summaryrefslogtreecommitdiff
path: root/src/conftest
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
commit7585facf05d927eb6df3929ce09ed5e60d905437 (patch)
treee4d14b4dc180db20356b6b01ce0112f3a2d7897e /src/conftest
parentc1343b3278cdf99533b7902744d15969f9d6fdc1 (diff)
downloadvyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz
vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip
Imported Upstream version 5.0.2
Diffstat (limited to 'src/conftest')
-rw-r--r--src/conftest/Makefile.in26
-rw-r--r--src/conftest/README9
-rw-r--r--src/conftest/config.c34
-rw-r--r--src/conftest/conftest.c57
-rw-r--r--src/conftest/conftest.h5
-rw-r--r--src/conftest/hooks/reset_seq.c77
6 files changed, 156 insertions, 52 deletions
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index ea26b70e7..960705ce1 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -111,6 +111,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -138,6 +139,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -165,6 +167,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -177,6 +180,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -230,7 +234,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -379,7 +382,7 @@ clean-ipsecPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES)
+conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) $(EXTRA_conftest_DEPENDENCIES)
@rm -f conftest$(EXEEXT)
$(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS)
@@ -864,10 +867,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/src/conftest/README b/src/conftest/README
index e2156921f..617195df9 100644
--- a/src/conftest/README
+++ b/src/conftest/README
@@ -98,9 +98,10 @@ The IKE_SA configuration uses the following options (as key/value pairs):
src/libstrongswan/crypt/proposal/proposal_keywords.txt
fake_nat: Fake the NAT_DETECTION_*_IP payloads to simulate a NAT
scenario
- rsa_strength: connection requires a trustchain with RSA keys of given bits
- ecdsa_strength: connection requires a trustchain with ECDSA keys of given bits
- cert_policy: connection requries a certificate with the given OID policy
+ rsa_strength: Connection requires a trustchain with RSA keys of given bits
+ ecdsa_strength: Connection requires a trustchain with ECDSA keys of given bits
+ cert_policy: Connection requries a certificate with the given OID policy
+ named_pool: Name of an IP pool defined e.g. in a database backend
The following CHILD_SA specific configuration options are supported:
@@ -109,6 +110,7 @@ The following CHILD_SA specific configuration options are supported:
transport: Propose IPsec transport mode instead of tunnel mode
tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the
given length
+ proposal: CHILD_SA proposal list, same syntax as IKE_SA proposal list
6. Credentials
--------------
@@ -238,6 +240,7 @@ Currently, the following hooks are defined with the following options:
rebuild_auth: rebuild AUTH payload, i.e. if ID payload changed
reset_seq: Reset sequence numbers of an ESP SA
delay: Seconds to delay reset after SA established
+ oseq: Sequence number to set, default is 0
set_critical: Set critical bit on existing payloads:
request: yes to set in request, no in response
id: IKEv2 message identifier of message to mangle payloads
diff --git a/src/conftest/config.c b/src/conftest/config.c
index cbc6ac05f..ae0d93460 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -101,12 +101,13 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
proposal_t *proposal;
char *token;
- ike_cfg = ike_cfg_create(TRUE,
+ ike_cfg = ike_cfg_create(IKEV2, TRUE,
settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config),
settings->get_str(settings, "configs.%s.lhost", "%any", config), FALSE,
settings->get_int(settings, "configs.%s.lport", 500, config),
settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
- settings->get_int(settings, "configs.%s.rport", 500, config));
+ settings->get_int(settings, "configs.%s.rport", 500, config),
+ FRAGMENTATION_NO);
token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
if (token)
{
@@ -143,9 +144,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
proposal_t *proposal;
traffic_selector_t *ts;
ipsec_mode_t mode = MODE_TUNNEL;
- host_t *net;
char *token;
- int bits;
u_int32_t tfc;
if (settings->get_bool(settings, "configs.%s.%s.transport",
@@ -183,16 +182,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
}
- token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config);
+ token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);
if (token)
{
enumerator = enumerator_create_token(token, ",", " ");
while (enumerator->enumerate(enumerator, &token))
{
- net = host_create_from_subnet(token, &bits);
- if (net)
+ ts = traffic_selector_create_from_cidr(token, 0, 0);
+ if (ts)
{
- ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
}
else
@@ -208,16 +206,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
}
- token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config);
+ token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config, child);
if (token)
{
enumerator = enumerator_create_token(token, ",", " ");
while (enumerator->enumerate(enumerator, &token))
{
- net = host_create_from_subnet(token, &bits);
- if (net)
+ ts = traffic_selector_create_from_cidr(token, 0, 0);
+ if (ts)
{
- ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
}
else
@@ -247,11 +244,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
child_cfg_t *child_cfg;
enumerator_t *enumerator;
identification_t *lid, *rid;
- char *child, *policy;
+ char *child, *policy, *pool;
uintptr_t strength;
ike_cfg = load_ike_config(this, settings, config);
- peer_cfg = peer_cfg_create(config, IKEV2, ike_cfg, CERT_ALWAYS_SEND,
+ peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND,
UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0, 0,
FALSE, NULL, NULL);
@@ -266,12 +263,12 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
rid = identification_create_from_string(
settings->get_str(settings, "configs.%s.rid", "%any", config));
- strength = settings->get_int(settings, "configs.%s.rsa_strength", 0);
+ strength = settings->get_int(settings, "configs.%s.rsa_strength", 0, config);
if (strength)
{
auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
}
- strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0);
+ strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0, config);
if (strength)
{
auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
@@ -283,6 +280,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
}
auth->add(auth, AUTH_RULE_IDENTITY, rid);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+ pool = settings->get_str(settings, "configs.%s.named_pool", NULL, config);
+ if (pool)
+ {
+ peer_cfg->add_pool(peer_cfg, pool);
+ }
DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid);
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index 6491fd294..c2251effa 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -26,6 +26,7 @@
#include "config.h"
#include "hooks/hook.h"
+#include <bus/listeners/file_logger.h>
#include <threading/thread.h>
#include <credentials/certificates/x509.h>
@@ -322,6 +323,7 @@ static bool load_hooks()
*/
static void cleanup()
{
+ file_logger_t *logger;
hook_t *hook;
DESTROY_IF(conftest->test);
@@ -344,6 +346,13 @@ static void cleanup()
}
conftest->config->destroy(conftest->config);
}
+ while (conftest->loggers->remove_last(conftest->loggers,
+ (void**)&logger) == SUCCESS)
+ {
+ charon->bus->remove_logger(charon->bus, &logger->logger);
+ logger->destroy(logger);
+ }
+ conftest->loggers->destroy(conftest->loggers);
free(conftest->suite_dir);
free(conftest);
libcharon_deinit();
@@ -369,32 +378,46 @@ static void load_log_levels(file_logger_t *logger, char *section)
}
/**
+ * Load logger options for a logger from section
+ */
+static void load_logger_options(file_logger_t *logger, char *section)
+{
+ bool ike_name;
+ char *time_format;
+
+ time_format = conftest->test->get_str(conftest->test,
+ "log.%s.time_format", NULL, section);
+ ike_name = conftest->test->get_bool(conftest->test,
+ "log.%s.ike_name", FALSE, section);
+
+ logger->set_options(logger, time_format, ike_name);
+}
+
+/**
* Load logger configuration
*/
static void load_loggers(file_logger_t *logger)
{
enumerator_t *enumerator;
char *section;
- FILE *file;
load_log_levels(logger, "stdout");
+ load_logger_options(logger, "stdout");
+ /* Re-add the logger to propagate configuration changes to the
+ * logging system */
+ charon->bus->add_logger(charon->bus, &logger->logger);
enumerator = conftest->test->create_section_enumerator(conftest->test, "log");
while (enumerator->enumerate(enumerator, &section))
{
if (!streq(section, "stdout"))
{
- file = fopen(section, "w");
- if (file == NULL)
- {
- fprintf(stderr, "opening file %s for logging failed: %s",
- section, strerror(errno));
- continue;
- }
- logger = file_logger_create(file, NULL, FALSE);
+ logger = file_logger_create(section);
+ load_logger_options(logger, section);
+ logger->open(logger, FALSE, FALSE);
load_log_levels(logger, section);
charon->bus->add_logger(charon->bus, &logger->logger);
- charon->file_loggers->insert_last(charon->file_loggers, logger);
+ conftest->loggers->insert_last(conftest->loggers, logger);
}
}
enumerator->destroy(enumerator);
@@ -433,16 +456,18 @@ int main(int argc, char *argv[])
INIT(conftest,
.creds = mem_cred_create(),
+ .config = config_create(),
+ .hooks = linked_list_create(),
+ .loggers = linked_list_create(),
);
+ lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
- logger = file_logger_create(stdout, NULL, FALSE);
+ logger = file_logger_create("stdout");
+ logger->set_options(logger, NULL, FALSE);
+ logger->open(logger, FALSE, FALSE);
logger->set_level(logger, DBG_ANY, LEVEL_CTRL);
charon->bus->add_logger(charon->bus, &logger->logger);
- charon->file_loggers->insert_last(charon->file_loggers, logger);
-
- lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
- conftest->hooks = linked_list_create();
- conftest->config = config_create();
+ conftest->loggers->insert_last(conftest->loggers, logger);
atexit(cleanup);
diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h
index 2caf9b3ce..6bbdabd07 100644
--- a/src/conftest/conftest.h
+++ b/src/conftest/conftest.h
@@ -64,6 +64,11 @@ struct conftest_t {
* Action handling
*/
actions_t *actions;
+
+ /**
+ * Test specific loggers
+ */
+ linked_list_t *loggers;
};
/**
diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c
index 6fb7a2e4b..100977324 100644
--- a/src/conftest/hooks/reset_seq.c
+++ b/src/conftest/hooks/reset_seq.c
@@ -12,6 +12,27 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
+/*
+ * Copyright (C) 2012 achelos GmbH
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
#include "hook.h"
@@ -40,21 +61,46 @@ struct private_reset_seq_t {
* Delay for reset
*/
int delay;
+
+ /**
+ * Sequence number to set for outgoing packages
+ */
+ int oseq;
+};
+
+typedef struct reset_cb_data_t reset_cb_data_t;
+
+/**
+ * Data needed for the callback job
+ */
+struct reset_cb_data_t {
+
+ /**
+ * The SA to modify
+ */
+ struct xfrm_usersa_id usersa;
+
+ /**
+ * Sequence number to set for outgoing packages
+ */
+ int oseq;
};
/**
* Callback job
*/
-static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
+static job_requeue_t reset_cb(struct reset_cb_data_t *data)
{
netlink_buf_t request;
struct nlmsghdr *hdr;
struct xfrm_aevent_id *id;
struct rtattr *rthdr;
+ struct xfrm_replay_state *rpstate;
struct sockaddr_nl addr;
int s, len;
- DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi));
+ DBG1(DBG_CFG, "setting sequence number of SPI 0x%x to %d",
+ htonl(data->usersa.spi), data->oseq);
memset(&request, 0, sizeof(request));
@@ -66,13 +112,22 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
- id->sa_id = *data;
+ id->sa_id = data->usersa;
rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
rthdr->rta_type = XFRMA_REPLAY_VAL;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
hdr->nlmsg_len += rthdr->rta_len;
+ /* xfrm_replay_state is the structure the kernel uses for
+ * replay detection, and the oseq element contains the
+ * sequence number for outgoing packets. Currently, this
+ * function sets the other elements seq (records the number of
+ * incoming packets) and bitmask to zero, but they could be
+ * adjusted in the same way as oseq if required. */
+ rpstate = (struct xfrm_replay_state*)RTA_DATA(rthdr);
+ rpstate->oseq = data->oseq;
+
s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
if (s == -1)
{
@@ -97,17 +152,21 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
static void schedule_reset_job(private_reset_seq_t *this, host_t *dst,
u_int32_t spi)
{
- struct xfrm_usersa_id *data;
+ struct reset_cb_data_t *data;
chunk_t chunk;
INIT(data,
- .spi = spi,
- .family = dst->get_family(dst),
- .proto = IPPROTO_ESP,
+ .usersa = {
+ .spi = spi,
+ .family = dst->get_family(dst),
+ .proto = IPPROTO_ESP,
+ },
+ .oseq = this->oseq,
);
chunk = dst->get_address(dst);
- memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+ memcpy(&data->usersa.daddr, chunk.ptr,
+ min(chunk.len, sizeof(xfrm_address_t)));
lib->scheduler->schedule_job(lib->scheduler,
(job_t*)callback_job_create(
@@ -149,6 +208,8 @@ hook_t *reset_seq_hook_create(char *name)
},
.delay = conftest->test->get_int(conftest->test,
"hooks.%s.delay", 10, name),
+ .oseq = conftest->test->get_int(conftest->test,
+ "hooks.%s.oseq", 0, name),
);
return &this->hook;