New upstream version 5.7.2

14 files changed, 102 insertions, 87 deletions

diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
index a1f31495d..773e43a35 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -1,17 +1,17 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
 plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
 certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
 plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
 <b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes
 ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors
 fall back to ECP_384 and ECP_521, respectively.
 <p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index 4cee48d89..07ad135d8 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -1,17 +1,11 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
 dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=ECP_521.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2fd776e25..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..46942c7e2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256,aes192gcm16-ecp384
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256,aes192-sha384-ecp384
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8d8989ed7..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index fde691e96..5b59e8d55 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..828c4d6c7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256,aes256gcm16-ecp521
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256,aes256-sha512-ecp521
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index addcc6175..000000000
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	ike=aes192-sha384-ecp384,aes256-sha512-ecp521!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4a5e52dbd..a322670f4 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..18a98ad6e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192gcm16-ecp384,aes256gcm16-ecp521
+         }
+      }
+      version = 2
+      proposals = aes192-sha384-ecp384,aes256-sha512-ecp521
+   }
+}
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
index 1865a1c60..199873ba1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index e87a8ee47..dd1a17ccb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
 moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1