authorYves-Alexis Perez <corsac@debian.org>2019-01-02 10:45:36 +0100
committerYves-Alexis Perez <corsac@debian.org>2019-01-02 11:07:05 +0100
commit918094fde55fa0dbfd59a5f88d576efb513a88db (patch)
tree61e31656c60a6cc928c50cd633568043673e2cbd /testing/tests/openssl-ikev2/critical-extension
parent69bc96f6b0b388d35e983f8d27224fa49d92918c (diff)
New upstream version 5.7.2
Diffstat (limited to 'testing/tests/openssl-ikev2/critical-extension')
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/description.txt2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf4
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der)bin952 -> 952 bytes
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem)0
-rwxr-xr-xtesting/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf26
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der (renamed from testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der)bin951 -> 951 bytes
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/posttest.dat9
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/pretest.dat14
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/test.conf6
13 files changed, 73 insertions, 18 deletions
diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt
index 8c0d37c88..4f472b83b 100644
--- a/testing/tests/openssl-ikev2/critical-extension/description.txt
+++ b/testing/tests/openssl-ikev2/critical-extension/description.txt
@@ -1,5 +1,5 @@
A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b> which contain a <b>critical</b> but
-unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
+unsupported 'strongSwan' extension. Whereas <b>moon</b> ignores unsupported critical
extensions by setting <b>libstrongswan.x509.enforce_critical = no</b> in strongswan.conf,
<b>sun</b> discards such certificates and aborts the connection setup.
diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
index cc904c8bc..e91ba2b82 100644
--- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
@@ -1,6 +1,4 @@
moon::cat /var/log/daemon.log::sending end entity cert::YES
moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
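Review bot: After dropping the `loading certificate from 'sunCert.der' failed` expectation, the only line that still ties the failure to sun's own certificate is the kept `building CRED_CERTIFICATE - X509 failed` check, which assumes the vici/swanctl load path writes that message into daemon.log just as the old stroke path did. If the message now goes to swanctl's stderr instead, this file would still pass on moon's AUTHENTICATION_FAILED line alone without proving sun discarded the certificate. A positive check along the lines of `sun::swanctl --list-certs 2> /dev/null::sun.strongswan.org::NO` would pin that behaviour, provided the exact --list-certs output is confirmed first.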
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index a72c82525..f2104c5f8 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 random nonce openssl revocation curl hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl revocation curl vici kernel-netlink socket-default updown
multiple_authentication = no
+}
+libstrongswan {
x509 {
enforce_critical = no
}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
index 4d99866f7..4d99866f7 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/rsa/moonKey.pem
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..0b0aa32a5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
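Review bot: Neither `local` section names the end-entity certificate, so certificate selection rests on charon matching a loaded certificate against `id = moon.strongswan.org`; pinning it with `certs = moonCert.der` here (and `certs = sunCert.der` in the sun swanctl.conf hunk below) makes the test independent of whatever else ends up in swanctl/x509, which matters for a test whose whole point is which certificate gets loaded. Both new swanctl.conf files are also added with mode 100755; a connection configuration has no reason to be executable, and 100644 would match the strongswan.conf files in the same tree.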
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
index 7f78d5820..7f78d5820 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/swanctl/x509/moonCert.der
Binary files differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index d67640548..77d858547 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 random nonce openssl curl revocation hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
multiple_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
index d8fad9aad..d8fad9aad 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/rsa/sunKey.pem
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bb068bdbe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+ esp_proposals = aes128gcm128-ecp256
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-ecp256
+ }
+}
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
index c1efb6719..c1efb6719 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/swanctl/x509/sunCert.der
Binary files differ
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index 837738fc6..83cd75a5d 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::rm /etc/swanctl/x509/moonCert.der
+sun::rm /etc/swanctl/x509/sunCert.der
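Review bot: The posttest no longer flushes the firewall with `iptables-restore < /etc/iptables.flush`, and the pretest hunk below no longer loads /etc/iptables.rules either, so unless the framework applies and clears those rules itself for SWANCTL=1 tests, moon and sun run this scenario with whatever netfilter state the previous test left behind; if that is not intended, keep `moon::iptables-restore < /etc/iptables.rules` and `sun::iptables-restore < /etc/iptables.rules` in pretest.dat and the two flush lines here. Separately, the pretest deletes moonCert.pem and sunCert.pem from /etc/swanctl/x509 while this posttest only removes the .der files, so the default PEM certificates are not put back; presumably the guest images are reset between tests, but that is worth confirming since the old pretest did not delete anything from the base image.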
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 08ca6b54c..cc8d9d74f 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,7 +1,7 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-sun::expect-connection net-net
-moon::ipsec up net-net
+moon::rm /etc/swanctl/x509/moonCert.pem
+sun::rm /etc/swanctl/x509/sunCert.pem
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index b286ef6eb..d3016a886 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS=""
@@ -19,3 +19,7 @@ TCPDUMPHOSTS=""
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1