NTRU_OK; - ntru_poly_t *F_poly = NULL; - ntru_poly_t *g_poly = NULL; - uint16_t *F_indices; - - /* get a pointer to the parameter-set parameters */ - - if ((params = ntru_encrypt_get_params_with_id(param_set_id)) == NULL) - { - return NTRU_INVALID_PARAMETER_SET; - } - - /* check for bad parameters */ - - if (!pubkey_blob_len || !privkey_blob_len) - { - return NTRU_BAD_PARAMETER; - } - - /* get public and private key packing types and blob lengths */ - - ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type, - &public_key_blob_len, - &privkey_pack_type, - &private_key_blob_len); - - /* return the pubkey_blob size and/or privkey_blob size if requested */ - - if (!pubkey_blob || !privkey_blob) - { - if (!pubkey_blob) - *pubkey_blob_len = public_key_blob_len; - if (!privkey_blob) - *privkey_blob_len = private_key_blob_len; - return NTRU_OK; - } - - /* check size of output buffers */ - - if ((*pubkey_blob_len < public_key_blob_len) || - (*privkey_blob_len < private_key_blob_len)) - { - return NTRU_BUFFER_TOO_SMALL; - } - - /* allocate memory for all operations */ - if (params->is_product_form) { - dF1 = params->dF_r & 0xff; - dF2 = (params->dF_r >> 8) & 0xff; - dF3 = (params->dF_r >> 16) & 0xff; - dF = dF1 + dF2 + dF3; - } else { - dF = params->dF_r; - } - - scratch_buf_len = (params->N * 8) + /* 4N-byte temp buffer for ring inv - and other intermediate results, - 2N-byte buffer for f, g indices - and overflow from temp buffer, - 2N-byte buffer for f^-1 */ - (dF << 2); /* buffer for F indices */ - scratch_buf = malloc(scratch_buf_len); - if (!scratch_buf) - { - return NTRU_OUT_OF_MEMORY; - } - ringel_buf1 = scratch_buf + (params->N << 1); - ringel_buf2 = ringel_buf1 + params->N; - tmp_buf = (uint8_t *)scratch_buf; - - /* set hash algorithm and seed length based on security strength */ - if (params->sec_strength_len <= 20) - { - hash_algid = HASH_SHA1; - } - else - { - hash_algid = HASH_SHA256; - } - seed_len = params->sec_strength_len + 8; - - /* set constants */ - - mod_q_mask = params->q - 1; - - /* get random bytes for seed for generating trinary F - * as a list of indices - */ - - if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, - seed_len, tmp_buf)) - { - result = NTRU_OK; - } - else - { - result = NTRU_DRBG_FAIL; - } - - if (result == NTRU_OK) - { - DBG2(DBG_LIB, "generate polynomial F"); - - seed = chunk_create(tmp_buf, seed_len); - F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - if (!F_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - int i; - - F_poly->get_array(F_poly, ringel_buf1); - - /* form f = 1 + pF */ - for (i = 0; i < params->N; i++) - { - ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask; - } - ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask; - - /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */ - if (!ntru_ring_inv(ringel_buf1, params->N, params->q, - scratch_buf, ringel_buf2)) - { - result = NTRU_FAIL; - } - } - - if (result == NTRU_OK) - { - - /* get random bytes for seed for generating trinary polynomial g - * as a list of indices - */ - if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, - seed_len, tmp_buf)) - { - result = NTRU_DRBG_FAIL; - } - } - - if (result == NTRU_OK) - { - DBG2(DBG_LIB, "generate polynomial g"); - - seed = chunk_create(tmp_buf, seed_len); - g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dg + 1, params->dg, FALSE); - if (!g_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - uint16_t i; - - /* compute h = p * (f^-1 * g) mod q */ - g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2); - g_poly->destroy(g_poly); - - for (i = 0; i < params->N; i++) - { - ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask; - } - - /* create public key blob */ - ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2, - pubkey_pack_type, - pubkey_blob); - *pubkey_blob_len = public_key_blob_len; - - /* create private key blob */ - F_indices = F_poly->get_indices(F_poly); - ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2, - F_indices, - privkey_pack_type, - tmp_buf, privkey_blob); - *privkey_blob_len = private_key_blob_len; - } - - /* cleanup */ - DESTROY_IF(F_poly); - memset(scratch_buf, 0, scratch_buf_len); - free(scratch_buf); - - return result; -} diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c deleted file mode 100644 index 90baaadf3..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c +++ /dev/null @@ -1,360 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_encrypt_key.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_encrypt_key.c - * - * Contents: Routines for exporting and importing public and private keys - * for NTRUEncrypt. - * - *****************************************************************************/ - - -#include <stdlib.h> -#include <string.h> -#include <assert.h> -#include "ntru_crypto_ntru_encrypt_key.h" - - -/* ntru_crypto_ntru_encrypt_key_parse - * - * Parses an NTRUEncrypt key blob. - * If the blob is not corrupt, returns packing types for public and private - * keys, a pointer to the parameter set, a pointer to the public key, and - * a pointer to the private key if it exists. - * - * Returns TRUE if successful. - * Returns FALSE if the blob is invalid. - */ - -bool -ntru_crypto_ntru_encrypt_key_parse( - bool pubkey_parse, /* in - if parsing pubkey - blob */ - uint16_t key_blob_len, /* in - no. octets in key - blob */ - uint8_t const *key_blob, /* in - pointer to key blob */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - NTRU_ENCRYPT_PARAM_SET **params, /* out - addr for ptr to - parameter set */ - uint8_t const **pubkey, /* out - addr for ptr to - packed pubkey */ - uint8_t const **privkey) /* out - addr for ptr to - packed privkey */ -{ - uint8_t tag; - - assert(key_blob_len); - assert(key_blob); - assert(pubkey_pack_type); - assert(params); - assert(pubkey); - - /* parse key blob based on tag */ - - tag = key_blob[0]; - switch (tag) { - case NTRU_ENCRYPT_PUBKEY_TAG: - if (!pubkey_parse) - return FALSE; - break; - case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG: - case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG: - case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG: - assert(privkey_pack_type); - assert(privkey); - if (pubkey_parse) - return FALSE; - break; - default: - return FALSE; - } - - switch (tag) { - case NTRU_ENCRYPT_PUBKEY_TAG: - case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG: - case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG: - case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG: - - /* Version 0: - * byte 0: tag - * byte 1: no. of octets in OID - * bytes 2-4: OID - * bytes 5- : packed pubkey - * [packed privkey] - */ - - { - NTRU_ENCRYPT_PARAM_SET *p = NULL; - uint16_t pubkey_packed_len; - - /* check OID length and minimum blob length for tag and OID */ - - if ((key_blob_len < 5) || (key_blob[1] != 3)) - return FALSE; - - /* get a pointer to the parameter set corresponding to the OID */ - - if ((p = ntru_encrypt_get_params_with_OID(key_blob + 2)) == NULL) - return FALSE; - - /* check blob length and assign pointers to blob fields */ - - pubkey_packed_len = (p->N * p->q_bits + 7) / 8; - if (pubkey_parse) { /* public-key parsing */ - if (key_blob_len != 5 + pubkey_packed_len) - return FALSE; - - *pubkey = key_blob + 5; - - } else { /* private-key parsing */ - uint16_t privkey_packed_len; - uint16_t privkey_packed_trits_len = (p->N + 4) / 5; - uint16_t privkey_packed_indices_len; - uint16_t dF; - - /* check packing type for product-form private keys */ - - if (p->is_product_form && - (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)) - return FALSE; - - /* set packed-key length for packed indices */ - - if (p->is_product_form) - dF = (uint16_t)( (p->dF_r & 0xff) + /* df1 */ - ((p->dF_r >> 8) & 0xff) + /* df2 */ - ((p->dF_r >> 16) & 0xff)); /* df3 */ - else - dF = (uint16_t)p->dF_r; - privkey_packed_indices_len = ((dF << 1) * p->N_bits + 7) >> 3; - - /* set private-key packing type if defaulted */ - - if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) { - if (p->is_product_form || - (privkey_packed_indices_len <= - privkey_packed_trits_len)) - tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG; - else - tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG; - } - - if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) - privkey_packed_len = privkey_packed_trits_len; - else - privkey_packed_len = privkey_packed_indices_len; - - if (key_blob_len != 5 + pubkey_packed_len + privkey_packed_len) - return FALSE; - - *pubkey = key_blob + 5; - *privkey = *pubkey + pubkey_packed_len; - *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ? - NTRU_ENCRYPT_KEY_PACKED_TRITS : - NTRU_ENCRYPT_KEY_PACKED_INDICES; - } - - /* return parameter set pointer */ - - *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS; - *params = p; - } - default: - break; /* can't get here */ - } - return TRUE; -} - - -/* ntru_crypto_ntru_encrypt_key_get_blob_params - * - * Returns public and private key packing types and blob lengths given - * a packing format. For now, only a default packing format exists. - * - * Only public-key params may be returned by setting privkey_pack_type - * and privkey_blob_len to NULL. - */ - -void -ntru_crypto_ntru_encrypt_key_get_blob_params( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint16_t *pubkey_blob_len, /* out - addr for no. of - bytes in - pubkey blob */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - uint16_t *privkey_blob_len) /* out - addr for no. of - bytes in - privkey blob */ -{ - uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; - - assert(params); - assert(pubkey_pack_type); - assert(pubkey_blob_len); - - *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS; - *pubkey_blob_len = 5 + pubkey_packed_len; - - if (privkey_pack_type && privkey_blob_len) { - uint16_t privkey_packed_trits_len = (params->N + 4) / 5; - uint16_t privkey_packed_indices_len; - uint16_t dF; - - if (params->is_product_form) - dF = (uint16_t)( (params->dF_r & 0xff) + /* df1 */ - ((params->dF_r >> 8) & 0xff) + /* df2 */ - ((params->dF_r >> 16) & 0xff)); /* df3 */ - else - dF = (uint16_t)params->dF_r; - privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3; - - if (params->is_product_form || - (privkey_packed_indices_len <= privkey_packed_trits_len)) { - *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES; - *privkey_blob_len = - 5 + pubkey_packed_len + privkey_packed_indices_len; - } else { - *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS; - *privkey_blob_len = - 5 + pubkey_packed_len + privkey_packed_trits_len; - } - } -} - - -/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob - * - * Returns a public key blob, packed according to the packing type provided. - */ - -void -ntru_crypto_ntru_encrypt_key_create_pubkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint8_t pubkey_pack_type, /* out - pubkey packing - type */ - uint8_t *pubkey_blob) /* out - addr for the - pubkey blob */ -{ - assert(params); - assert(pubkey); - assert(pubkey_blob); - - switch (pubkey_pack_type) { - case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS: - *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG; - *pubkey_blob++ = (uint8_t)sizeof(params->OID); - memcpy(pubkey_blob, params->OID, sizeof(params->OID)); - pubkey_blob += sizeof(params->OID); - ntru_elements_2_octets(params->N, pubkey, params->q_bits, - pubkey_blob); - break; - default: - assert(FALSE); - } -} - - -/* ntru_crypto_ntru_encrypt_key_create_privkey_blob - * - * Returns a private key blob, packed according to the packing type provided. - */ - -void -ntru_crypto_ntru_encrypt_key_create_privkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint16_t const *privkey, /* in - pointer to the - indices of the - privkey */ - uint8_t privkey_pack_type, /* in - privkey packing - type */ - uint8_t *buf, /* in - temp, N bytes */ - uint8_t *privkey_blob) /* out - addr for the - privkey blob */ -{ - assert(params); - assert(pubkey); - assert(privkey); - assert(privkey_blob); - - switch (privkey_pack_type) { - case NTRU_ENCRYPT_KEY_PACKED_TRITS: - case NTRU_ENCRYPT_KEY_PACKED_INDICES: - - /* format header and packed public key */ - - *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG; - *privkey_blob++ = (uint8_t)sizeof(params->OID); - memcpy(privkey_blob, params->OID, sizeof(params->OID)); - privkey_blob += sizeof(params->OID); - ntru_elements_2_octets(params->N, pubkey, params->q_bits, - privkey_blob); - privkey_blob += (params->N * params->q_bits + 7) >> 3; - - /* add packed private key */ - - if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) { - ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r, - (uint16_t)params->dF_r, - params->N, buf, privkey_blob); - } else { - uint32_t dF; - - if (params->is_product_form) { - dF = (params->dF_r & 0xff) + - ((params->dF_r >> 8) & 0xff) + - ((params->dF_r >> 16) & 0xff); - } else { - dF = params->dF_r; - } - ntru_elements_2_octets((uint16_t)dF << 1, privkey, - params->N_bits, privkey_blob); - } - break; - default: - assert(FALSE); - break; - } -} - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h deleted file mode 100644 index 6734f2a4c..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h +++ /dev/null @@ -1,167 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_cencrypt_key.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - - -#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H -#define NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H - -#include "ntru_crypto_ntru_convert.h" -#include "ntru_crypto_ntru_encrypt_param_sets.h" - - -/* key-blob definitions */ - -#define NTRU_ENCRYPT_PUBKEY_TAG 0x01 -#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG 0x02 -#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG 0xfe -#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG 0xff - -/* packing types */ - -#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS 0x01 -#define NTRU_ENCRYPT_KEY_PACKED_INDICES 0x02 -#define NTRU_ENCRYPT_KEY_PACKED_TRITS 0x03 - -/* function declarations */ - - -/* ntru_crypto_ntru_encrypt_key_parse - * - * Parses an NTRUEncrypt key blob. - * If the blob is not corrupt, returns packing types for public and private - * keys, a pointer to the parameter set, a pointer to the public key, and - * a pointer to the private key if it exists. - * - * Returns TRUE if successful. - * Returns FALSE if the blob is invalid. - */ - -extern bool -ntru_crypto_ntru_encrypt_key_parse( - bool pubkey_parse, /* in - if parsing pubkey - blob */ - uint16_t key_blob_len, /* in - no. octets in key - blob */ - uint8_t const *key_blob, /* in - pointer to key blob */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - NTRU_ENCRYPT_PARAM_SET **params, /* out - addr for ptr to - parameter set */ - uint8_t const **pubkey, /* out - addr for ptr to - packed pubkey */ - uint8_t const **privkey); /* out - addr for ptr to - packed privkey */ - - -/* ntru_crypto_ntru_encrypt_key_get_blob_params - * - * Returns public and private key packing types and blob lengths given - * a packing format. For now, only a default packing format exists. - * - * Only public-key params may be returned by setting privkey_pack_type - * and privkey_blob_len to NULL. - */ - -extern void -ntru_crypto_ntru_encrypt_key_get_blob_params( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint16_t *pubkey_blob_len, /* out - addr for no. of - bytes in - pubkey blob */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - uint16_t *privkey_blob_len); /* out - addr for no. of - bytes in - privkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob - * - * Returns a public key blob, packed according to the packing type provided. - */ - -extern void -ntru_crypto_ntru_encrypt_key_create_pubkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint8_t pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint8_t *pubkey_blob); /* out - addr for the - pubkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob - * - * Returns a public key blob, recreated from an already-packed public key. - */ - -extern void -ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t packed_pubkey_len, /* in - no. octets in - packed pubkey */ - uint8_t const *packed_pubkey, /* in - pointer to the - packed pubkey */ - uint8_t pubkey_pack_type, /* out - pubkey packing - type */ - uint8_t *pubkey_blob); /* out - addr for the - pubkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_create_privkey_blob - * - * Returns a privlic key blob, packed according to the packing type provided. - */ - -extern void -ntru_crypto_ntru_encrypt_key_create_privkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint16_t const *privkey, /* in - pointer to the - indices of the - privkey */ - uint8_t privkey_pack_type, /* in - privkey packing - type */ - uint8_t *buf, /* in - temp, N bytes */ - uint8_t *privkey_blob); /* out - addr for the - privkey blob */ - - -#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h deleted file mode 100644 index e5e977a0e..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h +++ /dev/null @@ -1,101 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_encrypt_param_sets.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_encrypt_param_sets.h - * - * Contents: Definitions and declarations for the NTRUEncrypt parameter sets. - * - *****************************************************************************/ - -#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H -#define NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H - -#include "ntru_crypto.h" - -/* structures */ - -typedef struct _NTRU_ENCRYPT_PARAM_SET { - NTRU_ENCRYPT_PARAM_SET_ID id; /* parameter-set ID */ - uint8_t const OID[3]; /* pointer to OID */ - uint8_t der_id; /* parameter-set DER id */ - uint8_t N_bits; /* no. of bits in N (i.e. in - an index */ - uint16_t N; /* ring dimension */ - uint16_t sec_strength_len; /* no. of octets of - security strength */ - uint16_t q; /* big modulus */ - uint8_t q_bits; /* no. of bits in q (i.e. in - a coefficient */ - bool is_product_form; /* if product form used */ - uint32_t dF_r; /* no. of 1 or -1 coefficients - in ring elements F, r */ - uint16_t dg; /* no. - 1 of 1 coefficients - or no. of -1 coefficients - in ring element g */ - uint16_t m_len_max; /* max no. of plaintext - octets */ - uint16_t min_msg_rep_wt; /* min. message - representative weight */ - uint8_t c_bits; /* no. bits in candidate for - deriving an index in - IGF-2 */ - uint8_t m_len_len; /* no. of octets to hold - mLenOctets */ -} NTRU_ENCRYPT_PARAM_SET; - - - -/* function declarations */ - -/* ntru_encrypt_get_params_with_id - * - * Looks up a set of NTRU Encrypt parameters based on the id of the - * parameter set. - * - * Returns a pointer to the parameter set parameters if successful. - * Returns NULL if the parameter set cannot be found. - */ - -extern NTRU_ENCRYPT_PARAM_SET * -ntru_encrypt_get_params_with_id( - NTRU_ENCRYPT_PARAM_SET_ID id); /* in - parameter-set id */ - - -/* ntru_encrypt_get_params_with_OID - * - * Looks up a set of NTRU Encrypt parameters based on the OID of the - * parameter set. - * - * Returns a pointer to the parameter set parameters if successful. - * Returns NULL if the parameter set cannot be found. - */ - -extern NTRU_ENCRYPT_PARAM_SET * -ntru_encrypt_get_params_with_OID( - uint8_t const *oid); /* in - pointer to parameter-set OID */ - -#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H */ - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c deleted file mode 100644 index 8e4eede87..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c +++ /dev/null @@ -1,242 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_poly.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -#include <stdlib.h> -#include <string.h> -#include "ntru_crypto_ntru_poly.h" - -/* ntru_poly_check_min_weight - * - * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed - * a minimum weight. - */ - -bool -ntru_poly_check_min_weight( - uint16_t num_els, /* in - degree of polynomial */ - uint8_t *ringels, /* in - pointer to trinary ring elements */ - uint16_t min_wt) /* in - minimum weight */ -{ - uint16_t wt[3]; - uint16_t i; - - wt[0] = wt[1] = wt[2] = 0; - for (i = 0; i < num_els; i++) { - ++wt[ringels[i]]; - } - if ((wt[0] < min_wt) || (wt[1] < min_wt) || (wt[2] < min_wt)) { - return FALSE; - } - return TRUE; -} - -/* ntru_ring_mult_coefficients - * - * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" - * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). - * This is a convolution operation. - * - * Ring element "b" has coefficients in the range [0,N). - * - * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum - * beyond 16 bits does not matter. - */ - -void -ntru_ring_mult_coefficients( - uint16_t const *a, /* in - pointer to polynomial a */ - uint16_t const *b, /* in - pointer to polynomial b */ - uint16_t N, /* in - no. of coefficients in a, b, c */ - uint16_t q, /* in - large modulus */ - uint16_t *c) /* out - address for polynomial c */ -{ - uint16_t const *bptr = b; - uint16_t mod_q_mask = q - 1; - uint16_t i, k; - - /* c[k] = sum(a[i] * b[k-i]) mod q */ - memset(c, 0, N * sizeof(uint16_t)); - for (k = 0; k < N; k++) { - i = 0; - while (i <= k) - c[k] += a[i++] * *bptr--; - bptr += N; - while (i < N) - c[k] += a[i++] * *bptr--; - c[k] &= mod_q_mask; - ++bptr; - } -} - - -/* ntru_ring_inv - * - * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1). - * - * This assumes q is 2^r where 8 < r < 16, so that operations mod q can - * wait until the end, and only 16-bit arrays need to be used. - */ - -bool -ntru_ring_inv( - uint16_t *a, /* in - pointer to polynomial a */ - uint16_t N, /* in - no. of coefficients in a */ - uint16_t q, /* in - large modulus */ - uint16_t *t, /* in - temp buffer of 2N elements */ - uint16_t *a_inv) /* out - address for polynomial a^-1 */ -{ - uint8_t *b = (uint8_t *)t; /* b cannot be in a_inv since it must be - rotated and copied there as a^-1 mod 2 */ - uint8_t *c = b + N; /* c cannot be in a_inv since it exchanges - with b, and b cannot be in a_inv */ - uint8_t *f = c + N; - uint8_t *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */ - uint16_t *t2 = t + N; - uint16_t deg_b; - uint16_t deg_c; - uint16_t deg_f; - uint16_t deg_g; - uint16_t k = 0; - bool done = FALSE; - uint16_t i, j; - - /* form a^-1 in (Z/2Z)[X]/X^N - 1) */ - memset(b, 0, (N << 1)); /* clear to init b, c */ - - /* b(X) = 1 */ - b[0] = 1; - deg_b = 0; - - /* c(X) = 0 (cleared above) */ - deg_c = 0; - - /* f(X) = a(X) mod 2 */ - for (i = 0; i < N; i++) - f[i] = (uint8_t)(a[i] & 1); - deg_f = N - 1; - - /* g(X) = X^N - 1 */ - g[0] = 1; - memset(g + 1, 0, N - 1); - g[N] = 1; - deg_g = N; - - /* until f(X) = 1 */ - - while (!done) - { - - /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */ - - for (i = 0; (i <= deg_f) && (f[i] == 0); ++i); - if (i > deg_f) - return FALSE; - if (i) { - f = f + i; - deg_f = deg_f - i; - deg_c = deg_c + i; - for (j = deg_c; j >= i; j--) - c[j] = c[j-i]; - for (j = 0; j < i; j++) - c[j] = 0; - k = k + i; - } - - /* adjust degree of f(X) if the highest coefficients are zero - * Note: f[0] = 1 from above so the loop will terminate. - */ - - while (f[deg_f] == 0) - --deg_f; - - /* if f(X) = 1, done - * Note: f[0] = 1 from above, so only check the x term and up - */ - - for (i = 1; (i <= deg_f) && (f[i] == 0); ++i); - if (i > deg_f) { - done = TRUE; - break; - } - - /* if deg_f < deg_g, f <-> g, b <-> c */ - - if (deg_f < deg_g) { - uint8_t *x; - - x = f; - f = g; - g = x; - deg_f ^= deg_g; - deg_g ^= deg_f; - deg_f ^= deg_g; - x = b; - b = c; - c = x; - deg_b ^= deg_c; - deg_c ^= deg_b; - deg_b ^= deg_c; - } - - /* f(X) += g(X), b(X) += c(X) */ - - for (i = 0; i <= deg_g; i++) - f[i] ^= g[i]; - - if (deg_c > deg_b) - deg_b = deg_c; - for (i = 0; i <= deg_c; i++) - b[i] ^= c[i]; - } - - /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */ - - j = 0; - if (k >= N) - k = k - N; - for (i = k; i < N; i++) - a_inv[j++] = (uint16_t)(b[i]); - for (i = 0; i < k; i++) - a_inv[j++] = (uint16_t)(b[i]); - - /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */ - - for (j = 0; j < 4; ++j) { /* assumes 256 < q <= 65536 */ - - /* a^-1 = a^-1 * (2 - a * a^-1) mod q */ - - memcpy(t2, a_inv, N * sizeof(uint16_t)); - ntru_ring_mult_coefficients(a, t2, N, q, t); - for (i = 0; i < N; ++i) - t[i] = q - t[i]; - t[0] = t[0] + 2; - ntru_ring_mult_coefficients(t2, t, N, q, a_inv); - } - - return TRUE; - - -} - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h deleted file mode 100644 index 1e9d467ed..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h +++ /dev/null @@ -1,96 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_poly.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_poly.h - * - * Contents: Public header file for generating and operating on polynomials - * in the NTRU algorithm. - * - *****************************************************************************/ - - -#ifndef NTRU_CRYPTO_NTRU_POLY_H -#define NTRU_CRYPTO_NTRU_POLY_H - - -#include "ntru_crypto.h" - -#include <crypto/hashers/hasher.h> - - -/* function declarations */ - -/* ntru_poly_check_min_weight - * - * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed - * a minimum weight. - */ - -extern bool -ntru_poly_check_min_weight( - uint16_t num_els, /* in - degree of polynomial */ - uint8_t *ringels, /* in - pointer to trinary ring elements */ - uint16_t min_wt); /* in - minimum weight */ - -/* ntru_ring_mult_coefficients - * - * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" - * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). - * This is a convolution operation. - * - * Ring element "b" has coefficients in the range [0,N). - * - * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum - * beyond 16 bits does not matter. - */ - -extern void -ntru_ring_mult_coefficients( - uint16_t const *a, /* in - pointer to polynomial a */ - uint16_t const *b, /* in - pointer to polynomial b */ - uint16_t N, /* in - no. of coefficients in a, b, c */ - uint16_t q, /* in - large modulus */ - uint16_t *c); /* out - address for polynomial c */ - - -/* ntru_ring_inv - * - * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1). - * - * This assumes q is 2^r where 8 < r < 16, so that operations mod q can - * wait until the end, and only 16-bit arrays need to be used. - */ - -extern bool -ntru_ring_inv( - uint16_t *a, /* in - pointer to polynomial a */ - uint16_t N, /* in - no. of coefficients in a */ - uint16_t q, /* in - large modulus */ - uint16_t *t, /* in - temp buffer of 2N elements */ - uint16_t *a_inv); /* out - address for polynomial a^-1 */ - - -#endif /* NTRU_CRYPTO_NTRU_POLY_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.c b/src/libstrongswan/plugins/ntru/ntru_drbg.c index 181a58939..ef0d3d9c8 100644 --- a/src/libstrongswan/plugins/ntru/ntru_drbg.c +++ b/src/libstrongswan/plugins/ntru/ntru_drbg.c @@ -67,6 +67,10 @@ struct private_ntru_drbg_t { */ chunk_t value; + /** + * reference count + */ + refcount_t ref; }; /** @@ -180,13 +184,23 @@ METHOD(ntru_drbg_t, generate, bool, return TRUE; } +METHOD(ntru_drbg_t, get_ref, ntru_drbg_t*, + private_ntru_drbg_t *this) +{ + ref_get(&this->ref); + return &this->public; +} + METHOD(ntru_drbg_t, destroy, void, private_ntru_drbg_t *this) { - this->hmac->destroy(this->hmac); - chunk_clear(&this->key); - chunk_clear(&this->value); - free(this); + if (ref_put(&this->ref)) + { + this->hmac->destroy(this->hmac); + chunk_clear(&this->key); + chunk_clear(&this->value); + free(this); + } } /* @@ -238,6 +252,7 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str, .get_strength = _get_strength, .reseed = _reseed, .generate = _generate, + .get_ref = _get_ref, .destroy = _destroy, }, .strength = strength, @@ -247,6 +262,7 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str, .value = chunk_alloc(hmac->get_block_size(hmac)), .max_requests = max_requests, .reseed_counter = 1, + .ref = 1, ); memset(this->key.ptr, 0x00, this->key.len); diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.h b/src/libstrongswan/plugins/ntru/ntru_drbg.h index 38ac718ae..83cef11be 100644 --- a/src/libstrongswan/plugins/ntru/ntru_drbg.h +++ b/src/libstrongswan/plugins/ntru/ntru_drbg.h @@ -58,6 +58,13 @@ struct ntru_drbg_t { u_int8_t *out); /** + * Get a reference on an ntru_drbg_t object increasing the count by one + * + * @return reference to the ntru_drbg_t object + */ + ntru_drbg_t* (*get_ref)(ntru_drbg_t *this); + + /** * Uninstantiate and destroy the DRBG object */ void (*destroy)(ntru_drbg_t *this); diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c index 39fb261cd..abaa22336 100644 --- a/src/libstrongswan/plugins/ntru/ntru_ke.c +++ b/src/libstrongswan/plugins/ntru/ntru_ke.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,54 +15,33 @@ #include "ntru_ke.h" #include "ntru_drbg.h" - -#include "ntru_crypto/ntru_crypto.h" +#include "ntru_param_set.h" +#include "ntru_private_key.h" +#include "ntru_public_key.h" #include <crypto/diffie_hellman.h> #include <utils/debug.h> typedef struct private_ntru_ke_t private_ntru_ke_t; -typedef struct param_set_t param_set_t; - -/** - * Defines an NTRU parameter set by ID or OID - */ -struct param_set_t { - NTRU_ENCRYPT_PARAM_SET_ID id; - char oid[3]; - char *name; -}; /* Best bandwidth and speed, no X9.98 compatibility */ -static param_set_t param_sets_optimum[] = { - { NTRU_EES401EP2, {0x00, 0x02, 0x10}, "ees401ep2" }, - { NTRU_EES439EP1, {0x00, 0x03, 0x10}, "ees439ep1" }, - { NTRU_EES593EP1, {0x00, 0x05, 0x10}, "ees593ep1" }, - { NTRU_EES743EP1, {0x00, 0x06, 0x10}, "ees743ep1" } +static ntru_param_set_id_t param_sets_optimum[] = { + NTRU_EES401EP2, NTRU_EES439EP1, NTRU_EES593EP1, NTRU_EES743EP1 }; /* X9.98/IEEE 1363.1 parameter sets for best speed */ -static param_set_t param_sets_x9_98_speed[] = { - { NTRU_EES659EP1, {0x00, 0x02, 0x06}, "ees659ep1" }, - { NTRU_EES761EP1, {0x00, 0x03, 0x05}, "ees761ep1" }, - { NTRU_EES1087EP1, {0x00, 0x05, 0x05}, "ees1087ep1" }, - { NTRU_EES1499EP1, {0x00, 0x06, 0x05}, "ees1499ep1" } +static ntru_param_set_id_t param_sets_x9_98_speed[] = { + NTRU_EES659EP1, NTRU_EES761EP1, NTRU_EES1087EP1, NTRU_EES1499EP1 }; /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */ -static param_set_t param_sets_x9_98_bandwidth[] = { - { NTRU_EES401EP1, {0x00, 0x02, 0x04}, "ees401ep1" }, - { NTRU_EES449EP1, {0x00, 0x03, 0x03}, "ees449ep1" }, - { NTRU_EES677EP1, {0x00, 0x05, 0x03}, "ees677ep1" }, - { NTRU_EES1087EP2, {0x00, 0x06, 0x03}, "ees1087ep2" } +static ntru_param_set_id_t param_sets_x9_98_bandwidth[] = { + NTRU_EES401EP1, NTRU_EES449EP1, NTRU_EES677EP1, NTRU_EES1087EP2 }; /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */ -static param_set_t param_sets_x9_98_balance[] = { - { NTRU_EES541EP1, {0x00, 0x02, 0x05}, "ees541ep1" }, - { NTRU_EES613EP1, {0x00, 0x03, 0x04}, "ees613ep1" }, - { NTRU_EES887EP1, {0x00, 0x05, 0x04}, "ees887ep1" }, - { NTRU_EES1171EP1, {0x00, 0x06, 0x04}, "ees1171ep1" } +static ntru_param_set_id_t param_sets_x9_98_balance[] = { + NTRU_EES541EP1, NTRU_EES613EP1, NTRU_EES887EP1, NTRU_EES1171EP1 }; /** @@ -82,7 +61,7 @@ struct private_ntru_ke_t { /** * NTRU Parameter Set */ - param_set_t *param_set; + ntru_param_set_t *param_set; /** * Cryptographical strength in bits of the NTRU Parameter Set @@ -92,12 +71,12 @@ struct private_ntru_ke_t { /** * NTRU Public Key */ - chunk_t pub_key; + ntru_public_key_t *pubkey; /** * NTRU Private Key */ - chunk_t priv_key; + ntru_private_key_t *privkey; /** * NTRU encrypted shared secret @@ -133,8 +112,6 @@ struct private_ntru_ke_t { METHOD(diffie_hellman_t, get_my_public_value, void, private_ntru_ke_t *this, chunk_t *value) { - uint16_t pub_key_len, priv_key_len; - *value = chunk_empty; if (this->responder) @@ -146,34 +123,19 @@ METHOD(diffie_hellman_t, get_my_public_value, void, } else { - if (this->pub_key.len == 0) + if (!this->pubkey) { - /* determine the NTRU public and private key sizes */ - if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id, - &pub_key_len, NULL, - &priv_key_len, NULL) != NTRU_OK) - { - DBG1(DBG_LIB, "error determining NTRU public and private key " - "sizes"); - return; - } - this->pub_key = chunk_alloc(pub_key_len); - this->priv_key = chunk_alloc(priv_key_len); - /* generate a random NTRU public/private key pair */ - if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id, - &pub_key_len, this->pub_key.ptr, - &priv_key_len, this->priv_key.ptr) != NTRU_OK) + this->privkey = ntru_private_key_create(this->drbg, this->param_set); + if (!this->privkey) { DBG1(DBG_LIB, "NTRU keypair generation failed"); - chunk_free(&this->priv_key); - chunk_free(&this->pub_key); return; } - DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key); - DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key); + this->pubkey = this->privkey->get_public_key(this->privkey); } - *value = chunk_clone(this->pub_key); + *value = chunk_clone(this->pubkey->get_encoding(this->pubkey)); + DBG3(DBG_LIB, "NTRU public key: %B", value); } } @@ -194,9 +156,7 @@ METHOD(diffie_hellman_t, get_shared_secret, status_t, METHOD(diffie_hellman_t, set_other_public_value, void, private_ntru_ke_t *this, chunk_t value) { - u_int16_t plaintext_len, ciphertext_len; - - if (this->priv_key.len) + if (this->privkey) { /* initiator decrypting shared secret */ if (value.len == 0) @@ -204,48 +164,36 @@ METHOD(diffie_hellman_t, set_other_public_value, void, DBG1(DBG_LIB, "empty NTRU ciphertext"); return; } - this->ciphertext = chunk_clone(value); - DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext); - - /* determine the size of the maximum plaintext */ - if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr, - this->ciphertext.len, this->ciphertext.ptr, - &plaintext_len, NULL) != NTRU_OK) - { - DBG1(DBG_LIB, "error determining maximum plaintext size"); - return; - } - this->shared_secret = chunk_alloc(plaintext_len); + DBG3(DBG_LIB, "NTRU ciphertext: %B", &value); /* decrypt the shared secret */ - if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr, - this->ciphertext.len, this->ciphertext.ptr, - &plaintext_len, this->shared_secret.ptr) != NTRU_OK) + if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret)) { DBG1(DBG_LIB, "NTRU decryption of shared secret failed"); - chunk_free(&this->shared_secret); return; } - this->shared_secret.len = plaintext_len; this->computed = TRUE; } else { + ntru_public_key_t *pubkey; + /* responder generating and encrypting the shared secret */ this->responder = TRUE; - /* check the NTRU public key format */ - if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3) + DBG3(DBG_LIB, "NTRU public key: %B", &value); + pubkey = ntru_public_key_create_from_data(this->drbg, value); + if (!pubkey) { - DBG1(DBG_LIB, "received NTRU public key with invalid header"); return; } - if (!memeq(value.ptr + 2, this->param_set->oid, 3)) + if (pubkey->get_id(pubkey) != this->param_set->id) { - DBG1(DBG_LIB, "received NTRU public key with wrong OID"); + DBG1(DBG_LIB, "received NTRU public key with wrong OUI"); + pubkey->destroy(pubkey); return; } - this->pub_key = chunk_clone(value); + this->pubkey = pubkey; /* shared secret size is chosen as twice the cryptographical strength */ this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE); @@ -260,25 +208,10 @@ METHOD(diffie_hellman_t, set_other_public_value, void, } this->computed = TRUE; - /* determine the size of the ciphertext */ - if (ntru_crypto_ntru_encrypt(this->drbg, - this->pub_key.len, this->pub_key.ptr, - this->shared_secret.len, this->shared_secret.ptr, - &ciphertext_len, NULL) != NTRU_OK) - { - DBG1(DBG_LIB, "error determining ciphertext size"); - return; - } - this->ciphertext = chunk_alloc(ciphertext_len); - /* encrypt the shared secret */ - if (ntru_crypto_ntru_encrypt(this->drbg, - this->pub_key.len, this->pub_key.ptr, - this->shared_secret.len, this->shared_secret.ptr, - &ciphertext_len, this->ciphertext.ptr) != NTRU_OK) + if (!pubkey->encrypt(pubkey, this->shared_secret, &this->ciphertext)) { DBG1(DBG_LIB, "NTRU encryption of shared secret failed"); - chunk_free(&this->ciphertext); return; } DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext); @@ -294,11 +227,11 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, METHOD(diffie_hellman_t, destroy, void, private_ntru_ke_t *this) { + DESTROY_IF(this->privkey); + DESTROY_IF(this->pubkey); this->drbg->destroy(this->drbg); this->entropy->destroy(this->entropy); - chunk_free(&this->pub_key); chunk_free(&this->ciphertext); - chunk_clear(&this->priv_key); chunk_clear(&this->shared_secret); free(this); } @@ -309,7 +242,7 @@ METHOD(diffie_hellman_t, destroy, void, ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) { private_ntru_ke_t *this; - param_set_t *param_sets, *param_set; + ntru_param_set_id_t *param_sets, param_set_id; rng_t *entropy; ntru_drbg_t *drbg; char *parameter_set; @@ -339,25 +272,25 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) { case NTRU_112_BIT: strength = 112; - param_set = ¶m_sets[0]; + param_set_id = param_sets[0]; break; case NTRU_128_BIT: strength = 128; - param_set = ¶m_sets[1]; + param_set_id = param_sets[1]; break; case NTRU_192_BIT: strength = 192; - param_set = ¶m_sets[2]; + param_set_id = param_sets[2]; break; case NTRU_256_BIT: strength = 256; - param_set = ¶m_sets[3]; + param_set_id = param_sets[3]; break; default: return NULL; } - DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength, - parameter_set, param_set->name); + DBG1(DBG_LIB, "%u bit %s NTRU parameter set %N selected", strength, + parameter_set, ntru_param_set_id_names, param_set_id); entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE); if (!entropy) @@ -385,7 +318,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) }, }, .group = group, - .param_set = param_set, + .param_set = ntru_param_set_get_by_id(param_set_id), .strength = strength, .entropy = entropy, .drbg = drbg, diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c b/src/libstrongswan/plugins/ntru/ntru_param_set.c index 5ddf91d2a..4af1e3091 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c +++ b/src/libstrongswan/plugins/ntru/ntru_param_set.c @@ -1,44 +1,49 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_param_sets.c is a component of ntru-crypto. +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_encrypt_param_sets.c * - * Contents: Defines the NTRUEncrypt parameter sets. + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. * - *****************************************************************************/ - -#include <stdlib.h> -#include <string.h> -#include "ntru_crypto_ntru_encrypt_param_sets.h" - - -/* parameter sets */ + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ -static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { +#include "ntru_param_set.h" + +#include <utils/test.h> + +ENUM(ntru_param_set_id_names, NTRU_EES401EP1, NTRU_EES743EP1, + "ees401ep1", + "ees449ep1", + "ees677ep1", + "ees1087ep2", + "ees541ep1", + "ees613ep1", + "ees887ep1", + "ees1171ep1", + "ees659ep1", + "ees761ep1", + "ees1087ep1", + "ees1499ep1", + "ees401ep2", + "ees439ep1", + "ees593ep1", + "ees743ep1" +); + +/** + * NTRU encryption parameter set definitions + */ +static ntru_param_set_t ntru_param_sets[] = { + /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */ { NTRU_EES401EP1, /* parameter-set id */ {0x00, 0x02, 0x04}, /* OID */ @@ -97,7 +102,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { NTRU_EES1087EP2, /* parameter-set id */ {0x00, 0x06, 0x03}, /* OID */ 0x25, /* DER id */ - 10, /* no. of bits in N (i.e., in an index) */ + 11, /* no. of bits in N (i.e., in an index) */ 1087, /* N */ 32, /* security strength in octets */ 2048, /* q */ @@ -111,6 +116,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { 1, /* lLen */ }, + /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */ { NTRU_EES541EP1, /* parameter-set id */ {0x00, 0x02, 0x05}, /* OID */ @@ -183,6 +189,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { 1, /* lLen */ }, + /* X9.98/IEEE 1363.1 parameter sets for best speed */ { NTRU_EES659EP1, /* parameter-set id */ {0x00, 0x02, 0x06}, /* OID */ @@ -255,6 +262,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { 1, /* lLen */ }, + /* Best bandwidth and speed, no X9.98 compatibility */ { NTRU_EES401EP2, /* parameter-set id */ {0x00, 0x02, 0x10}, /* OID */ @@ -329,56 +337,39 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { }; -static size_t numParamSets = - sizeof(ntruParamSets)/sizeof(NTRU_ENCRYPT_PARAM_SET); - - -/* functions */ - -/* ntru_encrypt_get_params_with_id - * - * Looks up a set of NTRUEncrypt parameters based on the id of the - * parameter set. - * - * Returns a pointer to the parameter set parameters if successful. - * Returns NULL if the parameter set cannot be found. +/** + * See header. */ - -NTRU_ENCRYPT_PARAM_SET * -ntru_encrypt_get_params_with_id( - NTRU_ENCRYPT_PARAM_SET_ID id) /* in - parameter-set id */ +ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id) { - size_t i; - - for (i = 0; i < numParamSets; i++) { - if (ntruParamSets[i].id == id) { - return &(ntruParamSets[i]); - } - } - return NULL; + int i; + + for (i = 0; i < countof(ntru_param_sets); i++) + { + if (ntru_param_sets[i].id == id) + { + return &ntru_param_sets[i]; + } + } + return NULL; } -/* ntru_encrypt_get_params_with_OID - * - * Looks up a set of NTRUEncrypt parameters based on the OID of the - * parameter set. - * - * Returns a pointer to the parameter set parameters if successful. - * Returns NULL if the parameter set cannot be found. +/** + * See header. */ - -NTRU_ENCRYPT_PARAM_SET * -ntru_encrypt_get_params_with_OID( - uint8_t const *oid) /* in - pointer to parameter-set OID */ +ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid) { - size_t i; - - for (i = 0; i < numParamSets; i++) { - if (!memcmp(ntruParamSets[i].OID, oid, 3)) { - return &(ntruParamSets[i]); - } - } - return NULL; + int i; + + for (i = 0; i < countof(ntru_param_sets); i++) + { + if (memeq(ntru_param_sets[i].oid, oid, 3)) + { + return &ntru_param_sets[i]; + } + } + return NULL; } +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id); diff --git a/src/libstrongswan/plugins/ntru/ntru_param_set.h b/src/libstrongswan/plugins/ntru/ntru_param_set.h new file mode 100644 index 000000000..df4e55333 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_param_set.h @@ -0,0 +1,118 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_param_set ntru_param_set + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_PARAM_SET_H_ +#define NTRU_PARAM_SET_H_ + +typedef enum ntru_param_set_id_t ntru_param_set_id_t; +typedef struct ntru_param_set_t ntru_param_set_t; + +#include <library.h> + +/** + * Encoding types for NTRU encryption public/private key blobs + */ +#define NTRU_PUBKEY_TAG 0x01 +#define NTRU_PRIVKEY_DEFAULT_TAG 0x02 +#define NTRU_PRIVKEY_TRITS_TAG 0xfe +#define NTRU_PRIVKEY_INDICES_TAG 0xff + +/** + * Size in octets of the OID designating the NTRU encryption parameter set + */ +#define NTRU_OID_LEN 3 + +/** + * Packing types for NTRU encryption public/private keys + */ +#define NTRU_KEY_PACKED_COEFFICIENTS 0x01 +#define NTRU_KEY_PACKED_INDICES 0x02 +#define NTRU_KEY_PACKED_TRITS 0x03 + +/** + * NTRU encryption parameter set ID list + */ +enum ntru_param_set_id_t { + /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */ + NTRU_EES401EP1, + NTRU_EES449EP1, + NTRU_EES677EP1, + NTRU_EES1087EP2, + /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */ + NTRU_EES541EP1, + NTRU_EES613EP1, + NTRU_EES887EP1, + NTRU_EES1171EP1, + /* X9.98/IEEE 1363.1 parameter sets for best speed */ + NTRU_EES659EP1, + NTRU_EES761EP1, + NTRU_EES1087EP1, + NTRU_EES1499EP1, + /* Best bandwidth and speed, no X9.98 compatibility */ + NTRU_EES401EP2, + NTRU_EES439EP1, + NTRU_EES593EP1, + NTRU_EES743EP1, +}; + +extern enum_name_t *ntru_param_set_id_names; + +/** + * NTRU encryption parameter set definitions + */ +struct ntru_param_set_t { + ntru_param_set_id_t id; /* NTRU parameter set ID */ + uint8_t oid[NTRU_OID_LEN]; /* pointer to OID */ + uint8_t der_id; /* parameter-set DER id */ + uint8_t N_bits; /* no. of bits in N (i.e. in an index */ + uint16_t N; /* ring dimension */ + uint16_t sec_strength_len; /* no. of octets of security strength */ + uint16_t q; /* big modulus */ + uint8_t q_bits; /* no. of bits in q (i.e. in a coefficient */ + bool is_product_form; /* if product form used */ + uint32_t dF_r; /* no. of +1 or -1 coefficients in ring elements + F, r */ + uint16_t dg; /* no. - 1 of +1 coefficients or + no. of -1 coefficients in ring element g */ + uint16_t m_len_max; /* max no. of plaintext octets */ + uint16_t min_msg_rep_wt; /* min. message representative weight */ + uint8_t c_bits; /* no. bits in candidate for deriving an index */ + uint8_t m_len_len; /* no. of octets to hold mLenOctets */ +}; + +/** + * Get NTRU encryption parameter set by NTRU parameter set ID + * + * @param id NTRU parameter set ID + * @return NTRU parameter set +*/ +ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id); + +/** + * Get NTRU encryption parameter set by NTRU parameter set OID + * + * @param oid NTRU parameter set OID + * @return NTRU parameter set +*/ +ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid); + +#endif /** NTRU_PARAM_SET_H_ @}*/ diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c index 3f754f2a0..77ab54a5c 100644 --- a/src/libstrongswan/plugins/ntru/ntru_poly.c +++ b/src/libstrongswan/plugins/ntru/ntru_poly.c @@ -239,11 +239,29 @@ METHOD(ntru_poly_t, destroy, void, free(this); } -static void init_indices(private_ntru_poly_t *this, bool is_product_form, - uint32_t indices_len_p, uint32_t indices_len_m) +/** + * Creates an empty ntru_poly_t object with space allocated for indices + */ +static private_ntru_poly_t* ntru_poly_create(uint16_t N, uint16_t q, + uint32_t indices_len_p, + uint32_t indices_len_m, + bool is_product_form) { + private_ntru_poly_t *this; int n; + INIT(this, + .public = { + .get_size = _get_size, + .get_indices = _get_indices, + .get_array = _get_array, + .ring_mult = _ring_mult, + .destroy = _destroy, + }, + .N = N, + .q = q, + ); + if (is_product_form) { this->num_polynomials = 3; @@ -265,6 +283,8 @@ static void init_indices(private_ntru_poly_t *this, bool is_product_form, this->num_indices = indices_len_p + indices_len_m; } this->indices = malloc(sizeof(uint16_t) * this->num_indices); + + return this; } /* @@ -291,19 +311,8 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed, } i = hash_len = mgf1->get_hash_size(mgf1); - INIT(this, - .public = { - .get_size = _get_size, - .get_indices = _get_indices, - .get_array = _get_array, - .ring_mult = _ring_mult, - .destroy = _destroy, - }, - .N = N, - .q = q, - ); + this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form); - init_indices(this, is_product_form, indices_len_p, indices_len_m); used = malloc(N); limit = N * ((1 << c_bits) / N); @@ -390,19 +399,8 @@ ntru_poly_t *ntru_poly_create_from_data(uint16_t *data, uint16_t N, uint16_t q, private_ntru_poly_t *this; int i; - INIT(this, - .public = { - .get_size = _get_size, - .get_indices = _get_indices, - .get_array = _get_array, - .ring_mult = _ring_mult, - .destroy = _destroy, - }, - .N = N, - .q = q, - ); + this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form); - init_indices(this, is_product_form, indices_len_p, indices_len_m); for (i = 0; i < this->num_indices; i++) { this->indices[i] = data[i]; diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.c b/src/libstrongswan/plugins/ntru/ntru_private_key.c new file mode 100644 index 000000000..fa87fe9c3 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_private_key.c @@ -0,0 +1,892 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ntru_private_key.h" +#include "ntru_trits.h" +#include "ntru_poly.h" +#include "ntru_convert.h" + +#include <utils/debug.h> +#include <utils/test.h> + +typedef struct private_ntru_private_key_t private_ntru_private_key_t; + +/** + * Private data of an ntru_private_key_t object. + */ +struct private_ntru_private_key_t { + + /** + * Public ntru_private_key_t interface. + */ + ntru_private_key_t public; + + /** + * NTRU Parameter Set + */ + ntru_param_set_t *params; + + /** + * Polynomial F which is the private key + */ + ntru_poly_t *privkey; + + /** + * Polynomial h which is the public key + */ + uint16_t *pubkey; + + /** + * Encoding of the private key + */ + chunk_t encoding; + + /** + * Deterministic Random Bit Generator + */ + ntru_drbg_t *drbg; + +}; + +METHOD(ntru_private_key_t, get_id, ntru_param_set_id_t, + private_ntru_private_key_t *this) +{ + return this->params->id; +} + +METHOD(ntru_private_key_t, get_public_key, ntru_public_key_t*, + private_ntru_private_key_t *this) +{ + return ntru_public_key_create(this->drbg, this->params, this->pubkey); +} + +/** + * Generate NTRU encryption private key encoding + */ +static void generate_encoding(private_ntru_private_key_t *this) +{ + size_t pubkey_len, privkey_len, privkey_trits_len, privkey_indices_len; + int privkey_pack_type; + uint16_t *indices; + uint8_t *trits; + u_char *enc; + + /* compute public key length encoded as packed coefficients */ + pubkey_len = (this->params->N * this->params->q_bits + 7) / 8; + + /* compute private key length encoded as packed trits coefficients */ + privkey_trits_len = (this->params->N + 4) / 5; + + /* compute private key length encoded as packed indices */ + privkey_indices_len = (this->privkey->get_size(this->privkey) * + this->params->N_bits + 7) / 8; + + if (this->params->is_product_form || + privkey_indices_len <= privkey_trits_len) + { + privkey_pack_type = NTRU_KEY_PACKED_INDICES; + privkey_len = privkey_indices_len; + } + else + { + privkey_pack_type = NTRU_KEY_PACKED_TRITS; + privkey_len = privkey_trits_len; + } + + /* allocate memory for private key encoding */ + this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len + privkey_len); + enc = this->encoding.ptr; + + /* format header and packed public key */ + *enc++ = NTRU_PRIVKEY_DEFAULT_TAG; + *enc++ = NTRU_OID_LEN; + memcpy(enc, this->params->oid, NTRU_OID_LEN); + enc += NTRU_OID_LEN; + ntru_elements_2_octets(this->params->N, this->pubkey, + this->params->q_bits, enc); + enc += pubkey_len; + + /* add packed private key */ + indices = this->privkey->get_indices(this->privkey); + + if (privkey_pack_type == NTRU_KEY_PACKED_TRITS) + { + /* encode private key as packed trits */ + trits = malloc(this->params->N); + ntru_indices_2_packed_trits(indices, this->params->dF_r, + this->params->dF_r, this->params->N, trits, enc); + memwipe(trits, this->params->N); + free(trits); + } + else + { + /* encode private key as packed indices */ + ntru_elements_2_octets(this->privkey->get_size(this->privkey), + indices, this->params->N_bits, enc); + } +} + +METHOD(ntru_private_key_t, get_encoding, chunk_t, + private_ntru_private_key_t *this) +{ + return this->encoding; +} + +/** + * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed + * a minimum weight. + * + * @param N degree of polynomial + * @param t array of trinary ring elements + * @param min_wt minimum weight + * @return TRUE if minimum weight met or exceeded + */ +bool ntru_check_min_weight(uint16_t N, uint8_t *t, uint16_t min_wt) +{ + uint16_t wt[3]; + bool success; + int i; + + wt[0] = wt[1] = wt[2] = 0; + + for (i = 0; i < N; i++) + { + ++wt[t[i]]; + } + success = (wt[0] >= min_wt) && (wt[1] >= min_wt) && (wt[2] >= min_wt); + + DBG2(DBG_LIB, "minimum weight = %u, so -1: %u, 0: %u, +1: %u is %sok", + min_wt, wt[2], wt[0], wt[1], success ? "" : "not "); + + return success; +} + +METHOD(ntru_private_key_t, decrypt, bool, + private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext) +{ + hash_algorithm_t hash_algid; + size_t t_len, seed1_len, seed2_len; + uint16_t *t1, *t2, *t = NULL; + uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros; + uint8_t *Mtrin, *M, *cm, *mask_trits, *ptr; + int16_t m1 = 0; + chunk_t seed = chunk_empty; + ntru_trits_t *mask; + ntru_poly_t *r_poly; + bool msg_rep_good, success = TRUE; + int i; + + *plaintext = chunk_empty; + + if (ciphertext.len != (this->params->N * this->params->q_bits + 7) / 8) + { + DBG1(DBG_LIB, "wrong NTRU ciphertext length"); + return FALSE; + } + + /* allocate temporary array t */ + t_len = 2 * this->params->N * sizeof(uint16_t); + t = malloc(t_len); + t1 = t; + t2 = t + this->params->N; + Mtrin = (uint8_t *)t1; + M = Mtrin + this->params->N; + + /* set hash algorithm based on security strength */ + hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 : + HASH_SHA256; + + /* set constants */ + mod_q_mask = this->params->q - 1; + q_mod_p = this->params->q % 3; + + /* unpack the ciphertext */ + ntru_octets_2_elements(ciphertext.len, ciphertext.ptr, + this->params->q_bits, t2); + + /* form cm': + * F * e + * A = e * (1 + pF) mod q = e + pFe mod q + * a = A in the range [-q/2, q/2) + * cm' = a mod p + */ + this->privkey->ring_mult(this->privkey, t2, t1); + + cmprime_len = this->params->N; + if (this->params->is_product_form) + { + --cmprime_len; + for (i = 0; i < cmprime_len; i++) + { + t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask; + if (t1[i] >= (this->params->q / 2)) + { + t1[i] -= q_mod_p; + } + Mtrin[i] = (uint8_t)(t1[i] % 3); + if (Mtrin[i] == 1) + { + ++m1; + } + else if (Mtrin[i] == 2) + { + --m1; + } + } + } + else + { + for (i = 0; i < cmprime_len; i++) + { + t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask; + if (t1[i] >= (this->params->q / 2)) + { + t1[i] -= q_mod_p; + } + Mtrin[i] = (uint8_t)(t1[i] % 3); + } + } + + /** + * check that the candidate message representative meets + * minimum weight requirements + */ + if (this->params->is_product_form) + { + msg_rep_good = (abs(m1) <= this->params->min_msg_rep_wt); + } + else + { + msg_rep_good = ntru_check_min_weight(cmprime_len, Mtrin, + this->params->min_msg_rep_wt); + } + if (!msg_rep_good) + { + DBG1(DBG_LIB, "decryption failed due to unsufficient minimum weight"); + success = FALSE; + } + + /* form cR = e - cm' mod q */ + for (i = 0; i < cmprime_len; i++) + { + if (Mtrin[i] == 1) + { + t2[i] = (t2[i] - 1) & mod_q_mask; + } + else if (Mtrin[i] == 2) + { + t2[i] = (t2[i] + 1) & mod_q_mask; + } + } + if (this->params->is_product_form) + { + t2[i] = (t2[i] + m1) & mod_q_mask; + } + + /* allocate memory for the larger of the two seeds */ + seed1_len = (this->params->N + 3)/4; + seed2_len = 3 + 2*this->params->sec_strength_len + this->params->m_len_max; + seed = chunk_alloc(max(seed1_len, seed2_len)); + seed.len = seed1_len; + + /* form cR mod 4 */ + ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr); + + /* form mask */ + mask = ntru_trits_create(this->params->N, hash_algid, seed); + if (!mask) + { + DBG1(DBG_LIB, "mask creation failed"); + success = FALSE; + goto err; + } + + mask_trits = mask->get_trits(mask); + + /* form cMtrin by subtracting mask from cm', mod p */ + for (i = 0; i < cmprime_len; i++) + { + Mtrin[i] -= mask_trits[i]; + if (Mtrin[i] >= 3) + { + Mtrin[i] += 3; + } + } + mask->destroy(mask); + + if (this->params->is_product_form) + { + /* set the last trit to zero since that's what it was, and + * because it can't be calculated from (cm' - mask) since + * we don't have the correct value for the last cm' trit + */ + Mtrin[i] = 0; + } + + /* convert cMtrin to cM (Mtrin to Mbin) */ + if (!ntru_trits_2_bits(Mtrin, this->params->N, M)) + { + success = FALSE; + goto err; + } + + /* skip the random padding */ + ptr = M + this->params->sec_strength_len; + + /* validate the padded message cM and copy cm to m_buf */ + if (this->params->m_len_len == 2) + { + cm_len = (uint16_t)(*ptr++) << 16; + } + cm_len |= (uint16_t)(*ptr++); + + if (cm_len > this->params->m_len_max) + { + cm_len = this->params->m_len_max; + DBG1(DBG_LIB, "NTRU message length is larger than maximum length"); + success = FALSE; + } + cm = ptr; + ptr += cm_len; + + /* check if the remaining padding consists of zeros */ + num_zeros = this->params->m_len_max - cm_len + 1; + for (i = 0; i < num_zeros; i++) + { + if (ptr[i] != 0) + { + DBG1(DBG_LIB, "non-zero trailing padding detected"); + success = FALSE; + break; + } + } + + /* form sData (OID || m || b || hTrunc) */ + ptr = seed.ptr; + memcpy(ptr, this->params->oid, 3); + ptr += 3; + memcpy(ptr, cm, cm_len); + ptr += cm_len; + memcpy(ptr, M, this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN, + this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + seed.len = ptr - seed.ptr; + + /* generate cr */ + DBG2(DBG_LIB, "generate polynomial r"); + r_poly = ntru_poly_create_from_seed(hash_algid, seed, + this->params->c_bits, this->params->N, + this->params->q, this->params->dF_r, + this->params->dF_r, this->params->is_product_form); + if (!r_poly) + { + success = FALSE; + goto err; + } + + /* output plaintext in allocated chunk */ + *plaintext = chunk_clone(chunk_create(cm, cm_len)); + + /* form cR' = h * cr */ + r_poly->ring_mult(r_poly, this->pubkey, t1); + r_poly->destroy(r_poly); + + /* compare cR' to cR */ + for (i = 0; i < this->params->N; i++) + { + if (t[i] != t2[i]) + { + DBG1(DBG_LIB, "cR' does not equal cR'"); + chunk_clear(plaintext); + success = FALSE; + break; + } + } + memwipe(t, t_len); + +err: + /* cleanup */ + chunk_clear(&seed); + free(t); + + return success; +} + +METHOD(ntru_private_key_t, destroy, void, + private_ntru_private_key_t *this) +{ + DESTROY_IF(this->privkey); + this->drbg->destroy(this->drbg); + chunk_clear(&this->encoding); + free(this->pubkey); + free(this); +} + +/** + * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" + * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). + * This is a convolution operation. + * + * Ring element "b" has coefficients in the range [0,N). + * + * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum + * beyond 16 bits does not matter. + * + * @param a polynomial a + * @param b polynomial b + * @param N no. of coefficients in a, b, c + * @param q large modulus + * @param c polynomial c = a * b + */ +static void ring_mult_c(uint16_t *a, uint16_t *b, uint16_t N, uint16_t q, + uint16_t *c) +{ + uint16_t *bptr = b; + uint16_t mod_q_mask = q - 1; + int i, k; + + /* c[k] = sum(a[i] * b[k-i]) mod q */ + memset(c, 0, N * sizeof(uint16_t)); + for (k = 0; k < N; k++) + { + i = 0; + while (i <= k) + { + c[k] += a[i++] * *bptr--; + } + bptr += N; + while (i < N) + { + c[k] += a[i++] * *bptr--; + } + c[k] &= mod_q_mask; + ++bptr; + } +} + +/** + * Finds the inverse of a polynomial a in (Z/2^rZ)[X]/(X^N - 1). + * + * This assumes q is 2^r where 8 < r < 16, so that operations mod q can + * wait until the end, and only 16-bit arrays need to be used. + * + * @param a polynomial a + * @param N no. of coefficients in a + * @param q large modulus + * @param t temporary buffer of size 2N elements + * @param a_inv polynomial for inverse of a + */ +static bool ring_inv(uint16_t *a, uint16_t N, uint16_t q, uint16_t *t, + uint16_t *a_inv) +{ + uint8_t *b = (uint8_t *)t; + uint8_t *c = b + N; + uint8_t *f = c + N; + uint8_t *g = (uint8_t *)a_inv; + uint16_t *t2 = t + N; + uint16_t deg_b, deg_c, deg_f, deg_g; + bool done = FALSE; + int i, j, k = 0; + + /* form a^-1 in (Z/2Z)[X]/X^N - 1) */ + memset(b, 0, 2 * N); /* clear to init b, c */ + + /* b(X) = 1 */ + b[0] = 1; + deg_b = 0; + + /* c(X) = 0 (cleared above) */ + deg_c = 0; + + /* f(X) = a(X) mod 2 */ + for (i = 0; i < N; i++) + { + f[i] = (uint8_t)(a[i] & 1); + } + deg_f = N - 1; + + /* g(X) = X^N - 1 */ + g[0] = 1; + memset(g + 1, 0, N - 1); + g[N] = 1; + deg_g = N; + + /* until f(X) = 1 */ + while (!done) + { + /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */ + for (i = 0; (i <= deg_f) && (f[i] == 0); ++i); + + if (i > deg_f) + { + return FALSE; + } + if (i) + { + f = f + i; + deg_f = deg_f - i; + deg_c = deg_c + i; + for (j = deg_c; j >= i; j--) + { + c[j] = c[j-i]; + } + for (j = 0; j < i; j++) + { + c[j] = 0; + } + k = k + i; + } + + /* adjust degree of f(X) if the highest coefficients are zero + * Note: f[0] = 1 from above so the loop will terminate. + */ + while (f[deg_f] == 0) + { + --deg_f; + } + + /* if f(X) = 1, done + * Note: f[0] = 1 from above, so only check the x term and up + */ + for (i = 1; (i <= deg_f) && (f[i] == 0); ++i); + + if (i > deg_f) + { + done = TRUE; + break; + } + + /* if deg_f < deg_g, f <-> g, b <-> c */ + if (deg_f < deg_g) + { + uint8_t *x; + + x = f; + f = g; + g = x; + deg_f ^= deg_g; + deg_g ^= deg_f; + deg_f ^= deg_g; + x = b; + b = c; + c = x; + deg_b ^= deg_c; + deg_c ^= deg_b; + deg_b ^= deg_c; + } + + /* f(X) += g(X), b(X) += c(X) */ + for (i = 0; i <= deg_g; i++) + { + f[i] ^= g[i]; + } + if (deg_c > deg_b) + { + deg_b = deg_c; + } + for (i = 0; i <= deg_c; i++) + { + b[i] ^= c[i]; + } + } + + /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */ + j = 0; + if (k >= N) + { + k = k - N; + } + for (i = k; i < N; i++) + { + a_inv[j++] = (uint16_t)(b[i]); + } + for (i = 0; i < k; i++) + { + a_inv[j++] = (uint16_t)(b[i]); + } + + /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */ + for (j = 0; j < 4; ++j) /* assumes 256 < q <= 65536 */ + { + /* a^-1 = a^-1 * (2 - a * a^-1) mod q */ + memcpy(t2, a_inv, N * sizeof(uint16_t)); + ring_mult_c(a, t2, N, q, t); + for (i = 0; i < N; ++i) + { + t[i] = q - t[i]; + } + t[0] = t[0] + 2; + ring_mult_c(t2, t, N, q, a_inv); + } + + return TRUE; +} + +/* + * Described in header. + */ +ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, + ntru_param_set_t *params) +{ + private_ntru_private_key_t *this; + size_t t_len; + uint16_t *t1, *t2, *t = NULL; + uint16_t mod_q_mask; + hash_algorithm_t hash_algid; + ntru_poly_t *g_poly; + chunk_t seed; + int i; + + INIT(this, + .public = { + .get_id = _get_id, + .get_public_key = _get_public_key, + .get_encoding = _get_encoding, + .decrypt = _decrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + .drbg = drbg->get_ref(drbg), + ); + + /* set hash algorithm and seed length based on security strength */ + if (params->sec_strength_len <= 20) + { + hash_algid = HASH_SHA1; + } + else + { + hash_algid = HASH_SHA256; + } + seed =chunk_alloc(params->sec_strength_len + 8); + + /* get random seed for generating trinary F as a list of indices */ + if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, + seed.len, seed.ptr)) + { + goto err; + } + + DBG2(DBG_LIB, "generate polynomial F"); + this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, + params->N, params->q, + params->dF_r, params->dF_r, + params->is_product_form); + if (!this->privkey) + { + goto err; + } + + /* allocate temporary array t */ + t_len = 3 * params->N * sizeof(uint16_t); + t = malloc(t_len); + t1 = t + 2 * params->N; + + /* extend sparse private key polynomial f to N array elements */ + this->privkey->get_array(this->privkey, t1); + + /* set mask for large modulus */ + mod_q_mask = params->q - 1; + + /* form f = 1 + pF */ + for (i = 0; i < params->N; i++) + { + t1[i] = (t1[i] * 3) & mod_q_mask; + } + t1[0] = (t1[0] + 1) & mod_q_mask; + + /* use the public key array as a temporary buffer */ + t2 = this->pubkey; + + /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */ + if (!ring_inv(t1, params->N, params->q, t, t2)) + { + goto err; + } + + /* get random seed for generating trinary g as a list of indices */ + if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, + seed.len, seed.ptr)) + { + goto err; + } + + DBG2(DBG_LIB, "generate polynomial g"); + g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, + params->N, params->q, params->dg + 1, + params->dg, FALSE); + if (!g_poly) + { + goto err; + } + + /* compute public key polynomial h = p * (f^-1 * g) mod q */ + g_poly->ring_mult(g_poly, t2, t2); + g_poly->destroy(g_poly); + + for (i = 0; i < params->N; i++) + { + this->pubkey[i] = (t2[i] * 3) & mod_q_mask; + } + + /* cleanup temporary storage */ + chunk_clear(&seed); + memwipe(t, t_len); + free(t); + + /* generate private key encoding */ + generate_encoding(this); + + return &this->public; + +err: + chunk_free(&seed); + free(t); + destroy(this); + + return NULL; +} + +/* + * Described in header. + */ +ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg, + chunk_t data) +{ + private_ntru_private_key_t *this; + size_t header_len, pubkey_packed_len, privkey_packed_len; + size_t privkey_packed_trits_len, privkey_packed_indices_len; + uint8_t *privkey_packed, tag; + uint16_t *indices, dF; + ntru_param_set_t *params; + + header_len = 2 + NTRU_OID_LEN; + + /* check the NTRU public key header format */ + if (data.len < header_len || + !(data.ptr[0] == NTRU_PRIVKEY_DEFAULT_TAG || + data.ptr[0] == NTRU_PRIVKEY_TRITS_TAG || + data.ptr[0] == NTRU_PRIVKEY_INDICES_TAG) || + data.ptr[1] != NTRU_OID_LEN) + { + DBG1(DBG_LIB, "loaded NTRU private key with invalid header"); + return NULL; + } + tag = data.ptr[0]; + params = ntru_param_set_get_by_oid(data.ptr + 2); + + if (!params) + { + DBG1(DBG_LIB, "loaded NTRU private key with unknown OID"); + return NULL; + } + + pubkey_packed_len = (params->N * params->q_bits + 7) / 8; + privkey_packed_trits_len = (params->N + 4) / 5; + + /* check packing type for product-form private keys */ + if (params->is_product_form && tag == NTRU_PRIVKEY_TRITS_TAG) + { + DBG1(DBG_LIB, "a product-form NTRU private key cannot be trits-encoded"); + return NULL; + } + + /* set packed-key length for packed indices */ + if (params->is_product_form) + { + dF = (uint16_t)((params->dF_r & 0xff) + /* df1 */ + ((params->dF_r >> 8) & 0xff) + /* df2 */ + ((params->dF_r >> 16) & 0xff)); /* df3 */ + } + else + { + dF = (uint16_t)params->dF_r; + } + privkey_packed_indices_len = (2 * dF * params->N_bits + 7) / 8; + + /* set private-key packing type if defaulted */ + if (tag == NTRU_PRIVKEY_DEFAULT_TAG) + { + if (params->is_product_form || + privkey_packed_indices_len <= privkey_packed_trits_len) + { + tag = NTRU_PRIVKEY_INDICES_TAG; + } + else + { + tag = NTRU_PRIVKEY_TRITS_TAG; + } + } + privkey_packed_len = (tag == NTRU_PRIVKEY_TRITS_TAG) ? + privkey_packed_trits_len : privkey_packed_indices_len; + + if (data.len < header_len + pubkey_packed_len + privkey_packed_len) + { + DBG1(DBG_LIB, "loaded NTRU private key with wrong packed key size"); + return NULL; + } + + INIT(this, + .public = { + .get_id = _get_id, + .get_public_key = _get_public_key, + .get_encoding = _get_encoding, + .decrypt = _decrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + .encoding = chunk_clone(data), + .drbg = drbg->get_ref(drbg), + ); + + /* unpack the encoded public key */ + ntru_octets_2_elements(pubkey_packed_len, data.ptr + header_len, + params->q_bits, this->pubkey); + + /* allocate temporary memory for indices */ + indices = malloc(2 * dF * sizeof(uint16_t)); + + /* unpack the private key */ + privkey_packed = data.ptr + header_len + pubkey_packed_len; + if (tag == NTRU_PRIVKEY_TRITS_TAG) + { + ntru_packed_trits_2_indices(privkey_packed, params->N, + indices, indices + dF); + } + else + { + ntru_octets_2_elements(privkey_packed_indices_len, privkey_packed, + params->N_bits, indices); + } + this->privkey = ntru_poly_create_from_data(indices, params->N, params->q, + params->dF_r, params->dF_r, + params->is_product_form); + + /* cleanup */ + memwipe(indices, 2 * dF * sizeof(uint16_t)); + free(indices); + + return &this->public; +} + +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create); + +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create_from_data); diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.h b/src/libstrongswan/plugins/ntru/ntru_private_key.h new file mode 100644 index 000000000..c6f08440f --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_private_key.h @@ -0,0 +1,92 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_private_key ntru_private_key + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_PRIVATE_KEY_H_ +#define NTRU_PRIVATE_KEY_H_ + +typedef struct ntru_private_key_t ntru_private_key_t; + +#include "ntru_drbg.h" +#include "ntru_param_set.h" +#include "ntru_public_key.h" + +#include <library.h> + +/** + * Implements an NTRU encryption public/private key pair + */ +struct ntru_private_key_t { + + /** + * Returns NTRU parameter set ID of the private key + * + * @return NTRU parameter set ID + */ + ntru_param_set_id_t (*get_id)(ntru_private_key_t *this); + + /** + * Returns the NTRU encryption public key as an encoded binary blob + * + * @return NTRU encryption public key (must be freed after use) + */ + ntru_public_key_t* (*get_public_key)(ntru_private_key_t *this); + + /** + * Returns the packed encoding of the NTRU encryption private key + * + * @return Packed encoding of NTRU encryption private key + */ + chunk_t (*get_encoding)(ntru_private_key_t *this); + + /** + * Decrypts an NTRU ciphertext + * + * @param ciphertext NTRU Ciphertext + * @param plaintext Plaintext + * @return TRUE if decryption was successful + */ + bool (*decrypt)(ntru_private_key_t *this, chunk_t ciphertext, + chunk_t *plaintext); + + /** + * Destroy ntru_private_key_t object + */ + void (*destroy)(ntru_private_key_t *this); +}; + +/** + * Creates an NTRU encryption public/private key pair using a NIST DRBG + * + * @param drbg Digital Random Bit Generator used for key generation + * @param params NTRU encryption parameter set to be used + */ +ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params); + +/** + * Creates an NTRU encryption private key from encoding + * + * @param drbg Deterministic random bit generator + * @param data Encoded NTRU private key + */ +ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg, + chunk_t data); + +#endif /** NTRU_PRIVATE_KEY_H_ @}*/ + diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.c b/src/libstrongswan/plugins/ntru/ntru_public_key.c new file mode 100644 index 000000000..a2ff1b2b0 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_public_key.c @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ntru_public_key.h" +#include "ntru_trits.h" +#include "ntru_poly.h" +#include "ntru_convert.h" + +#include <utils/debug.h> +#include <utils/test.h> + +typedef struct private_ntru_public_key_t private_ntru_public_key_t; + +/** + * Private data of an ntru_public_key_t object. + */ +struct private_ntru_public_key_t { + /** + * Public ntru_public_key_t interface. + */ + ntru_public_key_t public; + + /** + * NTRU Parameter Set + */ + ntru_param_set_t *params; + + /** + * Polynomial h which is the public key + */ + uint16_t *pubkey; + + /** + * Encoding of the public key + */ + chunk_t encoding; + + /** + * Deterministic Random Bit Generator + */ + ntru_drbg_t *drbg; + +}; + +METHOD(ntru_public_key_t, get_id, ntru_param_set_id_t, + private_ntru_public_key_t *this) +{ + return this->params->id; +} + +/** + * Generate NTRU encryption public key encoding + */ +static void generate_encoding(private_ntru_public_key_t *this) +{ + size_t pubkey_len; + u_char *enc; + + /* compute public key length encoded as packed coefficients */ + pubkey_len = (this->params->N * this->params->q_bits + 7) / 8; + + /* allocate memory for public key encoding */ + this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len); + enc = this->encoding.ptr; + + /* format header and packed public key */ + *enc++ = NTRU_PUBKEY_TAG; + *enc++ = NTRU_OID_LEN; + memcpy(enc, this->params->oid, NTRU_OID_LEN); + enc += NTRU_OID_LEN; + ntru_elements_2_octets(this->params->N, this->pubkey, + this->params->q_bits, enc); +} + +METHOD(ntru_public_key_t, get_encoding, chunk_t, + private_ntru_public_key_t *this) +{ + return this->encoding; +} + +#define MAX_SEC_STRENGTH_LEN 32 /* bytes */ + +/** + * Shared with ntru_private_key.c + */ +extern bool ntru_check_min_weight(uint16_t N, uint8_t *t, uint16_t min_wt); + +METHOD(ntru_public_key_t, encrypt, bool, + private_ntru_public_key_t *this, chunk_t plaintext, chunk_t *ciphertext) +{ + hash_algorithm_t hash_algid; + size_t t_len, seed1_len, seed2_len; + uint16_t *t1, *t = NULL; + uint8_t b[MAX_SEC_STRENGTH_LEN]; + uint8_t *t2, *Mtrin, *M, *mask_trits, *ptr; + uint16_t mod_q_mask, mprime_len = 0; + int16_t m1 = 0; + chunk_t seed = chunk_empty; + ntru_trits_t *mask; + ntru_poly_t *r_poly; + bool msg_rep_good, success = FALSE; + int i; + + *ciphertext = chunk_empty; + + if (plaintext.len > this->params->m_len_max) + { + DBG1(DBG_LIB, "plaintext exceeds maximum size"); + return FALSE; + } + + if (this->params->sec_strength_len > MAX_SEC_STRENGTH_LEN) + { + DBG1(DBG_LIB, "required security strength exceeds %d bits", + MAX_SEC_STRENGTH_LEN * BITS_PER_BYTE); + return FALSE; + } + + /* allocate temporary array t */ + t_len = (sizeof(uint16_t) + 3*sizeof(uint8_t)) * this->params->N; + t = malloc(t_len); + t1 = t; + t2 = (uint8_t *)(t1 + this->params->N); + Mtrin = t2 + this->params->N; + M = Mtrin + this->params->N; + + /* set hash algorithm based on security strength */ + hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 : + HASH_SHA256; + /* set constants */ + mod_q_mask = this->params->q - 1; + + /* allocate memory for the larger of the two seeds */ + seed1_len = (this->params->N + 3)/4; + seed2_len = 3 + 2*this->params->sec_strength_len + plaintext.len; + seed = chunk_alloc(max(seed1_len, seed2_len)); + + /* loop until a message representative with proper weight is achieved */ + do + { + if (!this->drbg->generate(this->drbg, + this->params->sec_strength_len * BITS_PER_BYTE, + this->params->sec_strength_len, b)) + { + goto err; + } + + /* form sData (OID || m || b || hTrunc) */ + ptr = seed.ptr; + memcpy(ptr, this->params->oid, NTRU_OID_LEN); + ptr += NTRU_OID_LEN; + memcpy(ptr, plaintext.ptr, plaintext.len); + ptr += plaintext.len; + memcpy(ptr, b, this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN, + this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + seed.len = seed2_len; + + DBG2(DBG_LIB, "generate polynomial r"); + r_poly = ntru_poly_create_from_seed(hash_algid, seed, this->params->c_bits, + this->params->N, this->params->q, + this->params->dF_r, this->params->dF_r, + this->params->is_product_form); + if (!r_poly) + { + goto err; + } + + /* form R = h * r */ + r_poly->ring_mult(r_poly, this->pubkey, t1); + r_poly->destroy(r_poly); + + /* form R mod 4 */ + ntru_coeffs_mod4_2_octets(this->params->N, t1, seed.ptr); + seed.len = seed1_len; + + /* form mask */ + mask = ntru_trits_create(this->params->N, hash_algid, seed); + if (!mask) + { + DBG1(DBG_LIB, "mask creation failed"); + goto err; + } + + /* form the padded message M */ + ptr = M; + memcpy(ptr, b, this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + if (this->params->m_len_len == 2) + { + *ptr++ = (uint8_t)((plaintext.len >> 8) & 0xff); + } + *ptr++ = (uint8_t)(plaintext.len & 0xff); + memcpy(ptr, plaintext.ptr, plaintext.len); + ptr += plaintext.len; + + /* add an extra zero byte in case without it the bit string + * is not a multiple of 3 bits and therefore might not be + * able to produce enough trits + */ + memset(ptr, 0, this->params->m_len_max - plaintext.len + 2); + + /* convert M to trits (Mbin to Mtrin) */ + mprime_len = this->params->N; + if (this->params->is_product_form) + { + --mprime_len; + } + ntru_bits_2_trits(M, mprime_len, Mtrin); + mask_trits = mask->get_trits(mask); + + + /* form the msg representative m' by adding Mtrin to mask, mod p */ + if (this->params->is_product_form) + { + m1 = 0; + for (i = 0; i < mprime_len; i++) + { + t2[i] = mask_trits[i] + Mtrin[i]; + if (t2[i] >= 3) + { + t2[i] -= 3; + } + if (t2[i] == 1) + { + ++m1; + } + else if (t2[i] == 2) + { + --m1; + } + } + } + else + { + for (i = 0; i < mprime_len; i++) + { + t2[i] = mask_trits[i] + Mtrin[i]; + if (t2[i] >= 3) + { + t2[i] -= 3; + } + } + } + mask->destroy(mask); + + /* check that message representative meets minimum weight + * requirements + */ + if (this->params->is_product_form) + { + msg_rep_good = (abs(m1) <= this->params->min_msg_rep_wt); + } + else + { + msg_rep_good = ntru_check_min_weight(mprime_len, t2, + this->params->min_msg_rep_wt); + } + } + while (!msg_rep_good); + + /* form ciphertext e by adding m' to R mod q */ + for (i = 0; i < mprime_len; i++) + { + if (t2[i] == 1) + { + t1[i] = (t1[i] + 1) & mod_q_mask; + } + else if (t2[i] == 2) + { + t1[i] = (t1[i] - 1) & mod_q_mask; + } + } + if (this->params->is_product_form) + { + t1[i] = (t1[i] - m1) & mod_q_mask; + } + + /* pack ciphertext */ + *ciphertext = chunk_alloc((this->params->N * this->params->q_bits + 7) / 8); + ntru_elements_2_octets(this->params->N, t1, this->params->q_bits, + ciphertext->ptr); + + memwipe(t, t_len); + success = TRUE; + +err: + /* cleanup */ + chunk_clear(&seed); + free(t); + + return success; +} +METHOD(ntru_public_key_t, destroy, void, + private_ntru_public_key_t *this) +{ + this->drbg->destroy(this->drbg); + chunk_clear(&this->encoding); + free(this->pubkey); + free(this); +} + +/* + * Described in header. + */ +ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg, + ntru_param_set_t *params, + uint16_t *pubkey) +{ + private_ntru_public_key_t *this; + int i; + + INIT(this, + .public = { + .get_id = _get_id, + .get_encoding = _get_encoding, + .encrypt = _encrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + .drbg = drbg->get_ref(drbg), + ); + + for (i = 0; i < params->N; i++) + { + this->pubkey[i] = pubkey[i]; + } + + /* generate public key encoding */ + generate_encoding(this); + + return &this->public; +} + +/* + * Described in header. + */ +ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg, + chunk_t data) +{ + private_ntru_public_key_t *this; + size_t header_len, pubkey_packed_len; + ntru_param_set_t *params; + + header_len = 2 + NTRU_OID_LEN; + + /* check the NTRU public key header format */ + if (data.len < header_len || + data.ptr[0] != NTRU_PUBKEY_TAG || + data.ptr[1] != NTRU_OID_LEN) + { + DBG1(DBG_LIB, "received NTRU public key with invalid header"); + return NULL; + } + params = ntru_param_set_get_by_oid(data.ptr + 2); + + if (!params) + { + DBG1(DBG_LIB, "received NTRU public key with unknown OID"); + return NULL; + } + + pubkey_packed_len = (params->N * params->q_bits + 7) / 8; + + if (data.len < header_len + pubkey_packed_len) + { + DBG1(DBG_LIB, "received NTRU public key with wrong packed key size"); + return NULL; + } + + INIT(this, + .public = { + .get_id = _get_id, + .get_encoding = _get_encoding, + .encrypt = _encrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + .encoding = chunk_clone(data), + .drbg = drbg->get_ref(drbg), + ); + + /* unpack the encoded public key */ + ntru_octets_2_elements(pubkey_packed_len, data.ptr + header_len, + params->q_bits, this->pubkey); + + return &this->public; +} + +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_public_key_create_from_data); diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.h b/src/libstrongswan/plugins/ntru/ntru_public_key.h new file mode 100644 index 000000000..baa8eabcd --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_public_key.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_public_key ntru_public_key + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_PUBLIC_KEY_H_ +#define NTRU_PUBLIC_KEY_H_ + +typedef struct ntru_public_key_t ntru_public_key_t; + +#include "ntru_param_set.h" +#include "ntru_drbg.h" + +#include <library.h> + +/** + * Implements an NTRU encryption public key + */ +struct ntru_public_key_t { + + /** + * Returns NTRU parameter set ID of the public key + * + * @return NTRU parameter set ID + */ + ntru_param_set_id_t (*get_id)(ntru_public_key_t *this); + + /** + * Returns the packed encoding of the NTRU encryption public key + * + * @return Packed encoding of NTRU encryption public key + */ + chunk_t (*get_encoding)(ntru_public_key_t *this); + + /** + * Encrypts a plaintext with the NTRU public key + * + * @param ciphertext Plaintext + * @param plaintext Ciphertext + * @return TRUE if encryption was successful + */ + bool (*encrypt)(ntru_public_key_t *this, chunk_t plaintext, + chunk_t *ciphertext); + + /** + * Destroy ntru_public_key_t object + */ + void (*destroy)(ntru_public_key_t *this); +}; + +/** + * Creates an NTRU encryption public key from coefficients + * + * @param drbg Deterministic random bit generator + * @param params NTRU encryption parameter set to be used + * @param pubkey Coefficients of public key polynomial h + */ +ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg, + ntru_param_set_t *params, + uint16_t *pubkey); + +/** + * Creates an NTRU encryption public key from encoding + * + * @param drbg Deterministic random bit generator + * @param data Encoded NTRU public key + */ +ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg, + chunk_t data); + + +#endif /** NTRU_PUBLIC_KEY_H_ @}*/ + diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c index f82501629..1abb7671c 100644 --- a/src/libstrongswan/plugins/ntru/ntru_trits.c +++ b/src/libstrongswan/plugins/ntru/ntru_trits.c @@ -15,8 +15,7 @@ #include "ntru_trits.h" #include "ntru_mgf1.h" - -#include "ntru_crypto/ntru_crypto_ntru_convert.h" +#include "ntru_convert.h" #include <utils/debug.h> #include <utils/test.h> diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index f0735294b..5d8ada2fa 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -379,7 +379,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.c b/src/libstrongswan/plugins/openssl/openssl_gcm.c index 842111bd3..147e4afb4 100644 --- a/src/libstrongswan/plugins/openssl/openssl_gcm.c +++ b/src/libstrongswan/plugins/openssl/openssl_gcm.c @@ -202,7 +202,8 @@ METHOD(aead_t, destroy, void, /* * Described in header */ -aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size) +aead_t *openssl_gcm_create(encryption_algorithm_t algo, + size_t key_size, size_t salt_size) { private_aead_t *this; @@ -236,6 +237,13 @@ aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size) return NULL; } + if (salt_size && salt_size != SALT_LEN) + { + /* currently not supported */ + free(this); + return NULL; + } + switch (algo) { case ENCR_AES_GCM_ICV8: diff --git a/src/libstrongswan/plugins/openssl/openssl_gcm.h b/src/libstrongswan/plugins/openssl/openssl_gcm.h index 12d2e8ab6..4ae268bd6 100644 --- a/src/libstrongswan/plugins/openssl/openssl_gcm.h +++ b/src/libstrongswan/plugins/openssl/openssl_gcm.h @@ -30,8 +30,10 @@ * * @param algo algorithm to implement * @param key_size key size in bytes + * @param salt_size size of implicit salt length * @return aead_t object, NULL if not supported */ -aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size); +aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size, + size_t salt_size); #endif /** OPENSSL_GCM_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index f0c172629..9748e28f2 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -222,7 +222,21 @@ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp) i2d_RSA_PUBKEY(rsa, &p); break; default: - return FALSE; + { + chunk_t n = chunk_empty, e = chunk_empty; + bool success = FALSE; + + if (openssl_bn2chunk(rsa->n, &n) && + openssl_bn2chunk(rsa->e, &e)) + { + success = lib->encoding->encode(lib->encoding, type, rsa, fp, + CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); + } + chunk_free(&n); + chunk_free(&e); + return success; + } } hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (!hasher || !hasher->allocate_hash(hasher, key, fp)) diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 55c0271ce..0450ab053 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index 22c33b0c8..300615eb7 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index 9c8237e4d..df4b77cc3 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -106,6 +106,12 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, label = "CERTIFICATE REQUEST"; break; } + if (cred_encoding_args(args, CRED_PART_X509_AC_ASN1_DER, + &asn1, CRED_PART_END)) + { + label = "ATTRIBUTE CERTIFICATE"; + break; + } default: return FALSE; } @@ -154,4 +160,3 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, encoding->len = pos - encoding->ptr; return TRUE; } - diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index e2491f5a4..ca8743bc0 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index d3f3fdf49..c563806ee 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c index b304a5101..eb0903d47 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c @@ -46,6 +46,9 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PRIVKEY, KEY_RSA), PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE), PLUGIN_PROVIDE(PUBKEY, KEY_ANY), + PLUGIN_SDEPEND(PUBKEY, KEY_RSA), + PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA), + PLUGIN_SDEPEND(PUBKEY, KEY_DSA), PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE), PLUGIN_PROVIDE(PUBKEY, KEY_RSA), }; diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index c8cec3771..5d2f39c9e 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in index 67b1f4f57..f398652d5 100644 --- a/src/libstrongswan/plugins/pkcs12/Makefile.in +++ b/src/libstrongswan/plugins/pkcs12/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in index feff6e5b0..7d1c65538 100644 --- a/src/libstrongswan/plugins/pkcs7/Makefile.in +++ b/src/libstrongswan/plugins/pkcs7/Makefile.in @@ -374,7 +374,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in index 35a5c9a35..fca8fd1f9 100644 --- a/src/libstrongswan/plugins/pkcs8/Makefile.in +++ b/src/libstrongswan/plugins/pkcs8/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/plugin_feature.c b/src/libstrongswan/plugins/plugin_feature.c index 8a1958be5..65cdbe9d9 100644 --- a/src/libstrongswan/plugins/plugin_feature.c +++ b/src/libstrongswan/plugins/plugin_feature.c @@ -73,25 +73,55 @@ u_int32_t plugin_feature_hash(plugin_feature_t *feature) data = chunk_empty; break; case FEATURE_CRYPTER: + data = chunk_from_thing(feature->arg.crypter); + break; case FEATURE_AEAD: + data = chunk_from_thing(feature->arg.aead); + break; case FEATURE_SIGNER: + data = chunk_from_thing(feature->arg.signer); + break; case FEATURE_HASHER: + data = chunk_from_thing(feature->arg.hasher); + break; case FEATURE_PRF: + data = chunk_from_thing(feature->arg.prf); + break; case FEATURE_DH: + data = chunk_from_thing(feature->arg.dh_group); + break; case FEATURE_PRIVKEY: + data = chunk_from_thing(feature->arg.privkey); + break; case FEATURE_PRIVKEY_GEN: + data = chunk_from_thing(feature->arg.privkey_gen); + break; case FEATURE_PUBKEY: + data = chunk_from_thing(feature->arg.pubkey); + break; case FEATURE_PRIVKEY_SIGN: + data = chunk_from_thing(feature->arg.privkey_sign); + break; case FEATURE_PUBKEY_VERIFY: + data = chunk_from_thing(feature->arg.pubkey_verify); + break; case FEATURE_PRIVKEY_DECRYPT: + data = chunk_from_thing(feature->arg.privkey_decrypt); + break; case FEATURE_PUBKEY_ENCRYPT: + data = chunk_from_thing(feature->arg.pubkey_encrypt); + break; case FEATURE_CERT_DECODE: case FEATURE_CERT_ENCODE: + data = chunk_from_thing(feature->arg.cert); + break; case FEATURE_CONTAINER_DECODE: case FEATURE_CONTAINER_ENCODE: + data = chunk_from_thing(feature->arg.container); + break; case FEATURE_EAP_SERVER: case FEATURE_EAP_PEER: - data = chunk_from_thing(feature->arg); + data = chunk_from_thing(feature->arg.eap); break; case FEATURE_CUSTOM: data = chunk_create(feature->arg.custom, diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index 08a8442ea..487fafa01 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -1047,6 +1047,7 @@ static char *modular_pluginlist(char *list) array_sort(final, (void*)plugin_priority_cmp, NULL); + plugins = strdup(""); enumerator = array_create_enumerator(final); while (enumerator->enumerate(enumerator, ¤t)) { diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 803eeab44..6f00e7eb1 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 0efe24cb7..59f062dd2 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in index afcbc07eb..b820d1211 100644 --- a/src/libstrongswan/plugins/rc2/Makefile.in +++ b/src/libstrongswan/plugins/rc2/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in index 88b283e87..db926c545 100644 --- a/src/libstrongswan/plugins/rdrand/Makefile.in +++ b/src/libstrongswan/plugins/rdrand/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 745ee83e7..cfdd7e8b6 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index c8ec3f723..9fd5b2a22 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -93,40 +93,92 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject, /** * check the signature of an OCSP response */ -static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth) +static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca) { certificate_t *issuer, *subject; identification_t *responder; ocsp_response_wrapper_t *wrapper; enumerator_t *enumerator; - auth_cfg_t *current; - bool verified = FALSE; + x509_t *x509; + bool verified = FALSE, found = FALSE; wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE); subject = &response->certificate; responder = subject->get_issuer(subject); - enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, + + /* check OCSP response using CA or directly delegated OCSP signer */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, CERT_X509, KEY_ANY, responder, FALSE); - while (enumerator->enumerate(enumerator, &issuer, ¤t)) + while (enumerator->enumerate(enumerator, &issuer)) { + x509 = (x509_t*)issuer; + if (!issuer->get_validity(issuer, NULL, NULL, NULL)) + { /* OCSP signer currently invalid */ + continue; + } + if (!ca->equals(ca, issuer)) + { /* delegated OCSP signer? */ + if (!lib->credmgr->issued_by(lib->credmgr, issuer, ca, NULL)) + { /* OCSP response not signed by CA, nor delegated OCSP signer */ + continue; + } + if (!(x509->get_flags(x509) & X509_OCSP_SIGNER)) + { /* delegated OCSP signer does not have OCSP signer flag */ + continue; + } + } + found = TRUE; if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL)) { DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", - issuer->get_subject(issuer)); - if (auth) - { - auth->merge(auth, current, FALSE); - } + issuer->get_subject(issuer)); verified = TRUE; break; } + DBG1(DBG_CFG, "ocsp response verification failed, " + "invalid signature"); } enumerator->destroy(enumerator); + if (!verified) + { + /* as fallback, use any locally installed OCSP signer certificate */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509, KEY_ANY, responder, TRUE); + while (enumerator->enumerate(enumerator, &issuer)) + { + x509 = (x509_t*)issuer; + /* while issued_by() accepts both OCSP signer or CA basic + * constraint flags to verify OCSP responses, unrelated but trusted + * OCSP signers must explicitly have the OCSP signer flag set. */ + if ((x509->get_flags(x509) & X509_OCSP_SIGNER) && + issuer->get_validity(issuer, NULL, NULL, NULL)) + { + found = TRUE; + if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL)) + { + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + verified = TRUE; + break; + } + DBG1(DBG_CFG, "ocsp response verification failed, " + "invalid signature"); + } + } + enumerator->destroy(enumerator); + } + lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set); wrapper->destroy(wrapper); + + if (!found) + { + DBG1(DBG_CFG, "ocsp response verification failed, " + "no signer certificate '%Y' found", responder); + } return verified; } @@ -134,8 +186,8 @@ static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth) * Get the better of two OCSP responses, and check for usable OCSP info */ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, cert_validation_t *valid, - auth_cfg_t *auth, bool cache) + x509_t *subject, x509_t *issuer, + cert_validation_t *valid, bool cache) { ocsp_response_t *response; time_t revocation, this_update, next_update, valid_until; @@ -145,9 +197,8 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, response = (ocsp_response_t*)cand; /* check ocsp signature */ - if (!verify_ocsp(response, auth)) + if (!verify_ocsp(response, &issuer->interface)) { - DBG1(DBG_CFG, "ocsp response verification failed"); cand->destroy(cand); return best; } @@ -226,8 +277,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); - best = get_better_ocsp(current, best, subject, issuer, - &valid, auth, FALSE); + best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); if (best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached ocsp response"); @@ -254,7 +304,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, auth, TRUE); + &valid, TRUE); if (best && valid != VALIDATION_STALE) { break; @@ -276,7 +326,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, auth, TRUE); + &valid, TRUE); if (best && valid != VALIDATION_STALE) { break; @@ -330,25 +380,20 @@ static certificate_t* fetch_crl(char *url) /** * check the signature of an CRL */ -static bool verify_crl(certificate_t *crl, auth_cfg_t *auth) +static bool verify_crl(certificate_t *crl) { certificate_t *issuer; enumerator_t *enumerator; bool verified = FALSE; - auth_cfg_t *current; enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, crl->get_issuer(crl), FALSE); - while (enumerator->enumerate(enumerator, &issuer, ¤t)) + while (enumerator->enumerate(enumerator, &issuer, NULL)) { if (lib->credmgr->issued_by(lib->credmgr, crl, issuer, NULL)) { DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", issuer->get_subject(issuer)); - if (auth) - { - auth->merge(auth, current, FALSE); - } verified = TRUE; break; } @@ -362,7 +407,7 @@ static bool verify_crl(certificate_t *crl, auth_cfg_t *auth) * Get the better of two CRLs, and check for usable CRL info */ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, - x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth, + x509_t *subject, cert_validation_t *valid, bool cache, crl_t *base) { enumerator_t *enumerator; @@ -390,7 +435,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, } /* check CRL signature */ - if (!verify_crl(cand, auth)) + if (!verify_crl(cand)) { DBG1(DBG_CFG, "crl response verification failed"); cand->destroy(cand); @@ -452,8 +497,8 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, * Find or fetch a certificate for a given crlIssuer */ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, - auth_cfg_t *auth, crl_t *base, - certificate_t **best, bool *uri_found) + crl_t *base, certificate_t **best, + bool *uri_found) { cert_validation_t valid = VALIDATION_SKIPPED; enumerator_t *enumerator; @@ -466,8 +511,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); - *best = get_better_crl(current, *best, subject, &valid, - auth, FALSE, base); + *best = get_better_crl(current, *best, subject, &valid, FALSE, base); if (*best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached crl"); @@ -495,7 +539,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, continue; } *best = get_better_crl(current, *best, subject, - &valid, auth, TRUE, base); + &valid, TRUE, base); if (*best && valid != VALIDATION_STALE) { break; @@ -511,7 +555,7 @@ static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, * Look for a delta CRL for a given base CRL */ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer, - crl_t *base, cert_validation_t base_valid, auth_cfg_t *auth) + crl_t *base, cert_validation_t base_valid) { cert_validation_t valid = VALIDATION_SKIPPED; certificate_t *best = NULL, *current; @@ -526,7 +570,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer, if (chunk.len) { id = identification_create_from_encoding(ID_KEY_ID, chunk); - valid = find_crl(subject, id, auth, base, &best, &uri); + valid = find_crl(subject, id, base, &best, &uri); id->destroy(id); } @@ -537,7 +581,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer, { if (cdp->issuer) { - valid = find_crl(subject, cdp->issuer, auth, base, &best, &uri); + valid = find_crl(subject, cdp->issuer, base, &best, &uri); } } enumerator->destroy(enumerator); @@ -558,8 +602,7 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer, current->destroy(current); continue; } - best = get_better_crl(current, best, subject, &valid, - auth, TRUE, base); + best = get_better_crl(current, best, subject, &valid, TRUE, base); if (best && valid != VALIDATION_STALE) { break; @@ -576,7 +619,6 @@ static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer, return base_valid; } - /** * validate a x509 certificate using CRL */ @@ -597,7 +639,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, if (chunk.len) { id = identification_create_from_encoding(ID_KEY_ID, chunk); - valid = find_crl(subject, id, auth, NULL, &best, &uri_found); + valid = find_crl(subject, id, NULL, &best, &uri_found); id->destroy(id); } @@ -608,8 +650,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, { if (cdp->issuer) { - valid = find_crl(subject, cdp->issuer, auth, NULL, - &best, &uri_found); + valid = find_crl(subject, cdp->issuer, NULL, &best, &uri_found); } } enumerator->destroy(enumerator); @@ -633,7 +674,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, continue; } best = get_better_crl(current, best, subject, &valid, - auth, TRUE, NULL); + TRUE, NULL); if (best && valid != VALIDATION_STALE) { break; @@ -646,7 +687,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, /* look for delta CRLs */ if (best && (valid == VALIDATION_GOOD || valid == VALIDATION_STALE)) { - valid = check_delta_crl(subject, issuer, (crl_t*)best, valid, auth); + valid = check_delta_crl(subject, issuer, (crl_t*)best, valid); } /* an uri was found, but no result. switch validation state to failed */ diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index e57eb78ab..4f9d24a7e 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index c044178b9..ddc287522 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in index cc16ef5cb..2ba05f71e 100644 --- a/src/libstrongswan/plugins/soup/Makefile.in +++ b/src/libstrongswan/plugins/soup/Makefile.in @@ -371,7 +371,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index c428b883f..2cbacddf1 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in index 3c9926acc..6bd82503d 100644 --- a/src/libstrongswan/plugins/sshkey/Makefile.in +++ b/src/libstrongswan/plugins/sshkey/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index a1439f6ea..7443f531c 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -387,7 +387,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index 788baae57..33c13d9f4 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -88,11 +88,18 @@ TEST_VECTOR_AEAD(aes_ccm10) TEST_VECTOR_AEAD(aes_ccm11) TEST_VECTOR_AEAD(aes_gcm1) TEST_VECTOR_AEAD(aes_gcm2) -TEST_VECTOR_AEAD(aes_gcm3) +TEST_VECTOR_AEAD(aes_gcm3_1) +TEST_VECTOR_AEAD(aes_gcm3_2) +TEST_VECTOR_AEAD(aes_gcm3_3) TEST_VECTOR_AEAD(aes_gcm4) -TEST_VECTOR_AEAD(aes_gcm5) -TEST_VECTOR_AEAD(aes_gcm6) TEST_VECTOR_AEAD(aes_gcm7) +TEST_VECTOR_AEAD(aes_gcm8) +TEST_VECTOR_AEAD(aes_gcm9) +TEST_VECTOR_AEAD(aes_gcm10) +TEST_VECTOR_AEAD(aes_gcm13) +TEST_VECTOR_AEAD(aes_gcm14) +TEST_VECTOR_AEAD(aes_gcm15) +TEST_VECTOR_AEAD(aes_gcm16) TEST_VECTOR_SIGNER(aes_xcbc_s1) TEST_VECTOR_SIGNER(aes_xcbc_s2) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c index 8de180ad5..95c41ecbc 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c @@ -21,7 +21,8 @@ * originally from "fips cavs fax files on hand at Red Hat". */ aead_test_vector_t aes_ccm1 = { - .alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 0, + .alg = ENCR_AES_CCM_ICV16, .key_size = 16, .salt_size = 3, + .len = 32, .alen = 0, .key = "\x83\xac\x54\x66\xc2\xeb\xe5\x05\x2e\x01\xd1\xfc\x5d\x82\x66\x2e" "\x96\xac\x59", .iv = "\x30\x07\xa1\xe2\xa2\xc7\x55\x24", @@ -33,7 +34,8 @@ aead_test_vector_t aes_ccm1 = { }; aead_test_vector_t aes_ccm2 = { - .alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 32, + .alg = ENCR_AES_CCM_ICV16, .key_size = 16, .salt_size = 3, + .len = 32, .alen = 32, .key = "\x1e\x2c\x7e\x01\x41\x9a\xef\xc0\x0d\x58\x96\x6e\x5c\xa2\x4b\xd3" "\x4f\xa3\x19", .iv = "\xd3\x01\x5a\xd8\x30\x60\x15\x56", @@ -47,7 +49,8 @@ aead_test_vector_t aes_ccm2 = { }; aead_test_vector_t aes_ccm3 = { - .alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 0, .alen = 32, + .alg = ENCR_AES_CCM_ICV16, .key_size = 24, .salt_size = 3, + .len = 0, .alen = 32, .key = "\xf4\x6b\xc2\x75\x62\xfe\xb4\xe1\xa3\xf0\xff\xdd\x4e\x4b\x12\x75" "\x53\x14\x73\x66\x8d\x88\xf6\x80\xa0\x20\x35", .iv = "\x26\xf2\x21\x8d\x50\x20\xda\xe2", @@ -57,7 +60,8 @@ aead_test_vector_t aes_ccm3 = { }; aead_test_vector_t aes_ccm4 = { - .alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 32, .alen = 32, + .alg = ENCR_AES_CCM_ICV16, .key_size = 24, .salt_size = 3, + .len = 32, .alen = 32, .key = "\x56\xdf\x5c\x8f\x26\x3f\x0e\x42\xef\x7a\xd3\xce\xfc\x84\x60\x62" "\xca\xb4\x40\xaf\x5f\xc9\xc9\x01\xd6\x3c\x8c", .iv = "\x86\x84\xb6\xcd\xef\x09\x2e\x94", @@ -71,7 +75,8 @@ aead_test_vector_t aes_ccm4 = { }; aead_test_vector_t aes_ccm5 = { - .alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 32, .alen = 32, + .alg = ENCR_AES_CCM_ICV8, .key_size = 32, .salt_size = 3, + .len = 32, .alen = 32, .key = "\xe0\x8d\x99\x71\x60\xd7\x97\x1a\xbd\x01\x99\xd5\x8a\xdf\x71\x3a" "\xd3\xdf\x24\x4b\x5e\x3d\x4b\x4e\x30\x7a\xb9\xd8\x53\x0a\x5e\x2b" "\x1e\x29\x91", @@ -86,7 +91,8 @@ aead_test_vector_t aes_ccm5 = { }; aead_test_vector_t aes_ccm6 = { - .alg = ENCR_AES_CCM_ICV12, .key_size = 32, .len = 32, .alen = 32, + .alg = ENCR_AES_CCM_ICV12, .key_size = 32, .salt_size = 3, + .len = 32, .alen = 32, .key = "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32" "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39" "\xf9\xd9\x4e", @@ -101,7 +107,8 @@ aead_test_vector_t aes_ccm6 = { }; aead_test_vector_t aes_ccm7 = { - .alg = ENCR_AES_CCM_ICV16, .key_size = 32, .len = 32, .alen = 32, + .alg = ENCR_AES_CCM_ICV16, .key_size = 32, .salt_size = 3, + .len = 32, .alen = 32, .key = "\xab\xd0\xe9\x33\x07\x26\xe5\x83\x8c\x76\x95\xd4\xb6\xdc\xf3\x46" "\xf9\x8f\xad\xe3\x02\x13\x83\x77\x3f\xb0\xf1\xa1\xa1\x22\x0f\x2b" "\x24\xa7\x8b", @@ -116,7 +123,8 @@ aead_test_vector_t aes_ccm7 = { }; aead_test_vector_t aes_ccm8 = { - .alg = ENCR_AES_CCM_ICV8, .key_size = 16, .len = 0, .alen = 0, + .alg = ENCR_AES_CCM_ICV8, .key_size = 16, .salt_size = 3, + .len = 0, .alen = 0, .key = "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1\xff\x80\x2e\x48\x7d\x82\xf8\xb9" "\xaf\x94\x87", .iv = "\x78\x35\x82\x81\x7f\x88\x94\x68", @@ -124,7 +132,8 @@ aead_test_vector_t aes_ccm8 = { }; aead_test_vector_t aes_ccm9 = { - .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 0, .alen = 32, + .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3, + .len = 0, .alen = 32, .key = "\x39\xbb\xa7\xbe\x59\x97\x9e\x73\xa2\xbc\x6b\x98\xd7\x75\x7f\xe3" "\xa4\x48\x93\x39\x26\x71\x4a\xc6\xee\x49\x83", .iv = "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e", @@ -134,7 +143,8 @@ aead_test_vector_t aes_ccm9 = { }; aead_test_vector_t aes_ccm10 = { - .alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 0, .alen = 0, + .alg = ENCR_AES_CCM_ICV8, .key_size = 32, .salt_size = 3, + .len = 0, .alen = 0, .key = "\xa4\x4b\x54\x29\x0a\xb8\x6d\x01\x5b\x80\x2a\xcf\x25\xc4\xb7\x5c" "\x20\x2c\xad\x30\xc2\x2b\x41\xfb\x0e\x85\xbc\x33\xad\x0f\x2b\xff" "\xee\x49\x83", @@ -143,7 +153,8 @@ aead_test_vector_t aes_ccm10 = { }; aead_test_vector_t aes_ccm11 = { - .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 32, .alen = 32, + .alg = ENCR_AES_CCM_ICV8, .key_size = 24, .salt_size = 3, + .len = 32, .alen = 32, .key = "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0" "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83", .iv = "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e", diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c index 7534633e1..1f33bcbd5 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c @@ -16,11 +16,37 @@ #include <crypto/crypto_tester.h> /** - * From the Linux kernel, those with an IV. Originally from - * McGrew & Viega - http://citeseer.ist.psu.edu/656989.html + * From McGrew & Viega + * http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf + * Formatted to match our API which expects the first four bytes (salt) of the + * IV as part of the key and writes/expects the ICV at the end of the cipher + * text. + * Since our implementations are currently limited to IV lengths of 12 (IV=8, + * SALT=4 as per RFC 4106/5282) the test cases 5/6, 11/12 and 17/18 aren't + * compatible. */ aead_test_vector_t aes_gcm1 = { - .alg = ENCR_AES_GCM_ICV8, .key_size = 16, .len = 64, .alen = 0, + .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4, + .len = 0, .alen = 0, + .key = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00", + .iv = "\x00\x00\x00\x00\x00\x00\x00\x00", + .plain = "", + .cipher = "\x58\xe2\xfc\xce\xfa\x7e\x30\x61\x36\x7f\x1d\x57\xa4\xe7\x45\x5a", +}; +aead_test_vector_t aes_gcm2 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4, + .len = 16, .alen = 0, + .key = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00", + .iv = "\x00\x00\x00\x00\x00\x00\x00\x00", + .plain = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .cipher = "\x03\x88\xda\xce\x60\xb6\xa3\x92\xf3\x28\xc2\xb9\x71\xb2\xfe\x78" + "\xab\x6e\x47\xd4\x2c\xec\x13\xbd\xf5\x3a\x67\xb2\x12\x57\xbd\xdf", +}; +aead_test_vector_t aes_gcm3_1 = { + .alg = ENCR_AES_GCM_ICV8, .key_size = 16, .salt_size = 4, + .len = 64, .alen = 0, .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xca\xfe\xba\xbe", .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", @@ -34,9 +60,9 @@ aead_test_vector_t aes_gcm1 = { "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85" "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6", }; - -aead_test_vector_t aes_gcm2 = { - .alg = ENCR_AES_GCM_ICV12, .key_size = 16, .len = 64, .alen = 0, +aead_test_vector_t aes_gcm3_2 = { + .alg = ENCR_AES_GCM_ICV12, .key_size = 16, .salt_size = 4, + .len = 64, .alen = 0, .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xca\xfe\xba\xbe", .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", @@ -50,9 +76,9 @@ aead_test_vector_t aes_gcm2 = { "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85" "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd", }; - -aead_test_vector_t aes_gcm3 = { - .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 64, .alen = 0, +aead_test_vector_t aes_gcm3_3 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4, + .len = 64, .alen = 0, .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xca\xfe\xba\xbe", .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", @@ -66,9 +92,9 @@ aead_test_vector_t aes_gcm3 = { "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85" "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4", }; - aead_test_vector_t aes_gcm4 = { - .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 60, .alen = 20, + .alg = ENCR_AES_GCM_ICV16, .key_size = 16, .salt_size = 4, + .len = 60, .alen = 20, .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xca\xfe\xba\xbe", .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", @@ -84,9 +110,28 @@ aead_test_vector_t aes_gcm4 = { "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x5b\xc9\x4f\xbc" "\x32\x21\xa5\xdb\x94\xfa\xe9\x5a\xe7\x12\x1a\x47", }; - -aead_test_vector_t aes_gcm5 = { - .alg = ENCR_AES_GCM_ICV16, .key_size = 24, .len = 64, .alen = 0, +aead_test_vector_t aes_gcm7 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4, + .len = 0, .alen = 0, + .key = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .iv = "\x00\x00\x00\x00\x00\x00\x00\x00", + .plain = "", + .cipher = "\xcd\x33\xb2\x8a\xc7\x73\xf7\x4b\xa0\x0e\xd1\xf3\x12\x57\x24\x35", +}; +aead_test_vector_t aes_gcm8 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4, + .len = 16, .alen = 0, + .key = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .iv = "\x00\x00\x00\x00\x00\x00\x00\x00", + .plain = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .cipher = "\x98\xe7\x24\x7c\x07\xf0\xfe\x41\x1c\x26\x7e\x43\x84\xb0\xf6\x00" + "\x2f\xf5\x8d\x80\x03\x39\x27\xab\x8e\xf4\xd4\x58\x75\x14\xf0\xfb", +}; +aead_test_vector_t aes_gcm9 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4, + .len = 64, .alen = 0, .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe", .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", @@ -100,9 +145,48 @@ aead_test_vector_t aes_gcm5 = { "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\xac\xad\xe2\x56" "\x99\x24\xa7\xc8\x58\x73\x36\xbf\xb1\x18\x02\x4d\xb8\x67\x4a\x14", }; - -aead_test_vector_t aes_gcm6 = { - .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 64, .alen = 0, +aead_test_vector_t aes_gcm10 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 24, .salt_size = 4, + .len = 60, .alen = 20, + .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" + "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe", + .iv = "\xfa\xce\xdb\xad\xde\xca\xf8\x88", + .plain = "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a" + "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72" + "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25" + "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39", + .adata = "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef" + "\xab\xad\xda\xd2", + .cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57" + "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c" + "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47" + "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\x25\x19\x49\x8e" + "\x80\xf1\x47\x8f\x37\xba\x55\xbd\x6d\x27\x61\x8c", +}; +aead_test_vector_t aes_gcm13 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4, + .len = 0, .alen = 0, + .key = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00", + .iv = "\x00\x00\x00\x00\x00\x00\x00\x00", + .plain = "", + .cipher = "\x53\x0f\x8a\xfb\xc7\x45\x36\xb9\xa9\x63\xb4\xf1\xc4\xcb\x73\x8b", +}; +aead_test_vector_t aes_gcm14 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4, + .len = 16, .alen = 0, + .key = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00", + .iv = "\x00\x00\x00\x00\x00\x00\x00\x00", + .plain = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + .cipher = "\xce\xa7\x40\x3d\x4d\x60\x6b\x6e\x07\x4e\xc5\xd3\xba\xf3\x9d\x18" + "\xd0\xd1\xc8\xa7\x99\x99\x6b\xf0\x26\x5b\x98\xb5\xd4\x8a\xb9\x19", +}; +aead_test_vector_t aes_gcm15 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4, + .len = 64, .alen = 0, .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xca\xfe\xba\xbe", @@ -117,9 +201,9 @@ aead_test_vector_t aes_gcm6 = { "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x89\x80\x15\xad" "\xb0\x94\xda\xc5\xd9\x34\x71\xbd\xec\x1a\x50\x22\x70\xe3\xcc\x6c", }; - -aead_test_vector_t aes_gcm7 = { - .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 60, .alen = 20, +aead_test_vector_t aes_gcm16 = { + .alg = ENCR_AES_GCM_ICV16, .key_size = 32, .salt_size = 4, + .len = 60, .alen = 20, .key = "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08" "\xca\xfe\xba\xbe", @@ -136,4 +220,3 @@ aead_test_vector_t aes_gcm7 = { "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce" "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b", }; - diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in index 961311eb0..c3c6ed6a7 100644 --- a/src/libstrongswan/plugins/unbound/Makefile.in +++ b/src/libstrongswan/plugins/unbound/Makefile.in @@ -373,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 74552e00b..154fc5ccd 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index 7d83e48ea..30b871d42 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -29,7 +29,6 @@ #include <utils/identification.h> #include <collections/linked_list.h> #include <credentials/certificates/x509.h> -#include <credentials/ietf_attributes/ietf_attributes.h> #include <credentials/keys/private_key.h> extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, @@ -75,7 +74,7 @@ struct private_x509_ac_t { /** * Serial number of the holder certificate */ - chunk_t holderSerial; + identification_t *holderSerial; /** * ID representing the holder @@ -98,14 +97,9 @@ struct private_x509_ac_t { time_t notAfter; /** - * List of charging attributes + * List of group attributes, as group_t */ - ietf_attributes_t *charging; - - /** - * List of groub attributes - */ - ietf_attributes_t *groups; + linked_list_t *groups; /** * Authority Key Identifier @@ -153,6 +147,25 @@ struct private_x509_ac_t { refcount_t ref; }; +/** + * Group definition, an IETF attribute + */ +typedef struct { + /** Attribute type */ + ac_group_type_t type; + /* attribute value */ + chunk_t value; +} group_t; + +/** + * Clean up a group entry + */ +static void group_destroy(group_t *group) +{ + free(group->value.ptr); + free(group); +} + static chunk_t ASN1_noRevAvail_ext = chunk_from_chars( 0x30, 0x09, 0x06, 0x03, @@ -169,42 +182,41 @@ extern void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, /** * parses a directoryName */ -static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name) +static bool parse_directoryName(chunk_t blob, int level, bool implicit, + identification_t **name) { - bool has_directoryName; - linked_list_t *list = linked_list_create(); + identification_t *directoryName; + enumerator_t *enumerator; + bool first = TRUE; + linked_list_t *list; + list = linked_list_create(); x509_parse_generalNames(blob, level, implicit, list); - has_directoryName = list->get_count(list) > 0; - if (has_directoryName) + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &directoryName)) { - enumerator_t *enumerator = list->create_enumerator(list); - identification_t *directoryName; - bool first = TRUE; - - while (enumerator->enumerate(enumerator, (void**)&directoryName)) + if (first) { - if (first) - { - *name = directoryName; - first = FALSE; - } - else - { - DBG1(DBG_ASN, "more than one directory name - first selected"); - directoryName->destroy(directoryName); - } + *name = directoryName; + first = FALSE; + } + else + { + DBG1(DBG_ASN, "more than one directory name - first selected"); + directoryName->destroy(directoryName); + break; } - enumerator->destroy(enumerator); } - else + enumerator->destroy(enumerator); + list->destroy(list); + + if (first) { DBG1(DBG_ASN, "no directoryName found"); + return FALSE; } - - list->destroy(list); - return has_directoryName; + return TRUE; } /** @@ -244,63 +256,131 @@ static void parse_roleSyntax(chunk_t blob, int level0) } /** + * ASN.1 definition of ietfAttrSyntax + */ +static const asn1Object_t ietfAttrSyntaxObjects[] = +{ + { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT | + ASN1_BODY }, /* 1 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */ + { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */ + { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT | + ASN1_BODY }, /* 4 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */ + { 2, "oid", ASN1_OID, ASN1_OPT | + ASN1_BODY }, /* 6 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ + { 2, "string", ASN1_UTF8STRING, ASN1_OPT | + ASN1_BODY }, /* 8 */ + { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define IETF_ATTR_OCTETS 4 +#define IETF_ATTR_OID 6 +#define IETF_ATTR_STRING 8 + +/** + * Parse group memberships, IETF attributes + */ +static bool parse_groups(private_x509_ac_t *this, chunk_t encoded, int level0) +{ + ac_group_type_t type; + group_t *group; + asn1_parser_t *parser; + chunk_t object; + int objectID; + bool success; + + parser = asn1_parser_create(ietfAttrSyntaxObjects, encoded); + parser->set_top_level(parser, level0); + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case IETF_ATTR_OCTETS: + type = AC_GROUP_TYPE_OCTETS; + break; + case IETF_ATTR_OID: + type = AC_GROUP_TYPE_OID; + break; + case IETF_ATTR_STRING: + type = AC_GROUP_TYPE_STRING; + break; + default: + continue; + } + INIT(group, + .type = type, + .value = chunk_clone(object), + ); + this->groups->insert_last(this->groups, group); + } + success = parser->success(parser); + parser->destroy(parser); + + return success; +} + +/** * ASN.1 definition of an X509 attribute certificate */ static const asn1Object_t acObjects[] = { { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */ - { 2, "version", ASN1_INTEGER, ASN1_DEF | + { 2, "version", ASN1_INTEGER, ASN1_DEF | ASN1_BODY }, /* 2 */ - { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */ - { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */ - { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */ - { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */ + { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */ + { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */ + { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */ + { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */ { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT | ASN1_BODY }, /* 7 */ { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ - { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT | + { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT | ASN1_OBJ }, /* 10 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ - { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */ - { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13 */ - { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT | + { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */ + { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13 */ + { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT | ASN1_BODY }, /* 14 */ { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15 */ { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */ - { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */ - { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT | + { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */ + { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT | ASN1_OBJ }, /* 19 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */ - { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */ - { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */ - { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */ - { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */ + { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */ + { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */ + { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */ + { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */ { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT | ASN1_BODY }, /* 25 */ { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */ { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */ - { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */ - { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */ - { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT | + { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */ + { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */ + { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT | ASN1_BODY }, /* 31 */ { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */ { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */ - { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */ - { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */ - { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */ - { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */ - { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */ - { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */ + { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */ + { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */ + { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */ + { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */ + { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */ + { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */ { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */ { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */ { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */ { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */ - { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */ + { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */ { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */ { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */ @@ -368,22 +448,26 @@ static bool parse_certificate(private_x509_ac_t *this) } break; case AC_OBJ_HOLDER_ISSUER: - if (!parse_directoryName(object, level, FALSE, &this->holderIssuer)) + if (!parse_directoryName(object, level, FALSE, + &this->holderIssuer)) { goto end; } break; case AC_OBJ_HOLDER_SERIAL: - this->holderSerial = object; + this->holderSerial = identification_create_from_encoding( + ID_KEY_ID, object); break; case AC_OBJ_ENTITY_NAME: - if (!parse_directoryName(object, level, TRUE, &this->entityName)) + if (!parse_directoryName(object, level, TRUE, + &this->entityName)) { goto end; } break; case AC_OBJ_ISSUER_NAME: - if (!parse_directoryName(object, level, FALSE, &this->issuerName)) + if (!parse_directoryName(object, level, FALSE, + &this->issuerName)) { goto end; } @@ -414,13 +498,14 @@ static bool parse_certificate(private_x509_ac_t *this) DBG2(DBG_ASN, " need to parse accessIdentity"); break; case OID_CHARGING_IDENTITY: - DBG2(DBG_ASN, "-- > --"); - this->charging = ietf_attributes_create_from_encoding(object); - DBG2(DBG_ASN, "-- < --"); + DBG2(DBG_ASN, " need to parse chargingIdentity"); break; case OID_GROUP: DBG2(DBG_ASN, "-- > --"); - this->groups = ietf_attributes_create_from_encoding(object); + if (!parse_groups(this, object, level)) + { + goto end; + } DBG2(DBG_ASN, "-- < --"); break; case OID_ROLE: @@ -446,8 +531,9 @@ static bool parse_certificate(private_x509_ac_t *this) DBG2(DBG_ASN, " need to parse crlDistributionPoints"); break; case OID_AUTHORITY_KEY_ID: - this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, - level, &this->authKeySerialNumber); + this->authKeyIdentifier = + x509_parse_authorityKeyIdentifier(object, + level, &this->authKeySerialNumber); break; case OID_TARGET_INFORMATION: DBG2(DBG_ASN, " need to parse targetInformation"); @@ -490,7 +576,7 @@ end: static chunk_t build_directoryName(asn1_t tag, chunk_t name) { return asn1_wrap(tag, "m", - asn1_simple_object(ASN1_CONTEXT_C_4, name)); + asn1_simple_object(ASN1_CONTEXT_C_4, name)); } /** @@ -499,14 +585,15 @@ static chunk_t build_directoryName(asn1_t tag, chunk_t name) static chunk_t build_holder(private_x509_ac_t *this) { x509_t* x509 = (x509_t*)this->holderCert; - identification_t *issuer = this->holderCert->get_issuer(this->holderCert); - identification_t *subject = this->holderCert->get_subject(this->holderCert); + identification_t *issuer, *subject; + + issuer = this->holderCert->get_issuer(this->holderCert); + subject = this->holderCert->get_subject(this->holderCert); return asn1_wrap(ASN1_SEQUENCE, "mm", asn1_wrap(ASN1_CONTEXT_C_0, "mm", build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)), - asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509)) - ), + asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))), build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject))); } @@ -515,10 +602,12 @@ static chunk_t build_holder(private_x509_ac_t *this) */ static chunk_t build_v2_form(private_x509_ac_t *this) { - identification_t *subject = this->signerCert->get_subject(this->signerCert); + identification_t *subject; + subject = this->signerCert->get_subject(this->signerCert); return asn1_wrap(ASN1_CONTEXT_C_0, "m", - build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject))); + build_directoryName(ASN1_SEQUENCE, + subject->get_encoding(subject))); } /** @@ -531,7 +620,6 @@ static chunk_t build_attr_cert_validity(private_x509_ac_t *this) asn1_from_time(&this->notAfter, ASN1_GENERALIZEDTIME)); } - /** * build attribute type */ @@ -547,8 +635,55 @@ static chunk_t build_attribute_type(int type, chunk_t content) */ static chunk_t build_attributes(private_x509_ac_t *this) { + enumerator_t *enumerator; + group_t *group; + chunk_t values; + size_t size = 0, len; + u_char *pos; + + /* precalculate the total size of all values */ + enumerator = this->groups->create_enumerator(this->groups); + while (enumerator->enumerate(enumerator, &group)) + { + len = group->value.len; + size += 1 + (len > 0) + (len >= 128) + + (len >= 256) + (len >= 65536) + len; + } + enumerator->destroy(enumerator); + + pos = asn1_build_object(&values, ASN1_SEQUENCE, size); + + enumerator = this->groups->create_enumerator(this->groups); + while (enumerator->enumerate(enumerator, &group)) + { + chunk_t attr; + asn1_t type; + + switch (group->type) + { + case AC_GROUP_TYPE_OCTETS: + type = ASN1_OCTET_STRING; + break; + case AC_GROUP_TYPE_STRING: + type = ASN1_UTF8STRING; + break; + case AC_GROUP_TYPE_OID: + type = ASN1_OID; + break; + default: + continue; + } + attr = asn1_simple_object(type, group->value); + + memcpy(pos, attr.ptr, attr.len); + pos += attr.len; + free(attr.ptr); + } + enumerator->destroy(enumerator); + return asn1_wrap(ASN1_SEQUENCE, "m", - build_attribute_type(OID_GROUP, this->groups->get_encoding(this->groups))); + build_attribute_type(OID_GROUP, + asn1_wrap(ASN1_SEQUENCE, "m", values))); } /** @@ -621,14 +756,11 @@ static chunk_t build_attr_cert_info(private_x509_ac_t *this) */ static chunk_t build_ac(private_x509_ac_t *this) { - chunk_t signatureValue; - chunk_t attributeCertificateInfo; + chunk_t signatureValue, attributeCertificateInfo; attributeCertificateInfo = build_attr_cert_info(this); - this->signerKey->sign(this->signerKey, SIGN_RSA_EMSA_PKCS1_SHA1, attributeCertificateInfo, &signatureValue); - return asn1_wrap(ASN1_SEQUENCE, "mmm", attributeCertificateInfo, asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), @@ -644,7 +776,11 @@ METHOD(ac_t, get_serial, chunk_t, METHOD(ac_t, get_holderSerial, chunk_t, private_x509_ac_t *this) { - return this->holderSerial; + if (this->holderSerial) + { + return this->holderSerial->get_encoding(this->holderSerial); + } + return chunk_empty; } METHOD(ac_t, get_holderIssuer, identification_t*, @@ -659,10 +795,28 @@ METHOD(ac_t, get_authKeyIdentifier, chunk_t, return this->authKeyIdentifier; } -METHOD(ac_t, get_groups, ietf_attributes_t*, +/** + * Filter function for attribute enumeration + */ +static bool attr_filter(void *null, group_t **in, ac_group_type_t *type, + void *in2, chunk_t *out) +{ + if ((*in)->type == AC_GROUP_TYPE_STRING && + !chunk_printable((*in)->value, NULL, 0)) + { /* skip non-printable strings */ + return FALSE; + } + *type = (*in)->type; + *out = (*in)->value; + return TRUE; +} + +METHOD(ac_t, create_group_enumerator, enumerator_t*, private_x509_ac_t *this) { - return this->groups ? this->groups->get_ref(this->groups) : NULL; + return enumerator_create_filter( + this->groups->create_enumerator(this->groups), + (void*)attr_filter, NULL, NULL); } METHOD(certificate_t, get_type, certificate_type_t, @@ -674,7 +828,11 @@ METHOD(certificate_t, get_type, certificate_type_t, METHOD(certificate_t, get_subject, identification_t*, private_x509_ac_t *this) { - return this->entityName; + if (this->entityName) + { + return this->entityName; + } + return this->holderSerial; } METHOD(certificate_t, get_issuer, identification_t*, @@ -686,13 +844,24 @@ METHOD(certificate_t, get_issuer, identification_t*, METHOD(certificate_t, has_subject, id_match_t, private_x509_ac_t *this, identification_t *subject) { - return ID_MATCH_NONE; + id_match_t entity = ID_MATCH_NONE, serial = ID_MATCH_NONE; + + if (this->entityName) + { + entity = this->entityName->matches(this->entityName, subject); + } + if (this->holderSerial) + { + serial = this->holderSerial->matches(this->holderSerial, subject); + } + return max(entity, serial); } METHOD(certificate_t, has_issuer, id_match_t, private_x509_ac_t *this, identification_t *issuer) { - if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr && + if (issuer->get_type(issuer) == ID_KEY_ID && + this->authKeyIdentifier.ptr && chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer))) { return ID_MATCH_PERFECT; @@ -808,9 +977,10 @@ METHOD(certificate_t, equals, bool, { return TRUE; } - if (other->equals == (void*)equals) + if (other->equals == _equals) { /* skip allocation if we have the same implementation */ - return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding); + return chunk_equals(this->encoding, + ((private_x509_ac_t*)other)->encoding); } if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) { @@ -827,13 +997,13 @@ METHOD(certificate_t, destroy, void, if (ref_put(&this->ref)) { DESTROY_IF(this->holderIssuer); + DESTROY_IF(this->holderSerial); DESTROY_IF(this->entityName); DESTROY_IF(this->issuerName); DESTROY_IF(this->holderCert); DESTROY_IF(this->signerCert); DESTROY_IF(this->signerKey); - DESTROY_IF(this->charging); - DESTROY_IF(this->groups); + this->groups->destroy_function(this->groups, (void*)group_destroy); free(this->serialNumber.ptr); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); @@ -869,9 +1039,10 @@ static private_x509_ac_t *create_empty(void) .get_holderSerial = _get_holderSerial, .get_holderIssuer = _get_holderIssuer, .get_authKeyIdentifier = _get_authKeyIdentifier, - .get_groups = _get_groups, + .create_group_enumerator = _create_group_enumerator, }, }, + .groups = linked_list_create(), .ref = 1, ); @@ -914,6 +1085,27 @@ x509_ac_t *x509_ac_load(certificate_type_t type, va_list args) } /** + * Add groups from a list into AC group memberships + */ +static void add_groups_from_list(private_x509_ac_t *this, linked_list_t *list) +{ + enumerator_t *enumerator; + group_t *group; + char *name; + + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &name)) + { + INIT(group, + .type = AC_GROUP_TYPE_STRING, + .value = chunk_clone(chunk_from_str(name)), + ); + this->groups->insert_last(this->groups, group); + } + enumerator->destroy(enumerator); +} + +/** * See header. */ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) @@ -934,8 +1126,8 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) case BUILD_SERIAL: ac->serialNumber = chunk_clone(va_arg(args, chunk_t)); continue; - case BUILD_IETF_GROUP_ATTR: - ac->groups = ietf_attributes_create_from_string(va_arg(args, char*)); + case BUILD_AC_GROUP_STRINGS: + add_groups_from_list(ac, va_arg(args, linked_list_t*)); continue; case BUILD_CERT: ac->holderCert = va_arg(args, certificate_t*); @@ -968,4 +1160,3 @@ x509_ac_t *x509_ac_gen(certificate_type_t type, va_list args) destroy(ac); return NULL; } - diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index ed850e8f5..9fd869e77 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -758,6 +758,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0, case OID_OCSP_SIGNING: this->flags |= X509_OCSP_SIGNER; break; + case OID_MS_SMARTCARD_LOGON: + this->flags |= X509_MS_SMARTCARD_LOGON; + break; default: break; } @@ -2008,7 +2011,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty; - chunk_t ikeIntermediate = chunk_empty; + chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty; identification_t *issuer, *subject; chunk_t key_info; signature_scheme_t scheme; @@ -2139,6 +2142,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING); } + if (cert->flags & X509_MS_SMARTCARD_LOGON) + { + msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON); + } if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || ocspSigning.ptr) @@ -2146,9 +2153,9 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_EXTENDED_KEY_USAGE), asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_wrap(ASN1_SEQUENCE, "mmmm", + asn1_wrap(ASN1_SEQUENCE, "mmmmm", serverAuth, clientAuth, ikeIntermediate, - ocspSigning))); + ocspSigning, msSmartcardLogon))); } /* add subjectKeyIdentifier to CA and OCSP signer certificates */ @@ -2167,7 +2174,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, } /* add the keyid authKeyIdentifier for non self-signed certificates */ - if (sign_key) + if (sign_cert) { chunk_t keyid; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index 09c5a8539..ff0f0231f 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -252,7 +252,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, { int oid; signature_scheme_t scheme; - chunk_t certs, signature, encoding; + chunk_t certs = chunk_empty, signature, encoding; switch (this->key->get_type(this->key)) { diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index 15fea7ee0..54bef7357 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c @@ -52,9 +52,7 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(CERT_DECODE, x509_cert_load, TRUE), PLUGIN_PROVIDE(CERT_DECODE, CERT_X509), PLUGIN_DEPENDS(HASHER, HASH_SHA1), - PLUGIN_SDEPEND(PUBKEY, KEY_RSA), - PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA), - PLUGIN_SDEPEND(PUBKEY, KEY_DSA), + PLUGIN_DEPENDS(PUBKEY, KEY_ANY), PLUGIN_REGISTER(CERT_ENCODE, x509_ac_gen, FALSE), PLUGIN_PROVIDE(CERT_ENCODE, CERT_X509_AC), diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index c8f886c60..ca6164371 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index 656be4efb..e58831c5b 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -402,7 +402,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c index e373fbdb6..34ace2894 100644 --- a/src/libstrongswan/tests/suites/test_chunk.c +++ b/src/libstrongswan/tests/suites/test_chunk.c @@ -117,10 +117,13 @@ START_TEST(test_chunk_clear) } chunk_clear(&chunk); /* check memory area of freed chunk. We can't use ck_assert() for this - * test directly, as it might allocate data at the freed area. */ - for (i = 0; i < 64; i++) + * test directly, as it might allocate data at the freed area. comparing + * two bytes at once reduces the chances of conflicts if memory got + * overwritten already */ + for (i = 0; i < 64; i += 2) { - if (ptr[i] != 0 && ptr[i] == i) + if (ptr[i] != 0 && ptr[i] == i && + ptr[i+1] != 0 && ptr[i+1] == i+1) { cleared = FALSE; break; diff --git a/src/libstrongswan/tests/suites/test_enumerator.c b/src/libstrongswan/tests/suites/test_enumerator.c index b5dde4650..9bd6d24f2 100644 --- a/src/libstrongswan/tests/suites/test_enumerator.c +++ b/src/libstrongswan/tests/suites/test_enumerator.c @@ -104,10 +104,10 @@ static void destroy_data(void *data) * filtered test */ -static bool filter(void *data, int *v, int *vo, int *w, int *wo, - int *x, int *xo, int *y, int *yo, int *z, int *zo) +static bool filter(int *data, int **v, int *vo, int **w, int *wo, + int **x, int *xo, int **y, int *yo, int **z, int *zo) { - int val = *v; + int val = **v; *vo = val++; *wo = val++; @@ -118,21 +118,21 @@ static bool filter(void *data, int *v, int *vo, int *w, int *wo, return TRUE; } -static bool filter_odd(void *data, int *item, int *out) +static bool filter_odd(void *data, int **item, int *out) { fail_if(data != (void*)101, "data does not match '101' in filter function"); - *out = *item; - return *item % 2 == 0; + *out = **item; + return **item % 2 == 0; } START_TEST(test_filtered) { - int round, v, w, x, y, z; + int data[5] = {1,2,3,4,5}, round, v, w, x, y, z; linked_list_t *list; enumerator_t *enumerator; - list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4, - (void*)5, NULL); + list = linked_list_create_with_items(&data[0], &data[1], &data[2], &data[3], + &data[4], NULL); round = 1; enumerator = enumerator_create_filter(list->create_enumerator(list), @@ -155,12 +155,12 @@ END_TEST START_TEST(test_filtered_filter) { - int count, x; + int data[5] = {1,2,3,4,5}, count, x; linked_list_t *list; enumerator_t *enumerator; - list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4, - (void*)5, NULL); + list = linked_list_create_with_items(&data[0], &data[1], &data[2], &data[3], + &data[4], NULL); count = 0; /* should also work without destructor, so set this manually */ diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c index a46f5742c..7c0cb81bf 100644 --- a/src/libstrongswan/tests/suites/test_ntru.c +++ b/src/libstrongswan/tests/suites/test_ntru.c @@ -20,6 +20,8 @@ #include <plugins/ntru/ntru_mgf1.h> #include <plugins/ntru/ntru_trits.h> #include <plugins/ntru/ntru_poly.h> +#include <plugins/ntru/ntru_param_set.h> +#include <plugins/ntru/ntru_private_key.h> #include <utils/test.h> IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*, @@ -41,6 +43,18 @@ IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data, ntru_poly_t*, uint32_t indices_len_p, uint32_t indices_len_m, bool is_product_form) +IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id, ntru_param_set_t* , + ntru_param_set_id_t id) + +IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create, ntru_private_key_t*, + ntru_drbg_t *drbg, ntru_param_set_t *params) + +IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create_from_data, ntru_private_key_t*, + ntru_drbg_t *drbg, chunk_t data) + +IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_public_key_create_from_data, ntru_public_key_t*, + ntru_drbg_t *drbg, chunk_t data) + /** * NTRU parameter sets to test */ @@ -86,7 +100,8 @@ START_TEST(test_ntru_drbg_strength) entropy = lib->crypto->create_rng(lib->crypto, RNG_STRONG); ck_assert(entropy != NULL); - drbg = ntru_drbg_create(strengths[_i].requested, chunk_empty, entropy); + drbg = TEST_FUNCTION(ntru, ntru_drbg_create, strengths[_i].requested, + chunk_empty, entropy); if (strengths[_i].standard) { ck_assert(drbg != NULL); @@ -243,7 +258,8 @@ START_TEST(test_ntru_drbg) out = chunk_alloc(128); entropy = test_rng_create(drbg_tests[_i].entropy); - drbg = ntru_drbg_create(256, drbg_tests[_i].pers_str, entropy); + drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, drbg_tests[_i].pers_str, + entropy); ck_assert(drbg != NULL); ck_assert(drbg->reseed(drbg)); ck_assert(drbg->generate(drbg, 256, 128, out.ptr)); @@ -265,7 +281,7 @@ START_TEST(test_ntru_drbg_reseed) "libstrongswan.plugins.ntru.max_drbg_requests", 2); out = chunk_alloc(128); entropy = test_rng_create(drbg_tests[0].entropy); - drbg = ntru_drbg_create(256, chunk_empty, entropy); + drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy); /* bad output parameters */ ck_assert(!drbg->generate(drbg, 256, 0, out.ptr)); @@ -283,13 +299,13 @@ START_TEST(test_ntru_drbg_reseed) drbg->destroy(drbg); /* no entropy available for DRBG instantiation */ - drbg = ntru_drbg_create(256, chunk_empty, entropy); + drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy); ck_assert(drbg == NULL); entropy->destroy(entropy); /* one automatic reseeding occurs */ entropy = test_rng_create(drbg_tests[0].entropy); - drbg = ntru_drbg_create(256, chunk_empty, entropy); + drbg = TEST_FUNCTION(ntru, ntru_drbg_create, 256, chunk_empty, entropy); ck_assert(drbg->generate(drbg, 256, 128, out.ptr)); ck_assert(drbg->generate(drbg, 256, 128, out.ptr)); ck_assert(drbg->generate(drbg, 256, 128, out.ptr)); @@ -374,7 +390,7 @@ uint16_t indices_ees1171ep1[] = { */ mgf1_test_t mgf1_tests[] = { { HASH_SHA1, 20, 60, 20, 15, 24, - chunk_from_chars( + chunk_from_chars( 0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D, 0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D, 0x8C, 0x9B, 0xD5, 0x63, 0x57, 0x38, 0x11, 0xC2, @@ -408,7 +424,7 @@ mgf1_test_t mgf1_tests[] = { 0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D, 0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C, 0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92, - 0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14), + 0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14), chunk_from_chars( 1, 2, 1, 0, 0, 1, 1, 1, 2, 0, 1, 0, 1, 1, 1, 0, 2, 0, 1, 1, 0, 0, 0, 1, 1, 0, 2, 0, 2, 2, 1, 2, 2, 2, 1, 2, 1, 1, 0, 0, @@ -466,7 +482,7 @@ mgf1_test_t mgf1_tests[] = { 0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D, 0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB, 0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C, - 0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28), + 0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28), chunk_from_chars( 0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A, 0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46, @@ -542,14 +558,17 @@ START_TEST(test_ntru_mgf1) mask2.len = mgf1_tests[_i].ml2; mask3.len = mgf1_tests[_i].ml3; - mgf1 = ntru_mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE); + mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, HASH_UNKNOWN, + mgf1_tests[_i].seed, TRUE); ck_assert(mgf1 == NULL); - mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE); + mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg, + chunk_empty, TRUE); ck_assert(mgf1 == NULL); /* return mask in allocated chunk */ - mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE); + mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg, + mgf1_tests[_i].seed, TRUE); ck_assert(mgf1); /* check hash size */ @@ -565,14 +584,16 @@ START_TEST(test_ntru_mgf1) mgf1->destroy(mgf1); /* copy mask to pre-allocated buffer */ - mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE); + mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg, + mgf1_tests[_i].seed, TRUE); ck_assert(mgf1); ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr)); ck_assert(chunk_equals(mask, mgf1_tests[_i].mask)); mgf1->destroy(mgf1); /* get mask in batches without hashing the seed */ - mgf1 = ntru_mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE); + mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg, + mgf1_tests[_i].hashed_seed, FALSE); ck_assert(mgf1); /* first batch */ @@ -600,16 +621,16 @@ START_TEST(test_ntru_trits) ntru_trits_t *mask; chunk_t trits; - mask = ntru_trits_create(mgf1_tests[_i].trits.len, HASH_UNKNOWN, - mgf1_tests[_i].seed); + mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len, + HASH_UNKNOWN, mgf1_tests[_i].seed); ck_assert(mask == NULL); - mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg, - chunk_empty); + mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len, + mgf1_tests[_i].alg, chunk_empty); ck_assert(mask == NULL); - mask = ntru_trits_create(mgf1_tests[_i].trits.len, mgf1_tests[_i].alg, - mgf1_tests[_i].seed); + mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len, + mgf1_tests[_i].alg, mgf1_tests[_i].seed); ck_assert(mask); trits = chunk_create(mask->get_trits(mask), mask->get_size(mask)); @@ -617,7 +638,8 @@ START_TEST(test_ntru_trits) mask->destroy(mask); /* generate a multiple of 5 trits */ - mask = ntru_trits_create(10, mgf1_tests[_i].alg, mgf1_tests[_i].seed); + mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, mgf1_tests[_i].alg, + mgf1_tests[_i].seed); ck_assert(mask); trits = chunk_create(mask->get_trits(mask), mask->get_size(mask)); @@ -638,17 +660,17 @@ START_TEST(test_ntru_poly) seed.len = mgf1_tests[_i].seed_len; p = &mgf1_tests[_i].poly_test[0]; - poly = ntru_poly_create_from_seed(HASH_UNKNOWN, seed, p->c_bits, p->N, p->q, - p->indices_len, p->indices_len, - p->is_product_form); + poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, HASH_UNKNOWN, seed, + p->c_bits, p->N, p->q, p->indices_len, p->indices_len, + p->is_product_form); ck_assert(poly == NULL); for (n = 0; n < 2; n++) { p = &mgf1_tests[_i].poly_test[n]; - poly = ntru_poly_create_from_seed(mgf1_tests[_i].alg, seed, p->c_bits, - p->N, p->q, p->indices_len, - p->indices_len, p->is_product_form); + poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, + mgf1_tests[_i].alg, seed, p->c_bits, p->N, p->q, + p->indices_len, p->indices_len, p->is_product_form); ck_assert(poly != NULL && poly->get_size(poly) == p->indices_size); indices = poly->get_indices(poly); @@ -748,8 +770,9 @@ START_TEST(test_ntru_ring_mult) int i; t = &ring_mult_tests[_i]; - poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p, - t->indices_len_m, t->is_product_form); + poly = TEST_FUNCTION(ntru, ntru_poly_create_from_data, t->indices, t->N, + t->q, t->indices_len_p, t->indices_len_m, + t->is_product_form); ck_assert(poly != NULL); c = malloc(t->N * sizeof(uint16_t)); @@ -776,8 +799,9 @@ START_TEST(test_ntru_array) t = &ring_mult_tests[array_tests[_i]]; - poly = ntru_poly_create_from_data(t->indices, t->N, t->q, t->indices_len_p, - t->indices_len_m, t->is_product_form); + poly = TEST_FUNCTION(ntru, ntru_poly_create_from_data, t->indices, t->N, + t->q, t->indices_len_p, t->indices_len_m, + t->is_product_form); ck_assert(poly != NULL); c = malloc(t->N * sizeof(uint16_t)); @@ -793,62 +817,413 @@ START_TEST(test_ntru_array) } END_TEST +START_TEST(test_ntru_param_set) +{ + ck_assert(TEST_FUNCTION(ntru, ntru_param_set_get_by_id, -1) == NULL); + ck_assert(TEST_FUNCTION(ntru, ntru_param_set_get_by_id, 16) == NULL); +} +END_TEST + +typedef struct { + ntru_param_set_id_t id; + chunk_t entropy; + chunk_t encoding; +} privkey_test_t; + +privkey_test_t privkey_tests[] = { + { + NTRU_EES401EP1, + chunk_from_chars( + 0x0C, 0x2F, 0x24, 0xE1, 0xA4, 0x81, 0x26, 0xA2, + 0x6C, 0xEA, 0xCD, 0x1A, 0xF3, 0xEB, 0x3D, 0xBF, + 0xEA, 0xAE, 0xC3, 0x0D, 0xC1), + chunk_from_chars( + 0x02, 0x03, 0x00, 0x02, 0x04, 0x3E, 0xF3, 0xCB, + 0x7A, 0x58, 0x13, 0x75, 0xBB, 0x87, 0xF5, 0xBF, + 0x2E, 0x18, 0xAE, 0x03, 0xAF, 0xB8, 0x33, 0x85, + 0xD8, 0xBF, 0x8A, 0xB5, 0x8C, 0xA6, 0xDF, 0x03, + 0x90, 0x1E, 0xE4, 0x83, 0xA4, 0x95, 0x40, 0xB5, + 0x08, 0x92, 0x29, 0xD8, 0x83, 0xA8, 0x42, 0xB2, + 0x69, 0xC2, 0x00, 0x8B, 0xAE, 0x80, 0x00, 0x4F, + 0x3D, 0xDD, 0xFB, 0xDB, 0x9A, 0xD8, 0x0F, 0xFF, + 0xBC, 0x21, 0xD5, 0xE6, 0x04, 0x9C, 0xDD, 0x3B, + 0x2D, 0x16, 0x4B, 0xC7, 0x3D, 0xBE, 0xDE, 0xBB, + 0x6F, 0xF4, 0x8A, 0x31, 0xCD, 0x23, 0x19, 0xC2, + 0x3C, 0xE1, 0xE2, 0xEE, 0xE4, 0xE7, 0x2E, 0xFC, + 0x5C, 0xDD, 0xAD, 0x0C, 0x9D, 0x98, 0xC5, 0x18, + 0x2A, 0x80, 0x21, 0x93, 0x61, 0xC4, 0x9A, 0x16, + 0xE8, 0x9B, 0xF7, 0x3B, 0x6D, 0x06, 0x91, 0x9E, + 0x71, 0x59, 0xBE, 0x8E, 0x65, 0x61, 0xB2, 0x69, + 0x9C, 0x82, 0x58, 0x0D, 0x63, 0x7A, 0x1F, 0x2A, + 0x1C, 0x2C, 0x92, 0x8C, 0x8D, 0xCA, 0x2B, 0x45, + 0x24, 0x79, 0xDB, 0x7F, 0x1D, 0x2F, 0xAB, 0x88, + 0x8C, 0x1D, 0xE3, 0x15, 0x8F, 0xCD, 0x46, 0x8C, + 0x45, 0x20, 0x88, 0x1C, 0x17, 0xE0, 0xE5, 0x89, + 0xF4, 0x60, 0x56, 0x3C, 0x6B, 0x9F, 0x2A, 0xD9, + 0xD0, 0xAE, 0x3B, 0xB6, 0xC2, 0xB7, 0x58, 0xC6, + 0x6E, 0x09, 0x36, 0x21, 0x0B, 0xDD, 0xE9, 0x52, + 0x33, 0x27, 0x39, 0xC8, 0x51, 0x59, 0x69, 0x25, + 0xC6, 0x3D, 0x19, 0x5C, 0x5E, 0x74, 0xD0, 0x62, + 0xD9, 0x26, 0x90, 0xC7, 0x64, 0x92, 0xA8, 0x72, + 0xD1, 0x77, 0x1F, 0x78, 0xC5, 0x11, 0xBD, 0x5D, + 0x3C, 0x1B, 0x1F, 0x8B, 0x5B, 0xE4, 0x5D, 0xA1, + 0x27, 0x6D, 0x20, 0x24, 0x32, 0x53, 0xF3, 0xB0, + 0xE6, 0x71, 0x61, 0xCC, 0xFC, 0x4A, 0x06, 0xDA, + 0xBE, 0xD7, 0x9F, 0x2F, 0xEB, 0x44, 0xD0, 0x8A, + 0x7D, 0x8E, 0x82, 0xF5, 0x84, 0xCF, 0x8E, 0xE5, + 0x4B, 0xA4, 0x30, 0x77, 0xBD, 0x14, 0xB9, 0x75, + 0x02, 0x68, 0xDF, 0x71, 0x89, 0x81, 0xF2, 0x95, + 0xC3, 0x67, 0x6E, 0x37, 0xE4, 0xD0, 0xC9, 0x1E, + 0x02, 0xDE, 0x2D, 0x79, 0x99, 0xE8, 0x7D, 0x5C, + 0x99, 0xF2, 0x1A, 0xDE, 0x12, 0x9B, 0xD1, 0x83, + 0x9B, 0x01, 0xD3, 0xEB, 0x2B, 0x8E, 0x9C, 0xA5, + 0x19, 0xE8, 0x2E, 0xFE, 0x23, 0x6E, 0xAD, 0x8F, + 0x3C, 0xAF, 0xB9, 0xE6, 0xDB, 0x07, 0xA4, 0x31, + 0x02, 0x2B, 0x6A, 0xA0, 0xFB, 0x51, 0x6C, 0xD0, + 0x26, 0xD5, 0xAD, 0x29, 0x65, 0x10, 0xCE, 0xF8, + 0x84, 0x4D, 0x1E, 0x37, 0x92, 0xA2, 0xD1, 0xFA, + 0xF6, 0xC0, 0x36, 0x4C, 0x23, 0x3A, 0x42, 0xAA, + 0xB8, 0x0D, 0x4E, 0xD4, 0x40, 0x61, 0xD5, 0x36, + 0x62, 0x23, 0x7C, 0x1C, 0x5E, 0xEA, 0x16, 0xAD, + 0x4F, 0x30, 0xF9, 0x16, 0x99, 0xCE, 0xC5, 0x50, + 0xAC, 0x8F, 0x6F, 0x98, 0xD7, 0xE3, 0x89, 0x6E, + 0x3A, 0x12, 0xCE, 0xA7, 0xA4, 0x17, 0x74, 0xDC, + 0xDB, 0xFA, 0xFF, 0xF9, 0x35, 0xD7, 0xF5, 0x77, + 0x03, 0xF5, 0xBF, 0x81, 0x6C, 0x9F, 0x62, 0xA6, + 0x8A, 0x5B, 0xA3, 0xEF, 0x9D, 0xC3, 0xF6, 0x3A, + 0x6A, 0xC0, 0x42, 0x71, 0xAF, 0x90, 0xCA, 0x1D, + 0x86, 0x78, 0xD7, 0x2C, 0xFE, 0xB6, 0x99, 0x15, + 0x8C, 0x10, 0x42, 0x92, 0x2C, 0x05, 0x43, 0x92, + 0x69, 0x05, 0x8D, 0x9E, 0xBC, 0xAB, 0x8F, 0x28, + 0xAA, 0x4B, 0xFB, 0x25, 0xD9, 0xAD, 0x29, 0xFF, + 0x33, 0x65, 0x14, 0xC3, 0x75, 0x1F, 0xCF, 0xFC, + 0x20, 0x83, 0xBF, 0xB9, 0xA5, 0x4B, 0x7B, 0xD9, + 0x07, 0x5C, 0xA1, 0xD1, 0x5A, 0x3E, 0x94, 0xF8, + 0x03, 0xDE, 0xB8, 0x94, 0x11, 0x92, 0x80, 0x77, + 0x57, 0x45, 0x1E, 0x6B, 0xA5, 0x15, 0xDB, 0x48, + 0xB6, 0x9E, 0x02, 0xF1, 0x61, 0x4A, 0xAC, 0x1D, + 0x49, 0xBC, 0xA9, 0x3F, 0x03, 0x50, 0xAC, 0x02, + 0x8E, 0x84, 0xE0, 0x12, 0x37, 0x76, 0xBC, 0x4A, + 0xF9, 0xC6, 0x74, 0x36, 0xFC, 0x92, 0x1D, 0x59, + 0x0C, 0x04, 0xD2, 0x14, 0xB7, 0x11, 0xE9, 0xE2, + 0xFE, 0x0C, 0xE1, 0xDA, 0x8B, 0xCA, 0x10, 0xA1, + 0x60, 0xB6, 0x57, 0x51, 0x00, 0xD6, 0x5B, 0x55, + 0x09, 0x60, 0xE8, 0x00, 0x40, 0x45, 0x56, 0xBA, + 0x83, 0x1E, 0x36, 0x12, 0x59, 0x4B, 0x19, 0x00, + 0x53, 0xAE, 0x62, 0xA6, 0x29, 0x39, 0xED, 0x87, + 0x24, 0x37, 0x1E, 0x1B, 0xCF, 0x3F, 0x3A, 0x71, + 0x31, 0xB5, 0x50, 0x8D, 0x4B, 0x53, 0x53, 0x75, + 0x3F, 0x33, 0x39, 0x09, 0x2A, 0x78, 0xA8, 0x71, + 0x3E, 0x63, 0xC5, 0x61, 0x73, 0xB6, 0xE1, 0x71, + 0x16, 0xDA, 0x06, 0xBF, 0x3F, 0x22, 0x74, 0x89, + 0x08, 0xD2, 0x05, 0x0B, 0x16, 0xC8, 0xF0, 0x17, + 0x4E, 0xA2, 0x65, 0x67, 0x6D, 0x02) + }, + { + NTRU_EES743EP1, + chunk_from_chars( + 0x9B, 0xAB, 0x57, 0xDB, 0x2C, 0x60, 0x83, 0x48, + 0x9F, 0xC9, 0x70, 0x8F, 0x69, 0xF7, 0xB4, 0xBB, + 0x63, 0x5C, 0x9A, 0x63, 0x07, 0x80, 0x17, 0xD3, + 0xCD, 0xB1, 0x57, 0x79, 0xFE, 0x8D, 0x81, 0x70, + 0xEB, 0x50, 0xFA, 0x05, 0xFB, 0x97, 0xB2, 0xAB, + 0x25, 0xED, 0xD8, 0x18, 0x1C, 0xFE, 0x96, 0x7D), + chunk_from_chars( + 0x02, 0x03, 0x00, 0x06, 0x10, 0x14, 0x53, 0x73, + 0x56, 0xF5, 0xA9, 0x34, 0xDE, 0xA6, 0x4D, 0x46, + 0x05, 0x9E, 0x80, 0xAE, 0xB6, 0x74, 0x91, 0xFF, + 0xFB, 0x48, 0xD3, 0x5C, 0x61, 0x12, 0x46, 0x02, + 0x9F, 0x53, 0x45, 0x87, 0x47, 0xBD, 0x6B, 0x26, + 0xF7, 0x36, 0xD3, 0x99, 0x1B, 0xD7, 0xEA, 0xA3, + 0xA8, 0x94, 0xFF, 0x93, 0x46, 0x7C, 0x2C, 0x5F, + 0x87, 0x8C, 0x38, 0xB3, 0x7B, 0xC6, 0x49, 0xE2, + 0x88, 0xCA, 0x67, 0x89, 0xD0, 0x6D, 0x7C, 0xAE, + 0x7C, 0x98, 0x84, 0xDA, 0x6B, 0x93, 0x92, 0xEF, + 0x4A, 0xD1, 0x4A, 0xD2, 0x5B, 0x13, 0xF8, 0x59, + 0x15, 0x2E, 0xBC, 0x70, 0x8D, 0x2D, 0xA9, 0x47, + 0xA1, 0x99, 0x19, 0x3F, 0x67, 0xE8, 0x18, 0xA7, + 0x17, 0x07, 0xB3, 0x14, 0xF6, 0x20, 0xA1, 0xD8, + 0x33, 0xE8, 0x08, 0x6A, 0xC1, 0x39, 0x99, 0x08, + 0xB4, 0x88, 0xEB, 0x48, 0x7D, 0xFB, 0xF5, 0xEF, + 0x03, 0x0D, 0x25, 0xB7, 0x98, 0xF3, 0xF1, 0x15, + 0x63, 0xE4, 0x0F, 0xFD, 0x54, 0x9F, 0x56, 0xE9, + 0xD1, 0x44, 0xE5, 0x89, 0x66, 0x14, 0x91, 0x1C, + 0xFD, 0xD6, 0xFD, 0x38, 0xAE, 0x39, 0xE3, 0xF7, + 0xCD, 0x77, 0xC2, 0xEA, 0x2E, 0xE4, 0xB7, 0x2B, + 0xBA, 0x7A, 0xD1, 0x75, 0xB8, 0x28, 0x65, 0x18, + 0xF4, 0xC6, 0xBD, 0xD0, 0x17, 0x7E, 0xEA, 0x86, + 0x7E, 0xFC, 0x95, 0xD6, 0x4C, 0x92, 0x01, 0xC3, + 0xFF, 0x04, 0x9B, 0xF8, 0xD6, 0xB3, 0x8F, 0x72, + 0xEF, 0x64, 0x09, 0x61, 0xF8, 0xE4, 0x48, 0xFC, + 0x0D, 0xEE, 0xEF, 0xA2, 0x9F, 0x3A, 0x2B, 0x1A, + 0xFB, 0x8B, 0xA0, 0x9C, 0x11, 0x0B, 0x97, 0x75, + 0x30, 0x7C, 0xB8, 0x9F, 0xEE, 0x3B, 0x53, 0x85, + 0x7D, 0xE9, 0xCB, 0xC4, 0x4D, 0xD7, 0x7F, 0x59, + 0x10, 0x72, 0x19, 0x3A, 0xC9, 0x38, 0xFE, 0xE8, + 0xB3, 0x06, 0x55, 0x8D, 0xA2, 0x5A, 0x3D, 0x79, + 0x67, 0x0E, 0x90, 0xC9, 0x25, 0x6D, 0x45, 0x9C, + 0x39, 0x79, 0x5F, 0x18, 0x35, 0x9F, 0xC1, 0x49, + 0x08, 0x6F, 0x1C, 0x47, 0x09, 0x0D, 0x49, 0x7C, + 0x3C, 0x7B, 0xB1, 0x09, 0x92, 0x1C, 0x4E, 0x5A, + 0xDA, 0x74, 0x9E, 0xBB, 0x55, 0x9D, 0xBB, 0x1E, + 0x43, 0x28, 0x62, 0xAF, 0x02, 0xB0, 0x1A, 0xEA, + 0x13, 0x0A, 0x70, 0x0F, 0x60, 0x0F, 0x62, 0xA2, + 0x4E, 0x1F, 0xB2, 0xEA, 0x06, 0xDD, 0x18, 0x02, + 0x6C, 0xF3, 0x82, 0xF1, 0x80, 0x7F, 0xA7, 0x2F, + 0xCC, 0xC6, 0x18, 0xEA, 0xFF, 0x1F, 0xAD, 0xC6, + 0xBA, 0x0C, 0x0E, 0x04, 0xB2, 0x58, 0x1D, 0xB6, + 0x01, 0xA3, 0x97, 0xDF, 0x7D, 0x9B, 0xB5, 0x0A, + 0xAD, 0x30, 0x2B, 0xC5, 0x67, 0x40, 0x07, 0xF1, + 0xD5, 0x6C, 0x11, 0x10, 0xE1, 0x69, 0x30, 0xAD, + 0x90, 0x06, 0xDB, 0xF8, 0xEA, 0x92, 0x9B, 0x39, + 0x57, 0x38, 0x7B, 0xE4, 0xB2, 0xA2, 0x89, 0xFD, + 0xB1, 0x6D, 0x88, 0x41, 0x62, 0x4D, 0x18, 0xB6, + 0x3F, 0x12, 0x81, 0xDE, 0xE6, 0xDC, 0x4A, 0x31, + 0x61, 0x26, 0xB1, 0x4B, 0x95, 0xC1, 0x69, 0xDC, + 0xDC, 0xAC, 0xD0, 0x15, 0xFC, 0x21, 0xC5, 0x20, + 0x5F, 0x97, 0x76, 0x41, 0xC1, 0xF2, 0xD7, 0x95, + 0x1D, 0x25, 0x23, 0x36, 0x86, 0xFA, 0x7E, 0xF4, + 0x14, 0x9F, 0x9D, 0x9F, 0xB2, 0xBB, 0x25, 0x1D, + 0xD5, 0x7A, 0x6F, 0x9E, 0xF7, 0xEF, 0x9D, 0x63, + 0x1E, 0xD5, 0xDE, 0x6A, 0xE6, 0x46, 0x48, 0x1F, + 0xE1, 0x0C, 0x4D, 0x82, 0xC9, 0x19, 0x3B, 0x65, + 0xA4, 0x06, 0x13, 0xB7, 0x04, 0xB1, 0x62, 0xF7, + 0x08, 0xAE, 0xED, 0x42, 0x6D, 0xCC, 0x6C, 0xA6, + 0x06, 0x06, 0x41, 0x3E, 0x0C, 0x89, 0x4C, 0xBD, + 0x00, 0x4F, 0x0E, 0xA9, 0x72, 0x06, 0x21, 0x82, + 0xD2, 0xB6, 0x6C, 0xB0, 0xB0, 0x01, 0x5B, 0xDD, + 0x05, 0xCE, 0x71, 0x6E, 0x00, 0x58, 0xC7, 0xA6, + 0x5B, 0xF6, 0xFB, 0x6B, 0x62, 0xB1, 0xE8, 0x4D, + 0xAC, 0xC0, 0x6B, 0xF4, 0x40, 0x69, 0xEE, 0x0D, + 0xE7, 0x82, 0x61, 0x8D, 0x35, 0x01, 0x97, 0x4E, + 0xF2, 0xCC, 0xF5, 0x7F, 0xBF, 0xE4, 0xEC, 0x9C, + 0xC4, 0xD2, 0xD9, 0x65, 0x78, 0x98, 0xD8, 0xB0, + 0xFA, 0xA8, 0xFB, 0xB0, 0xCE, 0x22, 0x5D, 0x0B, + 0x27, 0xDF, 0x0E, 0x63, 0x42, 0xFE, 0x89, 0x13, + 0x99, 0xB2, 0x02, 0x0B, 0xF6, 0x04, 0xB6, 0xAF, + 0x9F, 0x8C, 0xA6, 0x17, 0x0D, 0xD9, 0x5B, 0x45, + 0xE4, 0x08, 0x53, 0x51, 0xE0, 0xD5, 0x22, 0x72, + 0xBE, 0xAD, 0x74, 0x69, 0xB9, 0xFB, 0x91, 0xF8, + 0xC1, 0x89, 0x28, 0x71, 0x27, 0x62, 0xB1, 0xF0, + 0xFD, 0x78, 0xBC, 0x82, 0xFE, 0x76, 0xBE, 0x7B, + 0x47, 0x79, 0x32, 0x71, 0xAD, 0xD6, 0x76, 0x46, + 0xFB, 0x32, 0xE8, 0x4B, 0x98, 0x9A, 0xC6, 0x85, + 0xF2, 0xF1, 0x8A, 0xEC, 0xC2, 0x4E, 0x9B, 0x2F, + 0x2D, 0x6F, 0xC9, 0x9B, 0xB6, 0x14, 0x35, 0x6D, + 0xD6, 0x5B, 0xF3, 0x02, 0x5A, 0xE5, 0xBD, 0x00, + 0xF7, 0x6E, 0x51, 0xA7, 0xDB, 0x19, 0xAE, 0x01, + 0x01, 0x05, 0x94, 0x23, 0xF7, 0x5B, 0x07, 0x79, + 0xFF, 0x39, 0x58, 0x9C, 0x2A, 0xF7, 0x7E, 0x5D, + 0x81, 0xF9, 0x59, 0xFE, 0xB9, 0x9A, 0x96, 0x63, + 0x1F, 0x65, 0xF6, 0xF0, 0x3D, 0xEA, 0xD7, 0xC2, + 0x8A, 0xCF, 0xB5, 0x58, 0x74, 0x77, 0x23, 0xD6, + 0x72, 0x58, 0xA8, 0xAE, 0x31, 0x8A, 0x59, 0xEA, + 0x69, 0x14, 0x6A, 0x20, 0x78, 0x79, 0x28, 0x5A, + 0xE1, 0x76, 0x6F, 0xA6, 0x1A, 0x9E, 0x47, 0xD2, + 0xAF, 0x63, 0xF8, 0x06, 0xF6, 0xD8, 0xD5, 0x14, + 0xA8, 0xD1, 0xEE, 0x96, 0xCE, 0xBB, 0x8E, 0x22, + 0x69, 0x2F, 0x52, 0x06, 0xB6, 0x6F, 0xC8, 0x99, + 0x96, 0xEA, 0xC6, 0x1D, 0x96, 0x4C, 0x69, 0x95, + 0xFE, 0x74, 0x04, 0x3C, 0x55, 0xD9, 0x5F, 0xE0, + 0x41, 0x21, 0x43, 0x21, 0x5A, 0x50, 0x5D, 0x8B, + 0xE8, 0xB2, 0x51, 0x1B, 0x7C, 0x63, 0x50, 0xAE, + 0x97, 0x4F, 0xBA, 0x7D, 0xF2, 0xB6, 0xB6, 0x16, + 0x1D, 0x47, 0x9E, 0x19, 0x68, 0xD4, 0x6B, 0x2B, + 0x75, 0xCD, 0xAE, 0x65, 0x33, 0x38, 0xF6, 0x6D, + 0xC7, 0x3E, 0x46, 0x98, 0x9E, 0x98, 0x8B, 0x45, + 0x11, 0xA7, 0x12, 0x05, 0xB0, 0x01, 0xC3, 0x51, + 0xA0, 0xEE, 0x7C, 0x16, 0xD1, 0x42, 0x96, 0xC4, + 0xF0, 0x7B, 0x71, 0xCD, 0x50, 0x38, 0xA4, 0xB0, + 0x6E, 0x6F, 0xE0, 0xBD, 0xC4, 0xF7, 0x96, 0x2B, + 0xF1, 0x6D, 0x9F, 0xF3, 0x71, 0x89, 0xFA, 0xB4, + 0x44, 0xA4, 0x32, 0xDC, 0xB2, 0x55, 0x13, 0x31, + 0x83, 0x29, 0x66, 0x21, 0x3E, 0x89, 0xF8, 0x78, + 0x97, 0x9C, 0x64, 0xF9, 0x2C, 0x0A, 0x88, 0xBC, + 0xCA, 0x6F, 0x83, 0x42, 0xF6, 0xD7, 0x00, 0xC4, + 0x19, 0x52, 0xB0, 0x31, 0xA8, 0xBA, 0xE8, 0xD4, + 0xAD, 0x4B, 0x5D, 0xC0, 0x01, 0x20, 0x6C, 0xBB, + 0x1D, 0x9A, 0x1D, 0xD4, 0x19, 0xFD, 0x33, 0xAB, + 0xA0, 0x54, 0x50, 0x91, 0xE9, 0x75, 0x5C, 0x7E, + 0x7E, 0xB3, 0x24, 0x79, 0xAE, 0x10, 0x3C, 0xB4, + 0xB7, 0x0A, 0x1D, 0x86, 0xAD, 0x06, 0x95, 0xCB, + 0x84, 0x9B, 0x0E, 0x8B, 0x77, 0x7E, 0x3E, 0xD2, + 0xA6, 0xDF, 0xAD, 0x4E, 0xFB, 0x69, 0x23, 0xAC, + 0x7A, 0xCB, 0xAA, 0xB0, 0x22, 0xDD, 0xD2, 0xC6, + 0xC7, 0xAD, 0xD7, 0xDE, 0xEC, 0x6F, 0x08, 0x41, + 0x54, 0xD5, 0x52, 0xDC, 0x77, 0xE4, 0x72, 0xF9, + 0x16, 0xB1, 0xC9, 0xAF, 0xB1, 0x3B, 0x18, 0x99, + 0x20, 0x9F, 0x79, 0x63, 0x7B, 0x07, 0xC7, 0x35, + 0xDF, 0xBB, 0xCE, 0x66, 0x93, 0x1B, 0xF5, 0x82, + 0x25, 0x67, 0xC1, 0xF2, 0xF0, 0x89, 0x0F, 0xEF, + 0x84, 0x0D, 0x63, 0xB6, 0x7B, 0xD0, 0x40, 0x8E, + 0xDB, 0x94, 0xCC, 0x71, 0x3C, 0xDB, 0x36, 0x14, + 0x34, 0xFD, 0xA0, 0xB0, 0xC1, 0x45, 0x31, 0xF8, + 0x8D, 0xD8, 0x23, 0xB1, 0x05, 0x14, 0xA9, 0x55, + 0x3A, 0x1A, 0x37, 0x48, 0x68, 0x89, 0x3F, 0x15, + 0x25, 0xD4, 0x99, 0x53, 0x4C, 0x85, 0x98, 0x78, + 0x1D, 0x35, 0x4A, 0x83, 0x79, 0x9A, 0x29, 0x90, + 0x2B, 0x45, 0x76, 0x0C, 0x13, 0x80, 0x4A, 0xE0, + 0x40, 0xED, 0x6B, 0x2E, 0x2A, 0x43, 0xA9, 0x28, + 0xB0, 0x2F, 0x89, 0x01, 0x6B, 0x39, 0x8C, 0x5E, + 0x80, 0x61, 0xD9, 0xEE, 0x0F, 0x41, 0x75, 0xB5, + 0xAE, 0xB6, 0xC2, 0x42, 0x49, 0x8D, 0x89, 0xD8, + 0xF4, 0x78, 0x1D, 0x90, 0x46, 0x26, 0x4C, 0x56, + 0xB7, 0xC0, 0xD9, 0x98, 0x7B, 0x07, 0xA1, 0x20) + } +}; + +START_TEST(test_ntru_privkey) +{ + rng_t *entropy; + ntru_drbg_t *drbg; + ntru_private_key_t *privkey; + ntru_public_key_t *pubkey; + ntru_param_set_t *params; + uint32_t strength; + chunk_t encoding, privkey_encoding, pubkey_encoding; + + params = TEST_FUNCTION(ntru, ntru_param_set_get_by_id, + privkey_tests[_i].id); + strength = params->sec_strength_len * BITS_PER_BYTE; + entropy = test_rng_create(privkey_tests[_i].entropy); + drbg = TEST_FUNCTION(ntru, ntru_drbg_create, strength, + chunk_from_str("IKE NTRU-KE"), entropy); + ck_assert(drbg != NULL); + + privkey = TEST_FUNCTION(ntru, ntru_private_key_create, drbg, params); + ck_assert(privkey); + ck_assert(privkey->get_id(privkey) == privkey_tests[_i].id); + + privkey_encoding = privkey->get_encoding(privkey); + encoding = privkey_tests[_i].encoding; + ck_assert(chunk_equals(privkey_encoding, encoding)); + + /* load private key as a packed blob */ + privkey->destroy(privkey); + privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data, + drbg, chunk_empty); + ck_assert(privkey == NULL); + + encoding = chunk_clone(encoding); + encoding.ptr[0] = NTRU_PUBKEY_TAG; + privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data, + drbg, encoding); + ck_assert(privkey == NULL); + + encoding.ptr[0] = NTRU_PRIVKEY_TRITS_TAG; + privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data, + drbg, encoding); + if (params->is_product_form) + { + ck_assert(privkey == NULL); + } + else + { + ck_assert(privkey != NULL); + privkey->destroy(privkey); + } + + encoding.ptr[0] = NTRU_PRIVKEY_INDICES_TAG; + privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data, + drbg, encoding); + if (params->is_product_form) + { + ck_assert(privkey != NULL); + privkey->destroy(privkey); + } + else + { + ck_assert(privkey == NULL); + } + + encoding.ptr[0] = NTRU_PRIVKEY_DEFAULT_TAG; + encoding.ptr[1] = NTRU_OID_LEN - 1; + privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data, + drbg, encoding); + ck_assert(privkey == NULL); + + encoding.ptr[1] = NTRU_OID_LEN; + encoding.ptr[2] = 0xff; + privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data, + drbg, encoding); + ck_assert(privkey == NULL); + + encoding.ptr[2] = params->oid[0]; + privkey = TEST_FUNCTION(ntru, ntru_private_key_create_from_data, + drbg, encoding); + privkey_encoding = privkey->get_encoding(privkey); + ck_assert(chunk_equals(privkey_encoding, encoding)); + + pubkey = privkey->get_public_key(privkey); + pubkey_encoding = pubkey->get_encoding(pubkey); + + encoding.ptr[0] = NTRU_PUBKEY_TAG; + encoding.len = pubkey_encoding.len; + ck_assert(chunk_equals(pubkey_encoding, encoding)); + + /* load public key as a packed blob */ + pubkey->destroy(pubkey); + pubkey = TEST_FUNCTION(ntru, ntru_public_key_create_from_data, + drbg, encoding); + pubkey_encoding = pubkey->get_encoding(pubkey); + ck_assert(chunk_equals(pubkey_encoding, encoding)); + + chunk_free(&encoding); + privkey->destroy(privkey); + pubkey->destroy(pubkey); + drbg->destroy(drbg); + entropy->destroy(entropy); +} +END_TEST + START_TEST(test_ntru_ke) { chunk_t pub_key, cipher_text, i_shared_secret, r_shared_secret; diffie_hellman_t *i_ntru, *r_ntru; char buf[10]; - int n, len; + int k, n, len; status_t status; + k = (_i) / countof(parameter_sets); + n = (_i) % countof(parameter_sets); + len = snprintf(buf, sizeof(buf), "%N", diffie_hellman_group_names, - params[_i].group); + params[k].group); ck_assert(len == 8); - ck_assert(streq(buf, params[_i].group_name)); - - for (n = 0; n < countof(parameter_sets); n++) - { - lib->settings->set_str(lib->settings, - "libstrongswan.plugins.ntru.parameter_set", - parameter_sets[n]); + ck_assert(streq(buf, params[k].group_name)); - i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group); - ck_assert(i_ntru != NULL); - ck_assert(i_ntru->get_dh_group(i_ntru) == params[_i].group); + lib->settings->set_str(lib->settings, + "libstrongswan.plugins.ntru.parameter_set", parameter_sets[n]); - i_ntru->get_my_public_value(i_ntru, &pub_key); - ck_assert(pub_key.len > 0); + i_ntru = lib->crypto->create_dh(lib->crypto, params[k].group); + ck_assert(i_ntru != NULL); + ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group); - r_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group); - ck_assert(r_ntru != NULL); + i_ntru->get_my_public_value(i_ntru, &pub_key); + ck_assert(pub_key.len > 0); - r_ntru->set_other_public_value(r_ntru, pub_key); - r_ntru->get_my_public_value(r_ntru, &cipher_text); - ck_assert(cipher_text.len > 0); + r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group); + ck_assert(r_ntru != NULL); - status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret); - ck_assert(status == SUCCESS); - ck_assert(r_shared_secret.len > 0); + r_ntru->set_other_public_value(r_ntru, pub_key); + r_ntru->get_my_public_value(r_ntru, &cipher_text); + ck_assert(cipher_text.len > 0); - i_ntru->set_other_public_value(i_ntru, cipher_text); - status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret); + status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret); + ck_assert(status == SUCCESS); + ck_assert(r_shared_secret.len > 0); - if (status == SUCCESS) - { - ck_assert(chunk_equals(i_shared_secret, r_shared_secret)); - } - else - { - ck_assert(i_shared_secret.len == 0); - } + i_ntru->set_other_public_value(i_ntru, cipher_text); + status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret); + ck_assert(status == SUCCESS); + ck_assert(chunk_equals(i_shared_secret, r_shared_secret)); - chunk_clear(&i_shared_secret); - chunk_clear(&r_shared_secret); - chunk_free(&pub_key); - chunk_free(&cipher_text); - i_ntru->destroy(i_ntru); - r_ntru->destroy(r_ntru); - } + chunk_clear(&i_shared_secret); + chunk_clear(&r_shared_secret); + chunk_free(&pub_key); + chunk_free(&cipher_text); + i_ntru->destroy(i_ntru); + r_ntru->destroy(r_ntru); } END_TEST @@ -1015,8 +1390,17 @@ Suite *ntru_suite_create() tcase_add_loop_test(tc, test_ntru_array, 0, countof(array_tests)); suite_add_tcase(s, tc); + tc = tcase_create("param_set"); + tcase_add_test(tc, test_ntru_param_set); + suite_add_tcase(s, tc); + + tc = tcase_create("privkey"); + tcase_add_loop_test(tc, test_ntru_privkey, 0, countof(privkey_tests)); + suite_add_tcase(s, tc); + tc = tcase_create("ke"); - tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params)); + tcase_add_loop_test(tc, test_ntru_ke, 0, + countof(params) * countof(parameter_sets)); suite_add_tcase(s, tc); tc = tcase_create("retransmission"); diff --git a/src/libstrongswan/tests/suites/test_vectors.c b/src/libstrongswan/tests/suites/test_vectors.c index 242ac9d09..a1205d0be 100644 --- a/src/libstrongswan/tests/suites/test_vectors.c +++ b/src/libstrongswan/tests/suites/test_vectors.c @@ -1,4 +1,7 @@ /* + * Copyright (C) 2014 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * * Copyright (C) 2013 Martin Willi * Copyright (C) 2013 revosec AG * @@ -15,13 +18,15 @@ #include "test_suite.h" -/******************************************************************************* - * Check if test vectors have been successful during transform registration - */ +#include <utils/test.h> + +IMPORT_FUNCTION_FOR_TESTS(crypto, verify_registered_algorithms, u_int, + crypto_factory_t *factory); START_TEST(test_vectors) { - u_int failed = lib->crypto->get_test_vector_failures(lib->crypto); + u_int failed = TEST_FUNCTION(crypto, verify_registered_algorithms, + lib->crypto); fail_if(failed > 0, "%u test vectors failed", failed); } END_TEST diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c index 0b26ee128..5ec4198e7 100644 --- a/src/libstrongswan/tests/test_runner.c +++ b/src/libstrongswan/tests/test_runner.c @@ -22,6 +22,7 @@ #include <collections/array.h> #include <utils/test.h> +#include <stdlib.h> #include <dirent.h> #include <unistd.h> #include <limits.h> @@ -32,31 +33,85 @@ #define TTY(color) tty_escape_get(2, TTY_FG_##color) /** - * Initialize the lookup table for testable functions (defined in libstrongswan) + * Initialize the lookup table for testable functions (defined in + * libstrongswan). We don't use the constructor attribute as the order can't + * really be defined (clang does not support it and gcc does not adhere to it in + * the monolithic build). The function here is a weak symbol in libstrongswan. */ -static void testable_functions_create() __attribute__ ((constructor(1000))); -static void testable_functions_create() +void testable_functions_create() { - testable_functions = hashtable_create(hashtable_hash_str, - hashtable_equals_str, 8); + if (!testable_functions) + { + testable_functions = hashtable_create(hashtable_hash_str, + hashtable_equals_str, 8); + } } /** * Destroy the lookup table for testable functions */ -static void testable_functions_destroy() __attribute__ ((destructor(1000))); +static void testable_functions_destroy() __attribute__ ((destructor)); static void testable_functions_destroy() { - testable_functions->destroy(testable_functions); + DESTROY_IF(testable_functions); /* if leak detective is enabled plugins are not actually unloaded, which * means their destructor is called AFTER this one when the process - * terminates, even though the priority says differently, make sure this - * does not crash */ + * terminates, make sure this does not crash */ testable_functions = NULL; } /** - * Load all available test suites + * Destroy a single test suite and associated data + */ +static void destroy_suite(test_suite_t *suite) +{ + test_case_t *tcase; + + while (array_remove(suite->tcases, 0, &tcase)) + { + array_destroy(tcase->functions); + array_destroy(tcase->fixtures); + } + free(suite); +} + +/** + * Removes and destroys test suites that are not selected. + */ +static void filter_suites(array_t *loaded) +{ + enumerator_t *enumerator, *names; + hashtable_t *selected; + test_suite_t *suite; + char *suites, *name; + + suites = getenv("TESTS_SUITES"); + if (!suites) + { + return; + } + selected = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8); + names = enumerator_create_token(suites, ",", " "); + while (names->enumerate(names, &name)) + { + selected->put(selected, name, name); + } + enumerator = array_create_enumerator(loaded); + while (enumerator->enumerate(enumerator, &suite)) + { + if (!selected->get(selected, suite->name)) + { + array_remove_at(loaded, enumerator); + destroy_suite(suite); + } + } + enumerator->destroy(enumerator); + selected->destroy(selected); + names->destroy(names); +} + +/** + * Load all available test suites, or optionally only selected ones. */ static array_t *load_suites(test_configuration_t configs[], test_runner_init_t init) @@ -91,6 +146,7 @@ static array_t *load_suites(test_configuration_t configs[], array_insert(suites, -1, configs[i].suite()); } } + filter_suites(suites); if (lib->leak_detective) { @@ -112,16 +168,10 @@ static array_t *load_suites(test_configuration_t configs[], static void unload_suites(array_t *suites) { test_suite_t *suite; - test_case_t *tcase; while (array_remove(suites, 0, &suite)) { - while (array_remove(suite->tcases, 0, &tcase)) - { - array_destroy(tcase->functions); - array_destroy(tcase->fixtures); - } - free(suite); + destroy_suite(suite); } array_destroy(suites); } @@ -178,6 +228,9 @@ static bool call_fixture(test_case_t *tcase, bool up) */ static bool pre_test(test_runner_init_t init) { + level_t level = LEVEL_SILENT; + char *verbosity; + library_init(NULL, "test-runner"); /* use non-blocking RNG to generate keys fast */ @@ -185,6 +238,9 @@ static bool pre_test(test_runner_init_t init) "libstrongswan.plugins.random.random", lib->settings->get_str(lib->settings, "libstrongswan.plugins.random.urandom", "/dev/urandom")); + /* same for the gcrypt plugin */ + lib->settings->set_default_str(lib->settings, + "libstrongswan.plugins.gcrypt.quick_random", "yes"); if (lib->leak_detective) { @@ -197,7 +253,12 @@ static bool pre_test(test_runner_init_t init) library_deinit(); return FALSE; } - dbg_default_set_level(LEVEL_SILENT); + verbosity = getenv("TESTS_VERBOSITY"); + if (verbosity) + { + level = atoi(verbosity); + } + dbg_default_set_level(level); return TRUE; } @@ -254,7 +315,7 @@ static void sum_leaks(report_data_t *data, int count, size_t bytes, * Do library cleanup and optionally check for memory leaks */ static bool post_test(test_runner_init_t init, bool check_leaks, - array_t *failures, char *name, int i) + array_t *failures, char *name, int i, int *leaks) { report_data_t data = { .failures = failures, @@ -264,7 +325,15 @@ static bool post_test(test_runner_init_t init, bool check_leaks, if (init) { - init(FALSE); + if (test_restore_point()) + { + init(FALSE); + } + else + { + library_deinit(); + return FALSE; + } } if (check_leaks && lib->leak_detective) { @@ -274,7 +343,8 @@ static bool post_test(test_runner_init_t init, bool check_leaks, } library_deinit(); - return data.leaks != 0; + *leaks = data.leaks; + return TRUE; } /** @@ -346,7 +416,8 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init) { if (pre_test(init)) { - bool ok = FALSE, leaks = FALSE; + bool ok = FALSE; + int leaks = 0; test_setup_timeout(tcase->timeout); @@ -363,9 +434,11 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init) { call_fixture(tcase, FALSE); } - } - leaks = post_test(init, ok, failures, tfun->name, i); + if (!post_test(init, ok, failures, tfun->name, i, &leaks)) + { + ok = FALSE; + } test_setup_timeout(0); diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c index 0f2e74b7c..fb40b05c1 100644 --- a/src/libstrongswan/tests/test_suite.c +++ b/src/libstrongswan/tests/test_suite.c @@ -136,7 +136,8 @@ static inline void test_failure() else { pthread_kill(main_thread, SIGUSR1); - /* how can we stop just the thread? longjmp to a restore point? */ + /* terminate thread to prevent it from going wild */ + pthread_exit(NULL); } } diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c index eb167d6a4..0adfb31d0 100644 --- a/src/libstrongswan/threading/thread.c +++ b/src/libstrongswan/threading/thread.c @@ -496,6 +496,8 @@ void threads_deinit() dummy1->destroy(dummy1); main_thread->mutex->lock(main_thread->mutex); + main_thread->terminated = TRUE; + main_thread->detached_or_joined = TRUE; thread_destroy(main_thread); current_thread->destroy(current_thread); id_mutex->destroy(id_mutex); diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index 82eadcb97..af29e2100 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2013-2014 Tobias Brunner * Copyright (C) 2006-2013 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -973,17 +973,20 @@ leak_detective_t *leak_detective_create() }, ); + if (getenv("LEAK_DETECTIVE_DISABLE") != NULL) + { + free(this); + return NULL; + } + lock = spinlock_create(); thread_disabled = thread_value_create(NULL); init_static_allocations(); - if (getenv("LEAK_DETECTIVE_DISABLE") == NULL) + if (register_hooks()) { - if (register_hooks()) - { - enable_leak_detective(); - } + enable_leak_detective(); } return &this->public; } diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h index 3fd0b8c93..ca70067d4 100644 --- a/src/libstrongswan/utils/leak_detective.h +++ b/src/libstrongswan/utils/leak_detective.h @@ -50,9 +50,7 @@ typedef void (*leak_detective_summary_cb_t)(void* user, int count, size_t bytes, int whitelisted); /** - * Leak detective finds leaks and bad frees using malloc hooks. - * - * Currently leaks are reported to stderr on destruction. + * Leak detective finds leaks and invalid frees using malloc hooks. * * @todo Build an API for leak detective, allowing leak enumeration, statistics * and dynamic whitelisting. @@ -62,13 +60,12 @@ struct leak_detective_t { /** * Report leaks to the registered callback functions. * - * @param detailed TRUE to resolve line/filename of leak (slow) + * @param detailed TRUE to resolve line/filename of leaks (slow) */ void (*report)(leak_detective_t *this, bool detailed); /** - * Report current memory usage to out. - * Set callback functions invoked during a report(). + * Set callback functions invoked when report() is called. * * @param cb callback invoked for each detected leak * @param scb summary callback invoked at end of report @@ -78,11 +75,11 @@ struct leak_detective_t { leak_detective_summary_cb_t scb, void *user); /** - * Report current memory usage using a callbacks. + * Report current memory usage using callback functions. * * @param cb callback invoked for each allocation * @param scb summary callback invoked at end of usage report - * @param user user data supplied to callbacks + * @param user user data to supply to callbacks */ void (*usage)(leak_detective_t *this, leak_detective_report_cb_t cb, leak_detective_summary_cb_t scb, void *user); @@ -109,7 +106,10 @@ struct leak_detective_t { }; /** - * Create a leak_detective instance. + * Create a leak_detective instance, unless the LEAK_DETECTIVE_DISABLE + * environment variable is set. + * + * @return leak detective instance */ leak_detective_t *leak_detective_create(); diff --git a/src/libstrongswan/utils/settings.c b/src/libstrongswan/utils/settings.c index 490490a1e..cf34fd1cf 100644 --- a/src/libstrongswan/utils/settings.c +++ b/src/libstrongswan/utils/settings.c @@ -1224,7 +1224,16 @@ static bool parse_file(linked_list_t *contents, char *file, int level, { if (errno == ENOENT) { - DBG2(DBG_LIB, "'%s' does not exist, ignored", file); +#ifdef STRONGSWAN_CONF + if (streq(file, STRONGSWAN_CONF)) + { + DBG2(DBG_LIB, "'%s' does not exist, ignored", file); + } + else +#endif + { + DBG1(DBG_LIB, "'%s' does not exist, ignored", file); + } return TRUE; } DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno)); @@ -1244,8 +1253,8 @@ static bool parse_file(linked_list_t *contents, char *file, int level, fseek(fd, 0, SEEK_END); len = ftell(fd); rewind(fd); - text = malloc(len + 1); - text[len] = '\0'; + text = malloc(len + 2); + text[len] = text[len + 1] = '\0'; if (fread(text, 1, len, fd) != len) { free(text); @@ -1287,7 +1296,7 @@ static bool parse_files(linked_list_t *contents, char *file, int level, if (!strlen(pattern)) { - DBG2(DBG_LIB, "empty include pattern, ignored"); + DBG1(DBG_LIB, "empty include pattern, ignored"); return TRUE; } @@ -1318,7 +1327,7 @@ static bool parse_files(linked_list_t *contents, char *file, int level, status = glob(pat, GLOB_ERR, NULL, &buf); if (status == GLOB_NOMATCH) { - DBG2(DBG_LIB, "no files found matching '%s', ignored", pat); + DBG1(DBG_LIB, "no files found matching '%s', ignored", pat); } else if (status != 0) { @@ -1509,4 +1518,3 @@ settings_t *settings_create(char *file) return &this->public; } - diff --git a/src/libstrongswan/utils/test.c b/src/libstrongswan/utils/test.c index 7de5a7661..624ac4b34 100644 --- a/src/libstrongswan/utils/test.c +++ b/src/libstrongswan/utils/test.c @@ -22,29 +22,46 @@ */ hashtable_t *testable_functions; +/** + * The function that actually initializes the hash table above. Provided + * by the test runner. + */ +void testable_functions_create() __attribute__((weak)); + /* * Described in header. */ void testable_function_register(char *name, void *fn) { - if (testable_functions) + bool old = FALSE; + + if (!testable_functions_create) + { /* not linked to the test runner */ + return; + } + else if (!fn && !testable_functions) + { /* ignore as testable_functions has already been destroyed */ + return; + } + + if (lib && lib->leak_detective) + { + old = lib->leak_detective->set_state(lib->leak_detective, FALSE); + } + if (!testable_functions) + { + testable_functions_create(); + } + if (fn) + { + testable_functions->put(testable_functions, name, fn); + } + else + { + testable_functions->remove(testable_functions, name); + } + if (lib && lib->leak_detective) { - bool old = FALSE; - if (lib->leak_detective) - { - old = lib->leak_detective->set_state(lib->leak_detective, FALSE); - } - if (fn) - { - testable_functions->put(testable_functions, name, fn); - } - else - { - testable_functions->remove(testable_functions, name); - } - if (lib->leak_detective) - { - lib->leak_detective->set_state(lib->leak_detective, old); - } + lib->leak_detective->set_state(lib->leak_detective, old); } } diff --git a/src/libstrongswan/utils/test.h b/src/libstrongswan/utils/test.h index 5b7289244..a1b2a2d9b 100644 --- a/src/libstrongswan/utils/test.h +++ b/src/libstrongswan/utils/test.h @@ -51,7 +51,7 @@ void testable_function_register(char *name, void *fn); * @param fn function to register */ #define EXPORT_FUNCTION_FOR_TESTS(ns, fn) \ -static void testable_function_register_##fn() __attribute__ ((constructor(2000))); \ +static void testable_function_register_##fn() __attribute__ ((constructor)); \ static void testable_function_register_##fn() \ { \ testable_function_register(#ns "/" #fn, fn); \ @@ -65,32 +65,32 @@ static void testable_function_unregister_##fn() \ /** * Import a registered function so that it can be called from tests. * - * @note If the imported function is static (or no conflicting header files - * are included) ret can be prefixed with static to declare the function static. - * - * @note We allocate an arbitrary amount of stack space, hopefully enough for - * all arguments. - * * @param ns namespace of the function * @param name name of the function * @param ret return type of the function * @param ... arguments of the function */ #define IMPORT_FUNCTION_FOR_TESTS(ns, name, ret, ...) \ -ret name(__VA_ARGS__) \ -{ \ - void (*fn)() = NULL; \ +static ret (*TEST_##ns##name)(__VA_ARGS__); + +/** + * Call a registered function from tests. + * + * @param ns namespace of the function + * @param name name of the function + * @param ... arguments for the function + */ +#define TEST_FUNCTION(ns, name, ...) \ +({ \ if (testable_functions) \ { \ - fn = testable_functions->get(testable_functions, #ns "/" #name); \ + TEST_##ns##name = testable_functions->get(testable_functions, #ns "/" #name); \ } \ - if (fn) \ + if (!TEST_##ns##name) \ { \ - void *args = __builtin_apply_args(); \ - __builtin_return(__builtin_apply(fn, args, 16*sizeof(void*))); \ + test_fail_msg(__FILE__, __LINE__, "function " #name " (" #ns ") not found"); \ } \ - test_fail_msg(__FILE__, __LINE__, "function " #name " (" #ns ") not found"); \ - __builtin_return(NULL); \ -} + TEST_##ns##name(__VA_ARGS__); \ +}) #endif /** TEST_H_ @}*/ diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am index b83ea8eba..d565a1479 100644 --- a/src/libtls/Makefile.am +++ b/src/libtls/Makefile.am @@ -8,6 +8,7 @@ ipseclib_LTLIBRARIES = libtls.la libtls_la_SOURCES = \ tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \ tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \ + tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \ tls_server.c tls.c libtls_la_LIBADD = \ @@ -18,5 +19,7 @@ tls_includedir = ${dev_headers}/tls nobase_tls_include_HEADERS = \ tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \ tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \ - tls_server.h tls_handshake.h tls_application.h tls.h + tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h endif + +SUBDIRS = . tests diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index 87ae2a63d..b6abd1eac 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in @@ -134,6 +134,7 @@ libtls_la_DEPENDENCIES = \ am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \ tls_fragmentation.lo tls_alert.lo tls_crypto.lo tls_prf.lo \ tls_socket.lo tls_eap.lo tls_cache.lo tls_peer.lo \ + tls_aead_expl.lo tls_aead_impl.lo tls_aead_null.lo tls_aead.lo \ tls_server.lo tls.lo libtls_la_OBJECTS = $(am_libtls_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -176,6 +177,14 @@ am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(libtls_la_SOURCES) DIST_SOURCES = $(libtls_la_SOURCES) +RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ + ctags-recursive dvi-recursive html-recursive info-recursive \ + install-data-recursive install-dvi-recursive \ + install-exec-recursive install-html-recursive \ + install-info-recursive install-pdf-recursive \ + install-ps-recursive install-recursive installcheck-recursive \ + installdirs-recursive pdf-recursive ps-recursive \ + tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -184,8 +193,17 @@ am__can_run_installinfo = \ am__nobase_tls_include_HEADERS_DIST = tls_protection.h \ tls_compression.h tls_fragmentation.h tls_alert.h tls_crypto.h \ tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \ - tls_server.h tls_handshake.h tls_application.h tls.h + tls_server.h tls_handshake.h tls_application.h tls_aead.h \ + tls.h HEADERS = $(nobase_tls_include_HEADERS) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +am__recursive_targets = \ + $(RECURSIVE_TARGETS) \ + $(RECURSIVE_CLEAN_TARGETS) \ + $(am__extra_recursive_targets) +AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ + distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -205,7 +223,33 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ @@ -375,7 +419,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -425,6 +468,7 @@ ipseclib_LTLIBRARIES = libtls.la libtls_la_SOURCES = \ tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \ tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \ + tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \ tls_server.c tls.c libtls_la_LIBADD = \ @@ -434,9 +478,10 @@ libtls_la_LIBADD = \ @USE_DEV_HEADERS_TRUE@nobase_tls_include_HEADERS = \ @USE_DEV_HEADERS_TRUE@ tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \ @USE_DEV_HEADERS_TRUE@ tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \ -@USE_DEV_HEADERS_TRUE@ tls_server.h tls_handshake.h tls_application.h tls.h +@USE_DEV_HEADERS_TRUE@ tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h -all: all-am +SUBDIRS = . tests +all: all-recursive .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -516,6 +561,10 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_aead.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_aead_expl.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_aead_impl.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_aead_null.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_alert.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_cache.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_compression.Plo@am__quote@ @@ -582,14 +631,61 @@ uninstall-nobase_tls_includeHEADERS: $(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \ dir='$(DESTDIR)$(tls_includedir)'; $(am__uninstall_files_from_dir) +# This directory's subdirectories are mostly independent; you can cd +# into them and run 'make' without going through this Makefile. +# To change the values of 'make' variables: instead of editing Makefiles, +# (1) if the variable is set in 'config.status', edit 'config.status' +# (which will cause the Makefiles to be regenerated when you run 'make'); +# (2) otherwise, pass the desired values on the 'make' command line. +$(am__recursive_targets): + @fail=; \ + if $(am__make_keepgoing); then \ + failcom='fail=yes'; \ + else \ + failcom='exit 1'; \ + fi; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique -tags: tags-am +tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! -f $$subdir/TAGS || \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ @@ -602,7 +698,7 @@ tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $$unique; \ fi; \ fi -ctags: ctags-am +ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) @@ -615,7 +711,7 @@ GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" -cscopelist: cscopelist-am +cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ @@ -664,22 +760,48 @@ distdir: $(DISTFILES) || exit 1; \ fi; \ done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + $(am__make_dryrun) \ + || test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + am__skip_mode_fix=: \ + distdir) \ + || exit 1; \ + fi; \ + done check-am: all-am -check: check-am +check: check-recursive all-am: Makefile $(LTLIBRARIES) $(HEADERS) -installdirs: +installdirs: installdirs-recursive +installdirs-am: for dir in "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(tls_includedir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am -installcheck: installcheck-am +installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ @@ -701,92 +823,93 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -clean: clean-am +clean: clean-recursive clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \ mostlyclean-am -distclean: distclean-am +distclean: distclean-recursive -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags -dvi: dvi-am +dvi: dvi-recursive dvi-am: -html: html-am +html: html-recursive html-am: -info: info-am +info: info-recursive info-am: install-data-am: install-ipseclibLTLIBRARIES \ install-nobase_tls_includeHEADERS -install-dvi: install-dvi-am +install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: -install-html: install-html-am +install-html: install-html-recursive install-html-am: -install-info: install-info-am +install-info: install-info-recursive install-info-am: install-man: -install-pdf: install-pdf-am +install-pdf: install-pdf-recursive install-pdf-am: -install-ps: install-ps-am +install-ps: install-ps-recursive install-ps-am: installcheck-am: -maintainer-clean: maintainer-clean-am +maintainer-clean: maintainer-clean-recursive -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic -mostlyclean: mostlyclean-am +mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool -pdf: pdf-am +pdf: pdf-recursive pdf-am: -ps: ps-am +ps: ps-recursive ps-am: uninstall-am: uninstall-ipseclibLTLIBRARIES \ uninstall-nobase_tls_includeHEADERS -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ - clean-ipseclibLTLIBRARIES clean-libtool cscopelist-am ctags \ - ctags-am distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-ipseclibLTLIBRARIES install-man \ +.MAKE: $(am__recursive_targets) install-am install-strip + +.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ + check-am clean clean-generic clean-ipseclibLTLIBRARIES \ + clean-libtool cscopelist-am ctags ctags-am distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am \ + install-ipseclibLTLIBRARIES install-man \ install-nobase_tls_includeHEADERS install-pdf install-pdf-am \ install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ + installcheck-am installdirs installdirs-am maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am \ diff --git a/src/libtls/tests/Makefile.am b/src/libtls/tests/Makefile.am new file mode 100644 index 000000000..1c0e2f941 --- /dev/null +++ b/src/libtls/tests/Makefile.am @@ -0,0 +1,22 @@ +TESTS = tls_tests + +check_PROGRAMS = $(TESTS) + +tls_tests_SOURCES = \ + suites/test_socket.c \ + suites/test_suites.c \ + tls_tests.h tls_tests.c + +tls_tests_CFLAGS = \ + -I$(top_srcdir)/src/libtls \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ + @COVERAGE_CFLAGS@ + +tls_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +tls_tests_LDADD = \ + $(top_builddir)/src/libtls/libtls.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in new file mode 100644 index 000000000..0b8ba33c4 --- /dev/null +++ b/src/libtls/tests/Makefile.in @@ -0,0 +1,872 @@ +# Makefile.in generated by automake 1.13.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +TESTS = tls_tests$(EXEEXT) +check_PROGRAMS = $(am__EXEEXT_1) +subdir = src/libtls/tests +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/depcomp +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__EXEEXT_1 = tls_tests$(EXEEXT) +am__dirstamp = $(am__leading_dot)dirstamp +am_tls_tests_OBJECTS = suites/tls_tests-test_socket.$(OBJEXT) \ + suites/tls_tests-test_suites.$(OBJEXT) \ + tls_tests-tls_tests.$(OBJEXT) +tls_tests_OBJECTS = $(am_tls_tests_OBJECTS) +tls_tests_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +tls_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(tls_tests_CFLAGS) \ + $(CFLAGS) $(tls_tests_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(tls_tests_SOURCES) +DIST_SOURCES = $(tls_tests_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red='[0;31m'; \ + grn='[0;32m'; \ + lgn='[1;32m'; \ + blu='[1;34m'; \ + mgn='[0;35m'; \ + brg='[1m'; \ + std='[m'; \ + fi; \ +} +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +tls_tests_SOURCES = \ + suites/test_socket.c \ + suites/test_suites.c \ + tls_tests.h tls_tests.c + +tls_tests_CFLAGS = \ + -I$(top_srcdir)/src/libtls \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ + @COVERAGE_CFLAGS@ + +tls_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +tls_tests_LDADD = \ + $(top_builddir)/src/libtls/libtls.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libtls/tests/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libtls/tests/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +suites/$(am__dirstamp): + @$(MKDIR_P) suites + @: > suites/$(am__dirstamp) +suites/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) suites/$(DEPDIR) + @: > suites/$(DEPDIR)/$(am__dirstamp) +suites/tls_tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) +suites/tls_tests-test_suites.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) + +tls_tests$(EXEEXT): $(tls_tests_OBJECTS) $(tls_tests_DEPENDENCIES) $(EXTRA_tls_tests_DEPENDENCIES) + @rm -f tls_tests$(EXEEXT) + $(AM_V_CCLD)$(tls_tests_LINK) $(tls_tests_OBJECTS) $(tls_tests_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + -rm -f suites/*.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_tests-tls_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tls_tests-test_socket.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tls_tests-test_suites.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +suites/tls_tests-test_socket.o: suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_socket.Tpo -c -o suites/tls_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_socket.Tpo suites/$(DEPDIR)/tls_tests-test_socket.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tls_tests-test_socket.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c + +suites/tls_tests-test_socket.obj: suites/test_socket.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_socket.Tpo -c -o suites/tls_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_socket.Tpo suites/$(DEPDIR)/tls_tests-test_socket.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tls_tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi` + +suites/tls_tests-test_suites.o: suites/test_suites.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_suites.o -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_suites.Tpo -c -o suites/tls_tests-test_suites.o `test -f 'suites/test_suites.c' || echo '$(srcdir)/'`suites/test_suites.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_suites.Tpo suites/$(DEPDIR)/tls_tests-test_suites.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_suites.c' object='suites/tls_tests-test_suites.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_suites.o `test -f 'suites/test_suites.c' || echo '$(srcdir)/'`suites/test_suites.c + +suites/tls_tests-test_suites.obj: suites/test_suites.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT suites/tls_tests-test_suites.obj -MD -MP -MF suites/$(DEPDIR)/tls_tests-test_suites.Tpo -c -o suites/tls_tests-test_suites.obj `if test -f 'suites/test_suites.c'; then $(CYGPATH_W) 'suites/test_suites.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_suites.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tls_tests-test_suites.Tpo suites/$(DEPDIR)/tls_tests-test_suites.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_suites.c' object='suites/tls_tests-test_suites.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o suites/tls_tests-test_suites.obj `if test -f 'suites/test_suites.c'; then $(CYGPATH_W) 'suites/test_suites.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_suites.c'; fi` + +tls_tests-tls_tests.o: tls_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT tls_tests-tls_tests.o -MD -MP -MF $(DEPDIR)/tls_tests-tls_tests.Tpo -c -o tls_tests-tls_tests.o `test -f 'tls_tests.c' || echo '$(srcdir)/'`tls_tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_tests-tls_tests.Tpo $(DEPDIR)/tls_tests-tls_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tls_tests.c' object='tls_tests-tls_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o tls_tests-tls_tests.o `test -f 'tls_tests.c' || echo '$(srcdir)/'`tls_tests.c + +tls_tests-tls_tests.obj: tls_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -MT tls_tests-tls_tests.obj -MD -MP -MF $(DEPDIR)/tls_tests-tls_tests.Tpo -c -o tls_tests-tls_tests.obj `if test -f 'tls_tests.c'; then $(CYGPATH_W) 'tls_tests.c'; else $(CYGPATH_W) '$(srcdir)/tls_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tls_tests-tls_tests.Tpo $(DEPDIR)/tls_tests-tls_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tls_tests.c' object='tls_tests-tls_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tls_tests_CFLAGS) $(CFLAGS) -c -o tls_tests-tls_tests.obj `if test -f 'tls_tests.c'; then $(CYGPATH_W) 'tls_tests.c'; else $(CYGPATH_W) '$(srcdir)/tls_tests.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + $(am__tty_colors); \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + col=$$red; res=XPASS; \ + ;; \ + *) \ + col=$$grn; res=PASS; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + col=$$lgn; res=XFAIL; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + col=$$red; res=FAIL; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + col=$$blu; res=SKIP; \ + fi; \ + echo "$${col}$$res$${std}: $$tst"; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + if test "$$failed" -eq 0; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + fi; \ + echo "$${col}$$dashes$${std}"; \ + echo "$${col}$$banner$${std}"; \ + test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \ + test -z "$$report" || echo "$${col}$$report$${std}"; \ + echo "$${col}$$dashes$${std}"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f suites/$(DEPDIR)/$(am__dirstamp) + -rm -f suites/$(am__dirstamp) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) suites/$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ + clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c new file mode 100644 index 000000000..42a4607b7 --- /dev/null +++ b/src/libtls/tests/suites/test_socket.c @@ -0,0 +1,524 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <test_suite.h> + +#include <unistd.h> +#include <errno.h> + +#include <processing/jobs/callback_job.h> +#include <credentials/sets/mem_cred.h> + +#include "tls_socket.h" + +/** + * Credentials for authentication + */ +static mem_cred_t *creds; + +/** + * RSA private key, 2048 bit + */ +static char rsa[] = { + 0x30,0x82,0x04,0xa4,0x02,0x01,0x00,0x02,0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc, + 0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18,0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7, + 0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea,0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49, + 0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a,0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e, + 0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59,0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40, + 0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39,0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad, + 0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc,0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30, + 0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16,0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74, + 0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6,0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7, + 0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7,0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89, + 0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6,0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91, + 0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25,0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3, + 0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f,0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6, + 0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc,0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb, + 0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a,0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57, + 0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3,0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed, + 0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0,0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00, + 0x01,0x02,0x82,0x01,0x01,0x00,0xd9,0x5b,0x99,0x74,0x80,0xb4,0x57,0xcc,0x82,0x2a, + 0x17,0x66,0x1d,0x3c,0xde,0xea,0xbd,0x11,0x40,0x03,0x62,0x47,0xe3,0xe5,0x2c,0x6b, + 0x65,0x67,0x0f,0x0b,0x96,0x13,0x83,0x4c,0x71,0x58,0xfa,0xfe,0xe6,0xe9,0x37,0xeb, + 0x98,0x51,0x73,0x48,0xcc,0xf9,0xe1,0x46,0x5b,0xfe,0x16,0xe1,0xc0,0xa5,0x75,0xf3, + 0x4d,0x30,0x84,0x14,0x15,0x04,0x6f,0x3e,0xa3,0x03,0xbd,0xba,0x4f,0x5a,0x71,0xe9, + 0x26,0xbf,0x5d,0x7a,0x93,0x22,0x98,0xb5,0xcf,0x51,0xc3,0xc7,0x51,0xb8,0x59,0x0a, + 0xfb,0xd7,0xe5,0xa8,0x1d,0x0f,0x5c,0xfd,0x30,0x0e,0x71,0xd7,0x79,0xc4,0x60,0x55, + 0x9e,0x1e,0x1c,0x0b,0x9a,0x40,0xb8,0x7a,0x8d,0xb2,0xec,0xb0,0x70,0x8a,0x19,0x5f, + 0x1d,0x2e,0xde,0x90,0x8f,0x68,0x56,0x08,0xce,0x0c,0x08,0xde,0xc7,0xf8,0x13,0xef, + 0xd2,0xbc,0x92,0xb6,0xfb,0xec,0xb6,0x04,0xf6,0x8f,0x7d,0x95,0xe9,0xeb,0xc7,0xfb, + 0xcc,0x4f,0xad,0x41,0xf1,0x4c,0x79,0x07,0xdd,0x4b,0x40,0xb4,0x74,0x44,0x9a,0x06, + 0x0a,0x0f,0xb2,0xda,0x12,0x46,0xe5,0xee,0x01,0x64,0xe5,0xf0,0x82,0x69,0xf9,0xf1, + 0xe9,0x41,0x13,0x5a,0xee,0xc0,0x37,0x9a,0xbe,0x9a,0x9a,0x06,0x4b,0x52,0xd6,0xf3, + 0x1b,0x30,0x64,0x93,0x3a,0x97,0xe1,0xdc,0x50,0x1f,0x46,0xc4,0x81,0x6a,0x17,0x52, + 0x49,0x85,0xc6,0x85,0xb7,0x60,0xd4,0xf0,0xd1,0x6a,0xeb,0x50,0x8c,0xb7,0xeb,0x1f, + 0x17,0x0e,0xf0,0xfd,0x67,0x03,0x7c,0x74,0x1a,0xac,0x66,0x81,0x00,0x45,0x5e,0xf3, + 0xd9,0x9d,0x22,0x99,0xc4,0x11,0x02,0x81,0x81,0x00,0xfa,0x44,0x32,0x14,0xb2,0x82, + 0x28,0x02,0x46,0x05,0xdd,0x8d,0xb1,0x9f,0x9e,0x6f,0x61,0xf2,0x01,0xa0,0x2b,0x76, + 0xee,0x46,0xaa,0x2d,0x2d,0x5b,0xd2,0x67,0x90,0x36,0xbb,0xa0,0x07,0xdf,0x9b,0xad, + 0x18,0x1e,0xa7,0xe6,0x36,0xc6,0x49,0xda,0xc5,0x0d,0x52,0x29,0x5a,0x40,0xcf,0xdf, + 0x8d,0xd0,0xa3,0xc2,0x34,0x17,0x9f,0xb5,0xf1,0x67,0xac,0x29,0x10,0xc2,0x5c,0x62, + 0xe3,0xe2,0x5c,0x9f,0x93,0xcc,0xb5,0xeb,0x16,0x64,0x44,0x9f,0x6b,0x5a,0xac,0x19, + 0x09,0xff,0x4b,0x78,0x7f,0xec,0x5a,0xbd,0xe9,0xcb,0x74,0xbb,0x30,0x13,0xc5,0x25, + 0x8b,0xac,0x8d,0xf9,0xa9,0x99,0x25,0xf5,0xce,0x07,0xb6,0x2b,0x1b,0x42,0xed,0x3a, + 0x30,0x4a,0xfc,0x5f,0xf0,0xe2,0x26,0xa6,0x60,0x5d,0x02,0x81,0x81,0x00,0xf4,0x1a, + 0xc2,0x7e,0xa0,0xa0,0xad,0x20,0x65,0x04,0xe8,0xf7,0xb0,0xb1,0x76,0x79,0x08,0x18, + 0x58,0x93,0x21,0xf1,0x56,0x58,0x58,0x18,0x4a,0x5c,0x59,0x08,0x27,0x64,0x09,0xcb, + 0x0b,0x0b,0x4e,0x26,0xc8,0x0b,0x87,0x67,0x40,0xc1,0xab,0x31,0x60,0xa6,0x78,0xdd, + 0x78,0xc8,0x86,0x38,0xbd,0x19,0xde,0x0b,0x70,0x72,0xec,0x36,0x88,0x39,0x69,0x70, + 0xda,0xa6,0x2e,0xf9,0x5c,0xd8,0x17,0xc5,0xfa,0xf8,0xa5,0xc9,0x9b,0xf0,0xfe,0x03, + 0x71,0x57,0xfa,0x58,0x0f,0x33,0xc3,0xab,0xce,0xb0,0x5d,0xd0,0x40,0x07,0x9a,0x0b, + 0xff,0xb9,0xaa,0x9d,0xc5,0x33,0x7f,0x5f,0x48,0x7e,0x54,0x82,0xd1,0xdf,0x75,0x69, + 0xee,0xe5,0xf5,0x80,0x44,0xce,0x52,0x72,0x14,0x2c,0xe6,0xa7,0xd5,0x8d,0x02,0x81, + 0x81,0x00,0xb8,0xf7,0x70,0x20,0x35,0xf2,0xd6,0x89,0x1f,0xa1,0xb4,0x26,0xc6,0x51, + 0xd7,0xb2,0x30,0xac,0xc1,0xa0,0xd4,0x9e,0xf8,0xea,0x87,0x5a,0x0e,0x7d,0x1f,0xdb, + 0xe5,0x0d,0x5e,0xcc,0x9f,0x25,0x18,0x14,0xed,0x8f,0xb2,0xbe,0x06,0x5b,0xb5,0x38, + 0x18,0x8d,0x88,0xdd,0x01,0x54,0x87,0x8e,0x8d,0x6c,0xd7,0xab,0x6f,0xfe,0xc9,0xce, + 0x9a,0x15,0xea,0x7b,0x0b,0x64,0xeb,0x0d,0x37,0xaa,0x14,0x94,0xe8,0x92,0xd3,0x1d, + 0x66,0x16,0x43,0x55,0xa3,0xed,0x86,0xe6,0x96,0xa9,0xf5,0xe8,0xa0,0x7b,0x5a,0x71, + 0xa4,0x7a,0xf7,0xd2,0x65,0x6d,0x27,0x37,0x61,0xac,0xed,0xdd,0xc9,0x08,0x64,0xb2, + 0xf0,0x4c,0x68,0xca,0x21,0x42,0xec,0xbc,0x25,0xf7,0x35,0xe1,0xde,0xd1,0xf6,0x88, + 0xdf,0x0d,0x02,0x81,0x80,0x44,0xb0,0xcb,0x0e,0x6b,0x11,0x0b,0xe6,0xd3,0xc6,0x7f, + 0xf0,0x43,0x6e,0x8c,0xd2,0x1e,0x2f,0x0b,0xad,0xcb,0x9d,0x68,0x18,0xd0,0x21,0x75, + 0xbb,0x6a,0xea,0x5a,0x7b,0x52,0x2e,0x2a,0xdb,0x71,0x90,0x84,0x36,0x8a,0x51,0xc9, + 0xed,0x35,0xc9,0x5d,0x53,0x3b,0x2b,0xc7,0x73,0x56,0x21,0xdd,0x44,0xcc,0x31,0x17, + 0xe1,0x9f,0x0a,0xf1,0x66,0x86,0x7f,0x55,0x67,0xf2,0x4c,0x05,0x8e,0x61,0x92,0x3a, + 0xbf,0x81,0x97,0xac,0x24,0x32,0xb6,0xb1,0x4c,0x7a,0x8c,0x11,0x2b,0x15,0xe2,0xe0, + 0xf4,0xcc,0x51,0x6f,0xd3,0x33,0xcc,0x30,0x98,0x04,0xa5,0x04,0xfb,0x2a,0xda,0x9b, + 0x41,0xc1,0x72,0x56,0xb0,0xb5,0x0f,0xac,0x44,0x55,0xc3,0x54,0x99,0x62,0xa5,0xeb, + 0x7b,0x7f,0x24,0xb7,0x79,0x02,0x81,0x80,0x0a,0x3b,0x9b,0x91,0x1d,0x9b,0x04,0x4e, + 0xdf,0xd9,0xe6,0x47,0xf3,0x79,0xb7,0x17,0xcf,0x42,0xa5,0xde,0x94,0xf0,0xfe,0xed, + 0x46,0xf6,0xaf,0x3e,0x6c,0x91,0x01,0x89,0x79,0x81,0xea,0x2b,0x82,0x68,0x0e,0xd8, + 0x25,0xaf,0x79,0x8b,0x14,0xfd,0xf2,0x29,0x20,0x34,0x2d,0x0b,0x08,0x8c,0x3b,0x2b, + 0xfc,0x75,0xe9,0x4e,0x21,0xa6,0xb2,0x35,0x67,0x8d,0x4c,0x90,0x94,0x02,0xd5,0x32, + 0x23,0xc6,0xa0,0x92,0x2e,0xfa,0x97,0x48,0x5b,0x95,0xc3,0xf1,0xbc,0x6b,0xe8,0x4c, + 0x92,0x6f,0x5e,0x3d,0xf9,0xbd,0x2c,0xf0,0x83,0x1c,0xe6,0xb3,0x45,0x68,0x32,0x8d, + 0x85,0x20,0xcb,0x9d,0xd2,0x30,0x5a,0x57,0xa4,0x6e,0x27,0xb5,0x29,0x14,0xdb,0xf1, + 0x4b,0x9a,0xc3,0xc1,0xc5,0x37,0x6d,0x1b, +}; + +/** + * ECDSA private key + */ +static char ecdsa[] = { + 0x30,0x81,0xa4,0x02,0x01,0x01,0x04,0x30,0xc0,0x1f,0xfd,0x65,0xc6,0xc4,0x4c,0xb8, + 0xff,0x56,0x08,0xb5,0xbd,0xb8,0xf5,0x93,0xf7,0x51,0x0e,0x92,0x1f,0x06,0xbf,0xa6, + 0xd9,0x1d,0xae,0xa3,0x16,0x0d,0x0f,0xc9,0xd5,0x97,0x90,0x46,0xf1,0x98,0xa8,0x18, + 0x07,0xba,0xcf,0x91,0x8e,0x07,0xed,0x88,0xa0,0x07,0x06,0x05,0x2b,0x81,0x04,0x00, + 0x22,0xa1,0x64,0x03,0x62,0x00,0x04,0xd6,0xba,0xe1,0xf0,0x09,0x22,0x21,0x12,0x69, + 0xed,0x0e,0xd5,0x02,0x8c,0xb8,0x52,0xbb,0x57,0x68,0x0e,0xf3,0xdb,0xb9,0xb1,0xee, + 0x9c,0x67,0xa0,0xb8,0xdc,0x13,0x1e,0x5b,0x44,0x71,0x04,0xef,0x4e,0xe3,0xdd,0xf4, + 0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3,0x5b,0xe6,0xde,0x0a, + 0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e,0x5b,0x57,0xb0,0x01, + 0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d,0x9a,0x1c,0x52,0x09, + 0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97, +}; + +/** + * TLS certificate for RSA key + */ +static char rsa_crt[] = { + 0x30,0x82,0x03,0x1f,0x30,0x82,0x02,0x07,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xf0,0xbb,0xac,0xc3,0xa1,0x6b,0xf3,0x1c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86, + 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13, + 0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x10,0x30,0x0e,0x06, + 0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,0x72,0x73,0x61,0x30,0x1e,0x17, + 0x0d,0x31,0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x17,0x0d, + 0x31,0x37,0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x30,0x34,0x31, + 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11, + 0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61, + 0x6e,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d, + 0x72,0x73,0x61,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7, + 0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02, + 0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc,0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18, + 0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7,0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea, + 0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49,0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a, + 0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e,0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59, + 0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40,0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39, + 0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad,0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc, + 0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30,0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16, + 0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74,0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6, + 0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7,0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7, + 0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89,0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6, + 0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91,0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25, + 0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3,0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f, + 0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6,0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc, + 0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb,0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a, + 0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57,0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3, + 0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed,0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0, + 0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00,0x01,0xa3,0x34,0x30,0x32,0x30,0x1f,0x06, + 0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x96,0x0e,0xc8,0xd3,0xb3,0x3f, + 0xd1,0x11,0xb6,0x36,0x70,0xdb,0x37,0x98,0x3c,0xab,0x69,0x03,0x69,0x56,0x30,0x0f, + 0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,0x01,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0x94,0x1d,0x08,0xda,0x7b,0xc4,0xa3,0xf4,0x40,0x54,0xae,0x45,0x6a, + 0xb3,0x62,0xb6,0x0b,0x35,0xc7,0x5f,0xed,0xb9,0x42,0x33,0xd5,0x32,0x80,0x23,0x76, + 0x87,0xae,0x59,0xbb,0x77,0x00,0xc4,0xbf,0x60,0x3b,0x9b,0x04,0x46,0x52,0xde,0x9f, + 0x16,0xc6,0x96,0x5e,0x7a,0xb5,0xbb,0x49,0x6a,0x89,0x4a,0x60,0x0b,0x85,0x15,0xec, + 0xbb,0x83,0x79,0x01,0xfa,0x3c,0xd5,0x1e,0x6a,0x75,0xe7,0x93,0xc9,0xc4,0xbb,0xea, + 0xad,0xa2,0x23,0x32,0xc5,0x57,0x4c,0x41,0xb2,0x41,0x91,0x53,0x5e,0xaf,0x98,0x83, + 0xcb,0x6b,0xa8,0x2f,0xc8,0x06,0x16,0x18,0x5a,0x75,0xe1,0xee,0xac,0xc0,0x28,0x08, + 0x0a,0x09,0xd1,0x03,0xba,0x65,0xf1,0x89,0xcc,0x63,0x6f,0xb2,0x70,0xdc,0x46,0x2b, + 0x62,0x5b,0x64,0xd4,0x7a,0xc4,0x12,0xe2,0x88,0x3a,0x54,0x0a,0xf5,0x1e,0x1c,0x9e, + 0x9a,0xb2,0x62,0xf9,0xd3,0x02,0xf0,0xc1,0xf0,0x7b,0x4d,0xf3,0x44,0xd8,0x3c,0x13, + 0x1d,0xfc,0x78,0xa3,0x54,0x68,0xce,0x43,0x31,0x78,0x58,0x2f,0x5d,0xb8,0xa7,0xff, + 0x54,0xae,0x6e,0x25,0xd7,0x40,0x6c,0x59,0x7b,0x5f,0x18,0x31,0xe9,0xfc,0x53,0x34, + 0xb2,0xb0,0x18,0xd4,0x2c,0x85,0x9d,0xad,0x2d,0xd2,0x05,0x5d,0x2e,0x47,0xee,0x09, + 0x3d,0x05,0x2e,0x46,0x66,0xea,0x09,0xb2,0x81,0xd3,0x9b,0x28,0xbf,0xf9,0x9c,0x54, + 0x98,0xb7,0x2d,0x38,0xd8,0xae,0x03,0x70,0xae,0x1e,0xd4,0xa9,0xb7,0x2e,0xdb,0x02, + 0x6a,0x84,0x0f,0x6c,0xe8,0xb8,0x25,0x73,0x84,0x13,0x9f,0x34,0x24,0xb8,0xfc,0x96, + 0x4c,0x91,0xfa, +}; + +/** + * TLS certificate for ECDSA key + */ +static char ecdsa_crt[] = { + 0x30,0x82,0x01,0xd3,0x30,0x82,0x01,0x59,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xaa,0x92,0xf5,0x39,0x85,0xf5,0xd5,0xa3,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce, + 0x3d,0x04,0x01,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72, + 0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03, + 0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,0x64,0x73,0x61,0x30,0x1e,0x17,0x0d,0x31, + 0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x17,0x0d,0x31,0x37, + 0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x30,0x36,0x31,0x0b,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31, + 0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63, + 0x64,0x73,0x61,0x30,0x76,0x30,0x10,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01, + 0x06,0x05,0x2b,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0xd6,0xba,0xe1,0xf0,0x09, + 0x22,0x21,0x12,0x69,0xed,0x0e,0xd5,0x02,0x8c,0xb8,0x52,0xbb,0x57,0x68,0x0e,0xf3, + 0xdb,0xb9,0xb1,0xee,0x9c,0x67,0xa0,0xb8,0xdc,0x13,0x1e,0x5b,0x44,0x71,0x04,0xef, + 0x4e,0xe3,0xdd,0xf4,0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3, + 0x5b,0xe6,0xde,0x0a,0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e, + 0x5b,0x57,0xb0,0x01,0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d, + 0x9a,0x1c,0x52,0x09,0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97,0xa3,0x34,0x30,0x32,0x30, + 0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4f,0x1e,0x5d,0x94, + 0x85,0xe2,0xbc,0x86,0x0e,0x80,0xce,0x17,0x92,0x42,0xb4,0xb8,0x19,0x67,0xb8,0xfe, + 0x30,0x0f,0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00, + 0x01,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x04,0x01,0x03,0x69,0x00,0x30, + 0x66,0x02,0x31,0x00,0xdc,0x6e,0x3b,0xe4,0x9f,0x36,0xa5,0xa8,0x88,0x8d,0xcf,0x2d, + 0xa1,0x6e,0x33,0x68,0x73,0xd6,0x6a,0xd6,0x1d,0x00,0xe5,0x5c,0x76,0x09,0x5e,0xe9, + 0x7a,0x3a,0x00,0x5e,0xbc,0xef,0x0d,0x8d,0x95,0x5c,0x2b,0xfc,0xa4,0xe3,0xe3,0xcf, + 0x74,0x95,0x00,0x21,0x02,0x31,0x00,0x8f,0x40,0x3e,0xfc,0xe9,0xae,0x17,0x9b,0x36, + 0x39,0xe2,0x79,0xa5,0x7b,0x5d,0xe3,0xe0,0x84,0x68,0x7e,0x00,0x57,0xbe,0x4d,0xe3, + 0x0e,0xff,0x20,0x9c,0xce,0xd1,0x43,0x76,0x00,0x6e,0x59,0x7b,0xac,0x94,0x05,0xef, + 0xed,0xca,0x8b,0xe5,0x7f,0xa5,0xd7, +}; + +START_SETUP(setup_creds) +{ + private_key_t *key; + certificate_t *cert; + + creds = mem_cred_create(); + + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_BLOB, chunk_from_thing(rsa), BUILD_END); + if (key) + { + creds->add_key(creds, key); + } + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, + BUILD_BLOB, chunk_from_thing(ecdsa), BUILD_END); + if (key) + { + creds->add_key(creds, key); + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB, chunk_from_thing(rsa_crt), BUILD_END); + if (cert) + { + creds->add_cert(creds, TRUE, cert); + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB, chunk_from_thing(ecdsa_crt), BUILD_END); + if (cert) + { + creds->add_cert(creds, TRUE, cert); + } + + lib->credmgr->add_set(lib->credmgr, &creds->set); +} +END_SETUP + +START_TEARDOWN(teardown_creds) +{ + lib->credmgr->remove_set(lib->credmgr, &creds->set); + creds->destroy(creds); +} +END_TEARDOWN + +/** + * Configuration for an echo server + */ +typedef struct { + tls_version_t version; + u_int16_t port; + char *addr; + chunk_t data; + int fd; + bool cauth; +} echo_server_config_t; + +/** + * Run an echo server + */ +static job_requeue_t serve_echo(echo_server_config_t *config) +{ + tls_socket_t *tls; + int sfd, cfd; + identification_t *server, *client = NULL; + ssize_t len, total, done; + char buf[128]; + + server = identification_create_from_string(config->addr); + if (config->cauth) + { + client = server; + } + sfd = config->fd; + while (TRUE) + { + cfd = accept(sfd, NULL, NULL); + if (cfd < 0) + { + break; + } + + tls = tls_socket_create(TRUE, server, client, cfd, NULL, + config->version, TRUE); + ck_assert(tls != NULL); + + while (TRUE) + { + len = tls->read(tls, buf, sizeof(buf), TRUE); + if (len <= 0) + { + break; + } + total = 0; + while (total < len) + { + done = tls->write(tls, buf + total, len - total); + ck_assert_msg(done > 0, "%s", strerror(errno)); + total += done; + } + } + + tls->destroy(tls); + close(cfd); + } + server->destroy(server); + + return JOB_REQUEUE_NONE; +} + +/** + * Start a echo server using config + */ +static void start_echo_server(echo_server_config_t *config) +{ + host_t *host; + int on = 1; + + host = host_create_from_string(config->addr, config->port); + + config->fd = socket(AF_INET, SOCK_STREAM, 0); + ck_assert(config->fd != -1); + ck_assert(setsockopt(config->fd, SOL_SOCKET, SO_REUSEADDR, + (void*)&on, sizeof(on)) != -1); + ck_assert_msg(bind(config->fd, host->get_sockaddr(host), + *host->get_sockaddr_len(host)) != -1, "%s", strerror(errno)); + host->destroy(host); + ck_assert(listen(config->fd, 1) != -1); + + lib->processor->set_threads(lib->processor, 8); + + lib->processor->queue_job(lib->processor, (job_t*) + callback_job_create((void*)serve_echo, config, NULL, NULL)); +} + +/** + * Run client to perform echo test + */ +static void run_echo_client(echo_server_config_t *config) +{ + tls_socket_t *tls; + ssize_t len, rd, wr; + int fd; + host_t *host; + identification_t *server, *client = NULL; + char buf[128]; + + host = host_create_from_string(config->addr, config->port); + server = identification_create_from_string(config->addr); + if (config->cauth) + { + client = server; + } + + fd = socket(AF_INET, SOCK_STREAM, 0); + ck_assert(fd != -1); + ck_assert(connect(fd, host->get_sockaddr(host), + *host->get_sockaddr_len(host)) != -1); + tls = tls_socket_create(FALSE, server, client, fd, NULL, + config->version, TRUE); + ck_assert(tls != NULL); + + wr = rd = 0; + while (rd < config->data.len) + { + len = tls->write(tls, config->data.ptr + wr, config->data.len - wr); + ck_assert(len >= 0); + wr += len; + + len = tls->read(tls, buf, sizeof(buf), FALSE); + if (len == -1 && errno == EWOULDBLOCK) + { + continue; + } + if (len == 0) + { + ck_assert_int_eq(rd, config->data.len); + break; + } + ck_assert(len > 0); + ck_assert(rd + len <= config->data.len); + ck_assert(memeq(buf, config->data.ptr + rd, len)); + rd += len; + } + + tls->destroy(tls); + close(fd); + host->destroy(host); + server->destroy(server); +} + +/** + * Common test wrapper function for different test variants + */ +static void test_tls(tls_version_t version, u_int16_t port, bool cauth, u_int i) +{ + echo_server_config_t *config; + tls_cipher_suite_t *suites; + char suite[128]; + int count; + + INIT(config, + .version = version, + .addr = "127.0.0.1", + .port = port, + .cauth = cauth, + .data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08), + ); + + start_echo_server(config); + + count = tls_crypto_get_supported_suites(TRUE, &suites); + + ck_assert(i < count); + snprintf(suite, sizeof(suite), "%N", tls_cipher_suite_names, suites[i]); + lib->settings->set_str(lib->settings, "%s.tls.suites", suite, lib->ns); + + run_echo_client(config); + + free(suites); + + shutdown(config->fd, SHUT_RDWR); + close(config->fd); + + free(config); +} + +START_TEST(test_tls12) +{ + test_tls(TLS_1_2, 5671, FALSE, _i); +} +END_TEST + +START_TEST(test_tls12_mutual) +{ + test_tls(TLS_1_2, 5672, TRUE, _i); +} +END_TEST + +START_TEST(test_tls11) +{ + test_tls(TLS_1_1, 5673, FALSE, _i); +} +END_TEST + +START_TEST(test_tls11_mutual) +{ + test_tls(TLS_1_1, 5674, TRUE, _i); +} +END_TEST + +START_TEST(test_tls10) +{ + test_tls(TLS_1_0, 5675, FALSE, _i); +} +END_TEST + +START_TEST(test_tls10_mutual) +{ + test_tls(TLS_1_0, 5676, TRUE, _i); +} +END_TEST + +Suite *socket_suite_create() +{ + Suite *s; + TCase *tc; + int count; + + count = tls_crypto_get_supported_suites(TRUE, NULL); + + s = suite_create("socket"); + + tc = tcase_create("TLS 1.2/anon"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls12, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.2/mutl"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls12_mutual, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.1/anon"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls11, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.1/mutl"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls11_mutual, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.0/anon"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls10, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.0/mutl"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls10_mutual, 0, count); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libtls/tests/suites/test_suites.c b/src/libtls/tests/suites/test_suites.c new file mode 100644 index 000000000..f8ae12eb3 --- /dev/null +++ b/src/libtls/tests/suites/test_suites.c @@ -0,0 +1,247 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <test_suite.h> + +#include <unistd.h> + +#include "tls_crypto.h" + +START_TEST(test_cipher_names) +{ + char buf[128]; + +#define CHECK_NAME(x) { \ + snprintf(buf, sizeof(buf), "%N", tls_cipher_suite_names, x); \ + ck_assert_str_eq(#x, buf); } + + CHECK_NAME(TLS_NULL_WITH_NULL_NULL); + CHECK_NAME(TLS_RSA_WITH_NULL_MD5); + CHECK_NAME(TLS_RSA_WITH_NULL_SHA); + CHECK_NAME(TLS_RSA_EXPORT_WITH_RC4_40_MD5); + CHECK_NAME(TLS_RSA_WITH_RC4_128_MD5); + CHECK_NAME(TLS_RSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5); + CHECK_NAME(TLS_RSA_WITH_IDEA_CBC_SHA); + CHECK_NAME(TLS_RSA_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DH_anon_EXPORT_WITH_RC4_40_MD5); + CHECK_NAME(TLS_DH_anon_WITH_RC4_128_MD5); + CHECK_NAME(TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_KRB5_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_KRB5_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_KRB5_WITH_RC4_128_SHA); + CHECK_NAME(TLS_KRB5_WITH_IDEA_CBC_SHA); + CHECK_NAME(TLS_KRB5_WITH_DES_CBC_MD5); + CHECK_NAME(TLS_KRB5_WITH_3DES_EDE_CBC_MD5); + CHECK_NAME(TLS_KRB5_WITH_RC4_128_MD5); + CHECK_NAME(TLS_KRB5_WITH_IDEA_CBC_MD5); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC4_40_SHA); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC4_40_MD5); + CHECK_NAME(TLS_PSK_WITH_NULL_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA); + CHECK_NAME(TLS_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_NULL_SHA256); + CHECK_NAME(TLS_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_RSA_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_PSK_WITH_RC4_128_SHA); + CHECK_NAME(TLS_PSK_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_PSK_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_PSK_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_RC4_128_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_RC4_128_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DH_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DH_DSS_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DH_anon_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_PSK_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_PSK_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_PSK_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_PSK_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_PSK_WITH_NULL_SHA256); + CHECK_NAME(TLS_PSK_WITH_NULL_SHA384); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA256); + CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA384); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA256); + CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA384); + CHECK_NAME(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_EMPTY_RENEGOTIATION_INFO_SCSV); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_ECDHE_PSK_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA256); + CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA384); +} +END_TEST + +Suite *suites_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("suites"); + + tc = tcase_create("cipher-names"); + tcase_add_test(tc, test_cipher_names); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libtls/tests/tls_tests.c b/src/libtls/tests/tls_tests.c new file mode 100644 index 000000000..2c2c5bacc --- /dev/null +++ b/src/libtls/tests/tls_tests.c @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <test_runner.h> + +/* declare test suite constructors */ +#define TEST_SUITE(x) test_suite_t* x(); +#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x) +#include "tls_tests.h" +#undef TEST_SUITE +#undef TEST_SUITE_DEPEND + +static test_configuration_t tests[] = { +#define TEST_SUITE(x) \ + { .suite = x, }, +#define TEST_SUITE_DEPEND(x, type, args) \ + { .suite = x, .feature = PLUGIN_DEPENDS(type, args) }, +#include "tls_tests.h" + { .suite = NULL, } +}; + +static bool test_runner_init(bool init) +{ + if (init) + { + plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS); + if (!lib->plugins->load(lib->plugins, PLUGINS)) + { + return FALSE; + } + } + else + { + lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); + lib->processor->set_threads(lib->processor, 0); + lib->processor->cancel(lib->processor); + lib->plugins->unload(lib->plugins); + } + return TRUE; +} + +int main(int argc, char *argv[]) +{ + return test_runner_run("libtls", tests, test_runner_init); +} diff --git a/src/libtls/tests/tls_tests.h b/src/libtls/tests/tls_tests.h new file mode 100644 index 000000000..489b2ddb1 --- /dev/null +++ b/src/libtls/tests/tls_tests.h @@ -0,0 +1,17 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +TEST_SUITE(socket_suite_create) +TEST_SUITE(suites_suite_create) diff --git a/src/libtls/tls.c b/src/libtls/tls.c index 6b51e7593..6e2955814 100644 --- a/src/libtls/tls.c +++ b/src/libtls/tls.c @@ -218,14 +218,7 @@ METHOD(tls_t, process, status_t, { if (this->input.len == 0) { - if (buflen < sizeof(tls_record_t)) - { - DBG2(DBG_TLS, "received incomplete TLS record header"); - memcpy(&this->head, buf, buflen); - this->headpos = buflen; - break; - } - while (TRUE) + while (buflen >= sizeof(tls_record_t)) { /* try to process records inline */ record = buf; @@ -252,6 +245,13 @@ METHOD(tls_t, process, status_t, return NEED_MORE; } } + if (buflen < sizeof(tls_record_t)) + { + DBG2(DBG_TLS, "received incomplete TLS record header"); + memcpy(&this->head, buf, buflen); + this->headpos = buflen; + break; + } } len = min(buflen, this->input.len - this->inpos); memcpy(this->input.ptr + this->inpos, buf, len); @@ -447,6 +447,7 @@ tls_t *tls_create(bool is_server, identification_t *server, case TLS_PURPOSE_EAP_TTLS: case TLS_PURPOSE_EAP_PEAP: case TLS_PURPOSE_GENERIC: + case TLS_PURPOSE_GENERIC_NULLOK: break; default: return NULL; diff --git a/src/libtls/tls.h b/src/libtls/tls.h index db332fbbf..fc1d9b9fd 100644 --- a/src/libtls/tls.h +++ b/src/libtls/tls.h @@ -107,6 +107,8 @@ enum tls_purpose_t { TLS_PURPOSE_EAP_PEAP, /** non-EAP TLS */ TLS_PURPOSE_GENERIC, + /** non-EAP TLS accepting NULL encryption */ + TLS_PURPOSE_GENERIC_NULLOK, /** EAP binding for TNC */ TLS_PURPOSE_EAP_TNC }; diff --git a/src/libtls/tls_aead.c b/src/libtls/tls_aead.c new file mode 100644 index 000000000..1d0779dc0 --- /dev/null +++ b/src/libtls/tls_aead.c @@ -0,0 +1,217 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_aead.h" + +#include <crypto/iv/iv_gen_rand.h> + +typedef struct private_tls_aead_t private_tls_aead_t; + +/** + * Private data of an tls_aead_t object. + */ +struct private_tls_aead_t { + + /** + * Public tls_aead_t interface. + */ + tls_aead_t public; + + /** + * AEAD transform + */ + aead_t *aead; + + /** + * Size of salt, the implicit nonce + */ + size_t salt; +}; + +/** + * Associated header data to create signature over + */ +typedef struct __attribute__((__packed__)) { + u_int64_t seq; + u_int8_t type; + u_int16_t version; + u_int16_t length; +} sigheader_t; + +METHOD(tls_aead_t, encrypt, bool, + private_tls_aead_t *this, tls_version_t version, tls_content_type_t type, + u_int64_t seq, chunk_t *data) +{ + chunk_t assoc, encrypted, iv, plain; + u_int8_t icvlen; + sigheader_t hdr; + iv_gen_t *gen; + + gen = this->aead->get_iv_gen(this->aead); + iv.len = this->aead->get_iv_size(this->aead); + icvlen = this->aead->get_icv_size(this->aead); + + encrypted = chunk_alloc(iv.len + data->len + icvlen); + iv.ptr = encrypted.ptr; + if (!gen->get_iv(gen, seq, iv.len, iv.ptr)) + { + chunk_free(&encrypted); + return FALSE; + } + memcpy(encrypted.ptr + iv.len, data->ptr, data->len); + plain = chunk_skip(encrypted, iv.len); + plain.len -= icvlen; + + hdr.type = type; + htoun64(&hdr.seq, seq); + htoun16(&hdr.version, version); + htoun16(&hdr.length, plain.len); + + assoc = chunk_from_thing(hdr); + if (!this->aead->encrypt(this->aead, plain, assoc, iv, NULL)) + { + return FALSE; + } + chunk_free(data); + *data = encrypted; + return TRUE; +} + +METHOD(tls_aead_t, decrypt, bool, + private_tls_aead_t *this, tls_version_t version, tls_content_type_t type, + u_int64_t seq, chunk_t *data) +{ + chunk_t assoc, iv; + u_int8_t icvlen; + sigheader_t hdr; + + iv.len = this->aead->get_iv_size(this->aead); + if (data->len < iv.len) + { + return FALSE; + } + iv.ptr = data->ptr; + *data = chunk_skip(*data, iv.len); + icvlen = this->aead->get_icv_size(this->aead); + if (data->len < icvlen) + { + return FALSE; + } + + hdr.type = type; + htoun64(&hdr.seq, seq); + htoun16(&hdr.version, version); + htoun16(&hdr.length, data->len - icvlen); + + assoc = chunk_from_thing(hdr); + if (!this->aead->decrypt(this->aead, *data, assoc, iv, NULL)) + { + return FALSE; + } + data->len -= icvlen; + return TRUE; +} + +METHOD(tls_aead_t, get_mac_key_size, size_t, + private_tls_aead_t *this) +{ + return 0; +} + +METHOD(tls_aead_t, get_encr_key_size, size_t, + private_tls_aead_t *this) +{ + return this->aead->get_key_size(this->aead) - this->salt; +} + +METHOD(tls_aead_t, get_iv_size, size_t, + private_tls_aead_t *this) +{ + return this->salt; +} + +METHOD(tls_aead_t, set_keys, bool, + private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv) +{ + chunk_t key; + + if (mac.len) + { + return FALSE; + } + key = chunk_cata("cc", encr, iv); + return this->aead->set_key(this->aead, key); +} + +METHOD(tls_aead_t, destroy, void, + private_tls_aead_t *this) +{ + this->aead->destroy(this->aead); + free(this); +} + +/** + * See header + */ +tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size) +{ + private_tls_aead_t *this; + size_t salt; + + switch (encr) + { + case ENCR_AES_GCM_ICV8: + case ENCR_AES_GCM_ICV12: + case ENCR_AES_GCM_ICV16: + case ENCR_AES_CCM_ICV8: + case ENCR_AES_CCM_ICV12: + case ENCR_AES_CCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: + salt = 4; + break; + default: + return NULL; + } + + INIT(this, + .public = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_mac_key_size = _get_mac_key_size, + .get_encr_key_size = _get_encr_key_size, + .get_iv_size = _get_iv_size, + .set_keys = _set_keys, + .destroy = _destroy, + }, + .aead = lib->crypto->create_aead(lib->crypto, encr, encr_size, salt), + .salt = salt, + ); + + if (!this->aead) + { + free(this); + return NULL; + } + + if (this->aead->get_block_size(this->aead) != 1) + { /* TLS does not define any padding scheme for AEAD */ + destroy(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libtls/tls_aead.h b/src/libtls/tls_aead.h new file mode 100644 index 000000000..1d5ba92b5 --- /dev/null +++ b/src/libtls/tls_aead.h @@ -0,0 +1,156 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tls_aead tls_aead + * @{ @ingroup tls + */ + +#ifndef TLS_AEAD_H_ +#define TLS_AEAD_H_ + +typedef struct tls_aead_t tls_aead_t; + +#include "tls.h" + +/** + * TLS specific AEAD interface, includes padding. + * + * As TLS uses sign-then-encrypt instead of the more modern encrypt-then-sign, + * we can't directly abstract traditional transforms using our aead_t interface. + * With traditional transforms, the AEAD operation has to manage padding, as + * the MAC is calculated over unpadded data. + */ +struct tls_aead_t { + + /** + * Encrypt and sign a TLS record. + * + * The plain data chunk gets freed on success, and the data chunk + * gets updated with a new allocation of the encrypted data. + * If next_iv is given, it must contain the IV for this operation. It + * gets updated to the IV for the next record. + * + * @param version TLS version + * @param type TLS content type + * @param seq record sequence number + * @param data data to encrypt, encryption result + * @return TRUE if successfully encrypted + */ + bool (*encrypt)(tls_aead_t *this, tls_version_t version, + tls_content_type_t type, u_int64_t seq, chunk_t *data); + + /** + * Decrypt and verify a TLS record. + * + * The passed encrypted data chunk gets updated to the decrypted record + * length, decryption is done inline. + * + * @param version TLS version + * @param type TLS content type + * @param seq record sequence number + * @param data data to decrypt, decrypted result + * @return TRUE if successfully decrypted + */ + bool (*decrypt)(tls_aead_t *this, tls_version_t version, + tls_content_type_t type, u_int64_t seq, chunk_t *data); + + /** + * Get the authentication key size. + * + * @return key size, in bytes, 0 if not used + */ + size_t (*get_mac_key_size)(tls_aead_t *this); + + /** + * Get the encrytion key size, if used. + * + * @return key size, in bytes, 0 if not used + */ + size_t (*get_encr_key_size)(tls_aead_t *this); + + /** + * Get the size of implicit IV (or AEAD salt), if used. + * + * @return IV/salt size, in bytes, 0 if not used + */ + size_t (*get_iv_size)(tls_aead_t *this); + + /** + * Set the keys used by an AEAD transform. + * + * @param mac authentication key, if used + * @param encr encryption key, if used + * @param iv initial implicit IV or AEAD salt, if any + * @return TRUE if key valid and set + */ + bool (*set_keys)(tls_aead_t *this, chunk_t mac, chunk_t ecnr, chunk_t iv); + + /** + * Destroy a tls_aead_t. + */ + void (*destroy)(tls_aead_t *this); +}; + +/** + * Create a tls_aead instance using traditional transforms, explicit IV. + * + * An explicit IV means that the IV is prepended to each TLS record. This is + * the mechanism used in TLS 1.1 and newer. + * + * @param mac integrity protection algorithm + * @param encr encryption algorithm + * @param encr_size encryption key size, in bytes + * @return TLS AEAD transform + */ +tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac, + encryption_algorithm_t encr, size_t encr_size); + +/** + * Create a tls_aead instance using traditional transforms, implicit IV. + * + * An implicit IV uses a first IV derived from the TLS keymat, which then + * gets replaced by the last encrypted records tail. This is the mechanism + * used for TLS 1.0 and older. + * + * @param mac integrity protection algorithm + * @param encr encryption algorithm + * @param encr_size encryption key size, in bytes + * @return TLS AEAD transform + */ +tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac, + encryption_algorithm_t encr, size_t encr_size); + +/** + * Create a tls_aead instance using NULL encryption. + * + * As no IV is involved with null encryption, this AEAD works with any + * version of TLS. + * + * @param mac integrity protection algorithm + * @return TLS AEAD transform + */ +tls_aead_t *tls_aead_create_null(integrity_algorithm_t mac); + +/** + * Create a tls_aead instance using real a AEAD cipher. + * + * @param encr AEAD encryption algorithm + * @param encr_size encryption key size, in bytes + * @return TLS AEAD transform + */ +tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size); + +#endif /** TLS_AEAD_H_ @}*/ diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c new file mode 100644 index 000000000..5e4d33e14 --- /dev/null +++ b/src/libtls/tls_aead_expl.c @@ -0,0 +1,222 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_aead.h" + +#include <crypto/iv/iv_gen_rand.h> + +typedef struct private_tls_aead_t private_tls_aead_t; + +/** + * Private data of an tls_aead_t object. + */ +struct private_tls_aead_t { + + /** + * Public tls_aead_t interface. + */ + tls_aead_t public; + + /** + * traditional crypter + */ + crypter_t *crypter; + + /** + * traditional signer + */ + signer_t *signer; + + /** + * IV generator + */ + iv_gen_t *iv_gen; +}; + +/** + * Associated header data to create signature over + */ +typedef struct __attribute__((__packed__)) { + u_int64_t seq; + u_int8_t type; + u_int16_t version; + u_int16_t length; +} sigheader_t; + +METHOD(tls_aead_t, encrypt, bool, + private_tls_aead_t *this, tls_version_t version, tls_content_type_t type, + u_int64_t seq, chunk_t *data) +{ + chunk_t assoc, mac, padding, iv; + u_int8_t bs, padlen; + sigheader_t hdr; + + hdr.type = type; + htoun64(&hdr.seq, seq); + htoun16(&hdr.version, version); + htoun16(&hdr.length, data->len); + + assoc = chunk_from_thing(hdr); + if (!this->signer->get_signature(this->signer, assoc, NULL) || + !this->signer->allocate_signature(this->signer, *data, &mac)) + { + return FALSE; + } + bs = this->crypter->get_block_size(this->crypter); + padlen = pad_len(data->len + mac.len + 1, bs); + + padding = chunk_alloca(padlen); + memset(padding.ptr, padlen, padding.len); + + /* TLSv1.1 uses random IVs, prepended to record */ + iv.len = this->crypter->get_iv_size(this->crypter); + iv = chunk_alloca(iv.len); + if (!this->iv_gen->get_iv(this->iv_gen, seq, iv.len, iv.ptr)) + { + return FALSE; + } + *data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen)); + /* encrypt inline */ + if (!this->crypter->encrypt(this->crypter, *data, iv, NULL)) + { + free(data->ptr); + return FALSE; + } + /* prepend IV */ + *data = chunk_cat("cm", iv, *data); + return TRUE; +} + +METHOD(tls_aead_t, decrypt, bool, + private_tls_aead_t *this, tls_version_t version, tls_content_type_t type, + u_int64_t seq, chunk_t *data) +{ + chunk_t assoc, mac, iv; + u_int8_t bs, padlen; + sigheader_t hdr; + + iv.len = this->crypter->get_iv_size(this->crypter); + if (data->len < iv.len) + { + return FALSE; + } + iv.ptr = data->ptr; + *data = chunk_skip(*data, iv.len); + bs = this->crypter->get_block_size(this->crypter); + if (data->len < bs || data->len % bs) + { + return FALSE; + } + if (!this->crypter->decrypt(this->crypter, *data, iv, NULL)) + { + return FALSE; + } + padlen = data->ptr[data->len - 1]; + if (padlen < data->len) + { /* If padding looks valid, remove it */ + data->len -= padlen + 1; + } + + bs = this->signer->get_block_size(this->signer); + if (data->len < bs) + { + return FALSE; + } + mac = chunk_skip(*data, data->len - bs); + data->len -= bs; + + hdr.type = type; + htoun64(&hdr.seq, seq); + htoun16(&hdr.version, version); + htoun16(&hdr.length, data->len); + + assoc = chunk_from_thing(hdr); + if (!this->signer->get_signature(this->signer, assoc, NULL) || + !this->signer->verify_signature(this->signer, *data, mac)) + { + return FALSE; + } + return TRUE; +} + +METHOD(tls_aead_t, get_mac_key_size, size_t, + private_tls_aead_t *this) +{ + return this->signer->get_key_size(this->signer); +} + +METHOD(tls_aead_t, get_encr_key_size, size_t, + private_tls_aead_t *this) +{ + return this->crypter->get_key_size(this->crypter); +} + +METHOD(tls_aead_t, get_iv_size, size_t, + private_tls_aead_t *this) +{ + return 0; +} + +METHOD(tls_aead_t, set_keys, bool, + private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv) +{ + if (iv.len) + { + return FALSE; + } + return this->signer->set_key(this->signer, mac) && + this->crypter->set_key(this->crypter, encr); +} + +METHOD(tls_aead_t, destroy, void, + private_tls_aead_t *this) +{ + this->iv_gen->destroy(this->iv_gen); + DESTROY_IF(this->crypter); + DESTROY_IF(this->signer); + free(this); +} + +/** + * See header + */ +tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac, + encryption_algorithm_t encr, size_t encr_size) +{ + private_tls_aead_t *this; + + INIT(this, + .public = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_mac_key_size = _get_mac_key_size, + .get_encr_key_size = _get_encr_key_size, + .get_iv_size = _get_iv_size, + .set_keys = _set_keys, + .destroy = _destroy, + }, + .crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size), + .signer = lib->crypto->create_signer(lib->crypto, mac), + .iv_gen = iv_gen_rand_create(), + ); + + if (!this->crypter || !this->signer) + { + destroy(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c new file mode 100644 index 000000000..fb14026e0 --- /dev/null +++ b/src/libtls/tls_aead_impl.c @@ -0,0 +1,214 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_aead.h" + +typedef struct private_tls_aead_t private_tls_aead_t; + +/** + * Private data of an tls_aead_t object. + */ +struct private_tls_aead_t { + + /** + * Public tls_aead_t interface. + */ + tls_aead_t public; + + /** + * traditional crypter + */ + crypter_t *crypter; + + /** + * traditional signer + */ + signer_t *signer; + + /** + * Next implicit IV + */ + chunk_t iv; +}; + +/** + * Associated header data to create signature over + */ +typedef struct __attribute__((__packed__)) { + u_int64_t seq; + u_int8_t type; + u_int16_t version; + u_int16_t length; +} sigheader_t; + +METHOD(tls_aead_t, encrypt, bool, + private_tls_aead_t *this, tls_version_t version, + tls_content_type_t type, u_int64_t seq, chunk_t *data) +{ + chunk_t assoc, mac, padding; + u_int8_t bs, padlen; + sigheader_t hdr; + + hdr.type = type; + htoun64(&hdr.seq, seq); + htoun16(&hdr.version, version); + htoun16(&hdr.length, data->len); + + assoc = chunk_from_thing(hdr); + if (!this->signer->get_signature(this->signer, assoc, NULL) || + !this->signer->allocate_signature(this->signer, *data, &mac)) + { + return FALSE; + } + bs = this->crypter->get_block_size(this->crypter); + padlen = pad_len(data->len + mac.len + 1, bs); + + padding = chunk_alloca(padlen); + memset(padding.ptr, padlen, padding.len); + + *data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen)); + /* encrypt inline */ + if (!this->crypter->encrypt(this->crypter, *data, this->iv, NULL)) + { + return FALSE; + } + if (data->len < this->iv.len) + { + return FALSE; + } + /* next record IV is last ciphertext block of this record */ + memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len); + return TRUE; +} + +METHOD(tls_aead_t, decrypt, bool, + private_tls_aead_t *this, tls_version_t version, + tls_content_type_t type, u_int64_t seq, chunk_t *data) +{ + chunk_t assoc, mac, iv; + u_int8_t bs, padlen; + sigheader_t hdr; + + bs = this->crypter->get_block_size(this->crypter); + if (data->len < bs || data->len < this->iv.len || data->len % bs) + { + return FALSE; + } + iv = chunk_alloca(this->iv.len); + memcpy(iv.ptr, this->iv.ptr, this->iv.len); + memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len); + if (!this->crypter->decrypt(this->crypter, *data, iv, NULL)) + { + return FALSE; + } + padlen = data->ptr[data->len - 1]; + if (padlen < data->len) + { /* If padding looks valid, remove it */ + data->len -= padlen + 1; + } + + bs = this->signer->get_block_size(this->signer); + if (data->len < bs) + { + return FALSE; + } + mac = chunk_skip(*data, data->len - bs); + data->len -= bs; + + hdr.type = type; + htoun64(&hdr.seq, seq); + htoun16(&hdr.version, version); + htoun16(&hdr.length, data->len); + + assoc = chunk_from_thing(hdr); + if (!this->signer->get_signature(this->signer, assoc, NULL) || + !this->signer->verify_signature(this->signer, *data, mac)) + { + return FALSE; + } + return TRUE; +} + +METHOD(tls_aead_t, get_mac_key_size, size_t, + private_tls_aead_t *this) +{ + return this->signer->get_key_size(this->signer); +} + +METHOD(tls_aead_t, get_encr_key_size, size_t, + private_tls_aead_t *this) +{ + return this->crypter->get_key_size(this->crypter); +} + +METHOD(tls_aead_t, get_iv_size, size_t, + private_tls_aead_t *this) +{ + return this->iv.len; +} + +METHOD(tls_aead_t, set_keys, bool, + private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv) +{ + if (iv.len != this->iv.len) + { + return FALSE; + } + memcpy(this->iv.ptr, iv.ptr, this->iv.len); + return this->signer->set_key(this->signer, mac) && + this->crypter->set_key(this->crypter, encr); +} + +METHOD(tls_aead_t, destroy, void, + private_tls_aead_t *this) +{ + DESTROY_IF(this->crypter); + DESTROY_IF(this->signer); + chunk_free(&this->iv); + free(this); +} + +/** + * See header + */ +tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac, + encryption_algorithm_t encr, size_t encr_size) +{ + private_tls_aead_t *this; + + INIT(this, + .public = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_mac_key_size = _get_mac_key_size, + .get_encr_key_size = _get_encr_key_size, + .get_iv_size = _get_iv_size, + .set_keys = _set_keys, + .destroy = _destroy, + }, + .crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size), + .signer = lib->crypto->create_signer(lib->crypto, mac), + ); + + if (!this->crypter || !this->signer) + { + destroy(this); + return NULL; + } + + this->iv = chunk_alloc(this->crypter->get_iv_size(this->crypter)); + + return &this->public; +} diff --git a/src/libtls/tls_aead_null.c b/src/libtls/tls_aead_null.c new file mode 100644 index 000000000..595b64000 --- /dev/null +++ b/src/libtls/tls_aead_null.c @@ -0,0 +1,159 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tls_aead.h" + +typedef struct private_tls_aead_t private_tls_aead_t; + +/** + * Private data of an tls_aead_t object. + */ +struct private_tls_aead_t { + + /** + * Public tls_aead_t interface. + */ + tls_aead_t public; + + /** + * traditional signer + */ + signer_t *signer; +}; + +/** + * Associated header data to create signature over + */ +typedef struct __attribute__((__packed__)) { + u_int64_t seq; + u_int8_t type; + u_int16_t version; + u_int16_t length; +} sigheader_t; + +METHOD(tls_aead_t, encrypt, bool, + private_tls_aead_t *this, tls_version_t version, + tls_content_type_t type, u_int64_t seq, chunk_t *data) +{ + chunk_t assoc, mac; + sigheader_t hdr; + + hdr.type = type; + htoun64(&hdr.seq, seq); + htoun16(&hdr.version, version); + htoun16(&hdr.length, data->len); + + assoc = chunk_from_thing(hdr); + if (!this->signer->get_signature(this->signer, assoc, NULL) || + !this->signer->allocate_signature(this->signer, *data, &mac)) + { + return FALSE; + } + *data = chunk_cat("mm", *data, mac); + return TRUE; +} + +METHOD(tls_aead_t, decrypt, bool, + private_tls_aead_t *this, tls_version_t version, + tls_content_type_t type, u_int64_t seq, chunk_t *data) +{ + chunk_t assoc, mac; + sigheader_t hdr; + + mac.len = this->signer->get_block_size(this->signer); + if (data->len < mac.len) + { + return FALSE; + } + mac = chunk_skip(*data, data->len - mac.len); + data->len -= mac.len; + + hdr.type = type; + htoun64(&hdr.seq, seq); + htoun16(&hdr.version, version); + htoun16(&hdr.length, data->len); + + assoc = chunk_from_thing(hdr); + if (!this->signer->get_signature(this->signer, assoc, NULL) || + !this->signer->verify_signature(this->signer, *data, mac)) + { + return FALSE; + } + return TRUE; +} + +METHOD(tls_aead_t, get_mac_key_size, size_t, + private_tls_aead_t *this) +{ + return this->signer->get_key_size(this->signer); +} + +METHOD(tls_aead_t, get_encr_key_size, size_t, + private_tls_aead_t *this) +{ + return 0; +} + +METHOD(tls_aead_t, get_iv_size, size_t, + private_tls_aead_t *this) +{ + return 0; +} + +METHOD(tls_aead_t, set_keys, bool, + private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv) +{ + if (iv.len || encr.len) + { + return FALSE; + } + return this->signer->set_key(this->signer, mac); +} + +METHOD(tls_aead_t, destroy, void, + private_tls_aead_t *this) +{ + this->signer->destroy(this->signer); + free(this); +} + +/** + * See header + */ +tls_aead_t *tls_aead_create_null(integrity_algorithm_t alg) +{ + private_tls_aead_t *this; + + INIT(this, + .public = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_mac_key_size = _get_mac_key_size, + .get_encr_key_size = _get_encr_key_size, + .get_iv_size = _get_iv_size, + .set_keys = _set_keys, + .destroy = _destroy, + }, + .signer = lib->crypto->create_signer(lib->crypto, alg), + ); + + if (!this->signer) + { + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index cc73ebaeb..4f67b20d6 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2010 Martin Willi - * Copyright (C) 2010 revosec AG + * Copyright (C) 2010-2014 Martin Willi + * Copyright (C) 2010-2014 revosec AG * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -16,6 +16,7 @@ #include "tls_crypto.h" #include <utils/debug.h> +#include <plugins/plugin_feature.h> ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL, TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, @@ -80,7 +81,7 @@ ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_anon_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256 ", + "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", "TLS_DH_RSA_WITH_AES_128_CBC_SHA256", @@ -111,13 +112,13 @@ ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", "TLS_PSK_WITH_RC4_128_SHA", - "TLS_PSK_WITH_3DES_EDE_CBC_SHA2", + "TLS_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_PSK_WITH_AES_128_CBC_SHA", "TLS_PSK_WITH_AES_256_CBC_SHA", "TLS_DHE_PSK_WITH_RC4_128_SHA", "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", - "TLS_DHE_PSK_WITH_AES_256_CBC_SHA2", + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", "TLS_RSA_PSK_WITH_RC4_128_SHA", "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", @@ -385,34 +386,14 @@ struct private_tls_crypto_t { tls_prf_t *prf; /** - * Signer instance for inbound traffic + * AEAD transform for inbound traffic */ - signer_t *signer_in; + tls_aead_t *aead_in; /** - * Signer instance for outbound traffic + * AEAD transform for outbound traffic */ - signer_t *signer_out; - - /** - * Crypter instance for inbound traffic - */ - crypter_t *crypter_in; - - /** - * Crypter instance for outbound traffic - */ - crypter_t *crypter_out; - - /** - * IV for input decryption, if < TLSv1.2 - */ - chunk_t iv_in; - - /** - * IV for output decryption, if < TLSv1.2 - */ - chunk_t iv_out; + tls_aead_t *aead_out; /** * EAP-[T]TLS MSK @@ -460,6 +441,16 @@ static suite_algs_t suite_algs[] = { HASH_SHA384, PRF_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32 }, + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + KEY_ECDSA, ECP_256_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16 + }, + { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + KEY_ECDSA, ECP_384_BIT, + HASH_SHA384, PRF_HMAC_SHA2_384, + AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32 + }, { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, KEY_RSA, ECP_256_BIT, HASH_SHA256, PRF_HMAC_SHA2_256, @@ -480,6 +471,16 @@ static suite_algs_t suite_algs[] = { HASH_SHA384, PRF_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32 }, + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + KEY_RSA, ECP_256_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16 + }, + { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + KEY_RSA, ECP_384_BIT, + HASH_SHA384, PRF_HMAC_SHA2_384, + AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32 + }, { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, KEY_RSA, MODP_2048_BIT, HASH_SHA256,PRF_HMAC_SHA2_256, @@ -500,6 +501,16 @@ static suite_algs_t suite_algs[] = { HASH_SHA256, PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32 }, + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + KEY_RSA, MODP_3072_BIT, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16 + }, + { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + KEY_RSA, MODP_4096_BIT, + HASH_SHA384, PRF_HMAC_SHA2_384, + AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32 + }, { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, KEY_RSA, MODP_2048_BIT, HASH_SHA256, PRF_HMAC_SHA2_256, @@ -545,6 +556,16 @@ static suite_algs_t suite_algs[] = { HASH_SHA256, PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32 }, + { TLS_RSA_WITH_AES_128_GCM_SHA256, + KEY_RSA, MODP_NONE, + HASH_SHA256, PRF_HMAC_SHA2_256, + AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 16 + }, + { TLS_RSA_WITH_AES_256_GCM_SHA384, + KEY_RSA, MODP_NONE, + HASH_SHA384, PRF_HMAC_SHA2_384, + AUTH_UNDEFINED, ENCR_AES_GCM_ICV16, 32 + }, { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, KEY_RSA, MODP_NONE, HASH_SHA256, PRF_HMAC_SHA2_256, @@ -627,8 +648,7 @@ static suite_algs_t *find_suite(tls_cipher_suite_t suite) /** * Filter a suite list using a transform enumerator */ -static void filter_suite(private_tls_crypto_t *this, - suite_algs_t suites[], int *count, int offset, +static void filter_suite(suite_algs_t suites[], int *count, int offset, enumerator_t*(*create_enumerator)(crypto_factory_t*)) { const char *plugin_name; @@ -641,21 +661,56 @@ static void filter_suite(private_tls_crypto_t *this, for (i = 0; i < *count; i++) { + if (create_enumerator == lib->crypto->create_crypter_enumerator && + encryption_algorithm_is_aead(suites[i].encr)) + { /* filtering crypters, but current suite uses an AEAD, apply */ + suites[remaining] = suites[i]; + remaining++; + continue; + } + if (create_enumerator == lib->crypto->create_aead_enumerator && + !encryption_algorithm_is_aead(suites[i].encr)) + { /* filtering AEADs, but current suite doesn't use one, apply */ + suites[remaining] = suites[i]; + remaining++; + continue; + } enumerator = create_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, current_alg, &plugin_name)) { - if ((suites[i].encr == ENCR_NULL || - !current.encr || current.encr == suites[i].encr) && - (!current.mac || current.mac == suites[i].mac) && - (!current.prf || current.prf == suites[i].prf) && - (!current.hash || current.hash == suites[i].hash) && - (suites[i].dh == MODP_NONE || - !current.dh || current.dh == suites[i].dh)) + if (current.encr && current.encr != suites[i].encr) { - suites[remaining] = suites[i]; - remaining++; - break; + if (suites[i].encr != ENCR_NULL) + { /* skip, ENCR does not match nor is NULL */ + continue; + } } + if (current.mac && current.mac != suites[i].mac) + { + if (suites[i].mac != AUTH_UNDEFINED) + { /* skip, MAC does not match nor is it undefined */ + continue; + } + } + if (current.prf && current.prf != suites[i].prf) + { /* skip, PRF does not match */ + continue; + } + if (current.hash && current.hash != suites[i].hash) + { /* skip, hash does not match */ + continue; + } + if (current.dh && current.dh != suites[i].dh) + { + if (suites[i].dh != MODP_NONE) + { /* skip DH group, does not match nor NONE */ + continue; + } + } + /* suite supported, apply */ + suites[remaining] = suites[i]; + remaining++; + break; } enumerator->destroy(enumerator); } @@ -665,8 +720,7 @@ static void filter_suite(private_tls_crypto_t *this, /** * Purge NULL encryption cipher suites from list */ -static void filter_null_suites(private_tls_crypto_t *this, - suite_algs_t suites[], int *count) +static void filter_null_suites(suite_algs_t suites[], int *count) { int i, remaining = 0; @@ -789,6 +843,20 @@ static void filter_cipher_config_suites(private_tls_crypto_t *this, suites[remaining++] = suites[i]; break; } + if (strcaseeq(token, "aes128gcm") && + suites[i].encr == ENCR_AES_GCM_ICV16 && + suites[i].encr_size == 16) + { + suites[remaining++] = suites[i]; + break; + } + if (strcaseeq(token, "aes256gcm") && + suites[i].encr == ENCR_AES_GCM_ICV16 && + suites[i].encr_size == 32) + { + suites[remaining++] = suites[i]; + break; + } if (strcaseeq(token, "camellia128") && suites[i].encr == ENCR_CAMELLIA_CBC && suites[i].encr_size == 16) @@ -905,6 +973,26 @@ static void filter_specific_config_suites(private_tls_crypto_t *this, } /** + * Filter out unsupported suites on given suite array + */ +static void filter_unsupported_suites(suite_algs_t suites[], int *count) +{ + /* filter suite list by each algorithm */ + filter_suite(suites, count, offsetof(suite_algs_t, encr), + lib->crypto->create_crypter_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, encr), + lib->crypto->create_aead_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, mac), + lib->crypto->create_signer_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, prf), + lib->crypto->create_prf_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, hash), + lib->crypto->create_hasher_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, dh), + lib->crypto->create_dh_enumerator); +} + +/** * Initialize the cipher suite list */ static void build_cipher_suite_list(private_tls_crypto_t *this, @@ -918,9 +1006,10 @@ static void build_cipher_suite_list(private_tls_crypto_t *this, { suites[i] = suite_algs[i]; } + if (require_encryption) { - filter_null_suites(this, suites, &count); + filter_null_suites(suites, &count); } if (!this->rsa) { @@ -931,17 +1020,7 @@ static void build_cipher_suite_list(private_tls_crypto_t *this, filter_key_suites(this, suites, &count, KEY_ECDSA); } - /* filter suite list by each algorithm */ - filter_suite(this, suites, &count, offsetof(suite_algs_t, encr), - lib->crypto->create_crypter_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, mac), - lib->crypto->create_signer_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, prf), - lib->crypto->create_prf_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, hash), - lib->crypto->create_hasher_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, dh), - lib->crypto->create_dh_enumerator); + filter_unsupported_suites(suites, &count); /* filter suites with strongswan.conf options */ filter_key_exchange_config_suites(this, suites, &count); @@ -969,10 +1048,82 @@ METHOD(tls_crypto_t, get_cipher_suites, int, } /** + * Create NULL encryption transforms + */ +static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs) +{ + this->aead_in = tls_aead_create_null(algs->mac); + this->aead_out = tls_aead_create_null(algs->mac); + if (!this->aead_in || !this->aead_out) + { + DBG1(DBG_TLS, "selected TLS MAC %N not supported", + integrity_algorithm_names, algs->mac); + return FALSE; + } + return TRUE; +} + +/** + * Create traditional transforms + */ +static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs) +{ + if (this->tls->get_version(this->tls) < TLS_1_1) + { + this->aead_in = tls_aead_create_implicit(algs->mac, + algs->encr, algs->encr_size); + this->aead_out = tls_aead_create_implicit(algs->mac, + algs->encr, algs->encr_size); + } + else + { + this->aead_in = tls_aead_create_explicit(algs->mac, + algs->encr, algs->encr_size); + this->aead_out = tls_aead_create_explicit(algs->mac, + algs->encr, algs->encr_size); + } + if (!this->aead_in || !this->aead_out) + { + DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported", + encryption_algorithm_names, algs->encr, algs->encr_size * 8, + integrity_algorithm_names, algs->mac); + return FALSE; + } + return TRUE; +} + +/** + * Create AEAD transforms + */ +static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs) +{ + this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size); + this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size); + if (!this->aead_in || !this->aead_out) + { + DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported", + encryption_algorithm_names, algs->encr, algs->encr_size * 8); + return FALSE; + } + return TRUE; +} + +/** + * Clean up and unset AEAD transforms + */ +static void destroy_aeads(private_tls_crypto_t *this) +{ + DESTROY_IF(this->aead_in); + DESTROY_IF(this->aead_out); + this->aead_in = this->aead_out = NULL; +} + +/** * Create crypto primitives */ static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs) { + destroy_aeads(this); DESTROY_IF(this->prf); if (this->tls->get_version(this->tls) < TLS_1_2) { @@ -987,38 +1138,29 @@ static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs) DBG1(DBG_TLS, "selected TLS PRF not supported"); return FALSE; } - - DESTROY_IF(this->signer_in); - DESTROY_IF(this->signer_out); - this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac); - this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac); - if (!this->signer_in || !this->signer_out) + if (algs->encr == ENCR_NULL) { - DBG1(DBG_TLS, "selected TLS MAC %N not supported", - integrity_algorithm_names, algs->mac); - return FALSE; + if (create_null(this, algs)) + { + return TRUE; + } } - - DESTROY_IF(this->crypter_in); - DESTROY_IF(this->crypter_out); - if (algs->encr == ENCR_NULL) + else if (encryption_algorithm_is_aead(algs->encr)) { - this->crypter_in = this->crypter_out = NULL; + if (create_aead(this, algs)) + { + return TRUE; + } } else { - this->crypter_in = lib->crypto->create_crypter(lib->crypto, - algs->encr, algs->encr_size); - this->crypter_out = lib->crypto->create_crypter(lib->crypto, - algs->encr, algs->encr_size); - if (!this->crypter_in || !this->crypter_out) + if (create_traditional(this, algs)) { - DBG1(DBG_TLS, "selected TLS crypter %N not supported", - encryption_algorithm_names, algs->encr); - return FALSE; + return TRUE; } } - return TRUE; + destroy_aeads(this); + return FALSE; } METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t, @@ -1065,54 +1207,52 @@ METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t, return MODP_NONE; } +/** + * Map signature schemes to TLS key types and hashes, ordered by preference + */ +static struct { + tls_signature_algorithm_t sig; + tls_hash_algorithm_t hash; + signature_scheme_t scheme; +} schemes[] = { + { TLS_SIG_ECDSA, TLS_HASH_SHA256, SIGN_ECDSA_WITH_SHA256_DER }, + { TLS_SIG_ECDSA, TLS_HASH_SHA384, SIGN_ECDSA_WITH_SHA384_DER }, + { TLS_SIG_ECDSA, TLS_HASH_SHA512, SIGN_ECDSA_WITH_SHA512_DER }, + { TLS_SIG_ECDSA, TLS_HASH_SHA1, SIGN_ECDSA_WITH_SHA1_DER }, + { TLS_SIG_RSA, TLS_HASH_SHA256, SIGN_RSA_EMSA_PKCS1_SHA256 }, + { TLS_SIG_RSA, TLS_HASH_SHA384, SIGN_RSA_EMSA_PKCS1_SHA384 }, + { TLS_SIG_RSA, TLS_HASH_SHA512, SIGN_RSA_EMSA_PKCS1_SHA512 }, + { TLS_SIG_RSA, TLS_HASH_SHA224, SIGN_RSA_EMSA_PKCS1_SHA224 }, + { TLS_SIG_RSA, TLS_HASH_SHA1, SIGN_RSA_EMSA_PKCS1_SHA1 }, + { TLS_SIG_RSA, TLS_HASH_MD5, SIGN_RSA_EMSA_PKCS1_MD5 }, +}; + METHOD(tls_crypto_t, get_signature_algorithms, void, private_tls_crypto_t *this, bio_writer_t *writer) { bio_writer_t *supported; - enumerator_t *enumerator; - hash_algorithm_t alg; - tls_hash_algorithm_t hash; - const char *plugin_name; + int i; supported = bio_writer_create(32); - enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &alg, &plugin_name)) + + for (i = 0; i < countof(schemes); i++) { - switch (alg) + if (schemes[i].sig == TLS_SIG_RSA && !this->rsa) { - case HASH_MD5: - hash = TLS_HASH_MD5; - break; - case HASH_SHA1: - hash = TLS_HASH_SHA1; - break; - case HASH_SHA224: - hash = TLS_HASH_SHA224; - break; - case HASH_SHA256: - hash = TLS_HASH_SHA256; - break; - case HASH_SHA384: - hash = TLS_HASH_SHA384; - break; - case HASH_SHA512: - hash = TLS_HASH_SHA512; - break; - default: - continue; + continue; } - if (this->rsa) + if (schemes[i].sig == TLS_SIG_ECDSA && !this->ecdsa) { - supported->write_uint8(supported, hash); - supported->write_uint8(supported, TLS_SIG_RSA); + continue; } - if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224) - { /* currently we have no signature scheme for MD5/SHA224 */ - supported->write_uint8(supported, hash); - supported->write_uint8(supported, TLS_SIG_ECDSA); + if (!lib->plugins->has_feature(lib->plugins, + PLUGIN_PROVIDE(PUBKEY_VERIFY, schemes[i].scheme))) + { + continue; } + supported->write_uint8(supported, schemes[i].hash); + supported->write_uint8(supported, schemes[i].sig); } - enumerator->destroy(enumerator); supported->wrap16(supported); writer->write_data16(writer, supported->get_buf(supported)); @@ -1120,6 +1260,29 @@ METHOD(tls_crypto_t, get_signature_algorithms, void, } /** + * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair + */ +static signature_scheme_t hashsig_to_scheme(key_type_t type, + tls_hash_algorithm_t hash, + tls_signature_algorithm_t sig) +{ + int i; + + if ((sig == TLS_SIG_RSA && type == KEY_RSA) || + (sig == TLS_SIG_ECDSA && type == KEY_ECDSA)) + { + for (i = 0; i < countof(schemes); i++) + { + if (schemes[i].sig == sig && schemes[i].hash == hash) + { + return schemes[i].scheme; + } + } + } + return SIGN_UNKNOWN; +} + +/** * Mapping groups to TLS named curves */ static struct { @@ -1236,59 +1399,6 @@ static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash) return TRUE; } -/** - * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair - */ -static signature_scheme_t hashsig_to_scheme(key_type_t type, - tls_hash_algorithm_t hash, tls_signature_algorithm_t sig) -{ - switch (sig) - { - case TLS_SIG_RSA: - if (type != KEY_RSA) - { - return SIGN_UNKNOWN; - } - switch (hash) - { - case TLS_HASH_MD5: - return SIGN_RSA_EMSA_PKCS1_MD5; - case TLS_HASH_SHA1: - return SIGN_RSA_EMSA_PKCS1_SHA1; - case TLS_HASH_SHA224: - return SIGN_RSA_EMSA_PKCS1_SHA224; - case TLS_HASH_SHA256: - return SIGN_RSA_EMSA_PKCS1_SHA256; - case TLS_HASH_SHA384: - return SIGN_RSA_EMSA_PKCS1_SHA384; - case TLS_HASH_SHA512: - return SIGN_RSA_EMSA_PKCS1_SHA512; - default: - return SIGN_UNKNOWN; - } - case TLS_SIG_ECDSA: - if (type != KEY_ECDSA) - { - return SIGN_UNKNOWN; - } - switch (hash) - { - case TLS_HASH_SHA224: - return SIGN_ECDSA_WITH_SHA1_DER; - case TLS_HASH_SHA256: - return SIGN_ECDSA_WITH_SHA256_DER; - case TLS_HASH_SHA384: - return SIGN_ECDSA_WITH_SHA384_DER; - case TLS_HASH_SHA512: - return SIGN_ECDSA_WITH_SHA512_DER; - default: - return SIGN_UNKNOWN; - } - default: - return SIGN_UNKNOWN; - } -} - METHOD(tls_crypto_t, sign, bool, private_tls_crypto_t *this, private_key_t *key, bio_writer_t *writer, chunk_t data, chunk_t hashsig) @@ -1512,93 +1622,63 @@ static bool derive_master(private_tls_crypto_t *this, chunk_t premaster, static bool expand_keys(private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random) { - chunk_t seed, block, client_write, server_write; - int mks, eks = 0, ivs = 0; + chunk_t seed, block; + chunk_t cw_mac, cw, cw_iv; + chunk_t sw_mac, sw, sw_iv; + int mklen, eklen, ivlen; - /* derive key block for key expansion */ - mks = this->signer_out->get_key_size(this->signer_out); - if (this->crypter_out) + if (!this->aead_in || !this->aead_out) { - eks = this->crypter_out->get_key_size(this->crypter_out); - if (this->tls->get_version(this->tls) < TLS_1_1) - { - ivs = this->crypter_out->get_iv_size(this->crypter_out); - } + return FALSE; } + + /* derive key block for key expansion */ + mklen = this->aead_in->get_mac_key_size(this->aead_in); + eklen = this->aead_in->get_encr_key_size(this->aead_in); + ivlen = this->aead_in->get_iv_size(this->aead_in); seed = chunk_cata("cc", server_random, client_random); - block = chunk_alloca((mks + eks + ivs) * 2); + block = chunk_alloca((mklen + eklen + ivlen) * 2); if (!this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr)) { return FALSE; } - /* signer keys */ - client_write = chunk_create(block.ptr, mks); - block = chunk_skip(block, mks); - server_write = chunk_create(block.ptr, mks); - block = chunk_skip(block, mks); + /* client/server write signer keys */ + cw_mac = chunk_create(block.ptr, mklen); + block = chunk_skip(block, mklen); + sw_mac = chunk_create(block.ptr, mklen); + block = chunk_skip(block, mklen); + + /* client/server write encryption keys */ + cw = chunk_create(block.ptr, eklen); + block = chunk_skip(block, eklen); + sw = chunk_create(block.ptr, eklen); + block = chunk_skip(block, eklen); + + /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */ + cw_iv = chunk_create(block.ptr, ivlen); + block = chunk_skip(block, ivlen); + sw_iv = chunk_create(block.ptr, ivlen); + block = chunk_skip(block, ivlen); + if (this->tls->is_server(this->tls)) { - if (!this->signer_in->set_key(this->signer_in, client_write) || - !this->signer_out->set_key(this->signer_out, server_write)) + if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) || + !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv)) { return FALSE; } } else { - if (!this->signer_out->set_key(this->signer_out, client_write) || - !this->signer_in->set_key(this->signer_in, server_write)) + if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) || + !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv)) { return FALSE; } } - /* crypter keys, and IVs if < TLSv1.2 */ - if (this->crypter_out && this->crypter_in) - { - client_write = chunk_create(block.ptr, eks); - block = chunk_skip(block, eks); - server_write = chunk_create(block.ptr, eks); - block = chunk_skip(block, eks); - - if (this->tls->is_server(this->tls)) - { - if (!this->crypter_in->set_key(this->crypter_in, client_write) || - !this->crypter_out->set_key(this->crypter_out, server_write)) - { - return FALSE; - } - } - else - { - if (!this->crypter_out->set_key(this->crypter_out, client_write) || - !this->crypter_in->set_key(this->crypter_in, server_write)) - { - return FALSE; - } - } - if (ivs) - { - client_write = chunk_create(block.ptr, ivs); - block = chunk_skip(block, ivs); - server_write = chunk_create(block.ptr, ivs); - block = chunk_skip(block, ivs); - - if (this->tls->is_server(this->tls)) - { - this->iv_in = chunk_clone(client_write); - this->iv_out = chunk_clone(server_write); - } - else - { - this->iv_out = chunk_clone(client_write); - this->iv_in = chunk_clone(server_write); - } - } - } - /* EAP-MSK */ if (this->msk_label) { @@ -1666,13 +1746,11 @@ METHOD(tls_crypto_t, change_cipher, void, { if (inbound) { - this->protection->set_cipher(this->protection, TRUE, - this->signer_in, this->crypter_in, this->iv_in); + this->protection->set_cipher(this->protection, TRUE, this->aead_in); } else { - this->protection->set_cipher(this->protection, FALSE, - this->signer_out, this->crypter_out, this->iv_out); + this->protection->set_cipher(this->protection, FALSE, this->aead_out); } } } @@ -1686,12 +1764,7 @@ METHOD(tls_crypto_t, get_eap_msk, chunk_t, METHOD(tls_crypto_t, destroy, void, private_tls_crypto_t *this) { - DESTROY_IF(this->signer_in); - DESTROY_IF(this->signer_out); - DESTROY_IF(this->crypter_in); - DESTROY_IF(this->crypter_out); - free(this->iv_in.ptr); - free(this->iv_out.ptr); + destroy_aeads(this); free(this->handshake.ptr); free(this->msk.ptr); DESTROY_IF(this->prf); @@ -1773,8 +1846,43 @@ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache) case TLS_PURPOSE_GENERIC: build_cipher_suite_list(this, TRUE); break; + case TLS_PURPOSE_GENERIC_NULLOK: + build_cipher_suite_list(this, FALSE); + break; default: break; } return &this->public; } + +/** + * See header. + */ +int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **out) +{ + suite_algs_t suites[countof(suite_algs)]; + int count = countof(suite_algs), i; + + /* initialize copy of suite list */ + for (i = 0; i < count; i++) + { + suites[i] = suite_algs[i]; + } + + filter_unsupported_suites(suites, &count); + + if (!null) + { + filter_null_suites(suites, &count); + } + + if (out) + { + *out = calloc(count, sizeof(tls_cipher_suite_t)); + for (i = 0; i < count; i++) + { + (*out)[i] = suites[i].suite; + } + } + return count; +} diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h index 5512b1f48..a42e07bb3 100644 --- a/src/libtls/tls_crypto.h +++ b/src/libtls/tls_crypto.h @@ -572,4 +572,13 @@ struct tls_crypto_t { */ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache); +/** + * Get a list of all supported TLS cipher suites. + * + * @param null include supported NULL encryption suites + * @param suites pointer to allocated suites array, to free(), or NULL + * @return number of suites supported + */ +int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **suites); + #endif /** TLS_CRYPTO_H_ @}*/ diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c index b429da300..a95b40f55 100644 --- a/src/libtls/tls_peer.c +++ b/src/libtls/tls_peer.c @@ -80,6 +80,11 @@ struct private_tls_peer_t { peer_state_t state; /** + * TLS version we offered in hello + */ + tls_version_t hello_version; + + /** * Hello random data selected by client */ char client_random[32]; @@ -724,6 +729,7 @@ static status_t send_client_hello(private_tls_peer_t *this, /* TLS version */ version = this->tls->get_version(this->tls); + this->hello_version = version; writer->write_uint16(writer, version); writer->write_data(writer, chunk_from_thing(this->client_random)); @@ -917,7 +923,7 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this, return NEED_MORE; } rng->destroy(rng); - htoun16(premaster, TLS_1_2); + htoun16(premaster, this->hello_version); if (!this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster), this->session, this->server, diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c index 0d5df18f7..b016db21f 100644 --- a/src/libtls/tls_protection.c +++ b/src/libtls/tls_protection.c @@ -45,74 +45,26 @@ struct private_tls_protection_t { tls_alert_t *alert; /** - * RNG if we generate IVs ourself - */ - rng_t *rng; - - /** * Sequence number of incoming records */ - u_int32_t seq_in; + u_int64_t seq_in; /** * Sequence number for outgoing records */ - u_int32_t seq_out; - - /** - * Signer instance for inbound traffic - */ - signer_t *signer_in; - - /** - * Signer instance for outbound traffic - */ - signer_t *signer_out; + u_int64_t seq_out; /** - * Crypter instance for inbound traffic + * AEAD transform for inbound traffic */ - crypter_t *crypter_in; + tls_aead_t *aead_in; /** - * Crypter instance for outbound traffic + * AEAD transform for outbound traffic */ - crypter_t *crypter_out; - - /** - * Current IV for input decryption - */ - chunk_t iv_in; - - /** - * Current IV for output decryption - */ - chunk_t iv_out; + tls_aead_t *aead_out; }; -/** - * Create the header and feed it into a signer for MAC verification - */ -static bool sigheader(signer_t *signer, u_int32_t seq, u_int8_t type, - u_int16_t version, u_int16_t length) -{ - /* we only support 32 bit sequence numbers, but TLS uses 64 bit */ - struct __attribute__((__packed__)) { - u_int32_t seq_high; - u_int32_t seq_low; - u_int8_t type; - u_int16_t version; - u_int16_t length; - } header = { - .type = type, - }; - htoun32(&header.seq_low, seq); - htoun16(&header.version, version); - htoun16(&header.length, length); - - return signer->get_signature(signer, chunk_from_thing(header), NULL); -} - METHOD(tls_protection_t, process, status_t, private_tls_protection_t *this, tls_content_type_t type, chunk_t data) { @@ -121,75 +73,12 @@ METHOD(tls_protection_t, process, status_t, return NEED_MORE; } - if (this->crypter_in) - { - chunk_t iv, next_iv = chunk_empty; - u_int8_t bs, padding_length; - - bs = this->crypter_in->get_block_size(this->crypter_in); - if (this->iv_in.len) - { /* < TLSv1.1 uses IV from key derivation/last block */ - if (data.len < bs || data.len % bs) - { - DBG1(DBG_TLS, "encrypted TLS record length invalid"); - this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); - return NEED_MORE; - } - iv = this->iv_in; - next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs)); - } - else - { /* TLSv1.1 uses random IVs, prepended to record */ - iv.len = this->crypter_in->get_iv_size(this->crypter_in); - iv = chunk_create(data.ptr, iv.len); - data = chunk_skip(data, iv.len); - if (data.len < bs || data.len % bs) - { - DBG1(DBG_TLS, "encrypted TLS record length invalid"); - this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); - return NEED_MORE; - } - } - if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL)) - { - free(next_iv.ptr); - this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); - return NEED_MORE; - } - - if (next_iv.len) - { /* next record IV is last ciphertext block of this record */ - memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len); - free(next_iv.ptr); - } - - padding_length = data.ptr[data.len - 1]; - if (padding_length < data.len) - { /* remove padding if it looks valid. Continue with no padding, try - * to prevent timing attacks. */ - data.len -= padding_length + 1; - } - } - if (this->signer_in) + if (this->aead_in) { - chunk_t mac; - u_int8_t bs; - - bs = this->signer_in->get_block_size(this->signer_in); - if (data.len < bs) + if (!this->aead_in->decrypt(this->aead_in, this->version, + type, this->seq_in, &data)) { - DBG1(DBG_TLS, "TLS record too short to verify MAC"); - this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); - return NEED_MORE; - } - mac = chunk_skip(data, data.len - bs); - data.len -= bs; - - if (!sigheader(this->signer_in, this->seq_in, type, - this->version, data.len) || - !this->signer_in->verify_signature(this->signer_in, data, mac)) - { - DBG1(DBG_TLS, "TLS record MAC verification failed"); + DBG1(DBG_TLS, "TLS record decryption failed"); this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC); return NEED_MORE; } @@ -220,72 +109,15 @@ METHOD(tls_protection_t, build, status_t, if (status == NEED_MORE) { - if (this->signer_out) + if (this->aead_out) { - chunk_t mac; - - if (!sigheader(this->signer_out, this->seq_out, *type, - this->version, data->len) || - !this->signer_out->allocate_signature(this->signer_out, - *data, &mac)) + if (!this->aead_out->encrypt(this->aead_out, this->version, + *type, this->seq_out, data)) { + DBG1(DBG_TLS, "TLS record encryption failed"); + chunk_free(data); return FAILED; } - if (this->crypter_out) - { - chunk_t padding, iv; - u_int8_t bs, padding_length; - - bs = this->crypter_out->get_block_size(this->crypter_out); - padding_length = bs - ((data->len + mac.len + 1) % bs); - - padding = chunk_alloca(padding_length); - memset(padding.ptr, padding_length, padding.len); - - if (this->iv_out.len) - { /* < TLSv1.1 uses IV from key derivation/last block */ - iv = this->iv_out; - } - else - { /* TLSv1.1 uses random IVs, prepended to record */ - iv.len = this->crypter_out->get_iv_size(this->crypter_out); - if (!this->rng || - !this->rng->allocate_bytes(this->rng, iv.len, &iv)) - { - DBG1(DBG_TLS, "failed to generate TLS IV"); - free(data->ptr); - return FAILED; - } - } - - *data = chunk_cat("mmcc", *data, mac, padding, - chunk_from_thing(padding_length)); - /* encrypt inline */ - if (!this->crypter_out->encrypt(this->crypter_out, *data, - iv, NULL)) - { - if (!this->iv_out.len) - { - free(iv.ptr); - } - free(data->ptr); - return FAILED; - } - - if (this->iv_out.len) - { /* next record IV is last ciphertext block of this record */ - memcpy(this->iv_out.ptr, data->ptr + data->len - - this->iv_out.len, this->iv_out.len); - } - else - { /* prepend IV */ - *data = chunk_cat("mm", iv, *data); - } - } - else - { /* NULL encryption */ - *data = chunk_cat("mm", *data, mac); - } } this->seq_out++; } @@ -293,24 +125,15 @@ METHOD(tls_protection_t, build, status_t, } METHOD(tls_protection_t, set_cipher, void, - private_tls_protection_t *this, bool inbound, signer_t *signer, - crypter_t *crypter, chunk_t iv) + private_tls_protection_t *this, bool inbound, tls_aead_t *aead) { if (inbound) { - this->signer_in = signer; - this->crypter_in = crypter; - this->iv_in = iv; + this->aead_in = aead; } else { - this->signer_out = signer; - this->crypter_out = crypter; - this->iv_out = iv; - if (!iv.len) - { /* generate IVs if none given */ - this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - } + this->aead_out = aead; } } @@ -323,7 +146,6 @@ METHOD(tls_protection_t, set_version, void, METHOD(tls_protection_t, destroy, void, private_tls_protection_t *this) { - DESTROY_IF(this->rng); free(this); } diff --git a/src/libtls/tls_protection.h b/src/libtls/tls_protection.h index 05cf3df45..3280fb5a9 100644 --- a/src/libtls/tls_protection.h +++ b/src/libtls/tls_protection.h @@ -26,6 +26,7 @@ typedef struct tls_protection_t tls_protection_t; #include "tls.h" +#include "tls_aead.h" #include "tls_alert.h" #include "tls_compression.h" @@ -62,15 +63,12 @@ struct tls_protection_t { tls_content_type_t *type, chunk_t *data); /** - * Set a new cipher, including encryption and integrity algorithms. + * Set a new transforms to use at protection layer * * @param inbound TRUE to use cipher for inbound data, FALSE for outbound - * @param signer new signer to use, gets owned by protection layer - * @param crypter new crypter to use, gets owned by protection layer - * @param iv initial IV for crypter, gets owned by protection layer + * @param aead new AEAD transform */ - void (*set_cipher)(tls_protection_t *this, bool inbound, signer_t *signer, - crypter_t *crypter, chunk_t iv); + void (*set_cipher)(tls_protection_t *this, bool inbound, tls_aead_t *aead); /** * Set the TLS version negotiated, used for MAC calculation. diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c index 19232750b..648771e75 100644 --- a/src/libtls/tls_socket.c +++ b/src/libtls/tls_socket.c @@ -406,9 +406,11 @@ METHOD(tls_socket_t, destroy, void, * See header */ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, - identification_t *peer, int fd, tls_cache_t *cache) + identification_t *peer, int fd, tls_cache_t *cache, + tls_version_t max_version, bool nullok) { private_tls_socket_t *this; + tls_purpose_t purpose; INIT(this, .public = { @@ -430,13 +432,23 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, .fd = fd, ); - this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC, + if (nullok) + { + purpose = TLS_PURPOSE_GENERIC_NULLOK; + } + else + { + purpose = TLS_PURPOSE_GENERIC; + } + + this->tls = tls_create(is_server, server, peer, purpose, &this->app.application, cache); if (!this->tls) { free(this); return NULL; } + this->tls->set_version(this->tls, max_version); return &this->public; } diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h index 75130a4d3..0d4db3b41 100644 --- a/src/libtls/tls_socket.h +++ b/src/libtls/tls_socket.h @@ -104,9 +104,12 @@ struct tls_socket_t { * @param peer client identity, NULL for no client authentication * @param fd socket to read/write from * @param cache session cache to use, or NULL + * @param max_version maximun TLS version to negotiate + * @param nullok accept NULL encryption ciphers * @return TLS socket wrapper */ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, - identification_t *peer, int fd, tls_cache_t *cache); + identification_t *peer, int fd, tls_cache_t *cache, + tls_version_t max_version, bool nullok); #endif /** TLS_SOCKET_H_ @}*/ diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in index 745850ac1..bf37bc688 100644 --- a/src/libtnccs/Makefile.in +++ b/src/libtnccs/Makefile.in @@ -425,7 +425,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in index 1f839853c..11a3952ce 100644 --- a/src/libtnccs/plugins/tnc_imc/Makefile.in +++ b/src/libtnccs/plugins/tnc_imc/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in index 45c3569ac..cef45abc2 100644 --- a/src/libtnccs/plugins/tnc_imv/Makefile.in +++ b/src/libtnccs/plugins/tnc_imv/Makefile.in @@ -376,7 +376,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in index 21ed94de2..bba53f53f 100644 --- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in +++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in index 7b4d53ed2..182d1ddce 100644 --- a/src/libtnccs/plugins/tnccs_11/Makefile.in +++ b/src/libtnccs/plugins/tnccs_11/Makefile.in @@ -385,7 +385,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in index 63010c301..468f21780 100644 --- a/src/libtnccs/plugins/tnccs_20/Makefile.in +++ b/src/libtnccs/plugins/tnccs_20/Makefile.in @@ -386,7 +386,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in index 6a99188ef..7327202aa 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in +++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in @@ -375,7 +375,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in index 66ac31127..de76a6eee 100644 --- a/src/libtncif/Makefile.in +++ b/src/libtncif/Makefile.in @@ -337,7 +337,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 08033c461..04db56931 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -389,7 +389,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 5452a419a..d26237b7b 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -378,7 +378,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am deleted file mode 100644 index 78a466bd6..000000000 --- a/src/openac/Makefile.am +++ /dev/null @@ -1,11 +0,0 @@ -ipsec_PROGRAMS = openac -openac_SOURCES = openac.c -dist_man_MANS = openac.8 - -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -DIPSEC_CONFDIR=\"${sysconfdir}\" \ - -DPLUGINS=\""${openac_plugins}\"" - -openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -openac.o : $(top_builddir)/config.status diff --git a/src/openac/openac.8 b/src/openac/openac.8 deleted file mode 100644 index ed1b8ed6c..000000000 --- a/src/openac/openac.8 +++ /dev/null @@ -1,165 +0,0 @@ -.TH IPSEC_OPENAC 8 "22 September 2007" -.SH NAME -ipsec openac \- Generation of X.509 attribute certificates -.SH SYNOPSIS -.B ipsec -.B openac -[ -.B \-\-help -] [ -.B \-\-version -] [ -.B \-\-optionsfrom -\fIfilename\fP -] -.br -\ \ \ [ -.B \-\-quiet -] [ -.B \-\-debug -\fIlevel\fP -] -.br -\ \ \ [ -.B \-\-days -\fIdays\fP -] [ -.B \-\-hours -\fIhours\fP -] -.br -\ \ \ [ -.B \-\-startdate -\fIYYYYMMDDHHMMSSZ\fP -] [ -.B \-\-stopdate -\fIYYYYMMDDHHMMSSZ\fP -] -.br -.B \ \ \ \-\-cert -\fIcertfile\fP -.B \-\-key -\fIkeyfile\fP -[ -.B \-\-password -\fIpassword\fP -] -.br -.B \ \ \ \-\-usercert -\fIcertfile\fP -.B \-\-groups -\fIattr1,attr2,...\fP -.B \-\-out -\fIfilename\fP -.SH DESCRIPTION -.BR openac -is intended to be used by an Authorization Authority (AA) to generate and sign -X.509 attribute certificates. Currently only the inclusion of one ore several group -attributes is supported. An attribute certificate is linked to a holder by -including the issuer and serial number of the holder's X.509 certificate. -.SH OPTIONS -.TP -\fB\-\-help\fP -display the usage message. -.TP -\fB\-\-version\fP -display the version of \fBopenac\fP. -.TP -\fB\-\-optionsfrom\fP\ \fIfilename\fP -adds the contents of the file to the argument list. -If \fIfilename\fP is a relative path then the file is searched in the directory -\fI/etc/openac\fP. -.TP -\fB\-\-quiet\fP -By default \fBopenac\fP logs all control output both to syslog and stderr. -With the \fB\-\-quiet\fP option no output is written to stderr. -.TP -\fB\-\-days\fP\ \fIdays\fP -Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor -the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed. -The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option. -.TP -\fB\-\-hours\fP\ \fIhours\fP -Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor -the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed. -The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option. -.TP -\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP -defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid. -The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). -If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default. - -.TP -\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP -defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire. -The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). -If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed -by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options -to the \fBnotBefore\fP date. -.TP -\fB\-\-cert\fP\ \fIcertfile\fP -specifies the file containing the X.509 certificate of the Authorization Authority. -The certificate is stored either in PEM or DER format. -.TP -\fB\-\-key\fP\ \fIkeyfile\fP -specifies the encrypted file containing the private RSA key of the Authoritzation -Authority. The private key is stored in PKCS#1 format. -.TP -\fB\-\-password\fP\ \fIpassword\fP -specifies the password with which the private RSA keyfile defined by the -\fB\-\-key\fP option has been protected. If the option is missing then the -password is prompted for on the command line. -.TP -\fB\-\-usercert\fP\ \fIcertfile\fP -specifies file containing the X.509 certificate of the user to which the generated attribute -certificate will apply. The certificate file is stored either in PEM or DER format. -.TP -\fB\-\-groups\fP\ \fIattr1,attr2\fP -specifies a comma-separated list of group attributes that will go into the -X.509 attribute certificate. -.TP -\fB\-\-out\fP\ \fIfilename\fP -specifies the file where the generated X.509 attribute certificate will be stored to. -.SS Debugging -.LP -\fBopenac\fP produces a prodigious amount of debugging information. To do so, -it must be compiled with \-DDEBUG. There are several classes of debugging output, -and \fBopenac\fP may be directed to produce a selection of them. All lines of -debugging output are prefixed with ``|\ '' to distinguish them from error messages. -.LP -When \fBopenac\fP is invoked, it may be given arguments to specify -which classes to output. The current options are: -.TP -\fB\-\-debug\fP\ \fIlevel\fP -sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private), -the default level being 1. -.SH EXIT STATUS -.LP -The execution of \fBopenac\fP terminates with one of the following two exit codes: -.TP -0 -means that the attribute certificate was successfully generated and stored. -.TP -1 -means that something went wrong. -.SH FILES -\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate -.SH SEE ALSO -.LP -The X.509 attribute certificates generated with \fBopenac\fP can be used to -enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8) -to load and list X.509 attribute certificates. -.LP -For more information on X.509 attribute certificates, refer to the following -IETF RFC: -.IP -RFC 3281 An Internet Attribute Certificate Profile for Authorization -.SH HISTORY -The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi. -The software was recoded by Andreas Steffen using strongSwan's X.509 library and -the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen. -All authors were with the Zurich University of Applied Sciences in Winterthur, -Switzerland. -.LP -.SH BUGS -Bugs should be reported to the <users@lists.strongswan.org> mailing list. diff --git a/src/openac/openac.c b/src/openac/openac.c deleted file mode 100644 index 8862e9ab0..000000000 --- a/src/openac/openac.c +++ /dev/null @@ -1,551 +0,0 @@ -/** - * @file openac.c - * - * @brief Generation of X.509 attribute certificates. - * - */ - -/* - * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler - * Copyright (C) 2004,2007 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <unistd.h> -#include <getopt.h> -#include <ctype.h> -#include <time.h> -#include <errno.h> - -#include <library.h> -#include <utils/debug.h> -#include <asn1/asn1.h> -#include <credentials/certificates/x509.h> -#include <credentials/certificates/ac.h> -#include <credentials/keys/private_key.h> -#include <credentials/sets/mem_cred.h> -#include <utils/optionsfrom.h> - -#define OPENAC_PATH IPSEC_CONFDIR "/openac" -#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial" - -#define DEFAULT_VALIDITY 24*3600 /* seconds */ - -/** - * @brief prints the usage of the program to the stderr - */ -static void usage(const char *message) -{ - if (message != NULL && *message != '\0') - { - fprintf(stderr, "%s\n", message); - } - fprintf(stderr, "Usage: openac" - " [--help]" - " [--version]" - " [--optionsfrom <filename>]" - " [--quiet]" - " \\\n\t" - " [--debug <level 0..4>]" - " \\\n\t" - " [--days <days>]" - " [--hours <hours>]" - " \\\n\t" - " [--startdate <YYYYMMDDHHMMSSZ>]" - " [--enddate <YYYYMMDDHHMMSSZ>]" - " \\\n\t" - " --cert <certfile>" - " --key <keyfile>" - " [--password <password>]" - " \\\n\t" - " --usercert <certfile>" - " --groups <attr1,attr2,..>" - " --out <filename>" - "\n" - ); -} - -/** - * read the last serial number from file - */ -static chunk_t read_serial(void) -{ - chunk_t hex, serial = chunk_empty; - char one[] = {0x01}; - FILE *fd; - - fd = fopen(OPENAC_SERIAL, "r"); - if (fd) - { - hex = chunk_alloca(64); - hex.len = fread(hex.ptr, 1, hex.len, fd); - if (hex.len) - { - /* remove any terminating newline character */ - if (hex.ptr[hex.len-1] == '\n') - { - hex.len--; - } - serial = chunk_alloca((hex.len / 2) + (hex.len % 2)); - serial = chunk_from_hex(hex, serial.ptr); - } - fclose(fd); - } - else - { - DBG1(DBG_LIB, " file '%s' does not exist yet - serial number " - "set to 01", OPENAC_SERIAL); - } - if (!serial.len) - { - return chunk_clone(chunk_create(one, 1)); - } - if (chunk_increment(serial)) - { /* overflow, prepend 0x01 */ - return chunk_cat("cc", chunk_create(one, 1), serial); - } - return chunk_clone(serial); -} - -/** - * write back the last serial number to file - */ -static void write_serial(chunk_t serial) -{ - FILE *fd = fopen(OPENAC_SERIAL, "w"); - - if (fd) - { - chunk_t hex_serial; - - DBG1(DBG_LIB, " serial number is %#B", &serial); - hex_serial = chunk_to_hex(serial, NULL, FALSE); - fprintf(fd, "%.*s\n", (int)hex_serial.len, hex_serial.ptr); - fclose(fd); - free(hex_serial.ptr); - } - else - { - DBG1(DBG_LIB, " could not open file '%s' for writing", OPENAC_SERIAL); - } -} - -/** - * global variables accessible by both main() and build.c - */ - -static int debug_level = 1; -static bool stderr_quiet = FALSE; - -/** - * openac dbg function - */ -static void openac_dbg(debug_t group, level_t level, char *fmt, ...) -{ - int priority = LOG_INFO; - char buffer[8192]; - char *current = buffer, *next; - va_list args; - - if (level <= debug_level) - { - if (!stderr_quiet) - { - va_start(args, fmt); - vfprintf(stderr, fmt, args); - fprintf(stderr, "\n"); - va_end(args); - } - - /* write in memory buffer first */ - va_start(args, fmt); - vsnprintf(buffer, sizeof(buffer), fmt, args); - va_end(args); - - /* do a syslog with every line */ - while (current) - { - next = strchr(current, '\n'); - if (next) - { - *(next++) = '\0'; - } - syslog(priority, "%s\n", current); - current = next; - } - } -} - -/** - * @brief openac main program - * - * @param argc number of arguments - * @param argv pointer to the argument values - */ -int main(int argc, char **argv) -{ - certificate_t *attr_cert = NULL; - certificate_t *userCert = NULL; - certificate_t *signerCert = NULL; - private_key_t *signerKey = NULL; - - time_t notBefore = UNDEFINED_TIME; - time_t notAfter = UNDEFINED_TIME; - time_t validity = 0; - - char *keyfile = NULL; - char *certfile = NULL; - char *usercertfile = NULL; - char *outfile = NULL; - char *groups = ""; - char buf[BUF_LEN]; - - chunk_t passphrase = { buf, 0 }; - chunk_t serial = chunk_empty; - chunk_t attr_chunk = chunk_empty; - - int status = 1; - - /* enable openac debugging hook */ - dbg = openac_dbg; - - passphrase.ptr[0] = '\0'; - - openlog("openac", 0, LOG_AUTHPRIV); - - /* initialize library */ - atexit(library_deinit); - if (!library_init(NULL, "openac")) - { - exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); - } - if (lib->integrity && - !lib->integrity->check_file(lib->integrity, "openac", argv[0])) - { - fprintf(stderr, "integrity check of openac failed\n"); - exit(SS_RC_DAEMON_INTEGRITY); - } - if (!lib->plugins->load(lib->plugins, - lib->settings->get_str(lib->settings, "openac.load", PLUGINS))) - { - exit(SS_RC_INITIALIZATION_FAILED); - } - - /* initialize optionsfrom */ - options_t *options = options_create(); - - /* handle arguments */ - for (;;) - { - static const struct option long_opts[] = { - /* name, has_arg, flag, val */ - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, 'v' }, - { "optionsfrom", required_argument, NULL, '+' }, - { "quiet", no_argument, NULL, 'q' }, - { "cert", required_argument, NULL, 'c' }, - { "key", required_argument, NULL, 'k' }, - { "password", required_argument, NULL, 'p' }, - { "usercert", required_argument, NULL, 'u' }, - { "groups", required_argument, NULL, 'g' }, - { "days", required_argument, NULL, 'D' }, - { "hours", required_argument, NULL, 'H' }, - { "startdate", required_argument, NULL, 'S' }, - { "enddate", required_argument, NULL, 'E' }, - { "out", required_argument, NULL, 'o' }, - { "debug", required_argument, NULL, 'd' }, - { 0,0,0,0 } - }; - - int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL); - - /* Note: "breaking" from case terminates loop */ - switch (c) - { - case EOF: /* end of flags */ - break; - - case 0: /* long option already handled */ - continue; - - case ':': /* diagnostic already printed by getopt_long */ - case '?': /* diagnostic already printed by getopt_long */ - case 'h': /* --help */ - usage(NULL); - status = 1; - goto end; - - case 'v': /* --version */ - printf("openac (strongSwan %s)\n", VERSION); - status = 0; - goto end; - - case '+': /* --optionsfrom <filename> */ - { - char path[BUF_LEN]; - - if (*optarg == '/') /* absolute pathname */ - { - strncpy(path, optarg, BUF_LEN); - path[BUF_LEN-1] = '\0'; - } - else /* relative pathname */ - { - snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg); - } - if (!options->from(options, path, &argc, &argv, optind)) - { - status = 1; - goto end; - } - } - continue; - - case 'q': /* --quiet */ - stderr_quiet = TRUE; - continue; - - case 'c': /* --cert */ - certfile = optarg; - continue; - - case 'k': /* --key */ - keyfile = optarg; - continue; - - case 'p': /* --key */ - if (strlen(optarg) >= BUF_LEN) - { - usage("passphrase too long"); - goto end; - } - strncpy(passphrase.ptr, optarg, BUF_LEN); - passphrase.len = min(strlen(optarg), BUF_LEN); - continue; - - case 'u': /* --usercert */ - usercertfile = optarg; - continue; - - case 'g': /* --groups */ - groups = optarg; - continue; - - case 'D': /* --days */ - if (optarg == NULL || !isdigit(optarg[0])) - { - usage("missing number of days"); - goto end; - } - else - { - char *endptr; - long days = strtol(optarg, &endptr, 0); - - if (*endptr != '\0' || endptr == optarg || days <= 0) - { - usage("<days> must be a positive number"); - goto end; - } - validity += 24*3600*days; - } - continue; - - case 'H': /* --hours */ - if (optarg == NULL || !isdigit(optarg[0])) - { - usage("missing number of hours"); - goto end; - } - else - { - char *endptr; - long hours = strtol(optarg, &endptr, 0); - - if (*endptr != '\0' || endptr == optarg || hours <= 0) - { - usage("<hours> must be a positive number"); - goto end; - } - validity += 3600*hours; - } - continue; - - case 'S': /* --startdate */ - if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') - { - usage("date format must be YYYYMMDDHHMMSSZ"); - goto end; - } - else - { - chunk_t date = { optarg, 15 }; - - notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME); - } - continue; - - case 'E': /* --enddate */ - if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') - { - usage("date format must be YYYYMMDDHHMMSSZ"); - goto end; - } - else - { - chunk_t date = { optarg, 15 }; - notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME); - } - continue; - - case 'o': /* --out */ - outfile = optarg; - continue; - - case 'd': /* --debug */ - debug_level = atoi(optarg); - continue; - - default: - usage(""); - status = 0; - goto end; - } - /* break from loop */ - break; - } - - if (optind != argc) - { - usage("unexpected argument"); - goto end; - } - - DBG1(DBG_LIB, "starting openac (strongSwan Version %s)", VERSION); - - /* load the signer's RSA private key */ - if (keyfile != NULL) - { - mem_cred_t *mem; - shared_key_t *shared; - - mem = mem_cred_create(); - lib->credmgr->add_set(lib->credmgr, &mem->set); - shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, - chunk_clone(passphrase)); - mem->add_shared(mem, shared, NULL); - signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_FROM_FILE, keyfile, - BUILD_END); - lib->credmgr->remove_set(lib->credmgr, &mem->set); - mem->destroy(mem); - if (signerKey == NULL) - { - goto end; - } - DBG1(DBG_LIB, " loaded private key file '%s'", keyfile); - } - - /* load the signer's X.509 certificate */ - if (certfile != NULL) - { - signerCert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, certfile, - BUILD_END); - if (signerCert == NULL) - { - goto end; - } - } - - /* load the users's X.509 certificate */ - if (usercertfile != NULL) - { - userCert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, usercertfile, - BUILD_END); - if (userCert == NULL) - { - goto end; - } - } - - /* compute validity interval */ - validity = (validity)? validity : DEFAULT_VALIDITY; - notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore; - notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter; - - /* build and parse attribute certificate */ - if (userCert != NULL && signerCert != NULL && signerKey != NULL && - outfile != NULL) - { - /* read the serial number and increment it by one */ - serial = read_serial(); - - attr_cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_AC, - BUILD_CERT, userCert, - BUILD_NOT_BEFORE_TIME, notBefore, - BUILD_NOT_AFTER_TIME, notAfter, - BUILD_SERIAL, serial, - BUILD_IETF_GROUP_ATTR, groups, - BUILD_SIGNING_CERT, signerCert, - BUILD_SIGNING_KEY, signerKey, - BUILD_END); - if (!attr_cert) - { - goto end; - } - - /* write the attribute certificate to file */ - if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk)) - { - if (chunk_write(attr_chunk, outfile, 0022, TRUE)) - { - DBG1(DBG_APP, " written attribute cert file '%s' (%d bytes)", - outfile, attr_chunk.len); - write_serial(serial); - status = 0; - } - else - { - DBG1(DBG_APP, " writing attribute cert file '%s' failed: %s", - outfile, strerror(errno)); - } - } - } - else - { - usage("some of the mandatory parameters --usercert --cert --key --out " - "are missing"); - } - -end: - /* delete all dynamically allocated objects */ - DESTROY_IF(signerKey); - DESTROY_IF(signerCert); - DESTROY_IF(userCert); - DESTROY_IF(attr_cert); - free(attr_chunk.ptr); - free(serial.ptr); - closelog(); - dbg = dbg_default; - options->destroy(options); - exit(status); -} diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index efbed9b2b..266802cf7 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -11,6 +11,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/self.c \ commands/print.c \ commands/signcrl.c \ + commands/acert.c \ commands/pkcs7.c \ commands/verify.c diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 461d958da..2dd91e801 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -107,7 +107,8 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \ commands/keyid.$(OBJEXT) commands/pub.$(OBJEXT) \ commands/req.$(OBJEXT) commands/self.$(OBJEXT) \ commands/print.$(OBJEXT) commands/signcrl.$(OBJEXT) \ - commands/pkcs7.$(OBJEXT) commands/verify.$(OBJEXT) + commands/acert.$(OBJEXT) commands/pkcs7.$(OBJEXT) \ + commands/verify.$(OBJEXT) pki_OBJECTS = $(am_pki_OBJECTS) pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la AM_V_lt = $(am__v_lt_@AM_V@) @@ -386,7 +387,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -436,6 +436,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/self.c \ commands/print.c \ commands/signcrl.c \ + commands/acert.c \ commands/pkcs7.c \ commands/verify.c @@ -549,6 +550,8 @@ commands/print.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/signcrl.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/acert.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/verify.$(OBJEXT): commands/$(am__dirstamp) \ @@ -567,6 +570,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/acert.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/gen.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/issue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/keyid.Po@am__quote@ diff --git a/src/pki/command.c b/src/pki/command.c index b6966ee0b..075a2279a 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -200,7 +200,7 @@ int command_usage(char *error) fprintf(out, "usage:\n"); if (active == help_idx) { - for (i = 0; cmds[i].cmd; i++) + for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++) { fprintf(out, " pki --%-7s (-%c) %s\n", cmds[i].cmd, cmds[i].op, cmds[i].description); @@ -263,7 +263,7 @@ int command_dispatch(int c, char *v[]) build_opts(); op = getopt_long(c, v, command_optstring, command_opts, NULL); - for (i = 0; cmds[i].cmd; i++) + for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++) { if (cmds[i].op == op) { diff --git a/src/pki/command.h b/src/pki/command.h index 737f4658d..9cf036bf2 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -24,12 +24,12 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 11 +#define MAX_COMMANDS 12 /** * Maximum number of options in a command (+3) */ -#define MAX_OPTIONS 32 +#define MAX_OPTIONS 36 /** * Maximum number of usage summary lines (+1) diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c new file mode 100644 index 000000000..d49365db5 --- /dev/null +++ b/src/pki/commands/acert.c @@ -0,0 +1,292 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <time.h> +#include <errno.h> + +#include "pki.h" + +#include <utils/debug.h> +#include <asn1/asn1.h> +#include <collections/linked_list.h> +#include <credentials/certificates/certificate.h> +#include <credentials/certificates/x509.h> +#include <credentials/certificates/ac.h> + +/** + * Issue an attribute certificate + */ +static int acert() +{ + cred_encoding_type_t form = CERT_ASN1_DER; + hash_algorithm_t digest = HASH_SHA1; + certificate_t *ac = NULL, *cert = NULL, *issuer =NULL; + private_key_t *private = NULL; + public_key_t *public = NULL; + char *file = NULL, *hex = NULL, *issuercert = NULL, *issuerkey = NULL; + char *error = NULL, *keyid = NULL; + linked_list_t *groups; + chunk_t serial = chunk_empty, encoding = chunk_empty; + time_t not_before, not_after, lifetime = 24 * 60 * 60; + char *datenb = NULL, *datena = NULL, *dateform = NULL; + rng_t *rng; + char *arg; + + groups = linked_list_create(); + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + goto usage; + case 'g': + digest = enum_from_name(hash_algorithm_short_names, arg); + if (digest == -1) + { + error = "invalid --digest type"; + goto usage; + } + continue; + case 'i': + file = arg; + continue; + case 'm': + groups->insert_last(groups, arg); + continue; + case 'c': + issuercert = arg; + continue; + case 'k': + issuerkey = arg; + continue; + case 'x': + keyid = arg; + continue; + case 'l': + lifetime = atoi(arg) * 60 * 60; + if (!lifetime) + { + error = "invalid --lifetime value"; + goto usage; + } + continue; + case 'D': + dateform = arg; + continue; + case 'F': + datenb = arg; + continue; + case 'T': + datena = arg; + continue; + case 's': + hex = arg; + continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + error = "invalid output format"; + goto usage; + } + continue; + case EOF: + break; + default: + error = "invalid --acert option"; + goto usage; + } + break; + } + + if (!calculate_lifetime(dateform, datenb, datena, lifetime, + ¬_before, ¬_after)) + { + error = "invalid --not-before/after datetime"; + goto usage; + } + + if (!issuercert) + { + error = "--issuercert is required"; + goto usage; + } + if (!issuerkey && !keyid) + { + error = "--issuerkey or --issuerkeyid is required"; + goto usage; + } + + issuer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, issuercert, BUILD_END); + if (!issuer) + { + error = "parsing issuer certificate failed"; + goto end; + } + public = issuer->get_public_key(issuer); + if (!public) + { + error = "extracting issuer certificate public key failed"; + goto end; + } + if (issuerkey) + { + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + public->get_type(public), + BUILD_FROM_FILE, issuerkey, BUILD_END); + } + else + { + chunk_t chunk; + + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + free(chunk.ptr); + } + if (!private) + { + error = "loading issuer private key failed"; + goto end; + } + if (!private->belongs_to(private, public)) + { + error = "issuer private key does not match issuer certificate"; + goto end; + } + + if (hex) + { + serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL); + } + else + { + rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!rng) + { + error = "no random number generator found"; + goto end; + } + if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE)) + { + error = "failed to generate serial number"; + rng->destroy(rng); + goto end; + } + serial.ptr[0] &= 0x7F; + rng->destroy(rng); + } + + if (file) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, BUILD_END); + } + else + { + if (!chunk_from_fd(0, &encoding)) + { + fprintf(stderr, "%s: ", strerror(errno)); + error = "reading public key failed"; + goto end; + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB, encoding, BUILD_END); + chunk_free(&encoding); + } + if (!cert) + { + error = "parsing user certificate failed"; + goto end; + } + + ac = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_AC, + BUILD_CERT, cert, + BUILD_NOT_BEFORE_TIME, not_before, + BUILD_NOT_AFTER_TIME, not_after, + BUILD_SERIAL, serial, + BUILD_AC_GROUP_STRINGS, groups, + BUILD_SIGNING_CERT, issuer, + BUILD_SIGNING_KEY, private, + BUILD_END); + if (!ac) + { + error = "generating attribute certificate failed"; + goto end; + } + if (!ac->get_encoding(ac, form, &encoding)) + { + error = "encoding attribute certificate failed"; + goto end; + } + if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1) + { + error = "writing attribute certificate key failed"; + goto end; + } + +end: + DESTROY_IF(ac); + DESTROY_IF(cert); + DESTROY_IF(issuer); + DESTROY_IF(public); + DESTROY_IF(private); + groups->destroy(groups); + free(encoding.ptr); + free(serial.ptr); + + if (error) + { + fprintf(stderr, "%s\n", error); + return 1; + } + return 0; + +usage: + groups->destroy(groups); + return command_usage(error); +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + acert, 'z', "acert", + "issue an attribute certificate", + {"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex", + " --issuercert file [--serial hex] [--lifetime hours]", + " [--not-before datetime] [--not-after datetime] [--dateform form]", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + { + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "holder certificate, default: stdin"}, + {"group", 'm', 1, "group membership string to include"}, + {"issuercert", 'c', 1, "issuer certificate file"}, + {"issuerkey", 'k', 1, "issuer private key file"}, + {"issuerkeyid", 'x', 1, "keyid on smartcard of issuer private key"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"lifetime", 'l', 1, "hours the acert is valid, default: 24"}, + {"not-before", 'F', 1, "date/time the validity of the AC starts"}, + {"not-after", 'T', 1, "date/time the validity of the AC ends"}, + {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, + } + }); +} diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index d5c33b89f..d03326e3d 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -72,8 +72,8 @@ static int issue() int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; - time_t lifetime = 1095; - time_t not_before, not_after; + time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60; + char *datenb = NULL, *datena = NULL, *dateform = NULL; x509_flag_t flags = 0; x509_t *x509; x509_cdp_t *cdp = NULL; @@ -132,13 +132,22 @@ static int issue() san->insert_last(san, identification_create_from_string(arg)); continue; case 'l': - lifetime = atoi(arg); + lifetime = atoi(arg) * 24 * 60 * 60; if (!lifetime) { error = "invalid --lifetime value"; goto usage; } continue; + case 'D': + dateform = arg; + continue; + case 'F': + datenb = arg; + continue; + case 'T': + datena = arg; + continue; case 's': hex = arg; continue; @@ -242,6 +251,10 @@ static int issue() { flags |= X509_OCSP_SIGNER; } + else if (streq(arg, "msSmartcardLogon")) + { + flags |= X509_MS_SMARTCARD_LOGON; + } continue; case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) @@ -285,6 +298,12 @@ static int issue() error = "--cakey or --keyid is required"; goto usage; } + if (!calculate_lifetime(dateform, datenb, datena, lifetime, + ¬_before, ¬_after)) + { + error = "invalid --not-before/after datetime"; + goto usage; + } if (dn && *dn) { id = identification_create_from_string(dn); @@ -363,6 +382,7 @@ static int issue() rng->destroy(rng); goto end; } + serial.ptr[0] &= 0x7F; rng->destroy(rng); } @@ -454,9 +474,6 @@ static int issue() chunk_from_chars(ASN1_SEQUENCE, 0)); } - not_before = time(NULL); - not_after = not_before + lifetime * 24 * 60 * 60; - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id, @@ -536,7 +553,7 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex", " --cacert file [--dn subject-dn] [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--pathlen len]", - "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]", "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]", "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", @@ -552,6 +569,9 @@ static void __attribute__ ((constructor))reg() {"dn", 'd', 1, "distinguished name to include as subject"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, + {"not-before", 'F', 1, "date/time the validity of the cert starts"}, + {"not-after", 'T', 1, "date/time the validity of the cert ends"}, + {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"}, {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index 077c1ef3e..15ace035d 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -16,9 +16,11 @@ #include "pki.h" #include <asn1/asn1.h> +#include <asn1/oid.h> #include <credentials/certificates/certificate.h> #include <credentials/certificates/x509.h> #include <credentials/certificates/crl.h> +#include <credentials/certificates/ac.h> #include <selectors/traffic_selector.h> #include <time.h> @@ -138,6 +140,10 @@ static void print_x509(x509_t *x509) { printf("iKEIntermediate "); } + if (flags & X509_MS_SMARTCARD_LOGON) + { + printf("msSmartcardLogon "); + } if (flags & X509_SELF_SIGNED) { printf("self-signed "); @@ -388,6 +394,85 @@ static void print_crl(crl_t *crl) } /** + * Print AC specific information + */ +static void print_ac(ac_t *ac) +{ + ac_group_type_t type; + identification_t *id; + enumerator_t *groups; + chunk_t chunk; + bool first = TRUE; + + chunk = chunk_skip_zero(ac->get_serial(ac)); + printf("serial: %#B\n", &chunk); + + id = ac->get_holderIssuer(ac); + if (id) + { + printf("hissuer: \"%Y\"\n", id); + } + chunk = chunk_skip_zero(ac->get_holderSerial(ac)); + if (chunk.ptr) + { + printf("hserial: %#B\n", &chunk); + } + groups = ac->create_group_enumerator(ac); + while (groups->enumerate(groups, &type, &chunk)) + { + int oid; + char *str; + + if (first) + { + printf("groups: "); + first = FALSE; + } + else + { + printf(" "); + } + switch (type) + { + case AC_GROUP_TYPE_STRING: + printf("%.*s", (int)chunk.len, chunk.ptr); + break; + case AC_GROUP_TYPE_OID: + oid = asn1_known_oid(chunk); + if (oid == OID_UNKNOWN) + { + str = asn1_oid_to_string(chunk); + if (str) + { + printf("%s", str); + free(str); + } + else + { + printf("OID:%#B", &chunk); + } + } + else + { + printf("%s", oid_names[oid].name); + } + break; + case AC_GROUP_TYPE_OCTETS: + printf("%#B", &chunk); + break; + } + printf("\n"); + } + groups->destroy(groups); + + chunk = ac->get_authKeyIdentifier(ac); + if (chunk.ptr) + { + printf("authkey: %#B\n", &chunk); + } +} + +/** * Print certificate information */ static void print_cert(certificate_t *cert) @@ -432,6 +517,9 @@ static void print_cert(certificate_t *cert) case CERT_X509_CRL: print_crl((crl_t*)cert); break; + case CERT_X509_AC: + print_ac((ac_t*)cert); + break; default: printf("parsing certificate subtype %N not implemented\n", certificate_type_names, cert->get_type(cert)); @@ -472,6 +560,11 @@ static int print() type = CRED_CERTIFICATE; subtype = CERT_X509_CRL; } + else if (streq(arg, "ac")) + { + type = CRED_CERTIFICATE; + subtype = CERT_X509_AC; + } else if (streq(arg, "pub")) { type = CRED_PUBLIC_KEY; @@ -558,7 +651,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { print, 'a', "print", "print a credential in a human readable form", - {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl]"}, + {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl|ac]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index c28c9c291..a35a42b89 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -60,8 +60,8 @@ static int self() int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; - time_t lifetime = 1095; - time_t not_before, not_after; + time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60; + char *datenb = NULL, *datena = NULL, *dateform = NULL; x509_flag_t flags = 0; x509_cert_policy_t *policy = NULL; char *arg; @@ -115,13 +115,22 @@ static int self() san->insert_last(san, identification_create_from_string(arg)); continue; case 'l': - lifetime = atoi(arg); + lifetime = atoi(arg) * 24 * 60 * 60; if (!lifetime) { error = "invalid --lifetime value"; goto usage; } continue; + case 'D': + dateform = arg; + continue; + case 'F': + datenb = arg; + continue; + case 'T': + datena = arg; + continue; case 's': hex = arg; continue; @@ -225,6 +234,10 @@ static int self() { flags |= X509_OCSP_SIGNER; } + else if (streq(arg, "msSmartcardLogon")) + { + flags |= X509_MS_SMARTCARD_LOGON; + } continue; case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) @@ -250,6 +263,12 @@ static int self() error = "--dn is required"; goto usage; } + if (!calculate_lifetime(dateform, datenb, datena, lifetime, + ¬_before, ¬_after)) + { + error = "invalid --not-before/after datetime"; + goto usage; + } id = identification_create_from_string(dn); if (id->get_type(id) != ID_DER_ASN1_DN) { @@ -314,10 +333,9 @@ static int self() rng->destroy(rng); goto end; } + serial.ptr[0] &= 0x7F; rng->destroy(rng); } - not_before = time(NULL); - not_after = not_before + lifetime * 24 * 60 * 60; cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before, @@ -391,7 +409,7 @@ static void __attribute__ ((constructor))reg() {" [--in file|--keyid hex] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", - "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", "[--nc-permitted name] [--nc-excluded name]", "[--policy-map issuer-oid:subject-oid]", "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", @@ -405,6 +423,9 @@ static void __attribute__ ((constructor))reg() {"dn", 'd', 1, "subject and issuer distinguished name"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, + {"not-before", 'F', 1, "date/time the validity of the cert starts"}, + {"not-after", 'T', 1, "date/time the validity of the cert ends"}, + {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"}, {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 4f9dd291d..c9eebbf59 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -124,7 +124,8 @@ static int sign_crl() int serial_len = 0; crl_reason_t reason = CRL_REASON_UNSPECIFIED; time_t thisUpdate, nextUpdate, date = time(NULL); - time_t lifetime = 15; + time_t lifetime = 15 * 24 * 60 * 60; + char *datetu = NULL, *datenu = NULL, *dateform = NULL; linked_list_t *list, *cdps; enumerator_t *enumerator, *lastenum = NULL; x509_cdp_t *cdp; @@ -161,13 +162,22 @@ static int sign_crl() lastupdate = arg; continue; case 'l': - lifetime = atoi(arg); + lifetime = atoi(arg) * 24 * 60 * 60; if (!lifetime) { - error = "invalid lifetime"; + error = "invalid --lifetime value"; goto usage; } continue; + case 'D': + dateform = arg; + continue; + case 'F': + datetu = arg; + continue; + case 'T': + datenu = arg; + continue; case 'z': serial_len = read_serial(arg, serial, sizeof(serial)); if (serial_len < 0) @@ -275,6 +285,12 @@ static int sign_crl() error = "--cakey or --keyid is required"; goto usage; } + if (!calculate_lifetime(dateform, datetu, datenu, lifetime, + &thisUpdate, &nextUpdate)) + { + error = "invalid --this/next-update datetime"; + goto usage; + } ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, cacert, BUILD_END); @@ -321,9 +337,6 @@ static int sign_crl() goto error; } - thisUpdate = time(NULL); - nextUpdate = thisUpdate + lifetime * 24 * 60 * 60; - if (basecrl) { lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, @@ -442,6 +455,9 @@ static void __attribute__ ((constructor))reg() {"cakey", 'k', 1, "CA private key file"}, {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, {"lifetime", 'l', 1, "days the CRL gets a nextUpdate, default: 15"}, + {"this-update", 'F', 1, "date/time the validity of the CRL starts"}, + {"next-update", 'T', 1, "date/time the validity of the CRL ends"}, + {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"}, {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, {"basecrl", 'b', 1, "base CRL to create a delta CRL for"}, {"crluri", 'u', 1, "freshest delta CRL URI to include"}, diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am index 618bd4093..4c901ae3c 100644 --- a/src/pki/man/Makefile.am +++ b/src/pki/man/Makefile.am @@ -4,6 +4,7 @@ man1_MANS = \ pki---self.1 \ pki---issue.1 \ pki---signcrl.1 \ + pki---acert.1 \ pki---req.1 \ pki---pkcs7.1 \ pki---keyid.1 \ diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in index edbde85b5..5d901a87e 100644 --- a/src/pki/man/Makefile.in +++ b/src/pki/man/Makefile.in @@ -84,7 +84,7 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \ $(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \ $(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \ - $(srcdir)/pki---verify.1.in + $(srcdir)/pki---acert.1.in $(srcdir)/pki---verify.1.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -102,7 +102,7 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \ pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \ - pki---self.1 pki---signcrl.1 pki---verify.1 + pki---self.1 pki---signcrl.1 pki---acert.1 pki---verify.1 CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -325,7 +325,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -371,6 +370,7 @@ man1_MANS = \ pki---self.1 \ pki---issue.1 \ pki---signcrl.1 \ + pki---acert.1 \ pki---req.1 \ pki---pkcs7.1 \ pki---keyid.1 \ @@ -432,6 +432,8 @@ pki---self.1: $(top_builddir)/config.status $(srcdir)/pki---self.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---signcrl.1: $(top_builddir)/config.status $(srcdir)/pki---signcrl.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +pki---acert.1: $(top_builddir)/config.status $(srcdir)/pki---acert.1.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ pki---verify.1: $(top_builddir)/config.status $(srcdir)/pki---verify.1.in cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in new file mode 100644 index 000000000..ec1d8be6e --- /dev/null +++ b/src/pki/man/pki---acert.1.in @@ -0,0 +1,130 @@ +.TH "PKI \-\-ACERT" 1 "2014-02-05" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-acert \- Issue an attribute certificate +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-acert +.OP \-\-in file +.OP \-\-group membership +.BI \-\-issuerkey\~ file |\-\-issuerkeyid\~ hex +.BI \-\-issuercert\~ file +.OP \-\-lifetime hours +.OP \-\-not-before datetime +.OP \-\-not-after datetime +.OP \-\-serial hex +.OP \-\-digest digest +.OP \-\-outform encoding +.OP \-\-debug level +.YS +. +.SY pki\ \-\-acert +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-acert" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +is used to issue an attribute certificate using an issuer certificate with its +private key and the holder certificate. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-i, \-\-in " file +Holder certificate to issue an attribute certificate for. If not given the +certificate is read from \fISTDIN\fR. +.TP +.BI "\-m, \-\-group " membership +Group membership the attribute certificate shall certify. The specified group +is included as a string. To include multiple groups, the option can be repeated. +.TP +.BI "\-k, \-\-issuerkey " file +Issuer private key file. Either this or +.B \-\-issuerkeyid +is required. +.TP +.BI "\-x, \-\-issuerkeyid " hex +Key ID of a issuer private key on a smartcard. Either this or +.B \-\-issuerkey +is required. +.TP +.BI "\-c, \-\-issuercert " file +Issuer certificate file. Required. +.TP +.BI "\-l, \-\-lifetime " hours +Hours the attribute certificate is valid, default: 24. Ignored if both +an absolute start and end time are given. +.TP +.BI "\-F, \-\-not-before " datetime +Absolute time when the validity of the AC begins. The datetime format is +defined by the +.B \-\-dateform +option. +.TP +.BI "\-T, \-\-not-after " datetime +Absolute time when the validity of the AC ends. The datetime format is +defined by the +.B \-\-dateform +option. +.TP +.BI "\-D, \-\-dateform " form +strptime(3) format for the +.B \-\-not\-before +and +.B \-\-not\-after +options, default: +.B %d.%m.%y %T +.TP +.BI "\-s, \-\-serial " hex +Serial number in hex. It is randomly allocated by default. +.TP +.BI "\-g, \-\-digest " digest +Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to +\fIsha1\fR. +.TP +.BI "\-f, \-\-outform " encoding +Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or +\fIpem\fR (Base64 PEM), defaults to \fIder\fR. +. +.SH "EXAMPLES" +. +To save repetitive typing, command line options can be stored in files. +Lets assume +.I acert.opt +contains the following contents: +.PP +.EX + --issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4 +.EE +.PP +Then the following command can be used to issue an attribute certificate based +on a holder certificate and the options above: +.PP +.EX + pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem +.EE +.PP +. +.SH "SEE ALSO" +. +.BR pki (1) diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index 3fad1ae8a..375cb2fe4 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in @@ -14,6 +14,8 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key .OP \-\-dn subject-dn .OP \-\-san subjectAltName .OP \-\-lifetime days +.OP \-\-not-before datetime +.OP \-\-not-after datetime .OP \-\-serial hex .OP \-\-flag flag .OP \-\-digest digest @@ -88,7 +90,28 @@ Subject distinguished name (DN) of the issued certificate. subjectAltName extension to include in certificate. Can be used multiple times. .TP .BI "\-l, \-\-lifetime " days -Days the certificate is valid, default: 1095. +Days the certificate is valid, default: 1095. Ignored if both +an absolute start and end time are given. +.TP +.BI "\-F, \-\-not-before " datetime +Absolute time when the validity of the certificate begins. The datetime format +is defined by the +.B \-\-dateform +option. +.TP +.BI "\-T, \-\-not-after " datetime +Absolute time when the validity of the certificate ends. The datetime format is +defined by the +.B \-\-dateform +option. +.TP +.BI "\-D, \-\-dateform " form +strptime(3) format for the +.B \-\-not\-before +and +.B \-\-not\-after +options, default: +.B %d.%m.%y %T .TP .BI "\-s, \-\-serial " hex Serial number in hex. It is randomly allocated by default. @@ -176,4 +199,4 @@ given PKCS#10 certificate request and the options above: . .SH "SEE ALSO" . -.BR pki (1)
\ No newline at end of file +.BR pki (1) diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in index 8d3345edc..434d4ea16 100644 --- a/src/pki/man/pki---print.1.in +++ b/src/pki/man/pki---print.1.in @@ -46,8 +46,9 @@ Input file. If not given the input is read from \fISTDIN\fR. .BI "\-t, \-\-type " type Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR -(Certificate Revocation List, CRL), defaults to \fIx509\fR. +(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate), +defaults to \fIx509\fR. . .SH "SEE ALSO" . -.BR pki (1)
\ No newline at end of file +.BR pki (1) diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in index ee42cf9a0..5e6e78bd0 100644 --- a/src/pki/man/pki---self.1.in +++ b/src/pki/man/pki---self.1.in @@ -14,6 +14,8 @@ pki \-\-self \- Create a self-signed certificate .BI \-\-dn\~ distinguished-name .OP \-\-san subjectAltName .OP \-\-lifetime days +.OP \-\-not-before datetime +.OP \-\-not-after datetime .OP \-\-serial hex .OP \-\-flag flag .OP \-\-digest digest @@ -75,7 +77,28 @@ Subject and issuer distinguished name (DN). Required. subjectAltName extension to include in certificate. Can be used multiple times. .TP .BI "\-l, \-\-lifetime " days -Days the certificate is valid, default: 1095. +Days the certificate is valid, default: 1095. Ignored if both +an absolute start and end time are given. +.TP +.BI "\-F, \-\-not-before " datetime +Absolute time when the validity of the certificate begins. The datetime format +is defined by the +.B \-\-dateform +option. +.TP +.BI "\-T, \-\-not-after " datetime +Absolute time when the validity of the certificate ends. The datetime format is +defined by the +.B \-\-dateform +option. +.TP +.BI "\-D, \-\-dateform " form +strptime(3) format for the +.B \-\-not\-before +and +.B \-\-not\-after +options, default: +.B %d.%m.%y %T .TP .BI "\-s, \-\-serial " hex Serial number in hex. It is randomly allocated by default. @@ -145,4 +168,4 @@ Generate a self-signed certificate using the given RSA key: . .SH "SEE ALSO" . -.BR pki (1)
\ No newline at end of file +.BR pki (1) diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in index 6ba96f6bc..bd6cba547 100644 --- a/src/pki/man/pki---signcrl.1.in +++ b/src/pki/man/pki---signcrl.1.in @@ -10,6 +10,8 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific .BI \-\-cakey\~ file |\-\-cakeyid\~ hex .BI \-\-cacert\~ file .OP \-\-lifetime days +.OP \-\-this-update datetime +.OP \-\-next-update datetime .OP \-\-lastcrl crl .OP \-\-basecrl crl .OP \-\-crluri uri @@ -62,7 +64,28 @@ is required. CA certificate file. Required. .TP .BI "\-l, \-\-lifetime " days -Days until the CRL gets a nextUpdate, default: 15. +Days until the CRL gets a nextUpdate, default: 15. Ignored if both +an absolute start and end time are given. +.TP +.BI "\-F, \-\-this-update " datetime +Absolute time when the validity of the CRL begins. The datetime format is +defined by the +.B \-\-dateform +option. +.TP +.BI "\-T, \-\-next-update " datetime +Absolute time when the validity of the CRL end. The datetime format is +defined by the +.B \-\-dateform +option. +.TP +.BI "\-D, \-\-dateform " form +strptime(3) format for the +.B \-\-this\-update +and +.B \-\-next\-update +options, default: +.B %d.%m.%y %T .TP .BI "\-a, \-\-lastcrl " crl CRL of lastUpdate to copy revocations from. @@ -121,4 +144,4 @@ number, but no reason: .PP .SH "SEE ALSO" . -.BR pki (1)
\ No newline at end of file +.BR pki (1) diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in index 8dfc53af3..f347031b4 100644 --- a/src/pki/man/pki.1.in +++ b/src/pki/man/pki.1.in @@ -49,6 +49,9 @@ Issue a certificate using a CA certificate and key. .B "\-c, \-\-signcrl" Issue a CRL using a CA certificate and key. .TP +.B "\-z, \-\-acert" +Issue an attribute certificate. +.TP .B "\-r, \-\-req" Create a PKCS#10 certificate request. .TP @@ -148,6 +151,7 @@ certificates with the \-\-crl option. .BR pki\ \-\-self (1), .BR pki\ \-\-issue (1), .BR pki\ \-\-signcrl (1), +.BR pki\ \-\-acert (1), .BR pki\ \-\-req (1), .BR pki\ \-\-pkcs7 (1), .BR pki\ \-\-keyid (1), diff --git a/src/pki/pki.c b/src/pki/pki.c index eb614dd7f..ae4ef1cb0 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c @@ -13,9 +13,11 @@ * for more details. */ +#define _GNU_SOURCE #include "command.h" #include "pki.h" +#include <time.h> #include <unistd.h> #include <utils/debug.h> @@ -102,6 +104,56 @@ bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type) } /** + * See header + */ +bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span, + time_t *nb, time_t *na) +{ + struct tm tm; + time_t now; + char *end; + + if (!format) + { + format = "%d.%m.%y %T"; + } + + now = time(NULL); + + localtime_r(&now, &tm); + if (nbstr) + { + end = strptime(nbstr, format, &tm); + if (end == NULL || *end != '\0') + { + return FALSE; + } + } + *nb = mktime(&tm); + + localtime_r(&now, &tm); + if (nastr) + { + end = strptime(nastr, format, &tm); + if (end == NULL || *end != '\0') + { + return FALSE; + } + } + *na = mktime(&tm); + + if (!nbstr && nastr) + { + *nb = *na - span; + } + else if (!nastr) + { + *na = *nb + span; + } + return TRUE; +} + +/** * Callback credential set pki uses */ static callback_cred_t *cb_set; @@ -188,4 +240,3 @@ int main(int argc, char *argv[]) atexit(remove_callback); return command_dispatch(argc, argv); } - diff --git a/src/pki/pki.h b/src/pki/pki.h index 09c50c6c2..616fac44a 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -33,4 +33,21 @@ */ bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type); +/** + * Calculate start/end lifetime for certificates. + * + * If both nbstr and nastr are given, span is ignored. Otherwise missing + * arguments are calculated, or assumed to be now. + * + * @param format strptime() format, NULL for default: %d.%m.%y %T + * @param nbstr string describing notBefore datetime, or NULL + * @param nastr string describing notAfter datetime, or NULL + * @param span lifetime span, from notBefore to notAfter + * @param nb calculated notBefore time + * @param na calculated notAfter time + * @return TRUE of nb/na calculated successfully + */ +bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span, + time_t *nb, time_t *na); + #endif /** PKI_H_ @}*/ diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in index 63489034f..e8caddc63 100644 --- a/src/pool/Makefile.in +++ b/src/pool/Makefile.in @@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in index 61dff904e..d9a8259e9 100644 --- a/src/pt-tls-client/Makefile.in +++ b/src/pt-tls-client/Makefile.in @@ -342,7 +342,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 06354da5f..524e05bd7 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -369,7 +369,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 7a9154d84..3f3200d64 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -366,7 +366,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index 0b285285b..61136e84a 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -341,7 +341,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/testing/Makefile.in b/testing/Makefile.in index 21858672b..f9acc24ad 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -286,7 +286,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/testing/do-tests b/testing/do-tests index 979cb487f..becb7f181 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -373,6 +373,15 @@ do done fi + ########################################################################## + # flush conntrack table on all hosts + # + + for host in $STRONGSWANHOSTS + do + ssh $SSHCONF root@`eval echo \\\$ipv4_$host` 'conntrack -F' >/dev/null 2>&1 + done + ########################################################################## # execute pre-test commands diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt index 728c18c12..5958a1347 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt +++ b/testing/hosts/winnetou/etc/openssl/index.txt @@ -37,3 +37,4 @@ V 161015124507Z 24 unknown /C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongsw V 161015124759Z 25 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org V 161015125030Z 26 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org V 170314064200Z 27 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org +R 190321135622Z 140322135700Z,CACompromise 28 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old index b9ab05a4f..a6d5a0828 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/index.txt.old @@ -36,3 +36,5 @@ V 151119165922Z 23 unknown /C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=m V 161015124507Z 24 unknown /C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org V 161015124759Z 25 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org V 161015125030Z 26 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org +V 170314064200Z 27 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org +V 190321135622Z 28 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/28.pem b/testing/hosts/winnetou/etc/openssl/newcerts/28.pem new file mode 100644 index 000000000..4d9fed09a --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/28.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE0MDMyMjEzNTYyMloXDTE5MDMyMTEzNTYyMlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAKHj4oUmSaG9u3QC +wjbETgexmKo6EViRjaf++QlK54ILHmPHCkN6Smzr5xpmi7P/FnBLqMlfMIQ3DCD7 +Fof/8SqaE/V9cP7TXK6c5vZHLoVU/NZW1A/HucMHSxd1DEiTfmrz8Q9RNb/r5adZ +Epbje7IRlufhpDD2hDNs1FyjmY9V9G4VfOBA/JBWlgs+A810uidNVD+YEFxDlIZG +6Kr0d5/WZowOUX7G8LUaa5kjoCS7MJONeEX2D/wtsx7Zw3f7GjFDdJfdi+CbAwBN +d8kt2l7yt7oEW9AfOcMQ7+HZOqihNrV8mCErk39p9f6zcZtYHnjM5fJlNRmc+EXC +mk13kTA= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem index 77f5bde52..dd6ed8e4b 100644 --- a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem +++ b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- -MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV +MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu -Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT +Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM @@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr -4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW -BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt -rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0 -cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww -GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw -FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN -BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ -9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI -zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V -14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL -lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v -1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg== +4qcCAwEAAaOCARYwggESMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0G +A1UdDgQWBBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJ +bwUSQJDtrfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9y +aXR5MRwwGgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkA5Dcz3FD7TswwHgYD +VR0RBBcwFYITb2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD +CTANBgkqhkiG9w0BAQsFAAOCAQEAp6nXN0kW1HduCfwJQ/JVs4PJMZ80na7l1ret +YBWy0PflqOOOMudLu4eWbMipLBkgly9WYXrZlvIVkPHXJ9YJHevy3Wn3DRefsJ9l +Zdrc3A1WclEEE5aK3uq+c/VK5oYBYNkSMOgwDzD18WoRpyUhUxwZTWMG27nutZfS +fl0P8pjkx+YC0nNJjK50hq7wcd2U2JBFl3WLtrjDpIyuYSaDhPMqCGYyNqrAuWTJ +T5cZWY8r5pKMRQLqKX+IOTHkhk0wS8U3o8TCBe5g2J9dDedDCz+/UAIq2rFPhXxE +FiVXHxDxr4APbVurgspe5jm36oNRSK1MAMrhYZDTle/caa2frA== -----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf index a614ff640..3939efc98 100644 --- a/testing/hosts/winnetou/etc/openssl/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf @@ -165,10 +165,12 @@ crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl [ ca_ext ] -basicConstraints = critical, CA:TRUE, pathlen:1 +basicConstraints = critical, CA:TRUE #, pathlen:1 keyUsage = cRLSign, keyCertSign subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always +#subjectAltName = DNS:$ENV::COMMON_NAME +#extendedKeyUsage = OCSPSigning #################################################################### diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt index 844e001c7..0565c768e 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt @@ -1,7 +1,9 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA -V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org -V 140323203747Z 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org +R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org +R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org +V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old index 3ebf4b191..8a0231b05 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old @@ -1,6 +1,8 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA -V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org -V 140323203747Z 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org +R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org +R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem new file mode 100644 index 000000000..8f7b7cc85 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/08.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEaDCCA1CgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MDYzM1oXDTE5MDMyMzE0MDYz +M1oweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm +BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT +HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6Jq9DciPtR5iC73URlc9qcqFl+QGeRDxDLCtnLqFjkuWv +0ul17qZH0iMwxbbRU1UZo2bANNwAmWxBcT6VNf84V9Dj9m9UwUTSfegrkN2RVBEH +cHm5higeJzC25C46S+VCTQkq8QxS2k34sA2sK6vys1XDgzwmDfT/GYyHf3nl0blR +GkrotmgVAsweUVQ7a5ThcWVf4d06F3mN5xxGWNxgNoVxZ5Ki6a9dMuQRrNh54qje +N1pulp0fZWxshWK0YrQSpPhKgz5kAflSnIwrdyjFdFS8WKpLOAkXV/NyZa6urUw7 +mz3owNCZJqCrYjC2JdTS3wUqRZhx1xyY2DO+laLJAgMBAAGjggEhMIIBHTAJBgNV +HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU/cGV4/+zOIk30UYg1R87H7V9 +GAgwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCASAwJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv +bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo +hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG +9w0BAQsFAAOCAQEAWyIL5QjvpT0SC1BHVItXbq06D0DwOUFfei4lLyuDZLpFYrNX +AujT6WqTdjki1Gx8GbOdz7YAoWVw61g9w8jKEwDg/UIKYGzjokXWzVg4v5eEakF+ ++APmZRpk9ezBZgvKZ3k49OaRvtWjUSUy6aZU+vfsdd2oO3JKyonJY05y+cm0N0qT +ytWMzX+Zig1NEArG2FnUTMPjudOCn0YiK41siFEaS9AHYXfsU3MhVer08PobmIKy +cLfhoXF+xpn8+DCp8fcAEt7sJX2us71XmQBxSpfFW4FeGjcye11YU4QRBFDMP47f +t5cybNEL+tLtcdJzPFxQlly0pc0w8BN4F6eY8w== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem new file mode 100644 index 000000000..94bf123d2 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/09.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID+DCCAuCgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MjM1MloXDTE5MDMyMzE0MjM1 +MlowYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW +BgNVBAsTD1Jlc2VhcmNoIG5vIENEUDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dh +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXPVagzyvHEGzA +6jWum0URx2TSMs8cM991OU3n8fkBiLEY9H8DUbjEZlZ0mgcxTOSXSmyqmW+10QCy +yHPBtR0kxNY/Bl/+QppnB7IpFCR9bsvA4bySYUbdlQWdIPGTmT1polGtoF1mPZ2r +JqN+Ai5jnFduJ+/189l8chqcz8KlJ2Jp72OaeYqQpgDfo63hqS71OzyY1Cu27vHl +ay186P+HW75yr5YMwxtYk/rZ6jHRMXFwmI+bq1vgpKYHTomaVCG3zDUD+1XsGVBX +u3z6qh6FaxxDPizT/fcCbYcYGbKjJw14JOqfddeAHZe+N41Wev0gAhOCIgUiMoxV +bbx0XkMzAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O +BBYEFHtMZgnElcGoYKmMUvCkQaloTKKfMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj +zMfIDynz3VQgoUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry +b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEgMB8GA1UdEQQY +MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCWS7T3 +Np88w0oHJAeMJUdfNGVSlhPFrtqnrNDqYleLEgY2XwJj6cxottILtvgJ+nbsT4uz +bp5Qk4pygNG3wESt0avGptgSs0Pued/CdHMyyFTrFw/RN7113eTHShDfTtnS0dhh +6AkI2lxFcNwrGMGh2CqdOyApDYqdm5qayk2CSKnoWOvEL1+SLyfy+XIYCFkarfbv +ZTCWeO/R8doQVZ+H2gW6NloYJVkUpfMHCqTpd9psAK+hvc/R+6eP03wmhAb8S4mK +OGdb8VOT7CAaL8f37vrDvj08nOG32j24/JOyrtS7vuAhP2QmDDF15XucygtgskRB +iQNoCoi+dBX92ol4 +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem index 279b4191d..8f7b7cc85 100644 --- a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem +++ b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem @@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEaDCCA1CgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MIIEaDCCA1CgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDMyNTIxMDMzMFoXDTEyMDMyMzIxMDMz -MFoweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MDYzM1oXDTE5MDMyMzE0MDYz +M1oweTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xKDAm BgNVBAsTH1Jlc2VhcmNoIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxJTAjBgNVBAMT HG9jc3AucmVzZWFyY2guc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCuXf1wGjBk5wthfyJcNgYu5uVdK9fqB7k5Qswy76M2JjZ2 -ECv8JZMvGDC9ciKwEqL3QkN+E90RusdCqgabAl2K3AvbR4VOpaCdy31pdPaKfRXA -TazIH0GG8T/BImWTuweFt0XmsCl65ShoVul0DHWTli4jOAgHIj6eoYlQpRI6CbZs -qdcGZJRWzZMPa86Q3i2nKAsOiWh7jg04uLFsWu+2uBYmsPSbKqZe76FY5m+PgAwo -h0bFJI9qy4aryvNZiFT1+t3hd/wt/ZXnqYX4WsZcGlPOlKZoiDlmXzU1K1YY71io -HUiH7QOYBYY+8+Mc5kwt/ropYEbfLfAENC7WV+8tAgMBAAGjggEhMIIBHTAJBgNV -HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU8xU4ukLOgkIafc7zHp5HlANw -5/4wbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV +A4IBDwAwggEKAoIBAQC6Jq9DciPtR5iC73URlc9qcqFl+QGeRDxDLCtnLqFjkuWv +0ul17qZH0iMwxbbRU1UZo2bANNwAmWxBcT6VNf84V9Dj9m9UwUTSfegrkN2RVBEH +cHm5higeJzC25C46S+VCTQkq8QxS2k34sA2sK6vys1XDgzwmDfT/GYyHf3nl0blR +GkrotmgVAsweUVQ7a5ThcWVf4d06F3mN5xxGWNxgNoVxZ5Ki6a9dMuQRrNh54qje +N1pulp0fZWxshWK0YrQSpPhKgz5kAflSnIwrdyjFdFS8WKpLOAkXV/NyZa6urUw7 +mz3owNCZJqCrYjC2JdTS3wUqRZhx1xyY2DO+laLJAgMBAAGjggEhMIIBHTAJBgNV +HRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU/cGV4/+zOIk30UYg1R87H7V9 +GAgwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUxCzAJBgNV BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv -bmdTd2FuIFJvb3QgQ0GCAQ8wJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv +bmdTd2FuIFJvb3QgQ0GCASAwJwYDVR0RBCAwHoIcb2NzcC5yZXNlYXJjaC5zdHJv bmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA3BgNVHR8EMDAuMCygKqAo hiZodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG -9w0BAQUFAAOCAQEADH13ce0I8nXd5rjnDWck3JdBOgFMu2Wl8zpKIeLVYZnUc/Sn -l0sULX6AIdMzKVsPh78CgsQf4tggdVCdbTURMp3SdLO5TDNlqPVMnjHjajWR+C0D -4TQWnBz/bEg3aXGjjJlu00eXWx8kRLrOP/wMWba+SEwYDqANgmUgxpcBeg8/0Q78 -d7xEJPOPDXlO5Nh3zeVIXaDT+y2ENzgyTx9YGoAURxl5eTpBNI7dJm5fjXdGlbwj -1vO+UprMEU6rB9BDFSfyXaXcQoIgRr0oZqvAUS/cF9LQRf4iUXCpr8Th7Wddqi2r -qiwDZt4o+3EYtCcMEK9zKJK3KMZc9A9HPCE+RA== +9w0BAQsFAAOCAQEAWyIL5QjvpT0SC1BHVItXbq06D0DwOUFfei4lLyuDZLpFYrNX +AujT6WqTdjki1Gx8GbOdz7YAoWVw61g9w8jKEwDg/UIKYGzjokXWzVg4v5eEakF+ ++APmZRpk9ezBZgvKZ3k49OaRvtWjUSUy6aZU+vfsdd2oO3JKyonJY05y+cm0N0qT +ytWMzX+Zig1NEArG2FnUTMPjudOCn0YiK41siFEaS9AHYXfsU3MhVer08PobmIKy +cLfhoXF+xpn8+DCp8fcAEt7sJX2us71XmQBxSpfFW4FeGjcye11YU4QRBFDMP47f +t5cybNEL+tLtcdJzPFxQlly0pc0w8BN4F6eY8w== -----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem index adbfe0f92..1355fc3c6 100644 --- a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem +++ b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArl39cBowZOcLYX8iXDYGLublXSvX6ge5OULMMu+jNiY2dhAr -/CWTLxgwvXIisBKi90JDfhPdEbrHQqoGmwJditwL20eFTqWgnct9aXT2in0VwE2s -yB9BhvE/wSJlk7sHhbdF5rApeuUoaFbpdAx1k5YuIzgIByI+nqGJUKUSOgm2bKnX -BmSUVs2TD2vOkN4tpygLDoloe44NOLixbFrvtrgWJrD0myqmXu+hWOZvj4AMKIdG -xSSPasuGq8rzWYhU9frd4Xf8Lf2V56mF+FrGXBpTzpSmaIg5Zl81NStWGO9YqB1I -h+0DmAWGPvPjHOZMLf66KWBG3y3wBDQu1lfvLQIDAQABAoIBAEx5LnknE0h9yJEH -GEPG8elKHRhC7VxX7NV/RV2lmjhahBI9v3zD4gyKmH3N/Aaq9cxpxH4cKh3nhBLp -zSHY5LvNDGossPuwSoRKRgOlZ6ePeqWvq3LNuoh7cFG9Sz2CjqcHnWGyq06aCKHS -VGswN7T17eBGZ8bxLvOVt0qmSxsmg2A2tmZQCAhc6IkEe3L4sqtS4N1y+8J1GSuu -KlIuT9NtReDiXXQNxr48QJeddj6RE+5xgInUEUGPUrOnv+lllxN42u0Yrqnnci7M -SNuxiCkYmvUm47zem3mUKrTJnr4uyKSVnzY5wKcbjebnjlaJmWefM6L7wTKYGbbF -KsXXwOUCgYEA5cXCD09Oeb888dwgvOaVgZqfJaCex2wZ2Wgu8dm3y2YcrNHbrj13 -PU+1fBp29AE4cNowUitL0rHPE232WyKPCsvEt4H/ioucWvXUc9rzNlo+2H4J6ZMI -4GQp2WXQZeqEAAI35qdcRwIDMRJdsDlg9fAwKAGJAYLhL4fZewmPb8cCgYEAwkU3 -ynMCj1XMvZzhPNS9bACD1euSLTopdAzlASX9bVnDGJ5/KeWl2PqJjrmV3LCjX/4t -WnGsP5bgv6IGVRpTcjeJSebF2kEA/pwYEZJezwh304JUqsqg4K4QF1ra5v3Wp06e -Y+sMdUphzTQFAvGzWTSQweSVlXHgrW+VWxdIEWsCgYApwL7b01h6TSMA/DRCv0/p -pjRHPSG9MUqdNA5bymlYn6yURuo5hlfVn1dmPtTg0Bv2fd+L/uwfVEpByJicxPHj -T1Xm1sud3HLEIKnDh8TsWofTBUw90ocpZ2onZBXzfyMPcVfBJSZijN4Rm7nEnRie -eE/35ReFW8gZwADoF7ul3wKBgELkXo+BBnKgUn0/lXbCse6MRtjT4mNcUYW6IuhA -UoDilYDWomakwnRx4Aea83UoBTk6ZhdsaKkEpKKXgaKwC+eaI9Wkdp/uHg+NY+Q5 -CBg1jDzx9YFRgA+dH8FK8XD0GoNFWNiCyKliUUa9ELSw0NZ4eReqQ69PpNNTRpQ0 -8gW9AoGBAIUpz52BrP0XcIEE+f9ONKGJq+cr1cRXDZlgHBE90GA/b5hfMiAmvaGm -SVdBXfUzIwEv6fHRqFjXsGqRI1qD6my69khnoObu3H+DR4Dsk/3iwxDMEpK63dfM -p2fp/wc8G/s/5YVQeAOW0NpPY7qyGDoXN5UcHfLjJw23gbkUJD58 +MIIEowIBAAKCAQEAuiavQ3Ij7UeYgu91EZXPanKhZfkBnkQ8QywrZy6hY5Llr9Lp +de6mR9IjMMW20VNVGaNmwDTcAJlsQXE+lTX/OFfQ4/ZvVMFE0n3oK5DdkVQRB3B5 +uYYoHicwtuQuOkvlQk0JKvEMUtpN+LANrCur8rNVw4M8Jg30/xmMh3955dG5URpK +6LZoFQLMHlFUO2uU4XFlX+HdOhd5jeccRljcYDaFcWeSoumvXTLkEazYeeKo3jda +bpadH2VsbIVitGK0EqT4SoM+ZAH5UpyMK3coxXRUvFiqSzgJF1fzcmWurq1MO5s9 +6MDQmSagq2IwtiXU0t8FKkWYcdccmNgzvpWiyQIDAQABAoIBAQCqbIBI31bFBac7 +OL+VOfKLIidhlHdGznHdjbKu5KIc54AhWJckwTi6yEgvftPBEOn4bwDDN6GzasMR +pvwE30qp6rvz+Mo0bjzz+RF10UsIok504SSQFaLk+DxBNOaduJ5L9PtPtR/zOqnn +5EagOdtSd50tQhjvPhfu9RUTeEHBhJDILUIZeJ4pCkM6/+agsgnDP2/4PucCXHkD +8k6FLw2eoYMY3e9UKuiWUGXiCVopIZmZcG33ipQ3VFUzrP9JmE7ji4/p40VfShvV +/fKWPEGe11IOQf8VJfcTYjluCbq8+UkIO4HgZxa36sxtYTjC+4MR9MDfMNIM+GzH +mh+qd84BAoGBANx2v3tCY0zVAkqhoilOTYAixeTJjzsFRjR/9XkxfkrGJt8kl7jk +s3hl4VUlblT1FWytk2vN8mE2MfT73mie0TpsNCefrWN9Xd9Yi7xjpJDfyMs8spD4 +8snmLK5euFNMNqbu9tyi2sfUR41FBi8kUzA7WAMx+M/pHUug6i/Xn4XlAoGBANgo +DPF7M+BCsls8OibT49+K4nF3rQWY4axojcCb5UZQRMDysg0ji0nwYqQktDjBk74w +3uIITVlB6UaG5dZ9O6C3ZP1+yi9Egoj6XYG74YKebgZnH7F1EKEdZnh7BPlTOQsl +kv9Ccm2r4RrxSsbXpDIel/54s8rdVPHfdfiv1psVAoGAMIWSLza1VDutfW+FmUG6 +nPEKTQhvlbXbdcKT7FCQUzS5aXNMUU1EksMZjPvoBJrMVFb/k0KIjgy3ggvNL4mE +0y7ta6shJjx5ZKbAWn4zwg7+ynxZcL7Z8MXQH7CJMQwdGzCM9JKDRGfcN6NxcP61 +sG/fNxTQhjHwWKzZ3h2+5mECgYBd254rKO0QnsVlWlSB0ZXr1hmXXXjSqlyriUar +8MVwb6A7C+cGT33G4EtkrM9Yqa1mc0AEc8hqTnVle2PHa999XMTMUcanGZ94rQX3 +NEaqefKacyLO4l8TJnn9LKWvQVTOo0Ud85NOTcjT8xweFTqlzKUBCRZAqzScRgSq +tGeCNQKBgE9nGL9anLDb7CD05ya0L3mW0cIkPz42NKCNI7zCs17ujABII6BpDXK1 +ApiZf3JxoTlp8czTvS6hqBZhicd6WxFqSBRhC8nOuq5YKPBPRQssayirzJiEi/JV +qEZzKbKKRUl33ESWI8ltWz/hg/WE0gSQyJVpyPo3IOI22a+KHvNe -----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial index adb9de8ee..d9bb888f8 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial +++ b/testing/hosts/winnetou/etc/openssl/research/serial @@ -1 +1 @@ -08 +0A diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old index 2c7456e3e..86397e5c1 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial.old +++ b/testing/hosts/winnetou/etc/openssl/research/serial.old @@ -1 +1 @@ -07 +09 diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt index 314acd784..36b24a619 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt @@ -1,6 +1,8 @@ R 100322071017Z 100407093948Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org R 100615195536Z 100703150410Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA -V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org -V 140323211053Z 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org +R 120323211811Z 140324141327Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org +R 140323211053Z 140324141726Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org V 150406094241Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org V 150702152829Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +V 190323141524Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org +V 190323152702Z 08 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old index fd5485026..1db0072db 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old @@ -1,5 +1,7 @@ R 100322071017Z 100407093948Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org -R 100615195536Z 100703150410Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA -V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org -V 140323211053Z 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org +R 100615195536Z 100703150410Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +R 120323211811Z 140324141327Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org +R 140323211053Z 140324141726Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org V 150406094241Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org +V 150702152829Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +V 190323141524Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem new file mode 100644 index 000000000..bd7eb729d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/07.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEVjCCAz6gAwIBAgIBBzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE0MTUyNFoXDTE5MDMyMzE0MTUyNFowczEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT +HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs +ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6zwcVirVu3/hsJRQY19GOO9Rw1BbCGd3t+dSYfkCFFt3l4JeAwAvPlXB1fbfT +vCJryl/xIcfgq58ZIgqjC0tEOKaVYa0ySvdlmI7HdqTWrFx5dqQpsSiU14U8xb5U +QAr9ha0AhRc5et2evsdg4bFNwlbOdrcKfQ82F+gRUi6v4n4PLLKDhH//L+PmUNBn +CTkmVcDVxlRkTvjwKhWpSbh99lFRhR2BuB91frCGXuZUnyue0FOXQrFLeY1bgzJa +hC+pvAMfx7P0XY/3V+H+vMlJOfYM2e2+np9Ca4l6mpmA3dvuiDHNe8xGl48EKT5m +iY3wk3wluBl5vEzz1UBp7i4RAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud +DwQEAwIDqDAdBgNVHQ4EFgQUUHRhgpplj7IuGGKeMOaU0UEKTcEwbQYDVR0jBGYw +ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCASEwJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV +HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0 +cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiFNm9XwY +u21dMTYWGT480c/ijzeBhV+eT0im5kifb3V+tW0ZpWiTDumqfplFeamNReXpkVkJ +G8Tfsejc1A2CTmiKe4FPEl+Ukm2lCpIvY1TjO7nGN8TJUF0DPKU5GjijbIKbQben +utQBMEtuuLJnZpSEk60YhamPvUWWkoKXKEwyHPHK6KozrLj1E/j/wk0sFNaNOijr +DKe+Hb57x4Sta5WlXqFxeBviwnnAS895UAGlM+vGU4hxw1LNs0HfS0TRoKhk+Cmt +N8rYAvzn4ziXNqa3A7FtuVviyXjY7eQEaIVA70795xmyVqQJTgkECBnD2Bk7qBUI +kuR4vkO8gStiKA== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem new file mode 100644 index 000000000..c464df579 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/08.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELTCCAxWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE1MjcwMloXDTE5MDMyMzE1MjcwMlowXTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsT +DFNhbGVzIG5vIENEUDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7tkn1sXzlBRzSVHoPoct2D0kht +E/Tf+LnryMsw79IBMfiOU61ijdwx2jCLxUh7t90NEIN4CdpIYqzc/1Yi/LWXD9+G +8gBwft5nqTIz8S8Lf6Qiy4LjGXV3VWpDMZLLRJL5ZWm+0ZN8Wtp9qglVh4LnQSiy ++NYTlxnRtPB7xkwia287wn4aQfNJpNhlocXdSpGIF5bNIQm32n84SDMafXtuA+vv +8/72nBiy2SWhkAd+CiNq5dnZkYGnIFL718V6Zu4kmZQhzM3gi/7POZCkOCeSZVeh +AJJf1mJI7SJH54XYkZLUS5EG6ad3kBf1nFGRAjPgwxQHhfUlP8njpjsV7WUCAwEA +AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSYfvgn +nLJ1nMbHDd2zdo60Qpy0HDBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT +KKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x +GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZl +QHN0cm9uZ3N3YW4ub3JnMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0 +cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQELBQADggEB +AK3d7gR8IpPu03rV/RnOx4seoZAgm6//nCvP2ceFrEy4tbihnJ+QDvwrgKb/UvwK +yERLXh/X7WhDyLSyVrbQq/Jj4xEOB5PMSItpmiDHYGX+YaiymZT3VsTJah1zqxSe +amqHhrlW2U+UDqz/7vFClknSO6tn1vbNo4miYiVALGtRSMhFhVZsXfnA9+VKLdua +vvdeueRCDg7aXPfAU0MAdcJIYoegJRnLZsJ4IfE/OWvMFnR1w4NmhIHhNT8T/ib0 +3pi2cp6JeSOcZ1Upd2napUoGd2U4XfNE15XGCdoVRazA1STWhfHwu/aBUnINpk0M +zqpIrvuM6lklZb8gUl4pPwc= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem index ce2ff7b9d..bd7eb729d 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem +++ b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem @@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEVjCCAz6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MIIEVjCCAz6gAwIBAgIBBzANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTA3MDMyNTIxMTgxMVoXDTEyMDMyMzIxMTgxMVowczEL +BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE0MTUyNFoXDTE5MDMyMzE0MTUyNFowczEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xJTAjBgNVBAsT HFNhbGVzIE9DU1AgU2lnbmluZyBBdXRob3JpdHkxIjAgBgNVBAMTGW9jc3Auc2Fs ZXMuc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQDGgB20WTzEVUNGDU/iwxN/eybmYAQ2rUytxoyKUHoN8Q7tATg7bwH3HrMdc5JV -AA4uiWFdrNw7GGu+QJVrYi+7jdt76ffcck6eQjLmmVsGp4T16U900ZzFh6zLnhs9 -K/Sw8yiGMQcYncblST4Sl3Yd6XdiY/fZHscsbFjxVpPGxwebZPPirukeWDFLUwVO -yc5A7pdqNlvmfy5tiO5Ds8hQMQyVqpmlDYwTQz3yZS2+X4In8GrgvBnUZ/etGzq8 -N+309wX/g2WvcKYDpWLqu3KxkwL+QTTYhIM6NvQXtPGCf3M5yBtoNqPzgIqXveuT -oMwJwF+uDZddBWjAeI1G+J8BAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud -DwQEAwIDqDAdBgNVHQ4EFgQUY33heVHJfDUOz5Va8B1VPepgam4wbQYDVR0jBGYw +AQC6zwcVirVu3/hsJRQY19GOO9Rw1BbCGd3t+dSYfkCFFt3l4JeAwAvPlXB1fbfT +vCJryl/xIcfgq58ZIgqjC0tEOKaVYa0ySvdlmI7HdqTWrFx5dqQpsSiU14U8xb5U +QAr9ha0AhRc5et2evsdg4bFNwlbOdrcKfQ82F+gRUi6v4n4PLLKDhH//L+PmUNBn +CTkmVcDVxlRkTvjwKhWpSbh99lFRhR2BuB91frCGXuZUnyue0FOXQrFLeY1bgzJa +hC+pvAMfx7P0XY/3V+H+vMlJOfYM2e2+np9Ca4l6mpmA3dvuiDHNe8xGl48EKT5m +iY3wk3wluBl5vEzz1UBp7i4RAgMBAAGjggEbMIIBFzAJBgNVHRMEAjAAMAsGA1Ud +DwQEAwIDqDAdBgNVHQ4EFgQUUHRhgpplj7IuGGKeMOaU0UEKTcEwbQYDVR0jBGYw ZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg -Q0GCAQ0wJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV +Q0GCASEwJAYDVR0RBB0wG4IZb2NzcC5zYWxlcy5zdHJvbmdzd2FuLm9yZzATBgNV HSUEDDAKBggrBgEFBQcDCTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnN0 -cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAXvU0ucW8 -DUgNkNdzIYtL48d44e+vDRuVZ6BmuovHqZuuWXfmxtM0q8zPUgrtXwX50nhVg8Y3 -csLLa4o7WOmDTMftvzuh9+T9CV8WIX6vioI7zS550ZwUwB0V08JTfrCiRaCql7Eg -pDEZDfKXJCaq+I/FAH1Q03vXsDk+wTtJSeqoWCt7IiEYePwFLQ0ANjPhK6BbbcyH -XkqZE2hYmroGele+UGwflRL9CP6F8UTFdg2LefeiZmZiSkgO2a0i4ik0ShQAPyIl -is5KBiKuvsqkbMTCxdk0gdRqcTF0YUHcOCY0gHMiApsNC157fokP0Mg6rBDRCJkH -kiJdzc42Apd8uw== +cm9uZ3N3YW4ub3JnL3NhbGVzLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiFNm9XwY +u21dMTYWGT480c/ijzeBhV+eT0im5kifb3V+tW0ZpWiTDumqfplFeamNReXpkVkJ +G8Tfsejc1A2CTmiKe4FPEl+Ukm2lCpIvY1TjO7nGN8TJUF0DPKU5GjijbIKbQben +utQBMEtuuLJnZpSEk60YhamPvUWWkoKXKEwyHPHK6KozrLj1E/j/wk0sFNaNOijr +DKe+Hb57x4Sta5WlXqFxeBviwnnAS895UAGlM+vGU4hxw1LNs0HfS0TRoKhk+Cmt +N8rYAvzn4ziXNqa3A7FtuVviyXjY7eQEaIVA70795xmyVqQJTgkECBnD2Bk7qBUI +kuR4vkO8gStiKA== -----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem index 5d10a3467..288aecb08 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem +++ b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAxoAdtFk8xFVDRg1P4sMTf3sm5mAENq1MrcaMilB6DfEO7QE4 -O28B9x6zHXOSVQAOLolhXazcOxhrvkCVa2Ivu43be+n33HJOnkIy5plbBqeE9elP -dNGcxYesy54bPSv0sPMohjEHGJ3G5Uk+Epd2Hel3YmP32R7HLGxY8VaTxscHm2Tz -4q7pHlgxS1MFTsnOQO6XajZb5n8ubYjuQ7PIUDEMlaqZpQ2ME0M98mUtvl+CJ/Bq -4LwZ1Gf3rRs6vDft9PcF/4Nlr3CmA6Vi6rtysZMC/kE02ISDOjb0F7Txgn9zOcgb -aDaj84CKl73rk6DMCcBfrg2XXQVowHiNRvifAQIDAQABAoIBAQCUOZL02zYfPbPw -mXwvzo++wA16NfSvh5UcpojHt/SMeJc2r5R3/Rqwl8IUmfqJcnMkmP2V38DMeB3s -gXmSKE2QdguRalLl0I2Ya8Jqo9VvEKSepMvqZaP1dKy5l6SrdylPASQfoHi2Dws4 -qAqsA2H2UCIP3Kp0/SCpsXZxML9EzIWtYtvrqJ0p0EI9ZzEn5uFok91qTYqD9c3T -v142OyfmHlwICLy7UlFkmawrV4PIIP2RGTRgr2b16Vis7mAkRC7blsFXUEBb8hwE -SmISdZYXc+NCesonXYGeRhln8PPLI3/T+HHH8G2eFhyQISHgE0CbjK+zvFcAddvD -BbeceDPhAoGBAOkXwIklHvzSj4QoCi572QNkNIkxlIa6PL3I2ygJczeB1vj9kvVc -CV2onhvBL3FGy0BJrQI7UBySW59/GdSs+WJFQWlIwI9QglDS8itAQK6+9zeyg69U -NbGw784NGn5cP3F4P3QCGEUg5Oj8t0iE8gKbljz6rlSjO5uhXYOYf0rtAoGBANoC -E0noRtG4QloEbIiHjLbnNAjabOO9KNm9FLZZFnGvTHQ1690i+GBOXC/cbP3jo6tz -07+Ob/+IKhXhEj9opGu8ZvEfarHmBEWxj6TdvFmlaHEcEFD0LqGu5ssSfW3S3AEB -Z3rBLkEeJYUYQqCU+vgZHEbrLWeBt33AIeB1nN3lAoGAL0LJnwUPy2NGBh24MsSZ -s75ViJus6cRJHJHlHbEM02xYEhQX//exTnQp2qbI38bi3x4RHiq4i5KBUU2MBzsr -NWmlYZuGr4g7Y/fhcjOM6eF+bqSbXqlMWcLuXHD7tjMuCeu/sd3a3elVgIf9AY8z -IqQ5ShPp1O9j3qJRO6Vn6eECgYBIu9KFoOonxArXD4zKTDcFOsPghEc5//0mD/Be -GgDj8vFWADtt7uHg96PIEAmI9y6+4Ajwauww29P2sr2szBO3IgdSQQIO0kfwnJnp -DlVtr0LWId/LsnvwU3MKo2OXhXcDGt3UValB7nXkHsDz5GCK743Al2vxkZSPbs+e -nH62hQKBgQC8AouEwXXXQD8+MnW+qcIbaAzVMirc94sI3fQH1AnfiZHH6aMCOh/4 -xoh/RzylotQlOk1xjCOB4O/Hhd+MAnlH9ZawCnRdvB/4usxd4j2AYr0Np7Q+VUyx -EFejvkdm20j1dh29jfSbiXHd2RCoFimX0Dr3weiRqffqi9aV2tdqLQ== +MIIEowIBAAKCAQEAus8HFYq1bt/4bCUUGNfRjjvUcNQWwhnd7fnUmH5AhRbd5eCX +gMALz5VwdX2307wia8pf8SHH4KufGSIKowtLRDimlWGtMkr3ZZiOx3ak1qxceXak +KbEolNeFPMW+VEAK/YWtAIUXOXrdnr7HYOGxTcJWzna3Cn0PNhfoEVIur+J+Dyyy +g4R//y/j5lDQZwk5JlXA1cZUZE748CoVqUm4ffZRUYUdgbgfdX6whl7mVJ8rntBT +l0KxS3mNW4MyWoQvqbwDH8ez9F2P91fh/rzJSTn2DNntvp6fQmuJepqZgN3b7ogx +zXvMRpePBCk+ZomN8JN8JbgZebxM89VAae4uEQIDAQABAoIBAB8kFe08Y0RpZ7M3 +dyMxDwjj5mUspeKTh1B9fjgxi7Xj+vewOfFHknB3W/jqDTPpv98yLE45MGW+llYN +O7K0Vka4HuT2FHY20wkHpn2PxKjYsM26vmEI3Ff7mYVo/XJz/qEGoLFefmGhnsIw +0XHQDcuFowzl81t3P4rn71K73XaKRUjS8EMnuyqN2vKIsOyoexslRRfab01Iypb1 +IIpWgL4ZGy1KSaymT+F6KfblAR3W6txsHyLKz39YzwMAVC5tL1zFlWMr2oUkjCn5 +DphKGSF/rUOLN82VwXj3+vKdp+8FG7KyxS5yI208srwuHi3PiPNZj8Mjo2rqZ7Aq +iT+MDrECgYEA3XjNNSBg0aJMv894K3eQTFG879iByQBHv5zIuuaJwRPTAAkKAcBe +XEZyvf72CAzkQJdUGkxhaNPI2S9+euzitlGwTp4XWC6/N1pZWVWpu4daiihBgw1j +hsOpvnJCR0SCSWQXTF+G4cJ6L8JF4nECfRpmZKRkY/pfWg5x2VqlLj0CgYEA1+7H +UTD+dng7hD9Amn/yl5d/5utUW5hTzeTDGm16Xrzhszi/Lj62/OcnnF3FVSgqcLoi +jti32P7XeeZYe8BcwF5rrk1/xEfs0HtRDL3Fw3ZatJNL+MqkWmTOftbvZq0vJqmA +Y03Gwc4Wk8u+s88m4Yd0Uu/fQoZTochlpHNtsGUCgYAKXwbVDxAZoQ0RCmkpN+8k +88ryPGRPgljZy0DHJ9aZmREPdlzmmhiRH6dt6EujMt9ZevywQpVpMEm+ie/VV9SC +Dy8/bz3OnlnMAMogWdeZ9Yuy3pG6zlyzyePgDD+4UKf9Qdepduu9FLteEy3snbgt +HZhf7CbbW7UtZXHFaO5FTQKBgEMucSjbm2/0fF/q5giroihz5EFOGlLdE8XNVL5W +LWpoTbhbAXA75ubMbFCEBC84bevgnXvgBWMn9pZgiksGUFUxi0MRrZy92/oJQ/A4 +4tyraBEietKPCY9uKajg6l8BptfaiK1ct2f43KFjFJQQ8UHdyN088DNcY4zEMot1 +tjzZAoGBAMtLZ5chaulGceF9B4EOFlAfZ73Wnd3okLkmVNr1pV2m4JM43lMtyBVk +lsrzNDyj7mqpdbdTk9L93SMzuN710+uV8m3Km+nszW0OkzLshR6QUrn8guXFu6a7 +B2bbVtgUDGt+mMuwrgVFPLStmNAUfbIAFp03+sQxD29Oy0Dvv3xv -----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf index 0e3a45292..8511c5452 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf @@ -157,6 +157,7 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always subjectAltName = email:$ENV::COMMON_NAME crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl +#authorityInfoAccess = OCSP;URI:http://ocsp2.strongswan.org:8882 #################################################################### diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial index 2c7456e3e..86397e5c1 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial +++ b/testing/hosts/winnetou/etc/openssl/sales/serial @@ -1 +1 @@ -07 +09 diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old index cd672a533..adb9de8ee 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial.old +++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old @@ -1 +1 @@ -06 +08 diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial index 9902f1784..f04c001f3 100644 --- a/testing/hosts/winnetou/etc/openssl/serial +++ b/testing/hosts/winnetou/etc/openssl/serial @@ -1 +1 @@ -28 +29 diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old index f64f5d8d8..9902f1784 100644 --- a/testing/hosts/winnetou/etc/openssl/serial.old +++ b/testing/hosts/winnetou/etc/openssl/serial.old @@ -1 +1 @@ -27 +28 diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index 438e6668a..c4142086f 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -76,6 +76,7 @@ CONFIG_OPTS = \ --enable-unbound \ --enable-ipseckey \ --enable-dnscert \ + --enable-acert \ --enable-cmd \ --enable-libipsec \ --enable-kernel-libipsec \ diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf index e27685447..2d08b38bc 100644 --- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf index 3ddd02fe7..037d4348d 100644 --- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { required = yes diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf index e27685447..2d08b38bc 100644 --- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf index 969a5f5aa..1dcaed4a3 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf @@ -3,8 +3,6 @@ charon { load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown send_vendor_id = yes -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf index 969a5f5aa..1dcaed4a3 100644 --- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf @@ -3,8 +3,6 @@ charon { load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown send_vendor_id = yes -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf index 969a5f5aa..1dcaed4a3 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf @@ -3,8 +3,6 @@ charon { load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown send_vendor_id = yes -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf index 969a5f5aa..1dcaed4a3 100644 --- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf @@ -3,8 +3,6 @@ charon { load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown send_vendor_id = yes -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 671d97342..2b4da7495 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 3ddd02fe7..037d4348d 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { required = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 671d97342..2b4da7495 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat index e4ffe8eef..867016dba 100644 --- a/testing/tests/ha/both-active/posttest.dat +++ b/testing/tests/ha/both-active/posttest.dat @@ -13,5 +13,3 @@ alice::ip addr del 10.1.0.5/16 dev eth0 alice::ifdown eth1 venus::ip route del default via 10.1.0.5 dev eth0 venus::ip route add default via 10.1.0.1 dev eth0 -moon::conntrack -F -alice::conntrack -F diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat index 63d4f98e7..ec663e70d 100644 --- a/testing/tests/ikev1/double-nat-net/posttest.dat +++ b/testing/tests/ikev1/double-nat-net/posttest.dat @@ -4,6 +4,4 @@ alice::iptables-restore < /etc/iptables.flush bob::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F sun::iptables -t nat -F -moon::conntrack -F -sun::conntrack -F sun::ip route del 10.1.0.0/16 via PH_IP_BOB diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat index aa806bfc9..f434b336c 100644 --- a/testing/tests/ikev1/double-nat/posttest.dat +++ b/testing/tests/ikev1/double-nat/posttest.dat @@ -4,5 +4,3 @@ alice::iptables-restore < /etc/iptables.flush bob::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F sun::iptables -t nat -F -moon::conntrack -F -sun::conntrack -F diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat index 4643a3a7b..bc7d23771 100644 --- a/testing/tests/ikev1/nat-rw/posttest.dat +++ b/testing/tests/ikev1/nat-rw/posttest.dat @@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat index 11bd19da7..b9fbde7cb 100644 --- a/testing/tests/ikev1/nat-virtual-ip/posttest.dat +++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat @@ -2,5 +2,4 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::conntrack -F moon::rm /etc/nat_updown diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat index eb0c28c7f..8945d87b9 100644 --- a/testing/tests/ikev1/nat-virtual-ip/pretest.dat +++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat @@ -1,8 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::conntrack -F moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::sleep 1 moon::ipsec up net-net moon::sleep 1 diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf index 9caf4fa37..8cc4192c6 100644 --- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf @@ -4,8 +4,5 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown fragment_size = 1024 -} - -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf index 9caf4fa37..8cc4192c6 100644 --- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf @@ -4,8 +4,5 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown fragment_size = 1024 -} - -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index f4fd948fd..4de997a66 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no send_vendor_id = yes -} -libstrongswan { plugins { ntru { parameter_set = optimum diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf index 238ec24b7..248642530 100644 --- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf index 238ec24b7..248642530 100644 --- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf index c032d8291..eb8b1400a 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf index c032d8291..eb8b1400a 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf index c032d8291..eb8b1400a 100644 --- a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf index 14e061408..38bfed070 100644 --- a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default unity + cisco_unity = yes -} - -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf index cbc51d38c..dbf1bee46 100644 --- a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf @@ -2,14 +2,13 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity + cisco_unity = yes + dh_exponent_ansi_x9_42 = no + plugins { attr { split-exclude = 192.168.0.0/24 } } } - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf index 8822cae64..0792a3f52 100644 --- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no integrity_test = yes + crypto_test { on_add = yes } diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf index 8822cae64..0792a3f52 100644 --- a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no integrity_test = yes + crypto_test { on_add = yes } diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 8822cae64..0792a3f52 100644 --- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no integrity_test = yes + crypto_test { on_add = yes } diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf index 1fb5d14b1..c08fab86e 100644 --- a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf index 1fb5d14b1..66054d0f9 100644 --- a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown -} - -libstrongswan { + dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf index 422538cec..02e7618d3 100644 --- a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf @@ -2,10 +2,8 @@ charon { load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic attr kernel-netlink socket-default stroke updown + dns1 = 192.168.0.150 dns2 = 10.1.0.20 -} - -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf index 61260f891..f65197bef 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf index 61260f891..f65197bef 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf index 61260f891..f65197bef 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..e79fe2c92 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/strongswan.conf @@ -0,0 +1 @@ +# /etc/strongswan.conf - strongSwan configuration file diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf index e2e2164ae..ba37a47cf 100644 --- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf @@ -2,6 +2,9 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-md5 xauth-eap updown + + dh_exponent_ansi_x9_42 = no + plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..e79fe2c92 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/strongswan.conf @@ -0,0 +1 @@ +# /etc/strongswan.conf - strongSwan configuration file diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf index 77266cfa0..7114a3fe4 100644 --- a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf @@ -2,6 +2,9 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown + + dh_exponent_ansi_x9_42 = no + plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf index 5cd9bf11e..ca3372f7d 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev2/acert-cached/description.txt b/testing/tests/ikev2/acert-cached/description.txt new file mode 100644 index 000000000..42f7432bc --- /dev/null +++ b/testing/tests/ikev2/acert-cached/description.txt @@ -0,0 +1,11 @@ +<p>The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +To authorize clients, <b>moon</b> uses locally cached attribute certificates. +While for <b>carol</b> a valid attribute certificate for the group <i>sales</i> +is available, <b>dave</b>'s attribute certificates are either expired or +do not grant permissions for the <i>sales</i> group.</p> +<p>Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> try +to ping the client <b>alice</b> behind the gateway <b>moon</b>, but dave fails +to do so.</p> diff --git a/testing/tests/ikev2/acert-cached/evaltest.dat b/testing/tests/ikev2/acert-cached/evaltest.dat new file mode 100644 index 000000000..682c55ce2 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/evaltest.dat @@ -0,0 +1,12 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::NO +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO +moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES +dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e72f78742 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..65c9819bb --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..fbffbad62 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + rightgroups=sales + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..cd836a2b7 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/acert-cached/posttest.dat b/testing/tests/ikev2/acert-cached/posttest.dat new file mode 100644 index 000000000..e5b8d291c --- /dev/null +++ b/testing/tests/ikev2/acert-cached/posttest.dat @@ -0,0 +1,11 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::rm /etc/ipsec.d/acerts/carol-sales-finance.pem +moon::rm /etc/ipsec.d/acerts/dave-sales-expired.pem +moon::rm /etc/ipsec.d/acerts/dave-marketing.pem +moon::rm /etc/ipsec.d/private/aa.pem +moon::rm /etc/ipsec.d/aacerts/aa.pem diff --git a/testing/tests/ikev2/acert-cached/pretest.dat b/testing/tests/ikev2/acert-cached/pretest.dat new file mode 100644 index 000000000..8bbea1412 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev2/acert-cached/test.conf b/testing/tests/ikev2/acert-cached/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev2/acert-cached/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/acert-fallback/description.txt b/testing/tests/ikev2/acert-fallback/description.txt new file mode 100644 index 000000000..0008b105a --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/description.txt @@ -0,0 +1,12 @@ +<p>The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +The authentication is based on <b>X.509 certificates</b>. To authorize clients, +<b>moon</b> expects attribute certificates sent inline in IKEv2 CERT payloads. +<b>Carol</b> has attribute certificates for both the <i>sales</i> and +the <i>finance</i> groups. The attribute certificate for <i>finance</i> is not +valid anymore, hence <b>carol</b> gets access to the <i>sales</i> connection +only.</p> +<p>Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> tries to ping both +<b>alice</b> and <b>venus</b>, but only the ping for the <i>sales</i> related +host <b>venus</b> succeeds.</p> diff --git a/testing/tests/ikev2/acert-fallback/evaltest.dat b/testing/tests/ikev2/acert-fallback/evaltest.dat new file mode 100644 index 000000000..985f3208e --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO +moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e72f78742 --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..37e779fef --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn finance + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.10/32 + leftfirewall=yes + right=%any + rightid=*@strongswan.org + rightgroups=finance + keyexchange=ikev2 + auto=add + +conn sales + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.20/32 + leftfirewall=yes + right=%any + rightgroups=sales + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..cd836a2b7 --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/acert-fallback/posttest.dat b/testing/tests/ikev2/acert-fallback/posttest.dat new file mode 100644 index 000000000..2ccb86a41 --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +carol::rm /etc/ipsec.d/acerts/carol-sales.pem +carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem +moon::rm /etc/ipsec.d/private/aa.pem +moon::rm /etc/ipsec.d/aacerts/aa.pem diff --git a/testing/tests/ikev2/acert-fallback/pretest.dat b/testing/tests/ikev2/acert-fallback/pretest.dat new file mode 100644 index 000000000..baacc1605 --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/acert-fallback/test.conf b/testing/tests/ikev2/acert-fallback/test.conf new file mode 100644 index 000000000..a6c21de09 --- /dev/null +++ b/testing/tests/ikev2/acert-fallback/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/acert-inline/description.txt b/testing/tests/ikev2/acert-inline/description.txt new file mode 100644 index 000000000..948b84725 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/description.txt @@ -0,0 +1,12 @@ +<p>The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +To authorize clients, <b>moon</b> expects attribute certificates sent inline in +IKEv2 CERT payloads. <b>Carol</b> provides a valid attribute certificate for +the group <i>sales</i>, but <b>dave</b> offers two invalid attribute +certificates: One is not for the <i>sales</i> group, and the other is issued by +an AA that has been expired.</p> +<p>Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> try +to ping the client <b>alice</b> behind the gateway <b>moon</b>, but dave fails +to do so.</p> diff --git a/testing/tests/ikev2/acert-inline/evaltest.dat b/testing/tests/ikev2/acert-inline/evaltest.dat new file mode 100644 index 000000000..ba448f81b --- /dev/null +++ b/testing/tests/ikev2/acert-inline/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::NO +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO +moon::cat /var/log/daemon.log::constraint check failed: group membership to 'sales' required::YES +carol::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES +dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=strongSwan AA\"::YES +dave::cat /var/log/daemon.log::sending attribute certificate issued by \"C=CH, O=Linux strongSwan, CN=expired AA\"::YES +dave::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e72f78742 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..65c9819bb --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..e3abea51f --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + rightgroups="finance, sales" + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..cd836a2b7 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation acert hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/acert-inline/posttest.dat b/testing/tests/ikev2/acert-inline/posttest.dat new file mode 100644 index 000000000..a0ef98440 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/posttest.dat @@ -0,0 +1,13 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +carol::rm /etc/ipsec.d/acerts/carol-sales.pem +dave::rm /etc/ipsec.d/acerts/dave-expired-aa.pem +dave::rm /etc/ipsec.d/acerts/dave-marketing.pem +moon::rm /etc/ipsec.d/private/aa-expired.pem +moon::rm /etc/ipsec.d/private/aa.pem +moon::rm /etc/ipsec.d/aacerts/aa-expired.pem +moon::rm /etc/ipsec.d/aacerts/aa.pem diff --git a/testing/tests/ikev2/acert-inline/pretest.dat b/testing/tests/ikev2/acert-inline/pretest.dat new file mode 100644 index 000000000..8bbea1412 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev2/acert-inline/test.conf b/testing/tests/ikev2/acert-inline/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev2/acert-inline/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/compress-nat/posttest.dat b/testing/tests/ikev2/compress-nat/posttest.dat index b8432a8f2..ddab5f9f9 100644 --- a/testing/tests/ikev2/compress-nat/posttest.dat +++ b/testing/tests/ikev2/compress-nat/posttest.dat @@ -5,6 +5,4 @@ alice::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush bob::iptables-restore < /etc/iptables.flush moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush -moon::conntrack -F -sun::conntrack -F
\ No newline at end of file +sun::iptables-restore < /etc/iptables.flush
\ No newline at end of file diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf index c393b298a..2ba42b67c 100644 --- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -2,10 +2,9 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown - multiple_authentication = no -} -libstrongswan { + multiple_authentication = no + x509 { enforce_critical = no } diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf index 8e685c862..1e3d11819 100644 --- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -2,5 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat index 63d4f98e7..ec663e70d 100644 --- a/testing/tests/ikev2/double-nat-net/posttest.dat +++ b/testing/tests/ikev2/double-nat-net/posttest.dat @@ -4,6 +4,4 @@ alice::iptables-restore < /etc/iptables.flush bob::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F sun::iptables -t nat -F -moon::conntrack -F -sun::conntrack -F sun::ip route del 10.1.0.0/16 via PH_IP_BOB diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat index aa806bfc9..f434b336c 100644 --- a/testing/tests/ikev2/double-nat/posttest.dat +++ b/testing/tests/ikev2/double-nat/posttest.dat @@ -4,5 +4,3 @@ alice::iptables-restore < /etc/iptables.flush bob::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F sun::iptables -t nat -F -moon::conntrack -F -sun::conntrack -F diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf index bad10ca43..73bbf6805 100644 --- a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown -} -libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat index 9c0bb5cae..150690e3c 100644 --- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat @@ -10,7 +10,6 @@ carol::iptables-restore < /etc/iptables.flush dave::iptables-restore < /etc/iptables.flush moon::ip route del 10.3.0.0/16 via PH_IP_MOON moon::ip route del 10.4.0.0/16 via PH_IP_MOON1 -moon::conntrack -F moon::ipsec pool --del extpool 2> /dev/null moon::ipsec pool --del intpool 2> /dev/null moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat index a3924b2f6..57449be25 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat @@ -4,6 +4,5 @@ moon::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush alice::iptables-restore < /etc/iptables.flush -moon::conntrack -F moon::ipsec pool --del intpool 2> /dev/null moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat index 311e9f21d..2e78893e3 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat @@ -1,5 +1,4 @@ alice::ip -6 route del default via fec1:\:1 carol::ipsec stop moon::ipsec stop -moon::conntrack -F moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat index bb20cae05..e46195cd3 100644 --- a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat @@ -1,4 +1,3 @@ alice::ip -6 route del default via fec1:\:1 carol::ipsec stop moon::ipsec stop -moon::conntrack -F diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat index 2fbc2c3a0..7de2bc9be 100644 --- a/testing/tests/ikev2/ip-two-pools/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools/posttest.dat @@ -4,5 +4,4 @@ moon::ipsec stop moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush alice::iptables-restore < /etc/iptables.flush -moon::conntrack -F moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat index f4e5316c9..0754edeab 100644 --- a/testing/tests/ikev2/mobike-nat/posttest.dat +++ b/testing/tests/ikev2/mobike-nat/posttest.dat @@ -3,4 +3,3 @@ sun::ipsec stop alice::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat index 86ac6e7e0..fde195daa 100644 --- a/testing/tests/ikev2/mobike-nat/pretest.dat +++ b/testing/tests/ikev2/mobike-nat/pretest.dat @@ -1,7 +1,6 @@ alice::ifup eth1 alice::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::conntrack -F moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 alice::ipsec start diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem index c380a5110..4d9fed09a 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -1,7 +1,7 @@ -----BEGIN CERTIFICATE----- -MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MIIDwTCCAqmgAwIBAgIBKDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE +b290IENBMB4XDTE0MDMyMjEzNTYyMloXDTE5MDMyMTEzNTYyMlowUTELMAkGA1UE BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD @@ -13,11 +13,11 @@ C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv -bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1 -LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa -6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN -T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r -9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL -cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq -YO2C4HE= +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAKHj4oUmSaG9u3QC +wjbETgexmKo6EViRjaf++QlK54ILHmPHCkN6Smzr5xpmi7P/FnBLqMlfMIQ3DCD7 +Fof/8SqaE/V9cP7TXK6c5vZHLoVU/NZW1A/HucMHSxd1DEiTfmrz8Q9RNb/r5adZ +Epbje7IRlufhpDD2hDNs1FyjmY9V9G4VfOBA/JBWlgs+A810uidNVD+YEFxDlIZG +6Kr0d5/WZowOUX7G8LUaa5kjoCS7MJONeEX2D/wtsx7Zw3f7GjFDdJfdi+CbAwBN +d8kt2l7yt7oEW9AfOcMQ7+HZOqihNrV8mCErk39p9f6zcZtYHnjM5fJlNRmc+EXC +mk13kTA= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat index 72dff4e10..343fcc15b 100644 --- a/testing/tests/ikev2/nat-rw-mark/posttest.dat +++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat @@ -6,7 +6,5 @@ alice::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::iptables-restore < /etc/iptables.flush -moon::conntrack -F sun::iptables-restore < /etc/iptables.flush -sun::conntrack -F sun::rm /etc/mark_updown diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat index 4643a3a7b..bc7d23771 100644 --- a/testing/tests/ikev2/nat-rw-psk/posttest.dat +++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat @@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat index 4643a3a7b..bc7d23771 100644 --- a/testing/tests/ikev2/nat-rw/posttest.dat +++ b/testing/tests/ikev2/nat-rw/posttest.dat @@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev2/nat-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat index f58e82adc..12676f7ac 100644 --- a/testing/tests/ikev2/nat-rw/pretest.dat +++ b/testing/tests/ikev2/nat-rw/pretest.dat @@ -1,14 +1,13 @@ alice::iptables-restore < /etc/iptables.rules venus::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::conntrack -F moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 alice::ipsec start venus::ipsec start sun::ipsec start -alice::sleep 2 +alice::sleep 2 alice::ipsec up nat-t -venus::sleep 2 +venus::sleep 2 venus::ipsec up nat-t venus::sleep 2 diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat index 11bd19da7..b9fbde7cb 100644 --- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat @@ -2,5 +2,4 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::conntrack -F moon::rm /etc/nat_updown diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat index eb0c28c7f..8945d87b9 100644 --- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat @@ -1,8 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::conntrack -F moon::ipsec start sun::ipsec start -moon::sleep 1 +moon::sleep 1 moon::ipsec up net-net moon::sleep 1 diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf index e9c79b333..d5ac37937 100644 --- a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf @@ -7,11 +7,6 @@ charon { dnscert { enable = yes } - } -} - -libstrongswan { - plugins { unbound { # trust_anchors = /etc/ipsec.d/dnssec.keys # resolv_conf = /etc/resolv.conf diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf index e9c79b333..d5ac37937 100644 --- a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf @@ -7,11 +7,6 @@ charon { dnscert { enable = yes } - } -} - -libstrongswan { - plugins { unbound { # trust_anchors = /etc/ipsec.d/dnssec.keys # resolv_conf = /etc/resolv.conf diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf index 44a54a9dd..58deb25f0 100644 --- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf @@ -7,11 +7,6 @@ charon { ipseckey { enable = yes } - } -} - -libstrongswan { - plugins { unbound { # trust_anchors = /etc/ipsec.d/dnssec.keys # resolv_conf = /etc/resolv.conf diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf index 44a54a9dd..58deb25f0 100644 --- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf @@ -7,11 +7,6 @@ charon { ipseckey { enable = yes } - } -} - -libstrongswan { - plugins { unbound { # trust_anchors = /etc/ipsec.d/dnssec.keys # resolv_conf = /etc/resolv.conf diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt b/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt new file mode 100644 index 000000000..aab0c68c4 --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/description.txt @@ -0,0 +1,9 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The key exchange is based on NTRU encryption with a security strength of 128 bits. +The ANSI X9.98 NTRU encryption parameter set used is optimized for bandwidth. +<p/> +The authentication is based on <b>X.509 certificates</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat new file mode 100644 index 000000000..69b5ef754 --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +moon::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES +sun::ipsec statusall 2> /dev/null::net-net.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..01d114dd9 --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="ike 4, lib 4" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ntru128! + esp=aes128-sha256! + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..17f6111fd --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown + + multiple_authentication = no + send_vendor_id = yes + + plugins { + ntru { + parameter_set = x9_98_bandwidth + } + } +} diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..e57bec965 --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="ike 4, lib 4" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ntru128! + esp=aes128-sha256! + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..0d1855504 --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown + + multiple_authentication = no + send_vendor_id = yes + + plugins { + ntru { + parameter_set = x9_98_bandwidth + } + } +} diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat new file mode 100644 index 000000000..837738fc6 --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush + diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat new file mode 100644 index 000000000..c724e5df8 --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf new file mode 100644 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index f4fd948fd..4de997a66 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 ntru revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no send_vendor_id = yes -} -libstrongswan { plugins { ntru { parameter_set = optimum diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat index b0225c37e..5fca9501d 100644 --- a/testing/tests/ikev2/net2net-same-nets/posttest.dat +++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat @@ -4,4 +4,3 @@ moon::ipsec stop sun::ipsec stop moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -sun::conntrack -F diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem index 77f5bde52..dd6ed8e4b 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- -MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV +MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu -Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT +Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM @@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr -4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW -BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt -rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0 -cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww -GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw -FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN -BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ -9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI -zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V -14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL -lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v -1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg== +4qcCAwEAAaOCARYwggESMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0G +A1UdDgQWBBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJ +bwUSQJDtrfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9y +aXR5MRwwGgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkA5Dcz3FD7TswwHgYD +VR0RBBcwFYITb2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD +CTANBgkqhkiG9w0BAQsFAAOCAQEAp6nXN0kW1HduCfwJQ/JVs4PJMZ80na7l1ret +YBWy0PflqOOOMudLu4eWbMipLBkgly9WYXrZlvIVkPHXJ9YJHevy3Wn3DRefsJ9l +Zdrc3A1WclEEE5aK3uq+c/VK5oYBYNkSMOgwDzD18WoRpyUhUxwZTWMG27nutZfS +fl0P8pjkx+YC0nNJjK50hq7wcd2U2JBFl3WLtrjDpIyuYSaDhPMqCGYyNqrAuWTJ +T5cZWY8r5pKMRQLqKX+IOTHkhk0wS8U3o8TCBe5g2J9dDedDCz+/UAIq2rFPhXxE +FiVXHxDxr4APbVurgspe5jm36oNRSK1MAMrhYZDTle/caa2frA== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem index 77f5bde52..dd6ed8e4b 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- -MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV +MIIEcTCCA1mgAwIBAgIJAOQ3M9xQ+07MMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu -Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT +Lm9yZzAeFw0xNDAzMjcyMTQxNTVaFw0xOTAzMjYyMTQxNTVaMGsxCzAJBgNVBAYT AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM @@ -11,16 +11,16 @@ P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr -4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW -BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt -rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0 -cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww -GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw -FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN -BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ -9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI -zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V -14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL -lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v -1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg== +4qcCAwEAAaOCARYwggESMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0G +A1UdDgQWBBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJ +bwUSQJDtrfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExp +bnV4IHN0cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9y +aXR5MRwwGgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkA5Dcz3FD7TswwHgYD +VR0RBBcwFYITb2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcD +CTANBgkqhkiG9w0BAQsFAAOCAQEAp6nXN0kW1HduCfwJQ/JVs4PJMZ80na7l1ret +YBWy0PflqOOOMudLu4eWbMipLBkgly9WYXrZlvIVkPHXJ9YJHevy3Wn3DRefsJ9l +Zdrc3A1WclEEE5aK3uq+c/VK5oYBYNkSMOgwDzD18WoRpyUhUxwZTWMG27nutZfS +fl0P8pjkx+YC0nNJjK50hq7wcd2U2JBFl3WLtrjDpIyuYSaDhPMqCGYyNqrAuWTJ +T5cZWY8r5pKMRQLqKX+IOTHkhk0wS8U3o8TCBe5g2J9dDedDCz+/UAIq2rFPhXxE +FiVXHxDxr4APbVurgspe5jm36oNRSK1MAMrhYZDTle/caa2frA== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat index c41a668f0..baeccb357 100644 --- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat +++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat @@ -1,6 +1,10 @@ moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.*strongswan.org::YES carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES dave:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES +moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES +moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES +carol::cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES +dave:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES moon:: cat /var/log/daemon.log::certificate status is good::YES carol::cat /var/log/daemon.log::certificate status is good::YES dave:: cat /var/log/daemon.log::certificate status is good::YES diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat index a2ce5ad93..a6ae74fe3 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat @@ -1,5 +1,5 @@ moon:: cat /var/log/daemon.log::requesting ocsp status from::YES -moon:: cat /var/log/daemon.log::ocsp response verification failed::YES +moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer::YES moon:: cat /var/log/daemon.log::certificate status is not available::YES moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem index f586a9414..94bf123d2 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIID+DCCAuCgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MIID+DCCAuCgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MDMyNDIwMzc0N1oXDTE0MDMyMzIwMzc0 -N1owYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MDMyNDE0MjM1MloXDTE5MDMyMzE0MjM1 +MlowYTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGDAW BgNVBAsTD1Jlc2VhcmNoIG5vIENEUDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPqE4le5QodSA+ -NXnQ1IFI0XWcBDDwQDNcQ6qMScSCaboPFCLrlC9E70J2eGeX2v/UDTQpEOxQ4fGX -Efk0/MdJjnWGAO95jEInNJ+DuexfrP5REiryKDfryA0d6xiQb/a2M7UuDgxPgyZf -VyvU7SHebue4317v5NyGJeRnkN3/onNpdjpWu9Le9DqenBQ2SITgo7NsVsNsqhnT -1jg2jfxJ8OXzi7/6JvuxxweCoDxr+KeKIViFAqNlyufeyIvowdjHTlJRvN/9Wl+/ -jPiHmFcIyIc1o8EUHzM9AEIWtB2DeHL62e7LVJbjMXsLAkTggc3BkGE2cWFOBY0f -J4R+AKWDAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O -BBYEFIuo2f3quxaDSQ4lj9zJcPYmmc8iMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXPVagzyvHEGzA +6jWum0URx2TSMs8cM991OU3n8fkBiLEY9H8DUbjEZlZ0mgcxTOSXSmyqmW+10QCy +yHPBtR0kxNY/Bl/+QppnB7IpFCR9bsvA4bySYUbdlQWdIPGTmT1polGtoF1mPZ2r +JqN+Ai5jnFduJ+/189l8chqcz8KlJ2Jp72OaeYqQpgDfo63hqS71OzyY1Cu27vHl +ay186P+HW75yr5YMwxtYk/rZ6jHRMXFwmI+bq1vgpKYHTomaVCG3zDUD+1XsGVBX +u3z6qh6FaxxDPizT/fcCbYcYGbKjJw14JOqfddeAHZe+N41Wev0gAhOCIgUiMoxV +bbx0XkMzAgMBAAGjgcowgccwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O +BBYEFHtMZgnElcGoYKmMUvCkQaloTKKfMG0GA1UdIwRmMGSAFOd18KDyrSDNzWAj zMfIDynz3VQgoUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry -b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEPMB8GA1UdEQQY -MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQBiOKAx -ePEwlga++nOpkfBg6ESag5/VWfnAp1zRpXHXnRak10OTtCPDjmJiDUzlKBwolwJN -I6T3S7eg+M04E3r5IHn3i+HtQcENkq02YUPiUXS5cvLtzKMPIm8pYCj7/5pXxAek -nHGRdBZkQiGDz49H9rPKxLdJDTLCXpj4l9uOFgsbiQ3k5SyWq5oMhtZsf4VKqAd+ -77Mbn9pnjjy53wLuzjaMVX+K5KKotPNeSHH/pWh9RqNROmf6F2B0nZhW5Aryxa9/ -24GRkZEPZ+cqhtwgVjq5aImzdSrARJQ1tu6lZqNB5b9klYSAi+al0FrvUFoG58Qt -eWeiFXLvAtXTGoax +b25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEgMB8GA1UdEQQY +MBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCWS7T3 +Np88w0oHJAeMJUdfNGVSlhPFrtqnrNDqYleLEgY2XwJj6cxottILtvgJ+nbsT4uz +bp5Qk4pygNG3wESt0avGptgSs0Pued/CdHMyyFTrFw/RN7113eTHShDfTtnS0dhh +6AkI2lxFcNwrGMGh2CqdOyApDYqdm5qayk2CSKnoWOvEL1+SLyfy+XIYCFkarfbv +ZTCWeO/R8doQVZ+H2gW6NloYJVkUpfMHCqTpd9psAK+hvc/R+6eP03wmhAb8S4mK +OGdb8VOT7CAaL8f37vrDvj08nOG32j24/JOyrtS7vuAhP2QmDDF15XucygtgskRB +iQNoCoi+dBX92ol4 -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem index b91f9bf81..f4b0af38c 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi -65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq -8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 -VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY -hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu -y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz -0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX -FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH -gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z -PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D -nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El -U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF -mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm -MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB -UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy -G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz -Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY -hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu -PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah -tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr -s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy -uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J -ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu -LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx -Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +MIIEpQIBAAKCAQEA1z1WoM8rxxBswOo1rptFEcdk0jLPHDPfdTlN5/H5AYixGPR/ +A1G4xGZWdJoHMUzkl0psqplvtdEAsshzwbUdJMTWPwZf/kKaZweyKRQkfW7LwOG8 +kmFG3ZUFnSDxk5k9aaJRraBdZj2dqyajfgIuY5xXbifv9fPZfHIanM/CpSdiae9j +mnmKkKYA36Ot4aku9Ts8mNQrtu7x5WstfOj/h1u+cq+WDMMbWJP62eox0TFxcJiP +m6tb4KSmB06JmlQht8w1A/tV7BlQV7t8+qoehWscQz4s0/33Am2HGBmyoycNeCTq +n3XXgB2XvjeNVnr9IAITgiIFIjKMVW28dF5DMwIDAQABAoIBAQC44viRw8OgCAzT +HZwlMzz+S5/gK0Lav/g38pRoI+M4HRm7DPI5gK5NDnc/S7vX7mwBRS3Y0Voy/Kgz +6pn8j73MAsTieHBmsQF+dQ7l2GaL1GtzcLSRrLu5xLOAyHaayawGHCc7FKCGHXFd +PiB8MhV0/Svg9K9cPy3XhxAzGQfi4kF9+a3+3NDWnV4kcQbW6s3ykGBF9xxqZu5K +gbvDxNhZFrcv65SMBwghjdDldngtjMB3ZbiMRltobbvTRWHwqgd9V1qf2g3at1dZ +z8ws8UFOhWgCsvT/W+2pPBCJFz0dvfJXCiaWbA4kCmHViJVIoxtdREj5EtmaSQtT +cENSR0HRAoGBAO9jbCUy/dfqPvFowEfpDu1jBrGFoxL8UY8K8wr+NCjbusmbB7+a +n5XLkrpyBGlNSYa1zP1eNpsLq+ee5XTwEbXMWDaOfMNlURNiHy9KfHnEZ4UVDKfa +WW9skfS7adFxwkOxAOM7BynsIrcJ8OgBrP+gKTM4aKvZNRcfGfZAhaj5AoGBAOYs +7c8z0M9JvN9RDpyXT51Rus24n2ApsupPwMeGZwoz45EJPzK9FUFq+x6abENFCGrp +xQ4Sg8QSGSAL78j2jEo+d8qRGoUr7o8zJElfsx/ZvELR3cGgv8Aut7vwW6/SNKlz +MTDiqaf9H9FEEwKV1hbauuJrS1VOMtMAbGG27KSLAoGBAKTozcg2f24tXVz6d3NS +VskrraG/WN6sWRb8SP+qrI31CJD3rnfM8eDEU3kDMIzGBD+7n9JvA5j9ilfOO226 +L8kYUzCKKeKFOjvrHWZ7npJXvaSNIqHDJlc+6LE6JiR1hIkTN3RR5pZ3qFaFj6KT +/PRABgHV+y1fPVaHQ2BDhJApAoGAU9PxGBFK7vNv8fTXWXhR6n2lht7CTIdjPaqm +DwSH6lNTgbLYbWYno5eOtWqQGz+8/RL+TU2452Of+ufeAFaqaS+u+Ps3qWCClWyO +vpo35lWqFrvQA4DD1P4utCepfLMVstDdDWy/VQr+13vvYHWpbtFiVqu01/CO2gHB +dyTjslkCgYEAhsDsPqKdlh1DzVZudNUeMRaE2V6yG937Vf9VB/rNphm+gEwwmM3l +/kfErgTcYzgjV/2csIVZxm9nk17A+ZnPUnIDW2keI1+eIPw/IEWceX+4adKwiv5h +IL5HsD/O12ZD8Mi5mmkGgNVI4nN8TldxiHvh7tAxQQiMrv/AnHTiA8A= -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem index cae8184f6..c464df579 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELTCCAxWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MIIELTCCAxWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTA5MDMyNDIxMTA1M1oXDTE0MDMyMzIxMTA1M1owXTEL +BAMTCFNhbGVzIENBMB4XDTE0MDMyNDE1MjcwMloXDTE5MDMyMzE1MjcwMlowXTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsT DFNhbGVzIG5vIENEUDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqgEdIrRiLkrf0UfCB4xUyx/5cs -Ka5h1MNBks2cKP6uABOL+jnlkRtyVFIOOCuNMgcK+873LC87UU32zapbe6Ph46aN -5M9ADMA6PtVeNkJIetVSVtT9DUL5II4kJ/hJUjINbt7omAiDAIWDGKNmTCsR18Ua -o1O/QFbiTT96fMFKX8EXiJgMt/5+vOWG0s1nGz6gn40R/2K52EvBmu5v0M3TX67c -YQFgBqMNfvnk0jLy10pEHro1OjgiTTj1DQd55ydSKGa0JvMDT/GOQeR87zkshRLz -bhxXOt4Ej2kkYbs9ILm7jKa9XfUYI58vCYLHwhGzpLZSsJ2xXkgfAAIFTI8CAwEA -AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57r -UdNRbytUkRGYGjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7tkn1sXzlBRzSVHoPoct2D0kht +E/Tf+LnryMsw79IBMfiOU61ijdwx2jCLxUh7t90NEIN4CdpIYqzc/1Yi/LWXD9+G +8gBwft5nqTIz8S8Lf6Qiy4LjGXV3VWpDMZLLRJL5ZWm+0ZN8Wtp9qglVh4LnQSiy ++NYTlxnRtPB7xkwia287wn4aQfNJpNhlocXdSpGIF5bNIQm32n84SDMafXtuA+vv +8/72nBiy2SWhkAd+CiNq5dnZkYGnIFL718V6Zu4kmZQhzM3gi/7POZCkOCeSZVeh +AJJf1mJI7SJH54XYkZLUS5EG6ad3kBf1nFGRAjPgwxQHhfUlP8njpjsV7WUCAwEA +AaOCAQgwggEEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSYfvgn +nLJ1nMbHDd2zdo60Qpy0HDBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guT KKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4x -GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZl +GzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBITAeBgNVHREEFzAVgRNkYXZl QHN0cm9uZ3N3YW4ub3JnMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0 -cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQEFBQADggEB -ADn1ow4aGxckB4HsJQf1Z6LFpiCOExqhqcK/+fsFcl/WM3F0F+1TbEWzwFzDj3Yu -5gH6DQ/c0Fp+WYCKAbZXdYoKHJDSZY0BsoD7Nglc1r+l1wFRv1UGF5DoYZPryHGA -FkusMTUQMvWRRmN9PsURQ77DsmAtryKi5aDQ/rAiPIJK67bQ0HmvPAynO8IF2Fd9 -GpqFSc0gZni9NQszVUH33nuLlZP1hFC5MDeqhcqgmUL/GZbs7DZYThF4INBryfOg -xFE73CpyNQHHmfT23TLsrFD5IXCp3z3oMtCtTphwUnCJrEzZ1H7mJ+xSJoJ3MOqd -mNs1ygehz0a99cPoX1j/iwo= +cDovL29jc3AyLnN0cm9uZ3N3YW4ub3JnOjg4ODIwDQYJKoZIhvcNAQELBQADggEB +AK3d7gR8IpPu03rV/RnOx4seoZAgm6//nCvP2ceFrEy4tbihnJ+QDvwrgKb/UvwK +yERLXh/X7WhDyLSyVrbQq/Jj4xEOB5PMSItpmiDHYGX+YaiymZT3VsTJah1zqxSe +amqHhrlW2U+UDqz/7vFClknSO6tn1vbNo4miYiVALGtRSMhFhVZsXfnA9+VKLdua +vvdeueRCDg7aXPfAU0MAdcJIYoegJRnLZsJ4IfE/OWvMFnR1w4NmhIHhNT8T/ib0 +3pi2cp6JeSOcZ1Upd2napUoGd2U4XfNE15XGCdoVRazA1STWhfHwu/aBUnINpk0M +zqpIrvuM6lklZb8gUl4pPwc= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem index 022436de4..e4054aee9 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 -OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW -1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI -mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe -ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM -pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 -mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c -JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz -0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq -8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 -3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u -U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ -Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs -MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS -sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B -oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 -1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i -bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 -AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO -9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX -3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw -px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP -qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt -/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ -UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +MIIEogIBAAKCAQEAzu2SfWxfOUFHNJUeg+hy3YPSSG0T9N/4uevIyzDv0gEx+I5T +rWKN3DHaMIvFSHu33Q0Qg3gJ2khirNz/ViL8tZcP34byAHB+3mepMjPxLwt/pCLL +guMZdXdVakMxkstEkvllab7Rk3xa2n2qCVWHgudBKLL41hOXGdG08HvGTCJrbzvC +fhpB80mk2GWhxd1KkYgXls0hCbfafzhIMxp9e24D6+/z/vacGLLZJaGQB34KI2rl +2dmRgacgUvvXxXpm7iSZlCHMzeCL/s85kKQ4J5JlV6EAkl/WYkjtIkfnhdiRktRL +kQbpp3eQF/WcUZECM+DDFAeF9SU/yeOmOxXtZQIDAQABAoIBAHGuCqBk/RtTRW8Z +zR3igdg4Jzoq0p/gu6BIbJNUWywgA/ftGQNT9WNW7+tjngpoDWafWscfFyqYQb19 +27jSl8qbJtlCJYkgRFKi2E0ARCv4QTNG+k75vG7QFFjAeWePzCiCYrhpYHGKC8+k +4dkm579+lElrqVDSilxg3OqQ1SvVcBPn+ADsFBR30Z7xvxU2iJV+A+zw7tV9EQhU +4t0zGny5lsxNSr57FbJDn5Y+aUoXo7okty2MAjL0jEXM5bwgOsgBYWQass1hhFRb +EnGk+WJTZUs0o1+WPi+2hrNHFwAKBzfI4ZRigEPa4monRDeCnyOe64qhb+koC/AA +MNulG4ECgYEA5zIAmtGivoC92ffuQd+uk0mXNYSnKQFIYbs7L/GO8xLX1lzZQeA3 +tRRUM6s3aAmoB1q69x60HFulL/WmMvx+uKGrRIIimXTvRunxt2QFHAcnkAR3C4Vt +habUbilP9qbj6wWU6GCyopkPC2OQmQgy9bE6f/6E6ArlYafatPMzQAkCgYEA5SEL +oVbUXfyD9M7dm0q9R4GvzKIyg1l+afdXCCS4VoEhg+Sq94wBDjpezctt/8WhICau +uoZzTZ9Y1SEsQ9JMQ0XCurV6C9eIR+mNrq4Ik7oqVMe7IbOoaYwuOpY8cJQXRNfR +6EGthY2wZtzE7a4OyuinWUkfyzQcnwV6nb/6oX0CgYA5bIwF6Ef59VQyjYhaSEq+ +PqsWGerDHpRx4eVjlSYibe26SrmTyTNNAM2hP8e1SaC4ouqJctDdsk2nSeaMB3ca +ON2nWINrhkXgYT8ug+NZANXsyY8gB3YamkNtUUmRRAacW3iO92WnSUkZVROXTxgJ +OooDPJ6aXAp5ZQ3HoBh8sQKBgFXT5AxifxhZr4AzQRWbkH1JmfWYSD2ld1HwQZye +TKKyqkBClrw1qGuQ99Q0wJaPjASEGO1r0aMg7mCflXouOzzz07ampfnrmXP+i4EE +VdgoYxTw4CsGpi4rQWHWxvsQrgquoUVT3NDrO0m8ptO1YHsnXRB38L3oXlQ+9ChF +MnftAoGAOVoCOlqqnkUY/u7U3tWu2W5WUnqdsopBxXHhygFKoJS9IcKx5gYoxTTj +XJBGrKU/PD7TIQevRvdIqZFI+PtinhSF1z3zFMoCoKhaNOnul+hNYMn/IwxJFv1Y +XqDI8srXac4vcTsKV0OtPnirx3+pnRlrQupNRZLocZciygUY7PM= -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat index 6ba1be6b1..0e97d45bd 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat @@ -1,6 +1,5 @@ moon:: cat /var/log/daemon.log::requesting ocsp status from::YES -moon:: cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES -moon:: cat /var/log/daemon.log::ocsp response verification failed::YES +moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer certificate::YES moon:: cat /var/log/daemon.log::certificate status is not available::YES moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 102801a92..4e2acefeb 100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 102801a92..4e2acefeb 100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 102801a92..4e2acefeb 100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf index 69f9845af..bbbafd71b 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown -} -libstrongswan { integrity_test = yes } diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf index 69f9845af..bbbafd71b 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown -} -libstrongswan { integrity_test = yes } diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf index 8caa11c97..66d8fb315 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf @@ -2,8 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown -} -libstrongswan { integrity_test = yes } diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf index 6c8911e5a..3eda3aa58 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown -} -libstrongswan { integrity_test = yes } diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf index 535b37210..1a0f83687 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no plugins { diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf index 535b37210..1a0f83687 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac gcm stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no plugins { diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat index a436131bf..06d4dd917 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat @@ -1,5 +1,6 @@ carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index 4272d98be..5e06976d1 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + charondebug="tls 2" conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index 2eb2adc78..d397fe6f6 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -1,6 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown + multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index b9a58e902..37fa2b435 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + charondebug="tls 2" conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 2eb2adc78..ac6642e5b 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -1,6 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown + multiple_authentication=no } + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 +} diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat index 283099acb..407427a0d 100644 --- a/testing/tests/ikev2/rw-mark-in-out/posttest.dat +++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat @@ -6,7 +6,5 @@ alice::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush sun::ip route del 10.1.0.0/16 via PH_IP_MOON -sun::conntrack -F sun::rm /etc/mark_updown moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/libipsec/net2net-3des/description.txt b/testing/tests/libipsec/net2net-3des/description.txt new file mode 100644 index 000000000..632162c31 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/description.txt @@ -0,0 +1,9 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b> +plugin is used for userland IPsec ESP encryption. The negotiated encryption and authentication +algorithms are <b>3DES</b> and <b>SHA-1</b>, respectively. +<p/> +Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b> +behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat new file mode 100644 index 000000000..f60fea6bf --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/evaltest.dat @@ -0,0 +1,11 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES +sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon::ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES +sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES +sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f1d328fe5 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=3des-sha1-modp1024! + esp=3des-sha1-modp1024! + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftupdown=/etc/updown + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..97bb34aed --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown new file mode 100755 index 000000000..1a68ada0e --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown @@ -0,0 +1,705 @@ +#! /bin/sh +# iproute2 version, default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +prepare-host-v6:*|prepare-client-v6:*) + ;; +route-host-v6:*|route-client-v6:*) + # connection to me or my client subnet being routed + #uproute_v6 + ;; +unroute-host-v6:*|unroute-client-v6:*) + # connection to me or my client subnet being unrouted + #downroute_v6 + ;; +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..3bd31c61f --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=3des-sha1-modp1024! + esp=3des-sha1-modp1024! + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftupdown=/etc/updown + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..97bb34aed --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown new file mode 100755 index 000000000..1a68ada0e --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown @@ -0,0 +1,705 @@ +#! /bin/sh +# iproute2 version, default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +prepare-host-v6:*|prepare-client-v6:*) + ;; +route-host-v6:*|route-client-v6:*) + # connection to me or my client subnet being routed + #uproute_v6 + ;; +unroute-host-v6:*|unroute-client-v6:*) + # connection to me or my client subnet being unrouted + #downroute_v6 + ;; +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/net2net-3des/posttest.dat b/testing/tests/libipsec/net2net-3des/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat new file mode 100644 index 000000000..c724e5df8 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/libipsec/net2net-3des/test.conf b/testing/tests/libipsec/net2net-3des/test.conf new file mode 100644 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/libipsec/net2net-3des/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf index 06bcaa1e5..69c6e3222 100644 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf +++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf @@ -4,9 +4,7 @@ charon { load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown initiator_only = yes -} -libstrongswan { plugins { openssl { fips_mode = 2 diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf index 06bcaa1e5..69c6e3222 100644 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf +++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf @@ -4,9 +4,7 @@ charon { load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown initiator_only = yes -} -libstrongswan { plugins { openssl { fips_mode = 2 diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf index efa0575e5..fa8dd94a4 100644 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown -} -libstrongswan { plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf index 628476313..490146249 100644 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -3,9 +3,7 @@ charon { load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no -} -libstrongswan { x509 { enforce_critical = no } diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt new file mode 100644 index 000000000..bd680b57a --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat new file mode 100644 index 000000000..460c659d9 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..7601113ab --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.asc + leftid=@#71270432cd763a18020ac988c0e75aed + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightcert=sunCert.asc + auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..afb1ff927 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.asc diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..aea93d234 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown +} + diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..641c3d929 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftcert=sunCert.asc + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=moonCert.asc + rightid=@#71270432cd763a18020ac988c0e75aed + auto=add diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..ee98b1611 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA sunKey.asc diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..aea93d234 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown +} + diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat new file mode 100644 index 000000000..9a9513dc3 --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +sun::rm /etc/ipsec.d/certs/* +sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat new file mode 100644 index 000000000..0f4ae0f4f --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 9f31821cd..a952c8189 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 5708510ef..d9d650c8b 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { required = yes diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index f065861dc..065050d5b 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat index a2c02f630..7d32c11c3 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat @@ -1,7 +1,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES -carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES +carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index 6072bb335..c55b0a9b6 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown + load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 5660f4376..af4737fbe 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown + load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } libtls { - key_exchange = ecdhe-ecdsa - cipher = aes128 - mac = sha256 + suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 } diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf index 128d4f2d9..8a8e08e22 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf @@ -4,14 +4,13 @@ charon { load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default initiator_only = yes -} - -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf index 958a502c2..c97a52088 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf @@ -7,14 +7,13 @@ charon { retransmit_base = 1.5 retransmit_tries = 3 initiator_only = yes -} - -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf index fc49f9fd2..a234b6cca 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf @@ -2,14 +2,14 @@ charon { load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default -} -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf index 128d4f2d9..8a8e08e22 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf @@ -4,14 +4,13 @@ charon { load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default initiator_only = yes -} - -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf index 958a502c2..c97a52088 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf @@ -7,14 +7,13 @@ charon { retransmit_base = 1.5 retransmit_tries = 3 initiator_only = yes -} - -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf index fc49f9fd2..a234b6cca 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf @@ -2,14 +2,14 @@ charon { load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default -} -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/p2pnat/behind-same-nat/posttest.dat b/testing/tests/p2pnat/behind-same-nat/posttest.dat index a1d5b4612..f02095725 100644 --- a/testing/tests/p2pnat/behind-same-nat/posttest.dat +++ b/testing/tests/p2pnat/behind-same-nat/posttest.dat @@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush moon::iptables-restore < /etc/iptables.flush -moon::conntrack -F diff --git a/testing/tests/p2pnat/medsrv-psk/posttest.dat b/testing/tests/p2pnat/medsrv-psk/posttest.dat index 4b696b90f..90a729237 100644 --- a/testing/tests/p2pnat/medsrv-psk/posttest.dat +++ b/testing/tests/p2pnat/medsrv-psk/posttest.dat @@ -6,5 +6,3 @@ carol::iptables-restore < /etc/iptables.flush bob::iptables-restore < /etc/iptables.flush moon::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush -moon::conntrack -F -sun::conntrack -F diff --git a/testing/tests/pfkey/nat-rw/posttest.dat b/testing/tests/pfkey/nat-rw/posttest.dat index 4643a3a7b..bc7d23771 100644 --- a/testing/tests/pfkey/nat-rw/posttest.dat +++ b/testing/tests/pfkey/nat-rw/posttest.dat @@ -5,4 +5,3 @@ alice::iptables-restore < /etc/iptables.flush venus::iptables-restore < /etc/iptables.flush sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf index 3da60b82f..8aa0ef4f5 100644 --- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf index 3da60b82f..8aa0ef4f5 100644 --- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf index 3da60b82f..8aa0ef4f5 100644 --- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 7cd88f5da..101bd2e2b 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -7,9 +7,7 @@ charon { } } load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 7cd88f5da..101bd2e2b 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -7,9 +7,7 @@ charon { } } load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 7cd88f5da..101bd2e2b 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -7,9 +7,7 @@ charon { } } load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat index f7d86ec7f..97ff0c1ec 100644 --- a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat @@ -6,7 +6,7 @@ carol::cat /etc/tnc_config carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id dave::cat /etc/tnc_config -alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data.sql +alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db alice::ipsec start winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt new file mode 100644 index 000000000..29976509a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt @@ -0,0 +1,26 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b> +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b> +client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair +is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to +exchange PA-TNC attributes. +<p> +<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes +<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front +to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an +<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference +measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to +measure a couple of individual files and the files in the <b>/bin</b> directory as +well as to get metadata on the <b>/etc/tnc_confg</b> configuration file. +<p> +Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements, +the mandatory default being <b>ecp256</b>, with the strongswan.conf option +<b>mandatory_dh_groups = no</b> no ECC support is required. +<p> +<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is +enabled. Based on these assessments which are communicated to the IMCs using the +<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b> +to the "rw-allow" and "rw-isolate" subnets, respectively. +</p> diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat new file mode 100644 index 000000000..5eb944055 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat @@ -0,0 +1,20 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: cat /var/log/daemon.log::added group membership 'allow'::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..d17473db1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..72bf2c7c9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} + +libimcv { + plugins { + imc-os { + push_info = yes + } + imc-attestation { + mandatory_dh_groups = no + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..15dc93a0a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..d459bfc6c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..6f71994ae --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -0,0 +1,25 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + tnc-imc { + preferred_language = de + } + } +} + +libimcv { + plugins { + imc-os { + push_info = no + } + imc-attestation { + mandatory_dh_groups = no + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..15dc93a0a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..bc8b2d8f9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imv 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql new file mode 100644 index 000000000..2bb7e7924 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql @@ -0,0 +1,29 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 28, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 16, 2, 0 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e76598b9a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf @@ -0,0 +1,34 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-2.0 + } + } +} + +libimcv { + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + plugins { + imv-attestation { + hash_algorithm = sha1 + dh_group = modp2048 + mandatory_dh_groups = no + } + } +} + +attest { + load = random nonce openssl sqlite + database = sqlite:///etc/pts/config.db +} + diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..6507baaa1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat new file mode 100644 index 000000000..48514d6e0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +carol::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat new file mode 100644 index 000000000..49ea0416e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat @@ -0,0 +1,18 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +moon::ipsec start +dave::ipsec start +carol::ipsec start +dave::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 +moon::ipsec attest --sessions +moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf new file mode 100644 index 000000000..a8a05af19 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf index e6f5ad365..f4ea047ec 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf @@ -2,20 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + integrity_test = yes + plugins { eap-tnc { protocol = tnccs-1.1 } - } -} - -libstrongswan { - integrity_test = yes -} - -libimcv { - plugins { imc-test { command = allow } diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf index db91eace4..4c738ce42 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf @@ -2,20 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + multiple_authentication=no + integrity_test = yes + plugins { eap-tnc { protocol = tnccs-2.0 } - } -} - -libstrongswan { - integrity_test = yes -} - -libimcv { - plugins { imc-test { command = isolate } diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf index 3fc6c3a4b..0b1cf10eb 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf @@ -2,7 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown + multiple_authentication=no + integrity_test = yes + plugins { eap-ttls { phase2_method = md5 @@ -14,17 +17,3 @@ charon { } } } - -libstrongswan { - integrity_test = yes -} - -libimcv { - plugins { - imv-scanner { - closed_port_policy = yes - tcp_ports = 22 - udp_ports = 500 4500 - } - } -} |