author | Yves-Alexis Perez <corsac@corsac.net> | 2017-04-01 16:26:44 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-04-01 16:26:44 +0200 |
commit | 05ddd767992d68bb38c7f16ece142e8c2e9ae016 (patch) | |
tree | 302c618be306d4ed3c7f9fc58a1f6aaad4dd252f /testing/tests/swanctl/ocsp-disabled | |
parent | 25663e04c3ab01ef8dc9f906608282319cfea2db (diff) | |
New upstream version 5.5.2
Diffstat (limited to 'testing/tests/swanctl/ocsp-disabled')
11 files changed, 195 insertions, 0 deletions
diff --git a/testing/tests/swanctl/ocsp-disabled/description.txt b/testing/tests/swanctl/ocsp-disabled/description.txt
new file mode 100644
index 000000000..4875229ff
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/description.txt
@@ -0,0 +1,10 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>.
+Client <b>carol</b>'s certificate includes an <b>OCSP URI</b> in an authority information
+access extension pointing to <b>winnetou</b>. Gateway <b>moon</b>'s certificate doesn't
+contain any such extensions but <b>carol</b>'s swanctl.conf contains a corresponding
+authorities section. With the directive <b>charon.plugins.revocation.enable_ocsp = no</b>
+in strongswan.conf all OCSP fetching is disabled and a fallback to CRL fetching occurs.
+<p/>
+<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
+the status of both certificates is <b>good</b>.
diff --git a/testing/tests/swanctl/ocsp-disabled/evaltest.dat b/testing/tests/swanctl/ocsp-disabled/evaltest.dat
new file mode 100644
index 000000000..01fc2bc8b
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: cat /var/log/daemon.log::all OCSP validation disabled::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http://crl.strongswan.org/strongswan.crl::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::all OCSP validation disabled::YES
+carol::cat /var/log/daemon.log::fetching crl from.*http://crl.strongswan.org/strongswan.crl::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e3eb4e36d
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf
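Review bot: The log checks assert only the positive messages (`all OCSP validation disabled`, the CRL fetch, `certificate status is good`); nothing asserts that no OCSP request was actually sent, which is the property this scenario exists to prove. If the revocation plugin logs its lookups as `requesting ocsp status from`, adding `carol::cat /var/log/daemon.log::requesting ocsp status from::NO` (and the same line for moon) would catch a regression where an OCSP fetch is still attempted despite enable_ocsp = no. The `.` in the address patterns (`10.1.0.0/16`, `192.168.0.100`) is unescaped and matches any character, which is harmless here but worth knowing when these lines are copied into stricter checks.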
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ auths = /usr/local/sbin/swanctl --load-authorities
+ }
+ plugins {
+ revocation {
+ enable_ocsp = no
+ }
+ }
+}
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 000000000..2d7938a1b
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/rsa/carolKey.pem
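Review bot: carol's `load` line includes `md5`, which moon's strongswan.conf in the same commit omits; nothing visible in this scenario (SHA-2 based proposals, OCSP disabled, CRL fetched via curl) appears to need it. If it is indeed unused, dropping it keeps the loaded plugin set minimal and the two hosts consistent: `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default`. A one-line comment above the `revocation` section, `# OCSP disabled on purpose: this scenario verifies the CRL fallback`, would also tell a reader why the plugin is loaded but its primary function is switched off.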
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqlph7feSim5jou6cNCWB/6E+ptfLuEwtpNv4oRa6wHGu8qaO
+jRqaV/rsVJFPTMotGD9u0uHkI9j4hoRm6JgfKCrULQWHizE3mE8T5X9k2HNS6ngw
+OEkxGZgV7p3kq/GW654rfmHdmbRlNNBZa6cO9H3o7iOYibVLHk4Yd93lC5/5WRqV
+VDPdGFMUT71kIRh4MZhpmKgxNL8tftDs+FeFw1j5HDFzlapurWniawlXJFbRwjx2
+afYZ2wH1zFArQ2j8LvObEB4VSFrOy3B5J57hrslFP8609/jFeNuLOt0xc6Gj2uSt
+n7TIvjF4KpcZv++VQ+B0bTQoRN33NAM7sSzXkwIDAQABAoIBAGuC6UU3NyvYqVc+
+AiVC+r1rdU/052Rj53ahQVPhNXGZDdGkXlkdTgVynk5s+sA65KTl+7ppyAL7vzWe
+QBhRUXCXPxs+3yFwqWadmbAAa5PTjKPfwIb1YmCFxGm5CoWdziLbyxVTDHkiCbGA
+QL8ZSu3wvN32ZyGZ4lO48+ZKi3B+uO5IRPN1YfJAa9g4q+Xt7nybS7hQnriZAn/v
+5ff5StjalQ/241U5LUOrfgeUQIp2DxPiUwHiH/HH1KrcR4Vm4dQrZdOSqUHptoc9
+D7PorAJ0cB7m2FdqAUgEKh4ONy11spf1do79Yi2+XaacTgoCoX8E/1+icmfYvQV7
+rWIBasECgYEA3MIvMrOHgqSNQDgpmA5aq2HsjLgL+KBcQWIFAVhNZ8MOtTYdDIXV
+ZKz0HJjaRi4dSvSGPxze9iRmvhydAupJANBJndTrgAoyRo/tLvGBbuYq9B8R+XM/
+gKBUx5/AwenM4JbSodVIzQIJX7lo+Or1H5TuxJ1Xm79rQMg1GOoMSmECgYEAxYxC
+lIWpHrVKoktazeuNF9E56fB/EAAjsmpJE7PM+SFDvGWbRJR5Y7faiCySetCW4/LC
+Urs2IxnkV7Mo+HgIRmp/K8BBIQ7UAC72mU/qlZeTtf0DH4NMSarPB9+pse8lcPrZ
+dyr7q1o2TDd1Q+fFfNWU3KAi2RHtmqKwRECKLnMCgYBPYK9x7qXiLuLvXYJvP3IQ
+v9Q7wQ3k51xk0ib0ldi3X6bRN9T4JMNXQO1BvyB1La2wvv3qgaoWHX6oC0fVvYJk
+fYCK9P18+62aO7RQNdyRkMePIgDnji4eRQhXAzVfRH87nl+8eyGDPaE7P0Lkhi9/
+nKDCJ8VRpmGdWJ/nBnlG4QKBgQC9ZOuwWTT7K/SSBIzaP6rV2tIbZ2dqf7e5pgzJ
+xugNMccvKHrkFTUMVYg+Zf1JohIIGQYVK0eL/5bcPfhZvzqvyAqEd535g63dPylN
+c0EEin4jTJ9h5w+M0SYL9nNLFGxhFR7JEXyXm7XS/JiAsgS02lAN9blzQ6z5RGCa
+DwZr4QKBgBJBG343JQqRNiQDolaiwzWdSmUxBjfEPzP+pvXJ8pazAUeBdugcm59v
+2whpaffSBJzy4ixInTDmAMhIqvkLlc6GrlTPIur4Gts+hssAjsQN0wEPpG1z+ui4
+4KH/klS64465eK40dplWn1akjOb0KaQsjNwffyfzszvh5+8PkzgB
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6fd22973f
--- /dev/null
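Review bot: This commits an unencrypted PKCS#1 RSA private key as a test fixture; that is the established pattern for the strongSwan test tree, but the key is public the moment it is published, so it has to stay confined to the testing/ hierarchy and must never back anything outside the isolated test network. Because the same key material is duplicated per scenario (the modulus here matches the one in carolCert.pem in this commit), a one-sentence note in description.txt or a README at the top of testing/tests stating that every key under this tree is a public fixture would make the intent explicit for downstream packagers who ship the directory.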
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ revocation = strict
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+
+ strongswan {
+ cacert = strongswanCert.pem
+ ocsp_uris = http://ocsp.strongswan.org:8880
+ }
+}
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 000000000..d1e85db8a
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/x509/carolCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEWzCCA0OgAwIBAgIBODANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE3MDMyMDIwNTI0NFoXDTE5MDkwNjIwNTI0NFowVjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
+HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAqlph7feSim5jou6cNCWB/6E+ptfLuEwtpNv4oRa6wHGu
+8qaOjRqaV/rsVJFPTMotGD9u0uHkI9j4hoRm6JgfKCrULQWHizE3mE8T5X9k2HNS
+6ngwOEkxGZgV7p3kq/GW654rfmHdmbRlNNBZa6cO9H3o7iOYibVLHk4Yd93lC5/5
+WRqVVDPdGFMUT71kIRh4MZhpmKgxNL8tftDs+FeFw1j5HDFzlapurWniawlXJFbR
+wjx2afYZ2wH1zFArQ2j8LvObEB4VSFrOy3B5J57hrslFP8609/jFeNuLOt0xc6Gj
+2uStn7TIvjF4KpcZv++VQ+B0bTQoRN33NAM7sSzXkwIDAQABo4IBQzCCAT8wCQYD
+VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFJCYo8BXG9mSEkp2ag3HiT74
+TT+4MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
+VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
+b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
+b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
+b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCo
+tFCDUTmBfPjeaDQVCv7uBausS0sZCw+Pw7zypqo3vyRm0R2Ds2eymfVI4/Zc1NwW
+hYCy9D1f1r2gukI2jDWHdDwNMQPptyx0Kxr98SIlm9ms8jGT7GZ5l0SdkGe5GDMO
+vq7FscqQZX/KkdFk3ye/ONffFS/ukjVRHu8971BNODcRbG0OBhEI2TQsIyxf/iir
+taI23m8b9dclikqZx3FqoxfTHSN5T5KHntpH7KVIS00hrlavxkLLMn5oePRnkBWu
+feSmpfbOBbnEpElLtJM5K8AjArGOx8nxrtw/KNjMiOsyfCim1r0ff1tnZGtHhHCq
+ZCZKA5DsRXZVWasv1CIz
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3912f5e07
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf
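Review bot: The certificate's validity window is baked into the fixture; the Validity sequence on the third base64 line (`MB4XDTE3MDMyMDIwNTI0NFoXDTE5MDkwNjIwNTI0NFow`) decodes to notBefore 2017-03-20 and notAfter 2019-09-06, so this scenario will start failing with an expired end-entity certificate after that date unless the test PKI is regenerated, and the evaltest lines will then report a revocation/validation failure rather than the OCSP-disabled behaviour under test. A short comment in description.txt naming the expiry date, or a pointer to the script that regenerates the test CA and host certificates, would save the next maintainer a debugging round when the suite goes red for calendar reasons.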
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ plugins {
+ revocation {
+ enable_ocsp = no
+ }
+ }
+}
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..710307195
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ revocation = strict
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-x25519
+ }
+}
diff --git a/testing/tests/swanctl/ocsp-disabled/posttest.dat b/testing/tests/swanctl/ocsp-disabled/posttest.dat
new file mode 100644
index 000000000..672f4188c
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/posttest.dat
@@ -0,0 +1,3 @@
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
diff --git a/testing/tests/swanctl/ocsp-disabled/pretest.dat b/testing/tests/swanctl/ocsp-disabled/pretest.dat
new file mode 100644
index 000000000..e6d60458d
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/pretest.dat
@@ -0,0 +1,5 @@
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/ocsp-disabled/test.conf b/testing/tests/swanctl/ocsp-disabled/test.conf
new file mode 100644
index 000000000..c5b3ecc43
--- /dev/null
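Review bot: moon's swanctl.conf is added with `new file mode 100755`, whereas carol's swanctl.conf and every other file in this commit are 100644; a daemon configuration file has no reason to carry the execute bit, and it stands out to any tooling that flags executable files under /etc. Reset it with `chmod 644 testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf` so the mode matches the rest of the tree. As this is an upstream import, the fix likely belongs upstream, but it is worth carrying the correction locally if the vyos tree otherwise installs these fixtures verbatim.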
+++ b/testing/tests/swanctl/ocsp-disabled/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1 |