New upstream version 5.5.3

15 files changed, 163 insertions, 1 deletions

diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-sql-rsa/description.txt
new file mode 100644
index 000000000..a7410c1b6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/description.txt
@@ -0,0 +1,9 @@
+At the outset the gateway authenticates itself to the client by sending an
+IKEv2 <b>RSA signature</b> accompanied by a certificate.
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with the <i>Authentication and Key Agreement</i> protocol
+(<b>EAP-AKA</b>) to authenticate against the gateway. In this scenario,
+quintuplets from the SQL database /etc/ipsec.d/ipsec.db are used instead
+of a physical USIM card on the client <b>carol</b>. The USIM provider on
+gateway <b>moon</b> also stores the quintuplets in an SQL database.
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat
new file mode 100644
index 000000000..b31a46809
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..ade0c7c36
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	leftauth=eap
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..038c454aa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -0,0 +1,9 @@
+INSERT INTO quintuplets
+  (id, used, rand, autn, ck, ik, res) VALUES
+  ('carol@strongswan.org', 0,
+     X'00112233445566778899AABBCCDDEEFF',
+     X'112233445566778899AABBCCDDEEFF00',
+     X'2233445566778899AABBCCDDEEFF0011',
+     X'33445566778899AABBCCDDEEFF001122',
+     X'00112233445566778899'
+  );
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql
new file mode 100644
index 000000000..301f2bfd6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql
@@ -0,0 +1,10 @@
+DROP TABLE IF EXISTS quintuplets;
+CREATE TABLE quintuplets (
+    id TEXT NOT NULL,
+    used INTEGER NOT NULL,
+    rand BLOB NOT NULL,
+    autn BLOB NOT NULL,
+    ck BLOB NOT NULL,
+    ik BLOB NOT NULL,
+    res BLOB NOT NULL
+);
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..81d2c8e74
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+
+  plugins {
+    eap-simaka-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0875bed8b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightid=*@strongswan.org
+	rightsendcert=never
+	rightauth=eap-aka
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..038c454aa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,9 @@
+INSERT INTO quintuplets
+  (id, used, rand, autn, ck, ik, res) VALUES
+  ('carol@strongswan.org', 0,
+     X'00112233445566778899AABBCCDDEEFF',
+     X'112233445566778899AABBCCDDEEFF00',
+     X'2233445566778899AABBCCDDEEFF0011',
+     X'33445566778899AABBCCDDEEFF001122',
+     X'00112233445566778899'
+  );
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql
new file mode 100644
index 000000000..301f2bfd6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql
@@ -0,0 +1,10 @@
+DROP TABLE IF EXISTS quintuplets;
+CREATE TABLE quintuplets (
+    id TEXT NOT NULL,
+    used INTEGER NOT NULL,
+    rand BLOB NOT NULL,
+    autn BLOB NOT NULL,
+    ck BLOB NOT NULL,
+    ik BLOB NOT NULL,
+    res BLOB NOT NULL
+);
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..81d2c8e74
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+
+  plugins {
+    eap-simaka-sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat
new file mode 100644
index 000000000..e3d7998a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
+moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db
+moon::ipsec start
+carol::ipsec start
+moon::expect-connection rw-eap
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf
new file mode 100644
index 000000000..e093d43d8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index 422c76e2e..41601102f 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -2,7 +2,7 @@ moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongs
 moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO
 moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES